# Services

Full registry of what's running, where it lives, and how to reach it. See [README](../README.md) for compute layout and [Network](NETWORK.md) for VLAN/IP context.

## Status Key

| Symbol | Meaning |
|--------|---------|
| ✅ | Running, healthy |
| ⚠️ | Running, needs attention |
| 🔴 | Down / broken |
| 🚧 | In progress |
| ➖ | Decommissioned |

## Core Network (VLAN 1000/1010/1020)

| Service | IP | Port | VLAN | URL | Status | Notes |
|---------|-----|------|------|-----|--------|-------|
| pfSense | 10.1.0.1 / 10.0.0.1 | 443 | LAN/MGMT | https://pfsense.lerkolabs.com | ✅ | Firewall, DHCP, WireGuard VPN |
| Omada Switch | 10.0.0.2 | 443 | MGMT | https://switch.lerkolabs.com | ✅ | Managed switch, VLAN config |
| AT&T Gateway | 192.168.1.254 | 80 | — | http://192.168.1.254 | ✅ | IP Passthrough only, WiFi disabled |
| Pi-hole | 10.2.0.11 | 80/53 | 1020 | https://pihole.lerkolabs.com | ✅ | Primary DNS, ad blocking |
| Caddy (infra) | 10.2.0.20 | 80/443 | 1020 | — | ✅ | Reverse proxy, wildcard SSL via Cloudflare DNS-01 |
| ntfy | 10.2.0.20 | — | 1020 | — | ✅ | Push notifications (infra LXC) |
| Authentik | 10.2.0.25 | 9000 | 1020 | https://auth.lerkolabs.com | ✅ | SSO — OIDC + forward auth |
| Proxmox | 10.2.0.10 | 8006 | 1020 | https://proxmox.lerkolabs.com | ✅ | Hypervisor |

## Observability (monitor LXC — 10.2.0.51)

| Service | URL | Notes |
|---------|-----|-------|
| Grafana | https://grafana.lerkolabs.com | Dashboards, alerting |
| Victoria Metrics | — | Metrics storage |
| Beszel | — | Container + host monitoring |

## Productivity Apps (apps LXC — 10.2.0.60)

All behind Authentik SSO.

| Service | URL | Auth | Purpose |
|---------|-----|------|---------|
| Outline | https://outline.lerkolabs.com | OIDC | Team wiki |
| Vikunja | https://tasks.lerkolabs.com | OIDC | Task management |
| Ghostfolio | https://finance.lerkolabs.com | Forward auth | Portfolio tracking |
| Hoarder | https://hoarder.lerkolabs.com | Forward auth | Bookmark manager |
| Grist | https://grist.lerkolabs.com | Forward auth | Spreadsheets / data |
| Actual Budget | https://budget.lerkolabs.com | Forward auth | Personal budgeting |
| FreshRSS | https://rss.lerkolabs.com | Forward auth | RSS reader |
| Memos | https://memos.lerkolabs.com | Forward auth | Quick notes |
| Traggo | https://time.lerkolabs.com | Forward auth | Time tracking |
| Baikal | https://dav.lerkolabs.com | Forward auth | CalDAV / CardDAV |
| Glance | https://glance.lerkolabs.com | Forward auth | Homepage dashboard |
| Filebrowser | https://files.lerkolabs.com | Forward auth | File management |
| Bytestash | — | Forward auth | Snippet storage |

Shared infrastructure in apps LXC: single Postgres instance (multi-DB) + Redis. See [D004](DECISIONS.md#d004--shared-postgres--redis-in-apps-lxc).

## Secrets (vault LXC — 10.2.0.21)

| Service | URL | Notes |
|---------|-----|-------|
| Vaultwarden | https://vault.lerkolabs.com | Isolated LXC — not shared with apps |

## Media (servarr VM)

| Service | Purpose |
|---------|---------|
| Plex + Jellyfin | Media streaming |
| Sonarr / Radarr / Lidarr | Automated media management |
| Prowlarr + Bazarr | Indexer aggregation + subtitles |
| qBittorrent (via Gluetun) | Downloads — VPN-gated |
| Calibre-Web Automated | Book library with auto-ingest |
| Kavita | E-reader |

## DMZ (VLAN 1 — 10.99.0.0/24)

| Service | IP | URL | Status | Notes |
|---------|----|-----|--------|-------|
| Caddy (DMZ) | 10.99.0.20 | — | ✅ | Public reverse proxy |
| Gitea | 10.99.0.22 | https://gitea.lerkolabs.com | ✅ | Public Git |
| Portfolio | 10.99.0.23 | https://lerkolabs.com | ✅ | Personal site |

## Access Matrix

| Service | LAN | Homelab | Guest | IoT | WFH | VPN |
|---------|-----|---------|-------|-----|-----|-----|
| pfSense Web GUI | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ |
| Pi-hole Admin | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ |
| All *.lerkolabs.com | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ |
| Proxmox | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ |
| Internet | ✅ | limited | ✅ | ✅ | ✅ | optional |