Home Server Chronicles: My Docker-Powered Ecosystem — Part 2
Deep dive into the backbone of secure external access: Nginx Proxy Manager, Authentik SSO/2FA, and Tailscale VPN — the core services that make everything work.
Welcome to Part 2 of my Home Server Chronicles! In Part 1, we explored the overall architecture and philosophy behind my Docker-powered ecosystem. Now, let's dive into the core services that form the backbone of secure external access.
These three services work together to create a robust, secure gateway to my home lab:
Nginx Proxy Manager — Reverse proxy with SSL termination
Authentik — SSO/2FA identity provider
Tailscale — Mesh VPN for remote access
Nginx Proxy Manager: The Traffic Director
Why NPM Over Traefik?
I chose Nginx Proxy Manager over Traefik for several reasons:
Web UI: Clean, intuitive interface for managing proxy hosts
SSL Certificates: Automatically managed via Let's Encrypt:
Wildcard certificates for *.jay739.dev
Auto-renewal every 60 days
HTTP to HTTPS redirect enforced
Dark Theme: Integration with theme.park for consistent dark mode across all services.
Authentik: The Identity Provider
Full SSO with Two-Factor Authentication
Authentik is a self-hosted identity provider that acts as the SSO layer across all my services. It replaced Authelia early on because I needed richer features — SAML/OIDC support, user management UI, and application-level access policies. It integrates with Nginx Proxy Manager via forward-auth headers.
Architecture
User Request → NPM → Authentik (if protected) → Target Service
Configuration
In infra.yml, Authentik runs as a server + worker pair backed by its own PostgreSQL and Redis instances:
Initial Setup: Admin account created on first boot, users/groups managed via Authentik admin UI
TOTP/WebAuthn: Each user enrolls 2FA devices through the Authentik user dashboard
Application Providers: Each service registered as an Authentik Application with proxy provider
Session Management: Configurable session duration with remember-me support
Tailscale: The Mesh VPN
Why Tailscale?
Tailscale provides a WireGuard-based mesh VPN that connects all my devices without port forwarding or complex configuration:
Zero Config: No port forwarding, NAT traversal handled automatically
MagicDNS: Automatic DNS for all devices on the tailnet
Cross-Platform: Works on macOS, iOS, Android, Linux, Windows
WireGuard Under the Hood: State-of-the-art cryptography
Exit Nodes: Route traffic through any device on the tailnet
Setup
Tailscale runs natively on the host (not in a container) for best performance:
# Install and authenticate
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --accept-routes --advertise-exit-node
Network Layout
My Tailscale tailnet connects 8 devices across multiple platforms:
Batcave (100.89.188.84) ←→ Oracle VPS (100.80.153.103)
↕ ↕
MacBook Air (100.103.152.9) iPhone (100.105.125.76)
Mac Mini (100.104.170.37) Pixel 7 (100.79.158.25)
The Oracle VPS acts as an exit node, and all services bind to both the LAN IP (10.0.0.101) and Tailscale IP (100.89.188.84) for multi-path access.
Split DNS
I use dnsmasq on Batcave with custom DNS records pointing *.jay739.dev to the LAN IP (10.0.0.101), so devices on the local network can reach services directly without depending on Tailscale. See my Tailscale resilience post for how I eliminated Tailscale as a single point of failure.
Traffic Flow: How It All Works Together
Here's the complete request flow for a protected service:
flowchart TD
A[User Request] --> B[Nginx Proxy Manager]
B --> C{Protected Service?}
C -->|Yes| D[Authentik Authentication]
C -->|No| E[Direct to Service]
D --> F{Valid Session?}
F -->|No| G[Login + 2FA]
F -->|Yes| E
G --> H[TOTP/WebAuthn Verification]
H --> E[Forward to Service]
E --> I[Service Response]
I --> J[User]
In Part 3, we'll explore the Infrastructure Layer — the tools that keep everything running smoothly:
Portainer: Container management with a web UI
VS Code Server: Cloud-based development environment
Netdata: Real-time system monitoring
Watchtower: Automated container updates
Backup Strategy: Protecting your data
This foundation of core services makes everything else possible. With secure access, authentication, and VPN connectivity in place, we can confidently expose our services to the internet while maintaining tight security controls.