Architecture deep-dive

How Beelab actually works.

Every layer, every node, every diagram. Built scalable, documented honest. Nothing here is theoretical; the same architecture ships in your install.

7 layers · 9+ VMs (scales 1 to N) · 5 VLANs

The Architecture

Seven layers, one stack.

The architecture has seven layers: Physical, Network, DevOps Pipeline, Orchestration, AI Station, Backup Station, and Observability + Recovery. Every layer earns its place by closing a specific failure mode. Security isn't a separate layer; it cuts across all of them.

Security cuts across every layer.
Layer 01

Physical

The reference build runs Proxmox VE 8 across a primary plus compute nodes (scales 1 to N nodes). The primary carries the VMs and a software-defined storage pool sized to your tier (NFS for VM access, Seafile / ownCloud / OpenCloud sync overlays, ZFS mirror on the backup tier, RAID across the live tier on the roadmap). The compute nodes handle workload distribution. Live migration across nodes means maintenance never interrupts the cluster.

The primary runs enterprise-grade NVMe TLC for live workloads, plus a secondary drive for disaster recovery clones. A Clonezilla clone restores the entire system in about 10 minutes if the primary fails.

  • HP EliteDesk
  • Lenovo ThinkCentre
  • Mac mini Pro
  • Raspberry Pi
  • Pi Zero
  • IP KVM
  • NVMe TLC
  • software-defined pool (sized to your tier)
  • UPS (tiered)
  • SNMP env monitoring

Components & roles · reference build (scales 1 to N)

  • Primary node (enterprise PC family): Proxmox hypervisor, VMs, software-defined storage pool sized to your tier (NFS, Seafile / ownCloud / OpenCloud overlays, ZFS mirror on backup tier, RAID on the roadmap)
  • Compute nodes (validated enterprise PC family): Proxmox nodes, workload distribution, scales 1 to N
  • Production tier (Talos): Talos Linux production cluster (scales 1 to N nodes). Immutable, no SSH, API-only. Runs upstream Kubernetes for hardened production workloads (apps you cannot afford to break).
  • DevOps tier (k3s on Ubuntu): k3s control plane on Ubuntu (a lighter Kubernetes distro). Cilium CNI + MetalLB. For the lab and CI/CD side, where fast rebuild matters more than hardening.
  • k3s worker pool: k3s workers sized to your tier, attached to the DevOps k3s control plane (not Talos). Scales to N agents.
  • AI mesh (head + secondary + agents): Mac Studio Ultra (head) plus Mac mini Pro secondary plus Mac mini Pro agent runners, Tailscale mesh, OpenAI-compatible AI Gateway (yours to swap), scales 1 to N
  • Backup tier (primary + mirror): PBS + NVMe / TrueNAS ZFS mirror (sized to your tier), scales 1 to N
  • Security node: Threat detection (Wazuh + T-Pot honeypot), security monitoring, forensics
  • Raspberry Pi watchdogs plus IP KVM: Honeypot (T-Pot), edge testing, live IDE, remote BIOS
  • Pi Zero watchdogs: Ping watchdog + GPIO relay auto-reboot
  • Enterprise software firewall: OPNsense in the reference build, pfSense and VyOS work too. Multi-VLAN segmentation, inter-VLAN routing, IDS via the Suricata plugin
Real hardware

This is the reference rack. Yours scales from 1 node to N.

Reference build shown. Your rack scales 1 to N nodes. Sixteen U. Ten functional sections. A Proxmox cluster, an Apple Silicon mesh on Tailscale, Raspberry Pi watchdogs (Pi 5, Pi 4, Pi Zero 2 W), and an isolated security node, all scaling 1 to N. The architecture diagram and the real photos line up because nothing on the diagram is theoretical. Apple Silicon hardware is supplied by the buyer unless quoted as a bundle.

[Figure: Architecture diagram (/rack/architecture.png)]

Every U mapped. Every node has one job.

16U reference build · Scales 1 to N nodes · Real hardware · Photographed in the reference build.

The whole point

Hardware dies. The stack rebuilds.

If the hardware dies tomorrow, I lose nothing. The VMs, configs, services, and firewall rules all exist as code in a private Git repo.

Ansible playbooks cover the VMs. Docker Compose handles the applications. The enterprise software firewall and VLAN configs are exported and versioned. Every failure scenario I've hit has a tested runbook. Point the playbooks at fresh hardware, answer about fifteen questions (IP range, domain, drives, services), and the stack rebuilds itself. That's the entire point.

9f2c1ab  ansible: pin k3s 1.32
a83d4e0  compose: bump immich digest
12d9bf5  opnsense: export rules.xml
Every change. Versioned. Replayable.
Ready to build yours

The architecture is the easy part.

Pick the configuration that fits, or send me a note and I will walk you through what your stack should actually look like.

Beelab

The Sovereign Platform with AI built in, on hardware you own.


© 2026 Beelab. Source available under FSL-1.1-ALv2.

All third-party product names, service marks, and trademarks named on this site are property of their respective owners. Beelab is independent of and not affiliated with these providers.