Homelab Architecture

danilohorta.me — served by nginx on pi4, proxied through Caddy on pi3

Network

Router: Dream Router 7
ISP: Virgin Media
LAN Subnet: 192.168.1.0/24
DNS: Gandi
Domain: danilohorta.me
Subdomains: dash · web · api

Topology

Internet (Virgin Media WAN)
  ↓
UniFi Dream Router 7
  NAT · Firewall · DHCP · 192.168.1.1
  Port forwards: 80/443 → pi3
  ↓
pi3 (Edge Gateway)
  Raspberry Pi 3B+ · 192.168.1.137
  Caddy · fail2ban · firewall
pi4 (App Server)
  Raspberry Pi 4 (4 GB) · 192.168.1.49
  Docker Compose services
macmini (Dev Machine)
  Mac Mini M1 (16 GB) · 192.168.1.222
  Primary workstation

Traffic Flow

*.danilohorta.me → Dream Router 7 (NAT 80/443) → pi3 Caddy (TLS termination) → pi4 Docker service

Machines

Host     Hardware          OS          CPU             RAM      Role
pi3      Raspberry Pi 3B+  Debian 13   4-core aarch64  905 MiB  Edge gateway
pi4      Raspberry Pi 4    Debian 13   4-core aarch64  3.7 GiB  App server
macmini  Mac Mini M1       macOS 26.3  8-core arm64    16 GiB   Workstation

Services

Service       URL                  Stack         Routing
Architecture  web.danilohorta.me   nginx:alpine  Caddy → pi4:8080
Homelab API   api.danilohorta.me   FastAPI       Caddy → pi4:8081
Dashboard     dash.danilohorta.me  Homepage      Caddy → pi4:8082

Security

TLS: Caddy auto-provisions Let's Encrypt certificates
Firewall: pi3 allows only 80/443 inbound; SSH restricted to LAN
fail2ban: Active on pi3 for SSH and Caddy logs
SSH: Key-only auth; password and root login disabled
API Auth: X-API-Key header required for /v1/ endpoints
Dashboard Auth: Caddy basic auth in front of Homepage
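
A Caddyfile sketch for pi3 that matches the routing and auth rows above. This is an added example, not the site's actual configuration: the log path, the user name, the password hash placeholder and the edge pre-check for a missing X-API-Key header are assumptions.

```caddyfile
# Added example, not the site's real config. Hostnames, the pi4 address and
# the ports come from the tables above; everything marked "assumed" does not.
# No tls directive is needed: Caddy obtains certificates automatically for
# these site addresses.

web.danilohorta.me {
	# Architecture page: nginx:alpine on pi4
	reverse_proxy 192.168.1.49:8080
}

api.danilohorta.me {
	# Assumed log path, so fail2ban on pi3 has a file to watch.
	log {
		output file /var/log/caddy/api-access.log
	}

	# Optional edge pre-check (assumed, not described on the page): a /v1/
	# request with no X-API-Key header gets a 401 here and never reaches pi4.
	# Validating the key's value is assumed to stay with the FastAPI app.
	@nokey {
		path /v1/*
		header !X-API-Key
	}
	respond @nokey 401

	reverse_proxy 192.168.1.49:8081
}

dash.danilohorta.me {
	# Basic auth in front of Homepage. The directive is spelled `basic_auth`
	# from Caddy 2.8 on; `basicauth` is the older spelling.
	basicauth {
		# Assumed user name; placeholder hash, generate one with `caddy hash-password`.
		admin <BCRYPT_HASH_PLACEHOLDER>
	}
	reverse_proxy 192.168.1.49:8082
}
```

Edge auth only covers traffic that passes through pi3, so these controls assume pi4 accepts connections on 8080-8082 from 192.168.1.137 only.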