v2 topology: Neo dual-homed — Tailscale for SSH mgmt, NetBird for services; clarify service isolation

2026-05-30 00:58:03 -04:00
parent aa729590cf
commit c2833e72d2
3 changed files with 25 additions and 15 deletions


@@ -125,7 +125,7 @@ The Iron Legion fleet runs **two completely separate mesh VPN overlays** managed
2. **Same CGNAT range does not mean same network.** Both Tailscale and NetBird default to `100.64.0.0/10` for overlay addressing, but devices on one cannot reach devices on the other. The coordination servers (Tailscale Inc. cloud vs. NetBird cloud/self-hosted) are completely isolated.
3. **Neo is the boundary.** Neo runs the NetBird client for user-facing services. Neo does **not** participate in the Tailscale tailnet. User-facing services are isolated from the admin/management plane by design.
3. **Neo is dual-homed but services are intentionally isolated.** Neo runs the Tailscale client so Artemis can SSH-manage the node. Neo also runs the NetBird client — but the services (Nextcloud, Vaultwarden, Dockhand, Trilium) are exposed **only** through NetBird. They are intentionally unreachable via Tailscale or LAN. This is the boundary between admin and user planes.
4. **The Swarm stack (Path A) is LAN-contained.** Traefik on MK7 routes HTTP internally. Technitium handles LAN DNS. Neither Tailscale nor NetBird is required for the blueprint buyer's stack to function.
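Review bot: the new item 3 makes Neo a member of both overlays, which undercuts item 2's claim that devices on one mesh "cannot reach devices on the other": a host running both the Tailscale and NetBird clients is exactly the place where cross-overlay reachability could arise (IP forwarding, advertised subnet routes, exit-node or routing features on either client), and the text names no control that prevents it. Likewise, "They are intentionally unreachable via Tailscale or LAN" states an intent but not the mechanism. Suggest adding, in item 3 or as a note under it, what actually enforces the isolation on Neo (for example, services bound only to the NetBird address, or host firewall rules dropping traffic to those service ports from the Tailscale interface and the LAN), a statement that forwarding and route advertisement are disabled on Neo, and a short verification step so a reader can confirm the boundary holds rather than trusting the "by design" wording; item 2's "cannot reach" could then be qualified with a reference to that control.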