Open Source · MIT License

Self-hosted media stack.
Zero port forwarding.

Run one command. Get wildcard HTTPS, single sign-on, and remote access for every service — without touching your router or exposing your home IP.

Get Started → View on GitHub 
# clone and run the wizard
$ git clone https://github.com/techbutton/portless.git
$ cd portless
$ chmod +x install.sh manage.sh
$ ./install.sh

  ══ portless Setup Wizard ══
  Phase 1: System check  ✔
  Phase 2: Basic config  ✔
  Phase 3: Domain & TLS  ✔
  Phase 4: Select apps   ✔
  Phase 5: Remote access ✔
  Phase 6: Deploy        ✔

Preview

portless stack preview — install flow, service cards, and architecture diagram
Why portless
Everything set up by the wizard

The installer walks through six phases and handles all the plumbing — DNS, certs, auth, routing, and remote access.

🔒

Wildcard TLS — automatic

Traefik handles Let's Encrypt DNS-01 challenges via Cloudflare. Every service gets a valid cert on first boot.

🗝️

Single sign-on

TinyAuth sits in front of every app as a Traefik ForwardAuth middleware. One login, optional 2FA, covers the whole stack.

🌐

No open ports

Your home server only makes outbound connections. Cloudflare Tunnel, Pangolin, Tailscale, Headscale, and Netbird all work without DDNS or port rules.

🛡️

Edge protection

CrowdSec runs on your VPS where real attacker IPs are visible. Community threat intelligence blocks bad actors before they reach home.

📦

40+ apps included

Media, downloads, dashboards, books, music, passwords, recipes, finance, automation, monitoring — all pre-wired with Traefik rules.

⚙️

manage.sh CLI

Add apps, update images, switch tunnel methods, and manage auth — all from a single command.

Remote Access
Five ways to reach your stack

Pick the method that fits your situation. Switch any time with ./manage.sh tunnel setup.

Method Cost Public URLs VPS needed Works with CGNAT
Cloudflare Tunnel Free Yes No Yes
Pangolin ~$18/yr VPS Yes Yes Yes
Tailscale Free Private only No Yes
Headscale ~$18/yr VPS Private only Yes Yes
Netbird Free Private only No (cloud) Yes
Included apps
40+ apps, pick what you need

Select during install or add any time with ./manage.sh add <app>. Every app gets a Traefik rule, auth middleware, and optional tunnel exposure — automatically.

Media

Plex Jellyfin Radarr Sonarr Lidarr Bazarr Prowlarr Overseerr Jellyseerr Maintainerr Kometa

Books, Music & Audio

Audiobookshelf Kavita Calibre-Web Navidrome

Downloads

qBittorrent + Gluetun VPN SABnzbd

Dashboards

Homepage Homarr

Management & Monitoring

Portainer Dozzle Uptime Kuma What's Up Docker Glances Grafana Gotify Notifiarr deunhealth

Productivity

Mealie Linkding FreshRSS Vikunja Actual Budget

Automation & Development

n8n Home Assistant Forgejo

Security

Vaultwarden TinyAuth SSO CrowdSec

Search & Network

SearXNG Whoogle

Utilities

VS Code (code-server) IT Tools Stirling PDF Arrmate ✨
Documentation
Guides

Everything you need to install, configure, and extend portless.

Getting Started

Install prerequisites, run the wizard, and access your services.

Remote Access Guide

Compare all five tunnel methods and pick the right one.

Pangolin Guide

VPS setup, DNS config, CrowdSec, and troubleshooting.

Adding Apps

Create your own app catalog entry and compose snippet.

Troubleshooting

Common issues with Traefik, TinyAuth, tunnels, and more.

References & Credits

Every open source project that powers the stack.

Support the project

portless is free and open source. If it saves you time, a coffee goes a long way.

☕ Buy Me a Coffee