Networking & Access¶
Traffic routing, VPN, DNS filtering, identity, and authentication.
Identity & Authentication¶
Authentik¶
k3s-cluster · ingress
Identity provider (IdP). Handles SSO, OAuth2/OIDC, SAML, and LDAP for all protected services. The primary auth system going forward.
Documentation · values.sops.yaml
Authelia¶
k3s-cluster · ingress
SSO and 2FA authentication proxy. Currently being decommissioned in favour of Authentik.
Documentation · values.sops.yaml
LLDAP¶
k3s-cluster · ingress
Lightweight LDAP server. Provides a simple user directory consumed by Authentik and other LDAP-aware services.
Documentation · values.sops.yaml
Ingress & Tunnels¶
ingress-nginx¶
k3s-cluster · ingress
Kubernetes ingress controller. Routes external HTTP/HTTPS traffic to the appropriate services based on hostname and path rules.
Documentation · values.sops.yaml
Cloudflared¶
k3s-cluster · ingress
Cloudflare Tunnel daemon. Establishes an outbound-only connection from the cluster to the Cloudflare edge, exposing services publicly without opening inbound firewall ports.
Documentation · values.sops.yaml
Wireguard¶
k3s-cluster · ingress
VPN server. Provides direct, encrypted network-level access to the cluster for trusted devices.
Cloudflare DDNS¶
k3s-cluster · ingress
Dynamic DNS updater for Cloudflare. Two instances run in parallel — one for the PT zone, one for the UK zone — keeping DNS records in sync with the current public IP.
values-pt.yaml · values-uk.yaml
DNS Filtering¶
AdGuard Home¶
rpi-4b · Docker*
Network-wide DNS ad blocker. Acts as the local DNS resolver for the LAN, blocking ads and trackers at the DNS level for all devices.
Network Hardware¶
UniFi Controller¶
UniFi Cloud Gateway Ultra*
Network management controller for UniFi access points, switches, and the Cloud Gateway Ultra itself. Handles VLAN configuration, client monitoring, and firmware updates.