📊 Data Flow Architecture

Complete request lifecycle through VPS → Pi Hub → Homelab

1. Client Request

The user accesses a service over HTTPS from any device; DNS resolves the service hostname to the VPS public IP.

Client Types
  Web Browsers (Desktop/Mobile)
  Native Mobile Apps
  Desktop Sync Clients
  API Consumers
2. VPS Gateway

The request reaches the public VPS in Berlin. CrowdSec analyzes the traffic for threats, and the Newt relay prepares to forward it through the tunnel.

Security Filters
  UFW Firewall (Ports 80/443)
  CrowdSec IDS/IPS Analysis
  Rate Limiting Check
  IP Reputation Lookup
3. WireGuard Tunnel Entry

The Newt relay on the VPS packages the request and sends it through the encrypted WireGuard tunnel. The VPS acts as a "dumb pipe": TLS is only terminated on the Pi, so the VPS never sees decrypted content.

Tunnel Layer
  ChaCha20-Poly1305 Encryption
  Perfect Forward Secrecy
  NAT Traversal via Gerbil
  < 10ms Added Latency
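To make the "dumb pipe" claim concrete, here is an added example (not code from this page or from the Pangolin, Newt or CrowdSec projects) modelling what the VPS gateway can and cannot observe: it builds a constructed TLS ClientHello for an assumed hostname, parses the only plaintext fields a TLS-passthrough relay sees (SNI and the offered cipher suites), and makes the gateway's forward/drop decision from that metadata and the source IP alone. The hostname, IP addresses and block/serve lists are assumptions.

```python
import struct

# Constructed sample. The VPS sees TLS records it cannot decrypt, so the only
# plaintext it can act on is ClientHello metadata plus the connection's source IP.

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying an SNI extension (constructed, not captured)."""
    host = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host           # name_type=host_name, length, name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)               # client_version, 32-byte random (zeros in the sample)
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header: handshake

def observe_client_hello(record: bytes) -> dict:
    """Return the plaintext fields a TLS-passthrough relay can read from the first record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    p = 4 + 2 + 32                                   # skip handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + hs[p]                                   # compression methods
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end, sni = p + ext_len, None
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        if etype == 0x0000:                          # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            sni = hs[p + 5:p + 5 + name_len].decode()
        p += elen
    return {"sni": sni, "cipher_suites": ciphers}

def gateway_decision(src_ip: str, record: bytes, blocked_ips: set, served_hosts: set) -> str:
    """Model of the VPS gateway step: drop on IP reputation or an unserved hostname, else forward.
    The HTTP request itself is never available here; it is only decrypted on the Pi hub."""
    if src_ip in blocked_ips:
        return "drop: ip reputation"
    if observe_client_hello(record)["sni"] not in served_hosts:
        return "drop: hostname not served"
    return "forward: wireguard tunnel to pi hub"
```

Anything beyond these fields (URL path, headers, body) only exists in the clear after TLS termination on the Pi, which is why the VPS-side filters listed above are all connection-level checks.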
4. Pi 5 Pangolin Brain

The Raspberry Pi 5 receives the encrypted traffic via Newt. The Pangolin server terminates TLS, handles identity, and routes the request to the appropriate backend service on the NAS.

Pi Hub Functions
  SSL Termination (Local)
  Let's Encrypt Management
  Traefik Routing Rules
  Identity & Access Control
5. NAS Routing

The Pi forwards the decrypted request to the NAS over the local network; the Docker network routes it to the target container based on domain and path.

Network Layer
  Local Ethernet (1Gbps)
  Docker Bridge Networks
  Service Discovery
  Health Checks
6. Service Execution

The target container processes the request, accessing PostgreSQL databases, the Redis cache, or BTRFS storage as needed.

Backend Services
  PostgreSQL (8x instances)
  Redis Cache (3x)
  BTRFS RAID5 Storage
  Application Logic
7. Response Return Path

The response travels back: NAS → Pi (re-encrypted) → WireGuard → VPS → Internet, passing through the same encryption and security layers in reverse.

Return Journey
  Container → Docker → NAS
  NAS → Pi Hub (Local)
  Pi → WireGuard → VPS
  VPS → Internet → Client
Key Figures
  Total Latency: ~20ms
  Encryption: 256-bit
  Network Hops: 3
  VPS Data Access: 0%
Layers Shown
  HTTPS/TLS 1.3
  WireGuard Tunnel
  Pi Hub Processing
  Docker Networks
  Database Layer