docs: publish 2026-04-26

docs/SERVICES.md

@@ -1,97 +1,108 @@
 # Services
 
-Full registry of what's running, where it lives, and how to reach it. See [README](../README.md) for compute layout and [Network](NETWORK.md) for VLAN/IP context.
+Everything I'm running, grouped by what it does. URLs, ports, and which host runs what are operational details — those live in the private repo.
 
-## Status Key
+## Identity & access
 
-| Symbol | Meaning |
-|--------|---------|
-| ✅ | Running, healthy |
-| ⚠️ | Running, needs attention |
-| 🔴 | Down / broken |
-| 🚧 | In progress |
-| ➖ | Decommissioned |
+| Service | What it does |
+|---|---|
+| Authentik | SSO for everything internal. OIDC where the app supports it, Caddy forward auth where it doesn't. |
+| Pi-hole | DNS for the LAN, ad blocking, and the source of truth for internal hostnames. |
+| WireGuard | The only way in from outside. All admin work happens through the tunnel. |
 
-## Core Network (VLAN 1000/1010/1020)
+## Reverse proxy & TLS
 
-Admin consoles at <service>.lerkolabs.com, VPN-gated.
+Two Caddy instances, by design:
 
-| Service | IP | Port | VLAN | Status | Notes |
-|---------|----|------|------|--------|-------|
-| pfSense | 10.1.0.1 / 10.0.0.1 | 443 | LAN/MGMT | ✅ | Firewall, DHCP, WireGuard VPN |
-| Omada Switch | 10.0.0.2 | 443 | MGMT | ✅ | Managed switch, VLAN config |
-| AT&T Gateway | 192.168.1.254 | 80 | — | ✅ | IP Passthrough only, WiFi disabled |
-| Pi-hole | 10.2.0.11 | 80/53 | 1020 | ✅ | Primary DNS, ad blocking |
-| Caddy (infra) | 10.2.0.20 | 80/443 | 1020 | ✅ | Reverse proxy, wildcard SSL via Cloudflare DNS-01 |
-| ntfy | 10.2.0.20 | — | 1020 | ✅ | Push notifications (infra LXC) |
-| Authentik | 10.2.0.25 | 9000 | 1020 | ✅ | SSO — OIDC + forward auth |
-| Proxmox | 10.2.0.10 | 8006 | 1020 | ✅ | Hypervisor |
+- **Internal Caddy** — fronts everything internal. Reachable from inside the LAN or via VPN. Does most of the routing.
+- **DMZ Caddy** — fronts the small set of things I want public. Lives on its own VLAN with no inbound access to internal services beyond a tight, firewall-enforced allowlist.
 
-## Observability (monitor LXC — 10.2.0.51)
+Both use Cloudflare DNS-01 for ACME, which is how internal-only services get valid public certs without ever being exposed to the internet for issuance.
 
-Observability at <service>.lerkolabs.com, VPN-gated.
+## Productivity & knowledge
 
-| Service | Notes |
-|---------|-------|
-| Grafana | Dashboards, alerting |
-| Victoria Metrics | Metrics storage |
-| Beszel | Container + host monitoring |
+| Service | What it replaces |
+|---|---|
+| Outline | Notion / Confluence |
+| Vikunja | Todoist / Asana |
+| Hoarder | Pocket / Raindrop |
+| Memos | Apple Notes (the quick-capture kind) |
+| FreshRSS | Feedly |
+| Bytestash | gist / pastebin |
+| Filebrowser | Dropbox-style file access |
+| Baikal | iCloud calendar/contacts (CalDAV / CardDAV) |
 
-## Productivity Apps (apps LXC — 10.2.0.60)
+## Money
 
-All apps served at <service>.lerkolabs.com behind Authentik.
+| Service | What it replaces |
+|---|---|
+| Actual Budget | YNAB / Mint |
+| Ghostfolio | Personal Capital |
 
-| Service | Auth | Purpose |
-|---------|------|---------|
-| Outline | OIDC | Team wiki |
-| Vikunja | OIDC | Task management |
-| Ghostfolio | Forward auth | Portfolio tracking |
-| Hoarder | Forward auth | Bookmark manager |
-| Grist | Forward auth | Spreadsheets / data |
-| Actual Budget | Forward auth | Personal budgeting |
-| FreshRSS | Forward auth | RSS reader |
-| Memos | Forward auth | Quick notes |
-| Traggo | Forward auth | Time tracking |
-| Baikal | Forward auth | CalDAV / CardDAV |
-| Glance | Forward auth | Homepage dashboard |
-| Filebrowser | Forward auth | File management |
-| Bytestash | Forward auth | Snippet storage |
+## Operations & day-to-day
 
