Letzte Aktualisierung: 2026-01-17
24 Docker-Container auf cisco + 11 Container auf gideon
Organisation: Privates Test-Lab (K.I.T. Solutions Entwicklung)
Internet
│
├─→ Cloudflare DNS (SSL Certs)
│
└─→ FRITZ!Box 6660 Cable
│
├─→ cisco (24 Container - core_network)
│ ├─→ Caddy Reverse Proxy (HTTPS Termination)
│ ├─→ Keycloak (SSO für alle Services)
│ ├─→ OAuth2-Proxy (Auth-Layer)
│ └─→ Workmate, N8N, Guacamole, etc.
│
└─→ gideon (11 Container - Unraid)
├─→ Jellyfin (Media)
├─→ Home Assistant (Smart Home)
├─→ Pi-hole (DNS)
└─→ Wiki.js, Paperless, Vaultwarden
Image: caddy:latest
Ports: 80, 443, 2019
Funktion: HTTPS Termination & Routing
*.intern.phudevelopement.xyz {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
@kuma host kuma.intern.phudevelopement.xyz
handle @kuma {
reverse_proxy oauth2-proxy-kuma:4180
}
@workmate host workmate.intern.phudevelopement.xyz
handle @workmate {
reverse_proxy workmate-ui:5173
}
# ... weitere Routes
}
Features:
Image: cloudflare/cloudflared:latest
Funktion: Sichere externe Erreichbarkeit ohne Port-Forwarding
Vorteile:
Image: quay.io/keycloak/keycloak:latest
Ports: 8080
Database: PostgreSQL (shared)
Admin-URL: https://login.intern.phudevelopement.xyz
Realms:
workmate - Hauptrealm für Workmate OShomelab - SSO für alle Homelab-ServicesClients:
Features:
Image: ghcr.io/zitadel/zitadel:latest
Status: Testing (alternative zu Keycloak)
Funktion: Moderne Identity & Access Management Platform
Warum parallel?
Image: quay.io/oauth2-proxy/oauth2-proxy:latest
Upstream: http://uptime-kuma:3001
Provider: Keycloak
Config:
--provider=keycloak-oidc
--client-id=uptime-kuma
--client-secret=${KUMA_OAUTH_SECRET}
--oidc-issuer-url=https://login.intern.phudevelopement.xyz/realms/homelab
--email-domain=*
--cookie-secret=${COOKIE_SECRET}
Image: quay.io/oauth2-proxy/oauth2-proxy:latest
Upstream: http://code-server:8443
Provider: Keycloak
Zweck: VS Code Web-Zugriff nur mit SSO-Login
Image: postgres:16-alpine
Ports: 5432
Storage: Docker Volume postgres_data
Datenbanken:
workmate_os - Workmate Backendkeycloak - Keycloak SSOn8n - N8N Workflowsguacamole - Guacamole Connections (geplant)Backup:
Monitoring:
https://pgweb.intern.phudevelopement.xyzImage: mysql:8
Ports: 3306
Funktion: Guacamole Database
Datenbanken:
guacamole_db - Guacamole Connections & UsersImage: Custom (FastAPI)
Ports: 8000
Tech Stack: FastAPI, SQLAlchemy, Alembic, Pydantic V2
Database: PostgreSQL (workmate_os)
Auth: Keycloak OAuth2
Module:
Features:
API-Docs: https://workmate.intern.phudevelopement.xyz/docs
Image: Custom (Vue 3 + Vite)
Ports: 5173
Tech Stack: Vue 3, TypeScript, Pinia, TailwindCSS
Auth: Keycloak OAuth2 (Public Client)
Features:
URL: https://workmate.intern.phudevelopement.xyz
Image: Custom
Ports: 3002
Funktion: Personal Dashboard & Analytics
Widgets:
Image: Custom (Next.js)
Ports: 3000
Tech Stack: Next.js 14, TypeScript, Velite, MDX
Funktion: Persönliche Portfolio-Website
Features:
URL: https://einfachnurphu.io
Image: Custom
Ports: 3001
Funktion: API Aggregation & Proxy
Integrationen:
Image: n8nio/n8n:latest
Ports: 5678
Database: PostgreSQL (n8n)
URL: https://n8n.intern.phudevelopement.xyz
Workflows:
Features:
Image: guacamole/guacamole:latest
Ports: 8080
Daemon: Guacd (172.19.0.17)
Database: MySQL (guacamole_db)
Protokolle:
Verbindungen:
URL: https://guacamole.intern.phudevelopement.xyz
Image: louislam/uptime-kuma:latest
Ports: 3001
Auth: OAuth2-Proxy (Keycloak)
URL: https://kuma.intern.phudevelopement.xyz
Überwachte Services:
Benachrichtigungen:
Image: codercom/code-server:latest
Ports: 8443
Auth: OAuth2-Proxy (Keycloak)
URL: https://code.intern.phudevelopement.xyz
Features:
Image: sosedoff/pgweb:latest
Ports: 8081
Database: PostgreSQL (172.19.0.9)
Features:
⚠️ Sicherheitsrisiko: Aktuell ohne Authentifizierung - OAuth2-Proxy geplant
Image: deluan/navidrome:latest
Ports: 4533
Storage: NFS Mount zu gideon (/mnt/music)
URL: https://music.intern.phudevelopement.xyz
Features:
Bibliothek:
Image: Custom
Ports: 8888
Funktion: OAuth2 Token Refresh für Spotify API
Verwendung:
Image: axllent/mailpit:latest
Ports: 8025 (Web), 1025 (SMTP)
URL: https://mail.intern.phudevelopement.xyz
Funktion:
⚠️ Nur für Development - Keine echten E-Mails versenden!
