Update Path A: remove AdGuard/Media stack, add excluded Neo services, add network topology note

2026-05-30 00:17:41 -04:00
parent 4c293987d4
commit 44a3c4cf24


@@ -9,7 +9,7 @@
## Path A: "Iron Stack Blueprint" — $149
### What You Are Selling
Your swarm topology decisions as a deployable reference for homelabers: sanitized compose files, network diagram, port allocation table, AdGuard → Technitium forwarding logic, and the "deploy in this exact order or it breaks" decision tree. Homelabers fail at the intersection of DNS, reverse proxy, and monitoring — you solved it.
Your swarm topology decisions as a deployable reference for homelabers: sanitized compose files, network diagram, port allocation table, Technitium DNS resolution logic, and the "deploy in this exact order or it breaks" decision tree. Homelabers fail at the intersection of DNS, reverse proxy, and monitoring — you solved it.
### Why It Sells
- Homelab subreddit has 2M+ members. Every week someone posts: *"What do you use for reverse proxy + DNS + monitoring?"* You hand them the answer for $149.
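Review bot: the rewritten pitch line says "Technitium DNS resolution logic" while the matching checklist deliverable in the next hunk reads "DNS resolution diagram (Technitium authoritative → upstream)"; use one phrasing in both places (for example "Technitium authoritative DNS → upstream resolution logic") so the sales copy and the delivered artifact describe the same thing. Minor: "Homelabers" appears twice in this hunk and is normally spelled "homelabbers".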
@@ -85,13 +85,20 @@ Your ansible-pull CI/CD pattern as a standalone template: systemd auto-update ti
## Content Checklist
### Path A: Iron Stack Blueprint
- [ ] Sanitized compose files (Traefik, AdGuard, Technitium, Prometheus, Beszel, Portainer, Homepage)
- [ ] Sanitized compose files (Traefik, Technitium, Prometheus, Node Exporter, Beszel Hub, Portainer CE, Dozzle, Homepage)
- [ ] Port allocation table (reserved + why)
- [ ] Deploy order decision tree (with rollback steps)
- [ ] DNS forwarding chain diagram (Technitium → AdGuard → upstream)
- [ ] "Common failure modes" appendix (port collision, socket permissions, label constraints)
- [ ] DNS resolution diagram (Technitium authoritative → upstream)
- [ ] "Common failure modes" appendix (port collision, `systemd-resolved` disable, socket permissions, label constraints)
- [ ] 2-min Loom walkthrough
**Explicitly NOT in this blueprint:**
- **Media stack** (Jellyfin, Sonarr, Radarr, Prowlarr) — hosted on a separate storage device outside the swarm
- **Nextcloud AIO** — runs on Neo (Nebuchadnezzar), exposed via NetBird, not part of the swarm
- **Vaultwarden** — runs on Neo (Nebuchadnezzar), exposed via NetBird, not part of the swarm
- **Dockhand** — runs on Neo (Nebuchadnezzar), exposed via NetBird, not part of the swarm
- **Trilium Notes** — runs on Neo (Nebuchadnezzar), exposed via NetBird, not part of the swarm
### Path B: Fleet Bootstrap Toolkit
- [ ] Ansible-pull playbook (generic)
- [ ] Node-join wrapper script
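Review bot: the four "Explicitly NOT in this blueprint" bullets for Nextcloud AIO, Vaultwarden, Dockhand and Trilium Notes repeat "runs on Neo (Nebuchadnezzar), exposed via NetBird, not part of the swarm" verbatim; collapse them into one bullet such as `- **Neo-hosted services** (Nextcloud AIO, Vaultwarden, Dockhand, Trilium Notes) — run on Neo (Nebuchadnezzar), exposed via NetBird, not part of the swarm`. Also, the compose list now adds Dozzle and Portainer CE, both of which work by mounting the Docker socket, so the "socket permissions" entry in the failure-modes appendix should say which sanitized compose files mount the socket and whether the mount is read-only, since a buyer deploying those files is granting those containers control of the Docker host and should know it. The new `systemd-resolved` disable item is really the port 53 collision case for Technitium; cross-reference it from the deploy-order decision tree so the rollback step re-enables `systemd-resolved`.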
@@ -102,6 +109,18 @@ Your ansible-pull CI/CD pattern as a standalone template: systemd auto-update ti
---
## Network Topology Note
The Iron Legion fleet uses **two distinct overlay networks** with zero overlap:
- **Tailscale (`100.x.x.x`)** — Strictly for admin/management traffic. Used by Artemis (AI Foreman), Mark44 (Ollama backend), Mark5 (research agent), and MK7 (swarm manager) for SSH access, monitoring, and agent orchestration. Not exposed to end-user services.
- **NetBird (`100.x.x.x`, separate tailnet)** — Used for user-facing services on Neo: Nextcloud AIO, Vaultwarden, Dockhand, and Trilium Notes. These services are reachable by crew members via NetBird, not Tailscale. Separate tailnet from the Tailscale mesh; both use CGNAT `100.x.x.x` ranges.
- **LAN (`192.168.0.0/18`)** — Fleet subnet via Beryl router. Swarm nodes (MK3342, MK7) communicate here. External services on Neo do NOT bridge into this subnet.
**Implication for the blueprint buyer:** The Swarm stack (Path A) is entirely self-contained on the LAN segment. Technitium handles internal DNS. Traefik routes HTTP internally. If a buyer wants NetBird-style user-facing services, those are a separate deployment pattern not covered here.
---
## Notes
- All content derived from live Iron Legion fleet. Sanitized before publication per Commander approval.
- One-and-done digital products. No support obligation. Optional $19/mo update tier if demand confirmed.
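Review bot: "two distinct overlay networks with zero overlap" is undercut two lines later, where both meshes are described as using CGNAT `100.x.x.x`; either list the actual prefix each mesh allocates from, or state explicitly that no host (Neo included) runs both the Tailscale and NetBird clients, otherwise a reader cannot verify the no-overlap claim and a dual-joined host would get conflicting `100.x.x.x` routes. "separate tailnet" is Tailscale's own term; for the NetBird bullet say "separate mesh" or "separate NetBird network". Also confirm `192.168.0.0/18` is the intended LAN mask rather than a `/24`: a `/18` spans 192.168.0.0 through 192.168.63.255, which is unusual for a single router segment and would affect any firewall or Traefik allow-list the blueprint buyer copies.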