This repository contains Infrastructure-as-Code (IaC) configurations for a self-hosted homelab server designed with a Zero Trust Network Access (ZTNA) approach.
The goal was an environment that exposes no inbound listening ports at all, so public scanners (Shodan, nmap) find nothing to fingerprint, while every service stays highly available through the Cloudflare proxy network.
User ➡️ Cloudflare Proxy ➡️ Secure Tunnel ➡️ Localhost (127.0.0.1) ➡️ Docker Containers
- Hermetic Networking: every Docker container publishes its ports on the loopback interface only (127.0.0.1:port). This matters because Docker writes its own iptables NAT/FORWARD rules for published ports, so a port published on 0.0.0.0 is reachable from the LAN no matter what UFW's INPUT policy says; binding to loopback means nothing is ever published on a routable address in the first place.
- Firewall Hardening (UFW):
  - Policy: DEFAULT_INPUT_POLICY="DROP"
  - No open inbound ports: port 22, 80 and 443 are neither forwarded on the router nor allowed on the host firewall.
- SSH Security: SSH is reachable only through Cloudflare Access (an identity-aware proxy). The client wraps the connection with an ssh_config ProxyCommand that invokes cloudflared, so port 22 is never opened to the internet and every login is first authenticated by Access.
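The client side of that SSH setup, as an added example that is not part of this repository: it writes the ssh_config stanza Cloudflare documents for `cloudflared access ssh` and then verifies the stanza is wired correctly. The hostname ssh.example.com and the cloudflared path /usr/local/bin/cloudflared are placeholder assumptions; substitute your own Access application hostname.

```shell
#!/usr/bin/env sh
# Added example (not from this repository): an ssh_config stanza that reaches
# the homelab's sshd through Cloudflare Access instead of a public port 22.
# Assumptions: the Access application hostname is ssh.example.com and
# cloudflared lives at /usr/local/bin/cloudflared; both are placeholders.
set -eu

CF_SSH_HOST="${CF_SSH_HOST:-ssh.example.com}"
CLOUDFLARED="${CLOUDFLARED:-/usr/local/bin/cloudflared}"

# Append the Host stanza to the given ssh_config file. `cloudflared access ssh`
# performs the Access login (browser-based on first use, token cached after)
# and then relays the SSH byte stream over the tunnel, so the client never
# opens a TCP connection to the server's own address.
write_cf_ssh_stanza() {
  cfg="$1"; host="$2"
  cat >>"$cfg" <<EOF
Host $host
    ProxyCommand $CLOUDFLARED access ssh --hostname %h
EOF
  chmod 600 "$cfg"
}

# Exit 0 if $host has a ProxyCommand routed through cloudflared, 1 otherwise.
# Useful as a post-install check before removing any direct SSH path.
check_cf_ssh_stanza() {
  cfg="$1"; host="$2"
  awk -v h="$host" -v cf="$CLOUDFLARED" '
    $1 == "Host" { in_host = ($2 == h); next }
    in_host && $1 == "ProxyCommand" && $2 == cf && $3 == "access" && $4 == "ssh" { found = 1 }
    END { exit !found }
  ' "$cfg"
}

# Demo against a scratch file rather than ~/.ssh/config.
demo_cfg="$(mktemp)"
write_cf_ssh_stanza "$demo_cfg" "$CF_SSH_HOST"
cat "$demo_cfg"
check_cf_ssh_stanza "$demo_cfg" "$CF_SSH_HOST" && echo "stanza OK: ssh $CF_SSH_HOST goes via Cloudflare Access"
rm -f "$demo_cfg"
```

In real use append the stanza to ~/.ssh/config and connect with `ssh ssh.example.com`; the first connection opens a browser for the Access login, after which cloudflared reuses the cached token.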
- OS: Ubuntu Server / Debian
- Orchestration: Docker Compose (one Compose project per service, for isolation)
- Networking: Cloudflare Tunnel (cloudflared), UFW
- Monitoring: Uptime Kuma
The system is optimized for low resource usage. The htop screenshot below shows the server under load with active Cloudflare Tunnels and Docker containers.
*Snapshot of system resources: CPU usage is minimal (~5%) despite multiple active services.*
Binding published ports to 127.0.0.1 ensures the service is not reachable via the server's LAN or public IP; only processes on the host itself (here, cloudflared) can connect to it.

```yaml
services:
  webapp:
    image: nginx:alpine
    ports:
      # CRITICAL: Bind to localhost only.
      # Blocks direct access bypassing the Tunnel.
      - "127.0.0.1:8080:80"
    restart: always
```

The server relies on outbound connections only: cloudflared dials out to Cloudflare's edge to establish the Tunnel, so no inbound firewall rule is needed for any service.
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow in on lo   # Allow localhost communication for Tunnel <-> Docker
sudo ufw enable
```

You can view the live status of this infrastructure here: monitor.czerks.pl
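A post-deploy audit of the two controls above (loopback-only port bindings and the UFW default-deny policy), as an added example that is not part of this repository. It checks three things: that no listening socket is bound outside loopback, that UFW is active with deny-incoming as default, and that every short-syntax port mapping in the Compose file pins the host side to 127.0.0.1. The `ss`, `ufw status` and Compose inputs below are constructed samples so the script runs offline; the image name louislam/uptime-kuma:1 and the port numbers are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from this repository): post-deploy audit of the
# loopback-binding and UFW controls. On a live host feed it real data:
#   ss -Hltn                | non_loopback_listeners
#   sudo ufw status verbose | ufw_default_denies_incoming
#   compose_unpinned_ports  < docker-compose.yml
# The inputs below are constructed samples so the script runs offline.
set -eu

# Constructed `ss -Hltn` output: a loopback-bound docker-proxy (good), one
# published on 0.0.0.0 (bad), an IPv6 loopback listener, and sshd on *.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("docker-proxy",pid=1234,fd=4))
LISTEN 0 4096 0.0.0.0:3001 0.0.0.0:* users:(("docker-proxy",pid=1300,fd=4))
LISTEN 0 128 [::1]:8081 [::]:*
LISTEN 0 128 *:22 *:* users:(("sshd",pid=900,fd=3))'

# Constructed `ufw status verbose` output for a correctly hardened host.
SAMPLE_UFW='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Constructed compose file: webapp is pinned to loopback, kuma is not.
SAMPLE_COMPOSE='services:
  webapp:
    image: nginx:alpine
    ports:
      # pinned to loopback: only cloudflared on this host can reach it
      - "127.0.0.1:8080:80"
    restart: always
  kuma:
    image: louislam/uptime-kuma:1
    ports:
      - "3001:3001"
      - 0.0.0.0:3002:3001
    restart: always'

# Print the local address:port of every LISTEN socket not bound to loopback.
# A hit means something is reachable on the LAN/public IP without the tunnel.
non_loopback_listeners() {
  awk '
    $1 != "LISTEN" { next }
    { addr = $4; sub(/:[0-9]+$/, "", addr) }
    addr != "127.0.0.1" && addr != "[::1]" && addr !~ /^127\./ { print $4 }
  '
}

# Exit 0 only if UFW is active and its default incoming policy is deny.
ufw_default_denies_incoming() {
  awk '
    /^Status: active/ { active = 1 }
    /^Default: deny \(incoming\)/ { deny = 1 }
    END { exit !(active && deny) }
  '
}

# Print short-syntax port mappings whose host side is not 127.0.0.1.
# Long-syntax entries (target:/published:/host_ip:) are not parsed here.
compose_unpinned_ports() {
  awk -v sq="'" '
    /^[[:space:]]*ports:[[:space:]]*$/ { inports = 1; next }
    inports && /^[[:space:]]*-/ {
      m = $0
      sub(/#.*$/, "", m)                         # trailing comment
      gsub(/"/, "", m); gsub(sq, "", m)          # surrounding quotes
      sub(/^[[:space:]]*-[[:space:]]*/, "", m)   # list marker
      sub(/[[:space:]]+$/, "", m)
      if (m !~ /^127\.0\.0\.1:/) print m
      next
    }
    inports && !/^[[:space:]]*#/ && !/^[[:space:]]*$/ { inports = 0 }
  '
}

echo "== listeners outside loopback (sample) =="
printf '%s\n' "$SAMPLE_SS" | non_loopback_listeners
echo "== unpinned compose ports (sample) =="
printf '%s\n' "$SAMPLE_COMPOSE" | compose_unpinned_ports
if printf '%s\n' "$SAMPLE_UFW" | ufw_default_denies_incoming; then
  echo "ufw: active, default deny incoming"
else
  echo "ufw: NOT hardened"
fi
```

Any line printed by the first two checks is a hole in the "nothing listens on a routable address" guarantee; on the sample data the unpinned kuma mappings and the sshd socket on * are flagged, while the 127.0.0.x and [::1] listeners are accepted.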
Created & Maintained by Karol Wójcik 🌐 Website • 💼 LinkedIn • 📧 Email