This lab runs a mix of virtualized services on Proxmox, fronted by a reverse proxy, with centralized authentication via Authentik federated against an on-prem Active Directory (LDAP source). External access is VPN-only — nothing is exposed directly to the internet.

Network Diagram

[Image: Network Diagram - 20062026]

Architecture Summary

Host         IP             Role
ry-proxmox   192.168.1.160  Proxmox hypervisor hosting ry-proxy, ry-app, ry-n8n, ry-ad01
ry-proxy     192.168.1.116  NGINX Proxy Manager — reverse proxy for internal apps
ry-app       192.168.1.52   Docker host — Mealie, Koodo Reader, UptimeKuma
ry-n8n       192.168.1.84   n8n automation, connected to local Ollama instance
ry-ad01      192.168.1.199  Windows AD — LDAP source for Authentik
ry-pi01      192.168.1.161  Docker host — Pi-hole (DNS filtering), Navidrome
ry-pc01      192.168.1.154  Ollama instance (LLM backend for n8n)

Identity & Access

  • Authentik acts as the central identity provider, sitting behind NGINX Proxy Manager
  • Active Directory is synced into Authentik as an LDAP source, so AD group membership drives application access
  • Authentication flow: User requests app → NGINX forwards to Authentik → Authentik checks group membership against synced AD groups → access granted/denied

AD Group            Apps Granted                Source
‘APP_Navidrome’     Access to Navidrome         AD/LDAP
‘APP_MealieUsers’   Access to Mealie as User    AD/LDAP
‘APP_MealieAdmin’   Access to Mealie as Admin   AD/LDAP
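As an added example (not part of the original post, and not Authentik's own code), the block below models the decision step of that flow in Python: it takes the memberOf values an LDAP sync returns for an AD user, extracts the group CNs, and maps them to the app/role table above. The DN layout (OU=Apps,DC=lab,DC=local), the sample users and the helper names are constructed for illustration; only the three APP_* group names and their meanings come from the post. It also handles two cases worth checking in a real deployment: a disabled AD account that still carries group memberships, and a user who is in both the Mealie user and admin groups.

```python
"""Group-to-app authorization model for the AD -> Authentik -> app flow.

Added example, not code from the post or from Authentik. Group DNs, users
and the role-ranking rule are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Policy mirroring the post's table: AD group CN -> (app, role).
GROUP_POLICY = {
    "APP_Navidrome": ("navidrome", "user"),
    "APP_MealieUsers": ("mealie", "user"),
    "APP_MealieAdmin": ("mealie", "admin"),
}
# AD group names are case-insensitive, so match on a casefolded key.
_POLICY_BY_FOLDED = {cn.casefold(): v for cn, v in GROUP_POLICY.items()}
# When a user sits in several groups for one app, the highest role wins.
ROLE_RANK = {"user": 1, "admin": 2}

_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def group_cn(dn: str) -> Optional[str]:
    """Return the CN of a group DN, e.g. 'CN=APP_MealieAdmin,OU=Apps,DC=lab,DC=local'."""
    m = _CN_RE.match(dn.strip())
    return m.group(1) if m else None


@dataclass
class LdapUser:
    """Minimal view of what an LDAP sync would hand to the IdP (constructed shape)."""
    sam: str
    member_of: list = field(default_factory=list)  # direct memberOf DNs only
    enabled: bool = True  # derived from userAccountControl in a real sync


def effective_roles(user: LdapUser) -> dict:
    """Map a user's direct AD groups to the highest role per app.

    Note: AD's memberOf attribute lists direct memberships only; nested group
    membership is not expanded here and would need a separate lookup.
    """
    roles: dict = {}
    if not user.enabled:
        return roles  # a disabled account grants nothing, whatever its groups
    for dn in user.member_of:
        cn = group_cn(dn)
        if cn is None:
            continue
        policy = _POLICY_BY_FOLDED.get(cn.casefold())
        if policy is None:
            continue  # unrelated groups such as Domain Users are ignored
        app, role = policy
        if ROLE_RANK[role] > ROLE_RANK.get(roles.get(app, ""), 0):
            roles[app] = role
    return roles


def authorize(user: LdapUser, app: str):
    """Decide (allowed, role) for one app, as the IdP would after group lookup."""
    roles = effective_roles(user)
    if app in roles:
        return True, roles[app]
    return False, None


# Constructed sample users; the DN suffix is an assumption.
_BASE = "OU=Apps,DC=lab,DC=local"
SAMPLE_USERS = {
    "alice": LdapUser("alice", [f"CN=APP_MealieUsers,{_BASE}",
                                f"CN=app_mealieadmin,{_BASE}",
                                "CN=Domain Users,CN=Users,DC=lab,DC=local"]),
    "bob": LdapUser("bob", [f"CN=APP_Navidrome,{_BASE}"]),
    "carol": LdapUser("carol", [f"CN=APP_MealieAdmin,{_BASE}"], enabled=False),
    "dave": LdapUser("dave", ["CN=Domain Users,CN=Users,DC=lab,DC=local"]),
}


def decide_all(app: str) -> dict:
    """Run the decision for every sample user against one app."""
    return {name: authorize(u, app) for name, u in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for app in ("mealie", "navidrome"):
        print(app, decide_all(app))
```

Running it shows alice as a Mealie admin (the admin group outranks the user group), bob allowed only on Navidrome, carol denied everywhere despite her admin group because the account is disabled, and dave denied because Domain Users maps to no app.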

Remote Access

  • All external access is via UniFi WireGuard VPN — no service is directly internet-facing
  • VPN terminates at the UniFi gateway; once connected, clients reach internal services the same as if on the LAN
  • Authentik MFA provides a second layer of access control behind the VPN gate

Why This Setup

  • Proxmox for proper VM/host segmentation rather than running everything on one box
  • Authentik + LDAP to centralize auth instead of managing separate logins per app, and to practice federated identity patterns used in real enterprise environments
  • VPN-only external access to minimize attack surface — no public-facing reverse proxy or admin panel
  • Pi-hole for network-wide DNS filtering

Lessons Learned / Next Steps

  • OS Hardening
  • Add SIEM/log aggregation (Wazuh or similar) once hardening is complete
  • Consider documenting VLAN segmentation if/when implemented
