Plex Wazuh Grafana Loki CrowdSec
Self-hosted · Docker · Windows 11

Infrastructure that runs itself.

25+ containers orchestrated through Docker Compose on WSL2, secured behind Authelia SSO, CrowdSec, and Wazuh SIEM with live CTI feeds. Network-layer detection via Suricata IDS and netifyd DPI on the GL-BE9300 router. Internal apps use *.home.aahmed.ca, with selected public endpoints on dedicated hostnames.

Ingress Flow
Every request passes through five layers before reaching a service.
Internet :80 / :443 → Caddy reverse proxy → CrowdSec IPS (LAPI) → Authelia SSO + 2FA → backends on 127.0.0.1 (Wazuh, Ollama, Grafana, Plex + 20 more services)
TLS: Cloudflare DNS-01 certificates · https://{service}.home.aahmed.ca
Diagram: request lifecycle from WAN to service
Core Stack
▶️ Media Server

Plex media server for self-hosted streaming with GPU-accelerated transcoding, DVR ingest, and curated libraries.

Plex · Tautulli

📚 Media Automation

Automated library management across film, television, books, subtitles, and release quality profiles.

Radarr · Sonarr · Readarr · Bazarr · Recyclarr

📋 Dashboards

Media requests, watch history, Discord request intake, and automated cleanup across the Plex ecosystem.

Overseerr · Requestrr · Tautulli · Homarr · Maintainerr

⬇️ Download Pipeline

qBittorrent and SABnzbd run through a dedicated Gluetun VPN gateway, with Unpackerr feeding completed imports back into the library managers.

qBittorrent · SABnzbd · Unpackerr · Gluetun

🔎 Indexers & Live TV

Prowlarr centralizes indexer sync, while Threadfin/xTeVe map IPTV sources into Plex-friendly channel lineups.

Prowlarr · Flaresolverr · Threadfin · xTeVe

🧠 AI / ML

GPU-accelerated local LLM inference with Authelia SSO.

Ollama · Open WebUI · NVIDIA

🎬 Processing

GPU-accelerated media transcoding, commercial trimming, and format conversion.

FileFlows · GPU · NVIDIA

🔧 Utilities

Quality profile sync, challenge handling, automated updates, and queue cleanup around the media stack.

Recyclarr · Watchtower · Flaresolverr · Unpackerr
Defense in Depth

Caddy Reverse Proxy

  • HTTPS via Cloudflare DNS-01 certificate renewal
  • All backends bound to 127.0.0.1
  • JSON access logs feed CrowdSec in real time

🔑 Authelia SSO

  • forward_auth on every Caddy route
  • Two-factor: passkey + biometric or TOTP
  • OIDC provider for Homarr, Grafana

🛡 CrowdSec IPS

  • Community blocklists + log analysis
  • Bouncer queries LAPI every 15s
  • Collections: caddy, authelia, http-cve

🔎 Wazuh SIEM

  • Windows agent on AsharPC — Sysmon + Security + FIM events
  • 30,000+ active rules; custom rules 100500–100800
  • Syslog TCP listener on :5140 for router alerts
  • OpenSearch indexer + dashboard at wazuh.home.aahmed.ca
Threat Detection
Layered detection across hosts, the network edge, and live threat intelligence.

Sysmon Detection Rules

  • Suspicious child from Office / Browser — T1566.001
  • Encoded / download commands — T1059.001
  • Lsass credential access — T1003.001
  • Remote thread injection — T1055
  • Registry persistence & C2 named pipes
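The rule categories above, expressed as host-based detection logic run over sample Sysmon events. This is an added example, not the page author's Wazuh ruleset or any script from the stack: the events are constructed dicts shaped like Sysmon EventData fields (Image, ParentImage, CommandLine, SourceImage, TargetImage, EventID), and the process match lists, the command-line pattern and the allowlist of processes that may open lsass.exe are assumptions chosen for illustration. The technique tags are the ones the page attaches to each category.

```python
"""Host-based detection logic for the Sysmon rule categories listed above.

Added example, not the page's Wazuh rules. Event field names follow the Sysmon
schema; the match lists, regex and lsass allowlist are assumptions.
"""
import re
from pathlib import PureWindowsPath

# assumed parent/child sets for "suspicious child from Office / Browser"
OFFICE_OR_BROWSER = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                     "chrome.exe", "msedge.exe", "firefox.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe"}
# assumed pattern for "encoded / download commands"
ENCODED_OR_DOWNLOAD = re.compile(
    r"(?i)(?:\s-e(?:nc(?:odedcommand)?)?\s|downloadstring|downloadfile|"
    r"invoke-webrequest|iwr\s|frombase64string)")
# processes that legitimately open lsass.exe on a typical workstation (assumed)
LSASS_ALLOW = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' when missing)."""
    return PureWindowsPath(path).name.lower() if path else ""


def detect(event: dict) -> list[tuple[str, str]]:
    """Return (rule_name, technique) hits for one Sysmon event."""
    hits = []
    eid = int(event.get("EventID", 0))
    if eid == 1:  # ProcessCreate
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent in OFFICE_OR_BROWSER and child in SHELL_CHILDREN:
            hits.append(("suspicious_child_from_office_or_browser", "T1566.001"))
        if ENCODED_OR_DOWNLOAD.search(event.get("CommandLine", "")):
            hits.append(("encoded_or_download_command", "T1059.001"))
    elif eid == 10:  # ProcessAccess
        if (basename(event.get("TargetImage", "")) == "lsass.exe"
                and basename(event.get("SourceImage", "")) not in LSASS_ALLOW):
            hits.append(("lsass_credential_access", "T1003.001"))
    elif eid == 8:  # CreateRemoteThread into another process
        if basename(event.get("SourceImage", "")) != basename(event.get("TargetImage", "")):
            hits.append(("remote_thread_injection", "T1055"))
    return hits


# constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\me\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 8, "SourceImage": r"C:\Users\me\Downloads\inj.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]


def scan(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each technique to the rule names that fired across all events."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for rule, tech in detect(ev):
            out.setdefault(tech, []).append(rule)
    return out


if __name__ == "__main__":
    for tech, rules in scan().items():
        print(tech, rules)
```

The allowlist is the part that needs tuning per host: security products and Windows system processes open lsass.exe routinely, so without it the T1003.001 rule is mostly noise. The registry-persistence and named-pipe categories from the list need Sysmon event IDs 12/13 and 17/18 and are not covered here.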

🧬 CTI & Enrichment

  • Daily feeds: Feodo C2 IPs, URLhaus domains, MalwareBazaar hashes
  • CDB match rules fire at level 14–15 on network/FIM events
  • AbuseIPDB v2 enrichment — score, ISP, country posted to Discord
  • YARA active response on FIM file-create; VirusTotal hash lookup
  • IOC SQLite DB — 15-min collector; daily Discord threat hunt report
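How the daily feeds become something a Wazuh CDB match rule can look up, as an added example rather than the page's update_cti_feeds.py. It assumes each feed is plain text with one indicator per line and `#` comment lines, which is the shape of the Feodo Tracker and URLhaus text exports (check the export you actually pull; the embedded feed bodies are constructed samples). The CDB `key:value` layout is Wazuh's documented list format; the list file names, the tag values and the lists directory are assumptions.

```python
"""Turn raw threat-intel feed text into Wazuh CDB list files.

Added example, not the page's update_cti_feeds.py. Feed bodies below are
constructed; list names, tags and /var/ossec/etc/lists are assumptions.
"""
import hashlib
import ipaddress
import re
from pathlib import Path

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# constructed sample feed bodies standing in for the downloaded files
FEODO_SAMPLE = """# Feodo Tracker botnet C2 IP blocklist (constructed sample)
# Last updated: placeholder
192.0.2.10
192.0.2.10
198.51.100.7
not-an-ip
"""
URLHAUS_SAMPLE = """# URLhaus malicious domains (constructed sample)
EVIL.example.net
also-evil.example.org
bad host with spaces
"""
MALWAREBAZAAR_SAMPLE = """# MalwareBazaar SHA256 export (constructed sample)
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
NOTAHASH
"""


def _lines(text: str):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_ips(text: str) -> list[str]:
    out = set()
    for line in _lines(text):
        try:
            out.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # skip malformed entries instead of poisoning the list
    return sorted(out)


def parse_domains(text: str) -> list[str]:
    return sorted({l.lower() for l in _lines(text) if DOMAIN_RE.match(l.lower())})


def parse_hashes(text: str) -> list[str]:
    return sorted({l.lower() for l in _lines(text) if SHA256_RE.match(l.lower())})


def to_cdb(indicators: list[str], tag: str) -> str:
    """Render Wazuh CDB 'key:value' text. Keys may not contain ':' so IPv6
    addresses are excluded; the value is a short tag usable in alerts."""
    return "".join(f"{i}:{tag}\n" for i in indicators if ":" not in i)


def build_lists(feodo=FEODO_SAMPLE, urlhaus=URLHAUS_SAMPLE,
                bazaar=MALWAREBAZAAR_SAMPLE) -> dict[str, str]:
    return {
        "feodo-c2-ips": to_cdb(parse_ips(feodo), "feodo_c2"),
        "urlhaus-domains": to_cdb(parse_domains(urlhaus), "urlhaus"),
        "malwarebazaar-sha256": to_cdb(parse_hashes(bazaar), "malwarebazaar"),
    }


def write_lists(lists: dict[str, str], lists_dir: str = "/var/ossec/etc/lists") -> list[str]:
    """Write each list only when its content changed and return the names
    written, so the caller restarts the manager (which compiles the lists)
    only on days the feeds actually moved."""
    written = []
    for name, body in lists.items():
        target = Path(lists_dir) / name
        new_digest = hashlib.sha256(body.encode()).hexdigest()
        if target.exists() and hashlib.sha256(target.read_bytes()).hexdigest() == new_digest:
            continue
        target.write_text(body)
        written.append(name)
    return written


if __name__ == "__main__":
    for name, body in build_lists().items():
        print(f"--- {name}\n{body}", end="")
```

Validating every indicator before it lands in a list matters more than it looks: a feed line that is not an IP or hash never matches anything, but a stray line such as a comment with a colon would break the CDB compile and silently take the whole list out of service.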

📡 Suricata IDS & netifyd DPI

  • Suricata in LXC on GL-BE9300 — shares host netns, sniffs br-lan
  • netifyd nDPI engine — flow classification with ndpi_risk_score
  • High-risk flows forwarded via TCP syslog to Wazuh (:5140)
  • Rule 100800 fires at level 12 with MITRE T1071 tagging
Observability
30s scrape · 15d metrics · 30d logs · 30+ alerts · 8 probes

Metrics: cAdvisor, windows-exporter, Exportarr, Blackbox probes, SNMP (router) → Prometheus (30s scrape · 15d retention · 20+ jobs) → alert rules → Alertmanager (group · route · notify) → ntfy, Telegram
Logs: Docker containers, /var/log, syslog → Promtail (ship · label) → Loki (30d retention)
Grafana: dashboards · SSO, fed by both pipelines; Uptime Kuma: status page
Diagram: metrics pipeline (left) and log pipeline (right) converge in Grafana

🔥 Prometheus

  • 20+ scrape jobs: exporters, cAdvisor, blackbox, SNMP
  • Alert rules: health, network, compliance, media, router
  • Alertmanager routes to ntfy + Telegram

📊 Grafana

  • Dashboards: system health, media, router, logs
  • Datasources: Prometheus + Loki
  • SSO via Authelia at grafana.home.aahmed.ca

📝 Loki + Promtail

  • All Docker containers + /var/log
  • Syslog on 1514/UDP for network devices
  • 30-day retention, local filesystem

🔍 Exporters & Probes

  • TCP, DNS, TLS, ICMP, HTTP blackbox probes
  • Exportarr: application-specific Prometheus exporters
  • cAdvisor, windows-exporter, plex-exporter, Uptime Kuma
Network Topology
WAN / ISP → GL-BE9300 Flint3 192.168.8.1 (Suricata · netifyd) → Docker host (Windows 11 · WSL2): proxy_net 172.30.0.0/16 with Caddy, Radarr, Sonarr +20, all bound to 127.0.0.1
Tailscale mesh 100.x.x.x for remote access · CoreDNS serving the home.aahmed.ca zone
Diagram: Docker host networks, VPN isolation for torrent/IPTV traffic, and remote access overlay

🌐 Gluetun + Mullvad

  • Mullvad WireGuard tunnel for torrent + IPTV workloads
  • network_mode: "service:gluetun" for qBittorrent and companion containers
  • VPN-routed download traffic isolated from host and proxy networks

📡 Split DNS + Tailscale

  • CoreDNS for home.aahmed.ca on Tailscale
  • Mesh VPN for remote access everywhere
  • Docker bridge proxy_net 172.30.0.0/16

🛰 Router IDS — GL-BE9300 Flint3

  • Suricata in LXC container — host netns, sniffs br-lan directly
  • netifyd nDPI daemon — per-flow risk scoring on all LAN traffic
  • High-risk DPI events → TCP syslog → Wazuh :5140 → alert
  • Public file access at homefiles.aahmed.ca
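The forwarding step described in this card and in the Suricata IDS & netifyd DPI card above (high-risk DPI events → TCP syslog → Wazuh :5140), as an added example rather than the router's own forwarding script. The flow records are constructed dicts: only the `ndpi_risk_score` field name comes from the page, while the other fields, the manager address, the risk threshold, the syslog facility and the `netifyd:` tag are assumptions. Wazuh's remote syslog input accepts newline-delimited RFC 3164 lines over TCP, which is what the block produces; on the page the resulting events are what rule 100800 matches at level 12.

```python
"""Forward high-risk DPI flows to a Wazuh TCP syslog listener.

Added example, not the router's own script. Flow records are constructed;
manager address, threshold, facility and message tag are assumptions.
"""
import json
import socket
import time

WAZUH_HOST = "192.168.8.50"   # assumed manager address on the LAN
WAZUH_PORT = 5140             # TCP syslog listener from the page
RISK_THRESHOLD = 150          # assumed cut-off for "high risk"
FACILITY_LOCAL0, SEV_WARNING = 16, 4

SAMPLE_FLOWS = [  # constructed, not captured netifyd output
    {"src": "192.168.8.23", "dst": "203.0.113.9", "dport": 443, "app": "HTTPS",
     "ndpi_risk_score": 50, "risks": ["TLS_CERTIFICATE_EXPIRED"]},
    {"src": "192.168.8.41", "dst": "198.51.100.77", "dport": 8080, "app": "HTTP",
     "ndpi_risk_score": 250,
     "risks": ["HTTP_SUSPICIOUS_USER_AGENT", "KNOWN_PROTOCOL_ON_NON_STD_PORT"]},
    {"src": "192.168.8.41", "dst": "192.0.2.5", "dport": 53, "app": "DNS",
     "ndpi_risk_score": 0, "risks": []},
]


def is_high_risk(flow: dict, threshold: int = RISK_THRESHOLD) -> bool:
    """Only flows at or above the threshold leave the router."""
    return int(flow.get("ndpi_risk_score", 0)) >= threshold


def to_syslog(flow: dict, hostname: str = "flint3", ts=None) -> str:
    """Build one RFC 3164 line; the payload is JSON so a Wazuh decoder can
    extract fields such as ndpi_risk_score for the matching rule."""
    pri = FACILITY_LOCAL0 * 8 + SEV_WARNING
    stamp = time.strftime("%b %d %H:%M:%S", time.localtime(ts))
    return f"<{pri}>{stamp} {hostname} netifyd: {json.dumps(flow, sort_keys=True)}\n"


def select_and_format(flows, threshold: int = RISK_THRESHOLD, ts=None) -> list[str]:
    """Filter by risk and render the survivors as syslog lines."""
    return [to_syslog(f, ts=ts) for f in flows if is_high_risk(f, threshold)]


def forward(flows, host: str = WAZUH_HOST, port: int = WAZUH_PORT, send=None) -> int:
    """Ship the selected lines over one TCP connection and return the count.
    `send` can be injected (dry runs, tests) instead of opening a socket."""
    lines = select_and_format(flows, ts=time.time())
    if not lines:
        return 0
    if send is None:
        with socket.create_connection((host, port), timeout=5) as s:
            for line in lines:
                s.sendall(line.encode())
    else:
        for line in lines:
            send(line)
    return len(lines)


if __name__ == "__main__":
    forward(SAMPLE_FLOWS, send=lambda line: print(line, end=""))
```

Thresholding on the router keeps the syslog stream small enough that Wazuh sees only the flows worth a level-12 alert; lowering the threshold trades alert volume for coverage, so start high and tune against what actually appears in the dashboard.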
Tooling & Scripts

PowerShell

  • $ validate-stack.ps1
  • $ prepare-monitoring.ps1
  • $ harden-rdp.ps1
  • $ cleanup-media-cache.ps1
  • $ rotate-qbit-category.ps1
  • $ vm-control.ps1
  • $ cf-update-dns.ps1

Python

  • > add_missing_kuma_monitors.py
  • > plex-scan-corrupt-streams.py
  • > request-bot/app.py
  • > telegram-bot/app.py
  • > update_cti_feeds.py
  • > ioc_collector.py
  • > threat_hunt_report.py

Scheduled

  • Watchtower — daily 4 AM
  • Recyclarr — TRaSH sync
  • Unpackerr — completed-download import
  • Cleanup — stale cache files
  • CTI feeds — daily 03:00 UTC
  • IOC collector — every 15 min
  • Threat hunt report — daily 07:00 UTC
Platform
OS: Windows 11 Pro · Docker Desktop + WSL2
GPU: NVIDIA · transcoding & LLM
Remote: Tailscale mesh · RDP
Config: environment-driven · conventional commits