DNS topology: AdGuard removed, Technitium authoritative + DoT + ad blocking

- Remove AdGuard Home from all service catalogs, deployment phases,
  persistence tables, and network architecture docs
- Update Technitium notes: authoritative .ai.home zone, recursive resolver,
  DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking
- Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout)
- Add dns-topology.md: complete DNS architecture diagram, zone details,
  client assignments, Tailscale integration, troubleshooting table,
  migration history (AdGuard deployed → paused → removed)
2026-05-29 21:01:24 -04:00
parent a7e70726eb
commit 484b2e6272
11 changed files with 179 additions and 22 deletions


@@ -76,7 +76,7 @@ This PRD is append-only for new services. Modifications to existing entries requ
| Node | Role | Services Assigned |
|------|------|-------------------|
| **MK7 (mark-vii.ai.home)** | Swarm Manager | ALL Phase 1 infrastructure: Traefik, Technitium DNS, AdGuard Home, Portainer, Prometheus, Beszel, Dozzle, Authelia, Homepage |
| **MK7 (mark-vii.ai.home)** | Swarm Manager | ALL Phase 1 infrastructure: Traefik, Technitium DNS, Portainer, Prometheus, Beszel, Dozzle, Authelia, Homepage |
| **MK33, MK34, MK39, MK42** | Swarm Workers | Phase 2 media stack (Jellyfin, Sonarr, Radarr, Prowlarr), distributed workloads, Vaultwarden, Nextcloud |
| **Artemis** | AI Foreman / JARVIS | Hermes Agent, Ansible-pull control plane — NOT a service host |
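Review bot: With AdGuard Home dropped from the MK7 row, every layer of name resolution (authoritative `.ai.home`, recursion, and ad blocking) now lives in the single Technitium container on the Swarm Manager, so this row describes a single point of failure for DNS across the lab; the table should say what clients fall back to when MK7 or that container is down (the fallback noted elsewhere in this diff is Tailscale MagicDNS) or whether a second resolver is planned, otherwise "ALL Phase 1 infrastructure" reads as a availability gap rather than a design choice.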
@@ -116,8 +116,8 @@ This PRD is append-only for new services. Modifications to existing entries requ
| Service | Image | Pulls | Stars | Updated | Placement | Notes |
|---------|-------|-------|-------|---------|-----------|-------|
| **Traefik** | `traefik` | 3.49B | 3,634 | 2026-05-13 | **Global** | Every node receives ingress routing + Docker socket read-only |
| **Technitium DNS** | `technitium/dns-server` | 8.99M | 156 | 2026-05-09 | **Manager Constraint** | Single authoritative DNS — port 53 on MK7 only |
| **AdGuard Home** | `adguard/adguardhome` | 170.7M | 1,408 | 2026-05-25 | **Replicated (1)** | Single replica on MK7 — port 3000 |
| **Technitium DNS** | `technitium/dns-server` | 8.99M | 156 | 2026-05-09 | **Manager Constraint** | Authoritative `.ai.home` + recursive DNS with DoT forwarder to Cloudflare, ad blocking enabled — port 53 on MK7 only |
| **~~AdGuard Home~~** | ~~`adguard/adguardhome`~~ | ~~170.7M~~ | ~~1,408~~ | ~~2026-05-25~~ | ~~**Removed**~~ | ~~Replaced by Technitium built-in ad blocking~~ |
### Monitoring / Observability
| Service | Image | Pulls | Stars | Updated | Placement | Notes |
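Review bot: The new Technitium notes say only "DoT forwarder to Cloudflare" and "ad blocking enabled", while the commit message names the actual upstream as `tls://1.1.1.1`; record the exact forwarder endpoint and the blocklist source in the Notes column so the catalog can be checked against the running config, since an operator verifying that outbound DNS really goes over TLS needs the endpoint, not the vendor name. Minor: the struck-through AdGuard row puts "Removed" in the Placement column, which otherwise holds placement constraints; a separate status column or a footnote would keep the table's columns meaning one thing each.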
@@ -192,21 +192,22 @@ This PRD is append-only for new services. Modifications to existing entries requ
|-----------|--------|--------|
| **Technitium (MK7)** | ✅ Deployed | Container running, port 53/5380 open |
| **`*.ai.home` zone** | ⏳ Pending | Not yet configured as authoritative — Tailscale MagicDNS currently handles name resolution |
| **AdGuard Home (MK7)** | ✅ Active | Recursive resolver + blocklists on port 3000. Replaces Pi-hole. |
| **Technitium DNS (MK7)** | ✅ Active | Authoritative `.ai.home` + recursive resolver + ad blocking on port 53. |
| **~~AdGuard Home~~** | ~~Removed~~ | ~~Replaced by Technitium built-in ad blocking~~ |
**Planned Chain (not yet active):**
```
Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) → Upstream (Cloudflare/Quad9)
Client → Technitium (authoritative `.ai.home`? → return local record) → Technitium (recursive resolver + blocklist) → Cloudflare DoT / Root Servers
```
**Current Fallback:** Tailscale MagicDNS provides `*.ai.home` resolution via Tailscale IP addresses. Technitium will assume authority once zone records are populated.
- **AdGuard Home admin UI** runs on port 3000.
- **Technitium DNS admin UI** runs on port 5380.
## Port Allocation (Reserved)
| Port | Service |
|------|---------|
| 53 | DNS (Technitium / AdGuard) |
| 53 | DNS (Technitium) |
| 80/443 | HTTP/S (Traefik) |
| 3000 | Grafana |
| 9090 | Prometheus |
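Review bot: The new "Technitium DNS (MK7) | ✅ Active | Authoritative `.ai.home` + recursive resolver + ad blocking" row contradicts the unchanged `*.ai.home` zone row two lines above, which still reads "⏳ Pending | Not yet configured as authoritative", and contradicts "Planned Chain (not yet active)" and the "Current Fallback" paragraph that says Technitium "will assume authority once zone records are populated"; either the zone row and chain heading should flip to active in this commit or the status row should say recursive + ad blocking active, authoritative pending. Two leftovers also survive the removal: the unchanged bullet "**AdGuard Home admin UI** runs on port 3000" should go (and port 3000 is already reserved for Grafana in the table below, so it also resolves a port clash on paper), and the new chain line ends in "Cloudflare DoT / Root Servers", which leaves it unclear whether Technitium is a forwarder to `tls://1.1.1.1` or a full recursive resolver hitting the roots; pick one, since the two have different privacy and outbound-traffic implications.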
@@ -242,7 +243,7 @@ Every service with persistent state uses **bind mounts to on-node directories**.
|---------|-----------|---------------|---------------|
| **Traefik** | `/opt/iron-legion/traefik/config/` `/opt/iron-legion/traefik/certs/` | MK7 (daily rsync) | < 50 MB |
| **Technitium DNS** | `/opt/iron-legion/technitium/config/` | MK7 | < 10 MB |
| **AdGuard Home** | `/opt/iron-legion/adguard/work/` `/opt/iron-legion/adguard/conf/` | MK7 | \u003c 500 MB |
| **~~AdGuard Home~~** | ~~`/opt/iron-legion/adguard/work/`~~ ~~`/opt/iron-legion/adguard/conf/`~~ | ~~Removed~~ | ~~N/A~~ |
| **Prometheus** | `/opt/iron-legion/prometheus/data/` | MK7 (retention: 15d local, 90d backup) | 520 GB |
| **Grafana** | `/opt/iron-legion/grafana/data/` | MK7 | < 500 MB |
| **Beszel** | `/opt/iron-legion/beszel/data/` | MK7 | < 1 GB |
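Review bot: The struck-through AdGuard row leaves `/opt/iron-legion/adguard/work/` and `/opt/iron-legion/adguard/conf/` (previously estimated at < 500 MB) on MK7 with no decommission step; add a note that the directories and any bind mount were removed or explicitly retained, so stale config is not left on the manager. Also, the Technitium row's backup column says only "MK7", the same node that hosts it, whereas Traefik has "MK7 (daily rsync)"; now that this directory carries the authoritative zone and the blocklist config, it should state an off-node copy or the doc should say why none is needed.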
@@ -331,7 +332,8 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/
| Order | Service | Target Node | Why First | Dependencies |
|-------|---------|-------------|-----------|--------------|
| 1 | **Technitium DNS** | MK7 | Name resolution for internal services | None |
| 2 | **AdGuard Home** | MK7 | Recursive DNS + ad-block | Technitium (via conditional forwarding) |
| 2 | **Technitium DNS** | MK7 | Authoritative + recursive + ad-block | N/A — single service |
| ~~AdGuard Home~~ | ~~Removed~~ | ~~—~~ | ~~Technitium replaces AdGuard~~ |
| 3 | **Traefik** | MK7 | Edge router for all HTTP ingress | DNS (needs `*.labs.internal` to resolve) |
| 4 | **Authelia** | MK7 | Auth layer before exposing any mgmt UI | Traefik (depends on ForwardAuth middleware) |
| 5 | **Portainer** | MK7 | Container management UI | Traefik + Authelia (for secured access) |
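Review bot: Order 1 and order 2 now both read "**Technitium DNS** | MK7", so the table lists the same service twice; merge them into one row (or leave order 2 as the struck-through AdGuard entry only) and renumber, since "Why First" for row 2 is just a restatement of row 1. The struck-through AdGuard row has four cells against a five-column header, which will render misaligned. Separately, row 3 still says Traefik "needs `*.labs.internal` to resolve", while every other line in this diff uses `.ai.home`; if `labs.internal` is a stale domain, change it here, otherwise the Technitium zone list should include it.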
@@ -395,7 +397,7 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/
| 10 | **Beszel alert thresholds** — CPU %, memory %, disk % triggers not defined. | Low | Defaults in Beszel container |
## Outstanding Decisions Required
1. ~~Pi-hole inclusion~~**Resolved.** AdGuard Home replaces Pi-hole in Phase 1. Removed from catalog.
1. ~~Pi-hole inclusion~~**Resolved.** Technitium built-in ad blocking replaces Pi-hole.
2. **Authelia two-factor method** — TOTP via app (Google Authenticator) vs WebAuthn/FIDO2 keys?
3. **Home vs remote access** — If Bobby wants to share Jellyfin with friends/family outside Tailscale, public domain + Authelia guard is required.
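Review bot: The commit message says it resolves open questions #2 (Technitium upstream) and #3 (AdGuard layout), but in this list #2 is the Authelia two-factor method and #3 is home vs remote access, both still open; if the DNS questions live in another file among the 11 changed, cross-reference that file here so the numbering does not mislead. The rewritten item 1 also drops "Removed from catalog" and the AdGuard interim step, which is fine if the migration history (AdGuard deployed, paused, removed) is recorded in dns-topology.md as the message states; a one-line pointer to it would keep this list self-explanatory.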