diff --git a/clusters/atlas/applications/kustomization.yaml b/clusters/atlas/applications/kustomization.yaml
index c25257b..f5c64e8 100644
--- a/clusters/atlas/applications/kustomization.yaml
+++ b/clusters/atlas/applications/kustomization.yaml
@@ -5,7 +5,7 @@ resources:
 - ../../services/crypto
 - ../../services/gitea
 - ../../services/jellyfin
- - ../../services/communication
+ - ../../services/comms
 - ../../services/monitoring
 - ../../services/pegasus
 - ../../services/vault
diff --git a/clusters/atlas/flux-system/applications/comms/kustomization.yaml b/clusters/atlas/flux-system/applications/comms/kustomization.yaml
deleted file mode 100644
index 42dc736..0000000
--- a/clusters/atlas/flux-system/applications/comms/kustomization.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# clusters/atlas/flux-system/applications/comms/kustomization.yaml
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: comms
- namespace: flux-system
-spec:
- interval: 10m
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- path: ./services/comms
- targetNamespace: comms
- timeout: 2m
diff --git a/clusters/atlas/flux-system/applications/communication/kustomization.yaml b/clusters/atlas/flux-system/applications/communication/kustomization.yaml
index f9f3531..ab2e7d8 100644
--- a/clusters/atlas/flux-system/applications/communication/kustomization.yaml
+++ b/clusters/atlas/flux-system/applications/communication/kustomization.yaml
@@ -10,7 +10,7 @@ spec:
 sourceRef:
 kind: GitRepository
 name: flux-system
- path: ./services/communication
+ path: ./services/comms
 targetNamespace: comms
 timeout: 2m
 dependsOn:
diff --git a/clusters/atlas/flux-system/applications/kustomization.yaml b/clusters/atlas/flux-system/applications/kustomization.yaml
index 9fefc9c..d8e27af 100644
--- a/clusters/atlas/flux-system/applications/kustomization.yaml
+++ b/clusters/atlas/flux-system/applications/kustomization.yaml
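Review bot: Removing the `comms` Flux Kustomization while it is still `prune: true` makes Flux's deletion finalizer garbage-collect every object it labelled as its own in namespace `comms`, and `communication`, whose `path` this commit re-points to the same `./services/comms`, only re-creates them on its next reconcile, so anything `./services/comms` previously delivered can go through a delete/re-create cycle depending on which controller action runs first. A safer sequence is to first land `prune: false` on `comms` (or suspend it), let it reconcile, and only then delete the file together with the `- comms/kustomization.yaml` entry in the flux-system applications list in the next hunk. The `dependsOn:` list of `communication` starts on this hunk's last line and continues outside it; confirm it does not still name `comms`, which would leave the Kustomization waiting on a dependency that no longer exists.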
@@ -5,7 +5,6 @@ resources: - gitea/kustomization.yaml - vault/kustomization.yaml - vaultwarden/kustomization.yaml - - comms/kustomization.yaml - communication/kustomization.yaml - crypto/kustomization.yaml - monerod/kustomization.yaml diff --git a/knowledge/catalog/atlas-summary.json b/knowledge/catalog/atlas-summary.json index 16e3019..2139e29 100644 --- a/knowledge/catalog/atlas-summary.json +++ b/knowledge/catalog/atlas-summary.json @@ -1,8 +1,8 @@ { "counts": { "helmrelease_host_hints": 7, - "http_endpoints": 32, - "services": 42, - "workloads": 47 + "http_endpoints": 35, + "services": 44, + "workloads": 49 } } diff --git a/knowledge/catalog/atlas.json b/knowledge/catalog/atlas.json index 359af22..92f08f4 100644 --- a/knowledge/catalog/atlas.json +++ b/knowledge/catalog/atlas.json @@ -16,14 +16,9 @@ "path": "services/ci-demo", "targetNamespace": null }, - { - "name": "comms", - "path": "services/comms", - "targetNamespace": "comms" - }, { "name": "communication", - "path": "services/communication", + "path": "services/comms", "targetNamespace": "comms" }, { @@ -324,6 +319,19 @@ "ghcr.io/element-hq/matrix-authentication-service:1.8.0" ] }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "matrix-guest-register", + "labels": { + "app.kubernetes.io/name": "matrix-guest-register" + }, + "serviceAccountName": null, + "nodeSelector": {}, + "images": [ + "python:3.11-slim" + ] + }, { "kind": "Deployment", "namespace": "comms", @@ -777,6 +785,21 @@ "python:3.12-alpine" ] }, + { + "kind": "Deployment", + "namespace": "nextcloud", + "name": "collabora", + "labels": { + "app": "collabora" + }, + "serviceAccountName": null, + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "collabora/code:latest" + ] + }, { "kind": "Deployment", "namespace": "nextcloud", 
@@ -1399,6 +1422,22 @@ } ] }, + { + "namespace": "comms", + "name": "matrix-guest-register", + "type": "ClusterIP", + "selector": { + "app.kubernetes.io/name": "matrix-guest-register" + }, + "ports": [ + { + "name": "http", + "port": 8080, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, { "namespace": "comms", "name": "matrix-wellknown", @@ -1834,6 +1873,22 @@ } ] }, + { + "namespace": "nextcloud", + "name": "collabora", + "type": "ClusterIP", + "selector": { + "app": "collabora" + }, + "ports": [ + { + "name": "http", + "port": 9980, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, { "namespace": "nextcloud", "name": "nextcloud", @@ -2040,21 +2095,41 @@ }, { "host": "bstein.dev", - "path": "/.well-known/matrix", + "path": "/.well-known/matrix/client", "backend": { "namespace": "comms", - "service": "othrys-synapse-matrix-synapse", - "port": 8008, + "service": "matrix-wellknown", + "port": 80, "workloads": [ { "kind": "Deployment", - "name": "othrys-synapse-matrix-synapse" + "name": "matrix-wellknown" } ] }, "via": { "kind": "Ingress", - "name": "othrys-synapse-matrix-synapse", + "name": "matrix-wellknown-bstein-dev", + "source": "communication" + } + }, + { + "host": "bstein.dev", + "path": "/.well-known/matrix/server", + "backend": { + "namespace": "comms", + "service": "matrix-wellknown", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-wellknown" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-wellknown-bstein-dev", "source": "communication" } }, 
@@ -2218,26 +2293,6 @@ "source": "communication" } }, - { - "host": "live.bstein.dev", - "path": "/.well-known/matrix", - "backend": { - "namespace": "comms", - "service": "othrys-synapse-matrix-synapse", - "port": 8008, - "workloads": [ - { - "kind": "Deployment", - "name": "othrys-synapse-matrix-synapse" - } - ] - }, - "via": { - "kind": "Ingress", - "name": "othrys-synapse-matrix-synapse", - "source": "communication" - } - }, { "host": "live.bstein.dev", "path": "/.well-known/matrix/client", @@ -2294,7 +2349,7 @@ }, "via": { "kind": "Ingress", - "name": "othrys-synapse-matrix-synapse", + "name": "matrix-routing", "source": "communication" } }, @@ -2349,7 +2404,7 @@ }, "via": { "kind": "Ingress", - "name": "matrix-authentication-service", + "name": "matrix-routing", "source": "communication" } }, @@ -2409,7 +2464,27 @@ }, "via": { "kind": "Ingress", - "name": "othrys-synapse-matrix-synapse", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/_matrix/client/r0/register", + "backend": { + "namespace": "comms", + "service": "matrix-guest-register", + "port": 8080, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-guest-register" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", "source": "communication" } }, @@ -2429,7 +2504,7 @@ }, "via": { "kind": "Ingress", - "name": "matrix-authentication-service-compat", + "name": "matrix-routing", "source": "communication" } }, @@ -2449,7 +2524,7 @@ }, "via": { "kind": "Ingress", - "name": "matrix-authentication-service-compat", + "name": "matrix-routing", "source": "communication" } }, 
@@ -2469,7 +2544,27 @@ }, "via": { "kind": "Ingress", - "name": "matrix-authentication-service-compat", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/_matrix/client/v3/register", + "backend": { + "namespace": "comms", + "service": "matrix-guest-register", + "port": 8080, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-guest-register" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", "source": "communication" } }, @@ -2489,7 +2584,7 @@ }, "via": { "kind": "Ingress", - "name": "othrys-synapse-matrix-synapse", + "name": "matrix-routing", "source": "communication" } }, @@ -2513,6 +2608,26 @@ "source": "monerod" } }, + { + "host": "office.bstein.dev", + "path": "/", + "backend": { + "namespace": "nextcloud", + "service": "collabora", + "port": 9980, + "workloads": [ + { + "kind": "Deployment", + "name": "collabora" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "collabora", + "source": "nextcloud" + } + }, { "host": "pegasus.bstein.dev", "path": "/", diff --git a/knowledge/catalog/atlas.yaml b/knowledge/catalog/atlas.yaml index 4b2e8bd..06e2469 100644 --- a/knowledge/catalog/atlas.yaml +++ b/knowledge/catalog/atlas.yaml @@ -10,11 +10,8 @@ sources: - name: ci-demo path: services/ci-demo targetNamespace: null -- name: comms - path: services/comms - targetNamespace: comms - name: communication - path: services/communication + path: services/comms targetNamespace: comms - name: core path: infrastructure/core @@ -207,6 +204,15 @@ workloads: hardware: rpi5 images: - ghcr.io/element-hq/matrix-authentication-service:1.8.0 +- kind: Deployment + namespace: comms + name: matrix-guest-register + labels: + app.kubernetes.io/name: matrix-guest-register + serviceAccountName: null + nodeSelector: {} + images: + - python:3.11-slim - kind: Deployment namespace: comms name: matrix-wellknown 
@@ -526,6 +532,16 @@ workloads: nodeSelector: {} images: - python:3.12-alpine +- kind: Deployment + namespace: nextcloud + name: collabora + labels: + app: collabora + serviceAccountName: null + nodeSelector: + hardware: rpi5 + images: + - collabora/code:latest - kind: Deployment namespace: nextcloud name: nextcloud @@ -935,6 +951,16 @@ services: port: 8081 targetPort: internal protocol: TCP +- namespace: comms + name: matrix-guest-register + type: ClusterIP + selector: + app.kubernetes.io/name: matrix-guest-register + ports: + - name: http + port: 8080 + targetPort: http + protocol: TCP - namespace: comms name: matrix-wellknown type: ClusterIP @@ -1214,6 +1240,16 @@ services: port: 8000 targetPort: http protocol: TCP +- namespace: nextcloud + name: collabora + type: ClusterIP + selector: + app: collabora + ports: + - name: http + port: 9980 + targetPort: http + protocol: TCP - namespace: nextcloud name: nextcloud type: ClusterIP @@ -1344,17 +1380,28 @@ http_endpoints: name: bstein-dev-home source: bstein-dev-home - host: bstein.dev - path: /.well-known/matrix + path: /.well-known/matrix/client backend: namespace: comms - service: othrys-synapse-matrix-synapse - port: 8008 + service: matrix-wellknown + port: 80 workloads: &id001 - kind: Deployment - name: othrys-synapse-matrix-synapse + name: matrix-wellknown via: kind: Ingress - name: othrys-synapse-matrix-synapse + name: matrix-wellknown-bstein-dev + source: communication +- host: bstein.dev + path: /.well-known/matrix/server + backend: + namespace: comms + service: matrix-wellknown + port: 80 + workloads: *id001 + via: + kind: Ingress + name: matrix-wellknown-bstein-dev source: communication - host: bstein.dev path: /api 
@@ -1460,26 +1507,13 @@ http_endpoints: kind: Ingress name: othrys-element-element-web source: communication -- host: live.bstein.dev - path: /.well-known/matrix - backend: - namespace: comms - service: othrys-synapse-matrix-synapse - port: 8008 - workloads: *id001 - via: - kind: Ingress - name: othrys-synapse-matrix-synapse - source: communication - host: live.bstein.dev path: /.well-known/matrix/client backend: namespace: comms service: matrix-wellknown port: 80 - workloads: &id002 - - kind: Deployment - name: matrix-wellknown + workloads: *id001 via: kind: Ingress name: matrix-wellknown @@ -1490,7 +1524,7 @@ http_endpoints: namespace: comms service: matrix-wellknown port: 80 - workloads: *id002 + workloads: *id001 via: kind: Ingress name: matrix-wellknown @@ -1501,10 +1535,12 @@ http_endpoints: namespace: comms service: othrys-synapse-matrix-synapse port: 8008 - workloads: *id001 + workloads: &id002 + - kind: Deployment + name: othrys-synapse-matrix-synapse via: kind: Ingress - name: othrys-synapse-matrix-synapse + name: matrix-routing source: communication - host: longhorn.bstein.dev path: / @@ -1541,7 +1577,7 @@ http_endpoints: name: matrix-authentication-service via: kind: Ingress - name: matrix-authentication-service + name: matrix-routing source: communication - host: matrix.live.bstein.dev path: /.well-known/matrix/client @@ -1549,7 +1585,7 @@ http_endpoints: namespace: comms service: matrix-wellknown port: 80 - workloads: *id002 + workloads: *id001 via: kind: Ingress name: matrix-wellknown-matrix-live @@ -1560,7 +1596,7 @@ http_endpoints: namespace: comms service: matrix-wellknown port: 80 - workloads: *id002 + workloads: *id001 via: kind: Ingress name: matrix-wellknown-matrix-live 
@@ -1571,10 +1607,23 @@ http_endpoints: namespace: comms service: othrys-synapse-matrix-synapse port: 8008 - workloads: *id001 + workloads: *id002 via: kind: Ingress - name: othrys-synapse-matrix-synapse + name: matrix-routing + source: communication +- host: matrix.live.bstein.dev + path: /_matrix/client/r0/register + backend: + namespace: comms + service: matrix-guest-register + port: 8080 + workloads: &id004 + - kind: Deployment + name: matrix-guest-register + via: + kind: Ingress + name: matrix-routing source: communication - host: matrix.live.bstein.dev path: /_matrix/client/v3/login @@ -1585,7 +1634,7 @@ http_endpoints: workloads: *id003 via: kind: Ingress - name: matrix-authentication-service-compat + name: matrix-routing source: communication - host: matrix.live.bstein.dev path: /_matrix/client/v3/logout @@ -1596,7 +1645,7 @@ http_endpoints: workloads: *id003 via: kind: Ingress - name: matrix-authentication-service-compat + name: matrix-routing source: communication - host: matrix.live.bstein.dev path: /_matrix/client/v3/refresh @@ -1607,7 +1656,18 @@ http_endpoints: workloads: *id003 via: kind: Ingress - name: matrix-authentication-service-compat + name: matrix-routing + source: communication +- host: matrix.live.bstein.dev + path: /_matrix/client/v3/register + backend: + namespace: comms + service: matrix-guest-register + port: 8080 + workloads: *id004 + via: + kind: Ingress + name: matrix-routing source: communication - host: matrix.live.bstein.dev path: /_synapse @@ -1615,10 +1675,10 @@ http_endpoints: namespace: comms service: othrys-synapse-matrix-synapse port: 8008 - workloads: *id001 + workloads: *id002 via: kind: Ingress - name: othrys-synapse-matrix-synapse + name: matrix-routing source: communication - host: monero.bstein.dev path: / 
@@ -1633,6 +1693,19 @@ http_endpoints: kind: Ingress name: monerod source: monerod +- host: office.bstein.dev + path: / + backend: + namespace: nextcloud + service: collabora + port: 9980 + workloads: + - kind: Deployment + name: collabora + via: + kind: Ingress + name: collabora + source: nextcloud - host: pegasus.bstein.dev path: / backend: diff --git a/knowledge/catalog/runbooks.json b/knowledge/catalog/runbooks.json index d7356ca..0718562 100644 --- a/knowledge/catalog/runbooks.json +++ b/knowledge/catalog/runbooks.json 
@@ -20,6 +20,22 @@ ], "body": "# CI: Gitea \u2192 Jenkins pipeline\n\n## What this is\nAtlas uses Gitea for source control and Jenkins for CI. Authentication is via Keycloak (SSO).\n\n## Where it is configured\n- Gitea manifests: `services/gitea/`\n- Jenkins manifests: `services/jenkins/`\n- Credential sync helpers: `scripts/gitea_cred_sync.sh`, `scripts/jenkins_cred_sync.sh`\n\n## What users do (typical flow)\n- Create a repo in Gitea.\n- Create/update a Jenkins job/pipeline that can fetch the repo.\n- Configure a webhook (or SCM polling) so pushes trigger builds.\n\n## Troubleshooting (common)\n- \u201cWebhook not firing\u201d: confirm ingress host, webhook URL, and Jenkins job is reachable.\n- \u201cAuth denied cloning\u201d: confirm Keycloak group membership and that Jenkins has a valid token/credential configured." }, + { + "path": "runbooks/comms-verify.md", + "title": "Othrys verification checklist", + "tags": [ + "comms", + "matrix", + "element", + "livekit" + ], + "entrypoints": [ + "https://live.bstein.dev", + "https://matrix.live.bstein.dev" + ], + "source_paths": [], + "body": "1) Guest join:\n- Open a private window and visit:\n `https://live.bstein.dev/#/room/#othrys:live.bstein.dev?action=join`\n- Confirm the guest join flow works and the displayname becomes `-`.\n\n2) Keycloak login:\n- Log in from `https://live.bstein.dev` and confirm MAS -> Keycloak -> Element redirect.\n\n3) Video rooms:\n- Start an Element Call room and confirm audio/video with a second account.\n- Check that guests can read public rooms but cannot start calls.\n\n4) Well-known:\n- `https://live.bstein.dev/.well-known/matrix/client` returns JSON.\n- `https://matrix.live.bstein.dev/.well-known/matrix/client` returns JSON.\n\n5) TURN reachability:\n- Confirm `turn.live.bstein.dev:3478` and `turns:5349` are reachable from WAN." + }, { "path": "runbooks/kb-authoring.md", "title": "KB authoring: what to write (and what not to)", 
diff --git a/knowledge/diagrams/atlas-http.mmd b/knowledge/diagrams/atlas-http.mmd index a6fc2b5..ddd33d8 100644 --- a/knowledge/diagrams/atlas-http.mmd +++ b/knowledge/diagrams/atlas-http.mmd @@ -9,10 +9,10 @@ flowchart LR host_bstein_dev --> svc_bstein_dev_home_bstein_dev_home_frontend wl_bstein_dev_home_bstein_dev_home_frontend["bstein-dev-home/bstein-dev-home-frontend (Deployment)"] svc_bstein_dev_home_bstein_dev_home_frontend --> wl_bstein_dev_home_bstein_dev_home_frontend - svc_comms_othrys_synapse_matrix_synapse["comms/othrys-synapse-matrix-synapse (Service)"] - host_bstein_dev --> svc_comms_othrys_synapse_matrix_synapse - wl_comms_othrys_synapse_matrix_synapse["comms/othrys-synapse-matrix-synapse (Deployment)"] - svc_comms_othrys_synapse_matrix_synapse --> wl_comms_othrys_synapse_matrix_synapse + svc_comms_matrix_wellknown["comms/matrix-wellknown (Service)"] + host_bstein_dev --> svc_comms_matrix_wellknown + wl_comms_matrix_wellknown["comms/matrix-wellknown (Deployment)"] + svc_comms_matrix_wellknown --> wl_comms_matrix_wellknown svc_bstein_dev_home_bstein_dev_home_backend["bstein-dev-home/bstein-dev-home-backend (Service)"] host_bstein_dev --> svc_bstein_dev_home_bstein_dev_home_backend wl_bstein_dev_home_bstein_dev_home_backend["bstein-dev-home/bstein-dev-home-backend (Deployment)"] 
@@ -51,11 +51,11 @@ flowchart LR host_live_bstein_dev --> svc_comms_othrys_element_element_web wl_comms_othrys_element_element_web["comms/othrys-element-element-web (Deployment)"] svc_comms_othrys_element_element_web --> wl_comms_othrys_element_element_web - host_live_bstein_dev --> svc_comms_othrys_synapse_matrix_synapse - svc_comms_matrix_wellknown["comms/matrix-wellknown (Service)"] host_live_bstein_dev --> svc_comms_matrix_wellknown - wl_comms_matrix_wellknown["comms/matrix-wellknown (Deployment)"] - svc_comms_matrix_wellknown --> wl_comms_matrix_wellknown + svc_comms_othrys_synapse_matrix_synapse["comms/othrys-synapse-matrix-synapse (Service)"] + host_live_bstein_dev --> svc_comms_othrys_synapse_matrix_synapse + wl_comms_othrys_synapse_matrix_synapse["comms/othrys-synapse-matrix-synapse (Deployment)"] + svc_comms_othrys_synapse_matrix_synapse --> wl_comms_othrys_synapse_matrix_synapse host_longhorn_bstein_dev["longhorn.bstein.dev"] svc_longhorn_system_oauth2_proxy_longhorn["longhorn-system/oauth2-proxy-longhorn (Service)"] host_longhorn_bstein_dev --> svc_longhorn_system_oauth2_proxy_longhorn 
@@ -71,11 +71,20 @@ flowchart LR svc_comms_matrix_authentication_service --> wl_comms_matrix_authentication_service host_matrix_live_bstein_dev --> svc_comms_matrix_wellknown host_matrix_live_bstein_dev --> svc_comms_othrys_synapse_matrix_synapse + svc_comms_matrix_guest_register["comms/matrix-guest-register (Service)"] + host_matrix_live_bstein_dev --> svc_comms_matrix_guest_register + wl_comms_matrix_guest_register["comms/matrix-guest-register (Deployment)"] + svc_comms_matrix_guest_register --> wl_comms_matrix_guest_register host_monero_bstein_dev["monero.bstein.dev"] svc_crypto_monerod["crypto/monerod (Service)"] host_monero_bstein_dev --> svc_crypto_monerod wl_crypto_monerod["crypto/monerod (Deployment)"] svc_crypto_monerod --> wl_crypto_monerod + host_office_bstein_dev["office.bstein.dev"] + svc_nextcloud_collabora["nextcloud/collabora (Service)"] + host_office_bstein_dev --> svc_nextcloud_collabora + wl_nextcloud_collabora["nextcloud/collabora (Deployment)"] + svc_nextcloud_collabora --> wl_nextcloud_collabora host_pegasus_bstein_dev["pegasus.bstein.dev"] svc_jellyfin_pegasus["jellyfin/pegasus (Service)"] host_pegasus_bstein_dev --> svc_jellyfin_pegasus @@ -116,8 +125,8 @@ flowchart LR wl_bstein_dev_home_chat_ai_gateway end subgraph comms[comms] - svc_comms_othrys_synapse_matrix_synapse - wl_comms_othrys_synapse_matrix_synapse + svc_comms_matrix_wellknown + wl_comms_matrix_wellknown svc_comms_element_call wl_comms_element_call svc_comms_livekit_token_service @@ -126,10 +135,12 @@ flowchart LR wl_comms_livekit svc_comms_othrys_element_element_web wl_comms_othrys_element_element_web - svc_comms_matrix_wellknown - wl_comms_matrix_wellknown + svc_comms_othrys_synapse_matrix_synapse + wl_comms_othrys_synapse_matrix_synapse svc_comms_matrix_authentication_service wl_comms_matrix_authentication_service + svc_comms_matrix_guest_register + wl_comms_matrix_guest_register end subgraph crypto[crypto] svc_crypto_monerod 
@@ -159,6 +170,8 @@ flowchart LR subgraph nextcloud[nextcloud] svc_nextcloud_nextcloud wl_nextcloud_nextcloud + svc_nextcloud_collabora + wl_nextcloud_collabora end subgraph sso[sso] svc_sso_oauth2_proxy diff --git a/knowledge/runbooks/comms-verify.md b/knowledge/runbooks/comms-verify.md new file mode 100644 index 0000000..8c09d0a --- /dev/null +++ b/knowledge/runbooks/comms-verify.md @@ -0,0 +1,30 @@ +--- +title: Othrys verification checklist +tags: + - comms + - matrix + - element + - livekit +entrypoints: + - https://live.bstein.dev + - https://matrix.live.bstein.dev +--- + +1) Guest join: +- Open a private window and visit: + `https://live.bstein.dev/#/room/#othrys:live.bstein.dev?action=join` +- Confirm the guest join flow works and the displayname becomes `-`. + +2) Keycloak login: +- Log in from `https://live.bstein.dev` and confirm MAS -> Keycloak -> Element redirect. + +3) Video rooms: +- Start an Element Call room and confirm audio/video with a second account. +- Check that guests can read public rooms but cannot start calls. + +4) Well-known: +- `https://live.bstein.dev/.well-known/matrix/client` returns JSON. +- `https://matrix.live.bstein.dev/.well-known/matrix/client` returns JSON. + +5) TURN reachability: +- Confirm `turn.live.bstein.dev:3478` and `turns:5349` are reachable from WAN. diff --git a/scripts/comms_sync_kb.sh b/scripts/comms_sync_kb.sh new file mode 100755 index 0000000..16f9332 --- /dev/null +++ b/scripts/comms_sync_kb.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +set -euo pipefail + +python scripts/knowledge_render_atlas.py --write +python scripts/knowledge_render_atlas.py --write --out services/comms/knowledge diff --git a/services/communication/atlasbot-configmap.yaml b/services/comms/atlasbot-configmap.yaml similarity index 99% rename from services/communication/atlasbot-configmap.yaml rename to services/comms/atlasbot-configmap.yaml index 672c4f4..d8e74e8 100644 --- a/services/communication/atlasbot-configmap.yaml 
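Review bot: `scripts/comms_sync_kb.sh` addresses `scripts/knowledge_render_atlas.py` and the `services/comms/knowledge` output directory relative to the working directory, so it fails (or writes to an unintended location) when run from anywhere but the repository root; add `cd "$(dirname "$0")/.."` after `set -euo pipefail`, and prefer `python3` over the bare `python`, which is not guaranteed to be a Python 3 interpreter on every host. The second invocation copies the rendered catalog — namespaces, internal Service ports, images and node selectors — into `services/comms/knowledge`, which the rest of this diff shows being committed alongside the comms manifests; which workload reads it and who can query that workload is not visible here, so confirm the audience is one that should see cluster topology.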
+++ b/services/comms/atlasbot-configmap.yaml
@@ -1,4 +1,4 @@
-# services/communication/atlasbot-configmap.yaml
+# services/comms/atlasbot-configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/services/communication/atlasbot-deployment.yaml b/services/comms/atlasbot-deployment.yaml
similarity index 98%
rename from services/communication/atlasbot-deployment.yaml
rename to services/comms/atlasbot-deployment.yaml
index 528d4b2..86e5c28 100644
--- a/services/communication/atlasbot-deployment.yaml
+++ b/services/comms/atlasbot-deployment.yaml
@@ -1,4 +1,4 @@
-# services/communication/atlasbot-deployment.yaml
+# services/comms/atlasbot-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/services/communication/atlasbot-rbac.yaml b/services/comms/atlasbot-rbac.yaml
similarity index 96%
rename from services/communication/atlasbot-rbac.yaml
rename to services/comms/atlasbot-rbac.yaml
index 59685d0..bc6623b 100644
--- a/services/communication/atlasbot-rbac.yaml
+++ b/services/comms/atlasbot-rbac.yaml
@@ -1,4 +1,4 @@
-# services/communication/atlasbot-rbac.yaml
+# services/comms/atlasbot-rbac.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/services/communication/bstein-force-leave-job.yaml b/services/comms/bstein-force-leave-job.yaml
similarity index 99%
rename from services/communication/bstein-force-leave-job.yaml
rename to services/comms/bstein-force-leave-job.yaml
index 5763290..4690aa6 100644
--- a/services/communication/bstein-force-leave-job.yaml
+++ b/services/comms/bstein-force-leave-job.yaml
@@ -1,4 +1,4 @@
-# services/communication/bstein-force-leave-job.yaml
+# services/comms/bstein-force-leave-job.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
diff --git a/services/communication/coturn.yaml b/services/comms/coturn.yaml
similarity index 99%
rename from services/communication/coturn.yaml
rename to services/comms/coturn.yaml
index 9051082..12fa78a 100644
--- a/services/communication/coturn.yaml
+++ b/services/comms/coturn.yaml
@@ -1,4 +1,4 @@
-# services/communication/coturn.yaml
+# services/comms/coturn.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/services/communication/element-call-config.yaml b/services/comms/element-call-config.yaml
similarity index 87%
rename from services/communication/element-call-config.yaml
rename to services/comms/element-call-config.yaml
index c86bbb6..85368f2 100644
--- a/services/communication/element-call-config.yaml
+++ b/services/comms/element-call-config.yaml
@@ -1,9 +1,8 @@
-# services/communication/element-call-config.yaml
+# services/comms/element-call-config.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: element-call-config
- namespace: communication
 data:
 config.json: |
 {
diff --git a/services/communication/element-call-deployment.yaml b/services/comms/element-call-deployment.yaml
similarity index 92%
rename from services/communication/element-call-deployment.yaml
rename to services/comms/element-call-deployment.yaml
index f5752ac..7f3581d 100644
--- a/services/communication/element-call-deployment.yaml
+++ b/services/comms/element-call-deployment.yaml
@@ -1,9 +1,8 @@
-# services/communication/element-call-deployment.yaml
+# services/comms/element-call-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: element-call
- namespace: communication
 labels:
 app: element-call
 spec:
@@ -41,7 +40,6 @@ apiVersion: v1
 kind: Service
 metadata:
 name: element-call
- namespace: communication
 spec:
 selector:
 app: element-call
@@ -54,7 +52,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: element-call
- namespace: communication
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
diff --git a/services/communication/element-rendered.yaml b/services/comms/element-rendered.yaml
similarity index 100%
rename from services/communication/element-rendered.yaml
rename to services/comms/element-rendered.yaml
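Review bot: Dropping `namespace: communication` from the ConfigMap in `element-call-config.yaml` and from the Deployment, Service and Ingress in `element-call-deployment.yaml` leaves these objects with no namespace of their own, so they land in `comms` only because something upstream sets it (the Flux Kustomization's `targetNamespace: comms` elsewhere in this commit). Applied any other way, for example a manual `kubectl apply -k` during an incident, they would go to the caller's current namespace unless `services/comms/kustomization.yaml`, which is outside this diff, declares `namespace: comms`; if it does not, adding that one line there keeps the directory self-describing. The old value `communication` was presumably already overridden by `targetNamespace: comms`, so the removal itself looks correct.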
diff --git a/services/communication/guest-name-job.yaml b/services/comms/guest-name-job.yaml
similarity index 99%
rename from services/communication/guest-name-job.yaml
rename to services/comms/guest-name-job.yaml
index 3e101f8..5e5a2e9 100644
--- a/services/communication/guest-name-job.yaml
+++ b/services/comms/guest-name-job.yaml
@@ -1,4 +1,4 @@
-# services/communication/guest-name-job.yaml
+# services/comms/guest-name-job.yaml
 apiVersion: batch/v1
 kind: CronJob
 metadata:
diff --git a/services/communication/guest-register-configmap.yaml b/services/comms/guest-register-configmap.yaml
similarity index 99%
rename from services/communication/guest-register-configmap.yaml
rename to services/comms/guest-register-configmap.yaml
index 804c7d7..ded54ec 100644
--- a/services/communication/guest-register-configmap.yaml
+++ b/services/comms/guest-register-configmap.yaml
@@ -1,4 +1,4 @@
-# services/communication/guest-register-configmap.yaml
+# services/comms/guest-register-configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/services/communication/guest-register-deployment.yaml b/services/comms/guest-register-deployment.yaml
similarity index 98%
rename from services/communication/guest-register-deployment.yaml
rename to services/comms/guest-register-deployment.yaml
index 00e430c..a9dd675 100644
--- a/services/communication/guest-register-deployment.yaml
+++ b/services/comms/guest-register-deployment.yaml
@@ -1,4 +1,4 @@
-# services/communication/guest-register-deployment.yaml
+# services/comms/guest-register-deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/services/communication/guest-register-service.yaml b/services/comms/guest-register-service.yaml
similarity index 84%
rename from services/communication/guest-register-service.yaml
rename to services/comms/guest-register-service.yaml
index 776e3ab..5bb740a 100644
--- a/services/communication/guest-register-service.yaml
+++ b/services/comms/guest-register-service.yaml
@@ -1,4 +1,4 @@ -# services/communication/guest-register-service.yaml +# services/comms/guest-register-service.yaml apiVersion: v1 kind: Service metadata: diff --git a/services/comms/knowledge/catalog/atlas-summary.json b/services/comms/knowledge/catalog/atlas-summary.json new file mode 100644 index 0000000..2139e29 --- /dev/null +++ b/services/comms/knowledge/catalog/atlas-summary.json @@ -0,0 +1,8 @@ +{ + "counts": { + "helmrelease_host_hints": 7, + "http_endpoints": 35, + "services": 44, + "workloads": 49 + } +} diff --git a/services/comms/knowledge/catalog/atlas.json b/services/comms/knowledge/catalog/atlas.json new file mode 100644 index 0000000..92f08f4 --- /dev/null +++ b/services/comms/knowledge/catalog/atlas.json 
@@ -0,0 +1,2771 @@ +{ + "cluster": "atlas", + "sources": [ + { + "name": "ai-llm", + "path": "services/ai-llm", + "targetNamespace": "ai" + }, + { + "name": "bstein-dev-home", + "path": "services/bstein-dev-home", + "targetNamespace": "bstein-dev-home" + }, + { + "name": "ci-demo", + "path": "services/ci-demo", + "targetNamespace": null + }, + { + "name": "communication", + "path": "services/comms", + "targetNamespace": "comms" + }, + { + "name": "core", + "path": "infrastructure/core", + "targetNamespace": null + }, + { + "name": "crypto", + "path": "services/crypto", + "targetNamespace": "crypto" + }, + { + "name": "flux-system", + "path": "clusters/atlas/flux-system", + "targetNamespace": null + }, + { + "name": "gitea", + "path": "services/gitea", + "targetNamespace": "gitea" + }, + { + "name": "gitops-ui", + "path": "services/gitops-ui", + "targetNamespace": "flux-system" + }, + { + "name": "harbor", + "path": "services/harbor", + "targetNamespace": "harbor" + }, + { + "name": "helm", + "path": "infrastructure/sources/helm", + "targetNamespace": "flux-system" + }, + { + "name": "jellyfin", + "path": "services/jellyfin", + "targetNamespace": "jellyfin" + }, + { + "name": "jenkins", + "path": "services/jenkins", + "targetNamespace": "jenkins" + }, + { + "name": "keycloak", + "path": "services/keycloak", + "targetNamespace": "sso" + }, + { + "name": "longhorn-ui", + "path": "infrastructure/longhorn/ui-ingress", + "targetNamespace": "longhorn-system" + }, + { + "name": "mailu", + "path": "services/mailu", + "targetNamespace": "mailu-mailserver" + }, + { + "name": "metallb", + "path": "infrastructure/metallb", + "targetNamespace": "metallb-system" + }, + { + "name": "monerod", + "path": "services/crypto/monerod", + "targetNamespace": "crypto" + }, + { + "name": "monitoring", + "path": "services/monitoring", + "targetNamespace": null + }, + { + "name": "nextcloud", + "path": "services/nextcloud", + "targetNamespace": "nextcloud" + }, + { + "name": 
"nextcloud-mail-sync", + "path": "services/nextcloud-mail-sync", + "targetNamespace": "nextcloud" + }, + { + "name": "oauth2-proxy", + "path": "services/oauth2-proxy", + "targetNamespace": "sso" + }, + { + "name": "openldap", + "path": "services/openldap", + "targetNamespace": "sso" + }, + { + "name": "pegasus", + "path": "services/pegasus", + "targetNamespace": "jellyfin" + }, + { + "name": "sui-metrics", + "path": "services/sui-metrics/overlays/atlas", + "targetNamespace": "sui-metrics" + }, + { + "name": "traefik", + "path": "infrastructure/traefik", + "targetNamespace": "traefik" + }, + { + "name": "vault", + "path": "services/vault", + "targetNamespace": "vault" + }, + { + "name": "vault-csi", + "path": "infrastructure/vault-csi", + "targetNamespace": "kube-system" + }, + { + "name": "vaultwarden", + "path": "services/vaultwarden", + "targetNamespace": "vaultwarden" + }, + { + "name": "xmr-miner", + "path": "services/crypto/xmr-miner", + "targetNamespace": "crypto" + } + ], + "workloads": [ + { + "kind": "Deployment", + "namespace": "ai", + "name": "ollama", + "labels": { + "app": "ollama" + }, + "serviceAccountName": null, + "nodeSelector": {}, + "images": [ + "ollama/ollama:latest" + ] + }, + { + "kind": "Deployment", + "namespace": "bstein-dev-home", + "name": "bstein-dev-home-backend", + "labels": { + "app": "bstein-dev-home-backend" + }, + "serviceAccountName": "bstein-dev-home", + "nodeSelector": { + "kubernetes.io/arch": "arm64", + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-84" + ] + }, + { + "kind": "Deployment", + "namespace": "bstein-dev-home", + "name": "bstein-dev-home-frontend", + "labels": { + "app": "bstein-dev-home-frontend" + }, + "serviceAccountName": null, + "nodeSelector": { + "kubernetes.io/arch": "arm64", + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "registry.bstein.dev/bstein/bstein-dev-home-frontend:0.1.1-84" + ] + }, + { + "kind": 
"Deployment", + "namespace": "bstein-dev-home", + "name": "chat-ai-gateway", + "labels": { + "app": "chat-ai-gateway" + }, + "serviceAccountName": null, + "nodeSelector": { + "kubernetes.io/arch": "arm64", + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "python:3.11-slim" + ] + }, + { + "kind": "Deployment", + "namespace": "ci-demo", + "name": "ci-demo", + "labels": { + "app.kubernetes.io/name": "ci-demo" + }, + "serviceAccountName": null, + "nodeSelector": { + "hardware": "rpi4" + }, + "images": [ + "registry.bstein.dev/infra/ci-demo:v0.0.0-3" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "atlasbot", + "labels": { + "app": "atlasbot" + }, + "serviceAccountName": "atlasbot", + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "python:3.11-slim" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "coturn", + "labels": { + "app": "coturn" + }, + "serviceAccountName": null, + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "ghcr.io/coturn/coturn:4.6.2" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "element-call", + "labels": { + "app": "element-call" + }, + "serviceAccountName": null, + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "ghcr.io/element-hq/element-call:latest" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "livekit", + "labels": { + "app": "livekit" + }, + "serviceAccountName": null, + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "livekit/livekit-server:v1.9.0" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "livekit-token-service", + "labels": { + "app": "livekit-token-service" + }, + "serviceAccountName": null, + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "ghcr.io/element-hq/lk-jwt-service:0.3.0" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "matrix-authentication-service", + "labels": { + "app": "matrix-authentication-service" + }, 
+ "serviceAccountName": null, + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "ghcr.io/element-hq/matrix-authentication-service:1.8.0" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "matrix-guest-register", + "labels": { + "app.kubernetes.io/name": "matrix-guest-register" + }, + "serviceAccountName": null, + "nodeSelector": {}, + "images": [ + "python:3.11-slim" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "matrix-wellknown", + "labels": { + "app": "matrix-wellknown" + }, + "serviceAccountName": null, + "nodeSelector": {}, + "images": [ + "nginx:1.27-alpine" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "othrys-element-element-web", + "labels": { + "app.kubernetes.io/instance": "othrys-element", + "app.kubernetes.io/name": "element-web" + }, + "serviceAccountName": "othrys-element-element-web", + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "ghcr.io/element-hq/element-web:v1.12.6" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "othrys-synapse-matrix-synapse", + "labels": { + "app.kubernetes.io/component": "synapse", + "app.kubernetes.io/instance": "othrys-synapse", + "app.kubernetes.io/name": "matrix-synapse" + }, + "serviceAccountName": "default", + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "ghcr.io/element-hq/synapse:v1.144.0" + ] + }, + { + "kind": "Deployment", + "namespace": "comms", + "name": "othrys-synapse-redis-master", + "labels": { + "app.kubernetes.io/component": "master", + "app.kubernetes.io/instance": "othrys-synapse", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "redis", + "helm.sh/chart": "redis-17.17.1" + }, + "serviceAccountName": "othrys-synapse-redis", + "nodeSelector": {}, + "images": [ + "docker.io/bitnamilegacy/redis:7.0.12-debian-11-r34" + ] + }, + { + "kind": "DaemonSet", + "namespace": "crypto", + "name": "monero-xmrig", + "labels": { + "app": "monero-xmrig" + }, + 
"serviceAccountName": null, + "nodeSelector": { + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "ghcr.io/tari-project/xmrig:latest" + ] + }, + { + "kind": "Deployment", + "namespace": "crypto", + "name": "monero-p2pool", + "labels": { + "app": "monero-p2pool" + }, + "serviceAccountName": null, + "nodeSelector": { + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "debian:bookworm-slim" + ] + }, + { + "kind": "Deployment", + "namespace": "crypto", + "name": "monerod", + "labels": { + "app": "monerod" + }, + "serviceAccountName": null, + "nodeSelector": { + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "registry.bstein.dev/crypto/monerod:0.18.4.1" + ] + }, + { + "kind": "Deployment", + "namespace": "flux-system", + "name": "helm-controller", + "labels": { + "app": "helm-controller", + "app.kubernetes.io/component": "helm-controller", + "app.kubernetes.io/instance": "flux-system", + "app.kubernetes.io/part-of": "flux", + "app.kubernetes.io/version": "v2.7.5" + }, + "serviceAccountName": "helm-controller", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "images": [ + "ghcr.io/fluxcd/helm-controller:v1.4.5" + ] + }, + { + "kind": "Deployment", + "namespace": "flux-system", + "name": "image-automation-controller", + "labels": { + "app": "image-automation-controller", + "app.kubernetes.io/component": "image-automation-controller", + "app.kubernetes.io/instance": "flux-system", + "app.kubernetes.io/part-of": "flux", + "app.kubernetes.io/version": "v2.7.5" + }, + "serviceAccountName": "image-automation-controller", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "images": [ + "ghcr.io/fluxcd/image-automation-controller:v1.0.4" + ] + }, + { + "kind": "Deployment", + "namespace": "flux-system", + "name": "image-reflector-controller", + "labels": { + "app": "image-reflector-controller", + "app.kubernetes.io/component": "image-reflector-controller", + "app.kubernetes.io/instance": "flux-system", + 
"app.kubernetes.io/part-of": "flux", + "app.kubernetes.io/version": "v2.7.5" + }, + "serviceAccountName": "image-reflector-controller", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "images": [ + "ghcr.io/fluxcd/image-reflector-controller:v1.0.4" + ] + }, + { + "kind": "Deployment", + "namespace": "flux-system", + "name": "kustomize-controller", + "labels": { + "app": "kustomize-controller", + "app.kubernetes.io/component": "kustomize-controller", + "app.kubernetes.io/instance": "flux-system", + "app.kubernetes.io/part-of": "flux", + "app.kubernetes.io/version": "v2.7.5" + }, + "serviceAccountName": "kustomize-controller", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "images": [ + "ghcr.io/fluxcd/kustomize-controller:v1.7.3" + ] + }, + { + "kind": "Deployment", + "namespace": "flux-system", + "name": "notification-controller", + "labels": { + "app": "notification-controller", + "app.kubernetes.io/component": "notification-controller", + "app.kubernetes.io/instance": "flux-system", + "app.kubernetes.io/part-of": "flux", + "app.kubernetes.io/version": "v2.7.5" + }, + "serviceAccountName": "notification-controller", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "images": [ + "ghcr.io/fluxcd/notification-controller:v1.7.5" + ] + }, + { + "kind": "Deployment", + "namespace": "flux-system", + "name": "source-controller", + "labels": { + "app": "source-controller", + "app.kubernetes.io/component": "source-controller", + "app.kubernetes.io/instance": "flux-system", + "app.kubernetes.io/part-of": "flux", + "app.kubernetes.io/version": "v2.7.5" + }, + "serviceAccountName": "source-controller", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "images": [ + "ghcr.io/fluxcd/source-controller:v1.7.4" + ] + }, + { + "kind": "Deployment", + "namespace": "gitea", + "name": "gitea", + "labels": { + "app": "gitea" + }, + "serviceAccountName": null, + "nodeSelector": { + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + 
"gitea/gitea:1.23" + ] + }, + { + "kind": "Deployment", + "namespace": "jellyfin", + "name": "jellyfin", + "labels": { + "app": "jellyfin" + }, + "serviceAccountName": null, + "nodeSelector": {}, + "images": [ + "docker.io/jellyfin/jellyfin:10.11.5" + ] + }, + { + "kind": "Deployment", + "namespace": "jellyfin", + "name": "pegasus", + "labels": { + "app": "pegasus" + }, + "serviceAccountName": null, + "nodeSelector": { + "kubernetes.io/arch": "arm64", + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "alpine:3.20", + "registry.bstein.dev/streaming/pegasus:1.2.32" + ] + }, + { + "kind": "Deployment", + "namespace": "jenkins", + "name": "jenkins", + "labels": { + "app": "jenkins" + }, + "serviceAccountName": "jenkins", + "nodeSelector": { + "kubernetes.io/arch": "arm64", + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "jenkins/jenkins:2.528.3-jdk21" + ] + }, + { + "kind": "DaemonSet", + "namespace": "kube-system", + "name": "nvidia-device-plugin-jetson", + "labels": { + "app.kubernetes.io/instance": "jetson", + "app.kubernetes.io/name": "nvidia-device-plugin" + }, + "serviceAccountName": null, + "nodeSelector": { + "jetson": "true", + "kubernetes.io/arch": "arm64" + }, + "images": [ + "nvcr.io/nvidia/k8s-device-plugin:v0.16.2" + ] + }, + { + "kind": "DaemonSet", + "namespace": "kube-system", + "name": "nvidia-device-plugin-minipc", + "labels": { + "app.kubernetes.io/instance": "titan22", + "app.kubernetes.io/name": "nvidia-device-plugin" + }, + "serviceAccountName": null, + "nodeSelector": { + "kubernetes.io/arch": "amd64", + "kubernetes.io/hostname": "titan-22" + }, + "images": [ + "nvcr.io/nvidia/k8s-device-plugin:v0.16.2" + ] + }, + { + "kind": "DaemonSet", + "namespace": "kube-system", + "name": "nvidia-device-plugin-tethys", + "labels": { + "app.kubernetes.io/instance": "titan24", + "app.kubernetes.io/name": "nvidia-device-plugin" + }, + "serviceAccountName": null, + "nodeSelector": { + "kubernetes.io/arch": "amd64", + 
"kubernetes.io/hostname": "titan-24" + }, + "images": [ + "nvcr.io/nvidia/k8s-device-plugin:v0.16.2" + ] + }, + { + "kind": "DaemonSet", + "namespace": "kube-system", + "name": "vault-csi-provider", + "labels": { + "app.kubernetes.io/name": "vault-csi-provider" + }, + "serviceAccountName": "vault-csi-provider", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "images": [ + "hashicorp/vault-csi-provider:1.7.0" + ] + }, + { + "kind": "Deployment", + "namespace": "longhorn-system", + "name": "oauth2-proxy-longhorn", + "labels": { + "app": "oauth2-proxy-longhorn" + }, + "serviceAccountName": null, + "nodeSelector": { + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "quay.io/oauth2-proxy/oauth2-proxy:v7.6.0" + ] + }, + { + "kind": "DaemonSet", + "namespace": "mailu-mailserver", + "name": "vip-controller", + "labels": { + "app": "vip-controller" + }, + "serviceAccountName": "vip-controller", + "nodeSelector": { + "mailu.bstein.dev/vip": "true" + }, + "images": [ + "lachlanevenson/k8s-kubectl:latest" + ] + }, + { + "kind": "Deployment", + "namespace": "mailu-mailserver", + "name": "mailu-sync-listener", + "labels": { + "app": "mailu-sync-listener" + }, + "serviceAccountName": null, + "nodeSelector": {}, + "images": [ + "python:3.11-alpine" + ] + }, + { + "kind": "DaemonSet", + "namespace": "metallb-system", + "name": "metallb-speaker", + "labels": { + "app.kubernetes.io/component": "speaker", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb" + }, + "serviceAccountName": "metallb-speaker", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "images": [ + "quay.io/frrouting/frr:10.4.1", + "quay.io/metallb/speaker:v0.15.3" + ] + }, + { + "kind": "Deployment", + "namespace": "metallb-system", + "name": "metallb-controller", + "labels": { + "app.kubernetes.io/component": "controller", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb" + }, + "serviceAccountName": "metallb-controller", + 
"nodeSelector": { + "kubernetes.io/os": "linux" + }, + "images": [ + "quay.io/metallb/controller:v0.15.3" + ] + }, + { + "kind": "DaemonSet", + "namespace": "monitoring", + "name": "dcgm-exporter", + "labels": { + "app": "dcgm-exporter" + }, + "serviceAccountName": "default", + "nodeSelector": {}, + "images": [ + "registry.bstein.dev/monitoring/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04" + ] + }, + { + "kind": "Deployment", + "namespace": "monitoring", + "name": "postmark-exporter", + "labels": { + "app": "postmark-exporter" + }, + "serviceAccountName": null, + "nodeSelector": {}, + "images": [ + "python:3.12-alpine" + ] + }, + { + "kind": "Deployment", + "namespace": "nextcloud", + "name": "collabora", + "labels": { + "app": "collabora" + }, + "serviceAccountName": null, + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "collabora/code:latest" + ] + }, + { + "kind": "Deployment", + "namespace": "nextcloud", + "name": "nextcloud", + "labels": { + "app": "nextcloud" + }, + "serviceAccountName": null, + "nodeSelector": { + "hardware": "rpi5" + }, + "images": [ + "nextcloud:29-apache" + ] + }, + { + "kind": "Deployment", + "namespace": "sso", + "name": "keycloak", + "labels": { + "app": "keycloak" + }, + "serviceAccountName": null, + "nodeSelector": {}, + "images": [ + "quay.io/keycloak/keycloak:26.0.7" + ] + }, + { + "kind": "Deployment", + "namespace": "sso", + "name": "oauth2-proxy", + "labels": { + "app": "oauth2-proxy" + }, + "serviceAccountName": null, + "nodeSelector": { + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "quay.io/oauth2-proxy/oauth2-proxy:v7.6.0" + ] + }, + { + "kind": "StatefulSet", + "namespace": "sso", + "name": "openldap", + "labels": { + "app": "openldap" + }, + "serviceAccountName": null, + "nodeSelector": { + "kubernetes.io/arch": "arm64", + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "docker.io/osixia/openldap:1.5.0" + ] + }, + { + "kind": "Deployment", + "namespace": "sui-metrics", + "name": 
"sui-metrics", + "labels": { + "app": "sui-metrics" + }, + "serviceAccountName": "sui-metrics", + "nodeSelector": { + "kubernetes.io/hostname": "titan-24" + }, + "images": [ + "victoriametrics/vmagent:v1.103.0" + ] + }, + { + "kind": "Deployment", + "namespace": "traefik", + "name": "traefik", + "labels": { + "app": "traefik" + }, + "serviceAccountName": "traefik-ingress-controller", + "nodeSelector": { + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "traefik:v3.3.3" + ] + }, + { + "kind": "StatefulSet", + "namespace": "vault", + "name": "vault", + "labels": { + "app": "vault" + }, + "serviceAccountName": "vault", + "nodeSelector": { + "kubernetes.io/arch": "arm64", + "node-role.kubernetes.io/worker": "true" + }, + "images": [ + "hashicorp/vault:1.17.6" + ] + }, + { + "kind": "Deployment", + "namespace": "vaultwarden", + "name": "vaultwarden", + "labels": { + "app": "vaultwarden" + }, + "serviceAccountName": null, + "nodeSelector": {}, + "images": [ + "vaultwarden/server:1.33.2" + ] + } + ], + "services": [ + { + "namespace": "ai", + "name": "ollama", + "type": "ClusterIP", + "selector": { + "app": "ollama" + }, + "ports": [ + { + "name": "http", + "port": 11434, + "targetPort": 11434, + "protocol": "TCP" + } + ] + }, + { + "namespace": "bstein-dev-home", + "name": "bstein-dev-home-backend", + "type": "ClusterIP", + "selector": { + "app": "bstein-dev-home-backend" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 8080, + "protocol": "TCP" + } + ] + }, + { + "namespace": "bstein-dev-home", + "name": "bstein-dev-home-frontend", + "type": "ClusterIP", + "selector": { + "app": "bstein-dev-home-frontend" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 80, + "protocol": "TCP" + } + ] + }, + { + "namespace": "bstein-dev-home", + "name": "chat-ai-gateway", + "type": "ClusterIP", + "selector": { + "app": "chat-ai-gateway" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 8080, + "protocol": "TCP" 
+ } + ] + }, + { + "namespace": "ci-demo", + "name": "ci-demo", + "type": "ClusterIP", + "selector": { + "app.kubernetes.io/name": "ci-demo" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": "coturn", + "type": "LoadBalancer", + "selector": { + "app": "coturn" + }, + "ports": [ + { + "name": "turn-udp", + "port": 3478, + "targetPort": 3478, + "protocol": "UDP" + }, + { + "name": "turn-tcp", + "port": 3478, + "targetPort": 3478, + "protocol": "TCP" + }, + { + "name": "turn-tls", + "port": 5349, + "targetPort": 5349, + "protocol": "TCP" + }, + { + "name": "relay-50000", + "port": 50000, + "targetPort": 50000, + "protocol": "UDP" + }, + { + "name": "relay-50001", + "port": 50001, + "targetPort": 50001, + "protocol": "UDP" + }, + { + "name": "relay-50002", + "port": 50002, + "targetPort": 50002, + "protocol": "UDP" + }, + { + "name": "relay-50003", + "port": 50003, + "targetPort": 50003, + "protocol": "UDP" + }, + { + "name": "relay-50004", + "port": 50004, + "targetPort": 50004, + "protocol": "UDP" + }, + { + "name": "relay-50005", + "port": 50005, + "targetPort": 50005, + "protocol": "UDP" + }, + { + "name": "relay-50006", + "port": 50006, + "targetPort": 50006, + "protocol": "UDP" + }, + { + "name": "relay-50007", + "port": 50007, + "targetPort": 50007, + "protocol": "UDP" + }, + { + "name": "relay-50008", + "port": 50008, + "targetPort": 50008, + "protocol": "UDP" + }, + { + "name": "relay-50009", + "port": 50009, + "targetPort": 50009, + "protocol": "UDP" + }, + { + "name": "relay-50010", + "port": 50010, + "targetPort": 50010, + "protocol": "UDP" + }, + { + "name": "relay-50011", + "port": 50011, + "targetPort": 50011, + "protocol": "UDP" + }, + { + "name": "relay-50012", + "port": 50012, + "targetPort": 50012, + "protocol": "UDP" + }, + { + "name": "relay-50013", + "port": 50013, + "targetPort": 50013, + "protocol": "UDP" + }, + { + "name": "relay-50014", + "port": 
50014, + "targetPort": 50014, + "protocol": "UDP" + }, + { + "name": "relay-50015", + "port": 50015, + "targetPort": 50015, + "protocol": "UDP" + }, + { + "name": "relay-50016", + "port": 50016, + "targetPort": 50016, + "protocol": "UDP" + }, + { + "name": "relay-50017", + "port": 50017, + "targetPort": 50017, + "protocol": "UDP" + }, + { + "name": "relay-50018", + "port": 50018, + "targetPort": 50018, + "protocol": "UDP" + }, + { + "name": "relay-50019", + "port": 50019, + "targetPort": 50019, + "protocol": "UDP" + }, + { + "name": "relay-50020", + "port": 50020, + "targetPort": 50020, + "protocol": "UDP" + }, + { + "name": "relay-50021", + "port": 50021, + "targetPort": 50021, + "protocol": "UDP" + }, + { + "name": "relay-50022", + "port": 50022, + "targetPort": 50022, + "protocol": "UDP" + }, + { + "name": "relay-50023", + "port": 50023, + "targetPort": 50023, + "protocol": "UDP" + }, + { + "name": "relay-50024", + "port": 50024, + "targetPort": 50024, + "protocol": "UDP" + }, + { + "name": "relay-50025", + "port": 50025, + "targetPort": 50025, + "protocol": "UDP" + }, + { + "name": "relay-50026", + "port": 50026, + "targetPort": 50026, + "protocol": "UDP" + }, + { + "name": "relay-50027", + "port": 50027, + "targetPort": 50027, + "protocol": "UDP" + }, + { + "name": "relay-50028", + "port": 50028, + "targetPort": 50028, + "protocol": "UDP" + }, + { + "name": "relay-50029", + "port": 50029, + "targetPort": 50029, + "protocol": "UDP" + }, + { + "name": "relay-50030", + "port": 50030, + "targetPort": 50030, + "protocol": "UDP" + }, + { + "name": "relay-50031", + "port": 50031, + "targetPort": 50031, + "protocol": "UDP" + }, + { + "name": "relay-50032", + "port": 50032, + "targetPort": 50032, + "protocol": "UDP" + }, + { + "name": "relay-50033", + "port": 50033, + "targetPort": 50033, + "protocol": "UDP" + }, + { + "name": "relay-50034", + "port": 50034, + "targetPort": 50034, + "protocol": "UDP" + }, + { + "name": "relay-50035", + "port": 50035, + "targetPort": 
50035, + "protocol": "UDP" + }, + { + "name": "relay-50036", + "port": 50036, + "targetPort": 50036, + "protocol": "UDP" + }, + { + "name": "relay-50037", + "port": 50037, + "targetPort": 50037, + "protocol": "UDP" + }, + { + "name": "relay-50038", + "port": 50038, + "targetPort": 50038, + "protocol": "UDP" + }, + { + "name": "relay-50039", + "port": 50039, + "targetPort": 50039, + "protocol": "UDP" + }, + { + "name": "relay-50040", + "port": 50040, + "targetPort": 50040, + "protocol": "UDP" + }, + { + "name": "relay-50041", + "port": 50041, + "targetPort": 50041, + "protocol": "UDP" + }, + { + "name": "relay-50042", + "port": 50042, + "targetPort": 50042, + "protocol": "UDP" + }, + { + "name": "relay-50043", + "port": 50043, + "targetPort": 50043, + "protocol": "UDP" + }, + { + "name": "relay-50044", + "port": 50044, + "targetPort": 50044, + "protocol": "UDP" + }, + { + "name": "relay-50045", + "port": 50045, + "targetPort": 50045, + "protocol": "UDP" + }, + { + "name": "relay-50046", + "port": 50046, + "targetPort": 50046, + "protocol": "UDP" + }, + { + "name": "relay-50047", + "port": 50047, + "targetPort": 50047, + "protocol": "UDP" + }, + { + "name": "relay-50048", + "port": 50048, + "targetPort": 50048, + "protocol": "UDP" + }, + { + "name": "relay-50049", + "port": 50049, + "targetPort": 50049, + "protocol": "UDP" + }, + { + "name": "relay-50050", + "port": 50050, + "targetPort": 50050, + "protocol": "UDP" + } + ] + }, + { + "namespace": "comms", + "name": "element-call", + "type": "ClusterIP", + "selector": { + "app": "element-call" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 8080, + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": "livekit", + "type": "LoadBalancer", + "selector": { + "app": "livekit" + }, + "ports": [ + { + "name": "http", + "port": 7880, + "targetPort": 7880, + "protocol": "TCP" + }, + { + "name": "rtc-tcp", + "port": 7881, + "targetPort": 7881, + "protocol": "TCP" + }, + { + "name": 
"rtc-udp-7882", + "port": 7882, + "targetPort": 7882, + "protocol": "UDP" + }, + { + "name": "rtc-udp-7883", + "port": 7883, + "targetPort": 7883, + "protocol": "UDP" + } + ] + }, + { + "namespace": "comms", + "name": "livekit-token-service", + "type": "ClusterIP", + "selector": { + "app": "livekit-token-service" + }, + "ports": [ + { + "name": "http", + "port": 8080, + "targetPort": 8080, + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": "matrix-authentication-service", + "type": "ClusterIP", + "selector": { + "app": "matrix-authentication-service" + }, + "ports": [ + { + "name": "http", + "port": 8080, + "targetPort": "http", + "protocol": "TCP" + }, + { + "name": "internal", + "port": 8081, + "targetPort": "internal", + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": "matrix-guest-register", + "type": "ClusterIP", + "selector": { + "app.kubernetes.io/name": "matrix-guest-register" + }, + "ports": [ + { + "name": "http", + "port": 8080, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": "matrix-wellknown", + "type": "ClusterIP", + "selector": { + "app": "matrix-wellknown" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 80, + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": "othrys-element-element-web", + "type": "ClusterIP", + "selector": { + "app.kubernetes.io/instance": "othrys-element", + "app.kubernetes.io/name": "element-web" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": "othrys-synapse-matrix-synapse", + "type": "ClusterIP", + "selector": { + "app.kubernetes.io/component": "synapse", + "app.kubernetes.io/instance": "othrys-synapse", + "app.kubernetes.io/name": "matrix-synapse" + }, + "ports": [ + { + "name": "http", + "port": 8008, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": 
"othrys-synapse-redis-headless", + "type": "ClusterIP", + "selector": { + "app.kubernetes.io/instance": "othrys-synapse", + "app.kubernetes.io/name": "redis" + }, + "ports": [ + { + "name": "tcp-redis", + "port": 6379, + "targetPort": "redis", + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": "othrys-synapse-redis-master", + "type": "ClusterIP", + "selector": { + "app.kubernetes.io/component": "master", + "app.kubernetes.io/instance": "othrys-synapse", + "app.kubernetes.io/name": "redis" + }, + "ports": [ + { + "name": "tcp-redis", + "port": 6379, + "targetPort": "redis", + "protocol": "TCP" + } + ] + }, + { + "namespace": "comms", + "name": "othrys-synapse-replication", + "type": "ClusterIP", + "selector": { + "app.kubernetes.io/component": "synapse", + "app.kubernetes.io/instance": "othrys-synapse", + "app.kubernetes.io/name": "matrix-synapse" + }, + "ports": [ + { + "name": "replication", + "port": 9093, + "targetPort": "replication", + "protocol": "TCP" + } + ] + }, + { + "namespace": "crypto", + "name": "monerod", + "type": "ClusterIP", + "selector": { + "app": "monerod" + }, + "ports": [ + { + "name": "rpc", + "port": 18081, + "targetPort": 18081, + "protocol": "TCP" + }, + { + "name": "p2p", + "port": 18080, + "targetPort": 18080, + "protocol": "TCP" + }, + { + "name": "zmq", + "port": 18083, + "targetPort": 18083, + "protocol": "TCP" + } + ] + }, + { + "namespace": "crypto", + "name": "p2pool", + "type": "ClusterIP", + "selector": { + "app": "p2pool" + }, + "ports": [ + { + "name": "stratum", + "port": 3333, + "targetPort": 3333, + "protocol": "TCP" + } + ] + }, + { + "namespace": "flux-system", + "name": "notification-controller", + "type": "ClusterIP", + "selector": { + "app": "notification-controller" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "flux-system", + "name": "source-controller", + "type": "ClusterIP", + "selector": { + "app": 
"source-controller" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "flux-system", + "name": "webhook-receiver", + "type": "ClusterIP", + "selector": { + "app": "notification-controller" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": "http-webhook", + "protocol": "TCP" + } + ] + }, + { + "namespace": "gitea", + "name": "gitea", + "type": "ClusterIP", + "selector": { + "app": "gitea" + }, + "ports": [ + { + "name": "http", + "port": 3000, + "targetPort": 3000, + "protocol": "TCP" + } + ] + }, + { + "namespace": "gitea", + "name": "gitea-ssh", + "type": "NodePort", + "selector": { + "app": "gitea" + }, + "ports": [ + { + "name": "ssh", + "port": 2242, + "targetPort": 2242, + "protocol": "TCP" + } + ] + }, + { + "namespace": "jellyfin", + "name": "jellyfin", + "type": "ClusterIP", + "selector": { + "app": "jellyfin" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 8096, + "protocol": "TCP" + } + ] + }, + { + "namespace": "jellyfin", + "name": "pegasus", + "type": "ClusterIP", + "selector": { + "app": "pegasus" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "jenkins", + "name": "jenkins", + "type": "ClusterIP", + "selector": { + "app": "jenkins" + }, + "ports": [ + { + "name": "http", + "port": 8080, + "targetPort": 8080, + "protocol": "TCP" + }, + { + "name": "agent-listener", + "port": 50000, + "targetPort": 50000, + "protocol": "TCP" + } + ] + }, + { + "namespace": "kube-system", + "name": "traefik", + "type": "LoadBalancer", + "selector": { + "app.kubernetes.io/instance": "traefik-kube-system", + "app.kubernetes.io/name": "traefik" + }, + "ports": [ + { + "name": "web", + "port": 80, + "targetPort": "web", + "protocol": "TCP" + }, + { + "name": "websecure", + "port": 443, + "targetPort": "websecure", + "protocol": "TCP" + } + ] + }, + { + "namespace": 
"longhorn-system", + "name": "oauth2-proxy-longhorn", + "type": "ClusterIP", + "selector": { + "app": "oauth2-proxy-longhorn" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 4180, + "protocol": "TCP" + } + ] + }, + { + "namespace": "mailu-mailserver", + "name": "mailu-front-lb", + "type": "LoadBalancer", + "selector": { + "app.kubernetes.io/component": "front", + "app.kubernetes.io/instance": "mailu", + "app.kubernetes.io/name": "mailu" + }, + "ports": [ + { + "name": "smtp", + "port": 25, + "targetPort": 25, + "protocol": "TCP" + }, + { + "name": "smtps", + "port": 465, + "targetPort": 465, + "protocol": "TCP" + }, + { + "name": "submission", + "port": 587, + "targetPort": 587, + "protocol": "TCP" + }, + { + "name": "imaps", + "port": 993, + "targetPort": 993, + "protocol": "TCP" + }, + { + "name": "pop3s", + "port": 995, + "targetPort": 995, + "protocol": "TCP" + }, + { + "name": "sieve", + "port": 4190, + "targetPort": 4190, + "protocol": "TCP" + } + ] + }, + { + "namespace": "mailu-mailserver", + "name": "mailu-sync-listener", + "type": "ClusterIP", + "selector": { + "app": "mailu-sync-listener" + }, + "ports": [ + { + "name": "http", + "port": 8080, + "targetPort": 8080, + "protocol": "TCP" + } + ] + }, + { + "namespace": "metallb-system", + "name": "metallb-webhook-service", + "type": "ClusterIP", + "selector": { + "app.kubernetes.io/component": "controller", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb" + }, + "ports": [ + { + "name": null, + "port": 443, + "targetPort": 9443, + "protocol": "TCP" + } + ] + }, + { + "namespace": "monitoring", + "name": "dcgm-exporter", + "type": "ClusterIP", + "selector": { + "app": "dcgm-exporter" + }, + "ports": [ + { + "name": "metrics", + "port": 9400, + "targetPort": "metrics", + "protocol": "TCP" + } + ] + }, + { + "namespace": "monitoring", + "name": "postmark-exporter", + "type": "ClusterIP", + "selector": { + "app": "postmark-exporter" + }, + "ports": [ + { + 
"name": "http", + "port": 8000, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "nextcloud", + "name": "collabora", + "type": "ClusterIP", + "selector": { + "app": "collabora" + }, + "ports": [ + { + "name": "http", + "port": 9980, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "nextcloud", + "name": "nextcloud", + "type": "ClusterIP", + "selector": { + "app": "nextcloud" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "sso", + "name": "keycloak", + "type": "ClusterIP", + "selector": { + "app": "keycloak" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": "http", + "protocol": "TCP" + } + ] + }, + { + "namespace": "sso", + "name": "oauth2-proxy", + "type": "ClusterIP", + "selector": { + "app": "oauth2-proxy" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": 4180, + "protocol": "TCP" + } + ] + }, + { + "namespace": "sso", + "name": "openldap", + "type": "ClusterIP", + "selector": { + "app": "openldap" + }, + "ports": [ + { + "name": "ldap", + "port": 389, + "targetPort": "ldap", + "protocol": "TCP" + }, + { + "name": "ldaps", + "port": 636, + "targetPort": "ldaps", + "protocol": "TCP" + } + ] + }, + { + "namespace": "sui-metrics", + "name": "sui-metrics", + "type": "ClusterIP", + "selector": { + "app": "sui-metrics" + }, + "ports": [ + { + "name": "http", + "port": 8429, + "targetPort": 8429, + "protocol": "TCP" + } + ] + }, + { + "namespace": "traefik", + "name": "traefik-metrics", + "type": "ClusterIP", + "selector": { + "app": "traefik" + }, + "ports": [ + { + "name": "metrics", + "port": 9100, + "targetPort": "metrics", + "protocol": "TCP" + } + ] + }, + { + "namespace": "vault", + "name": "vault", + "type": "ClusterIP", + "selector": { + "app": "vault" + }, + "ports": [ + { + "name": "api", + "port": 8200, + "targetPort": 8200, + "protocol": "TCP" + }, + { + "name": "cluster", + "port": 
8201, + "targetPort": 8201, + "protocol": "TCP" + } + ] + }, + { + "namespace": "vault", + "name": "vault-internal", + "type": "ClusterIP", + "selector": { + "app": "vault" + }, + "ports": [ + { + "name": "api", + "port": 8200, + "targetPort": 8200, + "protocol": "TCP" + }, + { + "name": "cluster", + "port": 8201, + "targetPort": 8201, + "protocol": "TCP" + } + ] + }, + { + "namespace": "vaultwarden", + "name": "vaultwarden-service", + "type": "ClusterIP", + "selector": { + "app": "vaultwarden" + }, + "ports": [ + { + "name": "http", + "port": 80, + "targetPort": "http", + "protocol": "TCP" + } + ] + } + ], + "http_endpoints": [ + { + "host": "auth.bstein.dev", + "path": "/", + "backend": { + "namespace": "sso", + "service": "oauth2-proxy", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "oauth2-proxy" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "oauth2-proxy", + "source": "oauth2-proxy" + } + }, + { + "host": "bstein.dev", + "path": "/", + "backend": { + "namespace": "bstein-dev-home", + "service": "bstein-dev-home-frontend", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "bstein-dev-home-frontend" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "bstein-dev-home", + "source": "bstein-dev-home" + } + }, + { + "host": "bstein.dev", + "path": "/.well-known/matrix/client", + "backend": { + "namespace": "comms", + "service": "matrix-wellknown", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-wellknown" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-wellknown-bstein-dev", + "source": "communication" + } + }, + { + "host": "bstein.dev", + "path": "/.well-known/matrix/server", + "backend": { + "namespace": "comms", + "service": "matrix-wellknown", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-wellknown" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-wellknown-bstein-dev", + "source": "communication" + } + }, + { + "host": 
"bstein.dev", + "path": "/api", + "backend": { + "namespace": "bstein-dev-home", + "service": "bstein-dev-home-backend", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "bstein-dev-home-backend" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "bstein-dev-home", + "source": "bstein-dev-home" + } + }, + { + "host": "call.live.bstein.dev", + "path": "/", + "backend": { + "namespace": "comms", + "service": "element-call", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "element-call" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "element-call", + "source": "communication" + } + }, + { + "host": "chat.ai.bstein.dev", + "path": "/", + "backend": { + "namespace": "bstein-dev-home", + "service": "chat-ai-gateway", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "chat-ai-gateway" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "bstein-dev-home", + "source": "bstein-dev-home" + } + }, + { + "host": "ci.bstein.dev", + "path": "/", + "backend": { + "namespace": "jenkins", + "service": "jenkins", + "port": "http", + "workloads": [ + { + "kind": "Deployment", + "name": "jenkins" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "jenkins", + "source": "jenkins" + } + }, + { + "host": "cloud.bstein.dev", + "path": "/", + "backend": { + "namespace": "nextcloud", + "service": "nextcloud", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "nextcloud" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "nextcloud", + "source": "nextcloud" + } + }, + { + "host": "kit.live.bstein.dev", + "path": "/livekit/jwt", + "backend": { + "namespace": "comms", + "service": "livekit-token-service", + "port": 8080, + "workloads": [ + { + "kind": "Deployment", + "name": "livekit-token-service" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "livekit-jwt-ingress", + "source": "communication" + } + }, + { + "host": "kit.live.bstein.dev", + "path": "/livekit/sfu", + "backend": { + 
"namespace": "comms", + "service": "livekit", + "port": 7880, + "workloads": [ + { + "kind": "Deployment", + "name": "livekit" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "livekit-ingress", + "source": "communication" + } + }, + { + "host": "live.bstein.dev", + "path": "/", + "backend": { + "namespace": "comms", + "service": "othrys-element-element-web", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "othrys-element-element-web" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "othrys-element-element-web", + "source": "communication" + } + }, + { + "host": "live.bstein.dev", + "path": "/.well-known/matrix/client", + "backend": { + "namespace": "comms", + "service": "matrix-wellknown", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-wellknown" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-wellknown", + "source": "communication" + } + }, + { + "host": "live.bstein.dev", + "path": "/.well-known/matrix/server", + "backend": { + "namespace": "comms", + "service": "matrix-wellknown", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-wellknown" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-wellknown", + "source": "communication" + } + }, + { + "host": "live.bstein.dev", + "path": "/_matrix", + "backend": { + "namespace": "comms", + "service": "othrys-synapse-matrix-synapse", + "port": 8008, + "workloads": [ + { + "kind": "Deployment", + "name": "othrys-synapse-matrix-synapse" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "longhorn.bstein.dev", + "path": "/", + "backend": { + "namespace": "longhorn-system", + "service": "oauth2-proxy-longhorn", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "oauth2-proxy-longhorn" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "longhorn-ingress", + "source": "longhorn-ui" + } + }, + { + "host": 
"mail.bstein.dev", + "path": "/", + "backend": { + "namespace": "mailu-mailserver", + "service": "mailu-front", + "port": 443, + "workloads": [] + }, + "via": { + "kind": "IngressRoute", + "name": "mailu", + "source": "mailu" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/", + "backend": { + "namespace": "comms", + "service": "matrix-authentication-service", + "port": 8080, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-authentication-service" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/.well-known/matrix/client", + "backend": { + "namespace": "comms", + "service": "matrix-wellknown", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-wellknown" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-wellknown-matrix-live", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/.well-known/matrix/server", + "backend": { + "namespace": "comms", + "service": "matrix-wellknown", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-wellknown" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-wellknown-matrix-live", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/_matrix", + "backend": { + "namespace": "comms", + "service": "othrys-synapse-matrix-synapse", + "port": 8008, + "workloads": [ + { + "kind": "Deployment", + "name": "othrys-synapse-matrix-synapse" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/_matrix/client/r0/register", + "backend": { + "namespace": "comms", + "service": "matrix-guest-register", + "port": 8080, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-guest-register" + } + ] + }, + "via": { + "kind": "Ingress", + "name": 
"matrix-routing", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/_matrix/client/v3/login", + "backend": { + "namespace": "comms", + "service": "matrix-authentication-service", + "port": 8080, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-authentication-service" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/_matrix/client/v3/logout", + "backend": { + "namespace": "comms", + "service": "matrix-authentication-service", + "port": 8080, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-authentication-service" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/_matrix/client/v3/refresh", + "backend": { + "namespace": "comms", + "service": "matrix-authentication-service", + "port": 8080, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-authentication-service" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/_matrix/client/v3/register", + "backend": { + "namespace": "comms", + "service": "matrix-guest-register", + "port": 8080, + "workloads": [ + { + "kind": "Deployment", + "name": "matrix-guest-register" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "matrix.live.bstein.dev", + "path": "/_synapse", + "backend": { + "namespace": "comms", + "service": "othrys-synapse-matrix-synapse", + "port": 8008, + "workloads": [ + { + "kind": "Deployment", + "name": "othrys-synapse-matrix-synapse" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "matrix-routing", + "source": "communication" + } + }, + { + "host": "monero.bstein.dev", + "path": "/", + "backend": { + "namespace": "crypto", 
+ "service": "monerod", + "port": 18081, + "workloads": [ + { + "kind": "Deployment", + "name": "monerod" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "monerod", + "source": "monerod" + } + }, + { + "host": "office.bstein.dev", + "path": "/", + "backend": { + "namespace": "nextcloud", + "service": "collabora", + "port": 9980, + "workloads": [ + { + "kind": "Deployment", + "name": "collabora" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "collabora", + "source": "nextcloud" + } + }, + { + "host": "pegasus.bstein.dev", + "path": "/", + "backend": { + "namespace": "jellyfin", + "service": "pegasus", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "pegasus" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "pegasus", + "source": "pegasus" + } + }, + { + "host": "scm.bstein.dev", + "path": "/", + "backend": { + "namespace": "gitea", + "service": "gitea", + "port": 3000, + "workloads": [ + { + "kind": "Deployment", + "name": "gitea" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "gitea-ingress", + "source": "gitea" + } + }, + { + "host": "secret.bstein.dev", + "path": "/", + "backend": { + "namespace": "vault", + "service": "vault", + "port": 8200, + "workloads": [ + { + "kind": "StatefulSet", + "name": "vault" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "vault", + "source": "vault" + } + }, + { + "host": "sso.bstein.dev", + "path": "/", + "backend": { + "namespace": "sso", + "service": "keycloak", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "keycloak" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "keycloak", + "source": "keycloak" + } + }, + { + "host": "stream.bstein.dev", + "path": "/", + "backend": { + "namespace": "jellyfin", + "service": "jellyfin", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "jellyfin" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "jellyfin", + "source": "jellyfin" + } + }, + { + "host": "vault.bstein.dev", + "path": 
"/", + "backend": { + "namespace": "vaultwarden", + "service": "vaultwarden-service", + "port": 80, + "workloads": [ + { + "kind": "Deployment", + "name": "vaultwarden" + } + ] + }, + "via": { + "kind": "Ingress", + "name": "vaultwarden-ingress", + "source": "vaultwarden" + } + } + ], + "helmrelease_host_hints": { + "gitops-ui:flux-system/weave-gitops": [ + "cd.bstein.dev" + ], + "harbor:harbor/harbor": [ + "registry.bstein.dev" + ], + "mailu:mailu-mailserver/mailu": [ + "bstein.dev", + "mail.bstein.dev" + ], + "monitoring:monitoring/alertmanager": [ + "alerts.bstein.dev" + ], + "monitoring:monitoring/grafana": [ + "metrics.bstein.dev", + "sso.bstein.dev" + ] + } +}
diff --git a/services/comms/knowledge/catalog/atlas.yaml b/services/comms/knowledge/catalog/atlas.yaml
new file mode 100644
index 0000000..06e2469
--- /dev/null
+++ b/services/comms/knowledge/catalog/atlas.yaml
@@ -0,0 +1,1799 @@ +# Generated by scripts/knowledge_render_atlas.py (do not edit by hand) +cluster: atlas +sources: +- name: ai-llm + path: services/ai-llm + targetNamespace: ai +- name: bstein-dev-home + path: services/bstein-dev-home + targetNamespace: bstein-dev-home +- name: ci-demo + path: services/ci-demo + targetNamespace: null +- name: communication + path: services/comms + targetNamespace: comms +- name: core + path: infrastructure/core + targetNamespace: null +- name: crypto + path: services/crypto + targetNamespace: crypto +- name: flux-system + path: clusters/atlas/flux-system + targetNamespace: null +- name: gitea + path: services/gitea + targetNamespace: gitea +- name: gitops-ui + path: services/gitops-ui + targetNamespace: flux-system +- name: harbor + path: services/harbor + targetNamespace: harbor +- name: helm + path: infrastructure/sources/helm + targetNamespace: flux-system +- name: jellyfin + path: services/jellyfin + targetNamespace: jellyfin +- name: jenkins + path: services/jenkins + targetNamespace: jenkins +- name: keycloak + path: services/keycloak + targetNamespace: sso +- name: longhorn-ui + path: infrastructure/longhorn/ui-ingress + targetNamespace: longhorn-system +- name: mailu + path: services/mailu + targetNamespace: mailu-mailserver +- name: metallb + path: infrastructure/metallb + targetNamespace: metallb-system +- name: monerod + path: services/crypto/monerod + targetNamespace: crypto +- name: monitoring + path: services/monitoring + targetNamespace: null +- name: nextcloud + path: services/nextcloud + targetNamespace: nextcloud +- name: nextcloud-mail-sync + path: services/nextcloud-mail-sync + targetNamespace: nextcloud +- name: oauth2-proxy + path: services/oauth2-proxy + targetNamespace: sso +- name: openldap + path: services/openldap + targetNamespace: sso +- name: pegasus + path: services/pegasus + targetNamespace: jellyfin +- name: sui-metrics + path: services/sui-metrics/overlays/atlas + targetNamespace: sui-metrics +- 
name: traefik + path: infrastructure/traefik + targetNamespace: traefik +- name: vault + path: services/vault + targetNamespace: vault +- name: vault-csi + path: infrastructure/vault-csi + targetNamespace: kube-system +- name: vaultwarden + path: services/vaultwarden + targetNamespace: vaultwarden +- name: xmr-miner + path: services/crypto/xmr-miner + targetNamespace: crypto +workloads: +- kind: Deployment + namespace: ai + name: ollama + labels: + app: ollama + serviceAccountName: null + nodeSelector: {} + images: + - ollama/ollama:latest +- kind: Deployment + namespace: bstein-dev-home + name: bstein-dev-home-backend + labels: + app: bstein-dev-home-backend + serviceAccountName: bstein-dev-home + nodeSelector: + kubernetes.io/arch: arm64 + node-role.kubernetes.io/worker: 'true' + images: + - registry.bstein.dev/bstein/bstein-dev-home-backend:0.1.1-84 +- kind: Deployment + namespace: bstein-dev-home + name: bstein-dev-home-frontend + labels: + app: bstein-dev-home-frontend + serviceAccountName: null + nodeSelector: + kubernetes.io/arch: arm64 + node-role.kubernetes.io/worker: 'true' + images: + - registry.bstein.dev/bstein/bstein-dev-home-frontend:0.1.1-84 +- kind: Deployment + namespace: bstein-dev-home + name: chat-ai-gateway + labels: + app: chat-ai-gateway + serviceAccountName: null + nodeSelector: + kubernetes.io/arch: arm64 + node-role.kubernetes.io/worker: 'true' + images: + - python:3.11-slim +- kind: Deployment + namespace: ci-demo + name: ci-demo + labels: + app.kubernetes.io/name: ci-demo + serviceAccountName: null + nodeSelector: + hardware: rpi4 + images: + - registry.bstein.dev/infra/ci-demo:v0.0.0-3 +- kind: Deployment + namespace: comms + name: atlasbot + labels: + app: atlasbot + serviceAccountName: atlasbot + nodeSelector: + hardware: rpi5 + images: + - python:3.11-slim +- kind: Deployment + namespace: comms + name: coturn + labels: + app: coturn + serviceAccountName: null + nodeSelector: + hardware: rpi5 + images: + - ghcr.io/coturn/coturn:4.6.2 
+- kind: Deployment + namespace: comms + name: element-call + labels: + app: element-call + serviceAccountName: null + nodeSelector: + hardware: rpi5 + images: + - ghcr.io/element-hq/element-call:latest +- kind: Deployment + namespace: comms + name: livekit + labels: + app: livekit + serviceAccountName: null + nodeSelector: + hardware: rpi5 + images: + - livekit/livekit-server:v1.9.0 +- kind: Deployment + namespace: comms + name: livekit-token-service + labels: + app: livekit-token-service + serviceAccountName: null + nodeSelector: + hardware: rpi5 + images: + - ghcr.io/element-hq/lk-jwt-service:0.3.0 +- kind: Deployment + namespace: comms + name: matrix-authentication-service + labels: + app: matrix-authentication-service + serviceAccountName: null + nodeSelector: + hardware: rpi5 + images: + - ghcr.io/element-hq/matrix-authentication-service:1.8.0 +- kind: Deployment + namespace: comms + name: matrix-guest-register + labels: + app.kubernetes.io/name: matrix-guest-register + serviceAccountName: null + nodeSelector: {} + images: + - python:3.11-slim +- kind: Deployment + namespace: comms + name: matrix-wellknown + labels: + app: matrix-wellknown + serviceAccountName: null + nodeSelector: {} + images: + - nginx:1.27-alpine +- kind: Deployment + namespace: comms + name: othrys-element-element-web + labels: + app.kubernetes.io/instance: othrys-element + app.kubernetes.io/name: element-web + serviceAccountName: othrys-element-element-web + nodeSelector: + hardware: rpi5 + images: + - ghcr.io/element-hq/element-web:v1.12.6 +- kind: Deployment + namespace: comms + name: othrys-synapse-matrix-synapse + labels: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: othrys-synapse + app.kubernetes.io/name: matrix-synapse + serviceAccountName: default + nodeSelector: + hardware: rpi5 + images: + - ghcr.io/element-hq/synapse:v1.144.0 +- kind: Deployment + namespace: comms + name: othrys-synapse-redis-master + labels: + app.kubernetes.io/component: master + 
app.kubernetes.io/instance: othrys-synapse + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: redis + helm.sh/chart: redis-17.17.1 + serviceAccountName: othrys-synapse-redis + nodeSelector: {} + images: + - docker.io/bitnamilegacy/redis:7.0.12-debian-11-r34 +- kind: DaemonSet + namespace: crypto + name: monero-xmrig + labels: + app: monero-xmrig + serviceAccountName: null + nodeSelector: + node-role.kubernetes.io/worker: 'true' + images: + - ghcr.io/tari-project/xmrig:latest +- kind: Deployment + namespace: crypto + name: monero-p2pool + labels: + app: monero-p2pool + serviceAccountName: null + nodeSelector: + node-role.kubernetes.io/worker: 'true' + images: + - debian:bookworm-slim +- kind: Deployment + namespace: crypto + name: monerod + labels: + app: monerod + serviceAccountName: null + nodeSelector: + node-role.kubernetes.io/worker: 'true' + images: + - registry.bstein.dev/crypto/monerod:0.18.4.1 +- kind: Deployment + namespace: flux-system + name: helm-controller + labels: + app: helm-controller + app.kubernetes.io/component: helm-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.7.5 + serviceAccountName: helm-controller + nodeSelector: + kubernetes.io/os: linux + images: + - ghcr.io/fluxcd/helm-controller:v1.4.5 +- kind: Deployment + namespace: flux-system + name: image-automation-controller + labels: + app: image-automation-controller + app.kubernetes.io/component: image-automation-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.7.5 + serviceAccountName: image-automation-controller + nodeSelector: + kubernetes.io/os: linux + images: + - ghcr.io/fluxcd/image-automation-controller:v1.0.4 +- kind: Deployment + namespace: flux-system + name: image-reflector-controller + labels: + app: image-reflector-controller + app.kubernetes.io/component: image-reflector-controller + app.kubernetes.io/instance: flux-system + 
app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.7.5 + serviceAccountName: image-reflector-controller + nodeSelector: + kubernetes.io/os: linux + images: + - ghcr.io/fluxcd/image-reflector-controller:v1.0.4 +- kind: Deployment + namespace: flux-system + name: kustomize-controller + labels: + app: kustomize-controller + app.kubernetes.io/component: kustomize-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.7.5 + serviceAccountName: kustomize-controller + nodeSelector: + kubernetes.io/os: linux + images: + - ghcr.io/fluxcd/kustomize-controller:v1.7.3 +- kind: Deployment + namespace: flux-system + name: notification-controller + labels: + app: notification-controller + app.kubernetes.io/component: notification-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.7.5 + serviceAccountName: notification-controller + nodeSelector: + kubernetes.io/os: linux + images: + - ghcr.io/fluxcd/notification-controller:v1.7.5 +- kind: Deployment + namespace: flux-system + name: source-controller + labels: + app: source-controller + app.kubernetes.io/component: source-controller + app.kubernetes.io/instance: flux-system + app.kubernetes.io/part-of: flux + app.kubernetes.io/version: v2.7.5 + serviceAccountName: source-controller + nodeSelector: + kubernetes.io/os: linux + images: + - ghcr.io/fluxcd/source-controller:v1.7.4 +- kind: Deployment + namespace: gitea + name: gitea + labels: + app: gitea + serviceAccountName: null + nodeSelector: + node-role.kubernetes.io/worker: 'true' + images: + - gitea/gitea:1.23 +- kind: Deployment + namespace: jellyfin + name: jellyfin + labels: + app: jellyfin + serviceAccountName: null + nodeSelector: {} + images: + - docker.io/jellyfin/jellyfin:10.11.5 +- kind: Deployment + namespace: jellyfin + name: pegasus + labels: + app: pegasus + serviceAccountName: null + nodeSelector: + kubernetes.io/arch: 
arm64 + node-role.kubernetes.io/worker: 'true' + images: + - alpine:3.20 + - registry.bstein.dev/streaming/pegasus:1.2.32 +- kind: Deployment + namespace: jenkins + name: jenkins + labels: + app: jenkins + serviceAccountName: jenkins + nodeSelector: + kubernetes.io/arch: arm64 + node-role.kubernetes.io/worker: 'true' + images: + - jenkins/jenkins:2.528.3-jdk21 +- kind: DaemonSet + namespace: kube-system + name: nvidia-device-plugin-jetson + labels: + app.kubernetes.io/instance: jetson + app.kubernetes.io/name: nvidia-device-plugin + serviceAccountName: null + nodeSelector: + jetson: 'true' + kubernetes.io/arch: arm64 + images: + - nvcr.io/nvidia/k8s-device-plugin:v0.16.2 +- kind: DaemonSet + namespace: kube-system + name: nvidia-device-plugin-minipc + labels: + app.kubernetes.io/instance: titan22 + app.kubernetes.io/name: nvidia-device-plugin + serviceAccountName: null + nodeSelector: + kubernetes.io/arch: amd64 + kubernetes.io/hostname: titan-22 + images: + - nvcr.io/nvidia/k8s-device-plugin:v0.16.2 +- kind: DaemonSet + namespace: kube-system + name: nvidia-device-plugin-tethys + labels: + app.kubernetes.io/instance: titan24 + app.kubernetes.io/name: nvidia-device-plugin + serviceAccountName: null + nodeSelector: + kubernetes.io/arch: amd64 + kubernetes.io/hostname: titan-24 + images: + - nvcr.io/nvidia/k8s-device-plugin:v0.16.2 +- kind: DaemonSet + namespace: kube-system + name: vault-csi-provider + labels: + app.kubernetes.io/name: vault-csi-provider + serviceAccountName: vault-csi-provider + nodeSelector: + kubernetes.io/os: linux + images: + - hashicorp/vault-csi-provider:1.7.0 +- kind: Deployment + namespace: longhorn-system + name: oauth2-proxy-longhorn + labels: + app: oauth2-proxy-longhorn + serviceAccountName: null + nodeSelector: + node-role.kubernetes.io/worker: 'true' + images: + - quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 +- kind: DaemonSet + namespace: mailu-mailserver + name: vip-controller + labels: + app: vip-controller + serviceAccountName: 
vip-controller + nodeSelector: + mailu.bstein.dev/vip: 'true' + images: + - lachlanevenson/k8s-kubectl:latest +- kind: Deployment + namespace: mailu-mailserver + name: mailu-sync-listener + labels: + app: mailu-sync-listener + serviceAccountName: null + nodeSelector: {} + images: + - python:3.11-alpine +- kind: DaemonSet + namespace: metallb-system + name: metallb-speaker + labels: + app.kubernetes.io/component: speaker + app.kubernetes.io/instance: metallb + app.kubernetes.io/name: metallb + serviceAccountName: metallb-speaker + nodeSelector: + kubernetes.io/os: linux + images: + - quay.io/frrouting/frr:10.4.1 + - quay.io/metallb/speaker:v0.15.3 +- kind: Deployment + namespace: metallb-system + name: metallb-controller + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: metallb + app.kubernetes.io/name: metallb + serviceAccountName: metallb-controller + nodeSelector: + kubernetes.io/os: linux + images: + - quay.io/metallb/controller:v0.15.3 +- kind: DaemonSet + namespace: monitoring + name: dcgm-exporter + labels: + app: dcgm-exporter + serviceAccountName: default + nodeSelector: {} + images: + - registry.bstein.dev/monitoring/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04 +- kind: Deployment + namespace: monitoring + name: postmark-exporter + labels: + app: postmark-exporter + serviceAccountName: null + nodeSelector: {} + images: + - python:3.12-alpine +- kind: Deployment + namespace: nextcloud + name: collabora + labels: + app: collabora + serviceAccountName: null + nodeSelector: + hardware: rpi5 + images: + - collabora/code:latest +- kind: Deployment + namespace: nextcloud + name: nextcloud + labels: + app: nextcloud + serviceAccountName: null + nodeSelector: + hardware: rpi5 + images: + - nextcloud:29-apache +- kind: Deployment + namespace: sso + name: keycloak + labels: + app: keycloak + serviceAccountName: null + nodeSelector: {} + images: + - quay.io/keycloak/keycloak:26.0.7 +- kind: Deployment + namespace: sso + name: oauth2-proxy + 
labels: + app: oauth2-proxy + serviceAccountName: null + nodeSelector: + node-role.kubernetes.io/worker: 'true' + images: + - quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 +- kind: StatefulSet + namespace: sso + name: openldap + labels: + app: openldap + serviceAccountName: null + nodeSelector: + kubernetes.io/arch: arm64 + node-role.kubernetes.io/worker: 'true' + images: + - docker.io/osixia/openldap:1.5.0 +- kind: Deployment + namespace: sui-metrics + name: sui-metrics + labels: + app: sui-metrics + serviceAccountName: sui-metrics + nodeSelector: + kubernetes.io/hostname: titan-24 + images: + - victoriametrics/vmagent:v1.103.0 +- kind: Deployment + namespace: traefik + name: traefik + labels: + app: traefik + serviceAccountName: traefik-ingress-controller + nodeSelector: + node-role.kubernetes.io/worker: 'true' + images: + - traefik:v3.3.3 +- kind: StatefulSet + namespace: vault + name: vault + labels: + app: vault + serviceAccountName: vault + nodeSelector: + kubernetes.io/arch: arm64 + node-role.kubernetes.io/worker: 'true' + images: + - hashicorp/vault:1.17.6 +- kind: Deployment + namespace: vaultwarden + name: vaultwarden + labels: + app: vaultwarden + serviceAccountName: null + nodeSelector: {} + images: + - vaultwarden/server:1.33.2 +services: +- namespace: ai + name: ollama + type: ClusterIP + selector: + app: ollama + ports: + - name: http + port: 11434 + targetPort: 11434 + protocol: TCP +- namespace: bstein-dev-home + name: bstein-dev-home-backend + type: ClusterIP + selector: + app: bstein-dev-home-backend + ports: + - name: http + port: 80 + targetPort: 8080 + protocol: TCP +- namespace: bstein-dev-home + name: bstein-dev-home-frontend + type: ClusterIP + selector: + app: bstein-dev-home-frontend + ports: + - name: http + port: 80 + targetPort: 80 + protocol: TCP +- namespace: bstein-dev-home + name: chat-ai-gateway + type: ClusterIP + selector: + app: chat-ai-gateway + ports: + - name: http + port: 80 + targetPort: 8080 + protocol: TCP +- namespace: 
ci-demo + name: ci-demo + type: ClusterIP + selector: + app.kubernetes.io/name: ci-demo + ports: + - name: http + port: 80 + targetPort: http + protocol: TCP +- namespace: comms + name: coturn + type: LoadBalancer + selector: + app: coturn + ports: + - name: turn-udp + port: 3478 + targetPort: 3478 + protocol: UDP + - name: turn-tcp + port: 3478 + targetPort: 3478 + protocol: TCP + - name: turn-tls + port: 5349 + targetPort: 5349 + protocol: TCP + - name: relay-50000 + port: 50000 + targetPort: 50000 + protocol: UDP + - name: relay-50001 + port: 50001 + targetPort: 50001 + protocol: UDP + - name: relay-50002 + port: 50002 + targetPort: 50002 + protocol: UDP + - name: relay-50003 + port: 50003 + targetPort: 50003 + protocol: UDP + - name: relay-50004 + port: 50004 + targetPort: 50004 + protocol: UDP + - name: relay-50005 + port: 50005 + targetPort: 50005 + protocol: UDP + - name: relay-50006 + port: 50006 + targetPort: 50006 + protocol: UDP + - name: relay-50007 + port: 50007 + targetPort: 50007 + protocol: UDP + - name: relay-50008 + port: 50008 + targetPort: 50008 + protocol: UDP + - name: relay-50009 + port: 50009 + targetPort: 50009 + protocol: UDP + - name: relay-50010 + port: 50010 + targetPort: 50010 + protocol: UDP + - name: relay-50011 + port: 50011 + targetPort: 50011 + protocol: UDP + - name: relay-50012 + port: 50012 + targetPort: 50012 + protocol: UDP + - name: relay-50013 + port: 50013 + targetPort: 50013 + protocol: UDP + - name: relay-50014 + port: 50014 + targetPort: 50014 + protocol: UDP + - name: relay-50015 + port: 50015 + targetPort: 50015 + protocol: UDP + - name: relay-50016 + port: 50016 + targetPort: 50016 + protocol: UDP + - name: relay-50017 + port: 50017 + targetPort: 50017 + protocol: UDP + - name: relay-50018 + port: 50018 + targetPort: 50018 + protocol: UDP + - name: relay-50019 + port: 50019 + targetPort: 50019 + protocol: UDP + - name: relay-50020 + port: 50020 + targetPort: 50020 + protocol: UDP + - name: relay-50021 + port: 50021 + 
targetPort: 50021 + protocol: UDP + - name: relay-50022 + port: 50022 + targetPort: 50022 + protocol: UDP + - name: relay-50023 + port: 50023 + targetPort: 50023 + protocol: UDP + - name: relay-50024 + port: 50024 + targetPort: 50024 + protocol: UDP + - name: relay-50025 + port: 50025 + targetPort: 50025 + protocol: UDP + - name: relay-50026 + port: 50026 + targetPort: 50026 + protocol: UDP + - name: relay-50027 + port: 50027 + targetPort: 50027 + protocol: UDP + - name: relay-50028 + port: 50028 + targetPort: 50028 + protocol: UDP + - name: relay-50029 + port: 50029 + targetPort: 50029 + protocol: UDP + - name: relay-50030 + port: 50030 + targetPort: 50030 + protocol: UDP + - name: relay-50031 + port: 50031 + targetPort: 50031 + protocol: UDP + - name: relay-50032 + port: 50032 + targetPort: 50032 + protocol: UDP + - name: relay-50033 + port: 50033 + targetPort: 50033 + protocol: UDP + - name: relay-50034 + port: 50034 + targetPort: 50034 + protocol: UDP + - name: relay-50035 + port: 50035 + targetPort: 50035 + protocol: UDP + - name: relay-50036 + port: 50036 + targetPort: 50036 + protocol: UDP + - name: relay-50037 + port: 50037 + targetPort: 50037 + protocol: UDP + - name: relay-50038 + port: 50038 + targetPort: 50038 + protocol: UDP + - name: relay-50039 + port: 50039 + targetPort: 50039 + protocol: UDP + - name: relay-50040 + port: 50040 + targetPort: 50040 + protocol: UDP + - name: relay-50041 + port: 50041 + targetPort: 50041 + protocol: UDP + - name: relay-50042 + port: 50042 + targetPort: 50042 + protocol: UDP + - name: relay-50043 + port: 50043 + targetPort: 50043 + protocol: UDP + - name: relay-50044 + port: 50044 + targetPort: 50044 + protocol: UDP + - name: relay-50045 + port: 50045 + targetPort: 50045 + protocol: UDP + - name: relay-50046 + port: 50046 + targetPort: 50046 + protocol: UDP + - name: relay-50047 + port: 50047 + targetPort: 50047 + protocol: UDP + - name: relay-50048 + port: 50048 + targetPort: 50048 + protocol: UDP + - name: relay-50049 
+ port: 50049 + targetPort: 50049 + protocol: UDP + - name: relay-50050 + port: 50050 + targetPort: 50050 + protocol: UDP +- namespace: comms + name: element-call + type: ClusterIP + selector: + app: element-call + ports: + - name: http + port: 80 + targetPort: 8080 + protocol: TCP +- namespace: comms + name: livekit + type: LoadBalancer + selector: + app: livekit + ports: + - name: http + port: 7880 + targetPort: 7880 + protocol: TCP + - name: rtc-tcp + port: 7881 + targetPort: 7881 + protocol: TCP + - name: rtc-udp-7882 + port: 7882 + targetPort: 7882 + protocol: UDP + - name: rtc-udp-7883 + port: 7883 + targetPort: 7883 + protocol: UDP +- namespace: comms + name: livekit-token-service + type: ClusterIP + selector: + app: livekit-token-service + ports: + - name: http + port: 8080 + targetPort: 8080 + protocol: TCP +- namespace: comms + name: matrix-authentication-service + type: ClusterIP + selector: + app: matrix-authentication-service + ports: + - name: http + port: 8080 + targetPort: http + protocol: TCP + - name: internal + port: 8081 + targetPort: internal + protocol: TCP +- namespace: comms + name: matrix-guest-register + type: ClusterIP + selector: + app.kubernetes.io/name: matrix-guest-register + ports: + - name: http + port: 8080 + targetPort: http + protocol: TCP +- namespace: comms + name: matrix-wellknown + type: ClusterIP + selector: + app: matrix-wellknown + ports: + - name: http + port: 80 + targetPort: 80 + protocol: TCP +- namespace: comms + name: othrys-element-element-web + type: ClusterIP + selector: + app.kubernetes.io/instance: othrys-element + app.kubernetes.io/name: element-web + ports: + - name: http + port: 80 + targetPort: http + protocol: TCP +- namespace: comms + name: othrys-synapse-matrix-synapse + type: ClusterIP + selector: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: othrys-synapse + app.kubernetes.io/name: matrix-synapse + ports: + - name: http + port: 8008 + targetPort: http + protocol: TCP +- namespace: 
comms + name: othrys-synapse-redis-headless + type: ClusterIP + selector: + app.kubernetes.io/instance: othrys-synapse + app.kubernetes.io/name: redis + ports: + - name: tcp-redis + port: 6379 + targetPort: redis + protocol: TCP +- namespace: comms + name: othrys-synapse-redis-master + type: ClusterIP + selector: + app.kubernetes.io/component: master + app.kubernetes.io/instance: othrys-synapse + app.kubernetes.io/name: redis + ports: + - name: tcp-redis + port: 6379 + targetPort: redis + protocol: TCP +- namespace: comms + name: othrys-synapse-replication + type: ClusterIP + selector: + app.kubernetes.io/component: synapse + app.kubernetes.io/instance: othrys-synapse + app.kubernetes.io/name: matrix-synapse + ports: + - name: replication + port: 9093 + targetPort: replication + protocol: TCP +- namespace: crypto + name: monerod + type: ClusterIP + selector: + app: monerod + ports: + - name: rpc + port: 18081 + targetPort: 18081 + protocol: TCP + - name: p2p + port: 18080 + targetPort: 18080 + protocol: TCP + - name: zmq + port: 18083 + targetPort: 18083 + protocol: TCP +- namespace: crypto + name: p2pool + type: ClusterIP + selector: + app: p2pool + ports: + - name: stratum + port: 3333 + targetPort: 3333 + protocol: TCP +- namespace: flux-system + name: notification-controller + type: ClusterIP + selector: + app: notification-controller + ports: + - name: http + port: 80 + targetPort: http + protocol: TCP +- namespace: flux-system + name: source-controller + type: ClusterIP + selector: + app: source-controller + ports: + - name: http + port: 80 + targetPort: http + protocol: TCP +- namespace: flux-system + name: webhook-receiver + type: ClusterIP + selector: + app: notification-controller + ports: + - name: http + port: 80 + targetPort: http-webhook + protocol: TCP +- namespace: gitea + name: gitea + type: ClusterIP + selector: + app: gitea + ports: + - name: http + port: 3000 + targetPort: 3000 + protocol: TCP +- namespace: gitea + name: gitea-ssh + type: 
NodePort + selector: + app: gitea + ports: + - name: ssh + port: 2242 + targetPort: 2242 + protocol: TCP +- namespace: jellyfin + name: jellyfin + type: ClusterIP + selector: + app: jellyfin + ports: + - name: http + port: 80 + targetPort: 8096 + protocol: TCP +- namespace: jellyfin + name: pegasus + type: ClusterIP + selector: + app: pegasus + ports: + - name: http + port: 80 + targetPort: http + protocol: TCP +- namespace: jenkins + name: jenkins + type: ClusterIP + selector: + app: jenkins + ports: + - name: http + port: 8080 + targetPort: 8080 + protocol: TCP + - name: agent-listener + port: 50000 + targetPort: 50000 + protocol: TCP +- namespace: kube-system + name: traefik + type: LoadBalancer + selector: + app.kubernetes.io/instance: traefik-kube-system + app.kubernetes.io/name: traefik + ports: + - name: web + port: 80 + targetPort: web + protocol: TCP + - name: websecure + port: 443 + targetPort: websecure + protocol: TCP +- namespace: longhorn-system + name: oauth2-proxy-longhorn + type: ClusterIP + selector: + app: oauth2-proxy-longhorn + ports: + - name: http + port: 80 + targetPort: 4180 + protocol: TCP +- namespace: mailu-mailserver + name: mailu-front-lb + type: LoadBalancer + selector: + app.kubernetes.io/component: front + app.kubernetes.io/instance: mailu + app.kubernetes.io/name: mailu + ports: + - name: smtp + port: 25 + targetPort: 25 + protocol: TCP + - name: smtps + port: 465 + targetPort: 465 + protocol: TCP + - name: submission + port: 587 + targetPort: 587 + protocol: TCP + - name: imaps + port: 993 + targetPort: 993 + protocol: TCP + - name: pop3s + port: 995 + targetPort: 995 + protocol: TCP + - name: sieve + port: 4190 + targetPort: 4190 + protocol: TCP +- namespace: mailu-mailserver + name: mailu-sync-listener + type: ClusterIP + selector: + app: mailu-sync-listener + ports: + - name: http + port: 8080 + targetPort: 8080 + protocol: TCP +- namespace: metallb-system + name: metallb-webhook-service + type: ClusterIP + selector: + 
app.kubernetes.io/component: controller + app.kubernetes.io/instance: metallb + app.kubernetes.io/name: metallb + ports: + - name: null + port: 443 + targetPort: 9443 + protocol: TCP +- namespace: monitoring + name: dcgm-exporter + type: ClusterIP + selector: + app: dcgm-exporter + ports: + - name: metrics + port: 9400 + targetPort: metrics + protocol: TCP +- namespace: monitoring + name: postmark-exporter + type: ClusterIP + selector: + app: postmark-exporter + ports: + - name: http + port: 8000 + targetPort: http + protocol: TCP +- namespace: nextcloud + name: collabora + type: ClusterIP + selector: + app: collabora + ports: + - name: http + port: 9980 + targetPort: http + protocol: TCP +- namespace: nextcloud + name: nextcloud + type: ClusterIP + selector: + app: nextcloud + ports: + - name: http + port: 80 + targetPort: http + protocol: TCP +- namespace: sso + name: keycloak + type: ClusterIP + selector: + app: keycloak + ports: + - name: http + port: 80 + targetPort: http + protocol: TCP +- namespace: sso + name: oauth2-proxy + type: ClusterIP + selector: + app: oauth2-proxy + ports: + - name: http + port: 80 + targetPort: 4180 + protocol: TCP +- namespace: sso + name: openldap + type: ClusterIP + selector: + app: openldap + ports: + - name: ldap + port: 389 + targetPort: ldap + protocol: TCP + - name: ldaps + port: 636 + targetPort: ldaps + protocol: TCP +- namespace: sui-metrics + name: sui-metrics + type: ClusterIP + selector: + app: sui-metrics + ports: + - name: http + port: 8429 + targetPort: 8429 + protocol: TCP +- namespace: traefik + name: traefik-metrics + type: ClusterIP + selector: + app: traefik + ports: + - name: metrics + port: 9100 + targetPort: metrics + protocol: TCP +- namespace: vault + name: vault + type: ClusterIP + selector: + app: vault + ports: + - name: api + port: 8200 + targetPort: 8200 + protocol: TCP + - name: cluster + port: 8201 + targetPort: 8201 + protocol: TCP +- namespace: vault + name: vault-internal + type: ClusterIP + 
selector: + app: vault + ports: + - name: api + port: 8200 + targetPort: 8200 + protocol: TCP + - name: cluster + port: 8201 + targetPort: 8201 + protocol: TCP +- namespace: vaultwarden + name: vaultwarden-service + type: ClusterIP + selector: + app: vaultwarden + ports: + - name: http + port: 80 + targetPort: http + protocol: TCP +http_endpoints: +- host: auth.bstein.dev + path: / + backend: + namespace: sso + service: oauth2-proxy + port: 80 + workloads: + - kind: Deployment + name: oauth2-proxy + via: + kind: Ingress + name: oauth2-proxy + source: oauth2-proxy +- host: bstein.dev + path: / + backend: + namespace: bstein-dev-home + service: bstein-dev-home-frontend + port: 80 + workloads: + - kind: Deployment + name: bstein-dev-home-frontend + via: + kind: Ingress + name: bstein-dev-home + source: bstein-dev-home +- host: bstein.dev + path: /.well-known/matrix/client + backend: + namespace: comms + service: matrix-wellknown + port: 80 + workloads: &id001 + - kind: Deployment + name: matrix-wellknown + via: + kind: Ingress + name: matrix-wellknown-bstein-dev + source: communication +- host: bstein.dev + path: /.well-known/matrix/server + backend: + namespace: comms + service: matrix-wellknown + port: 80 + workloads: *id001 + via: + kind: Ingress + name: matrix-wellknown-bstein-dev + source: communication +- host: bstein.dev + path: /api + backend: + namespace: bstein-dev-home + service: bstein-dev-home-backend + port: 80 + workloads: + - kind: Deployment + name: bstein-dev-home-backend + via: + kind: Ingress + name: bstein-dev-home + source: bstein-dev-home +- host: call.live.bstein.dev + path: / + backend: + namespace: comms + service: element-call + port: 80 + workloads: + - kind: Deployment + name: element-call + via: + kind: Ingress + name: element-call + source: communication +- host: chat.ai.bstein.dev + path: / + backend: + namespace: bstein-dev-home + service: chat-ai-gateway + port: 80 + workloads: + - kind: Deployment + name: chat-ai-gateway + via: + 
kind: Ingress + name: bstein-dev-home + source: bstein-dev-home +- host: ci.bstein.dev + path: / + backend: + namespace: jenkins + service: jenkins + port: http + workloads: + - kind: Deployment + name: jenkins + via: + kind: Ingress + name: jenkins + source: jenkins +- host: cloud.bstein.dev + path: / + backend: + namespace: nextcloud + service: nextcloud + port: 80 + workloads: + - kind: Deployment + name: nextcloud + via: + kind: Ingress + name: nextcloud + source: nextcloud +- host: kit.live.bstein.dev + path: /livekit/jwt + backend: + namespace: comms + service: livekit-token-service + port: 8080 + workloads: + - kind: Deployment + name: livekit-token-service + via: + kind: Ingress + name: livekit-jwt-ingress + source: communication +- host: kit.live.bstein.dev + path: /livekit/sfu + backend: + namespace: comms + service: livekit + port: 7880 + workloads: + - kind: Deployment + name: livekit + via: + kind: Ingress + name: livekit-ingress + source: communication +- host: live.bstein.dev + path: / + backend: + namespace: comms + service: othrys-element-element-web + port: 80 + workloads: + - kind: Deployment + name: othrys-element-element-web + via: + kind: Ingress + name: othrys-element-element-web + source: communication +- host: live.bstein.dev + path: /.well-known/matrix/client + backend: + namespace: comms + service: matrix-wellknown + port: 80 + workloads: *id001 + via: + kind: Ingress + name: matrix-wellknown + source: communication +- host: live.bstein.dev + path: /.well-known/matrix/server + backend: + namespace: comms + service: matrix-wellknown + port: 80 + workloads: *id001 + via: + kind: Ingress + name: matrix-wellknown + source: communication +- host: live.bstein.dev + path: /_matrix + backend: + namespace: comms + service: othrys-synapse-matrix-synapse + port: 8008 + workloads: &id002 + - kind: Deployment + name: othrys-synapse-matrix-synapse + via: + kind: Ingress + name: matrix-routing + source: communication +- host: longhorn.bstein.dev + path: 
/ + backend: + namespace: longhorn-system + service: oauth2-proxy-longhorn + port: 80 + workloads: + - kind: Deployment + name: oauth2-proxy-longhorn + via: + kind: Ingress + name: longhorn-ingress + source: longhorn-ui +- host: mail.bstein.dev + path: / + backend: + namespace: mailu-mailserver + service: mailu-front + port: 443 + workloads: [] + via: + kind: IngressRoute + name: mailu + source: mailu +- host: matrix.live.bstein.dev + path: / + backend: + namespace: comms + service: matrix-authentication-service + port: 8080 + workloads: &id003 + - kind: Deployment + name: matrix-authentication-service + via: + kind: Ingress + name: matrix-routing + source: communication +- host: matrix.live.bstein.dev + path: /.well-known/matrix/client + backend: + namespace: comms + service: matrix-wellknown + port: 80 + workloads: *id001 + via: + kind: Ingress + name: matrix-wellknown-matrix-live + source: communication +- host: matrix.live.bstein.dev + path: /.well-known/matrix/server + backend: + namespace: comms + service: matrix-wellknown + port: 80 + workloads: *id001 + via: + kind: Ingress + name: matrix-wellknown-matrix-live + source: communication +- host: matrix.live.bstein.dev + path: /_matrix + backend: + namespace: comms + service: othrys-synapse-matrix-synapse + port: 8008 + workloads: *id002 + via: + kind: Ingress + name: matrix-routing + source: communication +- host: matrix.live.bstein.dev + path: /_matrix/client/r0/register + backend: + namespace: comms + service: matrix-guest-register + port: 8080 + workloads: &id004 + - kind: Deployment + name: matrix-guest-register + via: + kind: Ingress + name: matrix-routing + source: communication +- host: matrix.live.bstein.dev + path: /_matrix/client/v3/login + backend: + namespace: comms + service: matrix-authentication-service + port: 8080 + workloads: *id003 + via: + kind: Ingress + name: matrix-routing + source: communication +- host: matrix.live.bstein.dev + path: /_matrix/client/v3/logout + backend: + namespace: 
comms + service: matrix-authentication-service + port: 8080 + workloads: *id003 + via: + kind: Ingress + name: matrix-routing + source: communication +- host: matrix.live.bstein.dev + path: /_matrix/client/v3/refresh + backend: + namespace: comms + service: matrix-authentication-service + port: 8080 + workloads: *id003 + via: + kind: Ingress + name: matrix-routing + source: communication +- host: matrix.live.bstein.dev + path: /_matrix/client/v3/register + backend: + namespace: comms + service: matrix-guest-register + port: 8080 + workloads: *id004 + via: + kind: Ingress + name: matrix-routing + source: communication +- host: matrix.live.bstein.dev + path: /_synapse + backend: + namespace: comms + service: othrys-synapse-matrix-synapse + port: 8008 + workloads: *id002 + via: + kind: Ingress + name: matrix-routing + source: communication +- host: monero.bstein.dev + path: / + backend: + namespace: crypto + service: monerod + port: 18081 + workloads: + - kind: Deployment + name: monerod + via: + kind: Ingress + name: monerod + source: monerod +- host: office.bstein.dev + path: / + backend: + namespace: nextcloud + service: collabora + port: 9980 + workloads: + - kind: Deployment + name: collabora + via: + kind: Ingress + name: collabora + source: nextcloud +- host: pegasus.bstein.dev + path: / + backend: + namespace: jellyfin + service: pegasus + port: 80 + workloads: + - kind: Deployment + name: pegasus + via: + kind: Ingress + name: pegasus + source: pegasus +- host: scm.bstein.dev + path: / + backend: + namespace: gitea + service: gitea + port: 3000 + workloads: + - kind: Deployment + name: gitea + via: + kind: Ingress + name: gitea-ingress + source: gitea +- host: secret.bstein.dev + path: / + backend: + namespace: vault + service: vault + port: 8200 + workloads: + - kind: StatefulSet + name: vault + via: + kind: Ingress + name: vault + source: vault +- host: sso.bstein.dev + path: / + backend: + namespace: sso + service: keycloak + port: 80 + workloads: + - 
kind: Deployment + name: keycloak + via: + kind: Ingress + name: keycloak + source: keycloak +- host: stream.bstein.dev + path: / + backend: + namespace: jellyfin + service: jellyfin + port: 80 + workloads: + - kind: Deployment + name: jellyfin + via: + kind: Ingress + name: jellyfin + source: jellyfin +- host: vault.bstein.dev + path: / + backend: + namespace: vaultwarden + service: vaultwarden-service + port: 80 + workloads: + - kind: Deployment + name: vaultwarden + via: + kind: Ingress + name: vaultwarden-ingress + source: vaultwarden +helmrelease_host_hints: + gitops-ui:flux-system/weave-gitops: + - cd.bstein.dev + harbor:harbor/harbor: + - registry.bstein.dev + mailu:mailu-mailserver/mailu: + - bstein.dev + - mail.bstein.dev + monitoring:monitoring/alertmanager: + - alerts.bstein.dev + monitoring:monitoring/grafana: + - metrics.bstein.dev + - sso.bstein.dev diff --git a/services/comms/knowledge/catalog/runbooks.json b/services/comms/knowledge/catalog/runbooks.json new file mode 100644 index 0000000..d7356ca --- /dev/null +++ b/services/comms/knowledge/catalog/runbooks.json 
@@ -0,0 +1,73 @@ +[ + { + "path": "runbooks/ci-gitea-jenkins.md", + "title": "CI: Gitea \u2192 Jenkins pipeline", + "tags": [ + "atlas", + "ci", + "gitea", + "jenkins" + ], + "entrypoints": [ + "scm.bstein.dev", + "ci.bstein.dev" + ], + "source_paths": [ + "services/gitea", + "services/jenkins", + "scripts/jenkins_cred_sync.sh", + "scripts/gitea_cred_sync.sh" + ], + "body": "# CI: Gitea \u2192 Jenkins pipeline\n\n## What this is\nAtlas uses Gitea for source control and Jenkins for CI. Authentication is via Keycloak (SSO).\n\n## Where it is configured\n- Gitea manifests: `services/gitea/`\n- Jenkins manifests: `services/jenkins/`\n- Credential sync helpers: `scripts/gitea_cred_sync.sh`, `scripts/jenkins_cred_sync.sh`\n\n## What users do (typical flow)\n- Create a repo in Gitea.\n- Create/update a Jenkins job/pipeline that can fetch the repo.\n- Configure a webhook (or SCM polling) so pushes trigger builds.\n\n## Troubleshooting (common)\n- \u201cWebhook not firing\u201d: confirm ingress host, webhook URL, and Jenkins job is reachable.\n- \u201cAuth denied cloning\u201d: confirm Keycloak group membership and that Jenkins has a valid token/credential configured." 
+ }, + { + "path": "runbooks/kb-authoring.md", + "title": "KB authoring: what to write (and what not to)", + "tags": [ + "atlas", + "kb", + "runbooks" + ], + "entrypoints": [], + "source_paths": [ + "knowledge/runbooks", + "scripts/knowledge_render_atlas.py" + ], + "body": "# KB authoring: what to write (and what not to)\n\n## The goal\nGive Atlas assistants enough grounded, Atlas-specific context to answer \u201chow do I\u2026?\u201d questions without guessing.\n\n## What to capture (high value)\n- User workflows: \u201cclick here, set X, expected result\u201d\n- Operator workflows: \u201cedit these files, reconcile this kustomization, verify with these commands\u201d\n- Wiring: \u201cthis host routes to this service; this service depends on Postgres/Vault/etc\u201d\n- Failure modes: exact error messages + the 2\u20135 checks that usually resolve them\n- Permissions: Keycloak groups/roles and what they unlock\n\n## What to avoid (low value / fluff)\n- Generic Kubernetes explanations (link to upstream docs instead)\n- Copy-pasting large manifests (prefer file paths + small snippets)\n- Anything that will drift quickly (render it from GitOps instead)\n- Any secret values (reference Secret/Vault locations by name only)\n\n## Document pattern (recommended)\nEach runbook should answer:\n- \u201cWhat is this?\u201d\n- \u201cWhat do users do?\u201d\n- \u201cWhat do operators change (where in Git)?\u201d\n- \u201cHow do we verify it works?\u201d\n- \u201cWhat breaks and how to debug it?\u201d" + }, + { + "path": "runbooks/observability.md", + "title": "Observability: Grafana + VictoriaMetrics (how to query safely)", + "tags": [ + "atlas", + "monitoring", + "grafana", + "victoriametrics" + ], + "entrypoints": [ + "metrics.bstein.dev", + "alerts.bstein.dev" + ], + "source_paths": [ + "services/monitoring" + ], + "body": "# Observability: Grafana + VictoriaMetrics (how to query safely)\n\n## Where it is configured\n- `services/monitoring/helmrelease.yaml` (Grafana + 
Alertmanager + VM values)\n- `services/monitoring/grafana-dashboard-*.yaml` (dashboards and their PromQL)\n\n## Using metrics as a \u201ctool\u201d for Atlas assistants\nThe safest pattern is: map a small set of intents \u2192 fixed PromQL queries, then summarize results.\n\nExamples (intents)\n- \u201cIs the cluster healthy?\u201d \u2192 node readiness + pod restart rate\n- \u201cWhy is Element Call failing?\u201d \u2192 LiveKit/coturn pod restarts + synapse errors + ingress 5xx\n- \u201cIs Jenkins slow?\u201d \u2192 pod CPU/memory + HTTP latency metrics (if exported)\n\n## Why dashboards are not the KB\nDashboards are great references, but the assistant should query VictoriaMetrics directly for live answers and keep the\nKB focused on wiring, runbooks, and stable conventions." + }, + { + "path": "runbooks/template.md", + "title": "", + "tags": [ + "atlas", + "", + "" + ], + "entrypoints": [ + "" + ], + "source_paths": [ + "services/", + "clusters/atlas/<...>" + ], + "body": "# \n\n## What this is\n\n## For users (how to)\n\n## For operators (where configured)\n\n## Troubleshooting (symptoms \u2192 checks)" + } +] diff --git a/services/comms/knowledge/diagrams/atlas-http.mmd b/services/comms/knowledge/diagrams/atlas-http.mmd new file mode 100644 index 0000000..ddd33d8 --- /dev/null +++ b/services/comms/knowledge/diagrams/atlas-http.mmd 
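Review bot: The last entry of the array, rendered from `runbooks/template.md`, carries an empty `title`, two empty strings in `tags`, an empty string in `entrypoints` and placeholder `source_paths`, so the authoring scaffold ships into the catalog (and, through the `atlas-kb` generator later in this diff, into the cluster) as if it were a real runbook. The catalog looks rendered rather than hand-written, so the fix belongs in the renderer or an exclusion list rather than in this file: skip entries whose title is empty, or exclude `template.md` by name. If the input list cannot be changed, at least drop empty strings from `tags` and `entrypoints` so a consumer that keys on them cannot match on `""`.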
@@ -0,0 +1,189 @@ +flowchart LR + host_auth_bstein_dev["auth.bstein.dev"] + svc_sso_oauth2_proxy["sso/oauth2-proxy (Service)"] + host_auth_bstein_dev --> svc_sso_oauth2_proxy + wl_sso_oauth2_proxy["sso/oauth2-proxy (Deployment)"] + svc_sso_oauth2_proxy --> wl_sso_oauth2_proxy + host_bstein_dev["bstein.dev"] + svc_bstein_dev_home_bstein_dev_home_frontend["bstein-dev-home/bstein-dev-home-frontend (Service)"] + host_bstein_dev --> svc_bstein_dev_home_bstein_dev_home_frontend + wl_bstein_dev_home_bstein_dev_home_frontend["bstein-dev-home/bstein-dev-home-frontend (Deployment)"] + svc_bstein_dev_home_bstein_dev_home_frontend --> wl_bstein_dev_home_bstein_dev_home_frontend + svc_comms_matrix_wellknown["comms/matrix-wellknown (Service)"] + host_bstein_dev --> svc_comms_matrix_wellknown + wl_comms_matrix_wellknown["comms/matrix-wellknown (Deployment)"] + svc_comms_matrix_wellknown --> wl_comms_matrix_wellknown + svc_bstein_dev_home_bstein_dev_home_backend["bstein-dev-home/bstein-dev-home-backend (Service)"] + host_bstein_dev --> svc_bstein_dev_home_bstein_dev_home_backend + wl_bstein_dev_home_bstein_dev_home_backend["bstein-dev-home/bstein-dev-home-backend (Deployment)"] + svc_bstein_dev_home_bstein_dev_home_backend --> wl_bstein_dev_home_bstein_dev_home_backend + host_call_live_bstein_dev["call.live.bstein.dev"] + svc_comms_element_call["comms/element-call (Service)"] + host_call_live_bstein_dev --> svc_comms_element_call + wl_comms_element_call["comms/element-call (Deployment)"] + svc_comms_element_call --> wl_comms_element_call + host_chat_ai_bstein_dev["chat.ai.bstein.dev"] + svc_bstein_dev_home_chat_ai_gateway["bstein-dev-home/chat-ai-gateway (Service)"] + host_chat_ai_bstein_dev --> svc_bstein_dev_home_chat_ai_gateway + wl_bstein_dev_home_chat_ai_gateway["bstein-dev-home/chat-ai-gateway (Deployment)"] + svc_bstein_dev_home_chat_ai_gateway --> wl_bstein_dev_home_chat_ai_gateway + host_ci_bstein_dev["ci.bstein.dev"] + svc_jenkins_jenkins["jenkins/jenkins (Service)"] + 
host_ci_bstein_dev --> svc_jenkins_jenkins + wl_jenkins_jenkins["jenkins/jenkins (Deployment)"] + svc_jenkins_jenkins --> wl_jenkins_jenkins + host_cloud_bstein_dev["cloud.bstein.dev"] + svc_nextcloud_nextcloud["nextcloud/nextcloud (Service)"] + host_cloud_bstein_dev --> svc_nextcloud_nextcloud + wl_nextcloud_nextcloud["nextcloud/nextcloud (Deployment)"] + svc_nextcloud_nextcloud --> wl_nextcloud_nextcloud + host_kit_live_bstein_dev["kit.live.bstein.dev"] + svc_comms_livekit_token_service["comms/livekit-token-service (Service)"] + host_kit_live_bstein_dev --> svc_comms_livekit_token_service + wl_comms_livekit_token_service["comms/livekit-token-service (Deployment)"] + svc_comms_livekit_token_service --> wl_comms_livekit_token_service + svc_comms_livekit["comms/livekit (Service)"] + host_kit_live_bstein_dev --> svc_comms_livekit + wl_comms_livekit["comms/livekit (Deployment)"] + svc_comms_livekit --> wl_comms_livekit + host_live_bstein_dev["live.bstein.dev"] + svc_comms_othrys_element_element_web["comms/othrys-element-element-web (Service)"] + host_live_bstein_dev --> svc_comms_othrys_element_element_web + wl_comms_othrys_element_element_web["comms/othrys-element-element-web (Deployment)"] + svc_comms_othrys_element_element_web --> wl_comms_othrys_element_element_web + host_live_bstein_dev --> svc_comms_matrix_wellknown + svc_comms_othrys_synapse_matrix_synapse["comms/othrys-synapse-matrix-synapse (Service)"] + host_live_bstein_dev --> svc_comms_othrys_synapse_matrix_synapse + wl_comms_othrys_synapse_matrix_synapse["comms/othrys-synapse-matrix-synapse (Deployment)"] + svc_comms_othrys_synapse_matrix_synapse --> wl_comms_othrys_synapse_matrix_synapse + host_longhorn_bstein_dev["longhorn.bstein.dev"] + svc_longhorn_system_oauth2_proxy_longhorn["longhorn-system/oauth2-proxy-longhorn (Service)"] + host_longhorn_bstein_dev --> svc_longhorn_system_oauth2_proxy_longhorn + wl_longhorn_system_oauth2_proxy_longhorn["longhorn-system/oauth2-proxy-longhorn (Deployment)"] + 
svc_longhorn_system_oauth2_proxy_longhorn --> wl_longhorn_system_oauth2_proxy_longhorn + host_mail_bstein_dev["mail.bstein.dev"] + svc_mailu_mailserver_mailu_front["mailu-mailserver/mailu-front (Service)"] + host_mail_bstein_dev --> svc_mailu_mailserver_mailu_front + host_matrix_live_bstein_dev["matrix.live.bstein.dev"] + svc_comms_matrix_authentication_service["comms/matrix-authentication-service (Service)"] + host_matrix_live_bstein_dev --> svc_comms_matrix_authentication_service + wl_comms_matrix_authentication_service["comms/matrix-authentication-service (Deployment)"] + svc_comms_matrix_authentication_service --> wl_comms_matrix_authentication_service + host_matrix_live_bstein_dev --> svc_comms_matrix_wellknown + host_matrix_live_bstein_dev --> svc_comms_othrys_synapse_matrix_synapse + svc_comms_matrix_guest_register["comms/matrix-guest-register (Service)"] + host_matrix_live_bstein_dev --> svc_comms_matrix_guest_register + wl_comms_matrix_guest_register["comms/matrix-guest-register (Deployment)"] + svc_comms_matrix_guest_register --> wl_comms_matrix_guest_register + host_monero_bstein_dev["monero.bstein.dev"] + svc_crypto_monerod["crypto/monerod (Service)"] + host_monero_bstein_dev --> svc_crypto_monerod + wl_crypto_monerod["crypto/monerod (Deployment)"] + svc_crypto_monerod --> wl_crypto_monerod + host_office_bstein_dev["office.bstein.dev"] + svc_nextcloud_collabora["nextcloud/collabora (Service)"] + host_office_bstein_dev --> svc_nextcloud_collabora + wl_nextcloud_collabora["nextcloud/collabora (Deployment)"] + svc_nextcloud_collabora --> wl_nextcloud_collabora + host_pegasus_bstein_dev["pegasus.bstein.dev"] + svc_jellyfin_pegasus["jellyfin/pegasus (Service)"] + host_pegasus_bstein_dev --> svc_jellyfin_pegasus + wl_jellyfin_pegasus["jellyfin/pegasus (Deployment)"] + svc_jellyfin_pegasus --> wl_jellyfin_pegasus + host_scm_bstein_dev["scm.bstein.dev"] + svc_gitea_gitea["gitea/gitea (Service)"] + host_scm_bstein_dev --> svc_gitea_gitea + 
wl_gitea_gitea["gitea/gitea (Deployment)"] + svc_gitea_gitea --> wl_gitea_gitea + host_secret_bstein_dev["secret.bstein.dev"] + svc_vault_vault["vault/vault (Service)"] + host_secret_bstein_dev --> svc_vault_vault + wl_vault_vault["vault/vault (StatefulSet)"] + svc_vault_vault --> wl_vault_vault + host_sso_bstein_dev["sso.bstein.dev"] + svc_sso_keycloak["sso/keycloak (Service)"] + host_sso_bstein_dev --> svc_sso_keycloak + wl_sso_keycloak["sso/keycloak (Deployment)"] + svc_sso_keycloak --> wl_sso_keycloak + host_stream_bstein_dev["stream.bstein.dev"] + svc_jellyfin_jellyfin["jellyfin/jellyfin (Service)"] + host_stream_bstein_dev --> svc_jellyfin_jellyfin + wl_jellyfin_jellyfin["jellyfin/jellyfin (Deployment)"] + svc_jellyfin_jellyfin --> wl_jellyfin_jellyfin + host_vault_bstein_dev["vault.bstein.dev"] + svc_vaultwarden_vaultwarden_service["vaultwarden/vaultwarden-service (Service)"] + host_vault_bstein_dev --> svc_vaultwarden_vaultwarden_service + wl_vaultwarden_vaultwarden["vaultwarden/vaultwarden (Deployment)"] + svc_vaultwarden_vaultwarden_service --> wl_vaultwarden_vaultwarden + + subgraph bstein_dev_home[bstein-dev-home] + svc_bstein_dev_home_bstein_dev_home_frontend + wl_bstein_dev_home_bstein_dev_home_frontend + svc_bstein_dev_home_bstein_dev_home_backend + wl_bstein_dev_home_bstein_dev_home_backend + svc_bstein_dev_home_chat_ai_gateway + wl_bstein_dev_home_chat_ai_gateway + end + subgraph comms[comms] + svc_comms_matrix_wellknown + wl_comms_matrix_wellknown + svc_comms_element_call + wl_comms_element_call + svc_comms_livekit_token_service + wl_comms_livekit_token_service + svc_comms_livekit + wl_comms_livekit + svc_comms_othrys_element_element_web + wl_comms_othrys_element_element_web + svc_comms_othrys_synapse_matrix_synapse + wl_comms_othrys_synapse_matrix_synapse + svc_comms_matrix_authentication_service + wl_comms_matrix_authentication_service + svc_comms_matrix_guest_register + wl_comms_matrix_guest_register + end + subgraph crypto[crypto] + 
svc_crypto_monerod + wl_crypto_monerod + end + subgraph gitea[gitea] + svc_gitea_gitea + wl_gitea_gitea + end + subgraph jellyfin[jellyfin] + svc_jellyfin_pegasus + wl_jellyfin_pegasus + svc_jellyfin_jellyfin + wl_jellyfin_jellyfin + end + subgraph jenkins[jenkins] + svc_jenkins_jenkins + wl_jenkins_jenkins + end + subgraph longhorn_system[longhorn-system] + svc_longhorn_system_oauth2_proxy_longhorn + wl_longhorn_system_oauth2_proxy_longhorn + end + subgraph mailu_mailserver[mailu-mailserver] + svc_mailu_mailserver_mailu_front + end + subgraph nextcloud[nextcloud] + svc_nextcloud_nextcloud + wl_nextcloud_nextcloud + svc_nextcloud_collabora + wl_nextcloud_collabora + end + subgraph sso[sso] + svc_sso_oauth2_proxy + wl_sso_oauth2_proxy + svc_sso_keycloak + wl_sso_keycloak + end + subgraph vault[vault] + svc_vault_vault + wl_vault_vault + end + subgraph vaultwarden[vaultwarden] + svc_vaultwarden_vaultwarden_service + wl_vaultwarden_vaultwarden + end diff --git a/services/comms/kustomization.yaml b/services/comms/kustomization.yaml index 393be76..99b0b4a 100644 --- a/services/comms/kustomization.yaml +++ b/services/comms/kustomization.yaml 
@@ -1,5 +1,46 @@
 # services/comms/kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: comms
 resources:
 - namespace.yaml
+ - atlasbot-rbac.yaml
+ - synapse-rendered.yaml
+ - synapse-signingkey-ensure-job.yaml
+ - synapse-seeder-admin-ensure-job.yaml
+ - mas-configmap.yaml
+ - mas-admin-client-secret-ensure-job.yaml
+ - mas-deployment.yaml
+ - element-rendered.yaml
+ - livekit-config.yaml
+ - livekit.yaml
+ - coturn.yaml
+ - livekit-token-deployment.yaml
+ - livekit-ingress.yaml
+ - livekit-middlewares.yaml
+ - element-call-config.yaml
+ - element-call-deployment.yaml
+ - reset-othrys-room-job.yaml
+ - bstein-force-leave-job.yaml
+ - pin-othrys-job.yaml
+ - guest-name-job.yaml
+ - guest-register-configmap.yaml
+ - guest-register-deployment.yaml
+ - guest-register-service.yaml
+ - matrix-ingress.yaml
+ - atlasbot-configmap.yaml
+ - atlasbot-deployment.yaml
+ - seed-othrys-room.yaml
+ - wellknown.yaml
+
+patches:
+ - path: synapse-deployment-strategy-patch.yaml
+
+configMapGenerator:
+ - name: atlas-kb
+ files:
+ - INDEX.md=knowledge/INDEX.md
+ - atlas.json=knowledge/catalog/atlas.json
+ - atlas-summary.json=knowledge/catalog/atlas-summary.json
+ - runbooks.json=knowledge/catalog/runbooks.json
+ - atlas-http.mmd=knowledge/diagrams/atlas-http.mmd
diff --git a/services/communication/livekit-config.yaml b/services/comms/livekit-config.yaml
similarity index 93%
rename from services/communication/livekit-config.yaml
rename to services/comms/livekit-config.yaml
index c39c783..8b977a4 100644
--- a/services/communication/livekit-config.yaml
+++ b/services/comms/livekit-config.yaml
@@ -1,4 +1,4 @@
-# services/communication/livekit-config.yaml
+# services/comms/livekit-config.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
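Review bot: The configMapGenerator entries now read `knowledge/INDEX.md` and the four catalog/diagram files relative to services/comms/, but nothing visible in this change adds a `services/comms/knowledge` directory, so the build fails with a missing-file error unless that directory (or a symlink to the repository-level knowledge/) already exists. If it is a symlink, kustomize's default load restrictor rejects files that resolve outside the kustomization root, which is presumably why the old `../../knowledge/...` form was dropped; a one-line comment above `configMapGenerator:` stating where `knowledge/` comes from and what keeps it in sync (e.g. `# knowledge/ mirrors ../../knowledge; refreshed by <sync job, placeholder>`) would make the dependency visible to the next reader. Replacing `patchesStrategicMerge` with `patches` is correct, since the former is deprecated.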
diff --git a/services/communication/livekit-ingress.yaml b/services/comms/livekit-ingress.yaml similarity index 90% rename from services/communication/livekit-ingress.yaml rename to services/comms/livekit-ingress.yaml index c6f1dae..ba30ae3 100644 --- a/services/communication/livekit-ingress.yaml +++ b/services/comms/livekit-ingress.yaml @@ -1,9 +1,8 @@ -# services/communication/livekit-ingress.yaml +# services/comms/livekit-ingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: livekit-ingress - namespace: communication annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/router.entrypoints: websecure diff --git a/services/communication/livekit-middlewares.yaml b/services/comms/livekit-middlewares.yaml similarity index 88% rename from services/communication/livekit-middlewares.yaml rename to services/comms/livekit-middlewares.yaml index 76632fc..f1b74ed 100644 --- a/services/communication/livekit-middlewares.yaml +++ b/services/comms/livekit-middlewares.yaml @@ -1,9 +1,8 @@ -# services/communication/livekit-middlewares.yaml +# services/comms/livekit-middlewares.yaml apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: livekit-sfu-strip - namespace: communication spec: stripPrefix: prefixes: @@ -13,7 +12,6 @@ apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: livekit-jwt-strip - namespace: communication spec: stripPrefix: prefixes: @@ -23,7 +21,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: livekit-jwt-ingress - namespace: communication annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/router.entrypoints: websecure diff --git a/services/communication/livekit-token-deployment.yaml b/services/comms/livekit-token-deployment.yaml similarity index 96% rename from services/communication/livekit-token-deployment.yaml rename to services/comms/livekit-token-deployment.yaml index f9d1a87..1b4cdca 100644 
--- a/services/communication/livekit-token-deployment.yaml +++ b/services/comms/livekit-token-deployment.yaml @@ -1,4 +1,4 @@ -# services/communication/livekit-token-deployment.yaml +# services/comms/livekit-token-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: diff --git a/services/communication/livekit.yaml b/services/comms/livekit.yaml similarity index 99% rename from services/communication/livekit.yaml rename to services/comms/livekit.yaml index 6de11e4..46d57f8 100644 --- a/services/communication/livekit.yaml +++ b/services/comms/livekit.yaml @@ -1,4 +1,4 @@ -# services/communication/livekit.yaml +# services/comms/livekit.yaml apiVersion: apps/v1 kind: Deployment metadata: diff --git a/services/communication/mas-admin-client-secret-ensure-job.yaml b/services/comms/mas-admin-client-secret-ensure-job.yaml similarity index 97% rename from services/communication/mas-admin-client-secret-ensure-job.yaml rename to services/comms/mas-admin-client-secret-ensure-job.yaml index ff8d282..3843877 100644 --- a/services/communication/mas-admin-client-secret-ensure-job.yaml +++ b/services/comms/mas-admin-client-secret-ensure-job.yaml @@ -1,4 +1,4 @@ -# services/communication/mas-admin-client-secret-ensure-job.yaml +# services/comms/mas-admin-client-secret-ensure-job.yaml apiVersion: v1 kind: ServiceAccount metadata: diff --git a/services/communication/mas-configmap.yaml b/services/comms/mas-configmap.yaml similarity index 97% rename from services/communication/mas-configmap.yaml rename to services/comms/mas-configmap.yaml index ea5c33c..a41ebeb 100644 --- a/services/communication/mas-configmap.yaml +++ b/services/comms/mas-configmap.yaml @@ -1,9 +1,8 @@ -# services/communication/mas-configmap.yaml +# services/comms/mas-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: matrix-authentication-service-config - namespace: communication data: config.yaml: | http: 
diff --git a/services/communication/mas-deployment.yaml b/services/comms/mas-deployment.yaml similarity index 97% rename from services/communication/mas-deployment.yaml rename to services/comms/mas-deployment.yaml index 7034fc7..ed88328 100644 --- a/services/communication/mas-deployment.yaml +++ b/services/comms/mas-deployment.yaml @@ -1,9 +1,8 @@ -# services/communication/mas-deployment.yaml +# services/comms/mas-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: matrix-authentication-service - namespace: communication labels: app: matrix-authentication-service spec: @@ -139,7 +138,6 @@ apiVersion: v1 kind: Service metadata: name: matrix-authentication-service - namespace: communication spec: selector: app: matrix-authentication-service diff --git a/services/communication/mas-ingress.yaml b/services/comms/matrix-ingress.yaml similarity index 50% rename from services/communication/mas-ingress.yaml rename to services/comms/matrix-ingress.yaml index b6e4bda..caaa593 100644 --- a/services/communication/mas-ingress.yaml +++ b/services/comms/matrix-ingress.yaml 
@@ -1,50 +1,41 @@
-# services/communication/mas-ingress.yaml
+# services/comms/matrix-ingress.yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- name: matrix-authentication-service
- namespace: communication
+ name: matrix-routing
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
 cert-manager.io/cluster-issuer: letsencrypt
 spec:
+ ingressClassName: traefik
 tls:
 - hosts:
 - matrix.live.bstein.dev
 secretName: matrix-live-tls
+ - hosts:
+ - live.bstein.dev
+ secretName: live-othrys-tls
+ # Consolidated Matrix routing: MAS for auth/UI, Synapse for Matrix APIs, guest-register for guest joins.
 rules:
 - host: matrix.live.bstein.dev
 http:
 paths:
- - path: /
+ - path: /_matrix/client/v3/register
 pathType: Prefix
 backend:
 service:
- name: matrix-authentication-service
+ name: matrix-guest-register
+ port:
+ number: 8080
+ - path: /_matrix/client/r0/register
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-guest-register
 port:
 number: 8080
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: matrix-authentication-service-compat
- namespace: communication
- annotations:
- kubernetes.io/ingress.class: traefik
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.tls: "true"
- cert-manager.io/cluster-issuer: letsencrypt
-spec:
- tls:
- - hosts:
- - matrix.live.bstein.dev
- secretName: matrix-live-tls
- rules:
- - host: matrix.live.bstein.dev
- http:
- paths:
 - path: /_matrix/client/v3/login
 pathType: Prefix
 backend:
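Review bot: The `Prefix` matches on `/_matrix/client/v3/register` and `/_matrix/client/r0/register` also capture every sub-path, e.g. `/_matrix/client/v3/register/available` and `/_matrix/client/v3/register/email/requestToken`, and send them to matrix-guest-register instead of Synapse, so unless that service answers them, clients probing those endpoints get its error response rather than the homeserver's. The same two rules existed in the deleted guest-register-ingress.yaml, so this is carried forward rather than introduced here; if only the bare registration POST is meant to be intercepted, `pathType: Exact` on both entries keeps the sub-paths on Synapse. Separately, `kubernetes.io/ingress.class: traefik` is kept alongside the newly added `ingressClassName: traefik`; the annotation is deprecated in favour of the field, so one of the two should go. The rule list continues in the next hunk.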
@@ -66,3 +57,34 @@ spec:
 name: matrix-authentication-service
 port:
 number: 8080
+ - path: /_matrix
+ pathType: Prefix
+ backend:
+ service:
+ name: othrys-synapse-matrix-synapse
+ port:
+ number: 8008
+ - path: /_synapse
+ pathType: Prefix
+ backend:
+ service:
+ name: othrys-synapse-matrix-synapse
+ port:
+ number: 8008
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-authentication-service
+ port:
+ number: 8080
+ - host: live.bstein.dev
+ http:
+ paths:
+ - path: /_matrix
+ pathType: Prefix
+ backend:
+ service:
+ name: othrys-synapse-matrix-synapse
+ port:
+ number: 8008
diff --git a/services/communication/pin-othrys-job.yaml b/services/comms/pin-othrys-job.yaml
similarity index 99%
rename from services/communication/pin-othrys-job.yaml
rename to services/comms/pin-othrys-job.yaml
index b0a4c4d..c42c815 100644
--- a/services/communication/pin-othrys-job.yaml
+++ b/services/comms/pin-othrys-job.yaml
@@ -1,4 +1,4 @@
-# services/communication/pin-othrys-job.yaml
+# services/comms/pin-othrys-job.yaml
 apiVersion: batch/v1
 kind: CronJob
 metadata:
diff --git a/services/communication/reset-othrys-room-job.yaml b/services/comms/reset-othrys-room-job.yaml
similarity index 99%
rename from services/communication/reset-othrys-room-job.yaml
rename to services/comms/reset-othrys-room-job.yaml
index e282b44..1ae22ca 100644
--- a/services/communication/reset-othrys-room-job.yaml
+++ b/services/comms/reset-othrys-room-job.yaml
@@ -1,4 +1,4 @@
-# services/communication/reset-othrys-room-job.yaml
+# services/comms/reset-othrys-room-job.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
diff --git a/services/communication/seed-othrys-room.yaml b/services/comms/seed-othrys-room.yaml
similarity index 99%
rename from services/communication/seed-othrys-room.yaml
rename to services/comms/seed-othrys-room.yaml
index a80b388..5085aa3 100644
--- a/services/communication/seed-othrys-room.yaml
+++ b/services/comms/seed-othrys-room.yaml
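Review bot: The `/_synapse` prefix on matrix.live.bstein.dev publishes the whole `/_synapse/admin` API to the internet as well as the `/_synapse/client` endpoints that MAS and OIDC flows need; the Helm ingress removed in synapse-rendered.yaml had the same rule, so this is carried forward rather than new, but Synapse's reverse-proxy guidance is to expose only `/_matrix` and `/_synapse/client` publicly, so narrowing this entry to `- path: /_synapse/client` cuts the reachable surface without affecting auth. The removed Helm ingress also answered `/.well-known/matrix` on live.bstein.dev, whereas the new live.bstein.dev rule covers only `/_matrix`; since values-synapse.yaml sets `serverName: live.bstein.dev`, federation and client discovery rely on `/.well-known/matrix/server` and `/client` being served at that host, and the hosts of the pre-existing matrix-wellknown ingresses are outside the visible hunks, so please confirm one of them handles live.bstein.dev (bstein.dev is covered by the new ingress in wellknown.yaml). Traefik's ingress provider assigns router priority by rule length by default, so the `/` catch-all to MAS should not shadow the longer prefixes.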
@@ -1,4 +1,4 @@ -# services/communication/seed-othrys-room.yaml +# services/comms/seed-othrys-room.yaml apiVersion: batch/v1 kind: CronJob metadata: diff --git a/services/communication/synapse-deployment-strategy-patch.yaml b/services/comms/synapse-deployment-strategy-patch.yaml similarity index 74% rename from services/communication/synapse-deployment-strategy-patch.yaml rename to services/comms/synapse-deployment-strategy-patch.yaml index 0a795c6..59b8e32 100644 --- a/services/communication/synapse-deployment-strategy-patch.yaml +++ b/services/comms/synapse-deployment-strategy-patch.yaml @@ -1,4 +1,4 @@ -# services/communication/synapse-deployment-strategy-patch.yaml +# services/comms/synapse-deployment-strategy-patch.yaml apiVersion: apps/v1 kind: Deployment metadata: diff --git a/services/communication/synapse-rendered.yaml b/services/comms/synapse-rendered.yaml similarity index 91% rename from services/communication/synapse-rendered.yaml rename to services/comms/synapse-rendered.yaml index 9155044..aa6c9d8 100644 --- a/services/communication/synapse-rendered.yaml +++ b/services/comms/synapse-rendered.yaml @@ -5,7 +5,6 @@ kind: ServiceAccount automountServiceAccountToken: true metadata: name: othrys-synapse-redis - namespace: "communication" labels: app.kubernetes.io/instance: othrys-synapse app.kubernetes.io/managed-by: Helm @@ -57,7 +56,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: othrys-synapse-redis-configuration - namespace: "communication" labels: app.kubernetes.io/instance: othrys-synapse app.kubernetes.io/managed-by: Helm @@ -89,7 +87,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: othrys-synapse-redis-health - namespace: "communication" labels: app.kubernetes.io/instance: othrys-synapse app.kubernetes.io/managed-by: Helm @@ -196,7 +193,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: othrys-synapse-redis-scripts - namespace: "communication" labels: app.kubernetes.io/instance: othrys-synapse app.kubernetes.io/managed-by: Helm 
@@ -313,12 +309,6 @@ data: ## Registration ## enable_registration: false - modules: - - module: guest_register.GuestRegisterModule - config: - shared_secret: "@@GUEST_REGISTER_SECRET@@" - header_name: x-guest-register-secret - path: /_matrix/_guest_register ## Metrics ### @@ -415,7 +405,6 @@ apiVersion: v1 kind: Service metadata: name: othrys-synapse-redis-headless - namespace: "communication" labels: app.kubernetes.io/instance: othrys-synapse app.kubernetes.io/managed-by: Helm @@ -439,7 +428,6 @@ apiVersion: v1 kind: Service metadata: name: othrys-synapse-redis-master - namespace: "communication" labels: app.kubernetes.io/instance: othrys-synapse app.kubernetes.io/managed-by: Helm @@ -511,7 +499,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: othrys-synapse-redis-master - namespace: "communication" labels: app.kubernetes.io/instance: othrys-synapse app.kubernetes.io/managed-by: Helm @@ -708,7 +695,6 @@ spec: export OIDC_CLIENT_SECRET_ESCAPED=$(echo "${OIDC_CLIENT_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \ export TURN_SECRET_ESCAPED=$(echo "${TURN_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \ export MAS_SHARED_SECRET_ESCAPED=$(echo "${MAS_SHARED_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \ - export GUEST_REGISTER_SECRET_ESCAPED=$(echo "${GUEST_REGISTER_SECRET:-}" | sed 's/[\\/&]/\\&/g') && \ export MACAROON_SECRET_KEY_ESCAPED=$(echo "${MACAROON_SECRET_KEY:-}" | sed 's/[\\/&]/\\&/g') && \ cat /synapse/secrets/*.yaml | \ sed -e "s/@@POSTGRES_PASSWORD@@/${POSTGRES_PASSWORD:-}/" \ 
@@ -725,9 +711,6 @@ spec: if [ -n "${MAS_SHARED_SECRET_ESCAPED}" ]; then \ sed -i "s/@@MAS_SHARED_SECRET@@/${MAS_SHARED_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \ fi; \ - if [ -n "${GUEST_REGISTER_SECRET_ESCAPED}" ]; then \ - sed -i "s/@@GUEST_REGISTER_SECRET@@/${GUEST_REGISTER_SECRET_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \ - fi; \ if [ -n "${MACAROON_SECRET_KEY_ESCAPED}" ]; then \ sed -i "s/@@MACAROON_SECRET_KEY@@/${MACAROON_SECRET_KEY_ESCAPED}/g" /synapse/runtime-config/homeserver.yaml; \ fi @@ -760,18 +743,11 @@ spec: secretKeyRef: name: mas-secrets-runtime key: matrix_shared_secret - - name: GUEST_REGISTER_SECRET - valueFrom: - secretKeyRef: - name: guest-register-shared-secret-runtime - key: secret - name: MACAROON_SECRET_KEY valueFrom: secretKeyRef: name: synapse-macaroon key: macaroon_secret_key - - name: PYTHONPATH - value: /synapse/modules image: "ghcr.io/element-hq/synapse:v1.144.0" imagePullPolicy: IfNotPresent securityContext: @@ -808,9 +784,6 @@ spec: mountPath: /synapse/config/conf.d - name: secrets mountPath: /synapse/secrets - - name: modules - mountPath: /synapse/modules - readOnly: true - name: signingkey mountPath: /synapse/keys - name: media @@ -831,12 +804,6 @@ spec: - name: secrets secret: secretName: othrys-synapse-matrix-synapse - - name: modules - configMap: - name: synapse-guest-register-module - items: - - key: guest_register.py - path: guest_register.py - name: signingkey secret: secretName: "othrys-synapse-signingkey" 
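Review bot: Dropping the `GUEST_REGISTER_SECRET` env entry removes the last visible consumer of the `guest-register-shared-secret-runtime` Secret, but that Secret (and `synapse-guest-appservice-runtime` from the other deleted ensure job) was created imperatively with `kubectl create secret` inside a Job rather than declared as a Flux-managed resource, so Flux's prune removes the Jobs and their RBAC and leaves the Secrets behind in `comms`. They should be deleted explicitly, e.g. `kubectl -n comms delete secret guest-register-shared-secret-runtime synapse-guest-appservice-runtime`, so stale credentials do not linger; and if the appservice registration was ever listed in Synapse's `app_service_config_files`, that entry needs removing as well or its as_token/hs_token remain valid. The init-container script these hunks edit starts outside the visible lines.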
@@ -866,73 +833,6 @@ spec:
 - rpi4
 weight: 50
 ---
-# Source: matrix-synapse/templates/ingress.yaml
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: othrys-synapse-matrix-synapse
- labels:
- helm.sh/chart: matrix-synapse-3.12.17
- app.kubernetes.io/name: matrix-synapse
- app.kubernetes.io/instance: othrys-synapse
- app.kubernetes.io/version: "1.144.0"
- app.kubernetes.io/managed-by: Helm
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
-spec:
- ingressClassName: traefik
- tls:
- - hosts:
- - "matrix.live.bstein.dev"
- - "live.bstein.dev"
- secretName: matrix-live-tls
- rules:
- - host: "live.bstein.dev"
- http:
- paths:
- - path: /_matrix
- backend:
- service:
- name: othrys-synapse-matrix-synapse
- port:
- number: 8008
- pathType: Prefix
- - path: /.well-known/matrix
- backend:
- service:
- name: othrys-synapse-matrix-synapse
- port:
- number: 8008
- pathType: Prefix
- - host: "matrix.live.bstein.dev"
- http:
- paths:
- - path: /_matrix
- backend:
- service:
- name: othrys-synapse-matrix-synapse
- port:
- number: 8008
- pathType: Prefix
- - path: /_synapse
- backend:
- service:
- name: othrys-synapse-matrix-synapse
- port:
- number: 8008
- pathType: Prefix
- - host: "bstein.dev"
- http:
- paths:
- - path: /.well-known/matrix
- backend:
- service:
- name: othrys-synapse-matrix-synapse
- port:
- number: 8008
- pathType: Prefix
----
 # Source: matrix-synapse/templates/signing-key-job.yaml
 apiVersion: v1
 kind: ServiceAccount
diff --git a/services/communication/synapse-seeder-admin-ensure-job.yaml b/services/comms/synapse-seeder-admin-ensure-job.yaml
similarity index 93%
rename from services/communication/synapse-seeder-admin-ensure-job.yaml
rename to services/comms/synapse-seeder-admin-ensure-job.yaml
index b21f573..0885722 100644
--- a/services/communication/synapse-seeder-admin-ensure-job.yaml
+++ b/services/comms/synapse-seeder-admin-ensure-job.yaml
@@ -1,4 +1,4 @@ -# services/communication/synapse-seeder-admin-ensure-job.yaml +# services/comms/synapse-seeder-admin-ensure-job.yaml apiVersion: batch/v1 kind: Job metadata: diff --git a/services/communication/synapse-signingkey-ensure-job.yaml b/services/comms/synapse-signingkey-ensure-job.yaml similarity index 95% rename from services/communication/synapse-signingkey-ensure-job.yaml rename to services/comms/synapse-signingkey-ensure-job.yaml index 06e8fa8..a76948d 100644 --- a/services/communication/synapse-signingkey-ensure-job.yaml +++ b/services/comms/synapse-signingkey-ensure-job.yaml @@ -1,4 +1,4 @@ -# services/communication/synapse-signingkey-ensure-job.yaml +# services/comms/synapse-signingkey-ensure-job.yaml apiVersion: batch/v1 kind: Job metadata: diff --git a/services/communication/values-element.yaml b/services/comms/values-element.yaml similarity index 96% rename from services/communication/values-element.yaml rename to services/comms/values-element.yaml index 9ab91de..b8c7d87 100644 --- a/services/communication/values-element.yaml +++ b/services/comms/values-element.yaml @@ -1,4 +1,4 @@ -# services/communication/values-element.yaml +# services/comms/values-element.yaml replicaCount: 1 defaultServer: diff --git a/services/communication/values-synapse.yaml b/services/comms/values-synapse.yaml similarity index 98% rename from services/communication/values-synapse.yaml rename to services/comms/values-synapse.yaml index 7df16b6..650d0e8 100644 --- a/services/communication/values-synapse.yaml +++ b/services/comms/values-synapse.yaml @@ -1,4 +1,4 @@ -# services/communication/values-synapse.yaml +# services/comms/values-synapse.yaml serverName: live.bstein.dev publicServerName: matrix.live.bstein.dev diff --git a/services/communication/wellknown.yaml b/services/comms/wellknown.yaml similarity index 82% rename from services/communication/wellknown.yaml rename to services/comms/wellknown.yaml index d09ce27..601bafa 100644 
--- a/services/communication/wellknown.yaml
+++ b/services/comms/wellknown.yaml
@@ -1,9 +1,8 @@
-# services/communication/wellknown.yaml
+# services/comms/wellknown.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: matrix-wellknown
- namespace: communication
 data:
 client.json: |
 {
@@ -30,7 +29,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: matrix-wellknown-nginx
- namespace: communication
 data:
 default.conf: |
 server {
@@ -57,7 +55,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: matrix-wellknown
- namespace: communication
 labels:
 app: matrix-wellknown
 spec:
@@ -102,7 +99,6 @@ apiVersion: v1
 kind: Service
 metadata:
 name: matrix-wellknown
- namespace: communication
 spec:
 selector:
 app: matrix-wellknown
@@ -115,7 +111,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: matrix-wellknown
- namespace: communication
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -149,7 +144,6 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: matrix-wellknown-matrix-live
- namespace: communication
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
@@ -177,3 +171,36 @@ spec:
 name: matrix-wellknown
 port:
 number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: matrix-wellknown-bstein-dev
+ annotations:
+ kubernetes.io/ingress.class: traefik
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ tls:
+ - hosts:
+ - bstein.dev
+ secretName: bstein-dev-home-tls
+ rules:
+ - host: bstein.dev
+ http:
+ paths:
+ - path: /.well-known/matrix/client
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-wellknown
+ port:
+ number: 80
+ - path: /.well-known/matrix/server
+ pathType: Prefix
+ backend:
+ service:
+ name: matrix-wellknown
+ port:
+ number: 80
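Review bot: The new `matrix-wellknown-bstein-dev` ingress sets `secretName: bstein-dev-home-tls`, but Secrets are namespaced, so this names a separate `comms/bstein-dev-home-tls`, not the certificate presumably held under that name by the bstein-dev-home namespace; with the `cert-manager.io/cluster-issuer` annotation, cert-manager will request a second bstein.dev certificate into comms, which counts against Let's Encrypt's duplicate-certificate limit on every renewal and leaves Traefik with two certificates for one host. A comms-local name (e.g. `secretName: matrix-wellknown-bstein-dev-tls`, name illustrative) makes ownership explicit; if the intent was to reuse the existing certificate, it has to be copied into comms by some reflector, which this change does not add. The `/.well-known/matrix/client` and `/server` prefixes match what the removed Synapse Helm ingress served for bstein.dev, so discovery coverage on that host is preserved.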
diff --git a/services/communication/guest-register-ingress.yaml b/services/communication/guest-register-ingress.yaml deleted file mode 100644 index c3f38c1..0000000 --- a/services/communication/guest-register-ingress.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# services/communication/guest-register-ingress.yaml -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: matrix-guest-register - annotations: - kubernetes.io/ingress.class: traefik - traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.tls: "true" - cert-manager.io/cluster-issuer: letsencrypt -spec: - tls: - - hosts: - - matrix.live.bstein.dev - secretName: matrix-live-tls - rules: - - host: matrix.live.bstein.dev - http: - paths: - - path: /_matrix/client/v3/register - pathType: Prefix - backend: - service: - name: matrix-guest-register - port: - number: 8080 - - path: /_matrix/client/r0/register - pathType: Prefix - backend: - service: - name: matrix-guest-register - port: - number: 8080 - diff --git a/services/communication/guest-register-shared-secret-ensure-job.yaml b/services/communication/guest-register-shared-secret-ensure-job.yaml deleted file mode 100644 index 06f2440..0000000 --- a/services/communication/guest-register-shared-secret-ensure-job.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -# services/communication/guest-register-shared-secret-ensure-job.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: guest-register-secret-writer - namespace: comms ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: guest-register-secret-writer - namespace: comms -rules: - - apiGroups: [""] - resources: ["secrets"] - resourceNames: ["guest-register-shared-secret-runtime"] - verbs: ["get", "patch", "update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: guest-register-secret-writer - namespace: comms -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: guest-register-secret-writer -subjects: - - kind: ServiceAccount - name: guest-register-secret-writer - namespace: comms ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: guest-register-shared-secret-ensure-1 - namespace: comms -spec: - backoffLimit: 2 - template: - spec: - serviceAccountName: guest-register-secret-writer - restartPolicy: OnFailure - volumes: - - name: work - emptyDir: {} - initContainers: - - name: generate - image: alpine:3.20 - command: ["/bin/sh", "-c"] - args: - - | - set -euo pipefail - umask 077 - dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n' > /work/secret - chmod 0644 /work/secret - volumeMounts: - - name: work - mountPath: /work - containers: - - name: write - image: bitnami/kubectl:latest - command: ["/bin/sh", "-c"] - args: - - | - set -euo pipefail - if kubectl -n comms get secret guest-register-shared-secret-runtime >/dev/null 2>&1; then - if kubectl -n comms get secret guest-register-shared-secret-runtime -o jsonpath='{.data.secret}' 2>/dev/null | grep -q .; then - exit 0 - fi - else - kubectl -n comms create secret generic guest-register-shared-secret-runtime \ - --from-file=secret=/work/secret >/dev/null - exit 0 - fi - - secret_b64="$(base64 /work/secret | tr -d '\n')" - 
payload="$(printf '{\"data\":{\"secret\":\"%s\"}}' \"${secret_b64}\")" - kubectl -n comms patch secret guest-register-shared-secret-runtime --type=merge -p \"${payload}\" >/dev/null - volumeMounts: - - name: work - mountPath: /work - diff --git a/services/communication/kustomization.yaml b/services/communication/kustomization.yaml deleted file mode 100644 index d2352b8..0000000 --- a/services/communication/kustomization.yaml +++ /dev/null @@ -1,49 +0,0 @@ -# services/communication/kustomization.yaml -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: comms -resources: - - atlasbot-rbac.yaml - - synapse-rendered.yaml - - synapse-signingkey-ensure-job.yaml - - synapse-seeder-admin-ensure-job.yaml - - synapse-guest-appservice-secret-ensure-job.yaml - - guest-register-shared-secret-ensure-job.yaml - - synapse-guest-register-module-configmap.yaml - - mas-configmap.yaml - - mas-admin-client-secret-ensure-job.yaml - - mas-deployment.yaml - - mas-ingress.yaml - - element-rendered.yaml - - livekit-config.yaml - - livekit.yaml - - coturn.yaml - - livekit-token-deployment.yaml - - livekit-ingress.yaml - - livekit-middlewares.yaml - - element-call-config.yaml - - element-call-deployment.yaml - - reset-othrys-room-job.yaml - - bstein-force-leave-job.yaml - - pin-othrys-job.yaml - - guest-name-job.yaml - - guest-register-configmap.yaml - - guest-register-deployment.yaml - - guest-register-service.yaml - - guest-register-ingress.yaml - - atlasbot-configmap.yaml - - atlasbot-deployment.yaml - - seed-othrys-room.yaml - - wellknown.yaml - -patchesStrategicMerge: - - synapse-deployment-strategy-patch.yaml - -configMapGenerator: - - name: atlas-kb - files: - - INDEX.md=../../knowledge/INDEX.md - - atlas.json=../../knowledge/catalog/atlas.json - - atlas-summary.json=../../knowledge/catalog/atlas-summary.json - - runbooks.json=../../knowledge/catalog/runbooks.json - - atlas-http.mmd=../../knowledge/diagrams/atlas-http.mmd 
diff --git a/services/communication/synapse-guest-appservice-secret-ensure-job.yaml b/services/communication/synapse-guest-appservice-secret-ensure-job.yaml deleted file mode 100644 index 6dd8564..0000000 --- a/services/communication/synapse-guest-appservice-secret-ensure-job.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -# services/communication/synapse-guest-appservice-secret-ensure-job.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: synapse-guest-appservice-secret-writer - namespace: comms ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: synapse-guest-appservice-secret-writer - namespace: comms -rules: - - apiGroups: [""] - resources: ["secrets"] - resourceNames: ["synapse-guest-appservice-runtime"] - verbs: ["get", "patch", "update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: synapse-guest-appservice-secret-writer - namespace: comms -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: synapse-guest-appservice-secret-writer -subjects: - - kind: ServiceAccount - name: synapse-guest-appservice-secret-writer - namespace: comms ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: synapse-guest-appservice-secret-ensure-1 - namespace: comms -spec: - backoffLimit: 2 - template: - spec: - serviceAccountName: synapse-guest-appservice-secret-writer - restartPolicy: OnFailure - volumes: - - name: work - emptyDir: {} - initContainers: - - name: generate - image: alpine:3.20 - command: ["/bin/sh", "-c"] - args: - - | - set -euo pipefail - umask 077 - AS_TOKEN="$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" - HS_TOKEN="$(dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" - - printf '%s' "${AS_TOKEN}" > /work/as_token - printf '%s' "${HS_TOKEN}" > /work/hs_token - - cat > /work/registration.yaml </dev/null 2>&1; then - if kubectl -n comms get secret synapse-guest-appservice-runtime -o jsonpath='{.data.registration\.yaml}' 2>/dev/null | grep -q .; then - exit 0 - fi - else - kubectl -n comms create secret generic synapse-guest-appservice-runtime \ - --from-file=registration.yaml=/work/registration.yaml \ - --from-file=as_token=/work/as_token \ - 
--from-file=hs_token=/work/hs_token >/dev/null - exit 0 - fi - - reg_b64="$(base64 /work/registration.yaml | tr -d '\n')" - as_b64="$(base64 /work/as_token | tr -d '\n')" - hs_b64="$(base64 /work/hs_token | tr -d '\n')" - - payload="$(printf '{\"data\":{\"registration.yaml\":\"%s\",\"as_token\":\"%s\",\"hs_token\":\"%s\"}}' \"${reg_b64}\" \"${as_b64}\" \"${hs_b64}\")" - kubectl -n comms patch secret synapse-guest-appservice-runtime --type=merge -p \"${payload}\" >/dev/null - volumeMounts: - - name: work - mountPath: /work - diff --git a/services/communication/synapse-guest-register-module-configmap.yaml b/services/communication/synapse-guest-register-module-configmap.yaml deleted file mode 100644 index 3afb3d9..0000000 --- a/services/communication/synapse-guest-register-module-configmap.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -# services/communication/synapse-guest-register-module-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: synapse-guest-register-module -data: - guest_register.py: | - import secrets - import random - - import synapse.api.auth - from synapse.api.errors import Codes, SynapseError - from synapse.http.server import DirectServeJsonResource - from synapse.http.servlet import parse_json_object_from_request - from synapse.types import UserID, create_requester - - - class GuestRegisterResource(DirectServeJsonResource): - def __init__(self, hs, shared_secret: str, header_name: str): - super().__init__(clock=hs.get_clock()) - self._hs = hs - self._shared_secret = shared_secret - self._header_name = header_name - - self._adj = ["brisk", "calm", "eager", "gentle", "merry", "nifty", "rapid", "sunny", "witty", "zesty"] - self._noun = ["otter", "falcon", "comet", "ember", "grove", "harbor", "meadow", "raven", "river", "summit"] - - async def _async_render_POST(self, request): # noqa: N802 - provided = request.requestHeaders.getRawHeaders(self._header_name) - if not provided or not secrets.compare_digest(provided[0], self._shared_secret): - raise SynapseError(403, "Forbidden", errcode=Codes.FORBIDDEN) - - body = parse_json_object_from_request(request) - initial_device_display_name = body.get("initial_device_display_name") - if not isinstance(initial_device_display_name, str): - initial_device_display_name = None - - reg = self._hs.get_registration_handler() - address = request.getClientAddress().host - - user_id = await reg.register_user(make_guest=True, address=address) - - device_id = synapse.api.auth.GUEST_DEVICE_ID - device_id, access_token, valid_until_ms, refresh_token = await reg.register_device( - user_id, - device_id, - initial_device_display_name, - is_guest=True, - ) - - displayname = body.get("displayname") - if not isinstance(displayname, str) or not displayname.strip(): - displayname = 
f"{random.choice(self._adj)}-{random.choice(self._noun)}" - - try: - requester = create_requester(user_id, is_guest=True, device_id=device_id) - await self._hs.get_profile_handler().set_displayname( - UserID.from_string(user_id), - requester, - displayname, - propagate=False, - ) - except Exception: - pass - - result = { - "user_id": user_id, - "device_id": device_id, - "access_token": access_token, - "home_server": self._hs.hostname, - } - - if valid_until_ms is not None: - result["expires_in_ms"] = valid_until_ms - self._hs.get_clock().time_msec() - - if refresh_token is not None: - result["refresh_token"] = refresh_token - - return 200, result - - - class GuestRegisterModule: - def __init__(self, config, api): - shared_secret = config["shared_secret"] - header_name = config.get("header_name", "x-guest-register-secret") - path = config.get("path", "/_matrix/_guest_register") - - hs = api._hs # noqa: SLF001 - api.register_web_resource(path, GuestRegisterResource(hs, shared_secret, header_name))