Plex Radarr Grafana Loki CrowdSec
Self-hosted · Docker · Windows 11

Infrastructure that runs itself.

25+ containers orchestrated through Docker Compose on WSL2, secured behind Authelia SSO and CrowdSec, monitored with Prometheus and Grafana. Internal apps use *.home.aahmed.ca, with selected public endpoints on dedicated hostnames.

Ingress Flow
Every request passes through five layers before reaching a service.
Internet (:80 / :443) → Caddy reverse proxy → CrowdSec IPS (LAPI) → Authelia SSO (2FA) → backend on 127.0.0.1 (Radarr, Sonarr, Grafana, Plex + 20 more services). TLS via Cloudflare DNS-01 certificates · https://{service}.home.aahmed.ca
Request lifecycle from WAN to service
Core Stack

Media Server
Plex for movies, TV, and live TV via IPTV tuners.
Plex:32400

Media Automation
Automated acquisition and library management via the *arr stack.
Radarr · Sonarr · Prowlarr · Readarr · Whisparr · Bazarr

Downloads
qBittorrent via Gluetun WireGuard VPN. SABnzbd for Usenet.
qBittorrent · VPN · SABnzbd · Gluetun

IPTV
Threadfin + Xteve M3U proxies for Plex Live TV, VPN-routed.
Threadfin · Xteve · VPN

Dashboards
Media requests, watch history, library cleanup, and unified dashboard.
Overseerr · Requestrr · Tautulli · Homarr · Maintainerr

AI / ML
GPU-accelerated local LLM inference with Authelia SSO.
Ollama · Open WebUI · NVIDIA

Processing
GPU transcoding and Cloudflare bypass for indexers.
FileFlows · Flaresolverr · GPU

Utilities
Auto-extraction, TRaSH profile sync, container updates.
Unpackerr · Recyclarr · Watchtower
Defense in Depth

Caddy Reverse Proxy
  • HTTPS via Cloudflare DNS-01 certificate renewal
  • All backends bound to 127.0.0.1
  • JSON access logs feed CrowdSec in real time

Authelia SSO
  • forward_auth on every Caddy route
  • Two-factor: passkey + biometric or TOTP
  • OIDC provider for Homarr, Grafana

CrowdSec IPS
  • Community blocklists + log analysis
  • Bouncer queries LAPI every 15s
  • Collections: caddy, authelia, http-cve

Wazuh SIEM
  • Log aggregation via Wazuh Manager
  • OpenSearch indexer for security events
  • Dashboard at wazuh.home.aahmed.ca
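As an added example (not the author's own Caddyfile), one site block wired through the ingress layers listed above: CrowdSec check, Authelia forward_auth, then a loopback-only backend. It assumes Authelia on 127.0.0.1:9091, Radarr on its default port 7878, the caddy-dns/cloudflare and caddy-crowdsec-bouncer modules compiled into Caddy, and the API tokens supplied via environment variables.

```caddyfile
# Added example, not from the original page. Assumed: Authelia at 127.0.0.1:9091,
# Radarr at 127.0.0.1:7878, CF_API_TOKEN and CROWDSEC_API_KEY in Caddy's environment,
# caddy-dns/cloudflare and caddy-crowdsec-bouncer modules built in.
{
    # Bouncer polls the CrowdSec Local API every 15s for the current ban list
    crowdsec {
        api_url http://127.0.0.1:8080
        api_key {env.CROWDSEC_API_KEY}
        ticker_interval 15s
    }
}

radarr.home.aahmed.ca {
    # Certificate via DNS-01: no inbound HTTP challenge needs to reach the host
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }

    # Explicit route so the handler order is fixed: ban check, then auth, then app
    route {
        # Banned client IPs are rejected here, before any auth or application code
        crowdsec

        # Every route is gated by Authelia; 2FA policy is enforced on its side.
        # /api/authz/forward-auth is the Authelia 4.38+ forward-auth endpoint.
        forward_auth 127.0.0.1:9091 {
            uri /api/authz/forward-auth
            copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        }

        # Backend listens on loopback only, so it is unreachable except via Caddy
        reverse_proxy 127.0.0.1:7878
    }

    # JSON access log: Promtail ships it to Loki and CrowdSec parses it in real time
    log {
        output file /var/log/caddy/radarr.access.log
        format json
    }
}
```

A quick check that the loopback binding holds: `curl -sk https://<host-lan-ip>:7878` from another LAN device should be refused, while the same service answers through the Caddy hostname only after Authelia redirects to login.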
Observability
Scrape interval 30s · Metrics retention 15d · Log retention 30d · 30+ alert rules · 8 probes

Metrics pipeline: sources (cAdvisor, windows-exporter, Exportarr (6), Blackbox probes, SNMP · router) → Prometheus (30s scrape · 15d retention · 20+ jobs) → rules fire → Alertmanager (group · route · notify) → ntfy, Telegram → Grafana (dashboards · SSO · metrics + logs)
Log pipeline: sources (Docker containers, /var/log · syslog) → Promtail (ship · label) → Loki (30d retention) → Grafana; Uptime Kuma provides the status page
Metrics pipeline (left) and log pipeline (right) converge in Grafana
🔥

Prometheus

  • 20+ scrape jobs: exporters, cAdvisor, blackbox, SNMP
  • Alert rules: health, network, compliance, media, router
  • Alertmanager routes to ntfy + Telegram
📊

Grafana

  • Dashboards: system health, media, router, logs
  • Datasources: Prometheus + Loki
  • SSO via Authelia at grafana.home.aahmed.ca
📝

Loki + Promtail

  • All Docker containers + /var/log
  • Syslog on 1514/UDP for network devices
  • 30-day retention, local filesystem
🔍

Exporters & Probes

  • TCP, DNS, TLS, ICMP, HTTP blackbox probes
  • Exportarr: Sonarr, Radarr, Prowlarr, Readarr, SABnzbd
  • cAdvisor, windows-exporter, plex-exporter, Uptime Kuma
Network Topology
WAN / ISP → GL.iNet Router 192.168.8.1 (SNMP) → Docker host (Windows 11 · WSL2): proxy_net 172.30.0.0/16 carrying Caddy, Radarr, Sonarr and 20+ more services, all bound to 127.0.0.1; Gluetun (WireGuard VPN via Mullvad) wrapping qBittorrent, Threadfin, Xteve; Tailscale mesh 100.x.x.x for remote access; CoreDNS serving the home.aahmed.ca zone
Docker host networks, VPN isolation, and remote access overlay
🌐

Gluetun VPN Gateway

  • Mullvad WireGuard for torrent + IPTV
  • network_mode: "service:gluetun"
  • qBittorrent, Threadfin, Xteve isolated
📡

Split DNS + Tailscale

  • CoreDNS for home.aahmed.ca on Tailscale
  • Mesh VPN for remote access everywhere
  • Docker bridge proxy_net 172.30.0.0/16
Tooling & Scripts

PowerShell

  • $ validate-stack.ps1
  • $ prepare-monitoring.ps1
  • $ harden-rdp.ps1
  • $ cleanup-downloads.ps1
  • $ vm-control.ps1
  • $ cf-update-dns.ps1

Python

  • > add_missing_kuma_monitors.py
  • > plex-scan-corrupt-streams.py
  • > telegram-bot/app.py

Scheduled

  • Watchtower — daily 4 AM
  • Recyclarr — TRaSH sync
  • Cleanup — stale downloads
Platform
  • OS: Windows 11 Pro · Docker Desktop + WSL2
  • GPU: NVIDIA · Transcoding & LLM
  • Remote: Tailscale mesh · RDP
  • Config: Environment-driven · Conventional commits