AI Agent Readiness
This page is the machine-friendly map for NOX Homelab. It helps browser agents, AI assistants, and automated checks understand how the documentation site is organized and how to operate against it safely.
Start here when an agent needs to audit the site, answer questions from the documentation, or browser-test one of the homelab services.
Machine-readable entry points
- /llms.txt — compact summary of the site, safety rules, and all published guides.
- Archives — chronological list of posts.
- Categories — broad topic grouping.
- Tags — service and technology index.
- Contact — correction and issue-reporting guidance.
Agentic browsing checklist
Use this checklist when adding or testing a web UI in the homelab.
Navigation and structure
- Each important page should have one clear h1 and predictable section headings.
- Service documentation should include purpose, route, access model, Compose files, Traefik labels, Authentik notes, backups, updates, troubleshooting, and related documentation.
- Related posts should be cross-linked so agents can follow dependencies such as Traefik, Authentik, Cloudflare Companion, Headscale, and Pi-hole.
- Avoid relying on visual card position alone; expose real links, text labels, and headings.
Accessibility tree
- Buttons, links, form fields, menus, and toggles should have programmatic names.
- Prefer semantic HTML before custom clickable div elements.
- Do not hide interactive controls from the accessibility tree.
- Use valid ARIA roles only when native HTML cannot express the control.
Stability for browser automation
- Set image dimensions or reserve space for media to reduce layout shift.
- Avoid injecting banners or cards above the active task after load.
- Wait for UI state to settle before clicking during browser tests.
- Prefer stable labels and URLs over fragile CSS selectors.
Machine-readable hints
- Keep /llms.txt current.
- Keep post descriptions accurate in front matter.
- Use clear tags for services and dependencies.
- Use placeholder domains in code blocks instead of private real domains.
- Keep secrets, tokens, session cookies, private keys, and real infrastructure details out of public posts.
Service documentation map
Deploy Image Extender AI outpainting with Docker, Traefik, and Authentik — Run Image Extender as a private AI outpainting and 2D game-art studio behind Traefik and Authentik, with OpenRouter BYOK stored in the browser or an optional server-side fallback key.
Deploy Open Design with Docker, Traefik, Authentik, Gemini CLI, and Codex CLI — Run Open Design as a private AI design workspace behind Traefik and Authentik, with Gemini CLI and Codex CLI installed inside the container and persisted across rebuilds.
Run REALITY and Hysteria2 on port 443 with Traefik, HAProxy, sing-box, and optional Pi-hole filtering — A complete, secret-free guide for sharing port 443 between Traefik web services, REALITY over TCP, and Hysteria2 over UDP, with direct Cloudflare DoH and Pi-hole-filtered client profiles backed by cloudflared upstream DoH.
Deploy Android Redroid with droidVNC-NG and noVNC — Run Android in Docker with Redroid, control it using droidVNC-NG, expose noVNC through Traefik and Authentik, and keep raw VNC tailnet-only.
Deploy OmniVoice with Docker, Gradio, Traefik, and Authentik — Run OmniVoice as a protected Gradio voice-cloning service on an ARM64 homelab host with CPU PyTorch and persistent model cache.
Deploy Supabase self-hosted with Docker, Traefik, and Authentik — Run the official self-hosted Supabase stack with Studio protected by Authentik, Kong exposed as the app API, and Postgres kept private.
Deploy Medusa Commerce with Docker, Traefik, Postgres and Redis — Run Medusa as a self-hosted ecommerce stack with a backend, Next.js storefront, PostgreSQL database, Redis cache and Traefik HTTPS routing.
Deploy a Samba root share over Headscale/Tailscale with Docker — Expose an administrative SMB share only on a Headscale/Tailscale address, with Docker binding, explicit Samba config, and strong safety warnings.
Deploy Stalwart Mail Server with Roundcube, Docker, and Cloudflare DNS — Run a self-hosted mail backend with Stalwart, expose webmail through Roundcube, and publish the DNS records that make mail delivery trustworthy.
Deploy Pterodactyl Panel and Wings with Docker, Traefik, and Headscale — Run Pterodactyl Panel publicly while keeping Wings, SFTP, and game allocations private over Headscale.
Deploy the complete WatchParty service with Docker, Traefik, Firebase, and Headscale — Run the full WatchParty service: synced rooms, chat, playlists, Firebase login, PostgreSQL persistence, Redis coordination, Traefik routing, and optional Headscale-only VBrowser.
