# Services

## Identity & access

| Service | What it does |
| --- | --- |
| Authentik | SSO for internal services: OIDC where supported, Caddy forward auth otherwise |
| Pi-hole | LAN DNS, ad blocking, and source of truth for internal hostnames |
| WireGuard | Remote access |
## Reverse proxy & TLS
Two Caddy instances:
- Internal Caddy fronts everything internal. LAN or VPN only.
- DMZ Caddy fronts the public services. Lives on its own VLAN with a firewall-enforced allowlist into internal.
Both use Cloudflare DNS-01 for ACME, which lets internal-only services get valid public certs without being exposed for issuance.
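As an added illustration of the design above (example config, not this repo's own Caddyfile), here is what the DMZ Caddy instance could look like: DNS-01 via Cloudflare for every site, plain reverse proxies for the public services, and the bot dashboard gated by Authentik forward auth. All hostnames, backend addresses, ports and the token variable name are placeholders.

```caddyfile
# DMZ Caddy (added example, not the repo's config). Assumes Caddy is built with
# the github.com/caddy-dns/cloudflare module and CF_API_TOKEN is in the
# environment. Hostnames, backends and ports are placeholders.
{
    email admin@example.com
}

# Reusable snippet: DNS-01 via Cloudflare, so issuance needs no inbound 80/443.
# Use a token limited to this zone's DNS, not a global API key.
(dns01) {
    tls {
        dns cloudflare {env.CF_API_TOKEN}
    }
}

# Portfolio and Git frontend: straight reverse proxies to DMZ-side backends.
portfolio.example.com {
    import dns01
    reverse_proxy portfolio:8080
}

git.example.com {
    import dns01
    reverse_proxy git:3000
}

# SSO endpoint: the one internal backend the DMZ proxy is allowed to reach.
# The firewall allowlist enforces that; this block is just the proxy.
sso.example.com {
    import dns01
    reverse_proxy authentik.internal.lan:9000
}

# Discord bot dashboard, gated by Authentik forward auth.
bot.example.com {
    import dns01
    route {
        # Outpost paths (login, callback) must reach Authentik unauthenticated.
        reverse_proxy /outpost.goauthentik.io/* authentik.internal.lan:9000

        forward_auth authentik.internal.lan:9000 {
            uri /outpost.goauthentik.io/auth/caddy
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
        }

        # Only requests Authentik accepted reach the dashboard itself.
        reverse_proxy bot-dashboard:3000
    }
}
```

The internal Caddy would reuse the same `dns01` snippet for LAN/VPN-only hostnames; the difference between the two instances is which network they sit on and what the firewall lets them reach, not the TLS setup.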
## Productivity & knowledge

| Service | What it replaces |
| --- | --- |
| Outline | Notion |
| Vikunja | Todoist / Asana |
| Hoarder | Pocket / Raindrop |
| Memos | Apple Notes |
| FreshRSS | Feedly |
| Bytestash | Gist / Pastebin |
| Filebrowser | Dropbox |
| Baikal | iCloud calendar/contacts (CalDAV / CardDAV) |
## Money

| Service | What it replaces |
| --- | --- |
| Actual Budget | YNAB |
| Ghostfolio | Personal Capital |
## Operations

| Service | What it does |
| --- | --- |
| Grist | Lightweight Excel-style spreadsheet |
| Glance | Personal homepage |
| Traggo | Time tracking |
## Media

| Service | What it does |
| --- | --- |
| Plex | Media library (legacy clients) |
| Jellyfin | Media library (primary) |
| *arr stack | Library automation |
| qBittorrent | Downloads |
| Immich | Photo backup and viewing |
## Home / IoT

| Service | What it does |
| --- | --- |
| Home Assistant OS | Home automation hub |
## Secrets

| Service | What it does |
| --- | --- |
| Vaultwarden | Bitwarden-compatible password manager (planned, not deployed yet) |
## Bots & automation

| Service | What it does |
| --- | --- |
| Vocard | Discord music bot |
| MonitorRSS | RSS-to-Discord feed |
| ntfy | Push notifications for ops alerts |
## Monitoring

| Service | What it does |
| --- | --- |
| Victoria Metrics | Time-series store |
| Grafana | Dashboards |
| Beszel | Host metrics |
| Uptime Kuma | Uptime checks |
## Public services

A small set of services behind the DMZ reverse proxy, on a VLAN with no inbound access to internal.

| Service | Why it's public |
| --- | --- |
| Portfolio | It's a portfolio |
| Self-hosted Git | So you can read this |
| SSO endpoint | Required for the OIDC flow on the Discord bot dashboard; the firewall allowlist lets the public proxy reach only this one internal backend |
| Discord bot dashboard | So my friends can pick tunes; Authentik forward auth gates it |