ansible-pull-deploy/plans/03-constraints.md
Artemis (Iron Legion) d60bc96f1d Add homelab services stack PRD
Verifies 16 DockerHub images, assigns target nodes per locked policy,
defines 3-phase deployment order (Infra → Media → Polish),
and captures open questions for Bobby.

Services: Traefik, Technitium DNS, AdGuard Home, Prometheus, Grafana,
Beszel, Dozzle, Portainer, Homepage, Authelia, Vaultwarden, Jellyfin,
Sonarr, Radarr, Prowlarr, Nextcloud

Domain: *.ai.home
No public internet exposure.
2026-05-25 17:17:23 -04:00


# Iron Legion Homelab Services Stack — Constraints

## Hard Constraints (Non-Negotiable)

  1. Bare metal over abstraction. Direct deployments preferred. Compose files are acceptable as orchestration glue, but no Docker Swarm mode, no Kubernetes, no abstraction layers Bobby cannot ssh into and debug.
  2. No nginx. Traefik is the sole edge router. No nginx reverse proxies, no nginx sidecars.
  3. No Tailscale serve/funnel. Services bind to 0.0.0.0 on their assigned node and are reachable via Tailscale mesh IP + port. No tailscale serve, no tailscale funnel.
  4. Node assignments locked. Services do not migrate between nodes without Bobby's explicit written direction.
  5. Patch upstream source when loopback/bind restrictions block direct deployment. Do not re-architect around the constraint.

## Node Assignment Policy (as of 2026-05-25)

| Node | Role | Services Assigned |
|------|------|-------------------|
| Neo | Services node | Nextcloud AIO, Vaultwarden, Portainer (UI/mgmt) |
| Bones | Infrastructure node | Paperclip + Ollama + PostgreSQL, Technitium DNS (infra DNS) |
| Mark44 (Hulkbuster) | Heavy-lifting / GPU | Monitoring stack (Prometheus, Grafana, Beszel), media apps with transcode (Jellyfin) |
| Mark5 (Suitcase) | Research / light-task | Traefik (edge router — lightweight, always-on), Homepage (lightweight dashboard) |
| Artemis | AI Foreman / JARVIS | Hermes Agent, Ansible-pull control plane |

## Soft Constraints (Bobby Approval Required to Override)

- Data residency: All persistent volumes live on-node. No NFS, no Ceph, no distributed storage unless explicitly approved.
- Secret management: No plain-text secrets in compose files. Use `.env` files with file mode 0600, or Vaultwarden if a secret store is needed.
- Backup cadence: Every service with persistent state must have a documented backup target. Default: daily rsync to Bones secondary storage.
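The hard constraints on Traefik-only routing (2) and 0.0.0.0 binding (3), together with the secret-management soft constraint above, can be checked mechanically before a compose file is pulled onto a node. The script below is an added example, not part of the plan or the ansible-pull-deploy repository: it lints a compose file for nginx images, loopback-bound port mappings and literal credential values, and checks that the companion `.env` file is mode 0600. The sample compose files and `.env` it writes are constructed for the demonstration, and the function names and the secret-key regex are assumptions.

```shell
#!/bin/sh
# Added example: lint a compose file and its .env against the stack constraints.
# Function names, regexes and sample files are assumptions for illustration.

# lint_compose FILE -> 0 if clean, 1 if any constraint violation is found.
lint_compose() {
    f="$1"
    rc=0
    # Hard constraint 2: Traefik is the sole edge router, no nginx anywhere.
    if grep -Eiq '^[[:space:]]*image:[[:space:]]*["'"'"']?nginx' "$f"; then
        echo "FAIL $f: nginx image (Traefik is the sole edge router)"; rc=1
    fi
    # Hard constraint 3: services bind 0.0.0.0 and are reached via the
    # Tailscale mesh IP; a loopback-only port mapping defeats that.
    if grep -Eq '(127\.0\.0\.1|localhost):[0-9]+:' "$f"; then
        echo "FAIL $f: loopback-bound port mapping (not reachable over Tailscale IP)"; rc=1
    fi
    # Soft constraint: no plain-text secrets. A credential-looking key with a
    # literal value fails; a ${VAR} reference to an .env entry passes.
    if grep -Eiq '^[[:space:]]*-?[[:space:]]*[A-Z_]*(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z_]*[=:][[:space:]]*[^$[:space:]]' "$f"; then
        echo "FAIL $f: plain-text secret value in compose file"; rc=1
    fi
    return $rc
}

# check_env_mode FILE -> 0 if the .env file is exactly mode 0600.
check_env_mode() {
    # GNU stat (Debian) first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "600" ]
}

# make_samples -> prints a temp dir holding constructed bad.yml, good.yml, .env
make_samples() {
    d=$(mktemp -d)
    cat > "$d/bad.yml" <<'EOF'
services:
  proxy:
    image: nginx:alpine
  db:
    image: postgres:16
    ports:
      - "127.0.0.1:5432:5432"
    environment:
      - POSTGRES_PASSWORD=hunter2
EOF
    cat > "$d/good.yml" <<'EOF'
services:
  db:
    image: postgres:16
    ports:
      - "0.0.0.0:5432:5432"
    env_file: .env
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
EOF
    # Constructed placeholder value, not a real credential.
    printf 'POSTGRES_PASSWORD=placeholder-change-me\n' > "$d/.env"
    chmod 600 "$d/.env"
    echo "$d"
}

# Demo run over the constructed samples; prints one line per finding.
dir=$(make_samples)
lint_compose "$dir/bad.yml" || echo "bad.yml: violations found"
lint_compose "$dir/good.yml" && echo "good.yml: clean"
check_env_mode "$dir/.env" && echo ".env: mode 0600 ok"
```

The loopback check encodes only constraint 3; "no public internet exposure" is a property of the node's firewall and Tailscale mesh, not of the compose file, so the script does not try to prove it. Run it as a pre-flight step in the ansible-pull play before `docker compose up` on the assigned node.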

## Environment Assumptions

- All nodes run Debian Trixie or compatible.
- Docker Engine (not Docker Desktop) is installed on all target nodes.
- Tailscale is up and meshed. All inter-node traffic is over Tailscale IPs.
- `docker compose` plugin (v2) available, not legacy `docker-compose` standalone.