Kubernetes Namespaces¶

All workloads run on the mdapi-prod cluster (Harvester HCI / RKE2). Namespaces are organized by function.

About envuassu

"En Vuassu" is the name of the neighbourhood where multiple villas jointly own and manage a shared private space. The envuassu namespace hosts the services run for that small community of families (Nextcloud, Zammad ticketing, a dedicated Keycloak at login.envuassu.ch) — it is not an MDAPI-org service. It sits in the Web Hosting group below alongside the other independent web properties, and its identity is fully separate from the MDAPI Keycloak at idp.mdapi.ch.

Categories¶

Namespaces grouped by function. The Full Inventory table below lists every namespace with workloads, storage, and ingress.

Platform operators — kube-system (ingress-nginx), longhorn-system, rook-ceph (in-cluster Ceph), cert-manager, metallb-system, external-secrets, keel, reloader (config-change rollouts), democratic-csi, fleet-*.

Identity & Auth (MDAPI org) — keycloak (idp.mdapi.ch), oauth2-proxy, openldap (LDAP + LAM).

Ops / DevOps — bootstrap (GitLab EE), windmill (automation), cribl (log streaming), openobserve (logs.mdapi.ch, indexed log search), zot (OCI registry), mirror (package mirror), squid (HTTP proxy), meshcentral (help.mdapi.ch, remote support for family devices).

Networking / Infrastructure — ntppool (Chrony GPS stratum-1), nameserver (BIND9 public DNS), technitium (internal DNS + DHCP), split-horizon (in-cluster unbound split-horizon resolver), opennic (tier-2 resolver), vpn (WireGuard), openvpn (OpenVPN admin UI), honeypot (Trapeye), certspotter (CT monitor).

Collaboration & Comms — joplin (notes.mdapi.ch), paperless (documents.mdapi.ch, DMS), mail (full mail stack, 130 Gi), znc (IRC bouncer), mqtt (Mosquitto).

Domotics — home-assistant, appdaemon, esphome, frigate (NVR), scrypted (Nest → RTSP bridge for Frigate).

Media / TV — tv: 16-service stack (Plex, Sonarr, Radarr, Prowlarr, Bazarr, Tdarr, Autobrr, Seerr, Transmission + PIA, Threadfin × 2, Flaresolverr) on CephFS RWX volumes.

Web Hosting (independent properties) — spider3 (spider3.ch), coiffuredreams (coiffuredreams.ch), dellambrogio (dellambrogio.ch), ivodellambrogio (ivodellambrogio.ch), owncloud (cloud.mdapi.ch), envuassu (the En Vuassu neighbourhood community: Nextcloud + Zammad + Keycloak login.envuassu.ch).

