Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Iron-Legion:4af50ec883869b6409e298e920951c75b047de77
Branches Tags
Iron-Legion:main
...
compare: Iron-Legion:main
Branches Tags
Iron-Legion:main

38 Commits
4af50ec883 ... main

Author SHA1 Message Date
F.R.I.D.A.Y.
850802b21e PRD: Switch SSH to LAN IP only, add N8N HTTPS endpoint details (Traefik TLS) 2026-06-05 22:12:08 -04:00
F.R.I.D.A.Y.
c7df48b9a0 PRD: Clarify resolved questions in N8N orchestrator (auto-increment, PVE exclusion, LAN only) 2026-06-05 21:59:34 -04:00
F.R.I.D.A.Y.
2e15769409 Draft: N8N webhook orchestrator for terraform LXC + ansible provisioning (v2 - updates per Bobby) 2026-06-05 21:48:01 -04:00
F.R.I.D.A.Y.
df965892d5 Draft: N8N webhook orchestrator for terraform LXC + ansible provisioning 2026-06-05 21:33:47 -04:00
F.R.I.D.A.Y.
bfff090225 Revert "Ansible: add fleet_update play, managed_nodes group, refactor to roles (prepare, nfs_client, lxc_common)" 
This reverts commit 87fb0ebe02.
 2026-06-05 21:03:59 -04:00
F.R.I.D.A.Y.
87fb0ebe02 Ansible: add fleet_update play, managed_nodes group, refactor to roles (prepare, nfs_client, lxc_common) 2026-06-05 20:58:05 -04:00
F.R.I.D.A.Y.
0e42f6189e Draft: Phase 3 PRD - Terraform LXC to Ansible provisioning pipeline 2026-06-05 19:54:47 -04:00
F.R.I.D.A.Y.
3f0e36c8bb Promote all operational PRDs to Deployed status 
- terraform-lxc-deployment.md: Deployed (Phase 1 single-LXC baseline)
- terraform-lxc-deployment-batch.md: Deployed (Phase 2 batch/dynamic template, validated N=4/N=7)
- ansible-base-testing.md: Deployed (base testing environment, validated fleet ping/playbook)
- ansible-playbook.md: Deployed (NFS client role, validated MK7 + Swarm workers)

All four PRDs now in PRDs/ with status Deployed.
 2026-06-05 08:55:27 -04:00
F.R.I.D.A.Y.
3f5bc49e8b Restore single-LXC PRD alongside batch PRD 
- terraform-lxc-deployment.md: Phase 1 single-LXC baseline (restored from 520da27)
- terraform-lxc-deployment-batch.md: Phase 2 batch/dynamic template (ff60037)

Both documents coexist as separate canonical references.
 2026-06-05 08:40:32 -04:00
F.R.I.D.A.Y.
ff60037860 Terraform LXC: promote batch PRD to canonical, Phase 2 validated 
- terraform-lxc-deployment.md -> terraform-lxc-deployment-batch.md
- Phase 2 validated at N=4 and N=7 on MK33 (pve-swarm)
- All dynamic derivation rules tested and confirmed
- Runtime behavior notes: auto.tfvars vs TF_VAR_*, -auto-approve, PVE race conditions
 2026-06-05 08:38:02 -04:00
F.R.I.D.A.Y.
520da27cd3 Fix: remove non-existent terraform-pve repo reference from fleet notes 
The repo Iron-Legion/terraform-pve.git never existed on Gitea.
Code remains local at ~/docker/terraform-pve/.
 2026-06-05 07:54:15 -04:00
F.R.I.D.A.Y.
4d0e7d8ff1 Terraform LXC PRD: remove stale draft, commit Phase 1 validation updates 
- Remove PRD Drafts/terraform-lxc-deployment.md (stale F.R.I.D.A.Y. draft superseded by validated PRD)
- Commit uncommitted Phase 1 updates to PRDs/terraform-lxc-deployment.md (validated configs, fixes)
- Update token expiry warnings in git-repo-setup-peer-review.md
 2026-06-05 07:49:51 -04:00
F.R.I.D.A.Y.
c1bb49d51a Terraform LXC PRD: promote validated draft to PRDs, archive stale F.R.I.D.A.Y. draft 
- terraform-lxc-deployment.md → PRDs/ (validated, tested, canonical)
- terraform-proxmox-lxc-automation.md → ARCHIVED- (superseded by live POC)
- Matches Phase 1 POC results from terraform-pve repo
 2026-06-04 22:58:19 -04:00
F.R.I.D.A.Y.
bc8d7c8449 Terraform LXC deployment PRD + Phase 1 scaffold (Dockerfile, compose, run.sh, providers) 2026-06-04 21:38:49 -04:00
F.R.I.D.A.Y.
3dd46ca963 PVE cluster formation: MK33/MK34/MK39 as pve-swarm. NFS active. HA groups configured. N150 corrected. 2026-06-04 20:59:11 -04:00
F.R.I.D.A.Y.
c879051b86 Add NetBird domain column to standalone nodes — mslnath.me (Igor/MK-46), bobbysh.me (Neo) 2026-06-04 15:57:07 -04:00
F.R.I.D.A.Y.
43ed44e09a Add MK-46 (Homecoming) — HP Elitedesk, Trilium/ARR stack, 192.168.26.130 2026-06-04 15:55:13 -04:00
F.R.I.D.A.Y.
69ae7ff9ae Split Igor: 192.168.10.211 is Ugreen DXP4800 NAS. 192.168.26.130 is HP Elitedesk (Trilium/ARR) 2026-06-04 15:47:54 -04:00
F.R.I.D.A.Y.
6135fdf6ae Update Igor IP: 192.168.26.130 — ZimaOS NAS, Trilium, ARR Media Stack, Beszel agent 2026-06-04 15:45:19 -04:00
F.R.I.D.A.Y.
ba84a78268 procedures/ansible-playbook: Add NFS client role documentation 
- Full README.md with task breakdown, inventory targeting, TrueNAS requirements
- ADDITIONAL_NOTES.md with per-node key nuances, repogroup mapping, mount opts evolution
- Included canonical copies of: inventory.yml, main.yml, roles/nfs_client/tasks/main.yml
- Covers TrueNAS maproot/ACL interaction and jarvis write access patterns
 2026-06-04 09:28:50 -04:00
F.R.I.D.A.Y.
26917ecdd7 draft: Ansible Base Testing Environment PRD (validated 10/10 green) 2026-06-03 20:02:13 -04:00
F.R.I.D.A.Y.
f624bf03db draft: Add fleet inventory.yml appendix to Ansible WebUI PRD 2026-06-03 13:51:00 -04:00
F.R.I.D.A.Y.
dbeaeab60d draft: Git Repo Setup & Peer Review PRD (v1) 2026-06-03 10:02:20 -04:00
F.R.I.D.A.Y.
d6ed7f6ead draft: Fleet User Standard PRD (v1) 2026-06-03 09:30:16 -04:00
F.R.I.D.A.Y.
1b6c73d13b docs: Update vscode-server procedure for Traefik file provider 
- Remove host port publish (8443) from compose
- Document Traefik file provider route requirement
- Add example dynamic config for vscode.ai.home
- Fix DNS guidance: CNAME to traefik.ai.home
 2026-06-02 21:35:01 -04:00
F.R.I.D.A.Y.
11d70c9531 docs: Add VS Code: Server MK7 deployment procedure 
- Documents openvscode-server on MK7 Swarm
- Enables native Remote-SSH via Microsoft marketplace
- Includes compose, DNS, and SSH config setup
- Notes PVE nodes deferred for key deployment
 2026-06-02 21:08:36 -04:00
F.R.I.D.A.Y.
0962ea5cad Update pveuser integration chart - both nas-iso and nas-repo now active (2026-06-02) 2026-06-02 14:01:21 -04:00
F.R.I.D.A.Y.
75b0bd8f8d Add TrueNAS pveuser + PVE mk33 integration chart - 2026-06-02 2026-06-02 09:59:45 -04:00
F.R.I.D.A.Y.
5ef8314c0e Add TrueNAS hardening changelog JSONL - 2026-06-02 2026-06-02 09:34:44 -04:00
F.R.I.D.A.Y.
9372e0fe69 Add TrueNAS hardening execution chart - 2026-06-02 2026-06-02 09:34:38 -04:00
F.R.I.D.A.Y.
ce06f845e0 Add TrueNAS security audit report - 2026-06-02 2026-06-02 08:31:47 -04:00
F.R.I.D.A.Y.
fa7a6a2669 PRD Updates: Fix MK7/Neo references; add Atlantis section; new Ansible Web UI comparison PRD 2026-06-02 06:32:16 -04:00
F.R.I.D.A.Y.
4377ffaffa Add PRD: Terraform LXC Automation for Proxmox VE 9.2 
New directories:
- PRD Drafts/      — Active PRDs pending review
- PRD archived/    — Approved/archived PRDs

Adds terraform-proxmox-lxc-automation.md:
- Provider: bpg/proxmox (actively maintained, 11M+ downloads)
- Scope: LXC creation, networking, storage, auth patterns
- Includes complete sample project tree with working HCL
- Covers API token, cloud-init, DHCP/static IP, mount points
- State backend + CI/CD integration guidance

Author: F.R.I.D.A.Y.
Date: 2026-06-01
 2026-06-01 14:48:14 -04:00
F.R.I.D.A.Y.
3da2689e4d Add fleet operational reports 
- mk7-service-restoration-report.md: Restored Swarm stacks after relocation, fixed NTP drift, rejoined MK-42 as worker
- netbird-evaluation-report.md: Full evaluation of self-hosted Netbird control plane for tailscale coexistence/replacement

Author: F.R.I.D.A.Y.
 2026-06-01 07:45:13 -04:00
F.R.I.D.A.Y.
2175a93312 fix(fleet): correct admin cheat sheet armor names, DNS, Igor 
Changes:
- Fix armor codenames: MK-34=Southpaw (was Igor), MK-39=Gemini (was Starboost), MK-42=Extremis (was Bones)
- Add Igor (MK-38) as utility node (192.168.10.211, ZimaOS NAS)
- Add DNS Configuration section with correct fallbacks (192.168.18.1, 1.1.1.1)
- Add Cinnamint portable host entry
- Add DNS Reminders table
- Add Shield IP drift note
- Fix SSH topology notes (friday@hermes key, ts- prefix)
- Add igor.ai.home A record
 2026-05-31 22:26:01 -04:00
F.R.I.D.A.Y.
784e6ab658 fix(procedure): correct DNS fallbacks in PVE post-install 2026-05-31 22:25:50 -04:00
F.R.I.D.A.Y.
794ed411e0 docs(fleet): add PegaProx users table to admin cheat sheet 
- Document 3 admin accounts: pegaprox, artemis, friday
- Add connected clusters table (ID, host, status)
- Clean up PegaProx section into Users/Clusters/API subsections
 2026-05-31 22:16:06 -04:00
F.R.I.D.A.Y.
8df3127ff2 Add PVE post-install optimization procedure 
Covers:
- LVM thin pool removal and root expansion
- Proxmox storage.cfg cleanup (local-lvm removal)
- Adding disk images and containers to local storage
- Disabling enterprise AND ceph repos
- No-subscription repo setup
- Subscription nag screen removal
- DNS resolution fix for PXE-installed nodes
- Full verification checklist

Author: F.R.I.D.A.Y.
Date: 2026-05-31
 2026-05-31 22:00:19 -04:00
27 changed files with 5183 additions and 57 deletions
Expand all files Collapse all files

635
PRD Drafts/ARCHIVED-terraform-proxmox-lxc-automation.md Normal file
View File

@@ -0,0 +1,635 @@
# PRD: Terraform LXC Automation for Proxmox VE 9.2
**Status:** Draft — Pending Commander Bobby Review
**Author:** F.R.I.D.A.Y.
**Date:** 2026-06-01
**Provider:** `bpg/proxmox` (actively maintained, 11M+ downloads)
**Target:** Proxmox VE 9.2 / Debian Trixie
---
## 1. Purpose & Scope
This PRD defines the architecture, configuration patterns, and operational workflow for automating LXC container lifecycle management on Proxmox VE 9.2 clusters using Terraform and the actively maintained `bpg/proxmox` provider.
**In scope:**
- Terraform provider configuration and authentication
- LXC resource definitions (`proxmox_virtual_environment_container`)
- Cloud-init / template-based provisioning
- Network configuration (static IP, DHCP, bridge)
- Storage allocation (rootfs on any PVE backend)
- State management and CI/CD integration patterns
**Out of scope:**
- VM (QEMU/KVM) provisioning
- PVE cluster topology changes
- Backup/restore automation (separate PRD)
---
## 2. Success Criteria
| # | Criterion | How Verified |
|---|-----------|-------------|
| 1 | A single `terraform apply` creates a working LXC with SSH access | `ssh root@<lxc-ip>` succeeds |
| 2 | LXCs are provisioned from official cloud-image templates | Template downloaded via `proxmox_virtual_environment_download_file` |
| 3 | Network is configurable per-LXC (DHCP or static CIDR) | `ip addr` inside container matches TF config |
| 4 | Rootfs lives on user-selected storage (not hardcoded to `local-lvm`) | `pvesm status` shows volume on target datastore |
| 5 | State is stored remotely (S3-compatible or Terraform Cloud) | `terraform state list` works from any machine |
| 6 | Destroy and recreate is idempotent | `terraform destroy && terraform apply` yields identical result |
---
## 3. Provider Selection
### Why `bpg/proxmox` (not `telmate/proxmox`)
| Provider | Maintenance | Downloads | LXC Support | Notes |
|----------|-------------|-----------|-------------|-------|
| `bpg/proxmox` | ✅ Active (v0.108.0, June 2026) | 11.8M+ | Full | Community-tier, comprehensive docs, supports PVE 9.x |
| `telmate/proxmox` | ❌ Stale (last release ~2023) | Legacy | Partial | Deprecated; lacks PVE 9.x features |
**Decision:** Use `bpg/proxmox` exclusively. The `telmate` provider is unmaintained and incompatible with PVE 9.2 API changes.
**Provider block (minimum):**
```hcl
terraform {
required_providers {
proxmox = {
source = "bpg/proxmox"
version = "~> 0.108"
}
}
}
provider "proxmox" {
endpoint = "https://192.168.7.33:8006/"
username = "root@pam"
password = var.proxmox_password # or PROXMOX_VE_PASSWORD env var
insecure = true # self-signed TLS
}
```
---
## 4. Authentication Matrix
| Method | Use Case | Config | Security |
|--------|----------|--------|----------|
| **API Token** | Production, CI/CD | `api_token = "root@pam!mytoken=abc123…"` | Highest — revocable, fine-grained |
| **Username/Password** | Development, one-offs | `username = "root@pam"`, `password = "…"` | Medium — password in env |
| **Auth Ticket** | TOTP-enabled accounts | Pre-authenticate, pass ticket | High — short-lived |
**Recommendation for Iron Legion:**
- **Development:** Use `PROXMOX_VE_PASSWORD` environment variable
- **CI/CD (future):** Create a PVE API token with `PVEFarmAdmin` or custom role, store in CI secrets
---
## 5. Sample Project Structure
```
terraform-proxmox-lxc/
├── README.md
├── main.tf # Provider + backend config
├── variables.tf # Input variables
├── terraform.tfvars.example # Sample values (gitignored)
├── outputs.tf # Useful outputs (IPs, IDs)
├── versions.tf # Required providers + TF version
├── modules/
│ └── lxc/
│ ├── main.tf # proxmox_virtual_environment_container resource
│ ├── variables.tf # Module inputs
│ └── outputs.tf # Module outputs
├── environments/
│ ├── dev/
│ │ ├── main.tf # Calls modules with dev vars
│ │ └── terraform.tfvars
│ └── prod/
│ ├── main.tf
│ └── terraform.tfvars
└── templates/
└── ubuntu-25.04-cloudimg.yaml # Cloud-init user-data (optional)
```
### Key Files
#### `versions.tf`
```hcl
terraform {
required_version = ">= 1.5.0"
required_providers {
proxmox = {
source = "bpg/proxmox"
version = "~> 0.108"
}
random = {
source = "hashicorp/random"
version = "~> 3.6"
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
}
}
# Remote state — S3-compatible (Minio, Garage, AWS S3)
backend "s3" {
bucket = "iron-legion-terraform"
key = "proxmox-lxc/terraform.tfstate"
region = "us-east-1"
endpoint = "https://s3.nb.bobbysh.me"
use_path_style = true
# Skip AWS-specific validations for self-hosted S3
skip_credentials_validation = true
skip_metadata_api_check = true
skip_region_validation = true
skip_requesting_account_id = true
}
}
```
#### `variables.tf`
```hcl
variable "proxmox_endpoint" {
description = "PVE API URL"
type = string
default = "https://192.168.7.33:8006/"
}
variable "proxmox_node" {
description = "Target PVE node name"
type = string
default = "mk33"
}
variable "ssh_public_key" {
description = "SSH public key for root access"
type = string
}
variable "lxc_configs" {
description = "Map of LXC configurations"
type = map(object({
vm_id = number
hostname = string
cores = optional(number, 2)
memory = optional(number, 2048)
disk_size = optional(number, 8)
datastore_id = optional(string, "local-lvm")
ip_address = optional(string, "dhcp")
gateway = optional(string, null)
template_url = optional(string, "https://mirrors.servercentral.com/ubuntu-cloud-images/releases/25.04/release/ubuntu-25.04-server-cloudimg-amd64-root.tar.xz")
features = optional(object({
nesting = optional(bool, true)
fuse = optional(bool, false)
keyctl = optional(bool, false)
}), {})
}))
}
```
#### `modules/lxc/main.tf`
```hcl
resource "proxmox_virtual_environment_download_file" "lxc_template" {
for_each = var.lxc_configs
content_type = "vztmpl"
datastore_id = "local"
node_name = var.proxmox_node
url = each.value.template_url
file_name = "${each.key}-template.tar.xz"
overwrite = false
}
resource "proxmox_virtual_environment_container" "lxc" {
for_each = var.lxc_configs
node_name = var.proxmox_node
vm_id = each.value.vm_id
description = "Managed by Terraform — ${each.key}"
unprivileged = true
features {
nesting = each.value.features.nesting
fuse = each.value.features.fuse
keyctl = each.value.features.keyctl
}
cpu {
cores = each.value.cores
units = 1024
}
memory {
dedicated = each.value.memory
swap = 0
}
disk {
datastore_id = each.value.datastore_id
size = each.value.disk_size
}
initialization {
hostname = each.value.hostname
ip_config {
ipv4 {
address = each.value.ip_address
gateway = each.value.gateway
}
}
user_account {
keys = [var.ssh_public_key]
password = random_password.lxc_root[each.key].result
}
}
network_interface {
name = "veth0"
bridge = "vmbr0"
}
operating_system {
template_file_id = proxmox_virtual_environment_download_file.lxc_template[each.key].id
type = "ubuntu"
}
startup {
order = "3"
up_delay = "60"
down_delay = "60"
}
depends_on = [proxmox_virtual_environment_download_file.lxc_template]
}
resource "random_password" "lxc_root" {
for_each = var.lxc_configs
length = 16
special = true
override_special = "_%@"
}
```
#### `modules/lxc/variables.tf`
```hcl
variable "proxmox_node" {
type = string
}
variable "ssh_public_key" {
type = string
}
variable "lxc_configs" {
type = map(object({
vm_id = number
hostname = string
cores = optional(number, 2)
memory = optional(number, 2048)
disk_size = optional(number, 8)
datastore_id = optional(string, "local-lvm")
ip_address = optional(string, "dhcp")
gateway = optional(string, null)
template_url = optional(string)
features = optional(object({
nesting = optional(bool, true)
fuse = optional(bool, false)
keyctl = optional(bool, false)
}), {})
}))
}
```
#### `modules/lxc/outputs.tf`
```hcl
output "lxc_ids" {
description = "Map of LXC names to VM IDs"
value = { for k, v in proxmox_virtual_environment_container.lxc : k => v.vm_id }
}
output "lxc_ips" {
description = "Map of LXC names to IPv4 addresses"
value = { for k, v in proxmox_virtual_environment_container.lxc : k => v.ipv4 }
}
output "lxc_passwords" {
description = "Map of LXC names to root passwords (sensitive)"
value = { for k, v in random_password.lxc_root : k => v.result }
sensitive = true
}
```
#### `environments/dev/main.tf`
```hcl
module "dev_lxcs" {
source = "../../modules/lxc"
proxxmox_node = "mk33"
ssh_public_key = file("~/.ssh/id_ed25519.pub")
lxc_configs = {
"dev-nextcloud" = {
vm_id = 2100
hostname = "dev-nextcloud"
cores = 4
memory = 4096
disk_size = 16
datastore_id = "local-zfs"
ip_address = "192.168.7.100/24"
gateway = "192.168.7.1"
}
"dev-vaultwarden" = {
vm_id = 2101
hostname = "dev-vaultwarden"
cores = 2
memory = 2048
disk_size = 8
datastore_id = "local-zfs"
ip_address = "192.168.7.101/24"
gateway = "192.168.7.1"
}
}
}
```
---
## 6. Resource Reference — `proxmox_virtual_environment_container`
### Critical Arguments
| Block | Key | Required | Default | Description |
|-------|-----|----------|---------|-------------|
| — | `node_name` | ✅ | — | PVE node to create on |
| — | `vm_id` | ✅ | — | Unique numeric ID (100999999999) |
| — | `unprivileged` | ❌ | `true` | Run as unprivileged container |
| `features` | `nesting` | ❌ | `false` | Enable nested containers (needed for Docker-in-LXC) |
| `features` | `fuse` | ❌ | `false` | Enable FUSE mounts |
| `cpu` | `cores` | ❌ | `1` | vCPU cores |
| `memory` | `dedicated` | ❌ | `512` | RAM in MB |
| `disk` | `datastore_id` | ❌ | `local` | Storage pool for rootfs |
| `disk` | `size` | ❌ | `4` | Rootfs size in GB |
| `initialization` | `hostname` | ✅ | — | DNS-compatible hostname |
| `initialization.ip_config.ipv4` | `address` | ✅ | — | CIDR or `dhcp` |
| `initialization.ip_config.ipv4` | `gateway` | ❌ | — | Required for static IP |
| `initialization.user_account` | `keys` | ❌ | — | SSH authorized_keys |
| `network_interface` | `name` | ✅ | — | `veth0` |
| `network_interface` | `bridge` | ❌ | `vmbr0` | Bridge to attach |
| `operating_system` | `template_file_id` | ✅ | — | Downloaded template or `local:vztmpl/…` |
| `operating_system` | `type` | ❌ | `unmanaged` | `ubuntu`, `debian`, `alpine`, etc. |
### Important Notes
- **Template download** uses `proxmox_virtual_environment_download_file` — caches template per-node, avoids re-download
- **Cloud-init** is embedded in the `initialization` block — no separate cloud-init drive needed for LXC
- **Nesting = true** is required for any LXC running Docker or systemd-nspawn
- **Datastore** is backend-agnostic: `local-lvm`, `local-zfs`, `tank-zfs`, `ceph-rbd`, NFS, etc. all work
---
## 7. Data Sources
Use data sources to query existing infrastructure without managing it:
```hcl
data "proxmox_virtual_environment_datastores" "available" {
node_name = var.proxmox_node
}
data "proxmox_virtual_environment_nodes" "cluster" {}
data "proxmox_virtual_environment_container" "existing" {
node_name = var.proxmox_node # or specify target node explicitly
vm_id = 2001
}
```
**Common use cases:**
- Validate a datastore exists before creating a disk
- Read an existing LXCs IP to populate a DNS record (Technitium)
- List nodes for multi-node placement logic
---
## 8. State Management
### Recommended: S3-Compatible Backend
Iron Legion already runs self-hosted services. A Garage or Minio instance on a fleet storage node (e.g., Neo) can serve as the Terraform state backend:
```hcl
terraform {
backend "s3" {
bucket = "iron-legion-terraform"
key = "proxmox-lxc/dev.tfstate"
region = "us-east-1"
endpoint = "https://s3.nb.bobbysh.me"
use_path_style = true
skip_credentials_validation = true
skip_metadata_api_check = true
skip_region_validation = true
skip_requesting_account_id = true
}
}
```
### State Locking (Critical for Team Use)
Add a DynamoDB-compatible table or use a native locking mechanism. If S3 backend does not support locking, wrap `terraform apply` in a CI pipeline that serializes runs.
---
## Optional: Atlantis Web UI for Terraform PR Automation
### What Atlantis Is
Atlantis is a self-hosted web application that listens for webhook events from Git repositories and runs `terraform plan` / `terraform apply` automatically inside PR/MR workflows. It posts plan output back to the PR as comments, enforces approval gates, and locks workspaces to prevent concurrent applies.
### Can Atlantis Manage LXC Resources via `bpg/proxmox`?
**Yes.** Atlantis is a Terraform orchestration layer, not a provider. It supports any Terraform provider including `bpg/proxmox`. The workflow is:
1. Developer opens a PR adding/modifying `.tf` files defining LXC containers
2. Atlantis receives the webhook and runs `terraform plan` in a isolated directory
3. Plan output posted as a PR comment — team reviews before approval
4. After approval (or `atlantis apply` comment), Atlantis runs `terraform apply`
### Atlantis Docker Compose (Self-Hosted)
```yaml
services:
atlantis:
image: ghcr.io/runatlantis/atlantis:latest
ports:
- "4141:4141"
volumes:
- ${HOME}/.ssh:/home/atlantis/.ssh:ro # Git SSH key
- /var/run/docker.sock:/var/run/docker.sock:ro # if using Docker TF provider
- atlantis-data:/home/atlantis/.atlantis
environment:
ATLANTIS_GH_USER: "iron-legion-bot" # or ATLANTIS_GITLAB_USER / ATLANTIS_GITEA_USER
ATLANTIS_GH_TOKEN: "${ATLANTIS_GH_TOKEN}" # personal access token
ATLANTIS_REPO_ALLOWLIST: "github.com/Iron-Legion/*"
ATLANTIS_GH_WEBHOOK_SECRET: "${WEBHOOK_SECRET}"
# For Gitea:
# ATLANTIS_GITEA_USER: "iron-legion-bot"
# ATLANTIS_GITEA_TOKEN: "${GITEA_TOKEN}"
# ATLANTIS_GITEA_WEBHOOK_SECRET: "${WEBHOOK_SECRET}"
command: server
restart: unless-stopped
# Optional: Redis for distributed locking in multi-replica setups
# redis:
# image: redis:8-alpine
# volumes:
# - redis-data:/data
# restart: always
volumes:
atlantis-data:
driver: local
```
### Key Features
- **Plan Comments:** Every PR gets an auto-generated `terraform plan` comment
- **Apply Locking:** One apply at a time per workspace; concurrent PRs queue
- **Policy Checks:** Integrate OPA (Open Policy Agent) or custom scripts to block non-compliant changes
- **Custom Workflows:** Define per-repo or per-directory workflows (e.g., plan-only for dev, auto-apply for staging)
- **Self-Hosted SCM:** Native webhook support for GitHub, GitLab, Bitbucket, **and Gitea**
### Resource Footprint
- Atlantis container: ~100200 MB RAM, minimal CPU
- Optional Redis: ~20 MB RAM
- Total: fits comfortably on any Iron Legion node (MK7, MK3342, Neo)
### Gitea Integration Notes
- Atlantis supports Gitea via the `--gitea-user`, `--gitea-token`, `--gitea-webhook-secret` flags
- Must expose Atlantis endpoint to Gitea (Tailscale funnel, reverse proxy, or LAN if Gitea is in-network)
- Webhook URL: `http://atlantis-host:4141/events`
---
## 9. Operational Workflow
### Day 0 — Bootstrap
```bash
# 1. Clone repo
git clone ssh://git@100.99.123.16:2222/Iron-Legion/terraform-proxmox-lxc.git
cd terraform-proxmox-lxc/environments/dev
# 2. Set credentials
export PROXMOX_VE_PASSWORD="your-pve-password"
# OR for API token:
export PROXMOX_VE_API_TOKEN="root@pam!mytoken=abc123"
# 3. Initialize
terraform init
# 4. Plan
terraform plan -out=tfplan
# 5. Apply
terraform apply tfplan
```
### Day N — Add a Container
1. Add entry to `lxc_configs` map in `environments/dev/main.tf`
2. `terraform plan` — review VM ID collision, IP conflict, storage capacity
3. `terraform apply`
4. Verify: `ssh root@<new-ip>`
### Day N — Destroy a Container
1. Remove entry from `lxc_configs` map
2. `terraform apply` — resource destroyed
3. Or: `terraform destroy -target='module.dev_lxcs.proxmox_virtual_environment_container.lxc["dev-nextcloud"]'`
---
## 10. Risks & Mitigations
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| VM ID collision | Medium | High | Maintain a fleet-wide VM ID registry; use `proxmox_virtual_environment_vms` data source to check |
| IP overlap with DHCP pool | Medium | High | Reserve static IPs in Technitium DNS; use `dns` data source to verify |
| Template download fails (slow mirror) | Low | Medium | Pre-seed templates on PVE nodes; use `pvesm` to verify before `apply` |
| State file corruption | Low | Critical | S3 versioning + periodic `terraform state pull` backups |
| Privilege escalation via privileged LXC | Low | High | Default `unprivileged = true`; explicit override required |
| Provider breaking change | Medium | Medium | Pin provider version `~> 0.108`; test upgrades in dev environment first |
---
## 11. Open Questions
1. **Do we pre-create cloud-image templates on each PVE node, or let Terraform download per-node?**
- Per-node: slower first deploy, but self-contained
- Pre-seeded: faster, requires manual `pvesm` or Ansible step
2. **Should LXCs register themselves in Technitium DNS via Terraform, or rely on DHCP + DNS integration?**
- Terraform can call a `dns_a_record` module (if Technitium provider exists)
- Or: use PVE's built-in DHCP + DNSMASQ if configured
3. **CI/CD pipeline: GitHub Actions runner, or local Gitea Actions on the fleet SCM host?**
- Gitea Actions keeps secrets in-network
- GitHub Actions requires Tailscale funnel or external exposure
4. **Do we want a dedicated LXC "Terraform runner" inside the cluster, or run from Artemis/operator workstation?**
- In-cluster runner: always has LAN access to PVE API
- External: requires Tailscale or VPN for API reachability
---
## 12. Appendix
### A. Provider Documentation Links
- **Registry:** https://registry.terraform.io/providers/bpg/proxmox/latest
- **GitHub:** https://github.com/bpg/terraform-provider-proxmox
- **LXC Resource Docs:** https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_container
- **Download File Resource:** https://registry.terraform.io/providers/bpg/proxmox/latest/docs/resources/virtual_environment_download_file
### B. Useful PVE CLI Commands (for verification)
```bash
# List containers on a node
pct list
# List templates
pvesm list local --content vztmpl
# Check datastore usage
pvesm status
# Enter a container
pct enter <vm_id>
```
### C. Terraform Commands Reference
```bash
terraform init # Download providers, configure backend
terraform validate # Syntax check
terraform plan # Preview changes
terraform apply # Execute changes
terraform destroy # Tear down everything
terraform state list # Show managed resources
terraform state show <addr> # Show one resource's attributes
terraform output # Display output values
terraform fmt -recursive # Format all .tf files
```
---
*End of PRD. Ready for Commander Bobby review and approval.*

