My Homelab
A self-hosted infrastructure built around privacy, control, and curiosity — every service accessible over a private VPN mesh, secured with automatic HTTPS, and reachable through custom domains without exposing a single port to the public internet.
The System at a Glance
VPS / Proxy
Edge entry point — routes traffic into the private network
- Traefik
- Homepage
App Server
Runs the day-to-day application workloads
- n8n
- Portainer
- OpenWebUI
Virtualization Host
Provides compute isolation and persistent storage
- Proxmox
- Synology NAS
Traffic flows through the VPS where Traefik terminates TLS and routes requests over the Tailscale mesh to the appropriate backend — whether that's an automation workflow on the app server, a virtual machine on Proxmox, or a file share on the Synology NAS.
Private by Design
Split-Horizon DNS
A wildcard A record points all subdomains at the VPS. Adding a new service means adding a Docker label or a Traefik file-provider rule — no DNS changes, no port forwarding, no manual certificate steps.
Tailscale VPN
Every node joins a zero-config WireGuard mesh. Services are only reachable from inside the tailnet, so there is no public attack surface. Devices authenticate through SSO and keys rotate automatically.
SSL via DNS-01
Traefik obtains and renews Let's Encrypt certificates using DNS-01 challenges through the Cloudflare API. HTTPS works everywhere — including private-only domains — without opening port 80 or 443 to the internet.
UFW Firewall
The VPS firewall allows inbound traffic only on the Tailscale interface. Even if someone discovers the server's public IP, there are no open ports to probe.
The Services
Traefik
Reverse proxy backbone
The single entry point for every HTTP request. Traefik discovers services automatically through Docker labels and file-provider rules, provisions TLS certificates via DNS-01, and routes traffic across the tailnet. Adding a new service is a one-label operation.
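As an added example (not the author's own files), here is how the pieces from Private by Design and the Traefik section fit together on the VPS: a Cloudflare DNS-01 resolver, a file-provider route that sends n8n.mdwoodruff.me over the tailnet to the app server, and the HTTPS entry point published only on the VPS's Tailscale address so that Docker's own iptables rules cannot bypass UFW. The 100.64.x.x addresses, the ACME e-mail, and the file paths are placeholders.

```yaml
# docker-compose.yml on the VPS (constructed example, not the author's files)
services:
  traefik:
    image: traefik:v3
    command:
      - --providers.file.directory=/etc/traefik/dynamic
      - --providers.file.watch=true
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.cloudflare.acme.email=admin@example.invalid
      - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53
    environment:
      # Scoped Cloudflare API token (Zone:DNS:Edit on this zone only), read from
      # the shell environment so the secret never lands in the compose file.
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
    ports:
      # Publish 443 only on the VPS's Tailscale address (placeholder 100.64.0.1).
      # Docker inserts its own iptables rules ahead of UFW, so a bare "443:443"
      # would be reachable on the public interface despite the UFW policy below.
      - "100.64.0.1:443:443"
    volumes:
      - ./dynamic:/etc/traefik/dynamic:ro
      - ./acme:/letsencrypt
---
# ./dynamic/n8n.yml: file-provider route to n8n on the app server, reached
# over the tailnet (placeholder app-server Tailscale IP 100.64.0.2).
http:
  routers:
    n8n:
      rule: "Host(`n8n.mdwoodruff.me`)"
      entryPoints: [websecure]
      service: n8n
      tls:
        certResolver: cloudflare
  services:
    n8n:
      loadBalancer:
        servers:
          - url: "http://100.64.0.2:5678"

# UFW on the VPS: default-deny inbound, accept only on the Tailscale interface.
#   ufw default deny incoming
#   ufw allow in on tailscale0
#   ufw enable
```

Tailscale must be up before the Traefik container starts, because Docker refuses to publish a port on an address the host does not yet hold; the payoff is that an accidental `443:443` can no longer silently expose the proxy on the public IP.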
Proxmox
Virtualization platform
Runs VMs and LXC containers with hardware-level isolation. Each workload gets its own resource envelope, making it safe to experiment without risking production services.
n8n
Workflow automation
Connects services into automated pipelines — webhook triggers, API calls, data transforms — all defined visually and version-controlled.
Portainer
Container management
A visual management layer for Docker across multiple hosts. Deploy, monitor, and update containers without SSH sessions.
OpenWebUI
Self-hosted AI interface
A private chat interface for running local and remote LLMs. Conversations stay on-premises, and model access is fully controlled.
Homepage
Centralized dashboard
A single pane of glass for every running service. Integrates with Docker APIs and service health checks to show real-time status across the entire homelab.
Synology
Network-attached storage
The data sovereignty layer — file shares, backups, and media all live here on hardware I own. RAID provides redundancy, and Tailscale makes it accessible from anywhere.
How It All Connects
Imagine opening a browser on your phone and navigating to n8n.mdwoodruff.me. The request first hits a DNS wildcard record that resolves to the VPS. Because the VPS firewall only accepts traffic from the Tailscale interface, the connection is already authenticated — your device is part of the mesh.
Traefik, running on the VPS, matches the subdomain to a routing rule and forwards the request over the WireGuard tunnel to the app server where n8n is running in a Docker container. The TLS certificate was issued automatically through a DNS-01 challenge — no ports were opened, no manual renewal is needed.
The result is a system where adding a new service is as simple as deploying a container with the right labels. DNS, certificates, routing, and access control all happen automatically. Every service gets a clean URL, valid HTTPS, and zero public exposure — the kind of setup that lets you focus on building things instead of managing infrastructure.