# ๐๏ธ Service Architecture
## Overview
This document shows how the 176+ Docker services interact, their dependencies, and the data flows between them.
---
## ๐ฌ Media Stack Architecture (Mermaid)
```mermaid
graph TB
subgraph Internet["โ๏ธ Internet Sources"]
USENET["Usenet
Providers"]
TORRENT["Torrent
Trackers"]
INDEXERS["Indexers
(NZB/Torrent)"]
end
subgraph Acquisition["๐ฅ Content Acquisition (Atlantis)"]
PROWLARR["Prowlarr
Indexer Manager"]
SONARR["Sonarr
TV Shows"]
RADARR["Radarr
Movies"]
LIDARR["Lidarr
Music"]
READARR["Readarr
Books"]
BAZARR["Bazarr
Subtitles"]
SAB["SABnzbd
Usenet Client"]
QBIT["qBittorrent
Torrent Client"]
end
subgraph Storage["๐พ Storage (Atlantis NAS)"]
MEDIA_TV["/volume1/media/tv"]
MEDIA_MOV["/volume1/media/movies"]
MEDIA_MUS["/volume1/media/music"]
MEDIA_BOOK["/volume1/media/books"]
end
subgraph Streaming["๐บ Media Streaming"]
PLEX["Plex
Media Server"]
JELLYFIN["Jellyfin
Media Server"]
NAVIDROME["Navidrome
Music Server"]
TAUTULLI["Tautulli
Plex Analytics"]
end
subgraph Clients["๐ฑ Client Devices"]
TV["Smart TVs"]
PHONE["Phones/Tablets"]
WEB["Web Browsers"]
APPS["Desktop Apps"]
end
%% Acquisition flow
INDEXERS --> PROWLARR
PROWLARR --> SONARR & RADARR & LIDARR & READARR
SONARR --> SAB & QBIT
RADARR --> SAB & QBIT
LIDARR --> SAB & QBIT
READARR --> SAB & QBIT
USENET --> SAB
TORRENT --> QBIT
%% Storage flow
SAB --> MEDIA_TV & MEDIA_MOV & MEDIA_MUS & MEDIA_BOOK
QBIT --> MEDIA_TV & MEDIA_MOV & MEDIA_MUS & MEDIA_BOOK
BAZARR --> MEDIA_TV & MEDIA_MOV
%% Streaming flow
MEDIA_TV & MEDIA_MOV --> PLEX & JELLYFIN
MEDIA_MUS --> NAVIDROME
PLEX --> TAUTULLI
%% Client access
PLEX & JELLYFIN & NAVIDROME --> TV & PHONE & WEB & APPS
classDef acquisition fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef storage fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef streaming fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef client fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
class PROWLARR,SONARR,RADARR,LIDARR,READARR,BAZARR,SAB,QBIT acquisition
class MEDIA_TV,MEDIA_MOV,MEDIA_MUS,MEDIA_BOOK storage
class PLEX,JELLYFIN,NAVIDROME,TAUTULLI streaming
class TV,PHONE,WEB,APPS client
```
---
## ๐ Monitoring Stack Architecture
```mermaid
graph TB
subgraph Targets["๐ฏ Monitored Targets"]
subgraph Synology["Synology NAS"]
ATL_SNMP["Atlantis
SNMP"]
CAL_SNMP["Calypso
SNMP"]
SET_SNMP["Setillo
SNMP"]
end
subgraph Hosts["Linux Hosts"]
NODE1["Homelab VM
node_exporter"]
NODE2["Guava
node_exporter"]
NODE3["Anubis
node_exporter"]
end
subgraph Containers["Containers"]
CADV["cAdvisor
Container Metrics"]
end
subgraph Network["Network"]
BLACK["Blackbox Exporter
HTTP/ICMP Probes"]
end
end
subgraph Collection["๐ฅ Metric Collection (Homelab VM)"]
PROM["Prometheus
Time Series DB"]
SNMP_EXP["SNMP Exporter"]
end
subgraph Visualization["๐ Visualization"]
GRAFANA["Grafana
Dashboards"]
end
subgraph Alerting["๐จ Alerting"]
ALERTMGR["Alertmanager"]
NTFY["ntfy
Push Notifications"]
UPTIME["Uptime Kuma
Status Page"]
end
%% Collection
ATL_SNMP & CAL_SNMP & SET_SNMP --> SNMP_EXP
SNMP_EXP --> PROM
NODE1 & NODE2 & NODE3 --> PROM
CADV --> PROM
BLACK --> PROM
%% Visualization
PROM --> GRAFANA
PROM --> ALERTMGR
ALERTMGR --> NTFY
%% Uptime Kuma separate
BLACK -.-> UPTIME
classDef target fill:#e67e22,stroke:#333,stroke-width:2px,color:#fff
classDef collection fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef viz fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef alert fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
