🛠️ Utilities & Management Layer
Unlike the Media Stack (which serves content) or the Gateway Stack (which handles public traffic), these services focus on Monitoring, Container Management, Log Analysis and Backups.
Architecture Overview
The Utilities layer is physically divided into two groups on the host.
The Monitoring Cluster runs behind a secure, read-only Docker Socket Proxy. This ensures that exposed dashboards cannot be exploited to gain root access to the host machine. The Standalone Ops Tools operate independently, handling localized tasks like backups, log analysis, and push notifications.
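
A minimal Compose sketch of the socket-proxy pattern described above. This is an added example, not this repository's own compose file. It assumes the `tecnativa/docker-socket-proxy` image (the page does not say which proxy is used), and the `dashboard` service, its image name and the `socket-net` network are placeholders.

```yaml
# Added example: read-only Docker API access through a socket proxy.
# Assumption: tecnativa/docker-socket-proxy; service names are placeholders.
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy
    environment:
      CONTAINERS: 1   # allow GET on /containers/* (list, inspect, logs, stats)
      IMAGES: 1       # allow GET on /images/*
      INFO: 1         # allow GET on /info
      POST: 0         # reject every non-GET request: no create, start, exec
    volumes:
      # ":ro" only protects the socket file itself. The API restrictions
      # come from the environment rules above, not from this mount flag.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-net
    # No "ports:" entry: the proxy is reachable only from containers
    # attached to socket-net, never from the LAN or the host's interfaces.
    restart: unless-stopped

  dashboard:                               # placeholder for any monitoring UI
    image: example/dashboard:placeholder   # placeholder image name
    environment:
      DOCKER_HOST: tcp://socket-proxy:2375 # talk to the proxy, not the socket
    networks:
      - socket-net
      - default
    # Weak setting this replaces. A dashboard holding the raw socket can
    # start a privileged container and take over the host:
    # volumes:
    #   - /var/run/docker.sock:/var/run/docker.sock

networks:
  socket-net:
    internal: true   # no route out; carries Docker API traffic only
```

With the stack running, a `POST` to `/containers/create` sent through the proxy should be refused while a `GET` of `/containers/json` succeeds, which is a quick way to confirm the policy is in effect.
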
The Monitoring Cluster (mon-stack)
| Service | Type | Role |
|---|---|---|
| Socket Proxy | Security | Secure, read-only gatekeeper for the Docker socket |
| Homepage | Dashboard | The central "Glass Pane" dashboard for all services |
| Beszel | Monitoring | Lightweight agent tracking CPU, Docker, and LVM I/O |
| Dozzle | Log Viewer | Real-time, web-based Docker log viewer |
| Arcane | Management | Container management interface (Portainer alternative) |
| What's Up Docker | Monitoring | Monitors container registries for image updates |
Standalone Ops Tools (ops-stack)
| Service | Type | Role |
|---|---|---|
| Gotify | Notifications | Push notification server for automated alerts |
| Kopia | Backups | Encrypted, deduplicated snapshots to Cloudflare R2 |
| GoAccess | Analytics | Real-time visual analysis of Caddy web logs (LAN Only) |
Directory Prep
Because we use bind mounts, directories must be created on the host before starting containers to prevent permission issues.
```bash
# 1. Monitoring Stack (mon-stack)
mkdir -p mon-stack/beszel/{data,beszel_agent_data}
mkdir -p mon-stack/homepage/config/{icons,logs}
mkdir -p mon-stack/wud/store
mkdir -p mon-stack/arcane/arcane-data
mkdir -p mon-stack/dozzle
# socket-proxy is stateless

# 2. Standalone Tools (ops-stack)
mkdir -p ops-stack/gotify/data
mkdir -p ops-stack/goaccess/{data,html}
mkdir -p ops-stack/kopia/{cache,config,logs}
```