
SOP: Install aurbotstem.com Dashboard (NPM + Authentik + Homepage)

1) Purpose

Deploy a secure, public-facing dashboard at https://aurbotstem.com with SSO capability using:

  • Cloudflare DNS
  • Nginx Proxy Manager (NPM) as reverse proxy
  • Authentik for identity/SSO
  • Homepage as the dashboard UI

2) Scope

Applies to:

  • Proxmox VM running Debian/Ubuntu
  • Docker-based deployments
  • Domain: aurbotstem.com

3) Architecture (high level)

Internet → Cloudflare DNS → Public IP → Router port-forward (80/443) → VM (NPM) → internal services (Authentik/Homepage)

4) Prerequisites

4.1 Accounts & Access

  • Cloudflare account with DNS control of aurbotstem.com
  • Router/firewall admin access (port forwarding)
  • SSH access to VM

4.2 VM Requirements

Recommended minimum:

  • OS: Debian 12 or Ubuntu 24.04 LTS
  • CPU: 2 vCPU
  • RAM: 4–8 GB
  • Disk: 40–80 GB SSD
  • Static LAN IP (example used here): 10.10.8.131

4.3 Ports

  • Public inbound to VM:
    • TCP 80 → VM:80 (NPM)
    • TCP 443 → VM:443 (NPM)
  • LAN-only admin:
    • VM 10.10.8.131:81 (NPM admin UI)
  • Internal services on VM:
    • Authentik: 9000
    • Homepage: 3000

5) Inputs (fill these)

  • VM LAN IP: 10.10.8.131
  • Router gateway IP: 10.10.8.1 (example)
  • Public IP: <YOUR_PUBLIC_IP>
  • Domains:
    • Dashboard: aurbotstem.com
    • Auth: auth.aurbotstem.com

6) Procedure (step-by-step)

Step 1 — Configure Cloudflare DNS

In Cloudflare → DNS:

  1. Create A record: aurbotstem.com → <YOUR_PUBLIC_IP>
  2. Create A record: auth.aurbotstem.com → <YOUR_PUBLIC_IP>

Recommended during setup: set records to DNS only (grey cloud) until everything works.

Step 2 — Configure router port forwarding

Create port forwards to the VM:

  • TCP 80 → 10.10.8.131:80
  • TCP 443 → 10.10.8.131:443

Step 3 — Install Docker on the VM

SSH to VM:

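sudo apt update
sudo apt install -y ca-certificates curl gnupg
# Convenience installer: the downloaded script runs as root
curl -fsSL https://get.docker.com | sudo sh
# Membership in the docker group is root-equivalent on this VM
sudo usermod -aG docker "$USER"
newgrp docker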

Verify:

docker --version

Step 4 — Deploy Nginx Proxy Manager (NPM)

On VM:

mkdir -p ~/docker/npm
cd ~/docker/npm
cp -a /Users/robotics/aurbotstem-infra/compose/npm/docker-compose.yml ./
docker compose up -d

Verify (LAN):

  • Open: http://10.10.8.131:81
  • Login default: admin@example.com / changeme → change immediately.

Step 5 — Deploy Authentik

On VM:

mkdir -p ~/docker/authentik
cd ~/docker/authentik
cp -a /Users/robotics/aurbotstem-infra/compose/authentik/docker-compose.yml ./

# Edit secrets BEFORE starting
nano docker-compose.yml

docker compose up -d

Verify (LAN):

  • http://10.10.8.131:9000

Step 6 — Publish Authentik through NPM

In NPM → Proxy Hosts → Add:

  • Domain: auth.aurbotstem.com
  • Scheme: http
  • Forward Host/IP: 10.10.8.131
  • Forward Port: 9000
  • Websockets: ON
  • SSL: Request Let’s Encrypt certificate + Force SSL

Verify:

  • https://auth.aurbotstem.com

Step 7 — Deploy Homepage (dashboard)

On VM:

mkdir -p ~/docker/homepage
cd ~/docker/homepage
cp -a /Users/robotics/aurbotstem-infra/compose/homepage/docker-compose.yml ./
cp -a /Users/robotics/aurbotstem-infra/compose/homepage/config ./

docker compose up -d

Verify (LAN):

  • http://10.10.8.131:3000

Step 8 — Publish Homepage through NPM

In NPM → Proxy Hosts → Add:

  • Domain: aurbotstem.com
  • Scheme: http
  • Forward Host/IP: 10.10.8.131
  • Forward Port: 3000
  • SSL: Request Let’s Encrypt certificate + Force SSL

Verify:

  • https://aurbotstem.com

Step 9 — Cloudflare SSL mode

Cloudflare → SSL/TLS:

  • Set to Full during setup.
  • After Let’s Encrypt is working in NPM, set to Full (strict).

Step 10 — (Optional) Gate dashboard with Authentik SSO

After Authentik is stable:

  • Create Authentik Proxy Provider + Application + Outpost
  • Add Authentik forward-auth snippet to the NPM Advanced tab for aurbotstem.com

Note: The exact snippet depends on your Outpost URL. Capture the Outpost URL from the Authentik UI and store it in your docs.

7) Configuration (Homepage)

Edit:

  • ~/docker/homepage/config/bookmarks.yaml
  • ~/docker/homepage/config/settings.yaml

Apply changes:

docker restart homepage

8) Verification checklist (Definition of Done)

  • http://10.10.8.131:81 accessible from LAN (NPM admin)
  • https://auth.aurbotstem.com loads Authentik
  • https://aurbotstem.com loads Homepage
  • TLS certs valid (no certificate warnings)
  • Only ports 80/443 exposed publicly; NPM admin not exposed
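
One way to check the last item from the VM itself, as an added example that is not part of the original SOP: it compares the host ports Docker has published against the port plan in section 4.3. The function names, container names and the extra port 9443 in the sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit host-published Docker ports against the port plan in section 4.3.
# Real use:  docker ps --format '{{.Names}}\t{{.Ports}}' | audit_ports

# Constructed sample of that docker ps output (container names and port 9443 are made up).
sample_ps() {
  printf 'npm\t0.0.0.0:80-81->80-81/tcp, 0.0.0.0:443->443/tcp, [::]:80-81->80-81/tcp\n'
  printf 'authentik-server\t0.0.0.0:9000->9000/tcp, 0.0.0.0:9443->9443/tcp\n'
  printf 'authentik-postgresql\t5432/tcp\n'
  printf 'homepage\t0.0.0.0:3000->3000/tcp\n'
}

# Prints one line per published host port: "<status> <container> <bind-address>:<port>".
audit_ports() {
  awk -F '\t' '
    BEGIN {
      plan[80] = "public";    plan[443] = "public"      # forwarded by the router
      plan[81] = "lan-only";  plan[9000] = "lan-only";  plan[3000] = "lan-only"
    }
    {
      n = split($2, maps, ", ")
      for (i = 1; i <= n; i++) {
        if (maps[i] !~ /->/) continue            # container port only, not published
        host = maps[i]; sub(/->.*/, "", host)    # "0.0.0.0:80-81" or "[::]:443"
        ports = host;   sub(/.*:/, "", ports)    # "80-81" or "443"
        addr = substr(host, 1, length(host) - length(ports) - 1)
        lo = ports; hi = ports
        if (ports ~ /-/) { split(ports, r, "-"); lo = r[1]; hi = r[2] }
        for (p = lo + 0; p <= hi + 0; p++) {
          status = (p in plan) ? plan[p] : "UNEXPECTED"
          print status, $1, addr ":" p
        }
      }
    }'
}

# Number of published ports that the SOP does not list.
unexpected_count() {
  audit_ports | awk '$1 == "UNEXPECTED" { n++ } END { print n + 0 }'
}

sample_ps | audit_ports
```

A lan-only row bound to 0.0.0.0 or [::] listens on every interface of the VM, so it stays off the internet only because the router forwards nothing but 80/443.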

9) Rollback

  • Stop services:
cd ~/docker/npm && docker compose down
cd ~/docker/authentik && docker compose down
cd ~/docker/homepage && docker compose down
  • Remove DNS records / port forwards to disable public access.

10) Troubleshooting

Cloudflare 502 Bad Gateway

Usually means origin unreachable. Check:

  • Router forwards 80/443 to VM
  • NPM running: docker ps
  • Proxy host forwards to correct port (9000/3000)

Let’s Encrypt fails

Common causes:

  • Port 80/443 not reachable from internet
  • Cloudflare proxy interference (try grey-cloud during issuance)

11) References

12) Changelog

  • 2026-02-12: Initial SOP created