| dns | ||
| forgejo | ||
| karakeep | ||
| newt | ||
| resilio | ||
| stirling-pdf | ||
| vaultwarden | ||
| .gitignore | ||
| README.md | ||
Voyager Homelab — Docker Stack
Self-hosted infrastructure running on an HP t630 thin client (Ubuntu Server).
All services are exposed externally via Pangolin reverse proxy tunnel through PMS1 (tunnel.pelagiamarine.com).
Architecture
Client
└── Pangolin (PMS1 VPS) ── Newt tunnel ──► Voyager (192.168.1.55)
├── Pi-hole :53
├── Unbound :5335
├── dnscrypt-proxy :5053
├── Vaultwarden :8000
├── Forgejo :3000
├── Karakeep :3000
├── Resilio Sync :8888
└── Stirling pdf :8181
DNS Chain
LAN Devices → Pi-hole (ad blocking) → Unbound (recursive) → dnscrypt-proxy (DoH) → Cloudflare/Quad9
Services
DNS (dns/)
| Service | Role | Port |
|---|---|---|
| Pi-hole | Network-wide ad blocking | 53 (public) |
| Unbound | Recursive DNS resolver + DNSSEC | 5335 (internal) |
| dnscrypt-proxy | DNS-over-HTTPS encryption | 5053 (internal) |
Pi-hole is the only DNS service exposed to the LAN. Unbound and dnscrypt-proxy are internal to the Docker network.
Vaultwarden (vaultwarden/)
Self-hosted password manager, compatible with all Bitwarden clients.
- URL:
https://vaultwarden.tunnel.pelagiamarine.com - Image:
vaultwarden/server:latest
Forgejo (forgejo/)
Self-hosted Git mirror. Primary instance lives on PMS1 (git.pelagiamarine.com).
This instance is a push mirror — automatically receives commits from PMS1.
- URL:
https://git.tunnel.pelagiamarine.com - Image:
codeberg.org/forgejo/forgejo:10 - SSH: port
22222
Karakeep (karakeep/)
Self-hosted bookmark manager with AI tagging, full-page archiving, and screenshots.
- URL:
https://bookmarks.tunnel.pelagiamarine.com
Resilio Sync (resilio/)
P2P sync for receiving PostgreSQL database backups from PMS1.
Paired with PMS1's Resilio instance which runs a nightly pg_dump cron.
- URL:
https://sync.tunnel.pelagiamarine.com - Sync folder:
~/backups/postgres/
Newt (newt/)
Pangolin tunnel client. Creates an outbound tunnel to PMS1 (87.76.191.133),
allowing Pangolin/Traefik to route *.tunnel.pelagiamarine.com traffic
back to Voyager without any open inbound ports.
Stirling pdf
Self hosted pdf toolbox
Host Network
| Detail | Value |
|---|---|
| Hostname | voyager |
| LAN IP | 192.168.1.55 (static) |
| IPv6 | 2405:201:24:38a4::55/64 (static) |
| OS | Ubuntu Server 24.04 |
| Hardware | HP t630 thin client |
Related Infrastructure
| Service | Host | URL |
|---|---|---|
| Pangolin (reverse proxy) | PMS1 VPS | pangolin.pelagiamarine.com |
| Forgejo (primary) | PMS1 VPS | git.pelagiamarine.com |
| Resilio (primary) | PMS1 VPS | resilio.pelagiamarine.com |
| Pelagia Portal (Next.js) | PMS1 VPS | pms.pelagiamarine.com |
Setup Notes
- Port 53 requires disabling
systemd-resolvedstub listener before starting the DNS stack - Unbound is built from a custom Dockerfile (Alpine-based) due to scratch image limitations in
klutchell/unbound - dnscrypt-proxy cache directory requires
chown 1000:1000for write permissions - Forgejo
ROOT_URLmust be set to the Pangolin tunnel URL to avoid redirect loops when accessed locally