Meta – Glossary
Dmitrii Iurco edited this page 2026-06-11 15:39:28 -04:00

Status: Active | Owner: @roof | Updated: 2026-06-11

Plain-language definitions for every term used on User pages. Click a term from any User page to land here.


ACME / Let's Encrypt

ACME (Automatic Certificate Management Environment) is the protocol used to request TLS certificates automatically. Let's Encrypt is the free certificate authority that PIC uses by default for internet-facing cells. When your cell's domain is set to pic_ngo, cloudflare, or duckdns mode, PIC handles the ACME process for you — you do not need to do anything to get a certificate.


CA (Certificate Authority)

A certificate authority is a trusted organisation (or, in lan mode, your cell itself) that issues TLS certificates. Browsers and operating systems trust a list of well-known CAs. In lan mode, PIC generates its own internal CA. To trust HTTPS from a lan-mode cell, you import the cell's CA certificate into your device's trust store.


Cell

A Personal Internet Cell is the server you or your admin runs. It bundles a VPN, DNS, NTP, HTTPS termination, and optional services into a single self-hosted system. "Cell" and "PIC" are used interchangeably throughout this wiki.


Certificate

A TLS certificate is a small file that proves to your browser that it is talking to the genuine server and not an imposter, and that the connection is encrypted. PIC provisions certificates automatically through Let's Encrypt (for internet-facing cells) or through its own internal CA (for LAN-only cells).


Container

A container is a lightweight, isolated environment in which a single piece of software runs. PIC uses Docker containers for each of its components (VPN, DNS, web UI, and so on). You do not need to interact with containers directly — the admin uses make commands to manage them.


DDNS (Dynamic DNS)

Dynamic DNS is a service that keeps a domain name pointing at your current public IP address, even when that IP changes (as it does on most home internet connections). PIC supports three DDNS providers: pic_ngo (the free pic.ngo subdomain), cloudflare, and duckdns. The cell updates the DNS record automatically every 5 minutes.


DNS (Domain Name System)

DNS translates human-readable names (like myhome.pic.ngo) into IP addresses that computers use to connect. PIC runs its own DNS server (cell-dns) that handles name resolution for VPN-connected devices. This means your devices' DNS queries stay inside your cell's network rather than going to a third-party resolver.


Docker

Docker is the software that runs PIC's components as isolated containers. PIC uses Docker under the hood; you do not interact with it directly unless you are an admin running command-line tools.


HTTPS

HTTPS is the secure version of HTTP, the protocol your browser uses to load web pages. The S stands for "Secure" — the connection is encrypted with TLS. A padlock icon in your browser address bar means HTTPS is working.


NTP (Network Time Protocol)

NTP is the protocol devices use to synchronise their clocks with an accurate time source. PIC runs an NTP server (cell-ntp) that VPN-connected devices use to keep accurate time. Accurate time matters for TLS certificates and for TOTP authentication.


Peer

A peer is a person or device that connects to a cell over WireGuard. The cell admin adds peers from the Peers page in the admin dashboard. Each peer gets a unique VPN IP address and a WireGuard configuration file or QR code.


Reverse Proxy

A reverse proxy is a server that sits in front of other services and forwards incoming requests to the right one. PIC uses Caddy as its reverse proxy. When you go to https://mail.myhome.pic.ngo, Caddy receives the request and forwards it to the email container. Caddy also handles TLS certificate management.


Split-horizon DNS

Split-horizon DNS means the same domain name resolves to different IP addresses depending on where the query comes from. Inside the VPN, myhome.pic.ngo resolves to the cell's internal WireGuard address so traffic stays in the tunnel. Outside the VPN, the same name resolves to the cell's public IP. PIC configures this automatically — no action required from the user.


Store Service

A store service is an optional piece of software you can install on a cell from the built-in service store. Examples: email, calendar/contacts, file storage, webmail. Each service runs in its own Docker container. The cell admin installs services; peers use them through standard apps (email clients, calendar apps, WebDAV clients).


Subdomain

A subdomain is the prefix before a domain name. For example, in mail.myhome.pic.ngo, mail is the subdomain, myhome is the cell name, and pic.ngo is the base domain. Each service on a cell gets its own subdomain (for example, calendar.myhome.pic.ngo).


TLS / HTTPS

TLS (Transport Layer Security) is the encryption protocol that makes HTTPS work. When your browser connects to a cell over HTTPS, TLS encrypts the connection and verifies the server's identity using a certificate. PIC provisions TLS certificates automatically.


Tor

Tor is a network that anonymises internet traffic by routing it through multiple volunteer relays. PIC can optionally route selected peers' traffic through Tor as a "store service" exit. Each cell can run only one Tor routing instance. Tor traffic defaults to fail-open: if Tor goes down, traffic falls back to the direct internet rather than being blocked.


VPN (Virtual Private Network)

A VPN creates an encrypted tunnel between your device and a server. In PIC, the VPN connects your devices to your cell over WireGuard. Inside the VPN, your traffic is encrypted and your devices can reach cell services by name. PIC uses WireGuard, not OpenVPN or other older VPN protocols.


VPS (Virtual Private Server)

A VPS is a virtual machine rented from a cloud provider (such as DigitalOcean, Linode, or Hetzner). You can run a PIC cell on a VPS if you don't have always-on hardware at home. A small VPS (1–2 vCPU, 2 GB RAM) is sufficient for a personal cell.


WireGuard

WireGuard is the VPN protocol PIC uses. It is fast, modern, and much simpler than older protocols like OpenVPN. PIC runs WireGuard in a container (cell-wireguard) with NET_ADMIN capability only — it does not run in privileged mode. Each peer gets a unique WireGuard key pair and a VPN IP from the 10.0.0.0/24 subnet.
