Table of Contents
Pi-hole handles internal DNS, enabling:
- `*.torresvault.com` → LAN
- `in.torresvault.com` → internal dashboard
- All app shortcuts (e.g., `jellyfin.torresvault.com`, `ha.torresvault.com`)
This ensures a unified naming scheme both internally and externally.
Configured Proxy Hosts
Below is the current public-facing NPM UI (from your screenshot):
NPM is responsible for:
- Main entry point for all public-facing apps
- Consolidated HTTPS security
- Hiding backend VM IP addresses
- Enforcing access policies
- Keeping external URLs predictable and organized
Apps managed through NPM include:
- Home Assistant
- Nextcloud
- Jellyfin
- Internal dashboards
- FPP-related pages
- Prometheus, monitoring, and more
—
Why This Architecture Works
- No internal system is exposed directly
- All SSL is centralized
- Access is easy to manage
- NPM can be migrated, updated, or rebuilt without affecting backend apps
- Clean separation from Pi-hole (DNS) and Proxmox (VM orchestration)
- Cloudflare shields your public endpoints
This results in a secure, clean, and maintainable public entry point for the entire TorresVault platform.
Future TorresVault 2.0 Enhancements
(These can also be mirrored on the Roadmap page.)
- Migrate NPM into Kubernetes (with standalone VM as fallback)
- Add Cloudflare Zero Trust for secure external access
- Add NPM failover using VRRP/Keepalived across Mini-PC nodes
- Forward logs to Grafana Loki for centralized log management
- Add blue-green staged routing for:
- Home Assistant upgrades
- Nextcloud upgrades
- Future Kubernetes services
This page documents the Nginx Proxy Manager deployment inside the TorresVault ecosystem.