Server Projects
Everything self-hosted and managed, organized by where it lives in the stack.
Layer 3 — Network
Docker Network Segmentation
Isolated bridge networks per service group to enforce traffic boundaries — arr_network for the media stack, authentik_routing for SSO, matrix_network for chat, and a shared routing network that Nginx Proxy Manager bridges across stacks.
Layer 4 — Transport
Gluetun VPN Gateway
Containerized VPN client that Deluge routes all torrent traffic through. Gluetun acts as a network gateway — the torrent container has no direct internet access, only what exits through the VPN tunnel. Exposes port 6881 for torrent traffic and 8112 for the Deluge web UI.
Layer 7 — Proxy, Tunneling & DNS
Nginx Proxy Manager
Central reverse proxy routing all inbound HTTP/HTTPS traffic to the correct container by hostname. Handles SSL termination and certificate management across all services. Sits on the shared routing network so it can reach containers across isolated stacks.
Cloudflare Tunnels
Multiple cloudflared tunnel instances exposing services externally without opening inbound firewall ports. Separate tunnels for routing, Matrix, VaultWarden, and documentation — each scoped to its own subdomain and traffic type.
Layer 7 — Identity & Security
Authentik
Self-hosted SSO identity provider with LDAP support. Runs a server, background worker, PostgreSQL database, and Redis cache. The LDAP outpost (authentik_ldap) allows non-web services to authenticate against the same user directory. Sits on its own authentik_routing network.
VaultWarden
Unofficial Bitwarden-compatible password manager server. Exposed externally via a dedicated Cloudflare tunnel. Handles vault sync for browser extensions and mobile clients.
AliasVault
Self-hosted email alias manager for generating unique aliases per service — keeps real email private and makes phishing/breach tracking easier.
Wazuh SIEM
Enterprise-grade security information and event management stack — indexer (OpenSearch-based), manager, and dashboard running as a three-container cluster. Provides log aggregation, threat detection, file integrity monitoring, and a full security dashboard. The most operationally complex stack on the server.
Layer 7 — Media Stack
Jellyfin
Self-hosted media server for movies, TV, and music. Handles transcoding, client streaming, and library management. Access controlled via Jellyseerr for request management and Wizarr for user onboarding.
*arr Automation Stack
Full automated media acquisition pipeline: Prowlarr (indexer management) feeds Sonarr (TV), Radarr (movies), and Lidarr (music). Jellyseerr provides the user-facing request interface. Flaresolverr and Byparr handle Cloudflare-protected indexers. All on the isolated arr_network.
Deluge (via VPN)
Torrent client with all traffic routed through the Gluetun VPN container. Has no direct network access — everything in and out goes through the VPN kill switch.
Music Servers
Three separate music streaming options: Navidrome (Subsonic-compatible, broad client support), SwingMusic (modern web UI), and Audiobookshelf (audiobooks and podcasts). Feishin is a desktop client pointed at Navidrome.
Layer 7 — Communication
Matrix / Synapse
Self-hosted Matrix homeserver for federated, end-to-end encrypted messaging. Exposed externally via a dedicated Cloudflare tunnel. Runs alongside a PostgreSQL database on the isolated matrix_network.
NTFY
Self-hosted push notification server. Sends alerts from other services (including N8N workflows) to phone and desktop without going through a third-party notification broker.
Discourse
Full forum platform. Runs a three-container stack: the Discourse app, a dedicated PostgreSQL database, and Redis for caching and background jobs.
Layer 7 — Publishing & Documentation
Ghost
Headless CMS and blogging platform. Runs with a MySQL 8 database backend.
Docmost
Self-hosted collaborative wiki and documentation platform. Three-container stack: app, PostgreSQL, and Redis.
Static Web Server (this site)
Three instances of a lightweight Rust-based static file server. This personal site runs on one of them. Written in plain HTML and CSS.
Layer 7 — Productivity & Storage
N8N
Self-hosted workflow automation platform. Runs with a PostgreSQL backend. Powers automations across other services — including the contact form on the home page.
Immich
Self-hosted photo and video backup platform with machine learning features (facial recognition, object detection, semantic search). Runs a four-container stack: server, ML worker, pgvector-enabled PostgreSQL, and Valkey cache.
OwnCloud
Self-hosted file storage and sync. Runs a three-container stack: app, MariaDB, and Redis.
HeyForm
Self-hosted form builder. Backed by MongoDB and KeyDB.
Layer 7 — Tools & Utilities
Portainer
Web-based Docker management UI. Used to monitor container health, manage stacks, and inspect logs across the entire server.
IT-Tools & CyberChef
IT-Tools: a collection of developer utilities (encoders, formatters, converters). CyberChef: the GCHQ data transformation Swiss army knife — encoding, encryption, parsing, and more.
Mini-QR & Airstation
Mini-QR: self-hosted QR code generator. Airstation: AirDrop-style local file transfer between devices on the same network.
Handbrake
Web-based Handbrake front-end for video transcoding jobs running on the server.
Wizarr
Onboarding wizard for Jellyfin — generates invite links and walks new users through getting set up with the media server.
Rickroll Server
Exactly what it sounds like.