A private cloud and homelab architecture that uses Tailscale, Caddy, private DNS, browser-trusted TLS, nftables, and DOCKER-USER filtering to keep internal services reachable only from trusted devices.