torresvault:services:npm
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| torresvault:services:npm [2026/01/23 15:20] – nathna | torresvault:services:npm [2026/01/23 18:38] (current) – nathna | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Nginx Proxy Manager (NPM) ===== | + | Pi-hole handles **internal DNS**, enabling: |
| - | Overview | + | |
| - | Nginx Proxy Manager (NPM) is the public-facing HTTPS reverse proxy for the entire TorresVault ecosystem. | + | * `*.torresvault.com` → LAN |
| - | It provides: | + | * `in.torresvault.com` → internal dashboard |
| + | * All app shortcuts (e.g., `jellyfin.torresvault.com`, | ||
| - | Centralized SSL termination (Let’s Encrypt) | + | This ensures a unified naming scheme both internally and externally. |
| - | Clean domain names under torresvault.com | + | ---- |
| - | Secure exposure of selected services to the internet | + | ===== Configured Proxy Hosts ===== |
| - | Internal forwarding to LAN IPs | + | Below is the current public-facing NPM UI (from your screenshot): |
| - | Access control & auditing | + | {{: |
| - | + | ||
| - | Simple UI for rapid updates | + | |
| - | + | ||
| - | NPM is hosted on its own dedicated VM to maintain failure domain isolation, matching your preferred architecture (one app → one VM). | + | |
| - | + | ||
| - | Deployment Details | + | |
| - | + | ||
| - | Server: npm.torresvault.com | + | |
| - | + | ||
| - | Internal IP: 192.168.1.99 | + | |
| - | + | ||
| - | Network: Default VLAN (1) | + | |
| - | + | ||
| - | Runs under Docker Compose on Ubuntu | + | |
| - | + | ||
| - | Automatic SSL renewals enabled | + | |
| - | + | ||
| - | All upstream services use private LAN IPs (never exposed directly) | + | |
| - | + | ||
| - | DNS + Reverse Proxy Flow | + | |
| - | client → torresvault.com → Cloudflare → NPM (192.168.1.99) → internal service | + | |
| - | + | ||
| - | + | ||
| - | Internal DNS uses Pi-hole for: | + | |
| - | + | ||
| - | *.torresvault.com → LAN | + | |
| - | + | ||
| - | in.torresvault.com → internal dashboard server | + | |
| - | + | ||
| - | Services like ha.torresvault.com, | + | |
| - | + | ||
| - | Configured Proxy Hosts | + | |
| - | + | ||
| - | Below is the complete list of active reverse proxy entries extracted from your NPM UI: | + | |
| - | + | ||
| - | Public Sites (HTTPS with Let’s Encrypt) | + | |
| - | {{: | + | |
| NPM is responsible for: | NPM is responsible for: | ||
| - | Public-facing web entry point for all apps | + | * Main entry point for all public-facing |
| + | * Consolidated HTTPS security | ||
| + | * Hiding backend VM IP addresses | ||
| + | * Enforcing access policies | ||
| + | * Keeping external URLs predictable and organized | ||
| - | Consolidated HTTPS security | + | Apps managed through NPM include: |
| - | Hiding all backend VM IPs | + | * Home Assistant |
| + | * Nextcloud | ||
| + | * Jellyfin | ||
| + | * Internal dashboards | ||
| + | * FPP-related pages | ||
| + | * Prometheus, monitoring, and more | ||
| - | Enforcing access policy | + | --- |
| - | Giving you a single source of truth for every external URL | + | ===== Why This Architecture Works ===== |
| - | This setup allows the entire ecosystem—Home Assistant, Nextcloud, Jellyfin, FPP, dashboards, and internal services—to remain cleanly organized | + | * No internal system is exposed directly |
| + | * All SSL is centralized | ||
| + | * Access is easy to manage | ||
| + | * NPM can be migrated, updated, or rebuilt without affecting backend apps | ||
| + | * Clean separation from Pi-hole (DNS) and Proxmox (VM orchestration) | ||
| + | * Cloudflare shields your public endpoints | ||
| - | Future | + | This results in a secure, clean, and maintainable public entry point for the entire |
| - | (These can be added to the Roadmap page) | + | ---- |
| - | Migrate NPM into Kubernetes | + | ===== Future TorresVault 2.0 Enhancements ===== |
| + | (These can also be mirrored on the Roadmap page.) | ||
| - | Add Cloudflare Zero Trust for external access | + | * Migrate NPM into **Kubernetes** (with standalone VM as fallback) |
| + | * Add **Cloudflare Zero Trust** for secure | ||
| + | * Add NPM **failover** using VRRP/ | ||
| + | * Forward logs to **Grafana Loki** for centralized log management | ||
| + | * Add **blue-green staged routing** for: | ||
| + | * Home Assistant upgrades | ||
| + | * Nextcloud upgrades | ||
| + | * Future Kubernetes services | ||
| - | Add automatic failover of NPM using VRRP/ | + | ---- |
| - | Move logging to centralized Loki/ | + | '' |
| - | Add staged/ | ||
torresvault/services/npm.1769199631.txt.gz · Last modified: by nathna