Service Catalog
Generated file — regenerated by `make gen-docs` from `docker/docker-compose.yml` and `docker/scripts/setup_rbac.py`. Hand-edits will be overwritten. CI fails if this file drifts from source.
Single source of truth for every service in the stack. For RAM-tuning rationale see services_and_optimization.md, for RBAC see authentik_rbac.md.
Legend
- SSO tier: `public` (no auth), `L2` (auto-assigned on sign-up), `L3` (manual promotion), `Admin`, `OIDC` (Authentik as OIDC IdP).
- Backup: ✅ stopped during nightly offen backup (has label `h5h-backup-stop`), — not stopped.
- Subdomain blank means the service has no external route.
Core (always on — no profile)
| Service | Subdomain | Image | RAM | SSO | Backup |
|---|---|---|---|---|---|
| authentik-postgres | — | postgres:16-alpine | 256m | — | ✅ |
| authentik-redis | — | redis:7-alpine | 64m | — | ✅ |
| authentik-server | auth.h5h.me | ghcr.io/goauthentik/server:latest | 800m | — | — |
| authentik-worker | — | ghcr.io/goauthentik/server:latest | 512m | — | — |
| cloudflared | — | cloudflare/cloudflared:latest | 128m | — | — |
| dashboard | sh.h5h.me | ghcr.io/gethomepage/homepage:latest | 128m | (public) | — |
| sablier | — | ghcr.io/sablierapp/sablier:1.11.2 | 64m | — | — |
| traefik | traefik.h5h.me | traefik:v3.6 | 256m | Admin | — |
Photos profile
| Service | Subdomain | Image | RAM | SSO | Backup |
|---|---|---|---|---|---|
| immich-machine-learning | — | ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release} | 1536m | — | — |
| immich-postgres | — | ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0 | 1g | — | ✅ |
| immich-redis | — | docker.io/valkey/valkey:8-alpine | 128m | — | ✅ |
| immich-server | photos.h5h.me | ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} | 512m | L3 | — |
Drive profile
| Service | Subdomain | Image | RAM | SSO | Backup |
|---|---|---|---|---|---|
| nextcloud | drive.h5h.me | nextcloud:30-apache | 512m | L3 | — |
| nextcloud-postgres | — | postgres:16-alpine | 512m | — | ✅ |
| nextcloud-redis | — | redis:7-alpine | 64m | — | ✅ |
| obsidian | notes.h5h.me | lscr.io/linuxserver/obsidian:latest | 1g | L3 | ✅ |
Plex profile
| Service | Subdomain | Image | RAM | SSO | Backup |
|---|---|---|---|---|---|
| plex | plex.h5h.me | lscr.io/linuxserver/plex:version-1.40.5.8921-836b34c27 | 512m | (public) | — |
| qbittorrent | torrent.h5h.me | lscr.io/linuxserver/qbittorrent:latest | 256m | L2 / L3 (settings) | — |
Monitoring profile
| Service | Subdomain | Image | RAM | SSO | Backup |
|---|---|---|---|---|---|
| grafana | grafana.h5h.me | grafana/grafana-oss:latest | 192m | OIDC | — |
| node-exporter | — | prom/node-exporter:latest | 64m | — | — |
| prometheus | prometheus.h5h.me | prom/prometheus:latest | 256m | Admin | — |
VPN profile
| Service | Subdomain | Image | RAM | SSO | Backup |
|---|---|---|---|---|---|
| tailscale | — | tailscale/tailscale:latest | 128m | — | — |
Security profile
| Service | Subdomain | Image | RAM | SSO | Backup |
|---|---|---|---|---|---|
| crowdsec | — | crowdsecurity/crowdsec:latest | 256m | — | — |
| crowdsec-bouncer | — | fbonalair/traefik-crowdsec-bouncer:latest | 64m | — | — |
| loki | — | grafana/loki:3.4.3 | 256m | — | — |
| promtail | — | grafana/promtail:3.4.3 | 64m | — | — |
Backup profile
| Service | Subdomain | Image | RAM | SSO | Backup |
|---|---|---|---|---|---|
| backup | — | offen/docker-volume-backup:v2 | 256m | — | — |
Networks
- `h5h_proxy` — bridge, subnet `${DOCKER_SUBNET:-172.20.0.0/24}`. User-facing.
- `h5h_internal` — bridge, `internal: true`. Databases/workers — no egress.
Named volumes
immich-model-cache, redis-data, authentik-media.
Entrypoints (Traefik)
- `:80` web — redirects to 443
- `:443` websecure — public entry
- `:8082` metrics — Prometheus scrape + `/ping` healthcheck
- `:8081` internal-api — used only by the Homepage widget to read Traefik state