LWS Lab · Overview

Self-hosted ops, built to last.

~22 containerized apps across four active hosts. SCM, CI, observability, content, storage, and agent orchestration — all on hardware you can touch.

The fleet

4
Active hosts
3
Queued hosts
~22
Containers
~$60
Monthly cost

01 · What is it

Two purposes, one stack

The lab serves a dual role: replacing SaaS dependencies we want to deeply understand, and orchestrating the agents that ship our work.

Lab dogfood

GitHub → Forgejo · Google Analytics → Plausible · Sentry → GlitchTip · 1Password → Vaultwarden. Run the failure modes ourselves.

Agent operations hub

Mission Control + Paperclip orchestrate 9 OpenClaw agents, Hermes, Claude Code, and 5 utility agents.

02 · Who uses it

User roster

One human admin, ~17 agents, dozens of external webhooks. Future: family and clients.

Human admin (Rudy)

Everything · OIDC + session + API key

Claude Code

Tailnet apps via MCP + REST · session + API keys

Hermes (lws profile)

Tailnet apps via MCP + REST · session + MCP wrapper

OpenClaw agents (9)

Discord / Telegram bots, MC tasks · bot tokens + agent name

Utility agents (5)

MC heartbeat, audit logs · API key

External webhooks (48)

hooks.lima.to (n8n) · webhook secret

Future · family

Plex / Immich · Tailscale device-tag

Future · clients

Status pages · public read-only

03 · Access tiers

Three layers of reach

Every app belongs to exactly one tier — from "anyone on the internet" to "only the box itself".

Public · 3 apps

Internet-reachable via Cloudflare Tunnel. analytics, errors, hooks.

Tailnet · 17 apps

Tailnet members + LAN via AdGuard DNS rewrites. auth, git, n8n, mc, paperclip, kb, vault, ...

Host-local · 3 services

Only on the host's loopback (or tailnet bind). postgres :5432, openclaw :18789, MCP stdio.

04 · Auth model

Three flavors of identity

Authentik OIDC

4 wired (git, errors, affine, vault), 8+ planned. Single sign-on for the lab.

App-native sessions

Per-app cookies: mc, paperclip, analytics, n8n, mail.

API keys & tokens

Machine-to-machine: MC API_KEY, Forgejo PATs, GlitchTip DSNs, Telegram bots, Tailscale tags.

Power draw & monthly cost

Massachusetts blended @ $0.30/kWh. Estimates until verified with Kill-A-Watt sensors.

~$40
Idle 24×7
~$61
Mixed (typical)
~$99
Heavy (AI + Plex + CI)

Roadmap — twelve months out

Q3 2026 — next 3 months

T7 SSD as Time Machine target · TrueNAS deploy → lws-nas live · i5-b + i9 tier-2 workloads · 12 TB drive · Authentik SSO to 8+ apps.

Q4 2026 — 3 to 6 months

TM target switch TC → NAS · Offsite cold rotation · Restic snapshots i7 → NAS · Local LLM on i9 GPU · MC dispatcher v0.3.

Q1 2027 — 6 to 12 months

Plex + Immich production (family access) · Client status pages · Ansible config-as-code · Lab usage telemetry · k3s vs compose decision.

05 · Security boundary

What stays out of the KB

✓ Publishable

App names + hostnames · Internal port numbers · Auth modes (no values) · Architecture + playbooks · DB schema (no data) · Tailnet .ts.net hostnames.

⛔ Vault / .env mode 600 only

API keys, tokens, passwords, DSNs · CF Tunnel UUIDs · Telegram bot tokens · DB passwords · Tailscale auth keys · SSO secrets.

Want to dig deeper?

Companion docs cover data-flow, per-app deep dives, and SDK wiring playbooks. The slide deck has the same content in presentation form.