All services running on the k3s cluster. Internal URLs require being on the home network or VPN. Public URLs are accessible from anywhere and protected by Authentik (Google OIDC).
| Category | Services |
|---|---|
| AI & Automation | Open WebUI, OpenClaw, Alert Responder, Trade Bot, Polymarket Lab, Cluster Health Monitor, RAG Platform |
| Media | Jellyfin, Plex, Jellyseerr, Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent, Tdarr, Media Controller, Media Profiler |
| Development | Dev Workspace, Gitea, Harbor, GHA Dashboard, AWS Lens, Jupyter |
| Smart Home | Home Assistant, Digital Signage |
| Infrastructure | Grafana, Prometheus, Longhorn, Traefik, Wiki.js, Authentik, WireGuard, Velero |
| Personal Projects | Cardboard, OpenDonor, HMB, HAM, Auto Brand |
| Shared / Family | Aja Recipes, DnD, Cat Game, Steve Lee |

| Service | Internal URL | Public URL | Namespace | Auth | Docs |
|---|---|---|---|---|---|
| Open WebUI (Strommen AI) | https://chat.k3s.internal.strommen.systems | https://chat.k3s.strommen.systems | open-webui | Authentik SSO | Open WebUI |
| OpenClaw (gateway service) | https://openclaw.k3s.internal.strommen.systems | — | open-webui | Authentik SSO | OpenClaw |
| OpenClaw Ops | — | — | openclaw-ops | Internal | OpenClaw |
| OpenClaw Personal | — | — | openclaw-personal | None (internal) | OpenClaw |
| Alert Responder | https://alert-responder.k3s.internal.strommen.systems | — | alert-responder | Internal | Alert Responder |
| Trade Bot | https://trade-bot.k3s.internal.strommen.systems | — | trade-bot | Internal | Trade Bot |
| Polymarket Lab | — | — | polymarket-lab | Internal | Polymarket Lab |
| Cluster Health Monitor | — | — | cluster-health-monitor | Internal | Cluster Health Monitor |
| RAG Platform | — | — | rag | Internal | RAG Platform |

Open WebUI: Self-hosted AI chat interface + LiteLLM proxy routing to Bedrock, Anthropic, and OpenRouter. Public URL protected by Authentik SSO (Google OIDC). Both `chat.k3s.internal.*` (Open WebUI Helm, port 8080) and `openclaw.k3s.internal.*` (custom openclaw gateway) run in the `open-webui` namespace as distinct services.

OpenClaw Personal: Job search & interview prep AI agent. Cluster-internal only — no public ingress.

Polymarket Lab: Prediction market research platform — several services scaffolded at `replicas: 0`.

RAG Platform: Qdrant vector DB + document ingester — shared AI infrastructure used by Polymarket Lab and OpenClaw.

| Service | URL | Namespace | Purpose | Docs |
|---|---|---|---|---|
| Jellyfin | https://jellyfin.k3s.strommen.systems | media | GPU-accelerated media server (HA, 2 replicas) | Jellyfin |
| Plex | https://plex.k3s.strommen.systems | media | Media server for TV/mobile clients (GPU, built-in auth) | Plex |
| Jellyseerr | https://jellyseerr.k3s.strommen.systems | media | Media request management | Jellyseerr |
| Sonarr | https://sonarr.k3s.strommen.systems | media | TV show automation | Sonarr |
| Radarr | https://radarr.k3s.strommen.systems | media | Movie automation | Radarr |
| Prowlarr | https://prowlarr.k3s.strommen.systems | media | Indexer manager | Prowlarr |
| Bazarr | https://bazarr.k3s.strommen.systems | media | Subtitle automation | Bazarr |
| qBittorrent | https://qbt.k3s.internal.strommen.systems | media | VPN-tunneled torrent client | qBittorrent |
| Tdarr | https://tdarr.k3s.strommen.systems | media | GPU transcode queue | Tdarr |
| Media Controller | https://media-controller.k3s.strommen.systems | media | Automated media lifecycle | Media Controller |
| Media Profiler | https://media-profiler.k3s.strommen.systems | media-profiler | Public media profile generator (any @gmail.com) | Media Profiler |
| Seedbox Sync | CronJob (every 4h) | media | rsync from RapidSeedbox → NAS staging | Seedbox Sync |
| Media Stack | — | media | Full media stack overview | Media Stack |

| Service | Internal URL | Namespace | Purpose | Docs |
|---|---|---|---|---|
| Dev Workspace (Mat) | https://dev-mat.k3s.internal.strommen.systems | dev-workspace | ARCHIVED — namespace not deployed | Dev Workspace |
| Dev Workspace (Aja) | https://dev-aja.k3s.internal.strommen.systems | dev-workspace | ARCHIVED — namespace not deployed | Dev Workspace |
| Gitea | https://gitea.k3s.internal.strommen.systems | gitea | PyPI / npm / generic package registry | Gitea |
| Harbor | https://harbor.k3s.internal.strommen.systems | harbor | Container registry (staging + production) | Harbor |
| GHA Dashboard | https://gha.k3s.internal.strommen.systems | gha-dashboard | GitHub Actions run monitor | GHA Dashboard |
| AWS Lens | https://aws-lens.k3s.internal.strommen.systems | aws-lens | AWS cost + resource viewer | AWS Lens |
| Jupyter | https://jupyter.k3s.internal.strommen.systems | jupyter | Notebook server with Prometheus/Loki access | Jupyter |
| Security Scanner | https://scanner.k3s.internal.strommen.systems | security-scanner | Trivy vulnerability scanning | — |

