All services run as containers on a single Linux Docker host on host2, with NFS mounts to the primary NAS for media and data storage. Everything sits behind a reverse proxy with SSO, so there is one login for the whole stack. Public services are reachable via a tunneled outbound gateway; internal-only services stay off the internet entirely.
The media stack is built around Jellyfin for video and Audiobookshelf for audio. The GPU on host2 handles hardware transcoding so Jellyfin can serve multiple simultaneous streams without touching the CPU. A request manager connects to the automation stack to handle the full download-to-library pipeline.
Media server for films and TV. GPU-accelerated transcoding via the passed-through NVIDIA Quadro. Libraries live on the primary NAS over NFS.
Request front-end for the media server. Users can search for titles and request them; the request manager routes to the automation stack automatically.
Audiobook and podcast server. Handles streaming, progress sync, and library management. Books live on the primary NAS over NFS.
Self-hosted photo and video library with ML-powered facial recognition, object tagging, and search. Photos are stored on the primary NAS. Internal-only, not exposed externally.
File sync, wiki, and a self-hosted site, all containerised. Nextcloud handles the job that iCloud or Google Drive usually would. Bookstack provides structured documentation for projects and notes. WordPress runs a personal site that stays internal.
File sync, contacts, and calendar. OIDC login via the identity provider. CalDAV and CardDAV are handled through reverse proxy redirects so native clients work without any manual configuration.
Wiki-style documentation platform organised into books, chapters, and pages. Used for project notes and reference docs.
Self-hosted site running internally. Not exposed publicly.
Central SSO for the entire stack. All public services and most internal services authenticate through here using OIDC. The reverse proxy handles forward auth for services that do not support OIDC natively, so everything shares a single login.
Self-hosted internet speed test. Gated behind SSO forward auth so it is publicly reachable but login-protected.
Self-hosted personal finance tracking. OIDC login via the identity provider. Internal-only, not exposed externally.
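Forward auth and the internal-only split described above only hold if the reverse proxy is the sole network path to each container; a port published directly on the Docker host is reachable without the SSO check. The following is an added example, not part of the original page: it parses `docker ps` port listings and flags published ports not bound to loopback. The container names, the sample output and the `reverse-proxy` allowlist entry are assumptions made for illustration.

```python
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Container names, addresses and ports are hypothetical, not taken from the page.
SAMPLE_DOCKER_PS = (
    "reverse-proxy\t0.0.0.0:443->443/tcp, [::]:443->443/tcp\n"
    "speedtest\t8080/tcp\n"
    "media-server\t0.0.0.0:8096->8096/tcp, :::8096->8096/tcp\n"
    "finance\t127.0.0.1:3000->3000/tcp\n"
    "metrics\t192.168.10.5:9090->9090/tcp\n"
    "tunnel\t\n"
)

# A published port looks like "<host addr>:<port or range>-><container port>/<proto>".
# The host address may be IPv4, "::" or "[::]" depending on the Docker version.
PUBLISHED = re.compile(
    r"^(?P<addr>\[?[0-9a-fA-F:.]*\]?):(?P<port>\d+(?:-\d+)?)->\S+$"
)
LOOPBACK = {"127.0.0.1", "::1"}


def find_bypass_ports(docker_ps_output, allowed=("reverse-proxy",)):
    """Return (container, host_addr, host_port) for each published port that
    can be reached without passing through the reverse proxy."""
    findings = []
    for line in docker_ps_output.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        if name in allowed:
            continue  # the proxy itself is expected to listen on the host
        for entry in filter(None, (p.strip() for p in ports.split(","))):
            match = PUBLISHED.match(entry)
            if not match:
                continue  # e.g. "8080/tcp": visible on Docker networks only
            addr = match.group("addr").strip("[]")
            if addr in LOOPBACK:
                continue  # host-local only, not reachable from the network
            findings.append((name, addr, match.group("port")))
    return findings


if __name__ == "__main__":
    for name, addr, port in find_bypass_ports(SAMPLE_DOCKER_PS):
        print(f"{name}: published on {addr}:{port}, bypasses the proxy")
```

A port bound to a LAN address is still reported, since any client on that network reaches the service without logging in.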
The automation stack handles the full pipeline from a request in the request manager through to a finished file in the media library. An indexer aggregator collects sources, a library manager handles organisation, and a download client handles the actual transfers.
| Service | Role |
|---|---|
| Film library manager | Film library management and automated download requests |
| Indexer aggregator | Aggregates indexer sources, feeds the library manager |
| Download client | Handles transfers from indexers to storage |
All automation services are internal-only. Completed downloads land on the primary NAS over NFS and are picked up by the media server automatically.
An internal metrics stack collects container-level resource stats and displays them on dashboards. All monitoring services are internal-only and not reachable from outside the network.