class ATL_SNMP,CAL_SNMP,SET_SNMP,NODE1,NODE2,NODE3,CADV,BLACK target
class PROM,SNMP_EXP collection
class GRAFANA viz
class ALERTMGR,NTFY,UPTIME alert
```
---
## ๐ Authentication & Security Stack
### Complete Authentication Architecture
```mermaid
graph TB
subgraph External["๐ External Access"]
USERS["๐ค Users"]
CLOUDFLARE["โ๏ธ Cloudflare
DNS/WAF/DDoS"]
end
subgraph Gateway["๐ช Gateway Layer (Atlantis)"]
NPM["๐ Nginx Proxy Manager
:81/:443
Reverse Proxy + SSL"]
CFT["๐ Cloudflare Tunnel
Zero Trust Access"]
end
subgraph AuthLayer["๐ Authentication Layer (Calypso)"]
AUTH_SRV["๐ Authentik Server
:9000"]
AUTH_PROXY["๐ก๏ธ Authentik Outpost
:9444
Forward Auth Proxy"]
AUTH_WRK["โ๏ธ Authentik Worker"]
AUTH_DB["๐ PostgreSQL"]
AUTH_RED["๐ด Redis"]
end
subgraph VPN["๐ VPN Layer"]
WIREGUARD["๐ Wireguard
Atlantis :51820"]
TAILSCALE["๐ท Tailscale
100.x.x.x"]
HEADSCALE["๐ Headscale
Calypso :8080"]
end
subgraph DNS["๐ DNS & Ad Blocking"]
PIHOLE["๐ณ๏ธ Pi-hole
Atlantis :53"]
ADGUARD1["๐ก๏ธ AdGuard
Calypso :53"]
ADGUARD2["๐ก๏ธ AdGuard
Setillo :53"]
end
subgraph SecVault["๐ Secrets Management"]
VAULT["๐ Vaultwarden
vault.vish.gg"]
end
subgraph ProtectedServices["๐ก๏ธ Protected Services"]
GRAFANA["๐ Grafana"]
PAPERLESS["๐ Paperless"]
IMMICH["๐ธ Immich"]
FIREFLY["๐ฅ Firefly III"]
ACTUAL["๐ฐ Actual Budget"]
GITEA["๐ง Gitea"]
end
subgraph PublicServices["๐ Public/Self-Auth Services"]
PLEX["๐บ Plex"]
SEAFILE["โ๏ธ Seafile"]
OST["๐ OpenSpeedTest"]
NTFY["๐ฃ ntfy"]
end
%% External flow
USERS --> CLOUDFLARE
CLOUDFLARE --> NPM
CLOUDFLARE --> CFT
USERS --> TAILSCALE
%% NPM to Auth
NPM -->|"Forward Auth
Header Check"| AUTH_PROXY
AUTH_PROXY -->|"Validate Session"| AUTH_SRV
%% Auth internal
AUTH_SRV --> AUTH_DB
AUTH_SRV --> AUTH_RED
AUTH_WRK --> AUTH_DB
AUTH_WRK --> AUTH_RED
%% Protected services via NPM + Auth
NPM -->|"โ Authenticated"| ProtectedServices
%% Public services direct
NPM --> PublicServices
%% VPN access
TAILSCALE --> HEADSCALE
WIREGUARD --> ProtectedServices
TAILSCALE --> ProtectedServices
%% DNS
ADGUARD1 -.-> ProtectedServices
PIHOLE -.-> PublicServices
classDef external fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef gateway fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
classDef auth fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef dns fill:#1abc9c,stroke:#333,stroke-width:2px,color:#fff
classDef protected fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef public fill:#27ae60,stroke:#333,stroke-width:2px,color:#fff
class USERS,CLOUDFLARE external
class NPM,CFT gateway
class AUTH_SRV,AUTH_PROXY,AUTH_WRK,AUTH_DB,AUTH_RED,VAULT auth
class PIHOLE,ADGUARD1,ADGUARD2 dns
class GRAFANA,PAPERLESS,IMMICH,FIREFLY,ACTUAL,GITEA protected
class PLEX,SEAFILE,OST,NTFY public
```
---
### Authentik SSO Flow (Detailed)
```mermaid
sequenceDiagram
autonumber
participant U as ๐ค User
participant CF as โ๏ธ Cloudflare
participant NPM as ๐ NPM (Atlantis)
participant OUT as ๐ก๏ธ Outpost (Calypso)
participant AUTH as ๐ Authentik (Calypso)
participant APP as ๐ฑ Application
U->>CF: Request app.vish.gg
CF->>NPM: Forward (HTTPS)
NPM->>OUT: Forward Auth Request
(/outpost.goauthentik.io/auth/nginx)
alt No Valid Session
OUT->>AUTH: Check Session
AUTH-->>OUT: No Session
OUT-->>NPM: 401 Unauthorized
NPM-->>U: Redirect to sso.vish.gg/flows/default-authentication/
U->>AUTH: Login Page
U->>AUTH: Submit Credentials + 2FA
AUTH->>AUTH: Validate