Full Inventory¶

Namespace	Key Workloads	Storage	Ingress / VIP
`bootstrap`	GitLab EE (webservice, sidekiq, toolbox, registry, kas)	Ceph RGW (S3)	gitlab.mdapi.ch
`cert-manager`	cert-manager operator	—	—
`certspotter`	certspotter (CT log monitor)	5Gi	—
`coiffuredreams`	WordPress + MariaDB	4Gi	coiffuredreams.ch
`cribl`	Cribl Stream	50Gi	cribl.mdapi.ch
`democratic-csi`	NFS + iSCSI CSI drivers	—	—
`dellambrogio`	WordPress (custom image)	—	dellambrogio.ch
`envuassu`	Nextcloud AIO + Zammad + Keycloak (neighbourhood community)	200Gi data + more	cloud.envuassu.ch, suivi.envuassu.ch, login.envuassu.ch
`esphome`	ESPHome	50Gi	esphome.mdapi.ch
`external-secrets`	External Secrets Operator	—	—
`flame`	Flame dashboard	SQLite	flame.mdapi.ch
`frigate`	Frigate NVR	11Gi	frigate.mdapi.ch
`home-assistant`	Home Assistant	—	home.mdapi.ch
`honeypot`	Trapeye	—	192.168.1.45
`ivodellambrogio`	WordPress + MariaDB	2Gi	ivodellambrogio.ch
`joplin`	Joplin Server + MCP bridge + Postgres	5Gi	notes.mdapi.ch
`keel`	Keel operator (poll every 4h)	—	—
`keycloak`	Keycloak + Postgres (MDAPI org SSO)	5Gi	idp.mdapi.ch
`kube-system`	ingress-nginx	—	192.168.1.191
`longhorn-system`	Longhorn controller + UI	—	—
`mail`	docker-mailserver + Roundcube + Rspamd + Autoconfig	130Gi	webmail.mdapi.ch
`meshcentral`	MeshCentral (NeDB on Longhorn, single replica)	20Gi	help.mdapi.ch
`mirror`	Package mirror	200Gi	mirror.mdapi.ch
`mqtt`	Eclipse Mosquitto	5Gi	192.168.1.43
`nameserver`	BIND9 + Webmin	1Gi	ns.mdapi.ch, 192.168.1.53
`ntppool`	Chrony (GPS PPS, stratum-1)	—	192.168.1.58
`oauth2-proxy`	OAuth2 proxy	—	auth.mdapi.ch
`openldap`	OpenLDAP + LAM	5Gi	lam.mdapi.ch, 192.168.1.52
`opennic`	OpenNIC tier-2 resolver	—	192.168.1.44
`openobserve`	OpenObserve (indexed log search)	Ceph RGW (Parquet) + PVC	logs.mdapi.ch
`openvpn`	ovpn-admin UI (on `mdapi-rancher`)	—	vpnadmin.home.tillo.ch
`owncloud`	OwnCloud + Postgres + Redis	5Gi	cloud.mdapi.ch
`paperless`	Paperless-NGX + CNPG Postgres + Valkey	100Gi docs + 5Gi pg	documents.mdapi.ch
`metallb-system`	MetalLB controller + speaker	—	—
`reloader`	Stakater Reloader (rolls workloads on ConfigMap / Secret change)	—	—
`rook-ceph`	Rook operator + Ceph cluster (18 OSDs, mgr dashboard)	Ceph OSDs on P420i + FusionIO + bay-5 SSDs	ceph.mdapi.ch
`scrypted`	Scrypted (Google Nest → RTSP bridge for Frigate)	20Gi	scrypted.mdapi.ch
`spider3`	Joomla + MariaDB	52Gi	spider3.ch
`split-horizon`	unbound (split-horizon DNS resolver)	—	192.168.1.1
`squid`	Squid HTTP/S proxy	—	192.168.1.50
`technitium`	Technitium DNS + DHCP (primary + secondary)	—	192.168.1.54 (DNS), 192.168.1.55 (DHCP)
`tv`	16-service media stack	CephFS RWX (`ceph-filesystem`)	*.mdapi.ch per service
`vpn`	WireGuard (`wg-prod`)	—	31820/UDP (NodePort)
`windmill`	Windmill + Postgres	5Gi	windmill.mdapi.ch
`znc`	ZNC IRC bouncer	2Gi	192.168.1.51
`zot`	Zot OCI registry	20Gi	zot.mdapi.ch

TV Namespace — Media Stack¶

The tv namespace runs a full arr-stack for media acquisition and management, sharing ReadWriteMany (RWX) CephFS volumes (via Rook) across all services. The library was migrated off a Longhorn RWX volume onto CephFS.

Plex Live TV / EPG

Operational notes on the Threadfin → Plex XMLTV ingest path — channel mapping, xepg.json editing, and forcing a Plex EPG re-ingest — live on the Plex Live TV / Threadfin EPG page.

Service	Image	Role
pms-docker	plexinc/pms-docker	Media server
sonarr	linuxserver/sonarr	TV show management
radarr	linuxserver/radarr	Movie management
prowlarr	linuxserver/prowlarr	Indexer management
bazarr	linuxserver/bazarr	Subtitle management
tdarr	haveagitgat/tdarr	Transcode automation
seerr	ghcr.io/seerr-team/seerr	Request management
transmission	transmission + PIA VPN sidecar	Download client
autobrr	ghcr.io/autobrr/autobrr	Torrent automation
threadfin × 2	custom (registry.mdapi.ch)	IPTV proxy
flaresolverr	flaresolverr	Cloudflare bypass

RWX storage

The media library's RWX volumes are provided by CephFS (the ceph-filesystem storage class, via Rook), which handles concurrent multi-pod access natively. The earlier Longhorn RWX class (harvester-longhorn-2replicas-notmigratable) pinned replicas to fixed nodes to avoid live-migration issues with large RWX volumes; it is no longer used for the media stack.