This chapter continues the early evolution of the infrastructure. After building the first prototypes and experimenting with containers, I needed a proper public entry point — a stable, secure, always-on machine that could handle encrypted traffic, DNS challenges, tunnels, and remote access.
That role was taken by the Edge VPS (fully anonymized in this article). It became the front door to everything else.
1. Why the Edge VPS mattered
Running services on the HOME machine was easy, but exposing them safely was not.
I needed:
- a public IP address
- secure TLS termination
- stable inbound access
- ability to route traffic anywhere in my private network
- a way to avoid exposing LAN services directly
- a single control point for all public domains
This is why the architecture split was born:
HOME = compute
EDGE = public-facing gateway
The separation improved security, routing, and overall clarity.
2. The Edge VPS stack
Over time, the Edge VPS evolved from a simple test box into a proper gateway host running:
1. Traefik v3 (reverse proxy)
- routes multiple domains
- performs ACME DNS-01 challenges through the DNS provider's API
- terminates TLS/HTTPS
- applies security middlewares (response headers and similar)
- writes an access log of every incoming request
2. WireGuard (private tunnel backbone)
- the VPS acts as a hub
- all private nodes connect into it
- no services on HOME are directly exposed
- routing is clean and predictable
- extremely low overhead
3. RustDesk relay
- anonymized setup
- provides remote access without relying on the public RustDesk servers
- works for endpoints behind NAT
- the VPS only brokers the session (ID/rendezvous and relay); it is never a session endpoint
4. Firewall (nftables)
- strict allowlist
- only core ports are exposed
- everything else dropped
- logs rejected connection attempts
The VPS became a “security buffer zone” — it touches the public internet so the HOME network doesn’t have to.
3. Traefik – the brain of the edge
Traefik was one of the biggest upgrades.
It provided:
- domain routing
- automatic HTTPS
- wildcard certificates
- security response headers (HSTS, nosniff, frame options)
- clean separation of apps
- ability to forward encrypted streams through WireGuard directly to HOME
This was a fundamental shift. Instead of exposing or port-forwarding random services, everything became:
Internet → Edge VPS → Traefik → WireGuard → HOME Service
Elegant. Clean. Secure.
4. WireGuard – the private backbone
WireGuard transformed the architecture completely.
The Edge VPS became the gateway node:
- all traffic for private services flows through the tunnel
- HOME never needs to open ports
- clients (laptop / phone) join the same mesh
- routing stays consistent across all locations
- shrinks the public attack surface to the VPS's own listening ports
Using an anonymized private subnet, the VPS effectively became the bridge between the outside world and the private compute environment.
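The hub-and-spoke layout above, as an added example (these are not the author's files). The script renders the three WireGuard configs: the Edge VPS hub, the HOME node and a laptop. The 10.66.0.0/24 subnet, the edge.example.com hostname, the interface name wg0 and UDP port 51820 are assumptions; keys are generated with wg genkey when wireguard-tools is installed and replaced by labelled placeholders otherwise. The security-relevant detail is in the HOME peer: it has no ListenPort and dials out to the hub with a keepalive, so the home router never needs an inbound rule.

```shell
#!/bin/sh
# Added example, not the article's own configuration: renders hub + spoke
# WireGuard configs. Subnet, hostname, port and peer names are assumptions.
set -eu

# Real keys if wireguard-tools is present, otherwise labelled placeholders
# so the script still runs on a machine without wg.
wg_key() {
  if command -v wg >/dev/null 2>&1; then wg genkey; else echo "REPLACE_WITH_WG_GENKEY_$1"; fi
}
wg_pub() {
  if command -v wg >/dev/null 2>&1; then printf '%s' "$1" | wg pubkey; else echo "REPLACE_WITH_WG_PUBKEY_$2"; fi
}

render_wireguard() {
  out=$1; mkdir -p "$out"
  hub_priv=$(wg_key hub);     hub_pub=$(wg_pub "$hub_priv" hub)
  home_priv=$(wg_key home);   home_pub=$(wg_pub "$home_priv" home)
  lap_priv=$(wg_key laptop);  lap_pub=$(wg_pub "$lap_priv" laptop)

  # Hub (Edge VPS): the only peer that listens. It needs net.ipv4.ip_forward=1
  # so laptop <-> HOME traffic can cross it. AllowedIPs is per-peer /32, so a
  # compromised peer cannot claim another peer's address.
  cat >"$out/wg0-hub.conf" <<EOF
[Interface]
Address = 10.66.0.1/24
ListenPort = 51820
PrivateKey = $hub_priv

[Peer]
# HOME compute node
PublicKey = $home_pub
AllowedIPs = 10.66.0.2/32

[Peer]
# laptop
PublicKey = $lap_pub
AllowedIPs = 10.66.0.10/32
EOF

  # HOME: no ListenPort and no port-forward on the home router. It dials out
  # to the hub and keeps the NAT mapping alive so the hub can reach it anytime.
  cat >"$out/wg0-home.conf" <<EOF
[Interface]
Address = 10.66.0.2/24
PrivateKey = $home_priv

[Peer]
PublicKey = $hub_pub
Endpoint = edge.example.com:51820
AllowedIPs = 10.66.0.0/24
PersistentKeepalive = 25
EOF

  # Laptop / phone: same shape. AllowedIPs is only the private subnet, so this
  # is a split tunnel for the homelab, not a full-tunnel VPN.
  cat >"$out/wg0-laptop.conf" <<EOF
[Interface]
Address = 10.66.0.10/24
PrivateKey = $lap_priv

[Peer]
PublicKey = $hub_pub
Endpoint = edge.example.com:51820
AllowedIPs = 10.66.0.0/24
PersistentKeepalive = 25
EOF
  chmod 600 "$out"/wg0-*.conf   # configs contain private keys
}

render_wireguard "${OUT:-${TMPDIR:-/tmp}/edge-wg}"
```

Copy each file to /etc/wireguard/wg0.conf on its machine and bring it up with wg-quick up wg0; wg show on the hub should list a recent handshake for every peer. If HOME sits behind carrier-grade NAT the keepalive of 25 seconds is what keeps the mapping open.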
5. Cloudflare + ACME DNS-01
To automate certificates for all domains, I integrated:
- the Cloudflare DNS API (DNS-01 needs write access to the zone)
- Traefik's built-in ACME client with the DNS-01 challenge
- automatic wildcard TLS certificates
- zero manual renewals
DNS-01 is the only ACME challenge type that can issue wildcard certificates, and because the proof is a TXT record rather than an HTTP response, it works even for names that never resolve to the VPS.
The VPS now issues and renews certificates for:
- public domains
- subdomains
- internal domains exposed through the proxy
This removed the last bottleneck in public routing.
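The Traefik side of the chain Internet → Edge VPS → Traefik → WireGuard → HOME Service, together with the DNS-01 wildcard setup from this section, as an added example (not the author's configuration). The script writes a Traefik v3 static config and one dynamic-config file. Assumptions: the zone example.com on Cloudflare, HOME reachable at 10.66.0.2 over the tunnel with a service on port 8080, ACME account mail admin@example.com, and the files later copied to /etc/traefik.

```shell
#!/bin/sh
# Added example, not the article's own files: Traefik v3 static + dynamic
# config for DNS-01 wildcard certs and routing to HOME over WireGuard.
# Domain, addresses, ports and paths are assumptions.
set -eu

render_traefik() {
  out=$1; mkdir -p "$out/dynamic"

  # Static config: entrypoints, ACME resolver (Cloudflare DNS-01), access log.
  cat >"$out/traefik.yml" <<'EOF'
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true

certificatesResolvers:
  cf:
    acme:
      email: admin@example.com
      storage: /etc/traefik/acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"

accessLog:
  filePath: /var/log/traefik/access.log

log:
  level: INFO
EOF

  # Dynamic config: router -> security-header middleware -> service on HOME.
  # The wildcard cert requested here is reused by every later *.example.com router.
  cat >"$out/dynamic/app.yml" <<'EOF'
http:
  routers:
    app:
      rule: "Host(`app.example.com`)"
      entryPoints: [websecure]
      middlewares: [secure-headers]
      service: app-home
      tls:
        certResolver: cf
        domains:
          - main: "example.com"
            sans: ["*.example.com"]

  middlewares:
    secure-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        contentTypeNosniff: true
        frameDeny: true
        referrerPolicy: "strict-origin-when-cross-origin"

  services:
    app-home:
      loadBalancer:
        servers:
          - url: "http://10.66.0.2:8080"
EOF

  # ACME storage holds the private keys: create it with mode 600 before the
  # first start, or Traefik refuses to use it.
  touch "$out/acme.json"; chmod 600 "$out/acme.json"

  # The Cloudflare token is read from the environment by the DNS provider.
  # Scope it to Zone:DNS:Edit on this zone only and keep it out of traefik.yml.
  cat >"$out/traefik.env" <<'EOF'
CF_DNS_API_TOKEN=replace-with-scoped-cloudflare-token
EOF
  chmod 600 "$out/traefik.env"
}

render_traefik "${OUT:-${TMPDIR:-/tmp}/edge-traefik}"
```

Because the upstream URL is a WireGuard address, a request for app.example.com only ever leaves the VPS inside the tunnel; HOME sees traffic from 10.66.0.1, never from the internet. Test the DNS-01 flow first against the staging CA (caServer under acme) so a typo in the token does not burn production rate limits.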
6. Security hardening
The VPS was hardened to act as a proper gateway:
- strict firewall allowlist
- fail2ban watching the SSH log
- SSH password authentication disabled
- key-based login only
- no direct exposure of any HOME service
- all sensitive paths routed through WireGuard
- anonymized network segmentation
As a result:
The VPS is exposed — but nothing behind it is.
This is the core security philosophy of the entire infrastructure.
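The firewall from section 2 and the hardening list above, as one added example (not the author's files). The script renders an nftables ruleset with a default-drop input policy and a rate-limited drop log, an sshd drop-in that turns off password authentication, and a fail2ban jail for sshd. Assumptions: wg0 on UDP 51820, SSH on 22 reachable publicly (fail2ban implies that), a non-root admin account, and RustDesk on its documented defaults 21115-21117; the real box may use other ports.

```shell
#!/bin/sh
# Added example, not the author's configuration: gateway firewall, sshd
# hardening and fail2ban jail. Ports, interface name and paths are assumptions.
set -eu

render_hardening() {
  out=$1; mkdir -p "$out"

  # /etc/nftables.conf: allowlist on input, default drop, sampled logging.
  cat >"$out/nftables.conf" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define WG_PORT = 51820

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    ct state established,related accept
    ct state invalid drop
    iif "lo" accept

    icmp type { echo-request, destination-unreachable, time-exceeded } accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, time-exceeded, destination-unreachable, parameter-problem } accept

    # WireGuard hub: the only UDP service facing the internet
    udp dport $WG_PORT accept

    # Traefik: port 80 exists only to redirect to 443
    tcp dport { 80, 443 } accept

    # RustDesk ID server (hbbs) and relay (hbbr), assumed default ports
    tcp dport { 21115, 21116, 21117 } accept
    udp dport 21116 accept

    # SSH: key-only (sshd drop-in), new connections rate-limited here,
    # repeat offenders banned by fail2ban
    tcp dport 22 ct state new limit rate 10/minute accept

    # Everything else: sampled log line, then dropped by the chain policy
    limit rate 5/minute burst 10 packets log prefix "nft-input-drop: " level info
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # tunnel peers may reach each other through the hub; nothing else is forwarded
    iifname "wg0" oifname "wg0" accept
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF

  # /etc/ssh/sshd_config.d/50-hardening.conf (PermitRootLogin no assumes a
  # separate sudo-capable admin user exists before you apply it).
  cat >"$out/50-hardening.conf" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
EOF

  # /etc/fail2ban/jail.d/sshd.local: ban via nftables so both tools agree.
  cat >"$out/sshd.local" <<'EOF'
[sshd]
enabled = true
mode = aggressive
backend = systemd
maxretry = 3
findtime = 10m
bantime = 1h
banaction = nftables-multiport
EOF
}

render_hardening "${OUT:-${TMPDIR:-/tmp}/edge-hardening}"
```

Check before you apply: nft -c -f nftables.conf parses the ruleset without loading it, and sshd -t validates the drop-in. Load the firewall from a session you keep open (or with the provider's console at hand), then confirm from the outside that only the listed ports answer; the nft-input-drop lines in the journal are what fail2ban and your own eyes will watch afterwards.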
7. Final architecture snapshot
The Edge VPS (anonymized) now serves as:
- Public HTTPS entry point: Traefik handles all domains.
- Secure private tunnel hub: WireGuard connects all distributed nodes.
- Remote access relay: RustDesk sessions are brokered through the VPS, never directly to the LAN.
- Certificate manager: the ACME client obtains and renews wildcard certs for everything via DNS-01 (the CA itself is external; the VPS only proves control of the DNS zone).
- Firewall buffer: no LAN or HOME IPs are ever exposed.
- Traffic director: routes all incoming requests to HOME compute.
Conclusion
The Edge VPS became the public face of the infrastructure — a small, hardened, secure gateway that handles all external communication while keeping the internal world fully private.
It is the guard, the router, the certificate manager, and the tunnel hub. Without it, none of the later architecture would have worked.
This chapter marks the moment when the ecosystem became truly scalable, secure, and future-proof.