Services
Everything I'm running, grouped by what it does. URLs, ports, and which host runs what are operational details — those live in the private repo.
Identity & access
| Service | What it does |
| --- | --- |
| Authentik | SSO for everything internal. OIDC where the app supports it, Caddy forward auth where it doesn't. |
| Pi-hole | DNS for the LAN, ad blocking, and the source of truth for internal hostnames. |
| WireGuard | The only way in from outside. All admin work happens through the tunnel. |
Reverse proxy & TLS
Two Caddy instances, by design:
- Internal Caddy — fronts everything internal. Reachable from inside the LAN or via VPN. Does most of the routing.
- DMZ Caddy — fronts the small set of things I want public. Lives on its own VLAN with no inbound access to internal services beyond a tight, firewall-enforced allowlist.
Both use Cloudflare DNS-01 for ACME: the ACME client proves control of the zone by publishing a TXT record through the Cloudflare API, so internal-only services get publicly trusted certificates without port 80 or 443 ever being reachable from the internet for issuance. Two caveats worth knowing: every issued certificate lands in the public Certificate Transparency logs, so per-host certificates publish internal hostnames (a wildcard per zone avoids that), and the Cloudflare API token is effectively a zone-takeover credential, so it should be scoped to DNS edits on that one zone and nothing else.
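What the internal instance looks like in practice, as an added example Caddyfile (not the page's own config): a single wildcard certificate obtained by DNS-01 through Cloudflare, a LAN-only bind, and per-host routing with forward auth on an app that doesn't speak OIDC. The zone name, the bind and upstream addresses, the environment variable name and the choice of which app is gated by forward auth are all assumptions.

```caddyfile
# Internal Caddy (added example; hostnames, addresses and env var are assumptions).
# Requires a caddy binary built with the github.com/caddy-dns/cloudflare module.
{
	email ops@home.example.net
}

# One wildcard cert for the whole internal zone. DNS-01 proves zone control via
# the Cloudflare API, so no listener has to be reachable from the internet for
# issuance, and only "*.home.example.net" (not each hostname) appears in CT logs.
*.home.example.net {
	# Only listen on the LAN-facing address; WireGuard clients route to it too.
	bind 10.10.20.2

	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}

	# App that supports OIDC natively: Caddy just proxies, Authentik is configured
	# inside the app.
	@outline host outline.home.example.net
	handle @outline {
		reverse_proxy 10.10.20.11:3000
	}

	# App without native SSO: every request is checked against the Authentik
	# outpost first. A 2xx lets it through; anything else (the redirect to the
	# login flow) is returned to the client instead of the upstream response.
	@glance host glance.home.example.net
	handle @glance {
		forward_auth 10.10.20.5:9000 {
			uri /outpost.goauthentik.io/auth/caddy
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
		}
		reverse_proxy 10.10.20.13:8080
	}

	# Unknown hostnames under the wildcard get a 404, never a default upstream.
	handle {
		respond 404
	}
}
```

The fall-through `handle { respond 404 }` matters with a wildcard: without it a typo'd or not-yet-configured hostname would still terminate TLS successfully and could land on whichever site block Caddy picks first.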
Productivity & knowledge
| Service | What it replaces |
| --- | --- |
| Outline | Notion / Confluence |
| Vikunja | Todoist / Asana |
| Hoarder | Pocket / Raindrop |
| Memos | Apple Notes (the quick-capture kind) |
| FreshRSS | Feedly |
| Bytestash | gist / pastebin |
| Filebrowser | Dropbox-style file access |
| Baikal | iCloud calendar/contacts (CalDAV / CardDAV) |
Money
| Service | What it replaces |
| --- | --- |
| Actual Budget | YNAB / Mint |
| Ghostfolio | Personal Capital |
Operations & day-to-day
| Service | What it does |
| --- | --- |
| Grist | Lightweight relational tracking: anything that wants to be in a spreadsheet but shouldn't be |
| Glance | Personal landing page / dashboard |
| Traggo | Time tracking |
Media
| Service | What it does |
| --- | --- |
| Plex | Media library (legacy clients) |
| Jellyfin | Media library (primary, open source) |
| *arr stack | Library automation |
| qBittorrent | Downloads |
| Immich | Self-hosted Google Photos replacement |
Home / IoT
| Service | What it does |
| --- | --- |
| Home Assistant OS | Home automation hub |
Secrets
| Service | What it does |
| --- | --- |
| Vaultwarden | Bitwarden-compatible password manager. Planned, not deployed yet. |
Bots & automation
| Service | What it does |
| --- | --- |
| Vocard | Discord music bot |
| MonitorRSS | RSS-to-Discord notifications |
| ntfy | Push notifications for ops alerts |
Monitoring
| Service | What it does |
| --- | --- |
| Victoria Metrics | Time-series store |
| Grafana | Dashboards |
| Beszel | Lightweight host metrics |
| Uptime Kuma | Synthetic uptime checks |
Public services
A small, intentional set of things that are reachable from the open internet. They all sit behind the DMZ reverse proxy on a VLAN with no inbound access to internal subnets.
| Service | Why it's public |
| --- | --- |
| Portfolio | It's a portfolio. |
| Self-hosted Git | Where you're reading this. |
| SSO endpoint | Has to be reachable for an OIDC flow on one specific public-facing service (the Discord bot dashboard). It's the only internal-VLAN backend the public proxy is allowed to talk to, and the firewall enforces that, not just the proxy config. |
| One Authentik-gated app | The Discord bot dashboard. Public so I can hit it from outside the LAN; gated by Authentik forward auth before anything responds. |
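The DMZ instance, sketched as an added example Caddyfile rather than the page's actual config, covers this table and the forward-auth note under Identity & access: the anonymous public set, the SSO endpoint as the single internal-VLAN upstream, and the bot dashboard that answers nothing until Authentik has said yes. Every hostname, address, path and the env var name is an assumption; the firewall rule mentioned in the comments is described, not configured, here.

```caddyfile
# DMZ Caddy (added example; hostnames, addresses, paths and env var are assumptions).
# CF_API_TOKEN: a Cloudflare token scoped to DNS edits on example.com only.
{
	email ops@example.com
}

# Shared DNS-01 block so every public site issues the same way.
(dns01) {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}
}

# Anonymous public set: both upstreams live in the DMZ VLAN itself.
portfolio.example.com {
	import dns01
	root * /srv/portfolio
	file_server
}

git.example.com {
	import dns01
	reverse_proxy 10.10.30.6:3000
}

# SSO endpoint: the only internal-VLAN backend this proxy may reach. The matching
# firewall allowlist (DMZ VLAN -> 10.10.20.5 tcp/9000, nothing else) is the real
# control; this Caddyfile merely routes within what the firewall already permits.
auth.example.com {
	import dns01
	reverse_proxy 10.10.20.5:9000
}

# Public but gated. forward_auth sends the method, host and URI of each request to
# the Authentik outpost; unauthenticated clients get the outpost's redirect to the
# login flow on auth.example.com and never reach the dashboard upstream.
bot.example.com {
	import dns01
	forward_auth 10.10.20.5:9000 {
		uri /outpost.goauthentik.io/auth/caddy
		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
	}
	reverse_proxy 10.10.30.7:8080
}
```

Note that the forward_auth call and the auth.example.com site both point at the same Authentik address: that is the single DMZ-to-internal flow, and it is why the firewall allowlist can be one host and one port rather than a subnet.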
Who can access what
Three audiences, three levels:
- Internet, anonymous — sees only the small public set above.
- Internet, signed into Authentik — same as above, plus access to the Authentik-gated public services.
- Connected via WireGuard — gets everything: internal apps and admin surfaces (hypervisor, firewall, backup server, network controller, monitoring). This is the only way to reach any admin surface.
The WFH and IoT VLANs are deliberately outside this access model. Those are for me-as-a-user (work laptop, smart devices), not me-as-an-operator. They never see the internal service plane.