Homelab Secure Access Orchestrator


Automatically configure secure external access for self-hosted apps across Cloudflare, Tailscale, reverse proxies, and authentication layers.

Added May 28, 2026

7 signals

Developer Tools
Cybersecurity
Home Server
Opportunity Score: Medium (52%)
Evidence Strength: Vol 7%, Urg 52%, Spec 52%
Market Analysis: medium; $ high; 2M-5M self-hosting and homelab users
The Problem

Homelab users want to expose Jellyfin, Nextcloud, game servers, dashboards, and other self-hosted services without opening dangerous ports or confusing family members with VPN setup. They struggle to combine reverse proxies, certificates, tunnels, dynamic DNS, Authentik, Docker, Kubernetes, and firewall rules into a setup that is actually secure and works reliably.

Potential Solution

A web-based orchestration tool scans a user's homelab services and generates deployable configurations for Traefik, Nginx Proxy Manager, Cloudflare Tunnel, Tailscale, Authentik, Let's Encrypt, Docker Compose, and Kubernetes ingress. It validates DNS, certificates, proxy headers, authentication policies, and exposure risk, then provides one-click fixes or ready-to-run config updates.

Why Now?

Self-hosting and homelab adoption are growing as users move media, password management, storage, and game servers onto cheap mini PCs and NAS devices. At the same time, secure remote access has become more complex with tunnels, zero-trust auth, dynamic DNS, and reverse proxy stacks replacing simple port forwarding.

Would this idea work, using a cloudflare tunnel in combination with my dynamic DNS subdomain to expose my internal services securely?

I'm not entirely sure if I have my mental model correct, so please correct me if I'm off the mark here. Since cloudflare tunnels themselves are free as far as I know, and I already have a free dynamic DNS subdomain, is it possible to combine the two securely to make my internal services visible without running afoul of ISP terms of service or painting a giant hack me sign on my network? I think what I would do to add another layer of security is to have all of my services behind Authentik before they go to the load balancer.

Added May 28, 2026
reddit
Traefik not working with CloudFlare Proxy

I am trying to migrate from Nginx Proxy Manager to Traefik. I have successfully gotten it working with some of my self-hosted services that are internal only, but I can't get it to load anything that goes through CloudFlare Proxy. I am unsure what I am doing wrong, but maybe someone here can help. When I try to go to a service that is behind CloudFlare Proxy, my browser says that it can't connect to the server. Here is a copy of my Docker Compose for both a service behind CloudFlare Proxy and my Traefik container itself. Also, if possible, I would like to turn off TLS on any service behind CloudFlare Proxy, but it's not working, or maybe I have the wrong label set.

services:
  traefik:
    image: traefik:v3.7
    restart: unless-stopped
    command:
      - "--providers.docker"
      - "--api.insecure=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik"
      # ACME Configuration
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "[email protected]"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      # Traefik entrypoint configuration
      - "--entryPoints.websecure.address=:443"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # Lets Encrypt Configuration
      - "--entrypoints.websecure.http.tls=true"
      - "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
      - "--entrypoints.websecure.http.tls.domains[0].main=mgmt.mydomain.xyz"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.mgmt.mydomain.xyz"
    secrets:
      - "cloudflare-token"
      - "cloudflare-email"
    environment:
      - "CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare-token"
      - "CF_API_EMAIL_FILE=/run/secrets/cloudflare-email"
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./letsencrypt:/letsencrypt
    networks:
      - net
      - traefik

networks:
  net: {}
  traefik:
    external: true

secrets:
  cloudflare-token:
    file: "./secrets/cloudflare-token.secret"
  cloudflare-email:
    file: "./secrets/cloudflare-email.secret"

services:
  filebrowser:
    image: gtstef/filebrowser:latest
    user: filebrowser
    environment:
      FILEBROWSER_CONFIG: "data/config.yaml"
    volumes:
      - ./data:/folder
      - ./config:/home/filebrowser/data
      - ./tmp:/home/filebrowser/tmp
    ports:
      - 8081:80
    restart: unless-stopped
    networks:
      - net
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.filebrowser.rule=Host(`files.mydomain.xyz`)"
      - "traefik.http.routers.filebrowser.entrypoints=websecure"
#      - "traefik.http.routers.filebrowser.tls=false"

networks:
  net: {}
  traefik:
    external: true

Added May 28, 2026
reddit
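A minimal version of the exposure and certificate checks that the orchestrator described under "Potential Solution" would run, applied to the compose files in the post above. This is an added example, not code from the post or from Traefik itself; the input data is retyped from the post, and the three checks (an unauthenticated API port, Host rules outside the declared certificate domains, and service ports published around the proxy) are this example's own choices.

```python
import re

# Constructed input: the Traefik flags, published ports and filebrowser labels from the
# compose files in the post above, retyped as Python data (no YAML library needed).
TRAEFIK_COMMAND = [
    "--api.insecure=true", "--providers.docker.exposedbydefault=false",
    "--entrypoints.websecure.http.tls.domains[0].main=mgmt.mydomain.xyz",
    "--entrypoints.websecure.http.tls.domains[0].sans=*.mgmt.mydomain.xyz",
]
TRAEFIK_PORTS = ["80:80", "443:443", "8080:8080"]
SERVICES = {"filebrowser": {"ports": ["8081:80"], "labels": [
    "traefik.http.routers.filebrowser.rule=Host(`files.mydomain.xyz`)",
    "traefik.http.routers.filebrowser.entrypoints=websecure"]}}

def parse_flags(command):
    """'--a.B=c' -> {'a.b': 'c'}: Traefik flag names are case-insensitive; a bare flag means true."""
    flags = {}
    for item in command:
        key, _, value = item.lstrip("-").partition("=")
        flags[key.lower()] = value or "true"
    return flags

def cert_domains(flags):
    """All main/SAN names declared under <entrypoint>.http.tls.domains[N]."""
    return [d.strip() for k, v in flags.items()
            if ".http.tls.domains[" in k and k.endswith((".main", ".sans")) for d in v.split(",")]

def host_rules(labels):
    """Hostnames from Host(`...`) matchers in traefik.http.routers.<name>.rule labels."""
    return [h for lbl in labels if lbl.startswith("traefik.http.routers.") and ".rule=" in lbl
            for h in re.findall(r"Host\(`([^`]+)`\)", lbl)]

def covered(host, domains):
    """A wildcard SAN matches exactly one extra label (RFC 6125), never nested subdomains."""
    for d in domains:
        if d.startswith("*.") and host.endswith(d[1:]) and "." not in host[:-len(d) + 1]:
            return True
        if d == host:
            return True
    return False

def audit(command, traefik_ports, services):
    flags, findings = parse_flags(command), []  # host side of '8080:8080' is before the colon
    if flags.get("api.insecure") == "true" and any(p.split(":")[0] == "8080" for p in traefik_ports):
        findings.append("traefik: --api.insecure=true with port 8080 published exposes the API/dashboard unauthenticated")
    domains = cert_domains(flags)
    for name, svc in services.items():
        for host in host_rules(svc.get("labels", [])):
            if not covered(host, domains):
                findings.append(f"{name}: {host} is outside declared tls.domains {domains}; needs its own certificate")
        for spec in svc.get("ports", []):
            findings.append(f"{name}: host port {spec.split(':')[0]} published directly, bypassing the proxy and its auth middleware")
    return findings
```

Run `audit(TRAEFIK_COMMAND, TRAEFIK_PORTS, SERVICES)` to get the three findings for this post's config; an empty list means none of the checks fired.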
Guidance on certs and a personal/private k8s cluster

Hello all, I've gone about learning k8s the wrong way around: I started in prod at work with an already established cluster (i.e. I can get around with `kubectl`, `k9s` and `ArgoCD`), but I want to learn more and dabble on my own. I have a homelab set up on a multi-node Proxmox cluster, serving various applications behind Pangolin deployed to a VPS so my home IP is never associated with my domain. My goal, mostly as a learning experience but also ideally as a permanent refactor, is to transition what I've deployed as LXCs and Docker containers in VMs into deployments in a k8s cluster spanning the Proxmox nodes. However, I still intend to stay behind the Pangolin fence and not directly expose my home network to the internet.

I've gotten as far as standing up the cluster (3/6 Talos nodes), installing a couple of plugins (Cilium for CNI, proxmox-csi for CSI), and am now at the stage where I plan to set up Ingress using Traefik. Just about everything I've read directs me to set up Traefik (or, separately, cert-manager) with LetsEncrypt to automagically handle the creation of certs for any endpoints that are to be exposed. I expect to be able to do this without any real issue (Pangolin uses Traefik under the hood, and I've previously set that up to work with a wildcard cert for my domain); however, I'm stumped on the actual logic of it. Assuming I configure Traefik to handle certs, my domain is not associated with my home IP, nor do I want my k8s ingress points to be directly accessible outside my home network. It sounds to me like the best way forward is to have it work with a self-signed cert, though my initial worry is how I will get other devices on my network to trust that. I'd ideally like to navigate to my exposed endpoints by a name (endpoint.homelab.svc.local or somesuch) and not IP:port...

Essentially, I'm looking for a bit of "best path forward" advice, as my general k8s knowledge foundation is not yet solidified.

Would an Optiplex 3060 MT with an Intel 8500 be enough?

I want to run Docker, Tailscale, Vaultwarden, Nextcloud, and maybe a Minecraft server for 5 people playing simultaneously, but my priority would be Jellyfin with the arr stack.
