My Current Software Stack: 20+ Docker Containers on a Mini PC
A deep dive into every service running on my NiPoGi mini PC β from Home Assistant and Zigbee2MQTT to Authentik and WireGuard, all orchestrated with Docker Compose.
On this page
In the hardware post, I covered the physical devices. Now itβs time to look at the other half of the equation: the software that ties everything together. Every service listed here runs as a Docker Compose container on the same NiPoGi mini PC β a Celeron J4125 with 8 GB of RAM and 128 GB of storage. Yes, all of it. On that one little box.
Let me walk you through every container, what it does, why I chose it, and where the cracks are starting to show.
Container Management
π³ Dockge
Dockge is how I manage all my Docker Compose stacks. Built by the same developer behind Uptime Kuma, it provides a clean web UI for creating, editing, starting, and stopping docker-compose.yml files β without touching the terminal. Each stack gets its own directory and its own compose file, which makes organization straightforward.
What makes Dockge stand out compared to Portainer:
- Compose-native β it works directly with
docker-compose.ymlfiles on disk, not an abstraction layer - Lightweight β minimal resource footprint, important when youβre running 20+ containers on 8 GB of RAM
- Simple UI β no enterprise features youβll never use, just compose management done well
Every service described below is a stack in Dockge.
Smart Home Core
π Home Assistant
Home Assistant is the brain of the entire smart home. It connects to every device β Zigbee sensors, WiFi plugs, IR blasters, radiator valves β and provides a unified interface for monitoring, automation, and control. I run it as a Docker container (not Home Assistant OS), which gives me full control over the host system but comes with trade-offs Iβll discuss later.
Key integrations:
- Zigbee2MQTT for all Zigbee devices (via MQTT)
- BTicino switches and blinds via the Legrand/Netatmo cloud integration
- Netatmo radiator valves
- Broadlink IR control for AC and TV
- Shelly energy monitoring via local API
- Matter for the Tapo smart plugs via Matter Hub
- ESPHome for the Everything Presence Lite sensors
The automation engine is where Home Assistant truly shines. Climate control, lighting scenes, presence-based actions, security alerts, energy dashboards β it all lives here.
π‘ Zigbee2MQTT
Zigbee2MQTT bridges the Zigbee network to MQTT, making every Zigbee device accessible to Home Assistant (and any other MQTT consumer). It connects to the Sonoff CC2652P USB dongle and manages the entire Zigbee mesh β device pairing, network mapping, firmware updates, and message routing.
Why Zigbee2MQTT over ZHA (Zigbee Home Automation, the built-in HA integration):
- Broader device support β more devices supported out of the box with specific converters
- Decoupled from Home Assistant β if HA restarts, the Zigbee network stays up
- Web UI for diagnostics β network map, device logs, and manual message sending
- Active community β new device support lands quickly
It runs with an Eclipse Mosquitto MQTT broker in the same compose stack.
π Matter Hub
The Python Matter Server acts as a Matter controller, enabling Home Assistant to communicate with Matter-compatible devices β in my case, the five Tapo Matter smart plugs. Matter is still maturing, but having native local control over these plugs without any vendor cloud is the promise of this protocol.
π± Broadlink Manager
A web interface for managing the two Broadlink RM4 Mini IR blasters. It makes learning and testing IR codes much easier than doing it through Home Assistant directly. Once codes are captured, theyβre used in HA automations to control the AC units and bedroom TV.
Networking & Security
π‘οΈ Pi-hole
Pi-hole is the network-wide DNS sinkhole that blocks ads, tracking domains, and telemetry at the DNS level. Every device on the network β phones, laptops, smart TVs, IoT devices β benefits from it without needing any client-side software.
Configuration highlights:
- Custom blocklists tuned for Italian ad networks and smart TV telemetry
- Local DNS records for all internal services (e.g.,
ha.localβ Home Assistant) - Conditional forwarding for proper reverse DNS resolution of local devices
- Serves as the primary DNS server for the entire network
π Nginx Proxy Manager
Nginx Proxy Manager provides reverse proxy with automatic SSL certificate management via Letβs Encrypt. Every internal service gets a clean subdomain (ha.mydomain.com, dockge.mydomain.com, etc.) with HTTPS β no more remembering ports.
Key features:
- Automatic Letβs Encrypt SSL with DNS challenge via Cloudflare
- Access lists to restrict certain services to local network only
- Proxy hosts for all Docker services with WebSocket support
- Simple UI β no hand-editing nginx config files
βοΈ Cloudflare Tunnel (cloudflared)
Cloudflared creates an encrypted tunnel between my home network and Cloudflareβs edge network. This allows secure remote access to selected services without opening any ports on the router β no port forwarding, no exposed attack surface.