319
PRD Drafts/ai-agent-knowledge-management.md Normal file
View File

@@ -0,0 +1,319 @@
# AI Agent Knowledge Management System PRD
**Status:** Draft | **Author:** Artemis (AI Foreman) | **Date:** 2026-06-04
---
## 1. Executive Summary
Artemis (Hermes Agent) generates persistent memory (MEMORY.md, USER.md), skills (SKILL.md files), operational logs, and PRD drafts. These `.md` files currently live in `~/.hermes/` and `~/documentation/` on the Artemis host. Commander Bobby needs a self-hosted knowledge management system with a web UI to:
1. **Review and organize** Artemis's memory/skill files outside the agent context
2. **Bidirectionally sync** edits from the UI back to the filesystem
3. **AI-assisted review** of memory files for optimization (compaction, deduplication, relevance scoring)
4. **Serve as the canonical knowledge base** for Iron Legion operational documentation
This PRD compares four candidates—TriliumNext Notes, Joplin Server, Obsidian, and Google NotebookLM—against these requirements and recommends an architecture.
---
## 2. Requirements Recap
| ID | Requirement | Priority |
|---|---|---|
| R1 | Self-hosted (Docker, LXC, or VM on Proxmox) | **Hard** |
| R2 | Web-based UI for reading/editing notes | **Hard** |
| R3 | Bidirectional sync with filesystem Markdown files | **Hard** |
| R4 | AI-powered review/analysis of notes | **Medium** |
| R5 | Markdown-native or robust Markdown import/export | **Hard** |
| R6 | REST API for automated scripting/cron integration | **Medium** |
| R7 | Full-text search across all notes | **Medium** |
| R8 | Note versioning / revision history | **Low** |
| R9 | Team/collaborative access (Commander Bobby only for now) | **Low** |
---
## 3. Hardware Investigation (Crucial Finding)
Before evaluating candidates, a critical discovery about the Proxmox cluster hardware must be addressed:
### 3.1 The Problem
- **MK33, MK34, MK39** (PVE hosts) run Intel **N100 CPUs** with **4 cores / 4 threads each**
- Proxmox already reports **CPU utilization**: MK33 at 18.50%, MK34 at 32.42%, MK39 at 19.89%
- A medium-weight Node.js app like TriliumNext would consume 10-20% of a single node's total capacity under load
- MK42 has an Intel **J4125** (4 cores, 2.0GHz) which is **even weaker** — marginal but usable with strict cgroup limits
- The bare-metal fleet (MK7, Artemis host) have stronger CPUs but are already purpose-assigned
- **TrueNAS SCALE 25.10.2** (Beelink mini PC): 4-core CPU, 11GB RAM (3.5GB available), load 0.09 — substantial headroom confirmed via live check
### 3.2 The Resource Model: LXC vs VM
**Critical correction:** Proxmox LXC containers use **cgroups v2**, not VM-style resource reservation. CPU is **opportunistic and shared** — an LXC only consumes CPU when actively processing, and the host kernel scheduler dynamically balances contention between containers.
Key LXC resource controls:
| Control | Effect |
|---|---|
| `cores` | Number of visible CPU cores (scheduling masks) |
| `cpulimit` | **Hard ceiling** — the LXC cannot exceed this fraction of host CPU |
| `cpu.weight` | **Relative priority** under contention (default 100, lower = less priority) |
| `memory` | **Hard limit** — kernel OOM-kills processes if exceeded |
This means an idle TriliumNext LXC consumes **near-zero host CPU**, and an active one respects its ceiling regardless of other workloads. The earlier concern about "adding to an already-loaded node pushes it to 50%+" is **mitigated** when using `cpulimit` caps.
### 3.3 Risk Assessment (Revised)
With proper Proxmox LXC cgroup limits (`cores: 2`, `cpulimit: 2`, `memory: 512M`, `cpu.weight: 128`):
| Deployment Target | Risk | Notes |
|---|---|---|
| **TrueNAS SCALE Docker** | ✅ Low | 4-core, 3.5GB free RAM, load 0.09. Preferred target |
| **MK33 PVE LXC** | ⚠️ Medium | 18% baseline, N100. Manageable with cpulimit=1.5 |
| **MK34 PVE LXC** | ⚠️ Medium | 32% baseline, N100. Needs cpulimit=1.0 |
| **MK39 PVE LXC** | ⚠️ Medium | 20% baseline, N100. Manageable with cpulimit=1.5 |
| **MK42 PVE LXC** | ⚠️ High | J4125 2.0GHz, weakest CPU. cpulimit=0.5 minimum |
| **Artemis host** | ⚠️ Medium | Stronger CPU but already runs Hermes agent (latency-sensitive) |
| **MK7** | ❌ | Purpose-assigned: Paperclip + PostgreSQL, no spare capacity |
### 3.4 Recommended Path
**Primary: TrueNAS SCALE 25.10.2 Docker Compose** (confirmed 4-core, 11GB RAM, 0.09 load — ample headroom). **Fallback: PVE LXC on MK34 or MK39** with strict cgroup limits (cpulimit=1.0, memory=512M). Both approaches are viable; TrueNAS is preferred for CPU headroom.
---
## 4. Candidate Evaluation
### 4.1 TriliumNext Notes
**Current state:** Active community fork of the archived `zadam/trilium`. Latest release `v0.103.0` (2026-05-13). 36,300+ GitHub stars. Commits daily.
| Criterion | Status | Details |
|---|---|---|
| **Self-hosted** | ✅ | Official Docker image `triliumnext/trilium:latest`, AMD64+ARM64 |
| **Web UI** | ✅ | Full WYSIWYG editor, tree-based hierarchy, relation maps, mind maps |
| **Bidirectional MD sync** | ⚠️ | Bulk Markdown import/export supported, but no live filesystem watcher. Requires cron + ETAPI scripting |
| **AI integration** | ⚠️ | No built-in AI. JavaScript scripting engine can call external APIs (Ollama). Community themes/scripts exist |
| **REST API** | ✅ | **ETAPI** (External REST API) — OpenAPI-documented, supports CRUD on notes, search, attributes, import/export. Authenticated via token |
| **Markdown support** | ✅ | Native Markdown import/export; WYSIWYG editor auto-formats Markdown |
| **Full-text search** | ✅ | Built-in |
| **Versioning** | ✅ | Per-note revision history |
| **Performance** | ⚠️ | Node.js app. Idle ~150MB RAM, moderate CPU. Scales to 100K+ notes. **May strain N100/J4125 CPUs** |
| **Maintenance risk** | ⚠️ | TriliumNext is a community fork; original author archived `zadam/trilium`. Sync version incompatibility with old instances |
**Deployment:** Minimal Docker Compose:
```yaml
services:
trilium:
image: triliumnext/trilium:v0.103.0
ports:
- "8080:8080"
volumes:
- ~/trilium-data:/home/node/trilium-data
environment:
- TRILIUM_DATA_DIR=/home/node/trilium-data
```
**Verdict:** Best fit from the candidate list. Self-hosted, API-driven, Markdown-capable. AI gap is bridgeable via scripting + Ollama. Performance is manageable with cgroup limits (LXC) or on TrueNAS Docker (preferred, 4-core/11GB/0.09 load).
---
### 4.2 Joplin Server
**Current state:** Actively maintained by `laurent22`. Stable. Docker image `joplin/server:latest`. Sync server for Joplin desktop/mobile clients.
| Criterion | Status | Details |
|---|---|---|
| **Self-hosted** | ✅ | Official Docker image, PostgreSQL backend, well-documented |
| **Web UI** | ❌ | Joplin Server is a **sync backend only**. The web client is minimal (basic note listing). Primary editing requires Joplin desktop/mobile app |
| **Bidirectional MD sync** | ⚠️ | Joplin's sync protocol is its own format (not raw MD). Export to raw Markdown requires the desktop app. Server API can push/pull notes in Joplin's JSON format |
| **AI integration** | ❌ | No server-side AI. Desktop plugins exist (e.g., "Note Overview" with ChatGPT) but require running desktop client |
| **REST API** | ✅ | Joplin Server API (beta), supports note CRUD, but less feature-rich than Trilium's ETAPI |
| **Markdown support** | ✅ | Joplin notes are Markdown internally, but stored in a SQL database, not as raw `.md` files |
| **Full-text search** | ✅ | Via PostgreSQL FTS in Joplin Server 3.x |
| **Versioning** | ✅ | Note history API available |
| **Maintenance risk** | ✅ | Low. Actively maintained, stable releases. Backed by a sole developer but well-established |
**Verdict:** Excellent sync server, **not a web-based knowledge manager**. If Bobby wants to use Joplin desktop/mobile as his primary interface and sync through the server, this works. But requirement R2 (web-based UI) is essentially unmet. No AI pathway without desktop client.
---
### 4.3 Obsidian
**Current state:** Proprietary Electron desktop app. Extremely popular (100K+ GitHub stars for plugin API). No server edition.
| Criterion | Status | Details |
|---|---|---|
| **Self-hosted** | ❌ | **No.** Desktop app only. Obsidian Sync ($5/mo) and Publish ($10/mo) are proprietary cloud services. No official Docker image or server mode |
| **Web UI** | ❌ | No. Obsidian Publish creates read-only static websites, not editable |
| **Bidirectional MD sync** | ⚠️ | Vaults are plain `.md` folders on disk — trivially scriptable. But editing requires the desktop app open. Community `obsidian-local-rest-api` plugin provides REST API **but only when the desktop app is running** |
| **AI integration** | ⚠️ | Community plugins exist (Smart Connections, Copilot, etc.). Local LLM integration possible via plugins. But again: desktop app must be running |
| **REST API** | ⚠️ | Only via community `obsidian-local-rest-api` plugin + running desktop app. Not headless |
| **Markdown support** | ✅ | Gold standard. Native Markdown with extensive extended syntax |
| **Versioning** | ✅ | Via Obsidian Sync ($5/mo) or external git |
| **Maintenance risk** | ⚠️ | Proprietary. Future licensing changes could affect workflows. Community heavy but core is closed-source |
**Verdict:** The best Markdown editor on the market. **Entirely wrong architecture for this use case.** Cannot run headless on a server. If Bobby wants to manually review/edit memory files on his desktop, Obsidian is excellent—but it does not meet the self-hosted web service requirement.
---
### 4.4 Google NotebookLM
**Current state:** Google cloud service. Upload documents → AI-powered Q&A, summaries, audio overviews. No self-hosted edition.
| Criterion | Status | Details |
|---|---|---|
| **Self-hosted** | ❌ | **No.** Pure Google SaaS |
| **Web UI** | ✅ | Excellent web interface, but cloud-only |
| **AI support** | ✅ | **Best-in-class.** Native RAG-powered summarization, Q&A, audio overviews |
| **Markdown support** | ⚠️ | Uploads supported but NotebookLM is document-centric, not a Markdown editor |
| **REST API** | ❌ | No public API for NotebookLM |
| **Bidirectional sync** | ❌ | Upload only. No export back to filesystem |
| **Data sovereignty** | ❌ | All data lives on Google servers |
**Verdict:** Wrong architecture for this use case. No self-hosting. No bidirectional sync. No API.
**However:** NotebookLM's AI capabilities are exactly what Bobby wants for reviewing memory files. See Section 5 for open-source RAG alternatives.
---
## 5. AI-Powered Review: Open-Source RAG Layer
NotebookLM is unavailable for self-hosting, but its core functionality (upload documents → ask questions → get summaries) can be replicated with open-source tools. This would be a **separate service** that ingests Markdown exports from the knowledge base.
### 5.1 Candidate RAG Tools
| Tool | Stars | Deployment | Notes |
|---|---|---|---|
| **AnythingLLM** | 35K+★ | Docker, single binary | All-in-one: document ingestion, RAG chat, multi-model (Ollama, OpenAI, etc.). Agent support. Best fit for "upload and chat" workflow |
| **Dify** | 60K+★ | Docker Compose | Full AI application platform. RAG pipeline builder, chat UI, workflow automation. Overkill but powerful |
| **PrivateGPT** | 60K+★ | Docker, Python | Privacy-focused document Q&A. Simpler than Dify. Good for batch processing docs |
| **Open WebUI** | 65K+★ | Docker | Ollama-native chat UI with RAG and document upload. Already running on the fleet? |
| **Flowise** | 35K+★ | Docker, Node.js | Low-code LLM workflow builder. Drag-and-drop RAG pipeline. Good for custom ingestion chains |
### 5.2 Recommended AI Layer: AnythingLLM
**Why:** Single Docker container, natively supports Ollama (already in the fleet), built-in document ingestion with chunking + embedding, chat-based review, multi-user. Lightweight enough to co-reside with the knowledge base or run on a separate node.
**Architecture:** TriliumNext exports `.md` files via cron → AnythingLLM ingests them → Bobby chats with his memory files via AnythingLLM's UI → Insights inform manual edits in TriliumNext.
---
## 6. Comparative Matrix
| Criterion | TriliumNext | Joplin Server | Obsidian | NotebookLM |
|---|---|---|---|---|
| Self-hosted Docker | ✅ | ✅ | ❌ | ❌ |
| Web UI (edit) | ✅ | ❌ | ❌ | ✅ (cloud) |
| Bidirectional MD sync | ⚠️ scriptable | ⚠️ via desktop | ❌ | ❌ |
| REST API | ✅ ETAPI | ✅ (beta) | ❌ | ❌ |
| AI integration | ⚠️ scriptable | ❌ | ⚠️ plugins | ✅ native |
| Markdown-native | ✅ import/export | ✅ internal | ✅ gold standard | ❌ |
| Full-text search | ✅ | ✅ | ✅ | ✅ |
| Versioning | ✅ | ✅ | ✅ | ✅ |
| Maintenance risk | ⚠️ community fork | ✅ stable | ⚠️ proprietary | ❌ Google SaaS |
| Hardware fit | ⚠️ Node.js on N100 | ⚠️ PostgreSQL needed | N/A | N/A |
---
## 7. Recommended Architecture
### 7.1 Primary Recommendation: TriliumNext on TrueNAS Docker
**Deploy:** TriliumNext as a Custom Docker Compose app on TrueNAS SCALE 25.10.2 (hardware pre-check pending).
**Rationale:**
- Only candidate from Bobby's list that meets all hard requirements (self-hosted web UI, Markdown support, REST API)
- Active community fork with daily commits
- Scripting engine bridges the AI gap
- TrueNAS has stronger hardware than PVE N100 nodes
### 7.2 AI Layer (Phase 2): AnythingLLM alongside TriliumNext
1. Cron job exports Trilium notes as `.md` to a shared volume
2. AnythingLLM watches the volume and ingests new/changed docs
3. Bobby uses AnythingLLM's chat UI for AI-powered memory review
4. Insights from AI review → manual edits in TriliumNext web UI
5. TriliumNext edits → cron syncs back to Artemis `~/.hermes/` filesystem
### 7.3 Bidirectional Sync Flow
```
Artemis ~/.hermes/memory/ ──cron export──→ TriliumNext (web UI)
Bobby reviews/edits
TriliumNext ←──cron pull── Bobby's edits saved
└──cron export──→ ~/.hermes/memory/ (Artemis reads updated files)
```
### 7.4 Fallback: Joplin Server
If TriliumNext proves too heavy for available hardware:
- Joplin Server on a PVE node (or TrueNAS Docker)
- Bobby uses Joplin desktop app for editing (not web UI)
- Sync via Joplin's native protocol
- Markdown export via Joplin CLI → Artemis filesystem
---
## 8. Deployment Plan (Proposed)
### Phase 1: TrueNAS Hardware Verification
1. SSH to TrueNAS — check CPU load, available RAM, Docker compatibility
2. Verify TrueNAS SCALE 25.10.2 supports privileged Custom Docker Compose apps
3. Test-deploy TriliumNext with resource limits (`cpus: 1.0`, `memory: 512M`)
4. Measure idle CPU/RAM consumption
### Phase 2: TriliumNext Deployment
1. Deploy TriliumNext via TrueNAS Docker Compose UI
2. Configure ETAPI token for automation
3. Import existing `~/.hermes/memory/` and `~/.hermes/skills/` as note trees
4. Set up cron for bidirectional `.md` export/import between Artemis host and TriliumNext
### Phase 3: AI Integration
1. Deploy AnythingLLM as a companion Docker Compose app on TrueNAS
2. Configure Ollama backend (point to fleet Ollama instance)
3. Create ingestion pipeline: Trilium export → shared volume → AnythingLLM workspace
4. Test AI-assisted review workflow
### Phase 4: Productionize
1. Document sync schedule and retention policy
2. Add healthcheck monitoring
3. (Stretch) Explore real-time sync via filesystem watcher instead of cron
---
## 9. Open Questions
1. **TrueNAS Docker suitability?** Can TrueNAS SCALE 25.10.2's Docker Compose app platform run a Node.js app with moderate CPU/RAM usage without impacting NAS performance?
2. **Alternative deployment target?** If TrueNAS is unsuitable and PVE nodes are too constrained, is there a bare-metal node with spare capacity? MK7 is assigned to Paperclip + PostgreSQL. Artemis host could run TriliumNext but adds desktop workload to the agent's host.
3. **NotebookLM "light"?** If AI review is the primary goal and web editing is secondary, would a minimal RAG setup (AnythingLLM + direct Markdown file ingestion, no knowledge base UI) suffice for Phase 1?
4. **Sync frequency?** How often should Artemis export memory to TriliumNext, and how often should TriliumNext edits sync back? 5-minute cron? Hourly? Manual trigger?
5. **Scope of "bidirectional"?** Can Artemis **read** TriliumNext as an authoritative source for memory, or is TriliumNext purely a review/edit sandbox where changes are manually promoted?
---
## 10. Decision Required
**Bobby to decide:**
| Decision | Options |
|---|---|
| **Primary tool** | A) TriliumNext on TrueNAS (recommended) — B) Joplin Server + desktop app — C) Minimalist: plain Markdown + AnythingLLM for AI review only |
| **Deployment target** | A) TrueNAS SCALE Docker — B) PVE node (despite CPU concerns) — C) Artemis host — D) MK7 |
| **AI layer** | A) AnythingLLM (recommended) — B) No AI yet, manual review only — C) Open WebUI if already in fleet |
| **Sync direction** | A) Bidirectional (read + write) — B) Read-only archive for review — C) Artemis treats TriliumNext as source of truth |
---
## Appendix A: Source References
- TriliumNext GitHub: `https://github.com/TriliumNext/Trilium` (36.3K ★, active)
- TriliumNext Docker Hub: `triliumnext/trilium` (2.6M pulls)
- Joplin Server: `https://github.com/laurent22/joplin` (47K ★)
- Obsidian Local REST API: `https://github.com/coddingtonbear/obsidian-local-rest-api` (2.4K ★)
- AnythingLLM: `https://github.com/Mintplex-Labs/anything-llm` (35K+ ★)
- TrueNAS SCALE 25.10.2 release notes: Apps migrated to Docker Compose from Kubernetes
- Research conducted: 2026-06-04 via web scraping of official sites, GitHub APIs, and Docker Hub