AUTH-->>U: Set Cookie + Redirect to app
U->>NPM: Retry with Session Cookie
NPM->>OUT: Forward Auth (with cookie)
end
OUT->>AUTH: Validate Session
AUTH-->>OUT: Valid โ
OUT-->>NPM: 200 OK + Headers
(X-authentik-username, X-authentik-email)
NPM->>APP: Proxy Request (with auth headers)
APP-->>U: Response
```
---
### NPM Proxy Host Configuration
```mermaid
graph TB
subgraph NPM["๐ Nginx Proxy Manager (Atlantis :81)"]
subgraph ProxyHosts["Proxy Hosts"]
PH1["sso.vish.gg โ Calypso:9000"]
PH2["git.vish.gg โ Calypso:3000"]
PH3["docs.vish.gg โ Atlantis:8088"]
PH4["photos.vish.gg โ Calypso:2283"]
PH5["gf.vish.gg โ Atlantis:3000"]
PH6["actual.vish.gg โ Calypso:5006"]
PH7["ff.vish.gg โ Calypso:8888"]
PH8["plex.vish.gg โ Atlantis:32400"]
PH9["sf.vish.gg โ Calypso:8092"]
PH10["ntfy.vish.gg โ Homelab:7080"]
PH11["rackula.vish.gg โ Calypso:4999"]
end
subgraph SSL["SSL Certificates"]
WILD["*.vish.gg
Cloudflare DNS Challenge"]
end
subgraph AccessControl["Access Control"]
AUTH_LOC["Authentik Forward Auth
Location: /outpost.goauthentik.io"]
end
end
subgraph Services["Backend Services"]
direction LR
S1["Authentik"]
S2["Gitea"]
S3["Paperless"]
S4["Immich"]
S5["Grafana"]
S6["Actual"]
S7["Firefly"]
S8["Plex"]
S9["Seafile"]
S10["ntfy"]
S11["Rackula"]
end
PH1 --> S1
PH2 --> S2
PH3 --> S3
PH4 --> S4
PH5 --> S5
PH6 --> S6
PH7 --> S7
PH8 --> S8
PH9 --> S9
PH10 --> S10
PH11 --> S11
```
---
### Services Protected by Authentik
| Domain | Service | Host | Auth Type | Notes |
|--------|---------|------|-----------|-------|
| `sso.vish.gg` | Authentik | Calypso | - | Identity Provider |
| `git.vish.gg` | Gitea | Calypso | OAuth2/OIDC | Source Control |
| `gf.vish.gg` | Grafana | Atlantis | OAuth2/OIDC | Monitoring |
| `docs.vish.gg` | Paperless-NGX | Atlantis | Forward Auth | Documents |
| `photos.vish.gg` | Immich | Calypso | Forward Auth | Photos |
| `actual.vish.gg` | Actual Budget | Calypso | Forward Auth | Finance |
| `ff.vish.gg` | Firefly III | Calypso | Forward Auth | Finance |
| `rackula.vish.gg` | Rackula | Calypso | Forward Auth | Rack Diagram |
### Services NOT Protected (Public/Self-Auth)
| Domain | Service | Host | Reason |
|--------|---------|------|--------|
| `plex.vish.gg` | Plex | Atlantis | Has Plex Auth |
| `sf.vish.gg` | Seafile | Calypso | Has built-in auth + share links |
| `ntfy.vish.gg` | ntfy | Homelab | Has built-in auth + public topics |
| `ost.vish.gg` | OpenSpeedTest | Calypso | Public utility |
---
### Authentik Forward Auth Setup (NPM)
To protect a service with Authentik Forward Auth in NPM:
1. **Create Provider in Authentik**:
- Type: Proxy Provider
- External Host: `https://app.vish.gg`
- Mode: Forward auth (single application)
2. **Create Application in Authentik**:
- Link to the provider
- Set policies for access control
3. **Create Outpost in Authentik**:
- Type: Proxy
- Include the application
4. **Configure NPM Proxy Host**:
```nginx
# Custom Nginx Configuration (Advanced tab)
# Authentik Forward Auth
location /outpost.goauthentik.io {
proxy_pass http://calypso.vish.local:9444/outpost.goauthentik.io;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location / {
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# Forward auth headers to application
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-email $authentik_email;
proxy_pass http://backend;
}
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
```
---
