sheikhfarhan/services-sfhomelab

🐳 HomeLab Server & Services


"A modular, automated homelab, running a media server on Arch Linux (CachyOS)"

📚 FULL DOCUMENTATION: Detailed deployment guides, network architecture and security policies are hosted on the live wiki at docs.sfhomelab.com.

This repository houses the Docker Compose stacks, environment templates and some config files, so that it is relatively easy for me to clone/pull them when deploying similar stacks to a new machine.

This was put together in Feb 2026 for the future me, for when I am ready to move what I have onto the always-on homelab/server I am currently building. And if it somehow helps others on their own journey, that's awesome too!


Architecture Setup

Node 1: Home Server (Internal App & Vault)

Located in my home. Handles heavy compute, media storage, media-server transcoding and the automated P2P download stack.

| Component | Detail |
|---|---|
| OS | CachyOS (Arch Linux) |
| CPU / RAM | AMD Ryzen 5 7600X / 32GB DDR5 |
| GPU | Radeon RX 5600 XT |
| Storage | 2x 1TB NVMe + 2x 2TB HDDs in a MergerFS vault + 500GB Crucial SSD as "scratch" disk |
| Network | Marvell 10GbE + Firewalld VLAN isolation + Tailscale |

Node 2: VPS (The Edge Gateway)

OVH SG Datacentre. Handles public ingress, identity, notifications and container management/orchestration.

| Component | Detail |
|---|---|
| OS | Ubuntu 24.04 (VPS) |
| CPU / RAM | 4 vCPU / 8GB RAM |
| Network | High-bandwidth public edge + Tailscale |
| Core Services | Caddy (Proxy), VoidAuth (SSO), Komodo (Orchestration), MkDocs, Gotify |

Architecture Highlights for Media Server

The "Two-Zone" Security Model

The default Docker bridge is bypassed in favour of user-defined networks so that isolation can be enforced.

  • Zone 1: 172.20.0.0/24. Internal apps with static Docker IPs talk here.
  • Zone 2 (VPN bubble): the P2P clients (qBittorrent/Transmission) have no IP address of their own. They use network_mode: service:gluetun, routing 100% of their traffic through AirVPN (WireGuard).
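The two-zone layout as a Docker Compose sketch, added here as an example and not the repository's own stack file: a user-defined bridge with static addresses for Zone 1, and a gluetun sidecar whose network namespace qBittorrent borrows. The network name internal_net, the scratch-disk path and the WireGuard key values are placeholders.

```yaml
# Added example, not the repository's own compose file: the two-zone layout
# described above. Network name, paths and key material are placeholders.
networks:
  internal_net:                    # Zone 1 (assumed name)
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24

services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: airvpn
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: "<placeholder-private-key>"
      WIREGUARD_PRESHARED_KEY: "<placeholder-preshared-key>"
      WIREGUARD_ADDRESSES: "<placeholder-tunnel-address>/32"
      # Allow replies to Zone 1 apps (e.g. Radarr) outside the tunnel,
      # and accept inbound connections to the qBittorrent WebUI port.
      FIREWALL_OUTBOUND_SUBNETS: 172.20.0.0/24
      FIREWALL_INPUT_PORTS: "8080"
    networks:
      internal_net:
        ipv4_address: 172.20.0.10  # the only address the P2P stack answers on
    ports:
      - "8080:8080"                # WebUI is published here, not on qbittorrent

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    # Zone 2: no network, IP or ports of its own. Every packet leaves through
    # gluetun's namespace, so a tunnel outage means no connectivity, not a leak.
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      WEBUI_PORT: "8080"
    volumes:
      - /mnt/scratch/downloads:/downloads   # assumed scratch-disk path

  radarr:
    image: lscr.io/linuxserver/radarr
    networks:
      internal_net:
        ipv4_address: 172.20.0.20
    # Radarr reaches qBittorrent at http://172.20.0.10:8080, i.e. gluetun's IP.
```

A quick check of the model is `docker exec qbittorrent ip addr`, which should show only the tunnel interface alongside loopback, and no address in 172.20.0.0/24 of its own.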

Scratch Disk to Vault

  • Concept: Downloads and unpacking hit a dedicated 500GB SSD, which absorbs the heavy random I/O and prevents the mechanical drives from thrashing.
  • Result: Finalized media is migrated sequentially to the unified 4TB MergerFS HDD vault for long-term, buffer-free storage.

Zero-Touch Automation

  • Pipeline: Seerr (Request) → Radarr (Monitored) → Prowlarr (Search) → Gluetun-qBittorrent (Download) → Radarr (Import) | Bazarr (Subtitles) → Jellyfin (Stream) → Gotify (Notify)
  • Result: A fully automated experience where content appears on its own after being requested.

Defense-in-Depth

  1. Kernel: Firewalld drops all Docker-to-LAN traffic (software VLAN).
  2. Ingress: Caddy handles TLS and GeoIP blocking (Singapore only).
  3. Behavior: CrowdSec bans IPs showing aggressive behavior (brute force, scanners).
  4. Identity: VoidAuth enforces authentication for selected publicly exposed services/containers.

Tech Stack / Tools

| Name | Description |
|---|---|
| CachyOS | Base OS. An Arch Linux-based distribution. |
| Docker | Runtime. Containerization engine for isolating application services. |
| Caddy | Ingress. Secure reverse proxy with automatic HTTPS and GeoIP filtering. |
| CrowdSec | Security. Collaborative IPS detecting and blocking aggressive IP behaviors. |
| VoidAuth | Identity. Lightweight OIDC provider handling Single Sign-On (SSO). |
| Gluetun | VPN Tunnel. AirVPN (WireGuard) client acting as a sidecar for secure downloads. |
| Tailscale | Mesh Network. Remote access and intra-server mesh management. |
| Jellyfin | Media Server. Streaming server. |
| Seerr | Requests. Frontend for automated content discovery. |
| Radarr | Automation. Movie collection manager and downloader integration. |
| Sonarr | Automation. TV series management and calendar automation. |
| Profilarr | Management. Synchronizes quality profiles across *Arr applications. |
| Prowlarr | Indexers. Centralized management for torrent trackers. |
| FlareSolverr | Proxy. Solves Cloudflare challenges to allow Prowlarr indexer access. |
| qBittorrent | Downloader. BitTorrent client routed through the VPN. |
| Transmission | Downloader. BitTorrent client routed through the VPN. |
| Beszel | Monitoring. Lightweight agent tracking LVM, CPU and Docker metrics. |
| Dozzle | Monitoring. WebUI to monitor Docker logs. |
| Homepage | Dashboard. Central start page with live service widgets. |
| Kopia | Backup. Deduplicated backups to Cloudflare R2. |
| GoAccess | Analytics. Real-time visual web log analyzer for Caddy. |
| Gotify | Notifications. WebUI and backend server for push notifications. |
| Cloudflare | Network. DNS management, DDNS updates and object storage (R2). |


📸 Gallery

Screenshots: Homepage, GoAccess, VoidAuth, Jellyfin, Seerr, Beszel.

About

Core Services for my homelab deployments. Segmented Docker Compose configs for media server, monitoring, networking, and operations stacks.