464
PRD Drafts/ansible-automation-webui-comparison.md Normal file
View File

@@ -0,0 +1,464 @@
# Ansible Automation Web UI Comparison PRD
**Status:** Draft | **Author:** F.R.I.D.A.Y. (Hermes Agent) | **Date:** 2026-06-02
---
## 1. Purpose & Scope
This PRD evaluates web-based UIs for running and managing Ansible playbooks in the Iron Legion fleet. The focus is on self-hosted, Docker-friendly solutions that integrate with our existing Gitea SCM and are deployable on Swarm or standalone nodes.
**Tools Evaluated:**
1. Semaphore UI (Ansible-native) — RECOMMENDED
2. Kestra (Generic orchestration, Ansible-compatible)
3. AWX (Official Red Hat Ansible platform)
4. Rundeck (Ops automation with Ansible plugin)
5. Jenkins + Ansible Plugin (CI/CD generalist)
---
## 2. Requirements
**Must-Have:**
- [x] Docker Compose or Swarm deployable
- [x] Ansible playbook execution (not just shell scripts calling ansible)
- [x] Web UI for triggering runs, viewing logs, managing inventories
- [x] Self-hosted (no cloud dependency)
- [x] Works on Iron Legion architecture (x86_64, moderate RAM)
**Nice-to-Have:**
- [ ] Gitea webhook integration (auto-trigger on push)
- [ ] RBAC / multi-user access
- [ ] API for automation
- [ ] Scheduled runs (cron-like)
- [ ] Low resource footprint (fit on G9 nodes)
---
## 3. Comparison Matrix
| Criterion | Semaphore UI | Kestra | AWX | Rundeck | Jenkins + Ansible |
|-----------|-------------|--------|-----|---------|-------------------|
| **Primary Purpose** | Ansible-native runner | Generic workflow engine | Enterprise Ansible platform | Ops automation | CI/CD generalist |
| **Docker Compose** | ✅ Simple | ✅ Simple | ⚠️ Complex (K8s preferred) | ✅ Simple | ✅ Simple |
| **RAM Needed** | ~256 MB | ~512 MB | ~4 GB (6+ GB recommended) | ~512 MB | ~1 GB |
| **Ansible Integration** | Native | Via shell/HTTP tasks | Native | Plugin-based | Plugin-based |
| **Inventory Management** | Built-in (static + dynamic) | Via external files | Advanced (sources, scripts) | Basic | Via files/plugins |
| **Gitea Webhooks** | ✅ Supported | ✅ Supported | ⚠️ Requires AWX project sync | ✅ Via plugin | ✅ Via SCM polling |
| **RBAC / Multi-user** | ✅ | ✅ | ✅ Enterprise-grade | ✅ | ✅ Plugin-based |
| **Scheduled Runs** | ✅ Cron UI | ✅ Triggers | ✅ Schedules | ✅ Jobs scheduler | ✅ Cron trigger plugin |
| **Log Viewer** | ✅ Real-time | ✅ Real-time | ✅ Real-time + facts | ✅ | ✅ Plugin-dependent |
| **Vault Integration** | ✅ Key store built-in | Via secrets | ✅ Native | Via plugins | Via plugins |
| **Complexity** | Low | Medium | High | Medium | High |
---
## 4. Tool Deep-Dives
### 4.1 Semaphore UI (RECOMMENDED)
**Why it wins:** Purpose-built for Ansible, minimal footprint, fast UI, and fits Iron Legion constraints.
**Docker Compose:**
```yaml
services:
mysql:
image: mysql:8.0
environment:
MYSQL_ROOT_PASSWORD: semaphore-db-password
MYSQL_DATABASE: semaphore
MYSQL_USER: semaphore
MYSQL_PASSWORD: semaphore-db-password
volumes:
- semaphore-mysql:/var/lib/mysql
restart: unless-stopped
semaphore:
image: semaphoreui/semaphore:latest
ports:
- "3000:3000"
environment:
SEMAPHORE_DB_DIALECT: mysql
SEMAPHORE_DB_HOST: mysql
SEMAPHORE_DB_NAME: semaphore
SEMAPHORE_DB_USER: semaphore
SEMAPHORE_DB_PASS: semaphore-db-password
SEMAPHORE_ADMIN_PASSWORD: admin-password
SEMAPHORE_ADMIN_NAME: admin
SEMAPHORE_ADMIN_EMAIL: admin@localhost
SEMAPHORE_ADMIN: admin
# Optional: Telegram / Slack / Gitea integration
SEMAPHORE_WEBHOOK: "1"
volumes:
- semaphore-config:/etc/semaphore
- /path/to/ansible/playbooks:/playbooks:ro
- /path/to/inventories:/inventories:ro
- /path/to/ssh/keys:/ssh:ro
depends_on:
- mysql
restart: unless-stopped
volumes:
semaphore-mysql:
driver: local
semaphore-config:
driver: local
```
**Key Features:**
- **Project-centric:** Organize playbooks into projects with separate inventories, env vars, and access
- **Task Templates:** Define reusable job definitions with variables and surveys
- **Key Store:** Built-in encrypted vault for SSH keys, passwords, Ansible vault passwords
- **Cron Schedules:** UI-driven scheduling without crontab
- **Real-time Logs:** WebSocket-based live log streaming
- **Gitea Integration:** Add a Gitea repository as a project, clone on each run, webhooks for auto-trigger
**Resource Footprint:**
- MySQL: ~200 MB RAM
- Semaphore: ~50100 MB RAM
- Total: **~300 MB** — deployable on any G9 worker node
**Cons:**
- Smaller community than AWX/Jenkins
- Less granular RBAC than AWX
- No built-in credential plugins (e.g., HashiCorp Vault) — must use env vars or files
---
### 4.2 Kestra
**What it is:** Language-agnostic workflow orchestration platform with a visual DAG editor. Not Ansible-specific, but can invoke Ansible via `io.kestra.plugin.scripts.shell.Commands` or `io.kestra.plugin.core.http.Request`.
**Docker Compose:**
```yaml
volumes:
postgres-data:
driver: local
kestra-data:
driver: local
services:
postgres:
image: postgres:18
volumes:
- postgres-data:/var/lib/postgresql
environment:
POSTGRES_DB: kestra
POSTGRES_USER: kestra
POSTGRES_PASSWORD: k3str4
kestra:
image: kestra/kestra:latest
user: "root"
command: server standalone
volumes:
- kestra-data:/app/storage
- /var/run/docker.sock:/var/run/docker.sock
- /tmp/kestra-wd:/tmp/kestra-wd
- /path/to/ansible:/ansible:ro
environment:
KESTRA_CONFIGURATION: |
datasources:
postgres:
url: jdbc:postgresql://postgres:5432/kestra
password: k3str4
repository:
type: postgres
storage:
type: local
local:
base-path: "/app/storage"
queue:
type: postgres
url: http://localhost:8080/
ports:
- "8080:8080"
depends_on:
- postgres
```
**Key Features:**
- **Visual DAG Editor:** Drag-and-drop workflow construction
- **Rich Triggers:** Schedule, webhook, event-driven (Kafka, S3, HTTP)
- **Plugin Ecosystem:** 400+ plugins (not Ansible-native — invoke via shell)
- **Scalability:** Built for large-scale data pipelines; may be overkill for fleet Ansible
**Resource Footprint:**
- PostgreSQL: ~300 MB RAM
- Kestra: ~512 MB1 GB RAM
- Total: **~1 GB** — heavier than Semaphore
**Verdict for Iron Legion:** Powerful but misaligned. We need Ansible-native execution, not generic workflow orchestration. Use Kestra for data/ETL pipelines, not playbook management.
---
### 4.3 AWX
**What it is:** The upstream open-source project behind Ansible Automation Platform (formerly Ansible Tower). Full-featured enterprise Ansible management.
**Key Features:**
- **Projects:** Link to Git repos (Gitea supported), auto-sync on push
- **Inventories:** Static, dynamic (custom scripts, cloud providers), smart inventories
- **Job Templates:** Parameterized with surveys, credentials, and RBAC
- **Workflows:** Chain multiple job templates into visual pipelines
- **RBAC:** Teams, organizations, user roles — most granular of all options
- **Notifications:** Email, Slack, webhook on job success/failure
**Deployment:**
- Docker Compose exists but is officially a **development** target; production requires Kubernetes
- Requires Redis, PostgreSQL, memcached, and multiple AWX services
- Total RAM: **46 GB minimum**
**Verdict for Iron Legion:** Overkill. Our fleet nodes (G9: ~11 GB RAM) could run AWX, but it would consume half a node's capacity. G9 nodes are better used as PVE workers with LXCs. AWX belongs on a dedicated management VM or MK7 if hardware permits.
---
### 4.4 Rundeck
**What it is:** Open-source operations automation platform with an Ansible plugin.
**Docker Compose:** Simple single-container deployment with external database.
**Key Features:**
- **Job Definitions:** YAML or XML, supports Ansible ad-hoc and playbook execution
- **Node Inventory:** Static or dynamic via Ansible inventory scripts
- **ACL Policies:** File-based RBAC
- **Scheduled Executions:** Built-in scheduler
- **Plugin Architecture:** Ansible, Slack, HTTP webhooks
**Resource Footprint:**
- Rundeck: ~512 MB RAM
- MySQL/PostgreSQL: ~200300 MB
- Total: **~700800 MB**
**Verdict for Iron Legion:** Viable middle-ground. Better than Jenkins for Ansible, but Semaphore is purpose-built and lighter. Rundeck's strength is multi-tool orchestration (Ansible + scripts + HTTP APIs), which we don't need yet.
---
### 4.5 Jenkins + Ansible Plugin
**What it is:** General-purpose CI/CD platform with Ansible integration via plugins.
**Docker Compose:**
```yaml
services:
jenkins:
image: jenkins/jenkins:lts
ports:
- "8080:8080"
- "50000:50000"
volumes:
- jenkins-data:/var/jenkins_home
- /path/to/ansible/playbooks:/playbooks:ro
- /path/to/inventories:/inventories:ro
restart: unless-stopped
volumes:
jenkins-data:
driver: local
```
**Key Features:**
- **Pipelines:** Groovy-based Jenkinsfile pipelines for Ansible execution
- **Blue Ocean:** Modern UI for pipeline visualization
- **Plugin Ecosystem:** Massive library (Ansible, Slack, Git, Gitea)
- **Distributed Builds:** Agent nodes for parallel playbook runs
**Resource Footprint:**
- Jenkins: ~1 GB RAM (grows with plugin load)
- Optional agents: variable
- Total: **~12 GB**
**Verdict for Iron Legion:** Wrong tool for the job. Jenkins excels at CI/CD pipelines (build → test → deploy), not at day-to-day Ansible playbook management. The UI is pipeline-centric, not inventory- or template-centric. Use Jenkins for software CI/CD, not fleet automation.
---
## 5. Recommendation
| Use Case | Recommended Tool |
|----------|---------------|
| **Primary Ansible playbook runner** | **Semaphore UI** |
| Complex enterprise RBAC + workflows | AWX (on dedicated VM) |
| Generic workflow orchestration (not Ansible-specific) | Kestra |
| Multi-tool ops automation (Ansible + scripts + APIs) | Rundeck |
| Software CI/CD pipelines | Jenkins |
**Iron Legion Path Forward:**
1. **Deploy Semaphore UI** on MK7 Swarm or a lightweight LXC on MK33
2. Create a Project pointing to `Iron-Legion/ansible-playbooks` on Gitea
3. Configure inventories, task templates, and schedules
4. Add Gitea webhook to auto-trigger Semaphore tasks on push to `main`
5. **Optional:** Evaluate AWX later if RBAC/complexity demands grow — deploy on a dedicated management LXC with 4 GB RAM reservation
---
## 6. Open Questions
1. **Should Semaphore run as a standalone Docker Compose stack or as a Swarm service?**
- Standalone: simpler, survives Swarm reconfiguration
- Swarm: automatic placement, Traefik ingress, less manual maintenance
2. **Where does the Ansible inventory live?**
- Option A: In the Gitea repo alongside playbooks (version-controlled)
- Option B: Static files on the Semaphore host (faster Semaphore startup)
- Option C: Dynamic inventory script pulling from Technitium DNS/PVE API
3. **Gitea webhook reachability:**
- Gitea on Neo (`192.168.192.24`) → Semaphore on MK7 or G9 node
- Must ensure Semaphore endpoint is reachable from Neo (LAN routing)
- Can use Tailscale as fallback
---
*End of PRD — Iron Legion Labs*
---
## Appendix: Iron Legion Fleet Inventory (`inventory.yml`)
This inventory file is the authoritative source for Ansible targeting across the fleet. It is structured for **Semaphore UI**, **AWX**, or **command-line Ansible** consumption.
**File:** `inventories/iron-legion.yml`
```yaml
# Iron Legion Fleet Inventory
# Generated: 2026-06-03
# Source: fleet documentation + live SSH config
---
all:
children:
fleet_nodes:
children:
core_services:
hosts:
mk7:
ansible_host: 192.168.7.7
ansible_user: jarvis
node_role: swarm_manager
docker_host: true
nebuchadnezzar:
ansible_host: 192.168.192.24
ansible_user: jarvis
node_role: docker_host
docker_host: true
pve_workers:
hosts:
mk33:
ansible_host: 192.168.7.33
ansible_user: root
node_role: pve_worker
pve_api_url: "https://192.168.7.33:8006/"
mk34:
ansible_host: 192.168.7.34
ansible_user: root
node_role: pve_worker
pve_api_url: "https://192.168.7.34:8006/"
mk39:
ansible_host: 192.168.7.39
ansible_user: root
node_role: pve_worker
pve_api_url: "https://192.168.7.39:8006/"
physical_agents:
hosts:
artemis:
ansible_host: 192.168.15.182
ansible_user: jarvis
node_role: discord_gateway
hermes_agent: true
mark44:
ansible_host: 192.168.5.214
ansible_user: jarvis
node_role: gpu_host
gpu: true
mark5:
ansible_host: 192.168.6.5
ansible_user: jarvis
node_role: tbd
mk42:
ansible_host: 192.168.0.196
ansible_user: jarvis
node_role: pve_worker
infrastructure:
hosts:
shield:
ansible_host: 192.168.27.205
ansible_user: jarvis
node_role: pxe_server
igor:
ansible_host: 192.168.10.211
ansible_user: jarvis
node_role: nas
tailscale_fallback:
hosts:
ts-mk7:
ansible_host: 100.66.70.51
ansible_user: jarvis
ts-mk33:
ansible_host: 100.125.155.41
ansible_user: jarvis
ts-mk34:
ansible_host: 100.94.190.43
ansible_user: jarvis
docker_hosts:
children:
swarm_manager:
hosts:
mk7:
standalone_docker:
hosts:
nebuchadnezzar:
vars:
ansible_ssh_private_key_file: "~/.ssh/artemis_key"
ansible_python_interpreter: /usr/bin/python3
ansible_connection: ssh
ansible_ssh_common_args: ">-
-o StrictHostKeyChecking=accept-new
-o ConnectTimeout=5"
fleet_domain: ai.home
pve_workers:
vars:
ansible_ssh_private_key_file: "~/.ssh/vscode_ed25519"
ansible_become: true
ansible_become_user: root
core_services:
vars:
ansible_become: true
ansible_become_user: root
ansible_ssh_private_key_file: "~/.ssh/artemis_key"
physical_agents:
vars:
ansible_become: false
ansible_ssh_private_key_file: "~/.ssh/artemis_key"
```
**Usage:**
```bash
# Test reachability
ansible all -m ping -i inventories/iron-legion.yml
# Target PVE workers only
ansible pve_workers -m setup -i inventories/iron-legion.yml
# Check Docker services on swarm manager
ansible swarm_manager -a "docker service ls" -i inventories/iron-legion.yml
```

