ansible-pull-deploy/plans/09-open-questions.md
Artemis (Iron Legion) d60bc96f1d Add homelab services stack PRD
Verifies 16 DockerHub images, assigns target nodes per locked policy,
defines 3-phase deployment order (Infra → Media → Polish),
and captures open questions for Bobby.

Services: Traefik, Technitium DNS, AdGuard Home, Prometheus, Grafana,
Beszel, Dozzle, Portainer, Homepage, Authelia, Vaultwarden, Jellyfin,
Sonarr, Radarr, Prowlarr, Nextcloud

Domain: *.ai.home
No public internet exposure.
2026-05-25 17:17:23 -04:00


Iron Legion Homelab Services Stack — Open Questions & Blockers

Blocker Status

| # | Question | Impact | Default if Unresolved |
|---|----------|--------|-----------------------|
| 1 | Domain name: does Bobby own a domain (e.g., bobbysh.me), or do we use a private-use TLD (labs.internal)? | Critical: TLS certs, Authelia, and DNS all depend on this. | labs.internal with a self-signed private CA; the CA root cert must be installed on every client that will reach the services. |
| 2 | Technitium upstream: DoH, DoT, or plain UDP to the upstream resolver (e.g., Cloudflare 1.1.1.1)? | Low: can default to DoH. | DoH to https://cloudflare-dns.com/dns-query |
| 3 | Pi-hole vs Technitium conflict: both want port 53 on Bones. Run Pi-hole on a non-standard port with Technitium as conditional forwarder, or on separate nodes? | Critical: port 53 collision; only one process can bind UDP/53 on the same address. | Technitium on 53, Pi-hole on 5053 (e.g., by publishing host port 5053 to the container's port 53), with Technitium forwarding to Pi-hole. |
| 4 | Jellyfin media storage: external USB on Mark44? SMB share? NVMe? | Medium | External USB mounted at /media on Mark44 |
| 5 | Backup target on Bones: capacity? Dedicated drive? Rsync target path? | Medium | /backups/<service-name>/ on Bones secondary storage |
| 6 | Nextcloud database: use the existing PostgreSQL on Bones, or deploy Nextcloud AIO (bundled)? | Medium: affects resource allocation on Bones. | Deploy a standalone PostgreSQL container on Bones; Nextcloud AIO is too heavy. |
| 7 | GPU on Mark44: NVIDIA driver runtime for Jellyfin transcode? | Low: falls back to CPU transcode. | Use jellyfin/jellyfin with NVIDIA_VISIBLE_DEVICES set if the NVIDIA Container Toolkit is installed. |
| 8 | Notification routing: Discord webhook? SMTP? File only? | Low: the file default works. | File notifications in /opt/iron-legion/authelia/notifications/ |
| 9 | Tailscale ACL policy: a draft exists in Section 7. Bobby must review and apply it in the Tailscale admin console. | Low | Stay on the permissive default (Tailscale's allow-all policy) until Bobby approves; until then every device on the tailnet can reach every service port. |
| 10 | Beszel alert thresholds: CPU %, memory %, and disk % triggers are not defined. | Low | Defaults in the Beszel container |
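
The "labs.internal + self-signed CA" default in question 1 is easy to get wrong: a self-signed cert per service trains everyone to click through warnings, and a root that also serves as a leaf cannot be revoked without replacing every trust store. The script below is an added example, not part of this plan or any project code: it builds one private root, issues one wildcard leaf for *.labs.internal with the SAN and key-usage restrictions browsers and Traefik expect, and verifies the chain plus hostname the way a client would. The output directory and the CA subject name are assumptions; DOMAIN defaults to labs.internal from the table.

```bash
#!/usr/bin/env bash
# Private CA for the "labs.internal + self-signed CA" default of open question 1.
# One root, kept off the service hosts, signs one wildcard leaf that Traefik serves
# for every *.labs.internal name; clients trust ca.crt, never the leaf directly.
set -euo pipefail

DOMAIN="${DOMAIN:-labs.internal}"                      # default from question 1
OUT="${OUT:-${TMPDIR:-/tmp}/iron-legion-pki}"          # assumption: output directory

# san_ext <domain>: x509v3 extensions for the leaf. Modern clients ignore the CN and
# require a subjectAltName, so the wildcard lives there; basicConstraints=CA:FALSE and
# serverAuth stop the leaf from signing further certs or acting as a client identity.
san_ext() {
  local d="$1"
  printf 'basicConstraints=CA:FALSE\n'
  printf 'keyUsage=critical,digitalSignature\n'       # ECDSA: no keyEncipherment needed
  printf 'extendedKeyUsage=serverAuth\n'
  printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$d" "$d"
}

make_ca() {
  mkdir -p "$OUT"
  # EC P-256 root, 10-year validity. -nodes leaves the key unencrypted for automation:
  # move ca.key off the Docker hosts (offline or encrypted) once the leaf is issued.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Iron Legion Homelab CA" -days 3650 \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$OUT/ca.key" -out "$OUT/ca.crt"
  chmod 600 "$OUT/ca.key"
}

make_leaf() {
  local d="$1"
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=*.$d" -keyout "$OUT/wildcard.key" -out "$OUT/wildcard.csr"
  san_ext "$d" > "$OUT/wildcard.ext"
  # -extfile is what actually puts the SAN on the signed cert; extensions in the CSR are dropped.
  openssl x509 -req -in "$OUT/wildcard.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days 397 -extfile "$OUT/wildcard.ext" -out "$OUT/wildcard.crt"
  chmod 600 "$OUT/wildcard.key"
}

# verify_leaf <hostname>: chain + hostname check, the same test a browser performs.
verify_leaf() {
  openssl verify -CAfile "$OUT/ca.crt" -verify_hostname "$1" "$OUT/wildcard.crt" >/dev/null 2>&1
}

make_ca
make_leaf "$DOMAIN"
if verify_leaf "jellyfin.$DOMAIN"; then
  echo "jellyfin.$DOMAIN: chain and hostname OK (files in $OUT)"
else
  echo "verification failed" >&2
  exit 1
fi
```

Install ca.crt (only the root, never ca.key) in the trust store of each client; hand wildcard.crt and wildcard.key to Traefik. The wildcard covers exactly one label, so deep.sub.labs.internal needs its own SAN entry.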

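Question 3 is a blocker because two resolvers cannot share UDP/53 on the same address, and on a stock Ubuntu host a third party, systemd-resolved's stub listener on 127.0.0.53:53, is often already there. The preflight below is an added example, not part of this plan: it parses `ss -H -lunp` output to report which process holds a UDP port and checks the intended split (Technitium on 53, Pi-hole on 5053) before either container starts. The sample `ss` output is constructed, and the expected process names (docker-proxy for a published Technitium port, pihole-FTL for Pi-hole) are assumptions to adjust to how the containers are actually run.

```bash
#!/usr/bin/env bash
# Preflight for open question 3 (UDP/53 collision on Bones).
# Parses `ss -H -lunp` output so the Technitium/Pi-hole split (53 vs 5053) can be
# checked before either container is started.
set -euo pipefail

# port_holders <port>: reads `ss -H -lunp` lines on stdin and prints "<local-addr> <process>"
# for every UDP socket bound to <port>. Matching ":<port>$" keeps 5053 from matching 53.
port_holders() {
  local port="$1"
  awk -v p="$port" '
    $4 ~ (":" p "$") {
      proc = "unknown"
      # users:(("name",pid=N,fd=M)) -> name; the field is absent when ss runs unprivileged
      if (match($0, /users:\(\("[^"]*"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      print $4, proc
    }'
}

# port_free_for <port> <process>: succeeds when nothing other than <process> holds
# UDP/<port>. Nothing bound at all also counts as free.
port_free_for() {
  local port="$1" expected="$2" others
  others=$(port_holders "$port" | awk -v e="$expected" '$2 != e { print $2 }' | sort -u)
  [ -z "$others" ]
}

# Constructed sample of `ss -H -lunp` on an Ubuntu host where Pi-hole was moved to
# 5053 but systemd-resolved's stub listener on 127.0.0.53 was left enabled.
SAMPLE_SS='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=601,fd=13))
UNCONN 0 0 0.0.0.0:5053 0.0.0.0:* users:(("pihole-FTL",pid=2222,fd=5))
UNCONN 0 0 [::]:5053 [::]:* users:(("pihole-FTL",pid=2222,fd=6))'

# Intended holders (assumptions: Technitium published by docker-proxy, Pi-hole as pihole-FTL).
TECHNITIUM_PROC="${TECHNITIUM_PROC:-docker-proxy}"
PIHOLE_PROC="${PIHOLE_PROC:-pihole-FTL}"

# check <ss output>: one verdict line per port; returns 1 if either port is contested.
check() {
  local ss_out="$1" rc=0
  if printf '%s\n' "$ss_out" | port_free_for 53 "$TECHNITIUM_PROC"; then
    echo "UDP/53: free for Technitium"
  else
    echo "UDP/53: collision ->"; printf '%s\n' "$ss_out" | port_holders 53 | sed 's/^/  /'; rc=1
  fi
  if printf '%s\n' "$ss_out" | port_free_for 5053 "$PIHOLE_PROC"; then
    echo "UDP/5053: free for Pi-hole"
  else
    echo "UDP/5053: collision ->"; printf '%s\n' "$ss_out" | port_holders 5053 | sed 's/^/  /'; rc=1
  fi
  return $rc
}

if [ "${1:-}" = "--live" ]; then
  check "$(ss -H -lunp)"        # real host; run as root so process names are visible
else
  check "$SAMPLE_SS" || true    # demo on the constructed sample: flags systemd-resolved on 53
fi
```

Run it with `--live` on Bones before the Infra phase. If systemd-resolved shows up on 53, disable its stub listener (or bind Technitium to the LAN address only) rather than hoping Docker's port publish wins the race.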
Outstanding Decisions Required

  1. Pi-hole inclusion — Not in Bobby's original list. I added it as a DNS-layer complement to Technitium. Remove if Bobby doesn't want it.
  2. Authelia two-factor method — TOTP via app (Google Authenticator) vs WebAuthn/FIDO2 keys?
  3. Home vs remote access — If Bobby wants to share Jellyfin with friends/family outside Tailscale, a public domain plus an Authelia guard in front of Jellyfin is required. That reverses the current no-public-exposure assumption, so it needs an explicit decision rather than a default.