## ๐ ASCII Service Distribution by Host
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ SERVICE DISTRIBUTION BY HOST โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐๏ธ ATLANTIS (55 Services) - Primary Hub โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ ๐บ Media ๐ Monitoring ๐ Security ๐ ๏ธ Infrastructure โ
โ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ โ
โ โข Plex โข Grafana โข Vaultwarden โข Portainer โ
โ โข Jellyfin โข Prometheus โข Wireguard โข Nginx Proxy Mgr โ
โ โข Immich โข Uptime Kuma โข Pi-hole โข DokuWiki โ
โ โข Tautulli โข SNMP Exporter โข Dozzle โ
โ โข Arr Suite (7) โข Blackbox Exp โข Watchtower โ
โ โข Navidrome โ
โ โ
โ ๐ฌ Communication ๐ Productivity ๐ฎ Other โ
โ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โ
โ โข Matrix Synapse โข Paperless-NGX โข IT-Tools โ
โ โข Mastodon โข Firefly III โข Stirling PDF โ
โ โข Joplin Server โข Documenso โข YouTube DL โ
โ โข Netbox โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐ข CALYPSO (17 Services) - Development & Backup โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ ๐ป Development ๐ฐ Finance ๐ฆ Infrastructure ๐ธ Media โ
โ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โ
โ โข Gitea โข Firefly III โข APT-Cacher-NG โข Immich (backup) โ
โ โข Reactive Resume โข Actual Budget โข Prometheus โข Seafile โ
โ โข Rustdesk โข Wireguard โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐ป HOMELAB VM (36 Services) - Experimentation โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ ๐ URL Services ๐ฎ Gaming ๐ Monitoring ๐ง Utilities โ
โ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โ
โ โข Shlink โข Satisfactory โข Prometheus Hub โข Archivebox โ
โ โข ntfy โข Minecraft โข node_exporter โข WebCheck โ
โ โข Hoarder โข L4D2 โข Redlib โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐ CONCORD NUC (9 Services) - Edge/IoT โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ ๐ Home Automation ๐บ Media ๐ต Music ๐ง Network โ
โ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โ
โ โข Home Assistant โข Plex โข YourSpotify โข AdGuard Home โ
โ โข Matter Server โข Invidious โข Piped โข Wireguard โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐ค ANUBIS (8 Services) - AI/HPC (Mac Mini Ubuntu) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ ๐ง AI/ML ๐ธ Photo ๐ง Development โ
โ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โ
โ โข Ollama โข PhotoPrism โข Draw.io โ
โ โข ChatGPT UI โข Archivebox โข Element Web โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐ต SETILLO (4 Services) - Tucson Remote โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โ ๐ Monitoring ๐ DNS โ
โ โโโโโโโโโโโโโ โโโโโโโโโโโโโ โ
โ โข Prometheus โข AdGuard Home โ
โ โข SNMP Exporter โข Syncthing โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ SERVICE COUNT SUMMARY โ
โ โโโโโโโโโโโโโโโโโโโโโ โ
โ Atlantis: 55 services โ Calypso: 17 services โ
โ Homelab VM: 36 services โ Chicago VM: 8 services โ
โ Bulgaria VM: 12 services โ Concord NUC: 9 services โ
โ Anubis: 8 services โ Guava: 6 services โ
โ Setillo: 4 services โ RPi nodes: 2 services โ
โ Contabo: 1 service โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ TOTAL: 176+ services across 13 hosts โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
---
## ๐ Related Diagrams
- [Network Topology](network-topology.md) - How hosts connect
- [Storage Topology](storage-topology.md) - Where data lives
- [Tailscale Mesh](tailscale-mesh.md) - Cross-location access
---
## ๐ฌ Communication Stack Architecture
```mermaid
