Applications
All apps are deployed as HelmRelease resources managed by Flux and live in the apps/ folder.
Service List
| App | Namespace | Chart | Description |
|---|---|---|---|
| Authentik | authentik | authentik/authentik | Identity Provider SSO (OIDC, SAML, LDAP) |
| Home Assistant | home-assistant | home-assistant | Home automation |
| Home Assistant Matter | home-assistant | matter-server | Matter/Thread protocol bridge |
| Immich | immich | immich | Self-hosted photo/video management (Google Photos alternative) |
| Grafana | grafana | grafana | Metrics dashboard and visualization |
| Prometheus | prometheus | kube-prometheus-stack | Metrics collection + Alertmanager |
| Gatus | gatus | gatus | Uptime monitoring with status page |
| Kubernetes Dashboard | kubernetes-dashboard | kubernetes-dashboard | Web UI for cluster management |
| Mosquitto | mosquitto | mosquitto | MQTT broker for IoT |
| Zigbee2MQTT | zigbee2mqtt | zigbee2mqtt | Zigbee → MQTT bridge |
| Tado API Proxy | tado-api-proxy | custom | Proxy for Tado thermostats |
| Trek | trek | trek | Travel planner |
| External Services | external-services | - | Proxy for services external to the network |
Common pattern
Each app follows this structure:
apps/<app-name>/
├── namespace.yaml         # Dedicated namespace
├── helm-repository.yaml   # Helm chart source
├── helm-release.yaml      # Deployment configuration
├── httproute.yaml         # HTTP routing (Gateway API)
├── kustomization.yaml     # Kustomize resource list
├── pvc.yaml               # (optional) PersistentVolumeClaim
├── secret-*.sops.yaml     # (optional) SOPS-encrypted secrets
└── middleware*.yaml       # (optional) Traefik/Authentik middleware
Service access
All exposed services use Gateway API HTTPRoute with hostname <service>.${DOMAIN}:
- auth.${DOMAIN} → Authentik
- ha.${DOMAIN} → Home Assistant
- photos.${DOMAIN} → Immich
- grafana.${DOMAIN} → Grafana
- status.${DOMAIN} → Gatus
- kubernetes.${DOMAIN} → Kubernetes Dashboard
Authentication
Services without native auth are protected by Authentik's forward-auth middleware on Traefik.
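
A CI-style check for the app layout and the authentication rule above, added here as an example and not part of the repository: it flags secret files that lack SOPS encryption markers and exposed apps whose forward-auth middleware is missing or not listed in kustomization.yaml. The `native_auth` set, the function names, and the sample tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

def listed_resources(kustomization):
    """List entries (`- name`) in kustomization.yaml; commented-out lines are ignored."""
    text = kustomization.read_text() if kustomization.exists() else ""
    return {l.strip()[2:].strip() for l in text.splitlines() if l.strip().startswith("- ")}

def audit_app(app_dir, native_auth):
    findings = []
    listed = listed_resources(app_dir / "kustomization.yaml")
    # 1. Secret files must carry SOPS metadata and encrypted values.
    for f in sorted(app_dir.glob("secret*.yaml")):
        text = f.read_text()
        has_meta = any(l.startswith("sops:") for l in text.splitlines())
        if not (f.name.endswith(".sops.yaml") and has_meta and "ENC[" in text):
            findings.append(f"{f.name}: not SOPS-encrypted")
    # 2. An exposed app without native auth needs a middleware that Kustomize applies.
    if (app_dir / "httproute.yaml").exists() and app_dir.name not in native_auth:
        middlewares = sorted(app_dir.glob("middleware*.yaml"))
        if not middlewares:
            findings.append("httproute.yaml: exposed without forward-auth middleware")
        findings += [f"{m.name}: not listed in kustomization.yaml"
                     for m in middlewares if m.name not in listed]
    return findings

def audit_repo(apps_root, native_auth):
    """Map each app directory name to its list of findings."""
    return {p.name: audit_app(p, native_auth) for p in sorted(Path(apps_root).iterdir()) if p.is_dir()}

def build_sample(root):
    """Constructed sample tree for the demo, not the real repository."""
    enc = "ENC[AES256_GCM,data:c2FtcGxl,type:str]"  # constructed placeholder value
    files = {
        "gatus/httproute.yaml": "kind: HTTPRoute\n",
        "gatus/middleware.yaml": "kind: Middleware\n",
        "gatus/kustomization.yaml": "resources:\n  - httproute.yaml\n  # - middleware.yaml\n",
        "gatus/secret-gatus.sops.yaml": "stringData:\n  token: plaintext-value\n",
        "immich/httproute.yaml": "kind: HTTPRoute\n",
        "immich/secret-db.sops.yaml": f"stringData:\n  pw: {enc}\nsops:\n  mac: {enc}\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_repo(tmp, native_auth={"immich"}))  # assumption: immich has native auth
```

The check only proves the middleware file is deployed; whether the HTTPRoute actually references it still needs review of httproute.yaml.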