A Production-Grade Homelab on Raspberry Pi 5
There is a distinct satisfaction in reclaiming your digital sovereignty. Whether it is preserving memories with Immich, managing a digital library with Calibre Web, archiving the web with Readeck, staying informed with FreshRSS, or securing credentials with Vaultwarden, running a home server is the ultimate expression of technical freedom. However, I have always struggled with the classic homelab dilemma: Accessibility versus Security.
Traditionally, accessing these local services from the outside world meant opening ports on a router. In 2025, that feels like leaving your front door unlocked in a busy city. It works, but the risk is unacceptable.
When I upgraded my setup to the powerful Raspberry Pi 5 with 8 GB of RAM, I decided to treat this not as a hobbyist project, but as a micro-production environment. I wanted the convenience of the cloud with the privacy of bare metal, without ever exposing a single port to the public internet.
Here is the architecture I designed to achieve a Zero Trust environment at home, combining the power of Cloudflare’s edge network with the routing intelligence of Traefik.

Overview
This architecture outlines a robust, security-first approach to exposing on-premise services hosted on a Raspberry Pi 5 to the public internet. Moving away from traditional port forwarding, which significantly increases the attack surface, this setup leverages Cloudflare Tunnel to establish a secure, outbound-only connection from the Docker host to Cloudflare’s global edge network.
In this model, the request flow is sanitized at the edge before ever reaching the private network. The traffic passes through an encrypted tunnel to a local daemon, which then hands off routing responsibilities to Traefik. Acting as an internal ingress controller, Traefik dynamically routes traffic to the appropriate containerized microservices. This design minimizes operational complexity while maximizing security and performance.
Architecture Flow
1. Client Request Initiation
The process begins when an external user triggers an HTTPS request via a browser, mobile application, or API call intended for a self-hosted service.
2. Cloudflare Edge Security
Before touching the private infrastructure, the request is intercepted by Cloudflare’s Edge Network. Here, critical security measures are applied, including DDoS mitigation, Web Application Firewall (WAF) filtering, and TLS termination, ensuring only legitimate traffic proceeds.
3. Encrypted Ingress Tunnel
Verified traffic is encapsulated and transmitted via the QUIC protocol through a persistent, encrypted tunnel. This connects the edge directly to the cloudflared daemon running on the host, eliminating the need for open inbound ports on the local firewall.
4. Local Routing & Middleware (Traefik)
The cloudflared service hands off the decrypted HTTP traffic to Traefik, the internal reverse proxy. Traefik inspects the request headers (chiefly the Host header) and uses Docker service discovery to route the request to the correct backend container, such as Immich or Readeck, while also applying middleware such as rate limiting or header modification.
5. Target Container Execution
The request reaches the specific Docker container responsible for the service. The application processes the payload and returns the response through the same secure pipeline to the end user.
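The five steps above map onto two configuration files on the Docker host. What follows is an added example written for this article, not configuration taken from the original post: a cloudflared ingress file and a Docker Compose file that wires cloudflared, Traefik and one backend together. The domain example.com, the tunnel UUID placeholder, the Traefik image tag and the rate-limit numbers are assumptions; the traefik/whoami container stands in for a real service such as Immich, which would use the same labels with its own port.

```yaml
# cloudflared/config.yml  (added example; UUID and domain are placeholders)
tunnel: TUNNEL-UUID                               # UUID printed by `cloudflared tunnel create <name>`
credentials-file: /etc/cloudflared/TUNNEL-UUID.json   # secret written by `tunnel create`; mount read-only
ingress:
  # Step 3 -> step 4: every hostname arriving through the tunnel is handed to
  # Traefik over the internal Docker network as plain HTTP (TLS ended at the edge).
  - hostname: "*.example.com"
    service: http://traefik:80
  # Catch-all: anything not matched above is answered at the daemon with 404
  # and never reaches Traefik or a container.
  - service: http_status:404

---
# docker-compose.yml  (added example; same assumptions as above)
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    # Outbound-only: the daemon dials Cloudflare's edge. No `ports:` block, so the
    # host firewall can stay closed to all inbound traffic.
    command: tunnel --no-autoupdate --config /etc/cloudflared/config.yml run
    volumes:
      - ./cloudflared:/etc/cloudflared:ro
    networks:
      - ingress
    depends_on:
      - traefik

  traefik:
    image: traefik:v3.1
    restart: unless-stopped
    command:
      - --providers.docker=true
      # Least privilege for routing: a container is unreachable until it opts in
      # with traefik.enable=true, so a freshly started service is not exposed by accident.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80            # internal HTTP entrypoint used by cloudflared
      - --log.level=INFO
    volumes:
      # Needed for service discovery; this socket is root-equivalent on the host,
      # so keep it read-only and consider a socket proxy for a stricter setup.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - ingress
    # Deliberately no `ports:` here either: Traefik is reachable only from cloudflared.

  whoami:
    # Stand-in backend (step 5); a real service such as Immich uses the same label pattern.
    image: traefik/whoami
    restart: unless-stopped
    networks:
      - ingress
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      - "traefik.http.routers.whoami.entrypoints=web"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      # Step 4 middleware: token-bucket rate limit, 50 req/s sustained, bursts of 100.
      - "traefik.http.middlewares.ratelimit.ratelimit.average=50"
      - "traefik.http.middlewares.ratelimit.ratelimit.burst=100"
      - "traefik.http.routers.whoami.middlewares=ratelimit@docker"

networks:
  ingress:
    driver: bridge
```

For the hostname to resolve, the zone needs a CNAME for *.example.com (or one record per service) pointing at TUNNEL-UUID.cfargotunnel.com, proxied through Cloudflare. Two checks are worth running after `docker compose up -d`: `ss -tlnp` on the Pi should show no new listening sockets, confirming the design goal that nothing is published on the host, and `cloudflared tunnel info TUNNEL-UUID` should report an active connector. Because TLS terminates at Cloudflare's edge, traffic between Traefik and the containers is plain HTTP on the private bridge network, so any container placed on the ingress network without labels is still invisible to the outside world, but it can reach Traefik; keep unrelated services on their own networks.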
Sleep Soundly with Zero Trust
Building this architecture was about more than just routing traffic. It was about peace of mind.
By decoupling the ingress mechanism from my local network configuration, I no longer worry about port scanners, botnets, or exposing my home IP address. The “Cloudflare Tunnel plus Traefik” combination creates an incredibly resilient system. It allows me to spin up a new Docker container and have it securely accessible via HTTPS in seconds, all while the firewall remains completely shut to inbound traffic.
This setup bridges the gap between a fragile DIY project and a robust, professional infrastructure. It proves that you do not need an enterprise budget to have enterprise-grade security. You just need the right architecture.
I hope this breakdown inspires you to harden your own homelab. There is a special kind of joy in knowing your data is sitting safely in your living room, yet is accessible from anywhere in the world, securely.
Happy hosting.