| Service | Internal URL | Public URL | Namespace | Auth | Docs |
|---|---|---|---|---|---|
| Home Assistant | https://ha.k3s.internal.strommen.systems | https://ha.k3s.strommen.systems | home-assistant | HA native (no Authentik — companion app incompatible) | Home Assistant |
| Digital Signage | https://ds.k3s.internal.strommen.systems | — | digital-signage | Authentik forwardAuth (Pi kiosks connect via MQTT LB directly) | Digital Signage |

| Service | URL | Namespace | Purpose | Docs |
|---|---|---|---|---|
| Grafana | https://grafana.k3s.internal.strommen.systems | monitoring | Dashboards & visualization | Observability Stack |
| Prometheus | https://prometheus.k3s.internal.strommen.systems | monitoring | Metrics collection | Observability Stack |
| AlertManager | https://alertmanager.k3s.internal.strommen.systems | monitoring | Alert routing | Observability Stack |
| Longhorn UI | https://longhorn.k3s.internal.strommen.systems | longhorn-system | Distributed storage | Storage Architecture |
| Traefik Dashboard | https://traefik.k3s.internal.strommen.systems | kube-system | Ingress controller | Ingress Architecture |
| Wiki.js | https://wiki.k3s.internal.strommen.systems | wiki | This wiki | Wiki.js |
| Authentik | https://auth.k3s.strommen.systems | authentik | SSO / identity provider | Authentik |
| WireGuard Hub | wg.k3s.strommen.systems:51821/UDP | mesh-peers | Collective mesh VPN | WireGuard |
| Proxmox Watchdog | https://watchdog.k3s.internal.strommen.systems | proxmox-watchdog | Auto power-cycle for all pve hosts | Proxmox Watchdog |
| Cluster Dashboard | https://dash.k3s.internal.strommen.systems | default | Service health overview | Cluster Dashboard |
| Velero | — (no UI) | velero | Kubernetes object backup | Backup Guide |
| Email Gateway | — (ClusterIP :587) | email-gateway | Postfix → AWS SES relay for AlertManager + app SMTP | Email Gateway |
| kube-utils Honeypot | — (LoadBalancer :9100) | kube-utils | Deception service mimicking node-exporter | kube-utils |

| Service | Internal URL | Public URL | Namespace | Purpose | Docs |
|---|---|---|---|---|---|
| Cardboard | https://cardboard.k3s.internal.strommen.systems | — | cardboard | TCG price tracker | Cardboard |
| OpenDonor | — | — | — | Blood donor management CRM (not deployed here) | OpenDonor |
| HMB | — | — | — | Flutter CRM (not deployed here) | HMB |
| HAM | https://ham.k3s.internal.strommen.systems | https://ham.k3s.strommen.systems | ham | Habit tracker with AI coach + Strava sync | HAM |
| Auto Brand | https://auto-brand.k3s.internal.strommen.systems | https://auto-brand.k3s.strommen.systems | auto-brand | AI video factory | Auto Brand |

Note: OpenDonor and HMB do not currently have Kubernetes manifests in this repo — managed from their own repositories.

| Service | URL | Namespace | Purpose | Docs |
|---|---|---|---|---|
| Aja Recipes | https://recipes.k3s.internal.strommen.systems | aja-recipes | Recipe management app | Aja Recipes |
| DnD | https://dnd.k3s.internal.strommen.systems | dnd | Tabletop gaming — frontend + API (`api.dnd.*`) + LiveKit voice (`voice.dnd.*`) | D&D Platform |
| Cat Game | (URL unconfirmed — manifest not in this repo) | cat-game | Family browser game (Helm-managed externally) | Cat Game |
| Steve Lee | https://steve-lee.k3s.strommen.systems | open-webui | Static product listing site (nginx + Etsy scraper); no auth — public | Steve Lee |

All public routes require Authentik Google OIDC sign-in except where noted:

| URL | Backend | Auth |
|---|---|---|
| https://chat.k3s.strommen.systems | Open WebUI (Strommen AI) — LiteLLM proxy (Bedrock/Anthropic/OpenRouter) | Authentik SSO |
| https://auth.k3s.strommen.systems | Authentik | Self (Google OIDC) |
| https://ha.k3s.strommen.systems | Home Assistant | HA native auth (no Authentik — companion app + Google Assistant webhook incompatible) |
| https://jellyfin.k3s.strommen.systems | Jellyfin | Jellyfin native accounts (no Authentik — TV/mobile apps incompatible) |
| https://plex.k3s.strommen.systems | Plex | Plex account auth via plex.tv (no Authentik) |
| https://jellyseerr.k3s.strommen.systems | Jellyseerr | Authentik SSO |
| https://radarr.k3s.strommen.systems | Radarr | Authentik SSO |
| https://sonarr.k3s.strommen.systems | Sonarr | Authentik SSO |
| https://prowlarr.k3s.strommen.systems | Prowlarr | Authentik SSO |
| https://bazarr.k3s.strommen.systems | Bazarr | Authentik SSO |
| https://tdarr.k3s.strommen.systems | Tdarr | Authentik SSO |
| https://ham.k3s.strommen.systems | HAM Habit Tracker | Authentik SSO |
| https://auto-brand.k3s.strommen.systems | Auto Brand | Authentik SSO |
| https://dash.k3s.strommen.systems | Cluster Dashboard | Authentik SSO |
| https://media-profiler.k3s.strommen.systems | Media Profiler | Open Gmail OAuth2 (any @gmail.com) |
| https://media-controller.k3s.strommen.systems | Media Controller | Authentik SSO |
| https://store.k3s.strommen.systems | T-shirt Storefront | Authentik SSO |
| https://steve-lee.k3s.strommen.systems | Steve Lee static site | No auth — open to the internet |