Image: eclipse-mosquitto:latest
Ports: 1883 (MQTT), 9001 (WebSockets)
Funktion: IoT Message Broker
Clients:
Topics:
homelab/sensors/*homelab/devices/*automation/*Image: Custom
Ports: 4000
Funktion: Manga Metadata & Scraping Service
Features:
Ports: 8096 (HTTP), 8920 (HTTPS)
URL: http://192.168.178.99:8096
Storage: /mnt/user/media/
Bibliothek:
Features:
Geplantes Upgrade:
Ports: 4533
Funktion: Musik-Streaming
Integration: Shared Storage mit cisco
Ports: 8123
URL: http://192.168.178.99:8123
Database: SQLite (geplant: PostgreSQL)
Integrationen:
Automatisierungen:
Ports: 5580
Funktion: Smart Home Protokoll-Server
Integration: Home Assistant
Geräte:
Ports: 3002
URL: http://192.168.178.99:3002
Database: SQLite
Storage: /mnt/user/appdata/wikijs/
Funktion:
Seiten:
Ports: 8000
URL: http://192.168.178.99:8010
Database: PostgreSQL (lokal auf gideon)
Storage: /mnt/user/paperless/
Funktion:
Kategorien:
Ports: 53 (DNS), 80 (Web)
IP: 192.168.178.2
URL: http://192.168.178.2/admin
Funktion:
Statistiken:
Upstream DNS:
Ports: 80
URL: http://192.168.178.99:8200
Database: SQLite
Funktion: Passwort-Manager
Features:
Backups:
Funktion: Sichere externe Verbindung
Integration: Parallel zu cisco-Tunnel
Ports: 3001
URL: http://192.168.178.99:3001
Funktion: Service-Dashboard für Homelab
Widgets:
Caddy Reverse Proxy
├─→ Keycloak (Auth)
│ ├─→ PostgreSQL (User DB)
│ └─→ OAuth2-Proxy (Kuma, Code Server)
│
├─→ Workmate Backend
│ ├─→ PostgreSQL (App DB)
│ └─→ Keycloak (SSO)
│
├─→ Workmate UI
│ └─→ Keycloak (SSO)
│
├─→ N8N
│ ├─→ PostgreSQL (Workflows)
│ └─→ Keycloak (SSO - optional)
│
└─→ Guacamole
├─→ MySQL (Connections)
└─→ Guacd (RDP/VNC Daemon)
Pi-hole DNS
└─→ Alle Netzwerk-Geräte (DNS Resolver)
Cloudflared Tunnel
└─→ Caddy (externe Erreichbarkeit)
| Service | Auth-Methode | Zugriff | Status |
|---|---|---|---|
| Workmate | Keycloak SSO | Caddy → OAuth2 | ✅ Sicher |
| Keycloak | Admin-Login | Caddy → HTTPS | ✅ Sicher |
| Uptime Kuma | OAuth2-Proxy | Caddy → Keycloak | ✅ Sicher |
| Code Server | OAuth2-Proxy | Caddy → Keycloak | ✅ Sicher |
| N8N | Basic Auth | Caddy → HTTPS | ⚠️ OAuth geplant |
| Guacamole | Intern | Caddy → HTTPS | ✅ Sicher |
| Pgweb | Keine | Direkt | ❌ OAuth2 nötig |
| Mailpit | Keine | Direkt | ❌ OAuth2 nötig |
| Navidrome | Intern | Caddy → HTTPS | ✅ Sicher |
| Jellyfin | Intern | Direkt | ✅ Sicher |
| Pi-hole | Admin-PW | Direkt | ⚠️ Lokal only |
| Wiki.js | Intern | Direkt | ✅ Sicher |
| Paperless | Intern | Direkt | ✅ Sicher |
| Vaultwarden | Master-PW | Direkt | ✅ Sicher |
Dokumentations-Stand: 2026-01-17
Services-Status: 35/35 Running (100%)