# Kubernetes Namespaces
All workloads run on the mdapi-prod cluster (Harvester HCI / RKE2). Namespaces are organized by function.
## Namespace Map
```mermaid
graph LR
subgraph plat["Platform Operators"]
ks["kube-system\ningress-nginx + Diun"]
lh["longhorn-system\nLonghorn"]
cm_ns["cert-manager"]
purelb_ns["purelb\nLB controller"]
es_ns["external-secrets\nOperator"]
keel_ns["keel\nImage updater"]
dcsi["democratic-csi\nNFS + iSCSI"]
fleet_ns["fleet-*\nFleet controllers"]
end
subgraph ops["Ops / DevOps"]
bootstrap["bootstrap\nGitLab EE"]
windmill_ns["windmill\nAutomation"]
cribl_ns["cribl\nLog streaming"]
zot_ns["zot\nOCI registry"]
mirror_ns["mirror\nPackage mirror"]
squid_ns["squid\nHTTP proxy"]
end
subgraph infra_net["Networking / Infrastructure"]
ntppool_ns["ntppool\nChrony NTP\nGPS stratum-1"]
nameserver_ns["nameserver\nBIND9 DNS"]
opennic_ns["opennic\nOpenNIC tier-2"]
openvpn_ns["openvpn\nVPN admin UI"]
honeypot_ns["honeypot\nTrapeye"]
certspotter_ns["certspotter\nCT monitor"]
end
subgraph collab["Collaboration & Comms"]
joplin_ns["joplin\nnotes.mdapi.ch"]
mail_ns["mail\nFull mail stack\n130Gi"]
openldap_ns["openldap\nLDAP + LAM"]
znc_ns["znc\nIRC bouncer"]
mqtt_ns["mqtt\nMosquitto"]
end
subgraph dom["Domotics"]
ha_ns["home-assistant"]
appdaemon_ns["appdaemon"]
esphome_ns["esphome"]
frigate_ns["frigate\nNVR"]
akri_ns["akri\ndevice discovery"]
end
subgraph media["Media / TV"]
tv_ns["tv\nPlex + Sonarr + Radarr\n+ Prowlarr + Tdarr\n+ Bazarr + Autobrr\n+ Overseerr + Transmission\n+ Threadfin x2\n3.5Ti RWX PVC"]
end
subgraph identity["Identity & Auth"]
keycloak_ns["keycloak\nKeycloak SSO\nlogin.envuassu.ch"]
oauth2_ns["oauth2-proxy"]
end
subgraph envuassu_grp["Envuassu (Multi-tenant)"]
nc_ns["envuassu\nNextcloud AIO\n200Gi data\n+ Zammad ticketing"]
end
subgraph web["Web Hosting"]
spider3_ns["spider3 — spider3.ch"]
coiffure_ns["coiffuredreams — coiffuredreams.ch"]
della_ns["dellambrogio — dellambrogio.ch"]
ivod_ns["ivodellambrogio — ivodellambrogio.ch"]
texto_ns["textopolis — textopolis.net"]
owncloud_ns["owncloud — cloud.mdapi.ch"]
end
```
## Full Inventory
| Namespace | Key Workloads | Storage | Ingress / VIP |
|---|---|---|---|
| bootstrap | GitLab EE (webservice, sidekiq, toolbox, registry, kas) | MinIO S3 | gitlab.mdapi.ch |
| cert-manager | cert-manager operator | — | — |
| certspotter | certspotter (CT log monitor) | 5Gi | — |
| coiffuredreams | WordPress + MariaDB | 4Gi | coiffuredreams.ch |
| cribl | Cribl Stream | 50Gi | cribl.mdapi.ch |
| democratic-csi | NFS + iSCSI CSI drivers | — | — |
| dellambrogio | WordPress (custom image) | — | dellambrogio.ch |
| envuassu | Nextcloud AIO + Zammad | 200Gi data + more | cloud.envuassu.ch, suivi.envuassu.ch |
| esphome | ESPHome | 50Gi | esphome.mdapi.ch |
| external-secrets | External Secrets Operator | — | — |
| flame | Flame dashboard | SQLite | flame.mdapi.ch |
| frigate | Frigate NVR | 11Gi | frigate.mdapi.ch |
| home-assistant | Home Assistant | — | home.mdapi.ch |
| honeypot | Trapeye | — | 192.168.1.43 |
| ivodellambrogio | WordPress + MariaDB | 2Gi | ivodellambrogio.ch |
| joplin | Joplin Server + MCP bridge + Postgres | 5Gi | notes.mdapi.ch |
| keel | Keel operator (poll every 4h) | — | — |
| keycloak | Keycloak + Postgres | 5Gi | login.envuassu.ch |
| kube-system | ingress-nginx + Diun | — | 192.168.1.191 |
| longhorn-system | Longhorn controller + UI | — | — |
| mail | docker-mailserver + Roundcube + Rspamd + Autoconfig | 130Gi | webmail.mdapi.ch |
| mirror | Package mirror | 200Gi | mirror.mdapi.ch |
| mqtt | Eclipse Mosquitto | 5Gi | 192.168.1.40 |
| nameserver | BIND9 + Webmin | 1Gi | ns.mdapi.ch, 192.168.1.53 |
| ntppool | Chrony (GPS PPS, stratum-1) | — | 192.168.1.48 |
| oauth2-proxy | OAuth2 proxy | — | auth.mdapi.ch |
| openldap | OpenLDAP + LAM | 5Gi | lam.mdapi.ch, 192.168.1.52 |
| opennic | OpenNIC tier-2 resolver | — | 192.168.1.49 |
| openvpn | ovpn-admin UI | — | vpnadmin.home.tillo.ch |
| owncloud | OwnCloud + Postgres + Redis | 5Gi | cloud.mdapi.ch |
| purelb | PureLB controller | — | — |
| spider3 | Joomla + MariaDB | 52Gi | spider3.ch |
| squid | Squid HTTP/S proxy | — | 192.168.1.50 |
| textopolis | WordPress + MariaDB | 4Gi | textopolis.net |
| tv | 16-service media stack | 3.5Ti RWX | `*.mdapi.ch` per service |
| windmill | Windmill + Postgres | 5Gi | windmill.mdapi.ch |
| znc | ZNC IRC bouncer | 2Gi | 192.168.1.51 |
| zot | Zot OCI registry | 20Gi | zot.mdapi.ch |
## TV Namespace — Media Stack
The tv namespace runs a full arr-stack for media acquisition and management, sharing a 3.5 TiB ReadWriteMany (RWX) Longhorn volume across all services.
| Service | Image | Role |
|---|---|---|
| pms-docker | plexinc/pms-docker | Media server |
| sonarr | linuxserver/sonarr | TV show management |
| radarr | linuxserver/radarr | Movie management |
| prowlarr | linuxserver/prowlarr | Indexer management |
| bazarr | linuxserver/bazarr | Subtitle management |
| tdarr | haveagitgat/tdarr | Transcode automation |
| overseerr | sctx/overseerr | Request management |
| transmission | transmission + PIA VPN sidecar | Download client |
| autobrr | ghcr.io/autobrr/autobrr | Torrent automation |
| threadfin × 2 | custom (registry.mdapi.ch) | IPTV proxy |
| flaresolverr | flaresolverr | Cloudflare bypass |
**RWX storage**

Longhorn RWX volumes use the `harvester-longhorn-2replicas-notmigratable` storage class, which keeps replicas on fixed nodes to avoid live migration issues with large RWX volumes.
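The manifests below are an added illustration of that setup, not the cluster's own repository: the storage class name, the 3.5Ti size, the RWX access mode and the two-replica, non-migratable intent come from this page, while the Longhorn parameter values (`numberOfReplicas`, `migratable`, `staleReplicaTimeout`), the `Retain` reclaim policy and the claim name `media` are assumptions.

```yaml
# Added example (not from the cluster's repo): the StorageClass behind the
# shared tv volume and the RWX claim that every media service mounts.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: harvester-longhorn-2replicas-notmigratable
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Retain            # assumption: never let a PVC delete wipe 3.5Ti of media
volumeBindingMode: Immediate
parameters:
  numberOfReplicas: "2"          # two replicas, as the class name states
  migratable: "false"            # replicas stay on fixed nodes; no live migration
  staleReplicaTimeout: "30"      # assumption: Longhorn default-style stale timeout
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: media                    # assumption: the page does not name the PVC
  namespace: tv
spec:
  accessModes:
    - ReadWriteMany              # one claim shared by all arr-stack pods
  storageClassName: harvester-longhorn-2replicas-notmigratable
  resources:
    requests:
      storage: 3.5Ti
```

Each pod in the namespace references the same claim (`persistentVolumeClaim.claimName: media`), so a single replica set backs the whole stack and a change to the class's replica or migration settings affects every service at once.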