I wanted my family to have Blu-ray quality with a streaming UX. They open Overseerr on their phone, request a movie, and it shows up in Infuse on Apple TV. Subtitles in three languages, hardware transcoding for mobile, full remux on the big screen. They have no idea what's behind it.
What's behind it: Sonarr, Radarr, Prowlarr find and grab content. qBittorrent downloads through a WireGuard tunnel. Bazarr pulls subtitles. Jellyfin serves it all. Everything self-heals — endpoint health checks, autoheal restarts, dependency ordering so nothing starts in a broken state.
The security model is the part I obsessed over:
- qBittorrent shares Gluetun's network namespace at the kernel level. No firewall rule to misconfigure — if the VPN drops, there's no network path. - Traefik binds to a Tailscale IP only. Zero ports face the internet. - Three isolated Docker networks separate ingress, internal, and P2P traffic.
Two Compose stacks, one .env file, MIT licensed.