graph TB
subgraph Internet["โ๏ธ Internet / Federation"]
FEDI["Fediverse
(ActivityPub)"]
MATRIX_FED["Matrix
Federation"]
WEBRTC["WebRTC
Voice/Video"]
end
subgraph Cloudflare["๐ก๏ธ Cloudflare"]
CF_PROXY["Cloudflare
Proxy/WAF"]
CF_TUNNEL["Cloudflare
Tunnel"]
end
subgraph MatrixUbuntuVM["๐ง Matrix-Ubuntu VM (Atlantis)"]
subgraph Mastodon["๐ Mastodon Stack"]
MASTO_WEB["Mastodon Web
:3000"]
MASTO_STREAM["Mastodon Streaming
:4000"]
MASTO_SIDEKIQ["Sidekiq
Background Jobs"]
end
subgraph Matrix["๐ Matrix Stack"]
SYNAPSE["Synapse
:8008 / :8018"]
ELEMENT["Element Web
Client"]
COTURN["Coturn
TURN Server
:3478"]
end
subgraph Mattermost["๐ฌ Mattermost"]
MM_APP["Mattermost
:8065"]
end
subgraph SharedDB["๐๏ธ Shared Services"]
POSTGRES["PostgreSQL
:5432"]
REDIS["Redis
:6379"]
end
NGINX_VM["Nginx
Reverse Proxy"]
end
subgraph Atlantis["๐๏ธ Atlantis NAS"]
subgraph JitsiStack["๐น Jitsi Meet"]
JITSI_WEB["Jitsi Web"]
JITSI_JVB["Jitsi Video Bridge"]
JITSI_PROSODY["Prosody XMPP"]
end
subgraph Vaultwarden["๐ Vaultwarden"]
VW["Vaultwarden
Password Manager"]
end
subgraph Joplin["๐ Joplin"]
JOPLIN_SRV["Joplin Server"]
end
end
subgraph Clients["๐ฑ Clients"]
BROWSER["Web Browsers"]
MOBILE["Mobile Apps"]
DESKTOP["Desktop Apps"]
end
%% External connections
FEDI <--> CF_PROXY
MATRIX_FED <--> CF_PROXY
WEBRTC <--> COTURN
%% Cloudflare to services
CF_PROXY --> NGINX_VM
CF_TUNNEL --> NGINX_VM
%% Nginx routing
NGINX_VM --> MASTO_WEB & MASTO_STREAM
NGINX_VM --> SYNAPSE & ELEMENT
NGINX_VM --> MM_APP
%% Database connections
MASTO_WEB & MASTO_SIDEKIQ --> POSTGRES & REDIS
SYNAPSE --> POSTGRES
MM_APP --> POSTGRES
%% Client access
BROWSER & MOBILE & DESKTOP --> CF_PROXY
BROWSER & MOBILE & DESKTOP --> JITSI_WEB
BROWSER & MOBILE & DESKTOP --> VW
BROWSER & MOBILE & DESKTOP --> JOPLIN_SRV
classDef mastodon fill:#6364FF,stroke:#333,stroke-width:2px,color:#fff
classDef matrix fill:#0DBD8B,stroke:#333,stroke-width:2px,color:#fff
classDef mattermost fill:#0058CC,stroke:#333,stroke-width:2px,color:#fff
classDef infra fill:#e67e22,stroke:#333,stroke-width:2px,color:#fff
class MASTO_WEB,MASTO_STREAM,MASTO_SIDEKIQ mastodon
class SYNAPSE,ELEMENT,COTURN matrix
class MM_APP mattermost
class POSTGRES,REDIS,NGINX_VM infra
```
### Communication Services Summary
| Service | Domain | Protocol | Purpose |
|---------|--------|----------|---------|
| **Mastodon** | mastodon.vish.gg | ActivityPub | Fediverse microblogging |
| **Matrix (Primary)** | mx.vish.gg | Matrix | Federated chat |
| **Matrix (Legacy)** | matrix.thevish.io | Matrix | Legacy homeserver |
| **Mattermost** | mm.crista.love | Proprietary | Team collaboration |
| **Jitsi Meet** | meet.vish.gg | WebRTC | Video conferencing |
| **Joplin** | joplin.vish.gg | Joplin Sync | Note synchronization |
| **Vaultwarden** | vault.vish.gg | Bitwarden | Password management |
### Deployment Scripts
| Script | Location | Description |
|--------|----------|-------------|
| Mastodon Install | [mastodon-production/](../mastodon-production/) | Bare metal & Docker deployment |
| Matrix Install | [matrix-element/](../matrix-element/) | Synapse + Element + TURN |
| Mattermost Install | [mattermost-production/](../mattermost-production/) | Docker deployment |
| VM Config | [matrix-ubuntu-vm/](../matrix-ubuntu-vm/) | Complete VM configuration |
---
## ๐ CI/CD Pipeline Architecture
### Git Repository Mirroring
The homelab repository uses Gitea Actions for automated CI/CD, including sanitized public mirroring.