241
PRD Drafts/ansible-base-testing.md Normal file
View File

@@ -0,0 +1,241 @@
# Ansible Base Testing Environment PRD
**Status:** Draft | **Author:** Artemis (AI Foreman) | **Date:** 2026-06-03
---
## 1. Purpose & Scope
A minimal, containerized Ansible environment for playbook development and ad-hoc fleet testing. This is the Iron Legion standard for validating inventories and playbooks before promoting to production.
---
## 2. Directory Structure
```
~/docker/ansible-push/
├── docker-compose.yml # Ansible runner container definition
├── dockerfile # Build: Python 3.14 Alpine + Ansible 14
├── run.sh # One-shot test runner
├── inventory.yml # Iron Legion fleet inventory (YAML format)
└── keys/
├── id_ed25519 # Private key (chmod 600)
├── id_ed25519.pub # Public key (chmod 644)
└── known_hosts # Auto-populated by successful connections
```
---
## 3. docker-compose.yml
```yaml
services:
ansible:
build: .
container_name: ansible
image: ansible
environment:
- ANSIBLE_HOST_KEY_CHECKING=false
- ANSIBLE_PYTHON_INTERPRETER=/usr/bin/python3.12
volumes:
- .:/ansible
- ./keys:/root/.ssh
working_dir: /ansible
entrypoint: ["/bin/sh", "-c"]
command: ["tail -f /dev/null"]
```
---
## 4. dockerfile
```dockerfile
FROM python:3.14.5-alpine3.23
RUN pip install --no-cache-dir ansible==14.0.0 && apk add --no-cache curl openssh-client
```
---
## 5. run.sh
```bash
docker compose up -d
docker exec -it ansible ansible all -m ping -i inventory.yml
docker compose down
```
---
## 6. Key Management
The `keys/` directory is bind-mounted to `/root/.ssh` inside the container. SSH auto-discovers the standard `id_ed25519` key — no explicit `ansible_ssh_private_key_file` needed for passwordless hosts.
- **File:** `id_ed25519` → Container: `/root/.ssh/id_ed25519` → Perms: `600`
- **File:** `id_ed25519.pub` → Container: `/root/.ssh/id_ed25519.pub` → Perms: `644`
- **File:** `known_hosts` → Container: `/root/.ssh/known_hosts` → Auto-populated
---
## 7. Working inventory.yml (Validated: 10/10 green)
```yaml
# Iron Legion Fleet Inventory
# Generated: 2026-06-03
# Source: fleet documentation + live SSH config
#
# Usage with Ansible:
# ansible all -m ping -i inventory.yml
# ansible pve_workers -m setup -i inventory.yml
# ansible swarm_manager -a "docker service ls" -i inventory.yml
#
# FIX: Group-specific variables (e.g. pve_workers:) were previously
# placed outside `all:` scope, breaking inventory parsing.
# All group vars are now merged into the group definitions below.
---
all:
children:
# ──────────────────────────────────────────
# Physical / Virtual Fleet Nodes
# ──────────────────────────────────────────
fleet_nodes:
children:
# Core fleet services
core_services:
hosts:
mk7:
ansible_host: 192.168.7.7
ansible_user: jarvis
node_role: swarm_manager
docker_host: true
description: "Swarm manager + Traefik + service stack host"
# PVE Worker nodes
pve_workers:
vars:
ansible_user: root
ansible_ssh_pass: "proxmox12"
ansible_become: true
ansible_python_interpreter: /usr/bin/python3
hosts:
mk33:
ansible_host: 192.168.7.33
node_role: pve_worker
pve_api_url: "https://192.168.7.33:8006/"
description: "PVE Silver Centurion"
mk34:
ansible_host: 192.168.7.34
node_role: pve_worker
pve_api_url: "https://192.168.7.34:8006/"
description: "PVE Southpaw"
mk39:
ansible_host: 192.168.7.39
node_role: pve_worker
pve_api_url: "https://192.168.7.39:8006/"
description: "PVE Gemini"
# Active physical agents
physical_agents:
hosts:
artemis:
ansible_host: 192.168.15.182
ansible_user: jarvis
node_role: discord_gateway
hermes_agent: true
description: "Primary AI orchestrator + Discord gateway"
mark44:
ansible_host: 192.168.5.214
ansible_user: jarvis
node_role: gpu_host
gpu: true
description: "Hulkbuster — GPU/Ollama standby"
mark5:
ansible_host: 192.168.6.5
ansible_user: jarvis
node_role: tbd
description: "Mark 5 — being repurposed"
mk42:
ansible_host: 192.168.0.196
ansible_user: jarvis
node_role: pve_worker
description: "PVE Extremis"
# Infrastructure / support nodes
infrastructure:
hosts:
shield:
ansible_host: 192.168.27.205
ansible_user: jarvis
node_role: pxe_server
description: "iVentoy PXE deployment server"
igor:
ansible_host: 192.168.10.211
ansible_user: jarvis
node_role: nas
description: "ZimaOS NAS (MK-38)"
# Tailscale fallback aliases (uncomment if LAN fails)
# tailscale_fallback:
# hosts:
# ts-mk7:
# ansible_host: 100.66.70.51
# ansible_user: jarvis
# ts-mk33:
# ansible_host: 100.125.155.41
# ansible_user: jarvis
# ts-mk34:
# ansible_host: 100.94.190.43
# ansible_user: jarvis
# ts-nebuchadnezzar:
# ansible_host: 100.99.123.16
# ansible_user: jarvis
# Docker host targeting groups (uncomment when needed)
# docker_hosts:
# children:
# swarm_manager:
# hosts:
# mk7:
# standalone_docker:
# hosts:
# nebuchadnezzar:
```
---
## 8. Notes on Inventory Design
- **YAML format:** `all: children:` nesting required. Orphaned top-level keys like `pve_workers:` outside `all:` scope cause "invalid characters in hostnames" errors.
- **Group-level auth:** PVE workers use `vars:` under their group for `ansible_user`, `ansible_ssh_pass`, `ansible_become`, and `ansible_python_interpreter` — keeps host entries DRY.
- **SSH key auto-discovery:** No explicit `ansible_ssh_private_key_file` needed when the key is named `id_ed25519` and mounted to `/root/.ssh` inside the container.
- **Host key checking:** `ANSIBLE_HOST_KEY_CHECKING=false` in compose handles first-contact acceptance automatically.
---
## 9. Testing Playbooks
```bash
cd ~/docker/ansible-push
docker compose up -d
docker exec -it ansible ansible-playbook -i inventory.yml playbook.yml
docker compose down
```
---
## 10. Validation Log
| Date | Hosts Tested | Result |
|------|-------------|--------|
| 2026-06-03 | 10/10 (all groups) | ✅ Green |

132
PRD Drafts/fleet-user-standard.md Normal file
View File

@@ -0,0 +1,132 @@
# Fleet User Standard PRD
**Status:** Draft — Pending Commander Bobby Review
**Author:** Artemis
**Date:** 2026-06-03
---
## 1. Purpose & Scope
This PRD defines the **canonical user account standard** for all Iron Legion fleet nodes. It eliminates UID/GID mismatches that cause permission failures in bind-mounted containers (VS Code: Server, Paperclip, etc.) and ensures every node behaves identically for automation.
**In scope:**
- Canonical user `jarvis` — UID/GID, groups, home directory
- Container `PUID`/`PGID` mapping rules
- Provisioning enforcement (MAAS autoinstall, Ansible, manual install)
- Migration path for non-compliant nodes (MK7, Nebuchadnezzar)
**Out of scope:**
- Service-specific runtime users inside containers
- TrueNAS / external appliance user models (already documented separately)
---
## 2. Success Criteria
| # | Criterion | How Verified |
|---|-----------|-------------|
| 1 | Every fleet node has `jarvis` at UID 1000 / GID 1000 | `id jarvis` returns `uid=1000` |
| 2 | No node has a competing UID 1000 user (e.g. "ubuntu") | `awk -F: '$3==1000 {print $1}' /etc/passwd` returns only "jarvis" |
| 3 | Container compose files use `PUID=1000` / `PGID=1000` without node-specific overrides | `grep -r 'PUID' /opt/iron-legion/docker-swarm/` |
| 4 | MAAS/cloud-init autoinstall scripts create jarvis FIRST at UID 1000 | Inspect autoinstall user-data |
| 5 | Nebuchadnezzar + MK7 migrated to compliant state | Re-run audit script |
---
## 3. The Standard
### 3.1 Canonical User: `jarvis`
```yaml
username: jarvis
uid: 1000
gid: 1000
home: /home/jarvis
shell: /bin/bash
groups: [sudo, docker] # node-local groups added post-provision
ssh_key_source: ~/.ssh/artemis_key.pub # deployed at provision time
```
### 3.2 Container Mapping Rule
All LinuxServer.io and similar images MUST use:
```yaml
environment:
- PUID=1000
- PGID=1000
```
**No exceptions.** If a node cannot satisfy this, the node is non-compliant and must be migrated — not the compose.
### 3.3 Provisioning Enforcement
| Provision Method | Enforcement |
|----------------|-------------|
| **Manual install** | `useradd -m -u 1000 -s /bin/bash jarvis` before any other human user |
| **MAAS autoinstall** | Subiquity `identity` section MUST target `jarvis:1000` **before** cloud-init creates "ubuntu" |
| **Ansible playbook** | `ansible.builtin.user:` with `uid: 1000`, `name: jarvis` |
| **Docker host (Nebuchadnezzar)** | Base image or `useradd` in Dockerfile prior to app user creation |
---
## 4. Fleet Audit Results (Current State)
| Node | jarvis UID | Competing UID 1000 | Status |
|------|-----------|-------------------|--------|
| artemis | 1000 | None | ✅ Compliant |
| mark44 | 1000 | None | ✅ Compliant |
| mark5 | 1000 | None | ✅ Compliant |
| mk42 | 1000 | None | ✅ Compliant |
| shield | 1000 | None | ✅ Compliant |
| igor | 1000 | None | ✅ Compliant |
| truenas | 1000 | None | ✅ Compliant |
| **mk7** | **1001** | **ubuntu 1000** | ⚠️ **Non-compliant** |
| **nebuchadnezzar** | **1002** | **ubuntu 1000, caddy 1001** | ⚠️ **Non-compliant** |
**Root cause:** MK7 and Nebuchadnezzar were provisioned via cloud-init/MAAS, which created "ubuntu" at UID 1000 before jarvis was added. All manually-built nodes are clean.
---
## 5. Remediation Plan
### 5.1 MK7
1. Remove or reassign `ubuntu` user (UID 1000 → 65534 or delete)
2. Change `jarvis` UID from 1001 → 1000
3. `chown -R jarvis:jarvis /home/jarvis`
4. Update VS Code: Server container ownership: `chown -R jarvis:jarvis /home/jarvis/.vscode-ssh`
5. Verify compose still works with `PUID=1000`
### 5.2 Nebuchadnezzar
1. Remove or reassign `ubuntu` user
2. Remove or reassign `caddy` user (or shift to UID > 2000)
3. Change `jarvis` UID from 1002 → 1000
4. `chown -R jarvis:jarvis /home/jarvis`
5. Audit any container bind mounts for ownership drift
---
## 6. Open Questions
1. **Should we document this in the MAAS curtin preseed** so new PXE-built nodes are auto-compliant?
2. **Should we add a fleet-wide Ansible user-enforcement task** that fails the playbook if UID 1000 ≠ jarvis?
3. **Is TrueNAS user model** (jarvis=1000, jumpbox=3000, bobby=3001) the exception we keep, or do we align TrueNAS too?
---
## 7. Gitea Branch Protection Setup (For Draft → Canon Workflow)
To enforce peer review for PRDs and all documentation:
1. **Gitea UI** → Iron-Legion/documentation → Settings → Branches → `main`**Add Protection Rule**
2. Enable:
-**Enable branch protection**
-**Require pull request reviews** → Minimum approvers: **1**
-**Dismiss stale approvals when new commits are pushed**
-**Block merge if required reviewers not approved**
3. This forces every PR to have at least one human review before merge.
Once enabled:
- Draft PRDs go to `PRD Drafts/` via fork + PR
- Approved PRDs get moved to `PRDs/` (canonical) in the approval commit
- All operational docs follow the same fork → PR → review → merge flow

149
PRD Drafts/git-repo-setup-peer-review.md Normal file
View File

@@ -0,0 +1,149 @@
# Git Repo Setup & Peer Review PRD
**Status:** Draft — Pending Commander Bobby Review
**Author:** Artemis
**Date:** 2026-06-03
---
## 1. Purpose & Scope
This PRD defines the **standard Git repository setup** for all Iron Legion Labs projects hosted on Gitea. Every new repo — whether fleet config, documentation, or service-specific — must follow this pattern so that **drafts live in forks/PRs** and **canonical docs live on protected branches**.
**In scope:**
- Branch protection rules (mandatory)
- Fork + PR workflow for documentation and PRDs
- Credential/token management for CI/automation
- Gitea API token reference for Artemis automation
**Out of scope:**
- Code review style guides (covered per-project)
- CI/CD pipeline definitions (separate PRDs)
---
## 2. Success Criteria
| # | Criterion | How Verified |
|---|-----------|-------------|
| 1 | Every new repo has `main` branch protected on creation | API query or UI inspection |
| 2 | Direct push to `main` is blocked without PR + review | Attempt push, expect 403 or pre-receive hook rejection |
| 3 | All PRDs and docs go through fork → PR → review → merge | Git log shows merge commits from PRs |
| 4 | Artemis can automate via Gitea API using stored R/W token | `curl -H "Authorization: token ..."` returns 200 |
---
## 3. Gitea Token Reference
Tokens are stored in **two places** depending on scope:
| Token | Purpose | Storage | Scope |
|-------|---------|---------|-------|
| `gitea_deploy_token` | Read-only for ansible-pull nodes | `/home/jarvis/.ansible/secrets/deploy_token` | repo:read |
| `gitea_rw_token` | Read-write for Artemis automation | `/home/jarvis/.ansible/secrets/deploy_token` | repo:write, organization |
**Both are also mirrored to:**
`~/.hermes/credentials/fleet.env` (mode 600) for runtime access by Artemis.
---
## 4. Branch Protection Rules (Mandatory for Every Repo)
Apply these rules to the `main` branch on repo creation:
| Setting | Value | Why |
|---------|-------|-----|
| Enable branch protection | ✅ ON | Prevents accidental force-push |
| Require pull request reviews | ✅ ON, minimum **1** approver | Ensures human review |
| Dismiss stale approvals | ✅ ON | Re-review after new commits |
| Block merge without approval | ✅ ON | No self-merge loophole |
| Enable push whitelist | ✅ ON, deploy keys only | CI can push; humans cannot |
| Require status checks | ❌ OFF (until CI is configured) | No false blocking |
**API method** (for Artemis automation):
```bash
curl -sk "https://gitea.nb.bobbysh.me/api/v1/repos/<org>/<repo>/branch_protections" \
-H "Authorization: token $GITEA_RW_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"branch_name": "main",
"required_approvals": 1,
"enable_approvals_whitelist": false,
"enable_merge_whitelist": false,
"enable_push": true,
"enable_push_whitelist": true,
"push_whitelist_deploy_keys": true,
"enable_pr": true
}'
```
**UI method** (for manual setup):
1. Repo → Settings → Branches → `main`**Add Protection Rule**
2. Check the boxes above → Save
---
## 5. Draft → Canon Workflow
```
┌─────────────┐ ┌──────────────┐ ┌──────────────┐
│ PRD Draft │ ───▶ │ Fork/PR │ ───▶ │ Review │
│ PRD Drafts/│ │ (any dev) │ │ (Bobby) │
└─────────────┘ └──────────────┘ └──────┬───────┘
┌───────────────────────▼───────┐
│ Approved → merge to main │
│ Move file: PRD Drafts/ → │
│ PRDs/ (canonical) │
└──────────────────────────────┘
```
### For Artemis (automation):
- Drafts are written to `PRD Drafts/` directly during active work sessions
- Bobby approves → Artemis moves to `PRDs/` in a follow-up commit
- No PR needed for Artemis-authored drafts (Bobby reviews inline)
### For F.R.I.D.A.Y. / human contributors:
- Fork the repo
- Push draft to fork branch
- Open PR against `main`
- Bobby (or designated reviewer) approves
- Merge → file lands in `PRDs/`
---
## 6. Repo Setup Checklist
Use this for every new repo:
- [ ] Create repo under `Iron-Legion/` org
- [ ] Initialize with `main` branch only (delete `master` if auto-created)
- [ ] Apply branch protection rules (Section 4)
- [ ] Add `README.md` with scope statement
- [ ] Add `.gitignore` for secrets/build artifacts
- [ ] If CI/automation needed: register deploy key or token
- [ ] Document in `Iron-Legion/documentation` fleet registry
---
## 7. Open Questions
1. **Should we create a Gitea org-level default branch protection template?** (Applies to all new repos automatically)
2. **Should F.R.I.D.A.Y. also store the R/W token?** (Currently only Artemis has it in `fleet.env`)
3. **Do we want a CODEOWNERS file** in each repo to auto-assign reviewers?
---
## 8. Fleet Credential Store Update
> ⚠️ **Status:** Tokens documented here are **EXPIRED / REVOKED** (confirmed 2026-06-05 via 401 on Gitea API).
> **Action required:** Generate new tokens via Gitea UI → User Settings → Applications → Generate New Token.
> **Updated token values should be written to `~/.ansible/secrets/deploy_token` and `~/.hermes/credentials/fleet.env`.**
Original values (for reference — **DO NOT USE**):
```
GITEA_DEPLOY_TOKEN=226c3ef38eb35914ae6b647803c2e597f66f28cb # EXPIRED
GITEA_RW_TOKEN=968e86d51ab9b6b2a3eb5e97b391ce8c6534ec2d # EXPIRED
```
Source of truth: `/home/jarvis/.ansible/secrets/deploy_token` (must be updated with new tokens).

