Service directory
All services run as containers on the home server. They're organized by what they do.
For everyone
These are the services you'll use day-to-day. They require a tala.family account unless the table says otherwise.
| Service | URL | What it does |
|---|---|---|
| OpenCloud | space.tala.family | File storage, sharing, and document editing |
| Immich | photos.tala.family | Photo and video backup with albums and search |
| Vikunja | planner.tala.family | Task lists, project boards, and shared planning |
| Booklore | library.tala.family | Digital book library with e-reader sync |
| LibreChat | llm.tala.family | AI chat assistant powered by local models |
| SearXNG | search.tala.family | Privacy-respecting metasearch engine (no account needed) |
| Pocket ID | id.tala.family | Your account and passkeys — sign-in provider for all services |
| Headscale | vpn.tala.family | VPN coordination — manages device connections |
Access levels
Services have different access levels:
- Public — Reachable from any internet connection. Protected by your tala.family sign-in.
- VPN only — Only reachable when connected to the family VPN via Tailscale.
- Internal — Only reachable by other services on the server. Not directly accessible to users.
| Service | Access |
|---|---|
| OpenCloud, Immich, Vikunja, Booklore, LibreChat, SearXNG, Pocket ID | Public |
| Forgejo (forge.tala.family), AI API, Headscale admin panel, Handbook | VPN only |
| Databases, Collabora Online, WOPI server | Internal |
How services talk to each other
Services are grouped into isolated networks. A database is only reachable by the service that needs it — nothing else can see it. Services that need to be accessed through a browser go through a reverse proxy (Caddy), which handles HTTPS certificates and routing.
All of this is managed by Podman using Quadlet files. Think of each Quadlet file as a recipe that describes what one service needs (its image, storage, network, and settings). The server reads these recipes and keeps everything running.