Deploy Homepage as a Docker dashboard for homelab web UIs — Build a self-hosted Homepage dashboard that advertises only real homelab web UIs, runs from one project folder, and is protected by Traefik and Authentik.
Deploy ComfyUI AI workflows with Docker, Traefik, and Authentik — Run ComfyUI as a self-hosted AI workflow interface with persistent model folders, Docker Compose, Traefik HTTPS routing, and Authentik forward-auth protection.
Deploy LM Studio headless as a local AI API — Run a local OpenAI-compatible model API for private experiments and internal tools.
Deploy PocketBase backend with Docker and Traefik — Run PocketBase as a small self-hosted backend for apps, APIs, auth, and file storage.
Deploy Discourse forum with PostgreSQL, Redis and Traefik — Run a Discourse community forum with internal database/cache services and HTTPS routing.
Deploy Karakeep bookmarks with Meilisearch and Chrome — Run a self-hosted bookmark and archive system with search, crawling, and optional AI metadata.
Deploy Portainer for Docker management behind Traefik — Manage Docker containers from a web UI behind Traefik, then add built-in Portainer OAuth with Authentik.
Deploy Vaultwarden password manager with Docker and Traefik — Run a self-hosted Bitwarden-compatible password manager and protect its data carefully.
Deploy OpenClaw Gateway with Docker, Traefik and Authentik — Run OpenClaw close to your infrastructure so it can help operate files, containers, and chat integrations.
Deploy a Jekyll documentation site with Docker and Traefik — Build Markdown documentation into a static site and serve it through Traefik.
Deploy WordPress with MySQL, Redis, Docker and Traefik — Run a production-style WordPress stack with persistent files, MySQL, Redis caching, and HTTPS routing.
Deploy Garage S3 object storage with Docker and Traefik — Run a lightweight S3-compatible object store with a separate API endpoint and protected web UI.
Deploy Pi-hole private DNS with Docker and Headscale clients — Run Pi-hole as a private DNS resolver for local and Headscale/Tailscale clients without exposing an open resolver.
Deploy Headscale and Headscale UI with Docker and Traefik — Run your own Tailscale-compatible control server and protect the optional UI.
Deploy Cloudflare Companion for Traefik DNS automation — Automatically create Cloudflare DNS records for Traefik-routed Docker services.
Deploy Authentik SSO with Docker and Traefik — Run Authentik as the identity provider for your homelab and expose it safely behind Traefik.
Deploy Traefik as a Docker reverse proxy with Cloudflare DNS — A secret-free standalone guide for deploying Traefik as the HTTPS front door for Docker services, using Cloudflare DNS challenges and a shared proxy network.
Private Pi-hole DNS over Headscale with DNSCrypt and Authentik — How to run Pi-hole privately behind Headscale/Tailscale, use DNSCrypt as the upstream resolver, and protect the Pi-hole web dashboard with Authentik and Traefik.
Self-host OpenClaw with Docker, Traefik, Authentik, and Telegram — A clean fresh-install guide for running OpenClaw on a VPS or homelab server behind Traefik and Authentik, with Telegram integration and no direct exposed app ports.
Self-host WordPress with Redis, MySQL, Docker Compose and Traefik — Deploy WordPress on a root domain with Docker Compose, Traefik HTTPS, MySQL persistence, Redis object cache support, and safe Linux permissions.
Self-host Karakeep for bookmarks and AI-assisted archives — A secret-free Karakeep deployment pattern with Meilisearch, Chrome crawling, and OpenAI-compatible inference settings.
Build a Jekyll documentation site for your homelab — How to turn your homelab notes into a public Jekyll documentation website without leaking secrets.
Run Garage S3 object storage in a homelab — A practical Garage S3 deployment with a protected web UI and an unbroken S3 API route.
Self-host Headscale with a protected web UI — Deploy Headscale behind Traefik and protect the optional web UI with Authentik while keeping the control API reachable.
Build a homelab auth gateway with Traefik and Authentik — A practical, secret-free walkthrough of using Traefik and Authentik as the front door for self-hosted services.
Practical Lighthouse usage
The Lighthouse Agentic Browsing category is still emerging, so treat it as a readiness signal rather than a final grade.
Good results generally mean:
- agents can discover important controls;
- the accessibility tree describes the page accurately;
- the layout is stable enough for automation;
- machine-readable hints such as /llms.txt exist;
- WebMCP-style integrations can be added later for custom apps.
For NOX Homelab, the first priority is documentation and dashboard reliability. WebMCP can come later for custom services that expose meaningful actions, such as queueing a task, checking a service, or opening a filtered dashboard.