Everything deployed on top of the platform — the actual workloads serving users (or, in this case, mostly serving me).
Grouped by what each app does, not by what stack it runs on. Each page covers the choice rationale, alternatives, and per-cluster deployment notes generated from the matching k8s/apps/ tree.
| App | Role |
|---|
| Jellyfin | Movies, shows, music streaming — the central media server |
| Immich | Self-hosted Google Photos replacement |
| Tube Archivist | YouTube channel archiver with metadata |
| Audiobookshelf | Audiobook + podcast library |
| Navidrome | Subsonic-compatible music server |
| Komga | Comics, manga, and ebook server |
| Tachiyomi | Manga catalog backend |
| RomM | ROM manager with IGDB / MobyGames metadata |
| Your Spotify | Personal Spotify listening-history dashboard |
| FileFlows | Media-processing pipeline (transcodes, conversions) |
Productivity & files
| App | Role |
|---|
| Nextcloud | File sync, calendar, contacts, office |
| Outline | Team wiki and knowledge base |
| Paperless | Document scanning, OCR, and archiving |
| Memos | Lightweight note-taking |
| Vikunja | Task and project management |
| Tandoor | Recipe manager and meal planning |
| Filebrowser | Web file browser over arbitrary directories |
| Baserow | No-code database / Airtable replacement |
Identity & security
| App | Role |
|---|
| Keycloak | OIDC / SAML identity provider — the auth root of trust |
| LLDAP | Lightweight LDAP directory (users + groups) |
| Pocket ID | Passkey-first OIDC provider |
| Vaultwarden | Bitwarden-compatible password manager |
| DefectDojo | Vulnerability management and security findings tracker |
| Policy Reporter | Kyverno PolicyReport dashboard |
DevOps & automation
| App | Role |
|---|
| Gitea | Source of truth for the homelab repo + every personal project |
| Gitea Runner | Gitea Actions runners + Renovate driver |
| n8n | Workflow automation |
| Selenium | Browser-automation grid |
Monitoring & alerting
| App | Role |
|---|
| Monitoring | Victoria-Metrics + Grafana stack for everything observability |
| Gatus | External health-check / uptime monitor |
| ntfy | Push-notification broker for alerts |
Dashboards & reading
| App | Role |
|---|
| Homepage | Single-pane-of-glass dashboard for the whole homelab |
| Miniflux | Minimalist RSS reader |
| Kiwix | Offline knowledge archive (Wikipedia, Stack Exchange, …) |
Communication & utilities
| App | Role |
|---|
| Bichon | Rust-based self-hosted webmail |
| PrivateBin | Encrypted pastebin |
| IT Tools | Bundle of dev / IT utilities — encoders, formatters, generators |
On the Maresa Docker host
These don't run on Kubernetes — they live on the always-on Synology so they keep working when the cluster is down or being upgraded.
How an app page is structured
Each per-app page is two layers:
- Hand-written prose at the top — what the app is, why it ended up the choice here, alternatives that were on the table, opinionated operational notes.
## Cluster Deployment at the bottom — auto-generated from the cluster-specific README.md next to the manifests (k8s/apps/<cluster>/<name>/README.md). Includes the Helm release / image pin, detected platform dependencies, and the public URLs from the HTTPRoute.
See Components for the building blocks every app reuses (CNPG cluster patches, k8up Schedules, NetworkPolicy templates) and Platform for the controllers underneath.