v2 topology: Neo dual-homed — Tailscale for SSH mgmt, NetBird for services; clarify service isolation

2026-05-30 00:58:03 -04:00
parent aa729590cf
commit c2833e72d2
3 changed files with 25 additions and 15 deletions


@@ -125,7 +125,7 @@ The Iron Legion fleet runs **two completely separate mesh VPN overlays** managed
2. **Same CGNAT range does not mean same network.** Both Tailscale and NetBird default to `100.64.0.0/10` for overlay addressing, but devices on one cannot reach devices on the other. The coordination servers (Tailscale Inc. cloud vs. NetBird cloud/self-hosted) are completely isolated. 2. **Same CGNAT range does not mean same network.** Both Tailscale and NetBird default to `100.64.0.0/10` for overlay addressing, but devices on one cannot reach devices on the other. The coordination servers (Tailscale Inc. cloud vs. NetBird cloud/self-hosted) are completely isolated.
3. **Neo is the boundary.** Neo runs the NetBird client for user-facing services. Neo does **not** participate in the Tailscale tailnet. User-facing services are isolated from the admin/management plane by design. 3. **Neo is dual-homed but services are intentionally isolated.** Neo runs the Tailscale client so Artemis can SSH-manage the node. Neo also runs the NetBird client — but the services (Nextcloud, Vaultwarden, Dockhand, Trilium) are exposed **only** through NetBird. They are intentionally unreachable via Tailscale or LAN. This is the boundary between admin and user planes.
4. **The Swarm stack (Path A) is LAN-contained.** Traefik on MK7 routes HTTP internally. Technitium handles LAN DNS. Neither Tailscale nor NetBird is required for the blueprint buyer's stack to function. 4. **The Swarm stack (Path A) is LAN-contained.** Traefik on MK7 routes HTTP internally. Technitium handles LAN DNS. Neither Tailscale nor NetBird is required for the blueprint buyer's stack to function.
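Review bot: item 3's new wording says the services are "intentionally unreachable via Tailscale or LAN" but never says what enforces that. With both clients on one host, reachability is decided by where the service ports are bound and by Neo's own firewall, not by the two overlays being separate; name the mechanism (publish the Compose ports on the NetBird address only, or drop inbound to those ports on the Tailscale and LAN interfaces) so a reader can verify it. Two follow-ons deserve a sentence each: whoever has Tailscale SSH to Neo has admin access on the host that runs the services, so the admin plane still contains the user plane; and item 2's claim that "devices on one cannot reach devices on the other" now depends on Neo not forwarding or advertising routes between its two overlay interfaces, and on no peer address in the shared `100.64.0.0/10` range existing in both overlays, since Neo would hold two routes for it.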


@@ -1,37 +1,39 @@
flowchart TB flowchart TB
subgraph TAILSCALE["🛡️ Tailscale Overlay — Tailscale Inc. (Admin/Management)"] subgraph TAILSCALE["🛡️ TAILSCALE OVERLAY — Tailscale Inc. (Admin/Management)"]
direction TB direction TB
TSCOORD["Tailscale Coordination Server<br/>(proprietary SaaS)"] TSCOORD["Tailscale Coordination Server<br/>(proprietary SaaS)"]
TSART["🤖 Artemis (AI Foreman)<br/>100.100.97.18"] TSART["🤖 Artemis (AI Foreman)<br/>100.100.97.18"]
TSM44["🔧 Mark44 (Ollama)<br/>100.75.26.83"] TSM44["🔧 Mark44 (Ollama)<br/>100.75.26.83"]
TSM5["📚 Mark5 (Research)<br/>100.118.67.105"] TSM5["📚 Mark5 (Research)<br/>100.118.67.105"]
TSM7["⚡ MK7 Swarm Manager<br/>100.66.70.51"] TSM7["⚡ MK7 Swarm Manager<br/>100.66.70.51"]
TSNEO["🖥️ Neo (SSH mgmt only)<br/>Tailscale IP — admin access"]
end end
subgraph NETBIRD["🕊️ NetBird Overlay — WireTrustee SA (User-facing)"] subgraph NETBIRD["🕊️ NETBIRD OVERLAY — WireTrustee SA (User-facing)"]
direction TB direction TB
NBCOORD["NetBird Coordination Server<br/>(cloud or self-hosted)"] NBCOORD["NetBird Coordination Server<br/>(cloud or self-hosted)"]
NBNEO["🖥️ Neo (Nebuchadnezzar)<br/>100.92.224.74"] NBNEO["🖥️ Neo (Service host)<br/>NetBird IP — user access"]
NBNC["☁️ Nextcloud AIO"] NBNC["☁️ Nextcloud AIO"]
NBVW["🔐 Vaultwarden"] NBVW["🔐 Vaultwarden"]
NBDOCK["🐳 Dockhand"] NBDOCK["🐳 Dockhand"]
NBTRIL["📝 Trilium Notes"] NBTRIL["📝 Trilium Notes"]
end end
subgraph LAN["🏠 LAN Backbone — Beryl Router (OpenWrt)"] subgraph LAN["🏠 LAN BACKBONE — Beryl Router (OpenWrt)"]
direction TB direction TB
BERYL["🌐 Beryl 7<br/>Gateway + DHCP<br/>192.168.0.0/18"] BERYL["🌐 Beryl 7<br/>Gateway + DHCP<br/>192.168.0.0/18"]
MK7LAN["⚡ MK7<br/>Traefik | Technitium | Prometheus<br/>Beszel Hub | Portainer CE | Dozzle | Homepage<br/>192.168.7.7"] MK7LAN["⚡ MK7<br/>Traefik · Technitium · Prometheus<br/>Beszel Hub · Portainer CE · Dozzle · Homepage<br/>Node Exporter (global)<br/>192.168.7.7"]
WORKERS["🔩 MK33 / MK34 / MK39 / MK42<br/>Swarm Workers (G9 nodes)<br/>192.168.0.x"] WORKERS["🔩 MK33 · MK34 · MK39 · MK42<br/>Swarm Workers (G9 nodes)<br/>192.168.0.x"]
end end
%% Tailscale connections %% Tailscale mesh
TSCOORD ---|"admin mesh<br/>WireGuard tunnel"| TSART TSCOORD ---|"admin mesh<br/>WireGuard tunnel"| TSART
TSCOORD ---|"admin mesh"| TSM44 TSCOORD ---|"admin mesh"| TSM44
TSCOORD ---|"admin mesh"| TSM5 TSCOORD ---|"admin mesh"| TSM5
TSCOORD ---|"admin mesh"| TSM7 TSCOORD ---|"admin mesh"| TSM7
TSCOORD ---|"admin mesh"| TSNEO
%% NetBird connections %% NetBird mesh
NBCOORD ---|"user mesh<br/>WireGuard tunnel"| NBNEO NBCOORD ---|"user mesh<br/>WireGuard tunnel"| NBNEO
NBNEO ---|"Docker Compose"| NBNC NBNEO ---|"Docker Compose"| NBNC
NBNEO ---|"Docker Compose"| NBVW NBNEO ---|"Docker Compose"| NBVW
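Review bot: NBNEO loses its concrete address (`100.92.224.74` on the removed side) for the placeholder "NetBird IP — user access", and TSNEO is added with "Tailscale IP — admin access" beside four Tailscale nodes that keep their real addresses; either redact overlay addresses consistently or keep the concrete values, otherwise the diagram can no longer be checked against `tailscale status` and `netbird status`. Also, "Node Exporter (global)" is listed only under MK7; if "global" means a Swarm global-mode service, one task runs on every node and the WORKERS box should show it too, or the label should say fleet-wide.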
@@ -43,11 +45,19 @@ flowchart TB
BERYL -.->|"DHCP lease"| WORKERS BERYL -.->|"DHCP lease"| WORKERS
MK7LAN ---|"swarm overlay"| WORKERS MK7LAN ---|"swarm overlay"| WORKERS
%% Cross-plane: management SSH from Tailscale to LAN %% Cross-plane: management SSH from Tailscale to LAN nodes
TSM7 --"SSH mgmt"--> MK7LAN
TSART --"SSH mgmt"--> MK7LAN TSART --"SSH mgmt"--> MK7LAN
TSART --"SSH mgmt"--> TSNEO
TSM7 --"SSH mgmt"--> MK7LAN
%% Neo dual-homed indicator
TSNEO -.->|"same physical host"| NBNEO
%% Isolation boundaries %% Isolation boundaries
NBNEO -.-x|"🔒 ISOLATED<br/>no route"| LAN NBNEO -.-x|"🔒 INTENTIONAL ISOLATION<br/>services NOT on Tailscale"| LAN
TSART -.-x|"🔒 ISOLATED<br/>no route"| NBNEO NBNEO -.-x|"🔒 INTENTIONAL ISOLATION<br/>services NOT on Tailscale"| TAILSCALE
TSM7 -.-x|"🔒 ISOLATED<br/>no route"| NBNEO TSART -.-x|"🔒 no route"| NBNEO
TSM7 -.-x|"🔒 no route"| NBNEO
style TSNEO fill:#2d3748,stroke:#63b3ed,stroke-width:2px,stroke-dasharray: 5 5
style NBNEO fill:#2d3748,stroke:#f6ad55,stroke-width:2px,stroke-dasharray: 5 5
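Review bot: the label on the first isolation edge does not match its target: `NBNEO -.-x|"🔒 INTENTIONAL ISOLATION<br/>services NOT on Tailscale"| LAN` points at the LAN subgraph but says "NOT on Tailscale"; this one should read "services NOT on LAN" (the identical text is correct on the next edge, whose target is TAILSCALE). The hunk also adds `TSNEO -.->|"same physical host"| NBNEO` right above `NBNEO -.-x ... TAILSCALE`, a link into the very subgraph the next line marks as no-route; that reads as a contradiction unless an edge label or caption says the isolation is at the service-port level (ports bound to the NetBird address only), not host-to-host. Minor: `TSM7 --"SSH mgmt"--> MK7LAN` is deleted and re-added unchanged two lines later, which is reordering noise in the diff.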

Third file: diff suppressed because one or more lines are too long (rendered image; 37 KiB before, 43 KiB after).