Pi-hole handles **internal DNS**, enabling:

  * `*.torresvault.com` → LAN
  * `in.torresvault.com` → internal dashboard
  * All app shortcuts (e.g., `jellyfin.torresvault.com`, `ha.torresvault.com`)

This ensures a unified naming scheme both internally and externally.

----

===== Configured Proxy Hosts =====

Below is the current public-facing NPM UI:

{{:torresvault:services:npm.png?800|NPM Proxy Host List}}

NPM is responsible for:

  * Main entry point for all public-facing apps
  * Consolidated HTTPS security
  * Hiding backend VM IP addresses
  * Enforcing access policies
  * Keeping external URLs predictable and organized

Apps managed through NPM include:

  * Home Assistant
  * Nextcloud
  * Jellyfin
  * Internal dashboards
  * FPP-related pages
  * Prometheus, monitoring, and more

----

===== Why This Architecture Works =====

  * No internal system is exposed directly
  * All SSL is centralized
  * Access is easy to manage
  * NPM can be migrated, updated, or rebuilt without affecting backend apps
  * Clean separation from Pi-hole (DNS) and Proxmox (VM orchestration)
  * Cloudflare shields the public endpoints

This results in a secure, clean, and maintainable public entry point for the entire TorresVault platform.

----

===== Future TorresVault 2.0 Enhancements =====

(These can also be mirrored on the Roadmap page.)

  * Migrate NPM into **Kubernetes** (with standalone VM as fallback)
  * Add **Cloudflare Zero Trust** for secure external access
  * Add NPM **failover** using VRRP/Keepalived across Mini-PC nodes
  * Forward logs to **Grafana Loki** for centralized log management
  * Add **blue-green staged routing** for:
    * Home Assistant upgrades
    * Nextcloud upgrades
    * Future Kubernetes services

----

''This page documents the Nginx Proxy Manager deployment inside the TorresVault ecosystem.''
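
The split between Pi-hole's internal answers and the public records described above can be audited with a short check. This is an added example, not part of the TorresVault configuration: every IP address, the proxy address, and the function names are constructed, and it assumes internal names are meant to resolve to the NPM host.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly: ipaddress's is_private also flags
# documentation ranges such as 203.0.113.0/24, which the sample data uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(addr):
    """True if addr is inside an RFC 1918 private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit_split_horizon(internal, public, proxy_ip):
    """Return sorted (hostname, finding) pairs for records that break the design.

    internal / public map hostname -> list of A records as answered by the
    internal resolver (Pi-hole) and by a public resolver.
    proxy_ip is the LAN address of the reverse proxy (assumed, not from the page).
    """
    findings = []
    for host, addrs in internal.items():
        for a in addrs:
            if not is_lan(a):
                findings.append((host, f"internal answer {a} is not a LAN address"))
            elif a != proxy_ip:
                findings.append((host, f"internal answer {a} bypasses the proxy"))
    for host, addrs in public.items():
        for a in addrs:
            if is_lan(a):
                findings.append((host, f"public answer {a} leaks a LAN address"))
    return sorted(findings)

# Constructed sample answers; every address here is a placeholder.
PROXY_IP = "192.168.1.50"
SAMPLE_INTERNAL = {
    "jellyfin.torresvault.com": ["192.168.1.50"],
    "in.torresvault.com": ["192.168.1.50"],
    "ha.torresvault.com": ["192.168.1.61"],   # points at a backend directly
}
SAMPLE_PUBLIC = {
    "jellyfin.torresvault.com": ["203.0.113.10"],
    "ha.torresvault.com": ["192.168.1.61"],   # private address published
}

if __name__ == "__main__":
    for host, finding in audit_split_horizon(SAMPLE_INTERNAL, SAMPLE_PUBLIC, PROXY_IP):
        print(f"{host}: {finding}")
```

In practice the two dictionaries would be filled from real resolver answers collected against Pi-hole and against a public resolver.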