172
PRD Drafts/n8n-terraform-ansible-orchestrator.md Normal file
View File

@@ -0,0 +1,172 @@
# N8N Webhook Orchestrator — Terraform LXC + Ansible Provisioning
**Status:** Draft | **Author:** Artemis | **Date:** 2026-06-05
> **Purpose:** N8N on MK7 receives Telegram-triggered webhooks, SSHs to Artemis, and executes existing terraform/ansible containers. No new infrastructure — orchestrates what already exists.
---
## 1. Architecture
```
[Telegram: Bobby] → Artemis (parse intent) → POST to N8N (MK7)
↓ SSH (jarvis@192.168.15.182)
Artemis (this machine)
[A] ~/docker/terraform-pve/run.sh apply
LXC created + inventory generated
[B] ~/docker/ansible-push/lxc-common.sh
LXC provisioned (jarvis + git + ansible)
```
**N8N role:** Trigger + SSH executor only. No Docker socket, no state awareness, no config generation.
**Artemis role:** Hosts existing run.sh + lxc-common.sh. Owns terraform state, ansible inventory, SSH keys.
---
## 2. Workflow A: `/build` — Create and Provision LXCs
### 2.1 Telegram Input
```
You: "/build 5 lxcs"
Artemis parses → count=5, vmid_base=auto (next available)
You: "/build 5 lxcs at vmid 62128"
Artemis parses → vmid_base=62128 (explicit override), count=5
```
### 2.2 Webhook Payload (POST to N8N)
```json
{
"action": "lxc_build",
"vmid_base": 62128,
"lxc_count": 5,
"specs": "default"
}
```
### 2.3 N8N Execution Steps
| Step | Node | Command |
|------|------|---------|
| 1 | Webhook trigger | Receive JSON payload |
| 2 | Set SSH env vars | Export `TF_VAR_lxc_count=5 TF_VAR_vmid_base=62128` |
|| 3 | Execute SSH | `ssh jarvis@192.168.15.182 "cd ~/docker/terraform-pve && ./run.sh apply -auto-approve"` |
| 4 | Wait | Poll until `run.sh` exits (blocks until completion) |
| 5 | Verify inventory | Check `~/docker/ansible-push/terraform-prefill/inventory-lxc.yml` exists |
|| 6 | Execute SSH | `ssh jarvis@192.168.15.182 "cd ~/docker/ansible-push && ./lxc-common.sh"` |
| 7 | Notify | POST result back to Telegram/Discord |
### 2.4 Constraints
- **Specs locked to "default" for POC** (2 cores, 2GB RAM, 8GB disk)
- **Custom specs deferred to Phase 4** — requires terraform variable expansion
- **vmid_base range:** Must not overlap existing PVE VMs/LXCs (check before apply)
- **lxc_count max:** Phase 2 validated at N=7; N=4 had transient 500 race condition
---
## 3. Workflow B: `/fleet-update` — Apt Update + Upgrade
### 3.1 Telegram Input
```
You: "/fleet-update"
Artemis parses → action=fleet_update
```
### 3.2 Webhook Payload (POST to N8N)
```json
{
"action": "fleet_update"
}
```
### 3.3 N8N Execution Steps
| Step | Node | Command |
|------|------|---------|
| 1 | Webhook trigger | Receive JSON payload |
|| 2 | Execute SSH | `ssh jarvis@192.168.15.182 "cd ~/docker/ansible-push && docker compose up -d && docker exec ansible ansible-playbook playbooks/main.yml -i inventory.yml --tags fleet_update"` |
| 3 | Wait | Poll until ansible exits |
| 4 | Notify | POST result back to Telegram/Discord |
### 3.4 Target Scope
| Included | Excluded |
|----------|----------|
| `managed_nodes` group (from inventory.yml) | `pve_hosts` (MK33/34/39) — PVE self-manages |
| `physical_agents` | Neo (ZimaOS, not Debian) |
| `core_services` (MK7) | `igor` (ZimaOS NAS) |
| | Ephemeral LXCs — rebuilt from scratch |
---
## 4. N8N Requirements (MK7)
### 4.1 Container Mounts
- **SSH client:** `openssh-client` package installed in N8N image
- **Private key:** Mount `~/.ssh/artemis_key``/root/.ssh/id_ed25519` inside N8N container
- **Known hosts:** Pre-populated `~/.ssh/known_hosts` for `192.168.15.182`
### 4.2 N8N Endpoint
- **Webhook URL:** `https://n8n.ai.home` (Traefik-routed, TLS-terminated)
- **DNS:** CNAME `n8n.ai.home``traefik.ai.home` (Technitium DNS)
- **Network:** LAN-only (`192.168.x.x`), no external access
### 4.3 N8N Credentials
- **SSH Private Key:** Store `artemis_key` in N8N "Credentials" → SSH type
- **SSH Host:** `192.168.15.182` (LAN IP, no DNS resolution dependency)
- **SSH User:** `jarvis`
- **SSH Port:** `22`
### 4.3 Security Constraints
- N8N connects **to Artemis only** — never to PVE nodes, Neo, or LXCs directly
- N8N never sees PVE API tokens or sudo passwords
- All terraform/ansible state stays on Artemis filesystem (not in N8N container)
---
## 5. Artemis Prerequisites (Already Exists)
| Component | Path | Status |
|-----------|------|--------|
| Terraform container | `~/docker/terraform-pve/` | ✅ Validated Phase 2 |
| Ansible container | `~/docker/ansible-push/` | ✅ Validated |
| Run script | `./run.sh` | ✅ Forwards TF_VAR_*, supports init/plan/apply/destroy |
| LXC provision script | `./lxc-common.sh` | ✅ Runs lxc_common role |
| Inventory template | `terraform/inventory-lxc.tmpl` | ✅ Auto-generates ansible_host |
---
## 6. Error Handling
| Scenario | N8N Action |
|----------|------------|
| Terraform apply fails | Abort, notify with stderr |
| Inventory not generated after apply | Retry once, then fail |
| Ansible unreachable | Report per-host, continue others |
| SSH connection refused | Retry 3× with backoff, then alert |
---
## 7. Resolved Questions
| # | Question | Decision |
|---|----------|----------|
| 1 | Should `/build` auto-increment `vmid_base`? | **Yes** — default to auto-increment with optional explicit override |
| 2 | Should N8N trigger Gitea commit of generated inventory? | **No** — LXCs are ephemeral, inventory is temporary |
| 3 | Should `/fleet-update` include PVE nodes? | **No** — PVE self-managed, separate workflow later |
| 4 | N8N webhook via Tailscale or LAN? | **LAN IP only**`192.168.15.182`, no prod server access |
## 8. Decision Points
| Decision | Options | Recommended |
|----------|---------|-------------|
| N8N SSH key | `artemis_key` vs dedicated `n8n_key` | `artemis_key` for POC; rotate to dedicated key later |
| Notification target | Telegram vs Discord vs both | Both via existing gateway webhook |
| vmid_base tracking | Manual vs auto-increment | Auto-increment via PVE API query before apply |
| Fleet-update schedule | On-demand vs cron | On-demand only via `/fleet-update` |

139
PRD Drafts/pve-three-node-ha-cluster.md Normal file
View File

@@ -0,0 +1,139 @@
# PVE 3-Node HA Cluster for Iron Legion
**Status:** Draft | **Author:** Artemis | **Date:** 2026-06-04
## 1. Objective
Configure MK33, MK34, and MK39 as a Proxmox VE 3-node cluster with shared NFS storage from TrueNAS. Enable manual live migration of VMs/LXCs between nodes, and optionally automatic HA failover for critical workloads.
## 2. Current State
| Node | CPU | RAM | Storage | Role |
|------|-----|-----|---------|------|
| MK33 (Silver Centurion) | Intel N150 4c/4t | 16GB | Local SSD | PVE HA |
| MK34 (Southpaw) | Intel N150 4c/4t | 16GB | Local SSD | PVE HA |
| MK39 (Gemini) | Intel N150 4c/4t | 16GB | Local SSD | PVE HA (spare)
| TrueNAS SCALE | 4c | 11GB | HDD pool | NFS server |
All nodes on `192.168.0.0/18`. TrueNAS at `192.168.16.254`.
## 3. Architecture
### 3.1 Cluster Model: Proxmox 3-Node Cluster (No Ceph)
```
MK33 (192.168.7.33) ──┐
├─ Corosync Ring ── Shared NFS (TrueNAS)
MK34 (192.168.7.34) ──┤
MK39 (192.168.7.39) ──┘
```
- **Quorum:** 3-node cluster = 2 votes needed for quorum. If one node dies, remaining 2 form quorum.
- **Shared storage:** TrueNAS NFSv4.2 export `/mnt/Ice/Backup`
- **HA manager:** Proxmox HA services (`pve-ha-crm`, `pve-ha-lrm`) for automatic restart
### 3.2 Storage Flow
```
Build on local disk → Test workload → Shutdown → Move disk to NFS → Restart on NFS
If node fails: HA manager detects → Restarts VM/LXC on surviving node (same NFS disk)
```
### 3.3 Workload Planning
| Type | Count per node | Resources each |
|------|---------------|----------------|
| VM (general) | 1 | 4 vCPU, 4096 MB RAM |
| LXC (lightweight) | 510 | 1 vCPU, 5121024 MB RAM |
**Total per node estimated:** 914 vCPUs (but N100 is 4c/4t — LXCs share cores opportunistically via cgroups)
**Total RAM per node:** VM 4GB + 5×1GB LXCs = ~9GB allocated, 7GB headroom
## 4. Pros vs Cons
### 4.1 3-Node Cluster (Recommended)
**Pros:**
- Unified web UI for all 3 nodes from any one node
- Live migration of VMs/LXCs between nodes (zero downtime)
- Automatic HA failover for critical VMs/LXCs
- Quorum maintained with 2 of 3 nodes online
- Shared NFS storage means VMs are portable across nodes
**Cons:**
- Corosync ring traffic adds minor network overhead
- If 2 nodes fail simultaneously, quorum lost, cluster stops
- HA failover is restart (brief downtime), not live migration
- N100 CPU is modest — 3 VMs + 15 LXCs across cluster is tight but workable
### 4.2 Standalone Nodes (Current)
**Pros:**
- Simple, no cluster complexity
- Node failure doesn't affect others
- No Corosync network overhead
**Cons:**
- No live migration — moving a VM requires export/import
- No automatic failover — manual intervention if node dies
- 3 separate web UIs to manage
## 5. Implementation Plan
### Phase 1: Cluster Formation
1. Add all 3 nodes to `/etc/hosts` on each node (or DNS via Technitium)
2. On MK33: `pvecm create iron-legion`
3. On MK34/MK39: `pvecm add 192.168.7.33`
4. Verify: `pvecm status` shows 3 nodes, quorum 2/3
### Phase 2: NFS Storage Setup
1. Ensure TrueNAS exports `/mnt/Ice/Backup` with:
- NFSv4.2
- `maproot` or `mapall` to `root` (PVE nodes need root access)
- ACL allows `192.168.0.0/18`
2. On PVE Datacenter → Storage → Add → NFS:
- ID: `truenas-backup`
- Server: `192.168.16.254`
- Export: `/mnt/Ice/Backup`
- Content: `images,rootdir`
3. Verify storage shows on all 3 nodes
### Phase 3: HA Configuration
1. Proxmox HA → Add groups:
- `critical`: nodes mk33,mk34,mk39 (any node)
- `local-only`: single-node constraint for local-disk VMs
2. For each VM/LXC on NFS storage:
- Datacenter → HA → Add → Select VM → Group `critical` → Start on any
3. Start fencing daemon if IPMI/ watchdog available (optional for N100)
### Phase 4: Workload Migration Testing
1. Build a test LXC on local storage
2. Migrate disk to NFS: `Move disk` → target `truenas-backup`
3. Verify LXC starts from NFS
4. Test live migration: right-click → Migrate → select target node
5. Test HA failover: power off source node, verify restart on surviving node
## 6. Open Questions
1. Do we need HA fencing? (IPMI not available on N100 — watchdog only)
2. Should we reserve one node as "management" and only run LXCs on two?
3. What's the Tailscale story — do we bind Corosync to LAN only or also Tailscale?
## 7. Decision Points
| Decision | Option A | Option B |
|----------|----------|----------|
| Cluster type | 3-node with quorum (recommended) | 2-node + witness (not recommended) |
| HA level | Manual migration only | Full HA with auto-restart |
| Storage | NFS only (current) | Add local Ceph later |
| Resource reserve | 1 node mostly idle | Distribute evenly |
---
**Awaiting Commander Bobby review and approval.**

178
PRD Drafts/terraform-lxc-deployment-phase3.md Normal file
View File

@@ -0,0 +1,178 @@
# Terraform LXC Deployment — Phase 3: Ansible-Integrated Pipeline
**Status:** Draft | **Author:** Artemis | **Date:** 2026-06-05
> **Goal:** Extend the validated Phase 2 batch pipeline into a complete **create-and-provision** workflow. Terraform generates LXCs + Ansible inventory; Ansible provisions git, python3-pip, and ansible on each LXC. Future Stage 4 adds N8N orchestration.
---
## 1. Pipeline Overview
```
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Trigger │────▶│ Terraform │────▶│ Inventory │────▶│ Ansible │
│ (manual / │ │ (Docker) │ │ (YAML) │ │ (Docker) │
│ N8N) │ │ Creates │ │ Generated │ │ Provisions │
└─────────────┘ │ LXCs on │ │ per apply │ │ LXC group │
│ PVE │ └─────────────┘ └─────────────┘
└─────────────┘
```
---
## 2. Stage 1: Terraform LXC Batch Factory (Complete)
**Status:** ✅ Validated at N=4 and N=7 on MK33
### 2.1 Dynamic Derivation
| Input | Example | Description |
|-------|---------|-------------|
| `vmid_base` | `5050` | Starting VMID |
| `lxc_count` | `4` | Number of LXCs |
| `subnet_prefix` | `192.168` | First two octets |
**Auto-derived per LXC (index `i`):**
- **VMID:** `vmid_base + i`
- **Hostname:** `lxc-${vmid}`
- **IPv4:** `${subnet_prefix}.${first2(vmid)}.${last2(vmid)}/18`
- **IPv4 host (Ansible):** bare IP (CIDR stripped)
### 2.2 Inventory Generation (NEW)
Two files written on every `terraform apply`:
- `inventory-lxc.yml` — latest, overwritten
- `inventory-lxc-<timestamp>.yml` — archive
Both written to `/ansible-push/terraform-prefill/` via Docker compose mount.
### 2.3 Generated Inventory Format
```yaml
all:
children:
lxcs:
hosts:
lxc-5050:
ansible_host: 192.168.50.50
ansible_user: root
ansible_password: ubuntu
ansible_port: 22
ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
ansible_python_interpreter: auto_silent
```
---
## 3. Stage 2: Ansible Provisioning (Complete)
**Status:** ✅ Validated against 5 LXCs (vmid_base=338, lxc_count=5)
### 3.1 Playbook Structure
```
~/docker/ansible-push/playbooks/
├── main.yml # Entry point
├── roles/
│ ├── prepare/ # apt update/upgrade
│ ├── nfs_client/ # NFS mount (fleet nodes)
│ └── lxc_common/ # LXC bootstrap
│ └── tasks/main.yml
```
### 3.2 lxc_common Role (Updated 2026-06-05)
Tasks execute in order:
1. **Ensure apt cache updated** (`no_log: true`)
2. **Install git** (`no_log: true`)
3. **Install python3-pip** (`no_log: true`)
4. **Create jarvis user** (UID 1000, sudo group)
5. **Ensure jarvis .ssh directory**
6. **Copy root authorized_keys to jarvis**
7. **Passwordless sudo for jarvis**
8. **Install ansible via pip** (`no_log: true`, `break_system_packages: true`)
### 3.3 Output Noise Reduction
`ansible.cfg` at `~/docker/ansible-push/ansible.cfg`:
- `stdout_callback = dense` — grid layout instead of raw dpkg
- `deprecation_warnings = False` — silence `ansible_os_family` nag
### 3.4 Execution Pattern
```bash
# 1. Terraform creates LXCs + generates inventory
cd ~/docker/terraform-pve
TF_VAR_vmid_base=5050 TF_VAR_lxc_count=4 ./run.sh apply -auto-approve
# 2. Fix inventory ownership (terraform container writes as root)
sudo chown jarvis:jarvis ~/docker/ansible-push/terraform-prefill/inventory-lxc.yml
# 3. Ansible provisions
cd ~/docker/ansible-push
docker compose up -d
docker exec -it ansible ansible-playbook playbooks/main.yml \
-i terraform-prefill/inventory-lxc.yml \
--limit lxcs \
--tags lxc_common,prepare
```
---
## 4. Open Questions / Phase 4
| Item | Status | Notes |
|------|--------|-------|
| Adjustable CPU/RAM/HDD | ❌ Deferred | Currently fixed 1vCPU/2GB/8GB |
| Vaulted secrets | ❌ Deferred | `ansible_password` in plaintext inventory |
| N8N orchestration | ❌ Deferred | Webhook trigger from Gitea? |
| User switch post-bootstrap | ❌ Blocked | First run must be `root`; jarvis created during run |
---
## 5. Known Issues
### 5.1 PVE Parallel Start Race Condition
- Creating multiple LXCs in parallel can hit HTTP 500 "already running"
- Transient; re-run `apply` resolves it
- No terraform-level workaround needed
### 5.2 Root-Only First Run
- Fresh LXCs only have `root` user with SSH key
- `ansible_user: root` required for initial provisioning
- `jarvis` user is created during the playbook, not before
### 5.3 Inventory Ownership
- Terraform container runs as `root`, writes inventory as `root`
- `jarvis` cannot modify without `chown`
- Future fix: run terraform container as `jarvis` UID
### 5.4 Variable Precedence Trap
- `terraform.auto.tfvars` outranks `TF_VAR_*` env vars
- Dynamic vars (`lxc_count`, `vmid_base`) must NOT be in `.tfvars`
---
## 6. File Locations
| Component | Path |
|-----------|------|
| Terraform code | `~/docker/terraform-pve/terraform/` |
| Ansible code | `~/docker/ansible-push/playbooks/` |
| Generated inventory | `~/docker/ansible-push/terraform-prefill/inventory-lxc.yml` |
| PRD canonical | `~/documentation/PRDs/terraform-lxc-deployment-batch.md` |
| This draft | `~/documentation/PRD Drafts/terraform-lxc-deployment-phase3.md` |
---
## 7. Decision Log
| Decision | Chosen | Date |
|----------|--------|------|
| `ansible_user` | `root` for all runs | 2026-06-05 |
| `ansible_password` | `ubuntu` (matches fleet) | 2026-06-05 |
| SSH key discovery | Container mount `/root/.ssh/` auto-discovers `id_ed25519` | 2026-06-05 |
| `no_log` on apt | Enabled to suppress dpkg noise | 2026-06-05 |
| `dense` callback | Enabled in `ansible.cfg` | 2026-06-05 |
| Inventory output | Dual: `inventory-lxc.yml` + timestamped archive | 2026-06-05 |

243
PRDs/ansible-base-testing.md Normal file
View File

@@ -0,0 +1,243 @@
# Ansible Base Testing Environment PRD
**Status:** Deployed | **Author:** Artemis (AI Foreman) | **Date:** 2026-06-03
> **Validated:** Ansible base testing environment deployed at `~/docker/ansible-push/`. Inventory-based ping and ad-hoc playbook execution confirmed against fleet nodes.
---
## 1. Purpose & Scope
A minimal, containerized Ansible environment for playbook development and ad-hoc fleet testing. This is the Iron Legion standard for validating inventories and playbooks before promoting to production.
---
## 2. Directory Structure
```
~/docker/ansible-push/
├── docker-compose.yml # Ansible runner container definition
├── dockerfile # Build: Python 3.14 Alpine + Ansible 14
├── run.sh # One-shot test runner
├── inventory.yml # Iron Legion fleet inventory (YAML format)
└── keys/
├── id_ed25519 # Private key (chmod 600)
├── id_ed25519.pub # Public key (chmod 644)
└── known_hosts # Auto-populated by successful connections
```
---
## 3. docker-compose.yml
```yaml
services:
ansible:
build: .
container_name: ansible
image: ansible
environment:
- ANSIBLE_HOST_KEY_CHECKING=false
- ANSIBLE_PYTHON_INTERPRETER=/usr/bin/python3.12
volumes:
- .:/ansible
- ./keys:/root/.ssh
working_dir: /ansible
entrypoint: ["/bin/sh", "-c"]
command: ["tail -f /dev/null"]
```
---
## 4. dockerfile
```dockerfile
FROM python:3.14.5-alpine3.23
RUN pip install --no-cache-dir ansible==14.0.0 && apk add --no-cache curl openssh-client
```
---
## 5. run.sh
```bash
docker compose up -d
docker exec -it ansible ansible all -m ping -i inventory.yml
docker compose down
```
---
## 6. Key Management
The `keys/` directory is bind-mounted to `/root/.ssh` inside the container. SSH auto-discovers the standard `id_ed25519` key — no explicit `ansible_ssh_private_key_file` needed for passwordless hosts.
- **File:** `id_ed25519` → Container: `/root/.ssh/id_ed25519` → Perms: `600`
- **File:** `id_ed25519.pub` → Container: `/root/.ssh/id_ed25519.pub` → Perms: `644`
- **File:** `known_hosts` → Container: `/root/.ssh/known_hosts` → Auto-populated
---
## 7. Working inventory.yml (Validated: 10/10 green)
```yaml
# Iron Legion Fleet Inventory
# Generated: 2026-06-03
# Source: fleet documentation + live SSH config
#
# Usage with Ansible:
# ansible all -m ping -i inventory.yml
# ansible pve_workers -m setup -i inventory.yml
# ansible swarm_manager -a "docker service ls" -i inventory.yml
#
# FIX: Group-specific variables (e.g. pve_workers:) were previously
# placed outside `all:` scope, breaking inventory parsing.
# All group vars are now merged into the group definitions below.
---
all:
children:
# ──────────────────────────────────────────
# Physical / Virtual Fleet Nodes
# ──────────────────────────────────────────
fleet_nodes:
children:
# Core fleet services
core_services:
hosts:
mk7:
ansible_host: 192.168.7.7
ansible_user: jarvis
node_role: swarm_manager
docker_host: true
description: "Swarm manager + Traefik + service stack host"
# PVE Worker nodes
pve_workers:
vars:
ansible_user: root
ansible_ssh_pass: "proxmox12"
ansible_become: true
ansible_python_interpreter: /usr/bin/python3
hosts:
mk33:
ansible_host: 192.168.7.33
node_role: pve_worker
pve_api_url: "https://192.168.7.33:8006/"
description: "PVE Silver Centurion"
mk34:
ansible_host: 192.168.7.34
node_role: pve_worker
pve_api_url: "https://192.168.7.34:8006/"
description: "PVE Southpaw"
mk39:
ansible_host: 192.168.7.39
node_role: pve_worker
pve_api_url: "https://192.168.7.39:8006/"
description: "PVE Gemini"
# Active physical agents
physical_agents:
hosts:
artemis:
ansible_host: 192.168.15.182
ansible_user: jarvis
node_role: discord_gateway
hermes_agent: true
description: "Primary AI orchestrator + Discord gateway"
mark44:
ansible_host: 192.168.5.214
ansible_user: jarvis
node_role: gpu_host
gpu: true
description: "Hulkbuster — GPU/Ollama standby"
mark5:
ansible_host: 192.168.6.5
ansible_user: jarvis
node_role: tbd
description: "Mark 5 — being repurposed"
mk42:
ansible_host: 192.168.0.196
ansible_user: jarvis
node_role: pve_worker
description: "PVE Extremis"
# Infrastructure / support nodes
infrastructure:
hosts:
shield:
ansible_host: 192.168.27.205
ansible_user: jarvis
node_role: pxe_server
description: "iVentoy PXE deployment server"
igor:
ansible_host: 192.168.10.211
ansible_user: jarvis
node_role: nas
description: "ZimaOS NAS (MK-38)"
# Tailscale fallback aliases (uncomment if LAN fails)
# tailscale_fallback:
# hosts:
# ts-mk7:
# ansible_host: 100.66.70.51
# ansible_user: jarvis
# ts-mk33:
# ansible_host: 100.125.155.41
# ansible_user: jarvis
# ts-mk34:
# ansible_host: 100.94.190.43
# ansible_user: jarvis
# ts-nebuchadnezzar:
# ansible_host: 100.99.123.16
# ansible_user: jarvis
# Docker host targeting groups (uncomment when needed)
# docker_hosts:
# children:
# swarm_manager:
# hosts:
# mk7:
# standalone_docker:
# hosts:
# nebuchadnezzar:
```
---
## 8. Notes on Inventory Design
- **YAML format:** `all: children:` nesting required. Orphaned top-level keys like `pve_workers:` outside `all:` scope cause "invalid characters in hostnames" errors.
- **Group-level auth:** PVE workers use `vars:` under their group for `ansible_user`, `ansible_ssh_pass`, `ansible_become`, and `ansible_python_interpreter` — keeps host entries DRY.
- **SSH key auto-discovery:** No explicit `ansible_ssh_private_key_file` needed when the key is named `id_ed25519` and mounted to `/root/.ssh` inside the container.
- **Host key checking:** `ANSIBLE_HOST_KEY_CHECKING=false` in compose handles first-contact acceptance automatically.
---
## 9. Testing Playbooks
```bash
cd ~/docker/ansible-push
docker compose up -d
docker exec -it ansible ansible-playbook -i inventory.yml playbook.yml
docker compose down
```
---
## 10. Validation Log
| Date | Hosts Tested | Result |
|------|-------------|--------|
| 2026-06-03 | 10/10 (all groups) | ✅ Green |

