
Service Architecture

All services in v3.0 run as Docker containers, split across three VMs and the NAS:
  • docker-prod-01 (192.168.30.11) - Primary service VM hosting media, infrastructure, and application stacks
  • auth-prod-01 (192.168.30.13) - Dedicated VM for Authentik identity provider
  • immich-prod-01 (192.168.30.14) - Isolated VM for Immich photo management with ML workloads
  • nas-prod-01 (Unraid) - Plex runs in Unraid's native Docker engine on the NAS rather than inside a VM, so it has direct access to the transcoding hardware

Infrastructure

Reverse proxy, authentication, DNS, and tunneling services

Media

Plex, ARR stack, and torrent automation

Books

Ebook and audiobook library management

Photos

Immich photo server with ML-powered organization

Monitoring

Host metrics, uptime tracking, and backup monitoring

Stack Organization

Services are organized into logical stacks, one Docker Compose project per stack:

Stack        | Services                                                                                                   | Location
-------------|------------------------------------------------------------------------------------------------------------|----------------------------------
infra        | Traefik, Dockman, Homarr                                                                                   | docker-prod-01
auth         | Authentik (server, worker, PostgreSQL, Redis)                                                              | auth-prod-01
cloudflared  | Cloudflare Tunnel                                                                                          | docker-prod-01
dns-sync     | adguardhome-sync                                                                                           | docker-prod-01
arr          | Sonarr (TV + Anime), Radarr (1080p + 4K), Prowlarr, Bazarr, Profilarr, Maintainerr, Seerr, Tautulli, Flaresolverr | docker-prod-01
torrent      | Gluetun, qBittorrent, qBitrr                                                                               | docker-prod-01
books        | Audiobookshelf, Calibre-Web-Automated, Shelfmark                                                           | docker-prod-01
photos       | Immich (server, ML, PostgreSQL, Redis)                                                                     | immich-prod-01
monitoring   | Beszel                                                                                                     | docker-prod-01
plex         | Plex Media Server                                                                                          | nas-prod-01 (Unraid native Docker)
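As an added example of how one of these stacks is laid out (this is illustrative code, not the project's own compose file), here is the torrent stack. It shows the two conventions the rest of this page relies on: the Gluetun killswitch model, where qBittorrent has no network of its own and can only talk through Gluetun's namespace, and the shared UID/GID 2000:2000 identity used for NFS. Image names, the VPN provider settings, the WebUI port and the environment variable names loaded from .env are assumptions for the example; the /opt/appdata and /data paths come from the Storage Architecture section.

```yaml
# docker-compose.yml for the torrent stack (added example, not the project's file).
# Assumed: image tags, custom WireGuard provider settings, WebUI port 8080,
# and that secrets come from a .env file that is not committed with the stack.
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                           # needed to bring up wg0 and program the firewall
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: custom          # assumption: provider-specific config omitted
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: ${WG_PRIVATE_KEY}   # from .env
      WIREGUARD_PUBLIC_KEY: ${WG_PEER_PUBLIC_KEY}
      WIREGUARD_ADDRESSES: ${WG_ADDRESSES}
      VPN_ENDPOINT_IP: ${WG_ENDPOINT_IP}
      VPN_ENDPOINT_PORT: ${WG_ENDPOINT_PORT}
      # Gluetun's firewall drops everything not going through the tunnel; this
      # exception lets the LAN (Traefik, the ARR containers) reach the WebUI.
      FIREWALL_OUTBOUND_SUBNETS: 192.168.30.0/24
    ports:
      - "8080:8080"                         # published on gluetun, because qbittorrent has no interface
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    # Share gluetun's network namespace. If the tunnel is down, gluetun's
    # firewall blocks the namespace's traffic, so qbittorrent cannot leak to the WAN.
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      PUID: "2000"                          # linuxserver images take the identity via env, not `user:`
      PGID: "2000"
      WEBUI_PORT: "8080"
    volumes:
      - /opt/appdata/qbittorrent:/config
      - /data:/data                         # single mount of the NFS share (hardlinks need this)
    restart: unless-stopped

  qbitrr:
    image: feramance/qbitrr                 # assumed image name
    container_name: qbitrr
    user: "2000:2000"                       # images without PUID/PGID get the identity via `user:`
    depends_on:
      - gluetun
    volumes:
      - /opt/appdata/qbitrr:/config
      - /data:/data
    restart: unless-stopped
    # qbitrr reaches the qBittorrent API at http://gluetun:8080 over the
    # default compose network, since that is where the WebUI port lives.
```

Note that the qbittorrent service must not declare its own ports or networks when using network_mode: service:gluetun; Compose will refuse the file. A quick check that the killswitch is doing its job is to stop gluetun and confirm that `docker exec qbittorrent curl -m 5 https://example.com` times out rather than succeeding.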

Access Model

Internal Access

All services are reached through the Traefik reverse proxy:
  • Protocol: HTTPS with a wildcard certificate (*.giohosted.com)
  • DNS: AdGuard Home provides split-horizon DNS rewrites, so the same hostnames resolve differently on the LAN and on the Internet
  • Internal resolution: service.giohosted.com → Traefik at 192.168.30.11
Example internal URLs:
  • https://sonarr.giohosted.com
  • https://radarr.giohosted.com
  • https://plex.giohosted.com
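As an added illustration of the proxy side of this model (not the project's own configuration), here is a minimal Traefik setup that matches the description: one wildcard certificate served on the HTTPS entrypoint, routes attached to containers only when explicitly labeled, and a file-provider route for a service that lives on another VM. Assumed for the example: the wildcard certificate is obtained with an ACME DNS-01 challenge through Cloudflare (the page only says a wildcard certificate exists), the hostname photos.giohosted.com and Immich's port 2283, Sonarr's port 8989, and the file paths.

```yaml
# File 1: traefik.yml (static configuration) - added example, not the project's file.
# Assumed: ACME DNS-01 via Cloudflare, with CF_DNS_API_TOKEN supplied from .env.
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: dns
        domains:
          - main: giohosted.com
            sans:
              - "*.giohosted.com"          # one wildcard cert covers every internal name

providers:
  docker:
    exposedByDefault: false                # only containers with traefik.enable=true get a route
  file:
    filename: /etc/traefik/dynamic.yml     # routes to services on other VMs

certificatesResolvers:
  dns:
    acme:
      email: admin@giohosted.com           # assumed
      storage: /etc/traefik/acme.json      # keep mode 0600; it holds the private key
      dnsChallenge:
        provider: cloudflare               # no inbound port 80 needed for issuance
---
# File 2: /etc/traefik/dynamic.yml - Immich runs on immich-prod-01, so the Docker
# provider cannot see it; route to it by IP instead. Hostname and port are assumptions.
http:
  routers:
    immich:
      rule: "Host(`photos.giohosted.com`)"
      entryPoints:
        - websecure
      service: immich
  services:
    immich:
      loadBalancer:
        servers:
          - url: "http://192.168.30.14:2283"
---
# File 3: labels on the sonarr service in the arr stack's compose file.
# TLS is inherited from the websecure entrypoint, so no per-router TLS block is needed.
services:
  sonarr:
    labels:
      traefik.enable: "true"
      traefik.http.routers.sonarr.rule: "Host(`sonarr.giohosted.com`)"
      traefik.http.routers.sonarr.entrypoints: websecure
      traefik.http.services.sonarr.loadbalancer.server.port: "8989"
```

With exposedByDefault set to false, a container added to a stack without labels is simply unreachable through the proxy, which is the safer failure mode for a host that also runs the tunnel.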

External Access

Published through Cloudflare Tunnel (cloudflared); only these hostnames are reachable from the Internet this way:
  • Audiobookshelf: audiobooks.giohosted.com
  • Shelfmark: books.giohosted.com
  • Seerr: request.giohosted.com
  • Authentik: auth.giohosted.com
Direct port forward:
  • Plex: port 32400 forwarded to nas-prod-01, bypassing the tunnel (Cloudflare's terms prohibit proxying video streaming)
WireGuard VPN:
  • Full LAN access via the UDM-SE's WireGuard server
  • Used for remote administration and for reaching everything that is not published through the tunnel
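As an added example (not the project's own file), this is what the cloudflared ingress configuration for the four published hostnames looks like in the locally managed form of the tunnel. Assumed: the tunnel UUID and credentials path are placeholders, and the tunnel's origin is Traefik on the same host (service name traefik on a shared compose network), which then routes by Host header and presents the wildcard certificate.

```yaml
# /etc/cloudflared/config.yml for the cloudflared stack (added example).
# Assumed: tunnel UUID, credentials file path, and Traefik as the only origin.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  - hostname: audiobooks.giohosted.com
    service: https://traefik:443
    originRequest:
      originServerName: audiobooks.giohosted.com   # SNI, so Traefik picks the wildcard cert
  - hostname: books.giohosted.com
    service: https://traefik:443
    originRequest:
      originServerName: books.giohosted.com
  - hostname: request.giohosted.com
    service: https://traefik:443
    originRequest:
      originServerName: request.giohosted.com
  - hostname: auth.giohosted.com
    service: https://traefik:443
    originRequest:
      originServerName: auth.giohosted.com
  # The catch-all rule is mandatory and must come last. It deliberately does NOT
  # point at Traefik: a public DNS record for sonarr.giohosted.com pointed at this
  # tunnel would otherwise be proxied straight to an internal-only service.
  - service: http_status:404
```

Because the origin certificate is the valid wildcard, originRequest.noTLSVerify is not needed and should stay at its default of false; the tunnel then verifies Traefik just as a browser on the LAN would. The rule list is evaluated top to bottom, so a hostname accidentally added below the catch-all is never matched.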

Service Identity

All containers run as UID/GID 2000:2000, so every file they create on the NFS share has the same owner and the NAS-side permissions can be managed for one identity. Images that ship with their own entrypoint take the identity through PUID/PGID environment variables; the rest use the Compose user: setting.

Storage Architecture

Docker VM local storage (/opt):
  • /opt/stacks/ - Git-tracked compose files
  • /opt/appdata/ - Container persistent data (backed up nightly)
NAS NFS mount (/data):
  • /data/media/ - Plex libraries (movies, TV, anime, books)
  • /data/downloads/ - Active torrent staging
  • /data/photos/ - Immich library (ZFS mirror pool)
  • /data/backups/ - Backup destinations (ZFS mirror pool)
Downloads and media shares MUST remain on the same filesystem (Unraid parity array) to support the hardlinks the ARR stack uses for atomic moves. They must also be presented to each container through a single mount: Linux refuses hardlinks across mount points (link(2) fails with EXDEV) even when both paths sit on the same filesystem, so mounting /data/downloads and /data/media as two separate bind mounts breaks the atomic move and the ARR apps fall back to copy and delete.
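As an added example (not from the project's stacks) of the volume layout the hardlink requirement implies, here are two Sonarr definitions: the first mounts downloads and media separately and cannot hardlink between them, the second mounts the whole share once. Image name, the /data/media/tv subdirectory, and the PUID/PGID handling are assumptions for the example.

```yaml
# BROKEN for hardlinks (added example). Inside the container /downloads and /tv
# are two mount points, so link(2) across them fails with EXDEV even though both
# live on the same Unraid array; Sonarr then copies the file and deletes the original.
services:
  sonarr:
    image: lscr.io/linuxserver/sonarr
    environment:
      PUID: "2000"
      PGID: "2000"
    volumes:
      - /opt/appdata/sonarr:/config
      - /data/downloads:/downloads
      - /data/media/tv:/tv
---
# WORKS. One mount of the share: /data/downloads/... and /data/media/tv/... are
# paths under the same mount point inside the container, so the import is
# link + unlink: atomic, instant, and no second copy on the array.
services:
  sonarr:
    image: lscr.io/linuxserver/sonarr
    environment:
      PUID: "2000"
      PGID: "2000"
    volumes:
      - /opt/appdata/sonarr:/config
      - /data:/data
```

The same single /data mount has to appear in the torrent container, since the download client writes the file that Sonarr later links; if the two containers see the share through different mounts the hardlink fails in exactly the same way. A quick check from inside a container is `stat -c %d /data/downloads /data/media` giving the same device number for both.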

Container Management

Dockman provides web-based Docker Compose management:
  • Restart individual containers without affecting entire stack
  • View logs and resource usage
  • Access at https://dockman.giohosted.com
Cockpit provides VM-level management:
  • Disk usage and network monitoring
  • System updates
  • File browser
  • Installed on docker-prod-01 for day-to-day operations

Backup Coverage

Tier   | What                    | Tool                     | Destination
-------|-------------------------|--------------------------|------------------------------
Tier 0 | VM/LXC snapshots        | Proxmox Backup Server    | pbs-prod-01 → NAS ZFS pool
Tier 1 | Docker appdata + stacks | rsync + Healthchecks     | NAS /backups (ZFS)
Tier 1 | Plex database           | Dedicated backup script  | NAS /backups/plex
Tier 2 | NAS snapshots           | Unraid ZFS snapshots     | Local on NAS
Tier 3 | Off-box cold copy       | Synology ABB             | Synology NAS (nightly pull)

Future: Kubernetes Migration

Phase 6 (future) introduces a k3s cluster for selective service migration.
Migration candidates:
  • Immich (HA + operator-managed upgrades)
  • Authentik (IdP high availability)
  • Monitoring stack (Beszel, Uptime Kuma)
  • Traefik (natural fit as k3s ingress controller)
Intentionally staying in Docker:
  • ARR stack (hardlinks and atomic moves need every container to share one mount of the same filesystem, which per-service Kubernetes volumes do not provide)
  • qBittorrent + Gluetun (VPN killswitch model: qBittorrent shares Gluetun's network namespace and has no path to the Internet except the tunnel)
  • Books stack (filesystem-dependent ingest workflows)
The Kubernetes migration follows a sandbox-first approach: no production service moves until the cluster has proven stable in an isolated lab environment.
