Server Projects

Everything self-hosted and managed, organized by where it lives in the stack.

Layer 3 — Network

IP routing, segmentation, inter-container networking

Docker Network Segmentation

Isolated bridge networks per service group to enforce traffic boundaries — arr_network for the media stack, authentik_routing for SSO, matrix_network for chat, and a shared routing network that Nginx Proxy Manager bridges across stacks.

Docker Bridge Networks Network Isolation

Layer 4 — Transport

VPN tunneling, port management

Gluetun VPN Gateway

Containerized VPN client that Deluge routes all torrent traffic through. Gluetun acts as a network gateway — the torrent container has no direct internet access, only what exits through the VPN tunnel. The Gluetun container exposes port 6881 for torrent traffic and 8112 for the Deluge web UI.

Gluetun VPN Kill Switch Docker Networking

Layer 7 — Proxy, Tunneling & DNS

Reverse proxy, external access, Cloudflare

Nginx Proxy Manager

Central reverse proxy routing all inbound HTTP/HTTPS traffic to the correct container by hostname. Handles SSL termination and certificate management across all services. Sits on the shared routing network so it can reach containers across isolated stacks.

Nginx Proxy Manager Reverse Proxy SSL/TLS Let's Encrypt

Cloudflare Tunnels

Multiple cloudflared tunnel instances exposing services externally without opening inbound firewall ports. Separate tunnels for routing, Matrix, VaultWarden, and documentation — each scoped to its own subdomain and traffic type.

Cloudflare cloudflared Zero Trust No Open Ports

Layer 7 — Identity & Security

Authentication, secrets, SIEM

Authentik

Self-hosted SSO identity provider with LDAP support. Runs a server, background worker, PostgreSQL database, and Redis cache. The LDAP outpost (authentik_ldap) allows non-web services to authenticate against the same user directory. Sits on its own authentik_routing network.

Authentik SSO LDAP OAuth2 / OIDC PostgreSQL Redis

VaultWarden

Unofficial Bitwarden-compatible password manager server. Exposed externally via a dedicated Cloudflare tunnel. Handles vault sync for browser extensions and mobile clients.

VaultWarden Bitwarden Password Manager Cloudflare Tunnel

AliasVault

Self-hosted email alias manager for generating unique aliases per service — keeps real email private and makes phishing/breach tracking easier.

AliasVault Email Privacy Alias Management

Wazuh SIEM

Enterprise-grade security information and event management stack — indexer (OpenSearch-based), manager, and dashboard running as a three-container cluster. Provides log aggregation, threat detection, file integrity monitoring, and a full security dashboard. The most operationally complex stack on the server.

Wazuh SIEM Threat Detection Log Aggregation OpenSearch FIM

Layer 7 — Media Stack

Streaming, music, books, acquisition

Jellyfin

Self-hosted media server for movies, TV, and music. Handles transcoding, client streaming, and library management. Access is controlled via Jellyseerr for request management and Wizarr for user onboarding.

Jellyfin Media Server Transcoding

*arr Automation Stack

Full automated media acquisition pipeline: Prowlarr (indexer management) feeds Sonarr (TV), Radarr (movies), and Lidarr (music). Jellyseerr provides the user-facing request interface. Flaresolverr and Byparr handle Cloudflare-protected indexers. All on the isolated arr_network.

Sonarr Radarr Lidarr Prowlarr Jellyseerr Flaresolverr Byparr

Deluge (via VPN)

Torrent client with all traffic routed through the Gluetun VPN container. Has no direct network access — everything in and out goes through the VPN kill switch.

Deluge Torrent Gluetun VPN

Music Servers

Three separate music streaming options: Navidrome (Subsonic-compatible, broad client support), SwingMusic (modern web UI), and Audiobookshelf (audiobooks and podcasts). Feishin is a desktop client pointed at Navidrome.

Navidrome SwingMusic Audiobookshelf Feishin Subsonic API

Layer 7 — Communication

Messaging, notifications, forums

Matrix / Synapse

Self-hosted Matrix homeserver for federated, end-to-end encrypted messaging. Exposed externally via a dedicated Cloudflare tunnel. Runs alongside a PostgreSQL database on the isolated matrix_network.

Matrix Synapse Federated Chat E2EE PostgreSQL Cloudflare Tunnel

NTFY

Self-hosted push notification server. Sends alerts from other services (including N8N workflows) to phone and desktop without going through a third-party notification broker.

NTFY Push Notifications Self-hosted

Discourse

Full forum platform. Runs a three-container stack: the Discourse app, a dedicated PostgreSQL database, and Redis for caching and background jobs.

Discourse Forum PostgreSQL Redis

Layer 7 — Publishing & Documentation

CMS, wikis, static sites

Ghost

Headless CMS and blogging platform. Runs with a MySQL 8 database backend.

Ghost CMS MySQL

Docmost

Self-hosted collaborative wiki and documentation platform. Three-container stack: app, PostgreSQL, and Redis.

Docmost Wiki PostgreSQL Redis

Static Web Server (this site)

Three instances of a lightweight Rust-based static file server. This personal site, written in plain HTML and CSS, runs on one of them.

Static Web Server HTML/CSS Rust

Layer 7 — Productivity & Storage

Automation, files, photos, forms

N8N

Self-hosted workflow automation platform. Runs with a PostgreSQL backend. Powers automations across other services — including the contact form on the home page.

N8N Workflow Automation PostgreSQL

Immich

Self-hosted photo and video backup platform with machine learning features (facial recognition, object detection, semantic search). Runs a four-container stack: server, ML worker, pgvector-enabled PostgreSQL, and Valkey cache.

Immich Photo Backup Machine Learning pgvector Valkey

OwnCloud

Self-hosted file storage and sync. Runs a three-container stack: app, MariaDB, and Redis.

OwnCloud File Storage MariaDB Redis

HeyForm

Self-hosted form builder. Backed by MongoDB and KeyDB.

HeyForm Forms MongoDB KeyDB

Layer 7 — Tools & Utilities

Developer and sysadmin tooling

Portainer

Web-based Docker management UI. Used to monitor container health, manage stacks, and inspect logs across the entire server.

Portainer Docker Management

IT-Tools & CyberChef

IT-Tools: a collection of developer utilities (encoders, formatters, converters). CyberChef: the GCHQ data transformation Swiss army knife — encoding, encryption, parsing, and more.

IT-Tools CyberChef Developer Tools

Mini-QR & Airstation

Mini-QR: self-hosted QR code generator. Airstation: AirDrop-style local file transfer between devices on the same network.

Mini-QR Airstation File Transfer

Handbrake

Web-based Handbrake front-end for video transcoding jobs running on the server.

Handbrake Transcoding

Wizarr

Onboarding wizard for Jellyfin — generates invite links and walks new users through getting set up with the media server.

Wizarr Jellyfin User Onboarding

Rickroll Server

Exactly what it sounds like.

Important Infrastructure