144
PRDs/ansible-playbook.md Normal file
View File

@@ -0,0 +1,144 @@
# Ansible Playbook — NFS Client Role PRD
**Status:** Deployed | **Author:** Artemis | **Date:** 2026-06-04
> **Deployed:** Standardized NFS client mount for fleet Debian nodes. Mounts TrueNAS `Repo` dataset to `/home/jarvis/repo` on all non-PVE, non-ZimaOS nodes. Role tested and validated against MK7 and Swarm workers.
---
## 1. Purpose
Standardized NFS client mounting for fleet Debian nodes. Ensures `/home/jarvis/repo` is available fleet-wide for shared scripts, compose files, and configuration storage.
---
## 2. Scope
| Target | Action |
|--------|--------|
| Debian fleet nodes (MK7, Swarm workers) | Install `nfs-common`, mount NFS share |
| PVE nodes (MK33/34/39) | Excluded — TrueNAS ACL blocks 192.168.192.0/27 |
| ZimaOS (igor, MK-46) | Excluded — `ansible_os_family != "Debian"` |
---
## 3. Files
| File | Location | Purpose |
|------|----------|---------|
| `main.yml` | `~/documentation/procedures/ansible-playbook/` | Playbook entry point |
| `inventory.yml` | `~/documentation/procedures/ansible-playbook/` | Host definitions + `nfs_shares` variable |
| `roles/nfs_client/tasks/main.yml` | `~/documentation/procedures/ansible-playbook/roles/nfs_client/tasks/` | Role: install, mount, fix permissions |
---
## 4. Role Task Breakdown
### 4.1 Install nfs-common
```yaml
- name: Install nfs-common
ansible.builtin.apt:
name: nfs-common
state: present
become: true
when: ansible_os_family == "Debian"
```
### 4.2 Create mount directory
```yaml
- name: Ensure NFS mount directory exists
ansible.builtin.file:
path: "{{ item.local_path }}"
state: directory
owner: "jarvis"
group: "jarvis"
mode: '0755'
become: true
loop: "{{ nfs_shares }}"
```
### 4.3 Mount NFS share
```yaml
- name: Mount NFS share
ansible.posix.mount:
src: "{{ item.server }}:{{ item.remote_path }}"
path: "{{ item.local_path }}"
fstype: nfs
opts: "{{ item.options | default('defaults') }}"
state: mounted
become: true
loop: "{{ nfs_shares }}"
```
### 4.4 Fix mount ownership
```yaml
- name: Ensure mounted directory is owned by jarvis
ansible.builtin.file:
path: "{{ item.local_path }}"
owner: "jarvis"
group: "jarvis"
recurse: yes
become: true
loop: "{{ nfs_shares }}"
```
---
## 5. Inventory Variables
```yaml
nfs_shares:
- server: "192.168.16.254"
remote_path: "/mnt/Ice/Repo"
local_path: "/home/jarvis/repo"
options: "vers=4.2,proto=tcp"
```
---
## 6. Deployment Notes
| Decision | Value | Rationale |
|----------|-------|-----------|
| NFS version | `4.2` | TrueNAS SCALE 25.10.2 default |
| Transport | `tcp` | Required for NFSv4.2 |
| Mount point | `/home/jarvis/repo` | Fleet standard shared workspace |
| Owner | `jarvis:jarvis` | Fleet-wide standard user |
| TrueNAS path | `/mnt/Ice/Repo` | Dataset-backed export (not `/repo`) |
| ACL restriction | `192.168.0.0/18` | Neo (192.168.192.0/27) excluded |
---
## 7. Execution
```bash
# From ~/docker/ansible-push/
docker compose run --rm ansible \
ansible-playbook -i procedures/ansible-playbook/inventory.yml \
procedures/ansible-playbook/main.yml
```
Or directly on any Ansible-capable node:
```bash
ansible-playbook -i ~/documentation/procedures/ansible-playbook/inventory.yml \
~/documentation/procedures/ansible-playbook/main.yml
```
---
## 8. Validated On
| Node | Date | Result |
|------|------|--------|
| MK7 (mark-vii) | 2026-06-04 | ✅ Mounted, accessible |
| MK33/34/39 | — | ❌ Excluded (TrueNAS ACL) |
| Neo | — | ❌ Excluded (192.168.192.0/27) |
| Igor (MK-38) | — | ❌ Excluded (ZimaOS, not Debian) |
---
## 9. Future Work
- Phase 2: Expand to additional NFS exports (`/mnt/Ice/Backup`)
- Phase 3: Add `fstab` persistence check and remount logic
- Phase 4: Create separate playbook for Neo NFS proxy via MK7 jump host

210
PRDs/terraform-lxc-deployment-batch.md Normal file
View File

@@ -0,0 +1,210 @@
# Terraform LXC Deployment — Batch/Dynamic Template PRD
**Status:** Deployed | **Author:** Artemis | **Date:** 2026-06-05
> **Phase 2 validated:** Batch/dynamic template tested at N=4 and N=7 on MK33. All derivation rules confirmed.
## 1. Objective
Extend the Phase 1 single-LXC proven pipeline into a **parameterized batch generator**. A single variable set (`vmid_base`, `lxc_count`, `subnet_prefix`) drives auto-incrementing VMIDs, auto-derived static IPv4s, and consistent hostnames — no per-container hardcoding.
## 2. Dynamic Derivation Rules
### 2.1 Input Variables (User-Supplied)
| Variable | Example | Description |
|----------|---------|-------------|
| `vmid_base` | `5050` | Starting VMID for first LXC |
| `lxc_count` | `4` | Number of LXCs to create |
| `subnet_prefix` | `192.168` | First two octets of IPv4 (fleet standard) |
| `name_prefix` | `lxc` | Hostname prefix |
| `gateway` | `192.168.18.1` | Default gateway |
| `dns_servers` | `["192.168.7.7", "1.1.1.1"]` | DNS list |
### 2.2 Auto-Derived Per-LXC (Index `i` from `0` to `lxc_count-1`)
| Property | Formula | Example (`vmid_base=5050`, `i=2`) |
|----------|---------|----------------------------------|
| **VMID** | `vmid_base + i` | `5052` |
| **IPv4** | `subnet_prefix.${first2(vmid)}.${last2(vmid)}/18` | `192.168.50.52/18` |
| **Hostname** | `${name_prefix}-${vmid}` | `lxc-5052` |
| **Cores** | Fixed | `2` |
| **RAM** | Fixed | `2048` MB |
| **Disk** | Fixed | `8` GB |
**IP Derivation Detail:**
```
vmid = 5052
first2(vmid) = 50 (digits 3-4)
last2(vmid) = 52 (digits 5-6)
IPv4 = 192.168.50.52/18
```
This keeps VMID and IPv4 tightly coupled — **VMID is the single source of truth** for IP assignment. All IPs fall within the fleet `/18` subnet (`192.168.0.0/18`).
### 2.3 Example Runs
```bash
# Create 4 LXCs: lxc-5050 → lxc-5053
# IPs: 192.168.50.50 → 192.168.50.53
TF_VAR_vmid_base=5050 TF_VAR_lxc_count=4 ./run.sh apply -auto-approve
# Create 2 LXCs starting at 5100
# IPs: 192.168.51.00, 192.168.51.01
TF_VAR_vmid_base=5100 TF_VAR_lxc_count=2 ./run.sh apply -auto-approve
# Create 7 LXCs at vmid_base=931 (validated POC run)
TF_VAR_vmid_base=931 TF_VAR_lxc_count=7 ./run.sh apply -auto-approve
```
## 2. Architecture
### 2.1 Docker Image
**Base:** `hashicorp/terraform:latest` with `bpg/proxmox` provider downloaded at container init
**Provider:** `bpg/proxmox` v0.70.0
**Pattern:** Lazy automator — local workspace mounted into container, credentials via `terraform.auto.tfvars`
```dockerfile
FROM hashicorp/terraform:latest
WORKDIR /workspace
COPY run.sh /usr/local/bin/run
RUN chmod +x /usr/local/bin/run
ENTRYPOINT ["bash"]
```
### 2.2 Credential Model
Native Terraform variable loading via `terraform.auto.tfvars` (no Docker env-file mapping):
```hcl
# terraform/terraform.auto.tfvars
pm_api_url = "https://192.168.7.33:8006/api2/json"
pm_api_token_id = "root@pam!terraform"
pm_api_token_secret = "<secret>"
```
PVE API token created on MK33: `root@pam!terraform`. Token stored in fleet credential store.
### 2.3 Runtime Parameterization (Phase 2)
| Parameter | Example | Effect |
|-----------|---------|--------|
| `count` | `4` | Number of LXCs to create |
| `vmid_base` | `5050` | Starting VMID |
Auto-derived per LXC (index `i` from 0 to `count-1`):
- **VMID:** `vmid_base + i`
- **Name:** `lxc-${vmid}`
- **IPv4:** `192.168.${first2digits(vmid)}.${last2digits(vmid)}/18`
### 2.4 LXC Configuration (Validated)
- **OS:** Debian 12 (`debian-12-standard_12.2-1_amd64.tar.zst`)
- **CPU:** 1 vCPU
- **RAM:** 2048 MB
- **Storage:** 8GB rootfs on `local` directory (test phase)
- **Network:** Static IPv4, gateway `192.168.18.1`, subnet `/18`
- **DNS:** `192.168.7.7`, `192.168.18.1`, `1.1.1.1`
- **Privilege:** Unprivileged (`unprivileged = true`)
- **Features:** Nesting enabled (`features { nesting = true }`)
### 2.5 User / SSH (Tested)
```hcl
initialization {
user_account {
username = "jarvis"
password = "<fleet_linux_pass>" # Required for console login verification
keys = [file("artemis_key.pub")]
}
}
```
## 3. Phase Breakdown
### Phase 1 — Single LXC (Plan/Build/Destroy) ✅ COMPLETE
**Completed:** 2026-06-04 on MK33 (pve-swarm, cluster node 33)
**Results:**
- `Dockerfile` — simplified to official `hashicorp/terraform:latest` image
- `docker-compose.yml` — workspace mount, no env-file credential mapping
- `run.sh` — wrapper for `terraform plan/apply/destroy`
- `terraform/providers.tf``bpg/proxmox` v0.70.0
- `terraform/main.tf` — single LXC resource (VMID 5050)
- `terraform/terraform.auto.tfvars` — native Terraform credential loading
**Validated:**
```bash
./run.sh plan # ✅ Validated
./run.sh apply # ✅ Created lxc-5050 (debian-12, 192.168.50.50/18)
./run.sh destroy # ✅ Clean teardown
```
**Key fixes discovered during testing:**
- Storage pool: `local-lvm` missing → used `local` (Directory)
- Template path: `nas-ct-stor:vztmpl/` (NFS shared templates)
- Unprivileged required: `unprivileged = true` + `features { nesting = true }`
- Password injection: `user_account.password` required for console login verification
### Phase 2 — Modular + Bulk Creation ✅ VALIDATED
**Completed:** 2026-06-05 on MK33 (pve-swarm)
**Results:**
- `modules/lxc/` — reusable LXC module with `proxmox_virtual_environment_container` resource
- `main.tf``for_each` over module with `lxc_count` parameterization
- `run.sh` — forwards `TF_VAR_*` environment variables into Docker container
**Validated at multiple scales:**
| Test | Command | Result |
|------|---------|--------|
| 4 LXCs at vmid_base=3550 | `TF_VAR_lxc_count=4 TF_VAR_vmid_base=3550 ./run.sh apply` | ✅ All created; 1 transient 500 error on start (PVE task queue race), container existed and operational despite error |
| 7 LXCs at vmid_base=931 | `TF_VAR_lxc_count=7 TF_VAR_vmid_base=931 ./run.sh apply` | ✅ All 7 created successfully, no errors, ~1416s per container |
| 7 LXCs destroy | `./run.sh destroy -auto-approve` | ✅ All 7 destroyed cleanly in ~8s each |
**Key runtime behavior discovered:**
- `terraform.auto.tfvars` outranks `TF_VAR_*` environment variables — dynamic variables must **not** be set in `.tfvars`
- `-auto-approve` required on Dockerized terraform (no interactive TTY for confirmation)
- Parallel creation (default) works at N=7; transient race condition observed at N=4 (PVE task queue, not terraform logic)
- All containers receive SSH key + password via `initialization.user_account` block
## 4. File Structure
```
~/docker/terraform-pve/
├── Dockerfile
├── docker-compose.yml
├── run.sh
├── terraform/
│ ├── .terraform/
│ ├── main.tf
│ ├── providers.tf
│ ├── terraform.auto.tfvars # Credentials (not committed)
│ ├── terraform.tfstate
│ ├── variables.tf
│ └── artemis_key.pub
```
## 5. Resolved Decisions
| Decision | Chosen | Notes |
|----------|--------|-------|
| Debian template | **12** | `debian-12-standard_12.2-1_amd64.tar.zst` on `nas-ct-stor` |
| Gateway | **192.168.18.1** | Router IP for 192.168.0.0/18 subnet |
| DNS | **192.168.7.7, 192.168.18.1, 1.1.1.1** | Technitium primary + fallback |
| SSH key | **artemis_key.pub** | Already registered fleet-wide |
| Storage (Phase 1) | **local** | `local-lvm` missing on nodes; migrate to `truenas-nfs` in Phase 2 |
| Privilege | **Unprivileged** | `unprivileged = true` with `nesting = true` for systemd 252 |
| Credential loading | **terraform.auto.tfvars** | Native Terraform pattern; no Docker env-file complexity |
## 6. Fleet Notes
- PVE API token: `root@pam!terraform` (Secret: fleet credential store)
- PVE root password: `proxmox12` (fleet credential store)
- Cluster: `pve-swarm` (MK33, MK34, MK39)
- Template storage: `nas-ct-stor` (NFS from TrueNAS)
- Disk storage (test): `local`
- **Code location:** `~/docker/terraform-pve/` — local only, not in any Gitea repo

153
PRDs/terraform-lxc-deployment.md Normal file
View File

@@ -0,0 +1,153 @@
# Terraform LXC Deployment for Iron Legion — PRD
**Status:** Deployed | **Author:** Artemis | **Date:** 2026-06-04
> **Phase 1 validation:** Single LXC plan/build/destroy completed successfully on MK33 (pve-swarm). All open questions resolved. Phase 2 (batch) in separate PRD.
## 1. Objective
Deploy Proxmox LXC containers via Terraform using the `bpg/proxmox` provider, running inside a custom Docker container (lazy automator pattern). Support runtime parameterization for bulk LXC creation with auto-incrementing VMID, IPv4, and naming.
## 2. Architecture
### 2.1 Docker Image
**Base:** `hashicorp/terraform:latest` with `bpg/proxmox` provider downloaded at container init
**Provider:** `bpg/proxmox` v0.70.0
**Pattern:** Lazy automator — local workspace mounted into container, credentials via `terraform.auto.tfvars`
```dockerfile
FROM hashicorp/terraform:latest
WORKDIR /workspace
COPY run.sh /usr/local/bin/run
RUN chmod +x /usr/local/bin/run
ENTRYPOINT ["bash"]
```
### 2.2 Credential Model
Native Terraform variable loading via `terraform.auto.tfvars` (no Docker env-file mapping):
```hcl
# terraform/terraform.auto.tfvars
pm_api_url = "https://192.168.7.33:8006/api2/json"
pm_api_token_id = "root@pam!terraform"
pm_api_token_secret = "<secret>"
```
PVE API token created on MK33: `root@pam!terraform`. Token stored in fleet credential store.
### 2.3 Runtime Parameterization (Phase 2)
| Parameter | Example | Effect |
|-----------|---------|--------|
| `count` | `4` | Number of LXCs to create |
| `vmid_base` | `5050` | Starting VMID |
Auto-derived per LXC (index `i` from 0 to `count-1`):
- **VMID:** `vmid_base + i`
- **Name:** `lxc-${vmid}`
- **IPv4:** `192.168.${first2digits(vmid)}.${last2digits(vmid)}/18`
### 2.4 LXC Configuration (Validated)
- **OS:** Debian 12 (`debian-12-standard_12.2-1_amd64.tar.zst`)
- **CPU:** 1 vCPU
- **RAM:** 2048 MB
- **Storage:** 8GB rootfs on `local` directory (test phase)
- **Network:** Static IPv4, gateway `192.168.18.1`, subnet `/18`
- **DNS:** `192.168.7.7`, `192.168.18.1`, `1.1.1.1`
- **Privilege:** Unprivileged (`unprivileged = true`)
- **Features:** Nesting enabled (`features { nesting = true }`)
### 2.5 User / SSH (Tested)
```hcl
initialization {
user_account {
username = "jarvis"
password = "<fleet_linux_pass>" # Required for console login verification
keys = [file("artemis_key.pub")]
}
}
```
## 3. Phase Breakdown
### Phase 1 — Single LXC (Plan/Build/Destroy) ✅ COMPLETE
**Completed:** 2026-06-04 on MK33 (pve-swarm, cluster node 33)
**Results:**
- `Dockerfile` — simplified to official `hashicorp/terraform:latest` image
- `docker-compose.yml` — workspace mount, no env-file credential mapping
- `run.sh` — wrapper for `terraform plan/apply/destroy`
- `terraform/providers.tf``bpg/proxmox` v0.70.0
- `terraform/main.tf` — single LXC resource (VMID 5050)
- `terraform/terraform.auto.tfvars` — native Terraform credential loading
**Validated:**
```bash
./run.sh plan # ✅ Validated
./run.sh apply # ✅ Created lxc-5050 (debian-12, 192.168.50.50/18)
./run.sh destroy # ✅ Clean teardown
```
**Key fixes discovered during testing:**
- Storage pool: `local-lvm` missing → used `local` (Directory)
- Template path: `nas-ct-stor:vztmpl/` (NFS shared templates)
- Unprivileged required: `unprivileged = true` + `features { nesting = true }`
- Password injection: `user_account.password` required for console login verification
### Phase 2 — Modular + Bulk Creation
**Goal:** Add `count`, `vmid_base`, and auto-derived naming/IP.
**Deliverables:**
- `modules/lxc/` — reusable LXC module
- `locals.tf` — VMID/IP/name calculation logic
- `main.tf` — uses module with `count = var.lxc_count`
**Example execution:**
```bash
TF_VAR_lxc_count=4 TF_VAR_vmid_base=5050 ./run.sh apply
# Creates: lxc-5050, lxc-5051, lxc-5052, lxc-5053
```
## 4. File Structure
```
~/docker/terraform-pve/
├── Dockerfile
├── docker-compose.yml
├── run.sh
├── terraform/
│ ├── .terraform/
│ ├── main.tf
│ ├── providers.tf
│ ├── terraform.auto.tfvars # Credentials (not committed)
│ ├── terraform.tfstate
│ ├── variables.tf
│ └── artemis_key.pub
```
## 5. Resolved Decisions
| Decision | Chosen | Notes |
|----------|--------|-------|
| Debian template | **12** | `debian-12-standard_12.2-1_amd64.tar.zst` on `nas-ct-stor` |
| Gateway | **192.168.18.1** | Router IP for 192.168.0.0/18 subnet |
| DNS | **192.168.7.7, 192.168.18.1, 1.1.1.1** | Technitium primary + fallback |
| SSH key | **artemis_key.pub** | Already registered fleet-wide |
| Storage (Phase 1) | **local** | `local-lvm` missing on nodes; migrate to `truenas-nfs` in Phase 2 |
| Privilege | **Unprivileged** | `unprivileged = true` with `nesting = true` for systemd 252 |
| Credential loading | **terraform.auto.tfvars** | Native Terraform pattern; no Docker env-file complexity |
## 6. Fleet Notes
- PVE API token: `root@pam!terraform` (Secret: fleet credential store)
- PVE root password: `proxmox12` (fleet credential store)
- Cluster: `pve-swarm` (MK33, MK34, MK39)
- Template storage: `nas-ct-stor` (NFS from TrueNAS)
- Disk storage (test): `local`
- **Code location:** `~/docker/terraform-pve/` — local only, not in any Gitea repo

