🐳 Home Lab Docker Architecture
"A modular, automated homelab, running a media server on Arch Linux (CachyOS), featuring a split-network security model and atomic-move storage."
This was put together in Feb 2026, for the future me when I am ready to move what I have to an always-on homelab/server that I am putting together. And if it somehow helps others on their own journey, that's awesome too!
This documentation contains the entire infrastructure: compose files, how-tos, and automation scripts for all currently running services.
🖥️ Current Hardware Specifications
| Component | Detail |
|---|---|
| OS | Daily Driver - CachyOS |
| MOBO | X870 Asrock Pro Rs |
| CPU | AMD Ryzen 5 7600X |
| RAM | 32GB DDR5 |
| GPU | Radeon RX 5600 XT (Transcoding) |
| Storage | 2x 1TB NVMe LVM Pool (/mnt/pool01) + 500GB Crucial SSD (/mnt/CrucialBackup) |
| Network Card | Marvell AQC113C 10GbE |
Quick Navigation
| Category | Topic | Description |
|---|---|---|
| 🏗️ Global | Deployment Guide | Start here. Zero-to-hero guide for host OS setup (Docker install, LVM, DNS, firewall) |
| | Network Architecture | Explaining the custom Docker network vs. `service:gluetun` split-tunnel design |
| | Storage & LVM | How the NVMe pool is aggregated and the "Atomic Move" logic |
| | Host Firewall | The firewalld rules creating the "Software VLAN" to block LAN access |
| | Backups | Dockerapps local mirror/rsync, Kopia x Cloudflare R2 & OS Rescuezilla |
| | Troubleshooting | "War stories" log: solving exit code 137, 401 healthchecks, and race conditions |
| 🛡️ Gateway | Overview | Overview and directory setup |
| | Caddy | Reverse proxy config, GeoIP filtering, and TLS hardening |
| | CrowdSec | IPS configuration, bouncer setup, and acquisition rules |
| | VoidAuth | Identity provider setup |
| | Tailscale | Setup for remote access |
| | Cloudflare DDNS | Global doc: managing DNS records and API tokens for the proxy |
| 🍿 Media | Overview | Overview of the architecture setup |
| | Jellyfin & Seerr | Setup, hardware transcoding (AMD GPU) and client connectivity |
| | The VPN & *Arr Stack | Radarr/Sonarr setup, Prowlarr/indexers, and Gluetun tunneling |
| | Custom Anime Profiles via Profilarr | Profilarr setup for anime grabs |
| | The "Atomic Move" Logic | Technical deep-dive on how hardlinks work in this specific setup |
| 📊 Utilities | Overview | Overview of the architecture setup |
| | Monitoring Stack Overview | Overview of Homepage, WUD and Dozzle behind the Socket Proxy |
| | Beszel | Setting up the lightweight agent and mapping LVM metrics |
| | Kopia | Dedup snapshot strategy to Cloudflare R2 |
| | GoAccess | Real-time visual web log analyzer for Caddy |
| | Gotify | Self-hosted push notification setup |
| Scripts | Pull-All Images | Auto-pull all services' images |
| | Recreate-All | Auto `docker compose up -d --force-recreate` for all |
Quick Start
If setting this server up from scratch, do read the Deployment Guide. It covers the "Invisible" host OS configurations (Firewall, DNS) required before Docker can start.
Compose File Configs
For each of the services listed in the Gateway, Media and Utilities sections, the compose configs are available.
Architecture Highlights
The "Two-Zone" Security Model
We bypass the default Docker bridge to enforce strict isolation:
- Zone 1 (Trusted): `172.20.0.0/24`. Internal apps with static IPs talk here.
- Zone 2 (VPN Bubble): P2P clients (qBittorrent/Transmission) have no IP address of their own on the bridge. They run with `network_mode: service:gluetun`, sharing Gluetun's network namespace, so 100% of their traffic is routed through AirVPN (WireGuard) and they are reached on Gluetun's address.
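A minimal compose file showing the two zones, as an added example (not the compose file from this repository): Gluetun holds the page's static IP 172.20.0.11 on the trusted network, qBittorrent borrows Gluetun's network namespace, and Radarr stays in Zone 1. The network name `homelab`, the `./config` paths, the linuxserver.io images, the environment variable names for the AirVPN credentials and the `FIREWALL_OUTBOUND_SUBNETS` whitelist are assumptions of this example.

```yaml
# Added example, not this repository's compose file. Assumed names: the trusted
# network is "homelab", config dirs live under ./config, images are the
# linuxserver.io ones, and AirVPN credentials come from .env (never commit them).
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                       # required to bring up wg0 and program the kill-switch rules
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: airvpn
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: ${AIRVPN_WG_PRIVATE_KEY}
      WIREGUARD_PRESHARED_KEY: ${AIRVPN_WG_PRESHARED_KEY}
      WIREGUARD_ADDRESSES: ${AIRVPN_WG_ADDRESS}   # the 10.x.x.x/32 address from AirVPN's config generator
      SERVER_COUNTRIES: Singapore
      # Gluetun's own firewall only lets traffic out through the tunnel. The trusted
      # subnet has to be allowed explicitly, otherwise Radarr/Sonarr in Zone 1 cannot
      # reach the qBittorrent API that answers on Gluetun's address.
      FIREWALL_OUTBOUND_SUBNETS: 172.20.0.0/24
    networks:
      homelab:
        ipv4_address: 172.20.0.11       # Zone 1 address; every Zone 2 service is reached here
    # No ports: block. Caddy (172.20.0.23) proxies to 172.20.0.11:8080 inside the
    # network, so the WebUI never has to be published on the host or the LAN.
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    # Zone 2: share Gluetun's network namespace. The container gets no interface on
    # "homelab", no address of its own, and no route except wg0. Compose rejects a
    # `networks:` or `ports:` key on a service that uses network_mode: service:.
    network_mode: "service:gluetun"
    depends_on:
      gluetun:
        condition: service_healthy      # Gluetun's image ships a healthcheck; wait for the tunnel
    environment:
      PUID: 1000
      PGID: 1000
      WEBUI_PORT: 8080
    volumes:
      - ./config/qbittorrent:/config
      - /mnt/pool01/media:/data
    restart: unless-stopped

  radarr:
    image: lscr.io/linuxserver/radarr
    container_name: radarr
    networks:
      homelab:
        ipv4_address: 172.20.0.13
    environment:
      PUID: 1000
      PGID: 1000
    volumes:
      - ./config/radarr:/config
      - /mnt/pool01/media:/data
    # In Radarr, the download client host is 172.20.0.11 (Gluetun), not "qbittorrent":
    # the qbittorrent container is not attached to "homelab", so its name does not resolve there.
    restart: unless-stopped

networks:
  homelab:
    name: homelab
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24
          gateway: 172.20.0.1
```

Two checks worth running after `docker compose up -d`: `docker run --rm --network=container:gluetun alpine wget -qO- https://ipinfo.io/ip` must return the AirVPN exit address and never the home IP (the command joins the same namespace the clients use, so it sees exactly what they see), and `docker inspect -f '{{.NetworkSettings.Networks}}' qbittorrent` should show no network entry at all. Recreating Gluetun on its own gives it a fresh namespace and leaves the sidecars attached to the dead one; recreate the whole stack (as the Recreate-All script does) rather than the `gluetun` service by itself.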
"Atomic Moves" Filesystem
- Concept: Downloads and the media library reside on the same LVM logical volume (`/mnt/pool01/media`).
- Result: Importing a 50GB file is instant and consumes 0 bytes of extra space, because the *Arr import creates a hardlink instead of copying the file.
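The volume layout behind that result, as an added example rather than the repository's own compose: two bind mounts that break hardlinking, beside the single mount that allows it. The directory names under `/mnt/pool01/media` (`torrents/`, `movies/`), the container path `/data` and the uid/gid are assumptions; networking is left out on purpose.

```yaml
# Added example, not this repository's compose. Assumed layout under the single
# logical volume: /mnt/pool01/media/torrents for the client and
# /mnt/pool01/media/movies for the library, both seen as /data in the containers.
services:
  # BROKEN LAYOUT (kept as comments; do not deploy):
  #   radarr:
  #     volumes:
  #       - /mnt/pool01/media/torrents:/downloads
  #       - /mnt/pool01/media/movies:/movies
  # Both host paths sit on the same LV, but inside the container they are two
  # separate mounts. link(2) and rename(2) between different mounts fail with
  # EXDEV, so Radarr silently falls back to copy-then-delete: the 50GB file is
  # written a second time, and the seeding copy plus the library copy both
  # occupy space until the torrent is removed.

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    environment:
      PUID: 1000                        # same uid/gid in every container, so the
      PGID: 1000                        # one hardlinked file is writable by all of them
    volumes:
      - /mnt/pool01/media:/data         # client saves to /data/torrents/<category>

  radarr:
    image: lscr.io/linuxserver/radarr
    container_name: radarr
    environment:
      PUID: 1000
      PGID: 1000
    volumes:
      - /mnt/pool01/media:/data         # root folder /data/movies: one mount, so import = link(), not copy
```

Because both containers see the same `/data` tree, Radarr needs no remote path mapping for the download client, and its Media Management option "Use Hardlinks instead of Copy" (on by default) can actually take effect. After an import, `stat -c '%h %i' <file in torrents/> <file in movies/>` on the host should print link count 2 and the same inode for both; link count 1 with two different inodes means the copy fallback happened and the layout still has a mount boundary in it.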
Zero-Touch Automation
- Pipeline: Seerr (Request) → Radarr (Monitored) → Prowlarr (Search) → Gluetun-qBit (Download) → Radarr (Import) | Bazarr (Subtitles) → Jellyfin (Stream) → Gotify (Notify)
- Result: A fully automated experience where content appears automatically after requesting.
Defense-in-Depth
- Kernel: Firewalld drops all Docker-to-LAN traffic (Software VLAN), so a compromised container cannot reach other LAN hosts.
- Ingress: Caddy handles TLS & GeoIP blocking (Singapore only).
- Behavior: CrowdSec bans IPs showing aggressive behavior (brute force, scanners).
- Identity: VoidAuth enforces authentication for selected publicly exposed services/containers.
Tech Stack / Tools
| Name | Description |
|---|---|
| CachyOS | Base OS. An Arch Linux-based distribution. |
| Docker | Runtime. Containerization engine for isolating application services. |
| Caddy | Ingress. Secure reverse proxy with automatic HTTPS and GeoIP filtering. |
| CrowdSec | Security. Collaborative IPS detecting and blocking aggressive IP behaviors. |
| VoidAuth | Identity. Lightweight OIDC provider handling Single Sign-On (SSO). |
| Gluetun | VPN Tunnel. AirVPN (WireGuard) client whose network namespace the download clients share. |
| Tailscale | Mesh Network. Zero-config VPN for secure remote access and management. |
| Jellyfin | Media Server. Streaming server. |
| Seerr | Requests. "Netflix-style" frontend for automated content discovery. |
| Radarr | Automation. Movie collection manager and downloader integration. |
| Sonarr | Automation. TV series management and calendar automation. |
| Profilarr | Management. Synchronizes quality profiles across *Arr applications. |
| Prowlarr | Indexers. Centralized management for torrent trackers. |
| FlareSolverr | Proxy. Solves Cloudflare challenges to allow Prowlarr indexer access. |
| qBittorrent | Downloader. BitTorrent client routed through the VPN. |
| Transmission | Downloader. BitTorrent client routed through the VPN. |
| Beszel | Monitoring. Lightweight agent tracking LVM, CPU, and Docker metrics. |
| Dozzle | Monitoring. Web UI for Docker logs. |
| WUD | Monitoring. Watches for and alerts on image updates. |
| Speedtest | Monitoring. Automated internet bandwidth and latency tracking. |
| Homepage | Dashboard. Central start page with live service widgets. |
| Kopia | Backup. Dedup backups to Cloudflare R2. |
| GoAccess | Analytics. Real-time visual web log analyzer for Caddy. |
| Gotify | Notifications. Self-hosted push notification server and web UI. |
| Cloudflare | Network. DNS management, DDNS updates, and object storage (R2). |
Static IP Allocation Map
Subnet: 172.20.0.0/24 | Gateway: 172.20.0.1
| IP Address | Service | Stack | Port |
|---|---|---|---|
| GATEWAY | | | |
| 172.20.0.11 | Gluetun (VPN) | gateway | - |
| 172.20.0.23 | Caddy (Proxy) | gateway | 80/443 |
| 172.20.0.24 | CrowdSec | gateway | 8080 |
| 172.20.0.37 | VoidAuth | gateway | 3002 |
| Host Mode | Tailscale | gateway | - |
| MEDIA | | | |
| 172.20.0.10 | Jellyfin | media | 8096 |
| 172.20.0.12 | Seerr | media | 5055 |
| 172.20.0.13 | Radarr | media | 7878 |
| 172.20.0.14 | Sonarr | media | 8989 |
| 172.20.0.15 | Bazarr | media | 6767 |
| 172.20.0.19 | Profilarr | media | 6868 |
| 172.20.0.20 | Prowlarr | media | 9696 |
| 172.20.0.21 | FlareSolverr | media | 8191 |
| 172.20.0.22 | Jackett | media | 9117 |
| Sidecar | qBittorrent | media | 8080 |
| Sidecar | Transmission | media | 9091 |
| Sidecar | Speedtest | media | 8085 |
| UTILITIES / OPS / MONITORING | | | |
| 172.20.0.16 | Gotify | ops | 8081 |
| 172.20.0.17 | Arcane | ops | 3552 |
| 172.20.0.25 | Homepage | ops | 3000 |
| 172.20.0.26 | Dozzle | ops | 9090 |
| 172.20.0.27 | WUD | ops | 3001 |
| 172.20.0.28 | Socket Proxy | ops | 2375 |
| 172.20.0.29 | GoAccess | ops | 7890 |
| 172.20.0.31 | Beszel Hub | ops | 8090 |
| 172.20.0.32 | Beszel Agent | ops | - |
| 172.20.0.33 | Kopia | ops | 51515 |

Sidecar = runs with `network_mode: service:gluetun` and has no address of its own; it is reached on Gluetun's IP (172.20.0.11) at the listed port. Host Mode = shares the host's network stack and is not on the 172.20.0.0/24 bridge.
📸 Gallery
Screenshots of the running services:
- Homepage Dashboard
- GoAccess
- VoidAuth
- Jellyfin
- Seerr
- Beszel