-Shared infrastructure in apps LXC: single Postgres instance (multi-DB) + Redis. See [D004](DECISIONS.md#d004--shared-postgres--redis-in-apps-lxc).
+| Service | What it does |
+|---|---|
+| Grist | Lightweight relational tracking — anything that wants to be in a spreadsheet but shouldn't be |
+| Glance | Personal landing page / dashboard |
+| Traggo | Time tracking |
 
-## Secrets (vault LXC — 10.2.0.21)
+## Media
 
-Served at <service>.lerkolabs.com, VPN-gated.
+| Service | What it does |
+|---|---|
+| Plex | Media library (legacy clients) |
+| Jellyfin | Media library (primary, open source) |
+| *arr stack | Library automation |
+| qBittorrent | Downloads |
+| Immich | Self-hosted Google Photos replacement |
 
-| Service | Notes |
-|---------|-------|
-| Vaultwarden | Isolated LXC — not shared with apps |
+## Home / IoT
 
-## Media (servarr VM)
+| Service | What it does |
+|---|---|
+| Home Assistant OS | Home automation hub |
 
-| Service | Purpose |
-|---------|---------|
-| Plex + Jellyfin | Media streaming |
-| Sonarr / Radarr / Lidarr | Automated media management |
-| Prowlarr + Bazarr | Indexer aggregation + subtitles |
-| qBittorrent (via Gluetun) | Downloads — VPN-gated |
-| Calibre-Web Automated | Book library with auto-ingest |
-| Kavita | E-reader |
+## Secrets
 
-## DMZ (VLAN 1099 — 10.99.0.0/24)
+| Service | What it does |
+|---|---|
+| Vaultwarden | Bitwarden-compatible password manager. **Planned, not deployed yet.** |
 
-| Service | URL | Status | Notes |
-|---------|-----|--------|-------|
-| Caddy (DMZ) | — | ✅ | Public reverse proxy |
-| Gitea | https://gitea.lerkolabs.com | ✅ | Public Git |
-| Portfolio | https://lerkolabs.com | ✅ | Personal site |
+## Bots & automation
 
-## Access Matrix
+| Service | What it does |
+|---|---|
+| Vocard | Discord music bot |
+| MonitorRSS | RSS-to-Discord notifications |
+| ntfy | Push notifications for ops alerts |
 
-| Service | LAN | Homelab | Guest | IoT | WFH | VPN |
-|---------|-----|---------|-------|-----|-----|-----|
-| pfSense Web GUI | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
-| Pi-hole Admin | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ |
-| All *.lerkolabs.com | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ |
-| Proxmox | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ |
-| Internet | ✅ | limited | ✅ | ✅ | ✅ | optional |
+## Monitoring
+
+| Service | What it does |
+|---|---|
+| Victoria Metrics | Time-series store |
+| Grafana | Dashboards |
+| Beszel | Lightweight host metrics |
+| Uptime Kuma | Synthetic uptime checks |
+
+## Public services
+
+A small, intentional set of things that are reachable from the open internet. They all sit behind the DMZ reverse proxy on a VLAN with no inbound access to internal subnets.
+
+| Service | Why it's public |
+|---|---|
+| Portfolio | It's a portfolio. |
+| Self-hosted Git | Where you're reading this. |
+| SSO endpoint | Has to be reachable for an OIDC flow on one specific public-facing service (the Discord bot dashboard). It's the only internal-VLAN backend the public proxy is allowed to talk to, and the firewall enforces that — not just the proxy config. |
+| One Authentik-gated app | The Discord bot dashboard. Public so I can hit it from outside the LAN; gated by Authentik forward auth before anything responds. |
+
+## Who can access what
+
+Three audiences, three levels:
+
+- **Internet, anonymous** — sees only the small public set above.
+- **Internet, signed into Authentik** — same as above, plus access to the Authentik-gated public services.
+- **Connected via WireGuard** — gets everything: internal apps and admin surfaces (hypervisor, firewall, backup server, network controller, monitoring). This is the only way to reach any admin surface.
+
+The WFH and IoT VLANs are deliberately *outside* this access model. Those are for me-as-a-user (work laptop, smart devices), not me-as-an-operator. They never see the internal service plane.