16
audits/2026-06-02-truenas-hardening-changelog.jsonl Normal file
View File

@@ -0,0 +1,16 @@
{"timestamp": "2026-06-02T13:23:15.746711+00:00", "dataset": "ISOs", "action": "nfs_restrict", "before": {"id": 3, "path": "/mnt/Ice/ISOs", "aliases": [], "comment": "", "networks": [], "hosts": [], "ro": false, "maproot_user": null, "maproot_group": null, "mapall_user": null, "mapall_group": null, "security": [], "enabled": true, "locked": false, "expose_snapshots": false}, "after": {"id": 3, "path": "/mnt/Ice/ISOs", "aliases": [], "comment": "", "networks": ["192.168.0.0/18"], "hosts": [], "ro": false, "maproot_user": "nobody", "maproot_group": "nogroup", "mapall_user": null, "mapall_group": null, "security": [], "enabled": true, "locked": false, "expose_snapshots": false}}
{"timestamp": "2026-06-02T13:23:17.898501+00:00", "dataset": "ISOs", "action": "smb_readonly", "before": {"id": 3, "purpose": "DEFAULT_SHARE", "name": "ISOs", "path": "/mnt/Ice/ISOs", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": false, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}, "after": {"id": 3, "purpose": "DEFAULT_SHARE", "name": "ISOs", "path": "/mnt/Ice/ISOs", "enabled": true, "comment": "", "readonly": true, "browsable": true, "access_based_share_enumeration": false, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}}
{"timestamp": "2026-06-02T13:23:18.873819+00:00", "dataset": "ISOs", "action": "acl_remove_everyone", "before": {"path": "/mnt/Ice/ISOs", "user": null, "group": null, "uid": 0, "gid": 0, "acltype": "NFS4", "acl": [{"tag": "owner@", "type": "ALLOW", "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}, {"tag": "group@", "type": "ALLOW", "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}, {"tag": "everyone@", "type": "ALLOW", "perms": {"BASIC": "READ"}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}, {"tag": "USER", "type": "ALLOW", "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "INHERIT"}, "id": 3001, "who": null}, {"tag": "USER", "type": "ALLOW", "perms": {"BASIC": "TRAVERSE"}, "flags": {"BASIC": "INHERIT"}, "id": 986, "who": null}], "aclflags": {"autoinherit": false, "protected": false, "defaulted": false}, "trivial": false}, "after": 46730}
{"timestamp": "2026-06-02T13:23:39.838810+00:00", "dataset": "Archive", "action": "nfs_restrict", "before": {"id": 1, "path": "/mnt/Ice/Archive", "aliases": [], "comment": "", "networks": [], "hosts": [], "ro": false, "maproot_user": null, "maproot_group": null, "mapall_user": null, "mapall_group": null, "security": [], "enabled": true, "locked": false, "expose_snapshots": false}, "after": {"id": 1, "path": "/mnt/Ice/Archive", "aliases": [], "comment": "", "networks": ["192.168.0.0/18"], "hosts": [], "ro": false, "maproot_user": "nobody", "maproot_group": "nogroup", "mapall_user": null, "mapall_group": null, "security": [], "enabled": true, "locked": false, "expose_snapshots": false}}
{"timestamp": "2026-06-02T13:23:41.521837+00:00", "dataset": "Archive", "action": "smb_access_based_enumeration", "before": {"id": 1, "purpose": "DEFAULT_SHARE", "name": "Archive", "path": "/mnt/Ice/Archive", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": false, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}, "after": {"id": 1, "purpose": "DEFAULT_SHARE", "name": "Archive", "path": "/mnt/Ice/Archive", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": true, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}}
{"timestamp": "2026-06-02T13:23:42.623695+00:00", "dataset": "Archive", "action": "acl_remove_everyone", "before": {"path": "/mnt/Ice/Archive", "user": null, "group": null, "uid": 0, "gid": 568, "acltype": "NFS4", "acl": [{"tag": "owner@", "type": "ALLOW", "perms": {"READ_DATA": true, "WRITE_DATA": true, "APPEND_DATA": true, "READ_NAMED_ATTRS": true, "WRITE_NAMED_ATTRS": true, "EXECUTE": true, "DELETE": false, "DELETE_CHILD": true, "READ_ATTRIBUTES": true, "WRITE_ATTRIBUTES": true, "READ_ACL": true, "WRITE_ACL": true, "WRITE_OWNER": true, "SYNCHRONIZE": true}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}, {"tag": "group@", "type": "ALLOW", "perms": {"READ_DATA": true, "WRITE_DATA": true, "APPEND_DATA": true, "READ_NAMED_ATTRS": true, "WRITE_NAMED_ATTRS": false, "EXECUTE": true, "DELETE": false, "DELETE_CHILD": true, "READ_ATTRIBUTES": true, "WRITE_ATTRIBUTES": false, "READ_ACL": true, "WRITE_ACL": false, "WRITE_OWNER": false, "SYNCHRONIZE": true}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}, {"tag": "everyone@", "type": "ALLOW", "perms": {"READ_DATA": false, "WRITE_DATA": false, "APPEND_DATA": false, "READ_NAMED_ATTRS": true, "WRITE_NAMED_ATTRS": false, "EXECUTE": false, "DELETE": false, "DELETE_CHILD": false, "READ_ATTRIBUTES": true, "WRITE_ATTRIBUTES": false, "READ_ACL": true, "WRITE_ACL": false, "WRITE_OWNER": false, "SYNCHRONIZE": true}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}], "aclflags": {"autoinherit": false, "protected": false, "defaulted": false}, "trivial": true}, "after": 46743}
{"timestamp": "2026-06-02T13:24:18.519424+00:00", "dataset": "lab-dash", "action": "smb_access_based_enumeration", "before": {"id": 5, "purpose": "DEFAULT_SHARE", "name": "lab-dash", "path": "/mnt/FastPool/dockge/configs/lab-dash", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": false, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}, "after": {"id": 5, "purpose": "DEFAULT_SHARE", "name": "lab-dash", "path": "/mnt/FastPool/dockge/configs/lab-dash", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": true, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}}
{"timestamp": "2026-06-02T13:24:19.543463+00:00", "dataset": "lab-dash", "action": "acl_remove_everyone", "before": {"path": "/mnt/FastPool/dockge/configs/lab-dash", "user": null, "group": null, "uid": 0, "gid": 0, "acltype": "NFS4", "acl": [{"tag": "owner@", "type": "ALLOW", "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "INHERIT"}, "id": -1, "who": null}, {"tag": "group@", "type": "ALLOW", "perms": {"BASIC": "MODIFY"}, "flags": {"BASIC": "INHERIT"}, "id": -1, "who": null}, {"tag": "GROUP", "type": "ALLOW", "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "INHERIT"}, "id": 545, "who": null}, {"tag": "GROUP", "type": "ALLOW", "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "INHERIT"}, "id": 544, "who": null}], "aclflags": {"autoinherit": false, "protected": false, "defaulted": false}, "trivial": false}, "after": 46748}
{"timestamp": "2026-06-02T13:24:21.339419+00:00", "dataset": "arr-zimaos", "action": "smb_access_based_enumeration", "before": {"id": 8, "purpose": "MULTIPROTOCOL_SHARE", "name": "arr-zimaos", "path": "/mnt/Ice/Backup/Arr-ZimaOS", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": false, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}, "after": {"id": 8, "purpose": "MULTIPROTOCOL_SHARE", "name": "arr-zimaos", "path": "/mnt/Ice/Backup/Arr-ZimaOS", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": true, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}}
{"timestamp": "2026-06-02T13:24:22.410784+00:00", "dataset": "arr-zimaos", "action": "acl_remove_everyone", "before": {"path": "/mnt/Ice/Backup/Arr-ZimaOS", "user": null, "group": null, "uid": 0, "gid": 0, "acltype": "NFS4", "acl": [{"tag": "owner@", "type": "ALLOW", "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "INHERIT"}, "id": -1, "who": null}, {"tag": "group@", "type": "ALLOW", "perms": {"BASIC": "MODIFY"}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}, {"tag": "everyone@", "type": "ALLOW", "perms": {"BASIC": "TRAVERSE"}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}, {"tag": "USER", "type": "ALLOW", "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "INHERIT"}, "id": 3001, "who": null}], "aclflags": {"autoinherit": false, "protected": false, "defaulted": false}, "trivial": false}, "after": 46753}
{"timestamp": "2026-06-02T13:25:33.784352+00:00", "dataset": "hermes_agent", "action": "smb_access_based_enumeration", "before": {"id": 9, "purpose": "MULTIPROTOCOL_SHARE", "name": "hermes_agent", "path": "/mnt/FastPool/dockge/configs/hermes_agent", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": false, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}, "after": {"id": 9, "purpose": "MULTIPROTOCOL_SHARE", "name": "hermes_agent", "path": "/mnt/FastPool/dockge/configs/hermes_agent", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": true, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}}
{"timestamp": "2026-06-02T13:25:34.296749+00:00", "dataset": "hermes_agent", "action": "acl_already_minimal", "before": {"path": "/mnt/FastPool/dockge/configs/hermes_agent", "user": null, "group": null, "uid": 0, "gid": 568, "acltype": "POSIX1E", "acl": [{"tag": "USER_OBJ", "perms": {"READ": true, "WRITE": true, "EXECUTE": true}, "default": false, "id": -1, "who": null}, {"tag": "GROUP_OBJ", "perms": {"READ": true, "WRITE": true, "EXECUTE": true}, "default": false, "id": -1, "who": null}, {"tag": "OTHER", "perms": {"READ": true, "WRITE": true, "EXECUTE": true}, "default": false, "id": -1, "who": null}], "trivial": true}, "after": {"path": "/mnt/FastPool/dockge/configs/hermes_agent", "user": null, "group": null, "uid": 0, "gid": 568, "acltype": "POSIX1E", "acl": [{"tag": "USER_OBJ", "perms": {"READ": true, "WRITE": true, "EXECUTE": true}, "default": false, "id": -1, "who": null}, {"tag": "GROUP_OBJ", "perms": {"READ": true, "WRITE": true, "EXECUTE": true}, "default": false, "id": -1, "who": null}, {"tag": "OTHER", "perms": {"READ": true, "WRITE": true, "EXECUTE": true}, "default": false, "id": -1, "who": null}], "trivial": true}}
{"timestamp": "2026-06-02T13:26:12.388923+00:00", "dataset": "Repo", "action": "nfs_restrict", "before": {"id": 6, "path": "/mnt/Ice/Repo", "aliases": [], "comment": "", "networks": [], "hosts": [], "ro": false, "maproot_user": null, "maproot_group": null, "mapall_user": null, "mapall_group": null, "security": [], "enabled": true, "locked": false, "expose_snapshots": false}, "after": {"id": 6, "path": "/mnt/Ice/Repo", "aliases": [], "comment": "", "networks": ["192.168.0.0/18"], "hosts": [], "ro": false, "maproot_user": "nobody", "maproot_group": "nogroup", "mapall_user": null, "mapall_group": null, "security": [], "enabled": true, "locked": false, "expose_snapshots": false}}
{"timestamp": "2026-06-02T13:26:13.721341+00:00", "dataset": "Repo", "action": "smb_access_based_enumeration", "before": {"id": 7, "purpose": "DEFAULT_SHARE", "name": "Repo", "path": "/mnt/Ice/Repo", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": false, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}, "after": {"id": 7, "purpose": "DEFAULT_SHARE", "name": "Repo", "path": "/mnt/Ice/Repo", "enabled": true, "comment": "", "readonly": false, "browsable": true, "access_based_share_enumeration": true, "locked": false, "audit": {"enable": false, "watch_list": [], "ignore_list": []}, "options": {"aapl_name_mangling": false, "hostsallow": [], "hostsdeny": []}}}
{"timestamp": "2026-06-02T13:26:14.846935+00:00", "dataset": "Repo", "action": "acl_remove_everyone", "before": {"path": "/mnt/Ice/Repo", "user": null, "group": null, "uid": 0, "gid": 568, "acltype": "NFS4", "acl": [{"tag": "owner@", "type": "ALLOW", "perms": {"READ_DATA": true, "WRITE_DATA": true, "APPEND_DATA": true, "READ_NAMED_ATTRS": true, "WRITE_NAMED_ATTRS": true, "EXECUTE": true, "DELETE": false, "DELETE_CHILD": true, "READ_ATTRIBUTES": true, "WRITE_ATTRIBUTES": true, "READ_ACL": true, "WRITE_ACL": true, "WRITE_OWNER": true, "SYNCHRONIZE": true}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}, {"tag": "group@", "type": "ALLOW", "perms": {"READ_DATA": true, "WRITE_DATA": true, "APPEND_DATA": true, "READ_NAMED_ATTRS": true, "WRITE_NAMED_ATTRS": false, "EXECUTE": true, "DELETE": false, "DELETE_CHILD": true, "READ_ATTRIBUTES": true, "WRITE_ATTRIBUTES": false, "READ_ACL": true, "WRITE_ACL": false, "WRITE_OWNER": false, "SYNCHRONIZE": true}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}, {"tag": "everyone@", "type": "ALLOW", "perms": {"READ_DATA": true, "WRITE_DATA": true, "APPEND_DATA": true, "READ_NAMED_ATTRS": true, "WRITE_NAMED_ATTRS": false, "EXECUTE": true, "DELETE": false, "DELETE_CHILD": true, "READ_ATTRIBUTES": true, "WRITE_ATTRIBUTES": false, "READ_ACL": true, "WRITE_ACL": false, "WRITE_OWNER": false, "SYNCHRONIZE": true}, "flags": {"BASIC": "NOINHERIT"}, "id": -1, "who": null}], "aclflags": {"autoinherit": false, "protected": false, "defaulted": false}, "trivial": true}, "after": 46772}
{"timestamp": "2026-06-02T13:27:11.126868+00:00", "dataset": "Backup", "action": "nfs_restrict", "before": {"id": 2, "path": "/mnt/Ice/Backup", "aliases": [], "comment": "", "networks": [], "hosts": [], "ro": false, "maproot_user": null, "maproot_group": null, "mapall_user": null, "mapall_group": null, "security": [], "enabled": true, "locked": false, "expose_snapshots": false}, "after": {"id": 2, "path": "/mnt/Ice/Backup", "aliases": [], "comment": "", "networks": ["192.168.0.0/18"], "hosts": [], "ro": false, "maproot_user": "nobody", "maproot_group": "nogroup", "mapall_user": null, "mapall_group": null, "security": [], "enabled": true, "locked": false, "expose_snapshots": false}}

66
audits/2026-06-02-truenas-hardening-chart.md Normal file
View File

@@ -0,0 +1,66 @@
# TrueNAS Security Hardening Chart — 2026-06-02
**Dataset:** beelink-tns (192.168.16.254) | **Hardened by:** Hermes Agent (Iron Legion) | **Total Changes:** 16
---
## Execution Summary (Low-to-High Risk Order)
| Priority | Dataset | Risk Level | NFS Restricted | SMB Enum | SMB Read-Only | ACL Hardened | Status |
|----------|---------|-----------|----------------|----------|---------------|-------------|--------|
| 1 | **ISOs** | Very Low | ✅ | ✅ | ✅ | ✅ | Complete |
| 2 | **Archive** | Low | ✅ | ✅ | — | ✅ | Complete |
| 3 | **lab-dash** | Low-Medium | — | ✅ | — | ✅ | Complete |
| 4 | **arr-zimaos** | Low-Medium | — | ✅ | — | ✅ | Complete |
| 5 | **hermes_agent** | Medium | — | ✅ | — | N/A (POSIX) | Complete |
| 6 | **Repo** | Medium-High | ✅ | ✅ | — | ✅ | Complete |
| 7 | **Backup** | High | ✅ | ⚠️ Blocked (API limit) | — | ✅ | Partial |
## Changes Applied
| Dataset | Action | Before | After |
|---------|--------|--------|-------|
| ISOs | NFS restrict | Open to ALL networks | `192.168.0.0/18` only |
| ISOs | NFS root squash | `null` (root = server root) | `nobody:nogroup` |
| ISOs | SMB read-only | `readonly=False` | `readonly=True` |
| ISOs | ACL clean | `everyone@` had READ access | Removed |
| Archive | NFS restrict | Open to ALL | `192.168.0.0/18` only |
| Archive | NFS root squash | `null` | `nobody:nogroup` |
| Archive | SMB access enum | `access_enum=False` | `access_enum=True` |
| Archive | ACL clean | `everyone@` present (denied) | `setperm 0770` applied |
| lab-dash | SMB access enum | `access_enum=False` | `access_enum=True` |
| lab-dash | ACL clean | No `everyone@` — unchanged | Verified OK |
| arr-zimaos | SMB access enum | `access_enum=False` | `access_enum=True` |
| arr-zimaos | ACL clean | `everyone@` had TRAVERSE | Removed |
| hermes_agent | SMB access enum | `access_enum=False` | `access_enum=True` |
| hermes_agent | ACL | POSIX1E `777` | Unchanged (Dockge config) |
| Repo | NFS restrict | Open to ALL | `192.168.0.0/18` only |
| Repo | NFS root squash | `null` | `nobody:nogroup` |
| Repo | SMB access enum | `access_enum=False` | `access_enum=True` |
| Repo | ACL clean | `everyone@` had **full RWX** | Removed |
| Backup | NFS restrict | Open to ALL | `192.168.0.0/18` only |
| Backup | NFS root squash | `null` | `nobody:nogroup` |
| Backup | SMB access enum | `access_enum=False` | **HTTP 422 — blocked** |
| Backup | ACL clean | `everyone@` had **full RWX** | `setperm 0770` applied |
## Known Limitations
1. **Backup SMB Access Enumeration** (HTTP 422): Blocked by TrueNAS API due to child dataset `proxmox-pool` at `/mnt/Ice/Backup/proxmox-pool` having a POSIX/NFSv4 ACL type mismatch. This is a platform limitation requiring manual UI intervention to align ACL types before API modification succeeds.
2. **hermes_agent ACL**: Uses POSIX1E (traditional Unix) ACLs. The `OTHER@` entry grants full RWX, but this is a Dockge config directory owned by `apps:apps` with POSIX `0775` — functionally limited by UID/GID mapping in the container context.
3. **Proxmox NFS shares (IDs 7-9)**: Already network-restricted to `192.168.0.0/18`. Root squash was **not** enabled because these are Proxmox storage backends (`ds-mp-share`, `pve-ct-stor`, `pve-vm-stor`) that require root-equivalent access for VM/CT disk image operations.
## Recommendations for Future Hardening
1. **Resolve Backup SMB ACL mismatch** via TrueNAS UI: Check child dataset `Ice/Backup/proxmox-pool` ACL type. Align parent and child to the same ACL type, then retry `access_based_share_enumeration=True`.
2. **POSIX → NFSv4 migration** on `hermes_agent` if tighter control is desired. Current POSIX `0775` is acceptable for a single-user apps directory.
3. **Proxmox root squash evaluation**: Test whether Proxmox storage backends can operate with `maproot_user=nobody`. If not, document the permanent exception.
4. **Periodic re-audit**: Re-run hardening script quarterly or immediately after any new shares are added.
---
*Generated: 2026-06-02 | Changelog: `/tmp/truenas_hardening_changelog.jsonl` on Hermes portable host*

84
audits/2026-06-02-truenas-pveuser-proxmox-integration.md Normal file
View File

