Network & Security
Networking Strategy
The homelab is designed to be accessible both locally and remotely while maintaining a high level of security. We follow a Single Entry Point architecture, where most services are routed through a central proxy.
Single Entry Point (Nginx)
Instead of exposing a separate port for each service (Sonarr, Radarr, etc.), we use Nginx as a central reverse proxy. This allows:
- Centralized SSL: All external traffic is encrypted via HTTPS.
- Friendly URLs: Services are accessed via `service-home.javiersc.com` instead of IP addresses and ports.
- Access Control: Centralized authentication and filtering at the proxy level.
Smart Firewall
We use a dynamic firewall strategy managed by NixOS.
Global Rules
- SSH (Port 22): Open to all (managed via `modules/nixos/programs/ssh.nix`).
- Nginx (Ports 80/443): Open to all (managed via `modules/nixos/services/proxy/default.nix`).
- mDNS (Port 5353 UDP): Open for local service discovery (`nixos.local`).
Network Topology (Double Router)
The homelab uses a Double Router setup to separate the smart home infrastructure (Thread/Matter) from the ISP router:
- ISP Router (Orange): Handles the main fiber connection and provides internet to the Eero router.
- Smart Home Router (Eero): Acts as a Thread Border Router and creates a dedicated private network for all smart devices and the homelab server.
[!IMPORTANT] The homelab server MUST be connected directly to the Eero LAN port. This ensures it is on the same Layer 2 segment as the Alexa devices and Matter hardware, which is required for mDNS discovery and Matter commissioning.
Connectivity Strategy
We prioritize mDNS (`nixos.local`) over static IPs for local access to allow the server to move between network segments (e.g., for maintenance or hardware upgrades) without reconfiguration.
Local Network Access
The firewall automatically allows connections from the Local Private Network (192.168.0.0/16). This covers both the ISP subnet and the Eero subnet.
The list of ports is dynamically generated from the `homelab.proxies` declarations.
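As an added illustration (not the repository's own module), the fragment below assumes `homelab.proxies` is an attribute set mapping a service name to `{ port = <int>; }` and derives the LAN-only firewall rules described above from it, while the global ports (22, 80/443, 5353/udp) stay open to all. The `nixos-fw` chain and `nixos-fw-accept` target are the ones NixOS's iptables-based firewall creates; the sample services are constructed.

```nix
{ config, lib, ... }:
let
  cfg = config.homelab;
  # Direct service ports, taken from whatever is declared under homelab.proxies
  proxiedPorts = lib.mapAttrsToList (_: p: p.port) cfg.proxies;
  # Local Private Network: covers both the ISP subnet and the Eero subnet
  lanCidr = "192.168.0.0/16";
in
{
  # Assumed shape of the homelab.proxies option (hypothetical, for this example)
  options.homelab.proxies = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule {
      options.port = lib.mkOption { type = lib.types.port; };
    });
    default = { };
  };

  config = {
    # Constructed sample declarations; the real list lives in the host config
    homelab.proxies = {
      sonarr = { port = 8989; };
      radarr = { port = 7878; };
    };

    networking.firewall = {
      enable = true;
      # Global rules: SSH and the Nginx single entry point are open to all
      allowedTCPPorts = [ 22 80 443 ];
      # mDNS for nixos.local discovery on the local segment
      allowedUDPPorts = [ 5353 ];
      # Direct service ports are reachable only from the private LAN; anything
      # else has to come through Nginx (local) or the Cloudflare Tunnel (remote).
      extraCommands = lib.concatMapStringsSep "\n" (port: ''
        iptables -A nixos-fw -s ${lanCidr} -p tcp --dport ${toString port} -j nixos-fw-accept
      '') proxiedPorts;
    };
  };
}
```

After `nixos-rebuild switch`, `iptables -S nixos-fw` should show one accept rule per proxied port scoped to 192.168.0.0/16 and no unrestricted rule for those ports.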
Connectivity Matrix
| Access Mode | URL | Entry Point | Requirement |
|---|---|---|---|
| Local (mDNS) | http://nixos.local | Nginx (Port 80) | Be on Eero network (WiFi/LAN) |
| Local (Direct) | http://nixos.local:<port> | Direct Service Port | Be on Eero network (WiFi/LAN) |
| Remote | https://<svc>-home.javiersc.com | Cloudflare Tunnel | Internet + Auth |
| Tailscale | http://<tailscale-ip>:<port> | Mesh VPN | Tailscale network membership |
[!WARNING] Accessing `nixos.local` from the ISP router's network (outside the Eero) will not work because of NAT traversal and mDNS link-local restrictions. Use the Remote URL or connect your management device to the Eero network.
Declarative Infrastructure
Starting April 2026, the homelab infrastructure (DNS, Cloudflare Access, and Tunnel Routing) is managed declaratively via OpenTofu (Terraform).
Automatic Provisioning
When a new service is added to the `homelab.proxies` list in NixOS:
- DNS: A CNAME record is automatically created in Cloudflare pointing to the tunnel.
- Access Control: A Cloudflare Access Application is provisioned with a default policy allowing the `adminEmail` and `memberEmails`.
- Tunnel Routing: The Tunnel “Ingress Rules” (Public Hostnames) are updated to route traffic to the local service target (`http://127.0.0.1:<port>` by default, or `cloudflareService` for protocol-specific targets such as SSH).
This ensures that the Nix configuration is the single source of truth for the entire network stack, from the local port to the public internet.
Remote Access Authentication
All remote access is protected by Cloudflare Zero Trust. Users must authenticate via email before reaching the local Nginx proxy.