A constellation of devices stitched together by a Tailscale mesh, a single Traefik reverse proxy, and a private DNS zone — running 16 Docker Compose service stacks at home.
Every machine joins a private Tailscale tailnet and takes on one job. The center of gravity is a Ryzen mini-server; the edges handle public hosting and AI inference.
Debian 13 on an AMD Ryzen mini-PC. The nerve center — runs all 16 Docker Compose stacks behind a single Traefik v3 proxy with Let's Encrypt TLS and Authelia SSO.
A Raspberry Pi at the internet-facing edge. Runs zipgo behind nginx, serving static sites to the open web under *.dev.gabvdl.xyz. Also hosts a remote MCP file endpoint.
A GMKTec mini-PC dedicated to local LLM inference via LM Studio (OpenAI-compatible API). Stays powered off until a Wake-on-LAN proxy wakes it on demand.
A Gluetun container wrapped in a Tailscale sidecar — advertises itself as a tailnet exit node, letting any device route its traffic through a US VPN with zero local config.
The original Raspberry Pi that once ran the whole stack. Superseded by the Ryzen server, now powered off but kept on the tailnet as a reference node.
A Pixel 9, a MacBook Air, and a Windows desktop join the tailnet to reach internal services from anywhere. The phone receives Home Assistant push notifications.
Each service is a Docker Compose stack on the main bridge network, routed by Traefik at <name>.lab.gabvdl.xyz and gated behind Compose profiles.
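One way to wire a stack into this pattern, as an added example rather than one of the page's own Compose files: a Traefik v3 front door with a Let's Encrypt resolver, an Authelia forward-auth middleware, and a profile-gated app that is only routed when its profile is enabled. The network name `proxy`, the resolver name `le`, the DNS-01 provider, the ACME e-mail, the `tools` profile and the `whoami` placeholder app are assumptions; the `*.lab.gabvdl.xyz` hostnames follow the page's naming.

```yaml
# Added example, not the homelab's own stack definitions.
# Assumptions: shared bridge network "proxy", ACME resolver "le", DNS-01 via
# Cloudflare (token in CF_DNS_API_TOKEN), Authelia 4.38+ forward-auth endpoint.
services:
  traefik:
    image: traefik:v3
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only labelled containers are routed
      - --providers.docker.network=proxy
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      # *.lab names never resolve publicly (page's split horizon), so HTTP-01
      # cannot work; DNS-01 is the challenge that issues for them.
      - --certificatesresolvers.le.acme.email=admin@example.com   # assumption
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.dnschallenge=true
      - --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare   # assumption
    environment:
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}   # assumption: scoped to the one zone
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # root-equivalent; see note below
      - ./letsencrypt:/letsencrypt
    networks: [proxy]
    restart: unless-stopped

  authelia:
    image: authelia/authelia:4.38
    volumes:
      - ./authelia:/config
    networks: [proxy]
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.http.routers.authelia.rule=Host(`auth.lab.gabvdl.xyz`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls.certresolver=le
      # Request one wildcard cert: individual service names then never appear
      # in Certificate Transparency logs.
      - traefik.http.routers.authelia.tls.domains[0].main=lab.gabvdl.xyz
      - traefik.http.routers.authelia.tls.domains[0].sans=*.lab.gabvdl.xyz
      - traefik.http.services.authelia.loadbalancer.server.port=9091
      # forward-auth middleware every gated router references as authelia@docker
      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth
      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email

  whoami:
    image: traefik/whoami
    profiles: [tools]   # absent from `docker compose up` unless --profile tools is given
    networks: [proxy]
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.lab.gabvdl.xyz`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=le
      - traefik.http.routers.whoami.middlewares=authelia@docker   # SSO gate
      - traefik.http.services.whoami.loadbalancer.server.port=80   # plain HTTP on the bridge

networks:
  proxy:
    external: true
```

Two checks worth making on any stack built this way: `exposedbydefault=false` means a container with no `traefik.enable=true` label is unreachable through the proxy, so a forgotten label fails closed rather than open; and the Docker socket mount gives Traefik the ability to start privileged containers even when mounted `:ro`, so a socket proxy that only allows read-only container listing is the usual hardening.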
How devices talk to each other. Every hop rides the Tailscale mesh, where WireGuard encrypts and authenticates each peer link, so most internal links stay plain HTTP; only the Traefik front door and the public edge terminate TLS.
LibreChat on homelab proxies to the EVOX2's local model, waking the box first if it's asleep. RAG via pgvector + Meilisearch.
Static sites are built on homelab and rsynced over Tailscale to zipgo on raspy2, which serves them publicly with Let's Encrypt HTTPS.
The *arr suite indexes and organizes the media library; Jellyfin streams it to any device on the tailnet.
Automations push alerts — new episodes, download finished, coffee reminders — straight to the phone over the mesh.
Selecting the VPN exit node sends a device's traffic out through NordVPN — no VPN client to install locally.
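The exit-node box described above (the Gluetun container wrapped in a Tailscale sidecar) can be expressed as a two-container stack; this is an added example, not the homelab's own file. The tailnet hostname `vpn-exit`, the secret variable names and the country selector are assumptions; Gluetun's NordVPN WireGuard variables and the `tailscale/tailscale` image's `TS_*` variables are real.

```yaml
# Added example, not the homelab's own stack definition.
# Assumptions: NordVPN WireGuard key in NORD_WG_KEY, a reusable tagged
# pre-auth key in TS_AUTHKEY, tailnet hostname "vpn-exit".
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add: [NET_ADMIN]
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=nordvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${NORD_WG_KEY}
      - SERVER_COUNTRIES=United States        # assumption: any US server
      # Gluetun's firewall drops everything that is not the VPN tunnel,
      # so nothing in this network namespace can leak to the ISP.
    volumes:
      - ./gluetun:/gluetun
    restart: unless-stopped

  tailscale:
    image: tailscale/tailscale:latest
    network_mode: service:gluetun           # share gluetun's namespace and kill switch
    environment:
      - TS_HOSTNAME=vpn-exit                # assumption
      - TS_AUTHKEY=${TS_AUTHKEY}            # tagged, reusable key from the admin console
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=true                   # netstack: no TUN or NET_ADMIN needed here
      - TS_EXTRA_ARGS=--advertise-exit-node
    volumes:
      - ./ts-state:/var/lib/tailscale       # node key survives restarts
    depends_on:
      - gluetun
    restart: unless-stopped
```

A client opts in with `tailscale set --exit-node=vpn-exit`; the advertised exit node must first be approved in the admin console or by an ACL auto-approver. In userspace mode tailscaled forwards TCP and UDP for peers by opening ordinary sockets, and those sockets live inside gluetun's namespace, so Gluetun's kill-switch firewall is what guarantees the traffic leaves only through the VPN tunnel. Because inbound traffic cannot reach the node through the VPN provider, peers reach it via DERP relays rather than direct connections, which costs throughput but not confidentiality.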
A home LAN behind an ISP router, overlaid with a Tailscale mesh and split-horizon DNS — internal names point inward, public names point at the edge.
*.lab.gabvdl.xyz: resolved by CoreDNS to the homelab's private mesh address. Internal services simply don't exist outside the tailnet, though unresolvable is not the same as unreachable; tailnet membership and the Authelia gate in front of Traefik are the actual access control.
*.dev.gabvdl.xyz: resolved by public DNS to raspy2 at the edge. These are the published sites, reachable by anyone.