```mermaid
graph LR
subgraph Development["๐ป Development"]
DEV["Developer
Pushes Code"]
end
subgraph Gitea["๐ง Gitea (Calypso)"]
PRIVATE["๐ Private Repo
homelab"]
PUBLIC["๐ Public Repo
homelab-optimized"]
RUNNER["๐ Gitea Runner
(Calypso)"]
end
subgraph Workflow["โ๏ธ CI/CD Workflow"]
CHECKOUT["๐ฅ Checkout Code"]
SANITIZE["๐งน Sanitize
Remove Secrets"]
PUSH["๐ค Force Push
Fresh History"]
end
subgraph Deployment["๐ Deployment"]
ANSIBLE["๐ Ansible
164 Services"]
PORTAINER["๐ณ Portainer
5 Endpoints"]
end
DEV -->|"git push"| PRIVATE
PRIVATE -->|"Triggers"| RUNNER
RUNNER --> CHECKOUT
CHECKOUT --> SANITIZE
SANITIZE --> PUSH
PUSH --> PUBLIC
PRIVATE --> ANSIBLE
ANSIBLE --> PORTAINER
```
### Sanitization Process
The sanitization script removes sensitive data before public mirroring:
| Removed | Pattern | Example |
|---------|---------|---------|
| Passwords | `password:`, `PASS=` | `password: "REDACTED_PASSWORD" |
| API Keys | `api_key:`, `API_KEY=` | `api_key: REDACTED_API_KEY` |
| Tokens | `token:`, `TOKEN=` | `token: REDACTED_TOKEN` |
| Secrets | `secret:`, `SECRET=` | `secret: REDACTED_SECRET` |
| Private Keys | `-----BEGIN.*KEY-----` | File removed |
| SSH Keys | `id_rsa`, `id_ed25519` | File removed |
| Personal Emails | `*@gmail.com`, `*@*.com` | `REDACTED_EMAIL@example.com` |
| JWT Secrets | `JWT_SECRET=` | `JWT_SECRET=REDACTED` |
### Gitea Runner Setup
```mermaid
graph TB
subgraph Calypso["๐ Calypso (DS920+)"]
GITEA["๐ง Gitea Server
:3000"]
RUNNER["๐ Gitea Runner
act_runner:latest"]
DOCKER["๐ณ Docker Socket"]
end
GITEA -->|"Workflow Dispatch"| RUNNER
RUNNER -->|"docker.sock"| DOCKER
DOCKER -->|"Spawn Containers"| RUNNER
```
**Runner Configuration:**
- Image: `gitea/act_runner:latest`
- Labels: `ubuntu-latest`, `ubuntu-22.04`, `python`
- Location: Portainer stack on Calypso
- Trigger: Push to main branch
### Ansible Automation
```mermaid
graph TB
subgraph Control["๐ Ansible Control"]
SITE["site.yml
Master Playbook"]
INV["inventory.yml
13 Hosts"]
ROLES["Roles
docker_stack, directory_setup"]
end
subgraph Hosts["๐ฅ๏ธ Target Hosts"]
SYN["Synology
Atlantis, Calypso, Setillo"]
VMS["VMs
Homelab, Chicago, Bulgaria"]
PHYS["Physical
Guava, NUC, Anubis"]
EDGE["Edge
RPi5"]
end
SITE --> INV
INV --> SYN
INV --> VMS
INV --> PHYS
INV --> EDGE
```
**Ansible Commands:**
```bash
# Deploy everything
ansible-playbook site.yml
# Deploy to specific host
ansible-playbook site.yml --limit atlantis
# Deploy by category
ansible-playbook site.yml --tags synology
# Check status
ansible-playbook playbooks/common/status.yml
```
---
## ๐ Related Diagrams
- [Network Topology](network-topology.md) - How hosts connect
- [Storage Topology](storage-topology.md) - Where data lives
- [Tailscale Mesh](tailscale-mesh.md) - Cross-location access