LWS Lab · Overview
Self-hosted ops, built to last.
~22 containerized apps across four active hosts. SCM, CI, observability, content, storage, and agent orchestration — all on hardware you can touch.
The fleet
01 · What is it
Two purposes, one stack
The lab serves a dual role: replacing SaaS dependencies we want to deeply understand, and orchestrating the agents that ship our work.
Lab dogfood
GitHub → Forgejo · Google Analytics → Plausible · Sentry → GlitchTip · 1Password → Vaultwarden. Run the failure modes ourselves.
Agent operations hub
Mission Control + Paperclip orchestrate 9 OpenClaw agents, Hermes, Claude Code, and 5 utility agents.
02 · Who uses it
User roster
One human admin, ~17 agents, dozens of external webhooks. Future: family and clients.
Everything · OIDC + session + API key
Tailnet apps via MCP + REST · session + API keys
Tailnet apps via MCP + REST · session + MCP wrapper
Discord / Telegram bots, MC tasks · bot tokens + agent name
MC heartbeat, audit logs · API key
hooks.lima.to (n8n) · webhook secret
Plex / Immich · Tailscale device-tag
Status pages · public read-only
03 · Access tiers
Three layers of reach
Every app belongs to exactly one tier — from "anyone on the internet" to "only the box itself".
Public · 3 apps
Internet-reachable via Cloudflare Tunnel. analytics, errors, hooks.
Tailnet · 17 apps
Tailnet members + LAN via AdGuard DNS rewrites. auth, git, n8n, mc, paperclip, kb, vault, ...
Host-local · 3 services
Only on the host's loopback (or tailnet bind). postgres :5432, openclaw :18789, MCP stdio.
04 · Auth model
Three flavors of identity
Authentik OIDC
4 wired (git, errors, affine, vault), 8+ planned. Single sign-on for the lab.
App-native sessions
Per-app cookies: mc, paperclip, analytics, n8n, mail.
API keys & tokens
Machine-to-machine: MC API_KEY, Forgejo PATs, GlitchTip DSNs, Telegram bots, Tailscale tags.
Power draw & monthly cost
Massachusetts blended @ $0.30/kWh. Estimates until verified with Kill-A-Watt sensors.
Roadmap — twelve months out
Q3 2026 — next 3 months
T7 SSD as Time Machine target · TrueNAS deploy → lws-nas live · i5-b + i9 tier-2 workloads · 12 TB drive · Authentik SSO to 8+ apps.
Q4 2026 — 3 to 6 months
TM target switch TC → NAS · Offsite cold rotation · Restic snapshots i7 → NAS · Local LLM on i9 GPU · MC dispatcher v0.3.
Q1 2027 — 6 to 12 months
Plex + Immich production (family access) · Client status pages · Ansible config-as-code · Lab usage telemetry · k3s vs compose decision.
05 · Security boundary
What stays out of the KB
✓ Publishable
App names + hostnames · Internal port numbers · Auth modes (no values) · Architecture + playbooks · DB schema (no data) · Tailnet .ts.net hostnames.
⛔ Vault / .env mode 600 only
API keys, tokens, passwords, DSNs · CF Tunnel UUIDs · Telegram bot tokens · DB passwords · Tailscale auth keys · SSO secrets.
Want to dig deeper?
Companion docs cover data-flow, per-app deep dives, and SDK wiring playbooks. The slide deck has the same content in presentation form.