From f18b978602a689ca4ba5d03979a13e40369f62c6 Mon Sep 17 00:00:00 2001 From: jarvis Date: Wed, 27 May 2026 13:10:35 -0400 Subject: [PATCH] fix(Chunk4): purge all Pi-hole references from split files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 08-deployment-phases: Pi-hole → AdGuard Home in Phase 1 order - 09-open-questions: blocker replaced, decision marked resolved - 10-appendix: removed from DockerHub table, count 16→15, dir pihole/→adguard/ - 05-network-architecture: port allocation DNS label updated - All mirrored to master PRD --- 05-network-architecture.md | 2 +- 08-deployment-phases.md | 2 +- 09-open-questions.md | 4 ++-- 10-appendix.md | 5 ++--- homelab-services-stack-prd.md | 2 +- 5 files changed, 7 insertions(+), 8 deletions(-) diff --git a/05-network-architecture.md b/05-network-architecture.md index ff60582..2bedcb1 100644 --- a/05-network-architecture.md +++ b/05-network-architecture.md @@ -41,7 +41,7 @@ Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) ## Port Allocation (Reserved) | Port | Service | |------|---------| -| 53 | DNS (Technitium / Pi-hole) | +| 53 | DNS (Technitium / AdGuard) | | 80/443 | HTTP/S (Traefik) | | 3000 | Grafana | | 9090 | Prometheus | diff --git a/08-deployment-phases.md b/08-deployment-phases.md index 96d45ec..26bbd8c 100644 --- a/08-deployment-phases.md +++ b/08-deployment-phases.md 
@@ -6,7 +6,7 @@ | Order | Service | Target Node | Why First | Dependencies | |-------|---------|-------------|-----------|--------------| | 1 | **Technitium DNS** | MK7 | Name resolution for internal services | None | -| 2 | **Pi-hole** | MK7 | Recursive DNS + ad-block | Technitium (via conditional forwarding) | +| 2 | **AdGuard Home** | MK7 | Recursive DNS + ad-block | Technitium (via conditional forwarding) | | 3 | **Traefik** | MK7 | Edge router for all HTTP ingress | DNS (needs `*.labs.internal` to resolve) | | 4 | **Authelia** | MK7 | Auth layer before exposing any mgmt UI | Traefik (depends on ForwardAuth middleware) | | 5 | **Portainer** | MK7 | Container management UI | Traefik + Authelia (for secured access) | diff --git a/09-open-questions.md b/09-open-questions.md index 62b1117..64f7ff1 100644 --- a/09-open-questions.md +++ b/09-open-questions.md 
@@ -5,7 +5,7 @@ |---|----------|--------|----------------------| | 1 | **Domain name** — Does Bobby own a domain (e.g., `bobbysh.me`) or do we use a fake TLD (`labs.internal`)? | **Critical** — TLS certs, Authelia, and DNS all depend on this. | Use `labs.internal` + self-signed CA | | 2 | **Technitium upstream** — DoH, DoT, or plain UDP to upstream resolver (e.g., Cloudflare 1.1.1.1)? | Low — can default to DoH | DoH → `https://cloudflare-dns.com/dns-query` | -| 3 | **Pi-hole vs Technitium conflict** — Both run on MK7 port 53. Run Pi-hole on non-standard port with Technitium as conditional forwarder? Or separate nodes? | **Critical** — port 53 collision | Technitium on 53, Pi-hole on 5053, forward to Pi-hole from Technitium | +| 3 | **AdGuard Home vs Technitium layout** — AdGuard runs on port 3000, Technitium on 53. No collision, but conditional forwarding from Technitium to AdGuard needs config. | Low — both run independently | Technitium uses upstream AdGuard for recursive queries | | 4 | **Jellyfin media storage** — External USB on MK7? SMB share? NVMe? | Medium | External USB mounted at `/media` on MK7 | | 5 | **Backup target on MK7** — Capacity? Dedicated drive? Rsync target path? | Medium | `/backups//` on MK7 secondary storage | | 6 | **Nextcloud database** — Use existing PostgreSQL on MK7, or deploy Nextcloud AIO (bundled)? | Medium — affects resource allocation on MK7 | Deploy standalone PostgreSQL container on MK7 for Nextcloud AIO is too heavy | 
@@ -15,6 +15,6 @@ | 10 | **Beszel alert thresholds** — CPU %, memory %, disk % triggers not defined. | Low | Defaults in Beszel container | ## Outstanding Decisions Required -1. **Pi-hole inclusion** — Not in Bobby's original list. I added it as a DNS-layer complement to Technitium. **Remove if Bobby doesn't want it.** +1. ~~Pi-hole inclusion~~ — **Resolved.** AdGuard Home replaces Pi-hole in Phase 1. 2. **Authelia two-factor method** — TOTP via app (Google Authenticator) vs WebAuthn/FIDO2 keys? 3. **Home vs remote access** — If Bobby wants to share Jellyfin with friends/family outside Tailscale, public domain + Authelia guard is required. diff --git a/10-appendix.md b/10-appendix.md index a83a3a8..43b264b 100644 --- a/10-appendix.md +++ b/10-appendix.md @@ -18,10 +18,9 @@ | Prowlarr | `linuxserver/prowlarr` | `linuxserver` | 35,913,487 | 403 | 2026-05-25 | ✅ 200 | | Vaultwarden | `vaultwarden/server` | `vaultwarden` | 287,182,978 | 1,454 | 2026-05-17 | ✅ 200 | | Nextcloud | `nextcloud` | `library` | 1,011,978,204 | 4,485 | 2026-05-23 | ✅ 200 | -| Pi-hole | `pihole/pihole` | `pihole` | 961,220,209 | 2,943 | 2026-05-25 | ✅ 200 | | Authelia | `authelia/authelia` | `authelia` | 75,183,682 | 208 | 2026-05-25 | ✅ 200 | -**Total unique images:** 16 (including Pi-hole) +**Total unique images:** 15 **Community health indicator:** All images have > 10 stars, > 1M pulls (except Beszel 32 stars, Homepage 40 stars — acceptable for young projects) **Freshness:** All updated within 90 days except Beszel (30 days — still acceptable) @@ -30,7 +29,7 @@ ~/.ansible-repo/new-build/ ├── phase-1/ # Infrastructure │ ├── technitium/ -│ ├── pihole/ +│ ├── adguard/ │ ├── traefik/ │ ├── authelia/ │ ├── portainer/ diff --git a/homelab-services-stack-prd.md b/homelab-services-stack-prd.md index 953a487..76bac33 100644 --- a/homelab-services-stack-prd.md +++ b/homelab-services-stack-prd.md 
@@ -432,7 +432,7 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/ ~/.ansible-repo/new-build/ ├── phase-1/ # Infrastructure │ ├── technitium/ -│ ├── pihole/ +│ ├── adguard/ │ ├── traefik/ │ ├── authelia/ │ ├── portainer/
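Review bot: In the 05-network-architecture.md Port Allocation hunk, the new row `| 53 | DNS (Technitium / AdGuard) |` still assigns two services to port 53, while the 09-open-questions.md change in this same patch says Technitium is on 53 and there is no collision. Suggest listing only Technitium on 53 and adding a separate row for the port AdGuard Home's DNS listener binds to, so the reserved table matches the stated layout. The label should also read "AdGuard Home", as in the other files.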
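Review bot: In the 08-deployment-phases.md Phase 1 table, the Dependencies cell on the new row 2 is carried over from the Pi-hole row unchanged (`Technitium (via conditional forwarding)`), but the flow line in 05-network-architecture.md and the new row 3 in 09-open-questions.md both have Technitium forwarding to AdGuard Home. That makes Technitium the dependent for recursive lookups while row 1 still lists `None`. Suggest noting in row 1 that external resolution is unavailable until row 2 is deployed, or correcting the dependency direction in row 2.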
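Review bot: In the 09-open-questions.md table hunk, row 3 now says `AdGuard runs on port 3000`, but the reserved port table in 05-network-architecture.md gives 3000 to Grafana, and the row no longer names the port AdGuard Home answers DNS on (the removed row had Pi-hole on 5053). Both services target MK7 per 08-deployment-phases.md, so the downgrade from Critical to Low is not supported until the DNS listener port is written down. The recommended default `Technitium uses upstream AdGuard for recursive queries` also contradicts row 2, which defaults Technitium's upstream to DoH at `https://cloudflare-dns.com/dns-query`; pick one, or state which resolver forwards to Cloudflare.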
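Review bot: In the 09-open-questions.md "Outstanding Decisions Required" hunk, item 1 is marked **Resolved**, but the removed text asked whether Bobby wants a DNS blocker at all (`Remove if Bobby doesn't want it`), and swapping Pi-hole for AdGuard Home does not answer that. Suggest recording who made the decision and when, and moving the struck-through item out of a list of outstanding decisions.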
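Review bot: In the 10-appendix.md DockerHub table hunk, the Pi-hole row is deleted and the total drops to 15, but no AdGuard Home row is added in the visible lines. If the image is not already listed above this context, add a row with its publisher, pull count, stars, last-updated date and HTTP check like the other entries and keep the total at 16. Without it, the replacement image ships without the community-health and freshness check that the lines below the table claim for all images.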
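Review bot: In homelab-services-stack-prd.md, only the directory-tree hunk (`pihole/` to `adguard/`) changes and the diffstat shows `2 +-` for that file, yet the commit message says all of the split-file changes are mirrored to the master PRD. If the master PRD carries its own copies of the port table, the Phase 1 order, the open questions and the DockerHub table, those still need the same edits; otherwise reword the commit message to say that only the directory layout was mirrored.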