Setting up A New Homelab: Traefik + Authentik on Debian 13
I have always defaulted to spinning up dedicated compute for each of my projects. It's Christmas time now, and I spent some time reviewing my subscriptions only to find a whopping >$50 being spent on servers every month for old hobby projects. Hence, I decided to spend some time setting up my new "homelab", on which I plan to run new pet projects as containers. The goal was to create a modern, secure self-hosting environment using Traefik as a reverse proxy and Authentik as a centralized Identity Provider (IdP). These will be the foundations for any project I build going forward.
While the stack is powerful, Debian 13 is still very new, which led to some interesting technical hurdles. Here is a breakdown of the setup, the architecture, and the lessons learned.
🏗 The Architecture
The setup follows a "Hub and Spoke" model where all traffic enters through a single, secure gate.
- Traefik: Acts as the edge router. It listens on ports 80 and 443, automatically handles Let's Encrypt SSL certificates, and routes traffic to internal containers based on Docker labels. Each container will contain one project. For example, I will start by handling auth with an Authentik application, and a blog using Ghost.
- Authentik: The "brain" of the operation. It manages users, groups, and Single Sign-On (SSO). It’s a multi-container stack consisting of a web server, a background worker, a PostgreSQL database, and a Redis cache.
Challenge 1: Goodbye, default firewall
The first challenge wasn't software—it was infrastructure. Netcup provides a preconfigured external firewall via their Server Control Panel (SCP).
The Lesson: Even if your server-side firewall (like UFW) is off, Netcup’s hardware firewall will drop incoming packets on ports 80 and 443 by default. You must log into the SCP and delete the restrictive default policy (or explicitly allow web traffic) before anything will work.
Challenge 2: Traefik was obsessed with obsolete Docker APIs
Debian 13 ships with a very modern Docker engine. Traefik v3, by default, tried to communicate using an older API version (1.24) and was promptly rejected.
The logs showed: ERR Provider error: client version 1.24 is too old. Minimum supported API version is 1.44.
The Solution:
I had to force Traefik to use a recent Docker API version. In the Traefik docker-compose.yml, I explicitly set the environment variable and added a provider timeout flag:

```yaml
environment:
  - DOCKER_API_VERSION=1.44
command:
  - "--providers.docker.httpClientTimeout=300"
```
Challenge 3: Deploying Authentik is not trivial
Authentik is a robust application that requires unique secrets to function. I used pwgen to create secure random strings for the .env file, ensuring the database password and application secret key were hardened from minute one.
The Port Gotcha: I initially ran into a 502 Bad Gateway. After checking the logs, I realized Authentik’s internal web server listens on port 9000, not 8000.
The Fix: I updated the Traefik labels in the Authentik docker-compose.yml to point to the correct internal port:

```yaml
labels:
  - "traefik.http.services.authentik.loadbalancer.server.port=9000"
```
Challenge 4: Classic Networking and DNS issues
To keep things secure, I created a dedicated Docker network called proxy:

```shell
docker network create proxy
```
Both Traefik and Authentik use this network to communicate internally, meaning the database and Redis cache are never exposed to the public internet.
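Putting Challenges 2, 3 and 4 together, here is a single compose file that wires Traefik and Authentik the way described above. It is an added example, not the post's own files: the image tags and the ACME e-mail are assumed placeholders, the Authentik worker container is omitted, and it assumes `docker network create proxy` and `chmod 600 acme.json` were run first.

```yaml
# Added example (not the post's files); image tags and the ACME e-mail are assumed placeholders
services:
  traefik:
    image: traefik:v3.2   # assumed tag
    environment:
      - DOCKER_API_VERSION=1.44   # fixes "client version 1.24 is too old"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"   # route only containers that opt in
      - "--providers.docker.network=proxy"
      - "--providers.docker.httpClientTimeout=300"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--certificatesresolvers.le.acme.email=admin@example.com"   # placeholder
      - "--certificatesresolvers.le.acme.storage=/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
    ports: ["80:80", "443:443"]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # read-only socket
      - ./acme.json:/acme.json                          # chmod 600 beforehand
    networks: [proxy]
  authentik-server:
    image: ghcr.io/goauthentik/server:2024.12.0   # assumed tag
    command: server
    env_file: .env   # AUTHENTIK_SECRET_KEY and PG_PASS, generated with pwgen
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_REDIS__HOST: redis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authentik.rule=Host(`auth.qcomb.com`)"
      - "traefik.http.routers.authentik.entrypoints=websecure"
      - "traefik.http.routers.authentik.tls.certresolver=le"
      - "traefik.http.services.authentik.loadbalancer.server.port=9000"   # not 8000
    networks: [proxy, internal]   # proxy: reachable by Traefik; internal: DB and Redis
    depends_on: [postgresql, redis]
  postgresql:
    image: postgres:16-alpine
    environment: { POSTGRES_USER: authentik, POSTGRES_PASSWORD: "${PG_PASS}" }
    volumes: [pgdata:/var/lib/postgresql/data]
    networks: [internal]   # never on proxy, no published ports
  redis:
    image: redis:7-alpine
    networks: [internal]
volumes: { pgdata: {} }
networks:
  proxy: { external: true }   # created with: docker network create proxy
  internal: {}
```

Only the Traefik service publishes ports; PostgreSQL and Redis sit on the internal network alone, so nothing but the Authentik containers can reach them.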
On the DNS side, I pointed auth.qcomb.com to the server IP. If you ever see a DNS_PROBE_FINISHED_NXDOMAIN error right after setting this up, don't panic—it’s just propagation. Testing on a mobile hotspot is the quickest way to verify if the site is actually live. My ISP took about 5 hours to reflect the DNS changes from my domain registrar. However, I could see these instantly using my 5G mobile connection.
💡 Key Learnings
- Trust the Logs: `docker compose logs -f` is your best friend. It diagnosed the Docker API mismatch in seconds.
- Infrastructure First: Always check your VPS provider's external firewall settings before assuming your Docker config is broken.
- Permissions Matter: Traefik's SSL storage file (acme.json) must have permissions set to 600 (`chmod 600 acme.json`) or Traefik will refuse to boot for security reasons.
Conclusion
The Traefik+Authentik server is now live at https://auth.qcomb.com. With the identity provider established, the foundation for many hobby projects is set. I can now deploy virtually any application and protect it behind a single, secure login.
Word of the Day
Bravado is a noun that represents bold courage, especially that shown by doing something unnecessary or dangerous with the intent to make people admire you.
Larry Bird's bravado was second to none; he was the most amusing and savage trash talker the NBA has ever seen.