> [ OVERVIEW ]: WHAT IS ZERO-TRUST?
Zero-trust means no device or user is trusted because of where it sits on the network: every connection is authenticated and authorized per device and per service, whether it originates inside your home or outside it. For a private AI stack, this means your inference nodes, workflow engines, and data are reachable only by the identities you have explicitly allowed, and nothing is exposed to the public internet by default.
> [ ARCHITECTURE ]: THE A1AI NETWORK MODEL
- > All nodes (Moolah, Neo, Uno, Mac Studio) connected via Tailscale mesh
- > Public traffic enters only through Cloudflare Tunnel (outbound only — no open ports)
- > Internal services accessible only via Tailscale IP or .home DNS (Pi-hole)
- > No inbound ports open on any node's public interface; services listen on the Tailscale interface, so the only path to them is through the mesh
> [ TAILSCALE ]: HOW IT WORKS
- > Each node gets a stable Tailscale IP from the 100.64.0.0/10 CGNAT range (the 100.x.x.x addresses)
- > Point-to-point WireGuard tunnels between devices with per-node keys; traffic is end-to-end encrypted, so even Tailscale's relay (DERP) servers only ever carry ciphertext
- > ACL rules control which device can reach which port. A fresh tailnet ships with an allow-all policy, so least privilege only exists once you write one; after that, any src/dst/port combination not listed is denied
- > Works across NAT, CGNAT, and firewalls without port forwarding
- > Mobile devices and laptops join the same mesh under the same ACLs, so you can reach your AI from anywhere without opening anything to the public internet
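A least-privilege policy for the mesh described above, as an added example rather than the site's own configuration. Node names come from the page; the tags, the admin identity, the service ports and the `tests` entries are assumptions. Tailscale policy files accept HuJSON, so the comments and trailing commas are valid as written.

```jsonc
{
  // Roles are expressed as tags; only admins may attach them, so a node
  // cannot promote itself. Which node carries which tag is assumed here:
  //   tag:inference  Moolah, Mac Studio (model serving)
  //   tag:services   Neo (Ghost, Cal.com, n8n, listmonk, Portainer)
  //   tag:dns        Uno (Pi-hole)
  //   tag:edge       the VPS running cloudflared
  "tagOwners": {
    "tag:inference": ["autogroup:admin"],
    "tag:services":  ["autogroup:admin"],
    "tag:dns":       ["autogroup:admin"],
    "tag:edge":      ["autogroup:admin"],
  },

  "groups": {
    "group:admins": ["you@example.com"],   // placeholder: your login identity
  },

  // Once this list exists, anything not matched below is denied.
  "acls": [
    // Every node may ask Pi-hole for DNS, and nothing else on Uno.
    {"action": "accept", "src": ["*"], "dst": ["tag:dns:53"]},

    // cloudflared may reach exactly the two published services on Neo.
    // Ports are the defaults for Ghost (2368) and Cal.com (3000): assumed.
    {"action": "accept", "src": ["tag:edge"], "dst": ["tag:services:2368", "tag:services:3000"]},

    // The workflow engine on Neo may call the inference API (port assumed);
    // inference nodes get no rule of their own, so they cannot initiate anything.
    {"action": "accept", "src": ["tag:services"], "dst": ["tag:inference:11434"]},

    // Admins' untagged devices (laptops, phones) reach everything,
    // including SSH and the Portainer/n8n/listmonk UIs.
    {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
  ],

  // Evaluated every time the policy is saved; a failing test rejects the save,
  // so an accidental widening of tag:edge or tag:inference cannot go live.
  "tests": [
    {"src": "tag:edge",      "accept": ["tag:services:2368"], "deny": ["tag:services:22", "tag:inference:11434"]},
    {"src": "tag:inference", "deny":   ["tag:services:22", "tag:services:2368", "tag:dns:22"]},
    {"src": "tag:services",  "accept": ["tag:inference:11434", "tag:dns:53"], "deny": ["tag:inference:22"]},
  ],
}
```

Two things to check before applying this: a tagged device no longer carries a user identity, so a laptop you tag stops matching `group:admins`; and the catch-all `group:admins` rule is the widest grant on the tailnet, so the identity provider account behind it is the real perimeter (protect it with hardware-backed MFA).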
> [ CLOUDFLARE ]: PUBLIC EXPOSURE WITHOUT OPEN PORTS
- > cloudflared runs on the VPS and holds an outbound connection to Cloudflare's edge; requests arrive over that connection and are forwarded to Neo across the Tailscale mesh
- > Routes blog.aihomelab80.com → Ghost on Neo (internal)
- > Routes cal.aihomelab80.com → Cal.com on Neo (internal)
- > No inbound firewall rules needed: the tunnel is outbound-only, so neither the VPS nor Neo has a listening port on the public internet. Check that the origin is reachable no other way; a Ghost or Cal.com instance that also listens on a public address bypasses Cloudflare entirely
- > Cloudflare's DDoS protection and WAF sit in front of both hostnames. Cloudflare terminates TLS at its edge, so it sees the plaintext of these two sites; the rest of the stack never passes through it
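The cloudflared ingress for the two hostnames above, as an added example and not the page's own config file. The tunnel name, credentials path, Neo's Tailscale IP and the service ports are placeholders; the hostnames are the ones from the page.

```yaml
# /etc/cloudflared/config.yml on the VPS (path, tunnel name and IPs assumed)
tunnel: a1ai-public                                   # name or UUID from `cloudflared tunnel create`
credentials-file: /etc/cloudflared/<tunnel-uuid>.json # written by `cloudflared tunnel create`

ingress:
  # Ghost on Neo, addressed by Neo's Tailscale IP. Plain http is acceptable
  # here: the hop from cloudflared to Neo is inside the WireGuard tunnel.
  - hostname: blog.aihomelab80.com
    service: http://100.64.0.12:2368                  # IP and Ghost port assumed

  - hostname: cal.aihomelab80.com
    service: http://100.64.0.12:3000                  # IP and Cal.com port assumed

  # Mandatory catch-all. Any hostname pointed at this tunnel that is not
  # listed above gets a 404 from cloudflared itself and never reaches Neo.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the file, and `cloudflared tunnel ingress rule https://cal.aihomelab80.com` shows which rule a given URL will hit. The public DNS records are created with `cloudflared tunnel route dns a1ai-public blog.aihomelab80.com` (one per hostname), which points the name at the tunnel rather than at any IP you own.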
> [ PIHOLE ]: INTERNAL DNS
- > Pi-hole on Uno handles DNS for all Tailscale nodes. Nodes do not discover it on their own: set Uno's Tailscale IP as the nameserver in the tailnet's DNS settings (with "Override local DNS" enabled, or as split DNS restricted to `home`) so every node, including roaming phones and laptops, picks it up
- > *.home domains resolve to internal Tailscale IPs. Note that `.home` is not a reserved private-use name (RFC 8375 reserves `home.arpa` for that), so configure Pi-hole to answer `.home` locally and never forward those queries upstream
- > listmonk.home, portainer.home, n8n.home all route internally
- > Blocks ad and tracking domains network-wide, for any device whose DNS goes through the mesh
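A dnsmasq drop-in for Pi-hole that pins the `.home` names above to Tailscale addresses and refuses to forward `.home` lookups upstream, as an added example rather than the site's own Pi-hole config. The addresses are placeholders, and the file path assumes the Pi-hole v5 layout (Pi-hole v6 only reads `/etc/dnsmasq.d` when `misc.etc_dnsmasq_d` is enabled in `/etc/pihole/pihole.toml`).

```conf
# /etc/dnsmasq.d/05-home.conf on Uno (path assumed; Pi-hole v5 layout)

# Static answers for the internal names. 100.64.0.12 stands in for Neo's
# Tailscale IP; substitute the real 100.x.x.x address of each host.
address=/listmonk.home/100.64.0.12
address=/portainer.home/100.64.0.12
address=/n8n.home/100.64.0.12

# Never forward anything under .home to the upstream resolver: internal
# hostnames are not leaked, and an unknown .home name gets NXDOMAIN locally.
local=/home/
```

Reload with `pihole restartdns`, then from another node run `dig @<uno-tailscale-ip> n8n.home` and confirm the answer is the Tailscale address and that `dig @<uno-tailscale-ip> doesnotexist.home` returns NXDOMAIN rather than an upstream answer.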
> [ NEXT_STEPS ]: IMPLEMENT THIS YOURSELF
Start with the Start Here guide and the AI Homelab Blueprint which includes the full Tailscale mesh configuration. For a custom zero-trust design tailored to your specific workloads, book an infrastructure audit.