Only specific services are exposed through the tunnel: Home Assistant, Nginx Proxy Managerβs dashboard, and a few others that need remote access. Everything else stays local-only.
π Authentik
Authentik is a full-featured identity provider (IdP) and single sign-on (SSO) solution. It sits in front of services that donβt have their own authentication or where I want centralized identity management.
What it provides:
- SSO with OIDC/OAuth2 and SAML β one login for multiple services
- 2FA/MFA support β TOTP and WebAuthn for all accounts
- Application proxy β can protect services that have no auth by placing Authentik in front
- User management β centralized user directory, useful when I eventually let family members access specific services
Setting up Authentik was the most complex deployment in the entire stack, but the security benefit is worth it.
π WireGuard
WireGuard provides VPN access to the home network when Iβm away. Itβs dramatically simpler and faster than OpenVPN β the entire configuration is a few lines, and the protocol overhead is minimal.
Use cases:
- Accessing internal services from mobile or laptop when traveling
- Secure DNS β routing DNS queries through Pi-hole even on public WiFi
- Full tunnel mode β all traffic routed through home for privacy when on untrusted networks
Monitoring & Observability
π Uptime Kuma
Uptime Kuma monitors every service and device on the network. It checks HTTP endpoints, TCP ports, DNS resolution, and ping responses β and sends alerts via Telegram when something goes down.
Monitoring targets include:
- All Docker containers (HTTP health checks)
- Router and mesh nodes (ping)
- External services and domains (HTTP/HTTPS)
- DNS resolution (Pi-hole health)
π Beszel
Beszel is a lightweight server monitoring tool that tracks CPU, memory, disk, network, and temperature metrics. It provides historical graphs and alerts when resource thresholds are crossed. On a machine with only 8 GB of RAM running 20+ containers, knowing where resources are going is critical.
π Homarr
Homarr is the dashboard β the landing page for everything. It displays all services with their icons, status indicators, and direct links. Rather than bookmarking dozens of IP:port combinations, Homarr gives me a single pane of glass for the entire stack.
I actually run two instances β one for the full admin dashboard and another as a simplified view for quick access to the most-used services.
Development & File Management
π» Code Server
Code Server is VS Code in the browser. It gives me a full development environment accessible from any device β useful for editing Home Assistant YAML configurations, tweaking Docker Compose files, or writing scripts directly on the server without SSH.
Having a browser-based IDE means I can make quick config changes from a tablet or even a phone in a pinch.
π File Browser
File Browser provides a clean web UI for browsing, uploading, downloading, and managing files on the server. Itβs the lightweight alternative to a full NAS interface when I just need to quickly grab or upload a file.
π§ Zone Configurator
A web-based text editor originally designed for Home Assistant configuration files. It provides syntax highlighting for YAML and a file tree view β useful as a lightweight alternative to Code Server when I only need to make a small configuration change.
Additional Services
π SpeedTest
A self-hosted speed test tool running on the local network. It lets me measure LAN throughput between devices β useful for diagnosing network bottlenecks and verifying that the Xiaomi mesh is performing as expected (spoiler: the 1 Gbit ethernet limitation is real).
π€ Open WebUI
Open WebUI is a self-hosted interface for interacting with large language models. I use it for experimenting with local AI models β running small LLMs for quick queries, code assistance, and general experimentation. On the Celeron J4125 itβs painfully slow with anything beyond tiny models, but it works for testing the concept before investing in better hardware.
π‘ Everything Presence Lite β Firmware Installer
Not a Docker container per se, but a bookmarked web tool for flashing and updating firmware on the Everything Presence Lite mmWave sensors via ESPHome. These sensors receive periodic firmware updates that improve presence detection accuracy and add new features.
π» SONOFF Zigbee Dongle Firmware
Similarly, this is a reference link for the Sonoff Zigbee coordinator firmware. Keeping the CC2652P firmware up to date ensures the best Zigbee mesh stability and support for new device types.
