Files

Artemis (Iron Legion) d60bc96f1d Add homelab services stack PRD

Verifies 16 DockerHub images, assigns target nodes per locked policy,
defines 3-phase deployment order (Infra → Media → Polish),
and captures open questions for Bobby.

Services: Traefik, Technitium DNS, AdGuard Home, Prometheus, Grafana,
Beszel, Dozzle, Portainer, Homepage, Authelia, Vaultwarden, Jellyfin,
Sonarr, Radarr, Prowlarr, Nextcloud

Domain: *.ai.home
No public internet exposure.

2026-05-25 17:17:23 -04:00

2.3 KiB

Raw Blame History

Iron Legion Homelab Services Stack — Network Architecture

Ingress Flow

[Internet] → [Tailscale mesh] → [Mark5: Traefik] → [Target Node: Service Port]

Traefik Role

Single entrypoint. Every HTTP/HTTPS service routes through Traefik on Mark5.
Tailscale-native. Traefik binds to 0.0.0.0:80 and 0.0.0.0:443. No tailscale serve.
Service discovery via Docker labels. Each compose service exposes labels that Traefik reads from the Docker socket on Mark5.
Docker socket access restricted. Traefik mounts a read-only Docker socket. No other service gets socket access.

Internal Traffic Patterns

Source	Destination	Protocol	Port	Notes
Traefik (Mark5)	Any service	HTTP/HTTPS	Varies	Proxied via Tailscale IP
Beszel (Mark44)	Any node	HTTP	Varies	Agent polls HTTP metrics endpoints (read-only)
Prometheus (Mark44)	Any node	HTTP	9100 (node-exporter)	Scrapes node and container metrics
Prowlarr (Mark44)	Indexer sites	HTTPS	443	Outbound only
Sonarr/Radarr (Mark44)	Prowlarr	HTTP	9696	Internal indexer lookup
Nextcloud (Neo)	PostgreSQL (Bones)	TCP	5432	DB traffic over Tailscale

DNS Resolution

Technitium (Bones) is the authoritative internal DNS for *.ai.home.
AdGuard Home (Bones) handles recursive resolution with ad-block lists. Replaces Pi-hole.
Chain: Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) → Upstream (Cloudflare/Quad9)
Tailscale MagicDNS remains enabled as fallback. If Technitium fails, clients fall back to 100.x.x.x direct resolution.
AdGuard Home admin UI runs on port 3000 by default (separate from Grafana if co-located).

Port Allocation (Reserved)

Port	Service
53	DNS (Technitium / Pi-hole)
80/443	HTTP/S (Traefik)
3000	Grafana
9090	Prometheus
9000	Portainer
8096	Jellyfin
8989	Sonarr
7878	Radarr
9696	Prowlarr
8080	Authelia (default)

TLS Strategy

Internal: Traefik generates self-signed certs for *.labs.internal. Authelia can enforce client-cert if needed.
External: Not applicable per no-Tailscale-funnel constraint. If Bobby later wants public access, Let's Encrypt via DNS challenge (Technitium controls the zone).

2.3 KiB Raw Blame History

Iron Legion Homelab Services Stack — Network Architecture

Ingress Flow

Traefik Role

Internal Traffic Patterns

DNS Resolution

Port Allocation (Reserved)

TLS Strategy

2.3 KiB

Raw Blame History