Application & Services (Layer 7)

Service inventory and application access paths.

Service inventory

Core services:

  • Reverse proxy (Caddy)
  • Identity provider (Authentik)
  • Applications (Immich, Paperless, Vaultwarden)
  • Observability (Prometheus, Grafana)

Access paths

All application access is routed through defined ingress paths and authenticated via Authentik.

External access (Internet)

Client → Cloudflare Access → Tunnel → Authentik → Application

  • No inbound ports are opened on the WAN: the tunnel connector makes an outbound connection to Cloudflare, and Cloudflare forwards requests back over it
  • Cloudflare is the only public entry point, and Cloudflare Access gates requests before they reach the tunnel
  • Application authentication is still enforced by Authentik behind the tunnel; Cloudflare Access is an outer layer, not a replacement

Internal access (VLAN 30)

Client → Caddy → Authentik → Application

  • Clients connect over HTTP/HTTPS to Caddy only
  • Caddy checks each request with Authentik before proxying it, so an unauthenticated request is redirected to the login flow and never reaches the application
  • Backend services in VLAN 20 are not reachable directly from the client VLAN
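The internal path above, expressed as a Caddy site block that uses Authentik as a forward-auth provider. This is an added illustration, not the configuration from this page or from the Caddy or Authentik projects; the hostnames (immich.home.example, authentik.home.example), the backend address 10.20.0.11:2283 and the outpost port 9000 are assumed values for the example.

```caddyfile
# Added example, not this page's own config. Hostnames, ports and the
# backend address are assumptions chosen for illustration.
immich.home.example {
    # "route" makes the directives run in the order written, which matters
    # here: the outpost path must be matched before the forward_auth check.
    route {
        # Everything under /outpost.goauthentik.io/ belongs to the Authentik
        # outpost itself (login flow, callback); proxy it there untouched.
        reverse_proxy /outpost.goauthentik.io/* http://authentik.home.example:9000

        # Every other request is first sent to Authentik's forward-auth
        # endpoint. A 2xx answer lets the request continue; anything else
        # (for example a redirect to the login page) is returned to the
        # client, so the application never sees an unauthenticated request.
        forward_auth http://authentik.home.example:9000 {
            uri /outpost.goauthentik.io/auth/caddy

            # Pass the identity Authentik established on to the application.
            # Header names are case-sensitive here.
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid

            # Only honour X-Forwarded-* headers coming from internal ranges.
            trusted_proxies private_ranges
        }

        # The application backend in VLAN 20 (assumed address). Only Caddy
        # should be able to reach this socket.
        reverse_proxy http://10.20.0.11:2283
    }
}
```

Caddy can only enforce the check for requests that arrive through it. The "no direct access to backend services" bullet therefore also depends on the inter-VLAN firewall denying VLAN 30 → VLAN 20 traffic except from the Caddy host; a client that can reach 10.20.0.11:2283 directly bypasses Authentik entirely.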

Management access (VLAN 10)

Admin → Service (direct)

  • SSH and admin interfaces are reached directly, not through the Authentik ingress
  • Restricted to the management network (VLAN 10)

Service boundaries

  • Applications run in VLAN 20
  • Only the ingress components (Caddy / Cloudflare Tunnel) are reachable from client networks
  • All application access passes through Authentik
  • Internal services (e.g. databases) listen only for their own application and are not reachable from client networks

Rule

All application access must go through an authenticated ingress path.
Direct access to applications or internal services from client networks is not allowed; the management path on VLAN 10 is the only exception.