The service catalog

Services are the self-hosted building blocks of the network. They are enabled per host, in etc/config.yaml. The host profile does not matter.

Enabling a service

Under a host’s services key, each entry enables a service. The (optional) value customizes it:

etc/config.yaml

    services:
      immich:
        title: "Photos"
        description: "My photos & videos"
        domain: "photos"          # service subdomain
        global: true              # → https://photos.domain.tld (public, no zone)
      nextcloud:
        domain: "cloud"           # → cloud.<zone>.domain.tld (not global)
      restic:                     # default values

Field	Role
(key)	The service to enable (e.g. immich)
title	Name displayed on the portal
description	Subtitle on the portal
domain	Subdomain (default: service name). FQDN: <domain>.<zone>.domain.tld
global	Exposes publicly via HCS: <domain>.domain.tld, without the zone (public DNS)
icon	Portal icon

Visible across the whole network

Declaring a service in etc/config.yaml makes it visible and resolvable from all zones. See Names and DNS resolution.

The catalog

Category	Services
Authentication	idm (Kanidm), vaultwarden
Files & cloud	nextcloud, oxicloud, immich, garage, minio, nfs
Communication	matrix, element, jitsi-meet, turn
Media & leisure	jellyfin, mealie, geneweb
Productivity	outline, docs, searx
AI	ai (Open WebUI + Ollama)
Network	dnsmasq, adguardhome, headscale, tailscale, homepage
Development	forgejo, harmonia, ncps
Monitoring & backup	monitoring, loki, restic
System	fail2ban, postfix, printing, audio, home-assistant

Full reference

Detailed options for each service in the module reference.

Portal and access

• Portal: the homepage service provides a services dashboard, per zone.
• Single sign-on: most services go through SSO Kanidm.
• Local or global: a service stays in its zone, unless global: true exposes it publicly.