# Service Architecture
## Overview
This document shows how the 157+ Docker services (plus Olares K8s) interact, their dependencies, and the data flows between them.
---
## Media Stack Architecture (Mermaid)
```mermaid
graph TB
    subgraph Internet["Internet Sources"]
        USENET["Usenet<br/>Providers"]
        TORRENT["Torrent<br/>Trackers"]
        INDEXERS["Indexers<br/>(NZB/Torrent)"]
    end
    subgraph Acquisition["Content Acquisition (Atlantis)"]
        PROWLARR["Prowlarr<br/>Indexer Manager"]
        SONARR["Sonarr<br/>TV Shows"]
        RADARR["Radarr<br/>Movies"]
        LIDARR["Lidarr<br/>Music"]
        READARR["Readarr<br/>Books"]
        WHISPARR["Whisparr<br/>Adult"]
        BAZARR["Bazarr<br/>Subtitles"]
        SAB["SABnzbd<br/>Usenet Client"]
        DELUGE["Deluge<br/>Torrent Client<br/>(via Gluetun VPN)"]
    end
    subgraph Storage["Storage (Atlantis NAS)"]
        MEDIA_TV["/volume1/media/tv"]
        MEDIA_MOV["/volume1/media/movies"]
        MEDIA_MUS["/volume1/media/music"]
        MEDIA_BOOK["/volume1/media/books"]
    end
    subgraph Streaming["Media Streaming"]
        PLEX["Plex<br/>Media Server"]
        JELLYFIN["Jellyfin<br/>Media Server"]
        TAUTULLI["Tautulli<br/>Plex Analytics"]
    end
    subgraph Clients["Client Devices"]
        TV["Smart TVs"]
        PHONE["Phones/Tablets"]
        WEB["Web Browsers"]
        APPS["Desktop Apps"]
    end
    %% Acquisition flow
    INDEXERS --> PROWLARR
    PROWLARR --> SONARR & RADARR & LIDARR & READARR & WHISPARR
    SONARR --> SAB & DELUGE
    RADARR --> SAB & DELUGE
    LIDARR --> SAB & DELUGE
    READARR --> SAB & DELUGE
    WHISPARR --> SAB & DELUGE
    USENET --> SAB
    TORRENT --> DELUGE
    %% Storage flow
    SAB --> MEDIA_TV & MEDIA_MOV & MEDIA_MUS & MEDIA_BOOK
    DELUGE --> MEDIA_TV & MEDIA_MOV & MEDIA_MUS & MEDIA_BOOK
    BAZARR --> MEDIA_TV & MEDIA_MOV
    %% Streaming flow
    MEDIA_TV & MEDIA_MOV --> PLEX & JELLYFIN
    PLEX --> TAUTULLI
    %% Client access
    PLEX & JELLYFIN --> TV & PHONE & WEB & APPS
    classDef acquisition fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
    classDef storage fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
    classDef streaming fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
    classDef client fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
    class PROWLARR,SONARR,RADARR,LIDARR,READARR,WHISPARR,BAZARR,SAB,DELUGE acquisition
    class MEDIA_TV,MEDIA_MOV,MEDIA_MUS,MEDIA_BOOK storage
    class PLEX,JELLYFIN,TAUTULLI streaming
    class TV,PHONE,WEB,APPS client
```
---
## Monitoring Stack Architecture
```mermaid
graph TB
    subgraph Targets["Monitored Targets"]
        subgraph Synology["Synology NAS"]
            ATL_SNMP["Atlantis<br/>SNMP"]
            CAL_SNMP["Calypso<br/>SNMP"]
            SET_SNMP["Setillo<br/>SNMP"]
        end
        subgraph Hosts["Linux Hosts"]
            NODE1["Homelab VM<br/>node_exporter"]
            NODE2["Guava<br/>node_exporter"]
            NODE3["Anubis<br/>node_exporter"]
        end
        subgraph Containers["Containers"]
            CADV["cAdvisor<br/>Container Metrics"]
        end
        subgraph Network["Network"]
            BLACK["Blackbox Exporter<br/>HTTP/ICMP Probes"]
        end
    end
    subgraph Collection["Metric Collection (Homelab VM)"]
        PROM["Prometheus<br/>Time Series DB"]
        SNMP_EXP["SNMP Exporter"]
    end
    subgraph Visualization["Visualization"]
        GRAFANA["Grafana<br/>Dashboards"]
    end
    subgraph Alerting["Alerting"]
        ALERTMGR["Alertmanager"]
        NTFY["ntfy<br/>Push Notifications"]
        UPTIME["Uptime Kuma<br/>Status Page"]
    end
    %% Collection
    ATL_SNMP & CAL_SNMP & SET_SNMP --> SNMP_EXP
    SNMP_EXP --> PROM
    NODE1 & NODE2 & NODE3 --> PROM
    CADV --> PROM
    BLACK --> PROM
    %% Visualization
    PROM --> GRAFANA
    PROM --> ALERTMGR
    ALERTMGR --> NTFY
    %% Uptime Kuma separate
    BLACK -.-> UPTIME
    classDef target fill:#e67e22,stroke:#333,stroke-width:2px,color:#fff
    classDef collection fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
    classDef viz fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
    classDef alert fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
    class ATL_SNMP,CAL_SNMP,SET_SNMP,NODE1,NODE2,NODE3,CADV,BLACK target
    class PROM,SNMP_EXP collection
    class GRAFANA viz
    class ALERTMGR,NTFY,UPTIME alert
```
---
## Authentication & Security Stack
### Complete Authentication Architecture
```mermaid
graph TB
    subgraph External["External Access"]
        USERS["Users"]
        CLOUDFLARE["Cloudflare<br/>DNS/WAF/DDoS"]
    end
    subgraph Gateway["Gateway Layer (matrix-ubuntu)"]
        NPM["Nginx Proxy Manager<br/>matrix-ubuntu :81/:443<br/>Reverse Proxy + SSL"]
        CFT["Cloudflare Tunnel<br/>Zero Trust Access"]
    end
    subgraph AuthLayer["Authentication Layer (Calypso)"]
        AUTH_SRV["Authentik Server<br/>:9000"]
        AUTH_PROXY["Authentik Outpost<br/>:9444<br/>Forward Auth Proxy"]
        AUTH_WRK["Authentik Worker"]
        AUTH_DB["PostgreSQL"]
        AUTH_RED["Redis"]
    end
    subgraph VPN["VPN Layer"]
        WIREGUARD["Wireguard<br/>Atlantis :51820"]
        TAILSCALE["Tailscale<br/>100.x.x.x"]
        HEADSCALE["Headscale<br/>Calypso :8080"]
    end
    subgraph DNS["DNS & Ad Blocking"]
        ADGUARD1["AdGuard<br/>Calypso :53"]
        ADGUARD2["AdGuard<br/>Atlantis :53"]
        ADGUARD3["AdGuard<br/>NUC :53"]
    end
    subgraph SecVault["Secrets Management"]
        VAULT["Vaultwarden<br/>vault.vish.gg"]
    end
    subgraph ProtectedServices["Protected Services"]
        GRAFANA["Grafana"]
        PAPERLESS["Paperless"]
        IMMICH["Immich"]
        ACTUAL["Actual Budget"]
        GITEA["Gitea"]
        NETBOX["NetBox"]
        HOMARR["Homarr"]
        RXRESUME["Reactive Resume"]
        HEADPLANE["Headplane"]
    end
    subgraph PublicServices["Public/Self-Auth Services"]
        PLEX["Plex"]
        SEAFILE["Seafile"]
        OST["OpenSpeedTest"]
        NTFY["ntfy"]
    end
    %% External flow
    USERS --> CLOUDFLARE
    CLOUDFLARE --> NPM
    CLOUDFLARE --> CFT
    USERS --> TAILSCALE
    %% NPM to Auth
    NPM -->|"Forward Auth<br/>Header Check"| AUTH_PROXY
    AUTH_PROXY -->|"Validate Session"| AUTH_SRV
    %% Auth internal
    AUTH_SRV --> AUTH_DB
    AUTH_SRV --> AUTH_RED
    AUTH_WRK --> AUTH_DB
    AUTH_WRK --> AUTH_RED
    %% Protected services via NPM + Auth
    NPM -->|"Authenticated"| ProtectedServices
    %% Public services direct
    NPM --> PublicServices
    %% VPN access
    TAILSCALE --> HEADSCALE
    WIREGUARD --> ProtectedServices
    TAILSCALE --> ProtectedServices
    %% DNS
    ADGUARD1 -.-> ProtectedServices
    ADGUARD2 -.-> PublicServices
    classDef external fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
    classDef gateway fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
    classDef auth fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
    classDef dns fill:#1abc9c,stroke:#333,stroke-width:2px,color:#fff
    classDef protected fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
    classDef public fill:#27ae60,stroke:#333,stroke-width:2px,color:#fff
    class USERS,CLOUDFLARE external
    class NPM,CFT gateway
    class AUTH_SRV,AUTH_PROXY,AUTH_WRK,AUTH_DB,AUTH_RED,VAULT auth
    class ADGUARD1,ADGUARD2,ADGUARD3 dns
    class GRAFANA,PAPERLESS,IMMICH,ACTUAL,GITEA,NETBOX,HOMARR,RXRESUME,HEADPLANE protected
    class PLEX,SEAFILE,OST,NTFY public
```
---
### Authentik SSO Flow (Detailed)
```mermaid
sequenceDiagram
    autonumber
    participant U as User
    participant CF as Cloudflare
    participant NPM as NPM (matrix-ubuntu)
    participant OUT as Outpost (Calypso)
    participant AUTH as Authentik (Calypso)
    participant APP as Application
    U->>CF: Request app.vish.gg
    CF->>NPM: Forward (HTTPS)
    NPM->>OUT: Forward Auth Request<br/>(/outpost.goauthentik.io/auth/nginx)
    alt No Valid Session
        OUT->>AUTH: Check Session
        AUTH-->>OUT: No Session
        OUT-->>NPM: 401 Unauthorized
        NPM-->>U: Redirect to sso.vish.gg/flows/default-authentication/
        U->>AUTH: Login Page
        U->>AUTH: Submit Credentials + 2FA
        AUTH->>AUTH: Validate
        AUTH-->>U: Set Cookie + Redirect to app
        U->>NPM: Retry with Session Cookie
        NPM->>OUT: Forward Auth (with cookie)
    end
    OUT->>AUTH: Validate Session
    AUTH-->>OUT: Valid
    OUT-->>NPM: 200 OK + Headers<br/>(X-authentik-username, X-authentik-email)
    NPM->>APP: Proxy Request (with auth headers)
    APP-->>U: Response
```
---
### NPM Proxy Host Configuration
```mermaid
graph TB
    subgraph NPM["Nginx Proxy Manager (matrix-ubuntu :81)"]
        subgraph ProxyHosts["Proxy Hosts"]
            PH1["sso.vish.gg → Calypso:9000"]
            PH2["git.vish.gg → Calypso:3052"]
            PH3["gf.vish.gg → homelab-vm:3300"]
            PH4["nb.vish.gg → homelab-vm:8443"]
            PH5["ntfy.vish.gg → homelab-vm:8081"]
            PH6["dash.vish.gg → Atlantis:7575"]
            PH7["paperless.vish.gg → Calypso:8777"]
            PH8["rx.vish.gg → Calypso:4550"]
            PH9["actual.vish.gg → Calypso:8304"]
            PH10["kuma.vish.gg → RPi5:3001"]
        end
        subgraph SSL["SSL Certificates"]
            WILD["*.vish.gg<br/>Cloudflare DNS Challenge"]
        end
        subgraph AccessControl["Access Control"]
            AUTH_LOC["Authentik Forward Auth<br/>Location: /outpost.goauthentik.io"]
        end
    end
    subgraph Services["Backend Services"]
        direction LR
        S1["Authentik"]
        S2["Gitea"]
        S3["Grafana"]
        S4["NetBox"]
        S5["ntfy"]
        S6["Homarr"]
        S7["Paperless"]
        S8["Reactive Resume"]
        S9["Actual"]
        S10["Uptime Kuma"]
    end
    PH1 --> S1
    PH2 --> S2
    PH3 --> S3
    PH4 --> S4
    PH5 --> S5
    PH6 --> S6
    PH7 --> S7
    PH8 --> S8
    PH9 --> S9
    PH10 --> S10
```
---
### Services Protected by Authentik
| Domain | Service | Host | Auth Type | Notes |
|--------|---------|------|-----------|-------|
| `sso.vish.gg` | Authentik | Calypso | - | Identity Provider |
| `git.vish.gg` | Gitea | Calypso | OAuth2/OIDC | Source Control |
| `gf.vish.gg` | Grafana | Homelab VM | OAuth2/OIDC | Monitoring |
| `nb.vish.gg` | NetBox | Homelab VM | OAuth2/OIDC | DCIM/IPAM |
| `dash.vish.gg` | Homarr | Atlantis | OAuth2/OIDC | Dashboard |
| `rx.vish.gg` | Reactive Resume | Calypso | OAuth2/OIDC | Resume Builder |
| `immich` | Immich | Calypso | OAuth2/OIDC | Photos |
| `headscale.vish.gg/admin` | Headplane | Calypso | OAuth2/OIDC | VPN Admin |
| `paperless.vish.gg` | Paperless-NGX | Calypso | Forward Auth | Documents |
| `actual.vish.gg` | Actual Budget | Calypso | Forward Auth | Finance |
### Services NOT Protected (Public/Self-Auth)
| Domain | Service | Host | Reason |
|--------|---------|------|--------|
| `plex.vish.gg` | Plex | Atlantis | Has Plex Auth |
| `sf.vish.gg` | Seafile | Calypso | Has built-in auth + share links |
| `ntfy.vish.gg` | ntfy | Homelab | Has built-in auth + public topics |
| `ost.vish.gg` | OpenSpeedTest | Calypso | Public utility |
---
### Authentik Forward Auth Setup (NPM)
To protect a service with Authentik Forward Auth in NPM:
1. **Create Provider in Authentik**:
- Type: Proxy Provider
- External Host: `https://app.vish.gg`
- Mode: Forward auth (single application)
2. **Create Application in Authentik**:
- Link to the provider
- Set policies for access control
3. **Create Outpost in Authentik**:
- Type: Proxy
- Include the application
4. **Configure NPM Proxy Host**:
```nginx
# Custom Nginx Configuration (Advanced tab)
# Authentik Forward Auth

# Everything under /outpost.goauthentik.io must be reachable WITHOUT authentication:
# the auth_request sub-request, the /start redirect and the callback all live here.
location /outpost.goauthentik.io {
    proxy_pass http://calypso.vish.local:9444/outpost.goauthentik.io;
    # Host must match the external hostname the proxy provider was created with
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
}

location / {
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;
    # Forward the identity headers the outpost returned to the application.
    # proxy_set_header replaces any X-authentik-* header the client itself sent,
    # so the backend only ever sees values chosen by the outpost.
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-email $authentik_email;
    # NPM's own variables for the backend configured on the proxy host's Details tab
    proxy_pass $forward_scheme://$server:$port;
}

# Entered when the /auth sub-request answers 401: start SSO and come back to the
# full original URL afterwards (rd must be the absolute URL, not just the path)
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
```
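The two properties that configuration has to guarantee are that no request without a valid session reaches the application, and that the `X-authentik-*` identity headers the application sees always come from the outpost, never from the client. The model below is an added example (not the page's own or Authentik's code) that emulates the nginx `auth_request` flow offline so both properties can be checked; the cookie name and the session table are constructed stand-ins.

```python
"""Offline model of the NPM + Authentik forward-auth flow configured above.
Added example, not the page's or Authentik's own code: it emulates what the
nginx auth_request config does so two properties can be checked without a live
stack: (1) a request with no valid session never reaches the application and
(2) X-authentik-* identity headers always come from the outpost, never the
client. The cookie name and the session table are constructed stand-ins."""
from urllib.parse import urlencode

OUTPOST_PREFIX = "/outpost.goauthentik.io"
SESSION_COOKIE = "authentik_proxy_session"  # constructed name, not authentik's real cookie

# Constructed stand-in for the Authentik server's session store: cookie value -> identity
SESSIONS = {"sess-abc123": {"username": "alice", "email": "alice@example.com"}}


def outpost_auth(cookies):
    """Emulates the sub-request to /outpost.goauthentik.io/auth/nginx.
    Returns (200, identity headers) for a valid session, (401, {}) otherwise."""
    ident = SESSIONS.get(cookies.get(SESSION_COOKIE))
    if ident is None:
        return 401, {}
    return 200, {"X-authentik-username": ident["username"],
                 "X-authentik-email": ident["email"]}


def gateway(host, path, headers, cookies, backend):
    """Emulates the proxy host, i.e. the three location blocks from the config above.
    Returns (status, response headers, backend result or None when never proxied)."""
    # location /outpost.goauthentik.io: reachable without auth (start, callback)
    if path.startswith(OUTPOST_PREFIX):
        return 200, {}, None
    # location /: auth_request decides; a 401 goes to @goauthentik_proxy_signin
    status, identity = outpost_auth(cookies)
    if status == 401:
        rd = f"https://{host}{path}"  # $scheme://$http_host$request_uri
        location = f"{OUTPOST_PREFIX}/start?{urlencode({'rd': rd})}"
        return 302, {"Location": location}, None
    # proxy_set_header X-authentik-*: replaces anything the client sent under that name
    forwarded = {k: v for k, v in headers.items()
                 if not k.lower().startswith("x-authentik-")}
    forwarded.update(identity)
    return 200, {}, backend(path, forwarded)


def echo_backend(path, headers):
    """Stand-in application: reports which identity it was told about."""
    return {"path": path, "user": headers.get("X-authentik-username"),
            "email": headers.get("X-authentik-email")}


def run_checks():
    """Three probes against the model; returns their outcomes keyed by name."""
    host = "paperless.vish.gg"
    anon = gateway(host, "/documents", {}, {}, echo_backend)
    # Client asserts an identity header but has no session: must not reach the app
    spoof = gateway(host, "/documents", {"X-authentik-username": "admin"}, {}, echo_backend)
    # Valid session, client still tries to override its identity: outpost value must win
    valid = gateway(host, "/documents", {"X-authentik-username": "admin"},
                    {SESSION_COOKIE: "sess-abc123"}, echo_backend)
    return {"anon": anon, "spoof": spoof, "valid": valid}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```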
---
## ASCII Service Distribution by Host
```
==========================================================================
 SERVICE DISTRIBUTION BY HOST
==========================================================================

ATLANTIS (51 Containers) - Media & Communication Hub
--------------------------------------------------------------------------
  Media ............ Plex, Jellyfin, Immich, Tautulli, Homarr (dash)
  Security ......... Vaultwarden, Wireguard, AdGuard Home (backup DNS)
  Infrastructure ... Portainer, DokuWiki, Dozzle, Watchtower, IT-Tools
  Communication .... Matrix Synapse, Mastodon, Mattermost
  Productivity ..... Documenso, Joplin Server
  Other ............ Stirling PDF, YouTube DL

CALYPSO (54 Containers) - Auth, Proxy, Arr Suite & Development
--------------------------------------------------------------------------
  Auth ............. Authentik, Authentik Outpost
  Arr Suite ........ Sonarr, Radarr, Lidarr, Readarr, Prowlarr, SABnzbd,
                     Deluge (Gluetun), Bazarr, Whisparr
  Development ...... Gitea, Reactive Resume, Seafile
  Infrastructure ... Headscale, AdGuard Home, Portainer Agent, Wireguard
  Finance .......... Actual Budget
  Productivity ..... Paperless-NGX, Rustdesk

HOMELAB VM (30 Containers) - Monitoring, Tools & Privacy
--------------------------------------------------------------------------
  Monitoring ....... Grafana, Prometheus, Alertmanager, SNMP Exporter, node_exporter
  Notifications .... ntfy, Signal-API
  DCIM ............. NetBox
  Utilities ........ Archivebox, Hoarder, Perplexica, OpenHands
  Privacy .......... Redlib, Binternet, ProxiTok
  AI/Dev ........... OpenHands, Perplexica

CONCORD NUC (19 Containers) - Home Automation & Edge
--------------------------------------------------------------------------
  Home Automation .. Home Assistant, Matter Server, Whisper (STT), Piper (TTS),
                     OpenWakeWord
  Media ............ Plex, Invidious
  Music ............ Your-Spotify
  Network .......... AdGuard Home, Wireguard

RPi 5 (3 Containers) - Monitoring
--------------------------------------------------------------------------
  Monitoring ....... Uptime Kuma, Glances, Portainer Agent

OLARES - K8s Node (Core Ultra 9 275HX, RTX 5090, 96GB)
--------------------------------------------------------------------------
  AI/ML (Kubernetes, not Docker)
                     Ollama (LLM serving), vLLM (high-throughput inference),
                     OpenClaw (robotics foundation model)

SETILLO (4 Services) - Tucson Remote
--------------------------------------------------------------------------
  Monitoring ....... Prometheus, SNMP Exporter
  DNS .............. AdGuard Home, Syncthing

==========================================================================
 SERVICE COUNT SUMMARY
--------------------------------------------------------------------------
  Atlantis:    59 containers      Calypso:       61 containers
  Homelab VM:  38 containers      Concord NUC:   19 containers
  RPi 5:        6 containers      matrix-ubuntu: 12+ containers (NPM, Matrix)
  Olares:      K8s (~60 pods, not Portainer)
--------------------------------------------------------------------------
  TOTAL: ~195 containers across 5 Portainer endpoints + matrix-ubuntu + Olares
==========================================================================
```
---
## Related Diagrams
- [Network Topology](network-topology.md) - How hosts connect
- [Storage Topology](storage-topology.md) - Where data lives
- [Tailscale Mesh](tailscale-mesh.md) - Cross-location access
---
## Communication Stack Architecture
```mermaid
graph TB
    subgraph Internet["Internet / Federation"]
        FEDI["Fediverse<br/>(ActivityPub)"]
        MATRIX_FED["Matrix<br/>Federation"]
        WEBRTC["WebRTC<br/>Voice/Video"]
    end
    subgraph Cloudflare["Cloudflare"]
        CF_PROXY["Cloudflare<br/>Proxy/WAF"]
        CF_TUNNEL["Cloudflare<br/>Tunnel"]
    end
    subgraph MatrixUbuntuVM["Matrix-Ubuntu VM (Atlantis)"]
        subgraph Mastodon["Mastodon Stack"]
            MASTO_WEB["Mastodon Web<br/>:3000"]
            MASTO_STREAM["Mastodon Streaming<br/>:4000"]
            MASTO_SIDEKIQ["Sidekiq<br/>Background Jobs"]
        end
        subgraph Matrix["Matrix Stack"]
            SYNAPSE["Synapse<br/>:8008 / :8018"]
            ELEMENT["Element Web<br/>Client"]
            COTURN["Coturn<br/>TURN Server<br/>:3478"]
        end
        subgraph Mattermost["Mattermost"]
            MM_APP["Mattermost<br/>:8065"]
        end
        subgraph SharedDB["Shared Services"]
            POSTGRES["PostgreSQL<br/>:5432"]
            REDIS["Redis<br/>:6379"]
        end
        NPM_VM["NPM<br/>Reverse Proxy<br/>(host nginx disabled)"]
    end
    subgraph Atlantis["Atlantis NAS"]
        subgraph JitsiStack["Jitsi Meet"]
            JITSI_WEB["Jitsi Web"]
            JITSI_JVB["Jitsi Video Bridge"]
            JITSI_PROSODY["Prosody XMPP"]
        end
        subgraph Vaultwarden["Vaultwarden"]
            VW["Vaultwarden<br/>Password Manager"]
        end
        subgraph Joplin["Joplin"]
            JOPLIN_SRV["Joplin Server"]
        end
    end
    subgraph Clients["Clients"]
        BROWSER["Web Browsers"]
        MOBILE["Mobile Apps"]
        DESKTOP["Desktop Apps"]
    end
    %% External connections
    FEDI <--> CF_PROXY
    MATRIX_FED <--> CF_PROXY
    WEBRTC <--> COTURN
    %% Cloudflare to services
    CF_PROXY --> NPM_VM
    CF_TUNNEL --> NPM_VM
    %% NPM routing (host nginx disabled, NPM handles all)
    NPM_VM --> MASTO_WEB & MASTO_STREAM
    NPM_VM --> SYNAPSE & ELEMENT
    NPM_VM --> MM_APP
    %% Database connections
    MASTO_WEB & MASTO_SIDEKIQ --> POSTGRES & REDIS
    SYNAPSE --> POSTGRES
    MM_APP --> POSTGRES
    %% Client access
    BROWSER & MOBILE & DESKTOP --> CF_PROXY
    BROWSER & MOBILE & DESKTOP --> JITSI_WEB
    BROWSER & MOBILE & DESKTOP --> VW
    BROWSER & MOBILE & DESKTOP --> JOPLIN_SRV
    classDef mastodon fill:#6364FF,stroke:#333,stroke-width:2px,color:#fff
    classDef matrix fill:#0DBD8B,stroke:#333,stroke-width:2px,color:#fff
    classDef mattermost fill:#0058CC,stroke:#333,stroke-width:2px,color:#fff
    classDef infra fill:#e67e22,stroke:#333,stroke-width:2px,color:#fff
    class MASTO_WEB,MASTO_STREAM,MASTO_SIDEKIQ mastodon
    class SYNAPSE,ELEMENT,COTURN matrix
    class MM_APP mattermost
    class POSTGRES,REDIS,NPM_VM infra
```
### Communication Services Summary
| Service | Domain | Protocol | Purpose |
|---------|--------|----------|---------|
| **Mastodon** | mastodon.vish.gg | ActivityPub | Fediverse microblogging |
| **Matrix (Primary)** | mx.vish.gg | Matrix | Federated chat |
| **Matrix (Legacy)** | matrix.thevish.io | Matrix | Legacy homeserver |
| **Mattermost** | mm.crista.love | Proprietary | Team collaboration |
| **Jitsi Meet** | meet.vish.gg | WebRTC | Video conferencing |
| **Joplin** | joplin.vish.gg | Joplin Sync | Note synchronization |
| **Vaultwarden** | vault.vish.gg | Bitwarden | Password management |
### Deployment Scripts
| Script | Location | Description |
|--------|----------|-------------|
| Mastodon Install | [mastodon-production/](../mastodon-production/) | Bare metal & Docker deployment |
| Matrix Install | [matrix-element/](../matrix-element/) | Synapse + Element + TURN |
| Mattermost Install | [mattermost-production/](../mattermost-production/) | Docker deployment |
| VM Config | [matrix-ubuntu-vm/](../matrix-ubuntu-vm/) | Complete VM configuration |
---
## CI/CD Pipeline Architecture
### Git Repository Mirroring
The homelab repository uses Gitea Actions for automated CI/CD, including sanitized public mirroring.
```mermaid
graph LR
    subgraph Development["Development"]
        DEV["Developer<br/>Pushes Code"]
    end
    subgraph Gitea["Gitea (Calypso)"]
        PRIVATE["Private Repo<br/>homelab"]
        PUBLIC["Public Repo<br/>homelab-optimized"]
        RUNNER["Gitea Runners<br/>(homelab, calypso, pi5)"]
    end
    subgraph Workflow["CI/CD Workflow"]
        CHECKOUT["Checkout Code"]
        SANITIZE["Sanitize<br/>Remove Secrets"]
        PUSH["Force Push<br/>Fresh History"]
    end
    subgraph Deployment["Deployment"]
        ANSIBLE["Ansible<br/>Multi-host"]
        PORTAINER["Portainer<br/>5 Endpoints"]
    end
    DEV -->|"git push"| PRIVATE
    PRIVATE -->|"Triggers"| RUNNER
    RUNNER --> CHECKOUT
    CHECKOUT --> SANITIZE
    SANITIZE --> PUSH
    PUSH --> PUBLIC
    PRIVATE --> ANSIBLE
    ANSIBLE --> PORTAINER
```
### Sanitization Process
The sanitization script removes sensitive data before public mirroring:
| Removed | Pattern | Example |
|---------|---------|---------|
| Passwords | `password:`, `PASS=` | `password: "REDACTED_PASSWORD"` |
| API Keys | `api_key:`, `API_KEY=` | `api_key: REDACTED_API_KEY` |
| Tokens | `token:`, `TOKEN=` | `token: REDACTED_TOKEN` |
| Secrets | `secret:`, `SECRET=` | `secret: REDACTED_SECRET` |
| Private Keys | `-----BEGIN.*KEY-----` | File removed |
| SSH Keys | `id_rsa`, `id_ed25519` | File removed |
| Personal Emails | `*@gmail.com`, `*@*.com` | `REDACTED_EMAIL@example.com` |
| JWT Secrets | `JWT_SECRET=` | `JWT_SECRET=REDACTED` |
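The table gives the patterns but not the script itself, so the following is an added example (not the repository's own sanitize script, whose source is not on this page) that implements those rules as a per-line filter plus the file-drop check for key material; the compose fragment it runs on is constructed, with fake values.

```python
"""Pattern-based sanitizer implementing the redaction table above.
Added example, not the repository's own sanitize script (its source is not on
this page). Rules follow the table: key/value secrets are redacted in place,
key files are dropped entirely, .com e-mail addresses become a placeholder.
The sample input is constructed."""
import re

KEY_FILE_NAMES = ("id_rsa", "id_ed25519")           # also drops the .pub halves
PRIVATE_KEY_RE = re.compile(r"-----BEGIN.*KEY-----")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.com\b")  # the table's *@*.com


def yaml_rule(key, value):
    """`key: anything` (case-insensitive) -> `key: value`, indentation kept."""
    return re.compile(rf"^([ \t]*{key}[ \t]*:[ \t]*).*$", re.I), rf"\g<1>{value}"


def env_rule(key, value):
    """`[PREFIX_]KEY=anything` (optionally as a YAML list item) -> `KEY=value`."""
    return re.compile(rf"^([ \t]*(?:- )?(?:\w*_)?{key}=).*$"), rf"\g<1>{value}"


# First matching rule wins per line. JWT_SECRET= is listed before the generic
# SECRET= rule so it receives the table's plain "REDACTED" value.
VALUE_RULES = [
    yaml_rule("password", '"REDACTED_PASSWORD"'), env_rule("PASS", "REDACTED_PASSWORD"),
    yaml_rule("api_key", "REDACTED_API_KEY"),     env_rule("API_KEY", "REDACTED_API_KEY"),
    yaml_rule("token", "REDACTED_TOKEN"),         env_rule("TOKEN", "REDACTED_TOKEN"),
    env_rule("JWT_SECRET", "REDACTED"),
    yaml_rule("secret", "REDACTED_SECRET"),       env_rule("SECRET", "REDACTED_SECRET"),
]


def sanitize_line(line):
    for pattern, replacement in VALUE_RULES:
        if pattern.search(line):
            line = pattern.sub(replacement, line)
            break
    return EMAIL_RE.sub("REDACTED_EMAIL@example.com", line)


def sanitize_file(name, text):
    """Return the sanitized text, or None when the whole file must stay out of the mirror."""
    if any(key in name for key in KEY_FILE_NAMES) or PRIVATE_KEY_RE.search(text):
        return None
    return "\n".join(sanitize_line(line) for line in text.splitlines())


# Constructed compose fragment; every value below is fake
SAMPLE = """\
services:
  db:
    environment:
      - POSTGRES_PASS=hunter2
  app:
    password: "s3cr3t"
    api_key: ak_live_123
    token: tok_456
    JWT_SECRET=deadbeef
    SECRET=topsecret
    contact: alice@gmail.com
"""

if __name__ == "__main__":
    print(sanitize_file("docker-compose.yml", SAMPLE))
    print(sanitize_file(".ssh/id_ed25519", "irrelevant"))  # None: file dropped
```

Key-name patterns only catch secrets that sit behind a recognised key, so a bearer token embedded in a URL or a base64 blob in a config file passes straight through; running a dedicated secret scanner over the sanitized tree before the force push closes that gap.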
### Gitea Runner Setup
```mermaid
graph TB
    subgraph Calypso["Calypso (DS723+)"]
        GITEA["Gitea Server<br/>:3052"]
        RUNNER_CAL["Runner (calypso)"]
    end
    subgraph HomelabVM["Homelab VM"]
        RUNNER_HLB["Runner (homelab)"]
    end
    subgraph Pi5["RPi 5"]
        RUNNER_PI["Runner (pi5)"]
    end
    GITEA -->|"Workflow Dispatch"| RUNNER_CAL
    GITEA -->|"Workflow Dispatch"| RUNNER_HLB
    GITEA -->|"Workflow Dispatch"| RUNNER_PI
```
**Runner Configuration:**
- Runner binary: `act_runner` v0.2.6, systemd service (not Docker container)
- Labels: `ubuntu-latest`, `linux`, `python` (all 3 runners)
- Runners: homelab (VM), calypso, pi5
- Trigger: Push to main branch
### Ansible Automation
```mermaid
graph TB
    subgraph Control["Ansible Control"]
        SITE["site.yml<br/>Master Playbook"]
        INV["inventory.yml<br/>13 Hosts"]
        ROLES["Roles<br/>docker_stack, directory_setup"]
    end
    subgraph Hosts["Target Hosts"]
        SYN["Synology<br/>Atlantis, Calypso, Setillo"]
        VMS["VMs<br/>Homelab, matrix-ubuntu"]
        PHYS["Physical<br/>Guava, NUC, Shinku-Ryuu"]
        EDGE["Edge<br/>RPi5, Jellyfish"]
        CLOUD["Cloud<br/>Seattle VPS"]
    end
    SITE --> INV
    INV --> SYN
    INV --> VMS
    INV --> PHYS
    INV --> EDGE
    INV --> CLOUD
```
**Ansible Commands:**
```bash
# Deploy everything
ansible-playbook site.yml
# Deploy to specific host
ansible-playbook site.yml --limit atlantis
# Deploy by category
ansible-playbook site.yml --tags synology
# Check status
ansible-playbook playbooks/common/status.yml
```
---
## AI/ML Stack Architecture
```mermaid
graph TB
    subgraph Olares["Olares K8s Node (Core Ultra 9 275HX, RTX 5090, 96GB)"]
        OLLAMA["Ollama<br/>LLM Serving<br/>Local Models"]
        VLLM["vLLM<br/>High-Throughput<br/>Inference Engine"]
        OPENCLAW["OpenClaw<br/>Robotics Foundation<br/>Model"]
    end
    subgraph Clients["AI Consumers"]
        ANYTHINGLLM["AnythingLLM<br/>RAG Chat"]
        OPENWEBUI["Open WebUI"]
        API_CLIENTS["API Clients"]
    end
    OLLAMA -->|"OpenAI-compatible API"| Clients
    VLLM -->|"OpenAI-compatible API"| Clients
    classDef ai fill:#8e44ad,stroke:#333,stroke-width:2px,color:#fff
    classDef client fill:#2980b9,stroke:#333,stroke-width:2px,color:#fff
    class OLLAMA,VLLM,OPENCLAW ai
    class ANYTHINGLLM,OPENWEBUI,API_CLIENTS client
```
### AI/ML Services Summary
| Service | Host | Type | Purpose |
|---------|------|------|---------|
| **Ollama** | Olares (K8s) | LLM Server | Local model serving (Llama, Mistral, etc.) |
| **vLLM** | Olares (K8s) | Inference Engine | High-throughput batched inference |
| **OpenClaw** | Olares (K8s) | Foundation Model | Robotics/manipulation research |
| **AnythingLLM** | Homelab VM | RAG Client | Document Q&A with local LLMs |