The Full Stack at a Glance
| Category | Service | Purpose |
|---|---|---|
| Container Management | Dockge | Docker Compose UI |
| Smart Home | Home Assistant | Automation platform |
| Smart Home | Zigbee2MQTT + Mosquitto | Zigbee bridge + MQTT broker |
| Smart Home | Matter Hub | Matter device controller |
| Smart Home | Broadlink Manager | IR code management |
| Networking | Pi-hole | DNS ad blocking |
| Networking | Nginx Proxy Manager | Reverse proxy + SSL |
| Networking | Cloudflare Tunnel | Secure remote access |
| Security | Authentik | Identity provider / SSO |
| Security | WireGuard | VPN access |
| Monitoring | Uptime Kuma | Service uptime monitoring |
| Monitoring | Beszel | Server resource monitoring |
| Dashboard | Homarr (x2) | Service dashboard |
| Development | Code Server | Browser-based VS Code |
| Files | File Browser | Web file manager |
| Development | Zone Configurator | HA config editor |
| Utility | SpeedTest | LAN speed testing |
| AI | Open WebUI | Local LLM interface |
Thatβs 20+ containers sharing 8 GB of RAM and a Celeron J4125 CPU. The fact that it all runs β and runs reasonably well β is a testament to how lightweight most of these services are when containerized.
The Elephant in the Room: Home Assistant as a Container
This is the single biggest pain point of my current setup, and it deserves an honest discussion.
Running Home Assistant as a Docker container instead of Home Assistant Operating System (HAOS) means you get full control over the host machine β I can run all these other services alongside it, manage the OS directly, and have complete flexibility. But it comes at a cost.
What Iβm missing
- Add-ons β HAOS has a built-in add-on store with one-click installs for services like Zigbee2MQTT, Node-RED, Mosquitto, and dozens more. As a container, I have to deploy and manage each of these separately via Docker Compose. Every update, every configuration change, every port mapping β itβs manual.
- Backups β HAOS provides full automated snapshot backups that include the OS, configuration, and all add-ons. With the container approach, I have to script my own backup strategy, making sure to capture all the compose stacks, volumes, and configuration files.
- Supervisor β the HAOS Supervisor manages service health, restart policies, and system updates. Without it, I rely on Dockerβs restart policies and Dockge for management β functional, but not as integrated.
- Hardware discovery β HAOS handles USB device passthrough (like the Zigbee dongle) more gracefully. In Docker, you need to explicitly map
/dev/ttyUSB0or/dev/serial/by-id/...and hope the device path doesnβt change after a reboot.
Whatβs actually breaking
The 8 GB RAM limit is the real killer. Hereβs a typical memory snapshot:
| Service | Approx. RAM |
|---|---|
| Home Assistant | ~800 MB |
| Zigbee2MQTT + Mosquitto | ~150 MB |
| Authentik (server + worker + PostgreSQL + Redis) | ~1.2 GB |
| Pi-hole | ~100 MB |
| Nginx Proxy Manager | ~80 MB |
| Uptime Kuma | ~120 MB |
| Beszel | ~80 MB |
| Homarr (x2) | ~200 MB |
| All others combined | ~800 MB |
| OS + Docker overhead | ~1.5 GB |
| Total | ~5 GB |
That looks manageable on paper, but the moment Home Assistant runs a complex automation sequence, or Authentik processes an auth flow, or all services decide to garbage-collect at the same time β RAM spikes above 7 GB and things start swapping. The 128 GB SSD doubles as swap space, and that SSD is already near capacity with container images and volumes.
The next step: HAOS on dedicated hardware
For the new homelab build, Iβm seriously considering switching to Home Assistant Operating System on dedicated hardware. The plan:
- HAOS on its own machine β a dedicated mini PC or NUC running HAOS, with the Zigbee dongle attached directly. No more USB passthrough, no more manual add-on management.
- Separate Docker host β a more powerful server (more RAM, more storage) running all the non-HA services: Authentik, monitoring, development tools, AI experiments.
- Clean separation β Home Assistant focuses on what it does best (home automation), while the Docker host handles everything else.
This separation would also improve reliability. Right now, if the Docker host needs a reboot for updates, the smart home goes down too. With dedicated HAOS hardware, the lights, heating, and security continue working independently.
What Iβve Learned
Running 20+ containers on a single mini PC has been a masterclass in resource optimization and Linux systems administration. Iβve learned more about Docker networking, reverse proxies, DNS, identity management, and monitoring in the past few years than I did in any course or tutorial.
But Iβve also learned that thereβs a line between βefficientβ and βfragile.β A single point of failure β one machine, one SSD, one power supply β running your entire smart home and infrastructure is a risk. The new lab will address that.
Next Steps
In the next post, I discuss the new hardware selection β the philosophy behind the build, the scenarios I evaluated (mini PC + NAS vs custom build), and why expandability and GPU support drove the final decision.
The migration is coming. Time to build it right.