Self-hosted Docker stack on Proxmox · Managed via Forgejo CI/CD · Automatic TLS · 2FA on everything
Internet
│
▼
Cloudflare DNS (DNS-only, no proxy)
│
▼
Traefik v3 (reverse proxy · TLS termination)
├── CrowdSec bouncer (IP blocking)
└── Authelia (2FA / SSO)
│
├── 🌐 Public services (Authelia-protected)
│ ├── Nextcloud · Immich · Vaultwarden
│ ├── n8n · Grafana · Guacamole · Portainer
│ └── ntfy · Forgejo · Excalidraw
│
└── 🔒 VPN-only
├── Homepage dashboard
├── Proxmox UI
└── Router UI
WireGuard ── 10.x.x.0/24
Tailscale ── overlay network
Service
Description
Auth
Traefik Reverse proxy, automatic TLS via Cloudflare DNS challenge
—
Authelia 2FA / SSO provider for all exposed services
—
CrowdSec Intrusion detection + Traefik bouncer for IP blocking
—
WireGuard VPN server
—
ddclient Dynamic DNS updater
—
Service
Description
Auth
Nextcloud Primary cloud storage & collaboration
Nextcloud
Nextcloud Media
Secondary Nextcloud instance for media
Nextcloud
Immich Self-hosted photo & video library with ML
Immich
Vaultwarden Bitwarden-compatible password manager
Vaultwarden
Service
Description
Auth
n8n Low-code workflow automation
Authelia
Forgejo Self-hosted Git forge
Forgejo
Forgejo Runner
CI/CD pipeline executor
—
Renovate Automated dependency updates
—
Service
Description
Auth
Grafana Dashboards & visualization
Authelia
Prometheus Metrics collection & storage
—
Alertmanager Alert routing → ntfy
—
cAdvisor Container metrics
—
Node Exporter
Host system metrics
—
ntfy Push notification broker
ntfy auth
Service
Description
Auth
Portainer Docker management UI
Authelia
Guacamole Clientless remote desktop gateway
Authelia
Homepage Service dashboard
Local/VPN only
Excalidraw Self-hosted whiteboard
Authelia
Watchtower Container image auto-updater
—
Powered by Forgejo Actions with three pipelines:
Workflow
Trigger
What it does
deploy.ymlPush to master
Detects changed services, SSH-deploys only those
renovate.ymlWeekly (Sat 8AM)
Opens PRs to update pinned Docker image versions
security-scan.ymlPush + weekly (Sun 4AM)
Runs Gitleaks (secrets) + Grype (CVEs)
Auto-merge is enabled for minor/patch updates. Major updates and security-critical services (traefik, authelia, crowdsec) require manual review.
Docker + Docker Compose v2
A domain with Cloudflare DNS
Cloudflare API token with DNS edit permissions
Create the shared Traefik network docker network create traefik cd < service-directory>
cp .env.example .env
# Fill in .env with real values1. networking/traefik
2. networking/crowdsec
3. networking/authelia
4. Everything else (any order)
Alertmanager doesn't support env var substitution natively. Generate the config before starting:
export $( grep -v ' ^#' | xargs) < monitoring/alertmanager/alertmanager.yml.tmpl > monitoring/alertmanager/alertmanager.yml
Mount
Purpose
/Root filesystem, Docker volumes
/mnt/immichImmich original photos
/mnt/immich-thumbsImmich thumbnails & previews
/mnt/mediaShared media files
/mnt/small-nxtcNextcloud Media instance data
/mnt/forgejoForgejo repositories
Every service follows the same conventions:
Independent compose files — each service has its own compose.yml, deployed separatelyPinned image versions — all images locked to specific tags with # renovate: datasource=docker for auto-updates.env for secrets.env.example provided as templateSecurity hardening — no-new-privileges:true, cap_drop: ALL, minimal cap_addResource limits — CPU and memory limits on every containerHealthchecks — 30s interval, 5s timeout, 3 retries on all servicesTraefik labels — standardized label pattern for routing, TLS, and middleware
Variable
Description
PUID / PGIDUser/group ID (typically 1000)
TZTimezone (e.g. Europe/Madrid)
TRAEFIK_DOMAINService subdomain
TRAEFIK_ROUTER_NAMEUnique router name for Traefik
TRAEFIK_CERT_RESOLVERCertificate resolver (cloudflare)