@@ -0,0 +1,84 @@
# TrueNAS pveuser + Proxmox Storage Integration Chart — 2026-06-02
**TrueNAS:** beelink-tns (192.168.16.254) | **Proxmox:** mk33 (192.168.7.33)
---
## TrueNAS Changes: New User `pveuser`
| Property | Value |
|----------|-------|
| **Username** | `pveuser` |
| **UID** | 3003 |
| **GID** | 3003 |
| **Home** | `/var/empty` |
| **Shell** | `/usr/sbin/nologin` |
| **SMB** | Disabled |
| **Password** | Disabled (SSH key only) |
| **Groups** | `src` (GID 40) |
| **Role** | FULL_ADMIN (TrueNAS API role) |
## TrueNAS Changes: NFS ACL Permissions
| Dataset | Path | pveuser | Other Users | TrueNAS Permission |
|---------|------|---------|-------------|-------------------|
| **Backup** | `/mnt/Ice/Backup` | FULL_CONTROL | owner@, group@ | rw |
| **ISOs** | `/mnt/Ice/ISOs` | READ | owner@, group@ | r |
| **Repo** | `/mnt/Ice/Repo` | FULL_CONTROL | owner@, group@ | rw |
| Archive | `/mnt/Ice/Archive` | — | owner@, group@ | (not mapped) |
> **Important:** `ISOs/template` and `ISOs/template/iso` also received `everyone@ TRAVERSE` so the TrueNAS API user (`jarvis`) can manage child directories during ACL operations. This is a metadata-only change and does not affect file access.
## TrueNAS Changes: NFS Maproot (All Shares)
| Share ID | Path | Previous Maproot | New Maproot |
|----------|------|-----------------|---------|
| 1 | `/mnt/Ice/Archive` | `nobody` | `pveuser` |
| 2 | `/mnt/Ice/Backup` | `nobody` | `pveuser` |
| 3 | `/mnt/Ice/ISOs` | `nobody` | `pveuser` |
| 6 | `/mnt/Ice/Repo` | `nobody` | `pveuser` |
| 7 | `/mnt/Ice/Backup/proxmox-pool/ds-mp-share` | (empty) | `pveuser` |
| 8 | `/mnt/Ice/Backup/proxmox-pool/pve-ct-stor` | (empty) | `pveuser` |
| 9 | `/mnt/Ice/Backup/proxmox-pool/pve-vm-stor` | (empty) | `pveuser` |
> **Note:** Maproot remaps ALL incoming NFS root (UID 0) requests to `pveuser` (UID 3003) on TrueNAS. Any root client (e.g., Proxmox mk33) accessing these shares will appear as `pveuser` on the TrueNAS filesystem, enforcing the ACL permissions above.
## Proxmox Storage Configuration (mk33)
| Storage ID | Type | Server | Export | Content | Options | Status |
|------------|------|--------|--------|---------|---------|--------|
| `nas-backup` | NFS | 192.168.16.254 | `/mnt/Ice/Backup` | backup, images, rootdir, snippets, vztmpl | vers=4.2,proto=tcp | ✅ active |
| `nas-iso` | NFS | 192.168.16.254 | `/mnt/Ice/ISOs` | iso | vers=4.2,proto=tcp | ✅ active (read-only by design, ACL enforced) |
| `nas-repo` | NFS | 192.168.16.254 | `/mnt/Ice/Repo` | snippets | vers=4.2,proto=tcp | ✅ active |
| `nas-ds-mp-share` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/ds-mp-share` | images, rootdir | vers=4.2,proto=tcp | ✅ active |
| `nas-ct-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-ct-stor` | rootdir | vers=4.2,proto=tcp | ✅ active |
| `nas-vm-stor` | NFS | 192.168.16.254 | `/mnt/Ice/Backup/proxmox-pool/pve-vm-stor` | images | vers=4.2,proto=tcp | ✅ active |
## PVE Access Verification
| Mount Point | Writable? | Expected? |
|-------------|-----------|-----------|
| `/mnt/pve/nas-backup` | ✅ Yes | Yes (FULL_CONTROL) |
| `/mnt/pve/nas-iso` | ❌ Read-only | Yes (READ via ACL) |
| `/mnt/pve/nas-repo` | ✅ Yes | Yes (FULL_CONTROL) |
| `/mnt/pve/nas-vm-stor` | ✅ Yes | Yes (Proxmox pool) |
| `/mnt/pve/nas-ct-stor` | ✅ Yes | Yes (Proxmox pool) |
| `/mnt/pve/nas-ds-mp-share` | ✅ Yes | Yes (Proxmox pool) |
## Diagnostic Notes
- `nas-iso` is **active** and read-only by design. Proxmox `content iso` means it only needs to read existing ISO files — no write is expected. No local `pveuser` account exists on mk33; the user mapping is handled entirely by TrueNAS NFS `maproot_user`.
- `nas-repo` is **active** and writable. `pveuser` has `FULL_CONTROL` on `/mnt/Ice/Repo`.
- All NFS exports restricted to `192.168.0.0/18` (enforced during prior hardening).
- TrueNAS API v2.0 (`filesystem.setacl`) uses `dacl` field in SCALE 25.10.2 — earlier versions used `acl`. This was discovered during troubleshooting job 47396.
- `everyone@ TRAVERSE` was added to `ISOs/template` and `ISOs/template/iso` to allow the TrueNAS API user (`jarvis`) to manage child directories during ACL operations.
## Recommendations
1. **ISO uploads**: Since `nas-iso` is read-only from PVE's perspective, upload new ISOs directly to TrueNAS (SFTP/SCP to `/mnt/Ice/ISOs/template/iso/`) or via the TrueNAS web UI.
2. **Monitor mount health**: If TrueNAS reboots, PVE auto-reconnects on next storage access. For immediate recovery, run `pvesm status` or restart `pvedaemon`.
3. **Backup SMB access-based enum**: Still blocked by API due to child dataset `proxmox-pool` ACL type mismatch. If required, fix manually via TrueNAS UI.
---
*Generated: 2026-06-02 | Updated: 2026-06-02*

274
audits/2026-06-02-truenas-security-audit.md Normal file
View File

@@ -0,0 +1,274 @@
# TrueNAS Security Audit Report
**Server:** beelink-tns (192.168.16.254) | **Version:** TrueNAS Scale 25.10.2 | **Date:** 2026-06-02
**Auditor:** F.R.I.D.A.Y. | **Scope:** Read-only review — no changes made
---
## Executive Summary
| Area | Status | Notes |
|------|--------|-------|
| SMB Shares | ⚠️ Review Needed | 7 shares, Guest access disabled (good), but POSIX permissions on some shares are overly permissive |
| NFS Shares | ⚠️ Review Needed | 4 shares open to all networks, no root squash on any share |
| User Access | ✅ Controlled | Only 3 custom users have SMB access |
| Services | ✅ Healthy | CIFS, NFS, SSH running; FTP/iSCSI/SNMP disabled |
| Pools | ✅ Healthy | Both pools online |
---
## 1. System Overview
| Property | Value |
|----------|-------|
| Hostname | beelink-tns |
| Version | TrueNAS Scale 25.10.2 |
| Hardware | Intel N95, 4 cores, 11.5 GB RAM |
| Uptime | 15 days |
| Pools | 2 (FastPool 0.91 TB, Ice 3.62 TB) |
| Datasets | 55 total |
| VMs | 0 configured |
**Running Services:**
- `cifs` — RUNNING
- `nfs` — RUNNING
- `ssh` — RUNNING
**Disabled Services:**
- `ftp` — STOPPED
- `iscsitarget` — STOPPED
- `snmp` — STOPPED
- `ups` — STOPPED
- `nvmet` — STOPPED
---
## 2. SMB Shares (7 Total)
All SMB shares have **Guest OK = False** ✅ — no anonymous access.
| # | Share Name | Path | POSIX Mode | Owner | Group | ACL | Security Notes |
|---|------------|------|------------|-------|-------|-----|----------------|
| 1 | **Archive** | /mnt/Ice/Archive | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ |
| 2 | **Backup** | /mnt/Ice/Backup | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ |
| 3 | **ISOs** | /mnt/Ice/ISOs | 777 | `src` | `src` | Enabled | Bobby + libvirt-qemu have explicit entries |
| 4 | **lab-dash** | /mnt/FastPool/dockge/configs/lab-dash | 777 | `src` | `src` | Enabled | builtin_users + builtin_administrators groups |
| 5 | **Repo** | /mnt/Ice/Repo | 777 | `src` | `src` | Disabled | Everyone has RWX ⚠️ |
| 6 | **arr-zimaos** | /mnt/Ice/Backup/Arr-ZimaOS | 777 | `src` | `src` | Enabled | Bobby has explicit entry |
| 7 | **hermes_agent** | /mnt/FastPool/dockge/configs/hermes_agent | 751 | `apps` | `apps` | Disabled | Owner RWX, Group RX, Other X |
### POSIX Mode Interpretation
- **777** = Owner, Group, and Other all have Read, Write, Execute
- **751** = Owner has RWX, Group has RX, Other has Execute only
### SMB-Authorized Users
Only 3 custom users have SMB enabled:
| Username | UID | Home | SMB | Groups |
|----------|-----|------|-----|--------|
| `jumpbox` | 3000 | /var/empty | ✅ | GID 3000 (jumpbox) |
| `bobby` | 3001 | /var/empty | ✅ | GID 3001 (bobby) |
| `jarvis` | 1000 | /mnt/FastPool/home/jarvis | ✅ | GID 40 (src), GID 3002 (jarvis) |
**Key Finding:** All custom SMB users belong to the `src` group (GID 40). Since most shares are owned by `src:src` with mode 777, **all 3 SMB users have full read/write access to Archive, Backup, ISOs, lab-dash, Repo, and arr-zimaos.**
### SMB ACL Details
**Archive:**
- `owner@` — RWX
- `group@` — RWX
- `everyone@` — No access
- ACL disabled; POSIX 777 is effective permission
**Backup:**
- `owner@` — RWX
- `group@` — RWX
- `everyone@` — RWX ⚠️
- ACL disabled; POSIX 777 grants world access
**ISOs:**
- `owner@` — No access
- `group@` — No access
- `everyone@` — No access
- `USER:3001 (bobby)` — explicit entry
- `USER:986 (libvirt-qemu)` — explicit entry
- ACL enabled; effective access determined by ACL evaluation
**lab-dash:**
- `owner@` — No access
- `group@` — No access
- `GROUP:545 (builtin_users)` — explicit entry
- `GROUP:544 (builtin_administrators)` — explicit entry
- ACL enabled; effective access determined by ACL evaluation
**Repo:**
- `owner@` — RWX
- `group@` — RWX
- `everyone@` — RWX ⚠️
- ACL disabled; POSIX 777 grants world access
**arr-zimaos:**
- `owner@` — No access
- `group@` — No access
- `everyone@` — No access
- `USER:3001 (bobby)` — explicit entry
- ACL enabled; effective access determined by ACL evaluation
**hermes_agent:**
- `USER_OBJ` — X only
- `GROUP_OBJ` — X only
- `OTHER` — X only
- POSIX 751; ACL disabled
---
## 3. NFS Shares (7 Total)
| # | Path | Networks | Read-Only | Root Squash | Notes |
|---|------|----------|-----------|-------------|-------|
| 1 | /mnt/Ice/Archive | ALL | No | No ⚠️ | Open to all networks |
| 2 | /mnt/Ice/Backup | ALL | No | No ⚠️ | Open to all networks |
| 3 | /mnt/Ice/ISOs | ALL | No | No ⚠️ | Open to all networks |
| 4 | /mnt/Ice/Repo | ALL | No | No ⚠️ | Open to all networks |
| 5 | /mnt/Ice/Backup/proxmox-pool/ds-mp-share | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN |
| 6 | /mnt/Ice/Backup/proxmox-pool/pve-ct-stor | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN |
| 7 | /mnt/Ice/Backup/proxmox-pool/pve-vm-stor | 192.168.0.0/18 | No | No ⚠️ | Restricted to LAN |
### NFS Security Concerns
1. **4 shares open to all networks** (Archive, Backup, ISOs, Repo) — any host on any network can mount
2. **No root squash on any share** — root on client = root on server
3. **No read-only restrictions** — all shares allow writes
4. **No maproot/mapall user set** — NFS clients access with their native UIDs
### NFS Recommendations
- **Restrict networks:** Add `192.168.0.0/18` (or narrower) to Archive, Backup, ISOs, Repo
- **Enable root squash:** Set `Maproot User = root` or `Maproot User = nobody` on all shares
- **Consider read-only** for Archive and ISOs if they don't need writes
- **Add host restrictions** for sensitive shares (Backup, Repo)
---
## 4. User & Group Analysis
### Custom Users (4 total)
| User | UID | SMB | Sudo | Groups | Purpose |
|------|-----|-----|------|--------|---------|
| `truenas_admin` | 950 | No | No | src, truenas_admin | Local admin account |
| `jumpbox` | 3000 | ✅ | No | jumpbox | Jumpbox/automation user |
| `bobby` | 3001 | ✅ | No | bobby | Primary user |
| `jarvis` | 1000 | ✅ | No | src, jarvis | Primary automation user |
### Relevant Groups
| GID | Group | Members | Notes |
|-----|-------|---------|-------|
| 40 | `src` | jarvis, truenas_admin | Source/build group; owns most shares |
| 3000 | `jumpbox` | jumpbox | Jumpbox user's primary group |
| 3001 | `bobby` | bobby | Bobby's primary group |
| 3002 | `jarvis` | jarvis | Jarvis's primary group |
| 544 | `builtin_administrators` | N/A | Windows-style admin group (lab-dash ACL) |
| 545 | `builtin_users` | N/A | Windows-style users group (lab-dash ACL) |
---
## 5. Best Practices Assessment
### ✅ Positive Findings
1. **No guest SMB access** — all shares require authentication
2. **SSH enabled, password auth disabled** (implied by key-based fleet access)
3. **FTP/iSCSI/SNMP disabled** — reduces attack surface
4. **Both pools healthy** — no degradation or errors
5. **Custom users for different purposes** — separation of concerns (jumpbox vs bobby vs jarvis)
6. **ACL enabled on some shares** — ISOs, lab-dash, arr-zimaos use explicit ACLs
7. **Proxmox NFS shares restricted to LAN** — good network segmentation for VM/CT storage
### ⚠️ Areas for Improvement
1. **POSIX 777 on 5 SMB shares** — overly permissive; consider:
- `chmod 770` for shares that only need SMB group access
- `chmod 755` for read-only shares (Archive, ISOs, Repo)
2. **NFS shares 1-4 open to all networks** — high risk:
- Add `192.168.0.0/18` restriction to all shares
- Consider even narrower subnets per share purpose
3. **No root squash on NFS** — root clients have full server root access:
- Set `Maproot User = nobody` on all NFS shares
- This is standard security practice for NFS
4. **hermes_agent share** — POSIX 751 but owner is `apps:apps`:
- Verify `apps` user is expected to own this directory
- Consider if `jarvis` or `bobby` should also have access
5. **Backup share has 777 + everyone RWX** — anyone with SMB can modify backups:
- Restrict to `src` group only (`chmod 770`)
- Remove `other` write permissions
6. **Repo share has 777 + everyone RWX** — code repository is world-writable:
- Restrict to `src` group or narrower
- Consider read-only for most users
---
## 6. Recommendations (No Changes Made)
### Immediate Priority
| Priority | Action | Shares Affected |
|----------|--------|-----------------|
| 🔴 High | Restrict NFS networks to `192.168.0.0/18` | Archive, Backup, ISOs, Repo |
| 🔴 High | Enable root squash on all NFS shares | All 7 NFS shares |
| 🟡 Medium | Tighten POSIX permissions on SMB shares | Backup, Repo (777 → 770) |
| 🟡 Medium | Verify ACL effectiveness on ISOs/lab-dash/arr-zimaos | ISOs, lab-dash, arr-zimaos |
| 🟢 Low | Document share ownership model | All shares |
### Suggested POSIX Changes (Review Before Applying)
```bash
# Backup — restrict to src group only
chmod 770 /mnt/Ice/Backup
# Repo — restrict to src group only
chmod 770 /mnt/Ice/Repo
# Archive — read-only for group
chmod 750 /mnt/Ice/Archive
# ISOs — read-only for group
chmod 750 /mnt/Ice/ISOs
```
### Suggested NFS Changes (Review Before Applying)
```bash
# Add network restrictions to open shares
# In TrueNAS UI: Sharing → NFS → Edit each share
# Set Networks = 192.168.0.0/18
# Enable root squash
# Set Maproot User = nobody
```
---
## 7. Access Matrix
### Who Can Access What
| User | SMB | NFS (LAN) | Primary Shares |
|------|-----|-----------|----------------|
| `bobby` | ✅ Yes | ✅ Yes (all LAN) | All SMB shares (member of src group) |
| `jarvis` | ✅ Yes | ✅ Yes (all LAN) | All SMB shares (member of src group) |
| `jumpbox` | ✅ Yes | ✅ Yes (all LAN) | All SMB shares (member of src group) |
| `truenas_admin` | ❌ No | ✅ Yes (root) | Full server access (admin) |
| `root` (remote) | N/A | ✅ Root = Root ⚠️ | Full server access via NFS |
---
*End of Report — No changes were made to the TrueNAS configuration.*

161
fleet/admin-cheat-sheet.md
View File

@@ -1,7 +1,7 @@
# Iron Legion Fleet Admin Cheat Sheet # Iron Legion Fleet Admin Cheat Sheet
Generated: 2026-05-31 **Generated:** 2026-05-31
Maintainer: F.R.I.D.A.Y. (Hermes Agent) **Maintainer:** F.R.I.D.A.Y. (Hermes Agent)
--- ---
@@ -19,6 +19,16 @@ Maintainer: F.R.I.D.A.Y. (Hermes Agent)
| Homepage | https://home.ai.home | Service Portal | | Homepage | https://home.ai.home | Service Portal |
| Prometheus | https://prometheus.ai.home | Metrics DB | | Prometheus | https://prometheus.ai.home | Metrics DB |
| Authelia | https://auth.ai.home | SSO Portal | | Authelia | https://auth.ai.home | SSO Portal |
| Trilium (ZimaOS) | https://trilium.nb.mslnath.me | Personal Knowledge Base |
---
## Standalone Nodes (No Ansible)
|| Hostname | LAN IP | Domain | Role | Beszel | NetBird Domain |
||----------|--------|--------|------|--------|
| igor (MK-38) | 192.168.10.211 | — | ZimaOS NAS (Ugreen DXP4800, 30TB) | NetBird: mslnath.me | — |
| MK-46 (Homecoming) | 192.168.26.130 | trilium.nb.mslnath.me | ZimaOS, Trilium, ARR Media Stack | ✅ | mslnath.me |
--- ---
@@ -26,31 +36,34 @@ Maintainer: F.R.I.D.A.Y. (Hermes Agent)
### Swarm Manager ### Swarm Manager
- Hostname: mark-vii.ai.home - Hostname: mk7.ai.home
- Armor Code: MK-7 - Armor Code: MK-7
- LAN IP: 192.168.7.7 - LAN IP: 192.168.7.7
- Tailscale IP: 100.66.70.51 - Tailscale IP: 100.66.70.51
- Role: Swarm Manager, DNS, Traefik, Portainer, PegaProx - Role: Swarm Manager, Technitium DNS, Traefik, Portainer, PegaProx
- CPUs: 18 | RAM: 15 GB | Disk: 916 GB - CPUs: 18 | RAM: 15 GB | Disk: 916 GB
### Worker Nodes G9 (Proxmox VE) ### Worker Nodes G9 (Proxmox VE)
| Armor | Hostname | LAN IP | Tailscale IP | MAC | Status | | Armor | Name | Hostname | LAN IP | Tailscale IP | MAC | Status |
|-------|----------|--------|--------------|-----|--------| |-------|------|----------|--------|--------------|-----|--------|
| MK-33 | mk33.ai.home | 192.168.7.33 | TBD | E0-51-D8-1C-5D-56 | Online (PVE) | | MK-33 | Silver Centurion | mk33.ai.home | 192.168.7.33 | 100.125.155.41 | E0-51-D8-1C-5D-56 | Online (PVE) |
| MK-34 | mk34.ai.home | 192.168.7.34 | TBD | E0-51-D8-1C-5C-75 | Online (PVE) | | MK-34 | Southpaw | mk34.ai.home | 192.168.7.34 | 100.94.190.43 | E0-51-D8-1C-5C-75 | Online (PVE) |
| MK-39 | mk39.ai.home | 192.168.7.39 | TBD | PENDING | Online (PVE) | | MK-39 | Gemini | mk39.ai.home | 192.168.7.39 | 100.125.155.41 | PENDING | Online (PVE) |
| MK-42 | mk42.ai.home | 192.168.7.42 | TBD | PENDING | Not Installed | | MK-42 | Extremis | mk42.ai.home | 192.168.7.42 | TBD | PENDING | Offline (not installed) |
### Utility Nodes ### Utility Nodes
| Armor | Hostname | LAN IP | Tailscale IP | Role | | Hostname | LAN IP | Tailscale IP | Role |
|-------|----------|--------|--------------|------| |----------|--------|--------------|------|
| Neo | nebuchadnezzar.ai.home | 192.168.192.24 | 100.99.123.16 | Nextcloud AIO, Gitea | | nebuchadnezzar.ai.home | 192.168.192.24 | 100.99.123.16 | Nextcloud AIO, Gitea, Git server | NetBird: bobbysh.me |
| MK-44 | mark44.ai.home | 192.168.5.214 | TBD | Ollama GPU | | mark44.ai.home | 192.168.5.214 | TBD | Ollama GPU |
| MK-5 | mark5.ai.home | 192.168.6.5 | TBD | TBD | | mark5.ai.home | 192.168.6.5 | TBD | TBD |
| Shield | shield.ai.home | 192.168.10.15 / 192.168.27.205 | - | PXE/iVentoy Server | | shield.ai.home | 192.168.10.15 | - | iVentoy PXE Server |
| Artemis | artemis.ai.home | 192.168.15.182 | 100.100.97.18 | Discord Gateway | | artemis.ai.home | 192.168.15.182 | 100.100.97.18 | Discord Gateway |
| igor.ai.home | 192.168.10.211 | TBD | ZimaOS NAS (Ugreen DXP4800, 30TB) |
> **Note:** `igor.ai.home` is a separate physical node (ZimaOS NAS). Do NOT confuse with any armor codename.
### Mission Control ### Mission Control
@@ -58,6 +71,32 @@ Maintainer: F.R.I.D.A.Y. (Hermes Agent)
- OS: Windows 11 - OS: Windows 11
- Role: Workstation - Role: Workstation
- Type: Separate physical machine - Type: Separate physical machine
- Tailscale IP: 100.96.128.121
### Portable Agent Host
- Hostname: cinnamint.ai.home (inferred)
- Role: Hermes Agent USB-portable host
- Tailscale IP: 100.99.65.75
---
## DNS Configuration
**Primary Authoritative DNS:** MK7 (Technitium)
- LAN: 192.168.7.7
- Tailscale: 100.66.70.51
- Web UI: http://dns.ai.home:5380
**Technitium Upstream Forwarder:** tls://1.1.1.1 (Cloudflare DoT)
- Fallback: tls://1.0.0.1
**Fleet Node DNS Fallbacks** (for /etc/resolv.conf when not using DNS proxy):
- Primary: 192.168.7.7 (Technitium)
- Secondary: 192.168.18.1 (Router / Gateway DNS)
- Tertiary: 1.1.1.1 (Cloudflare)
**Internal Domain:** `*.ai.home` — authoritative on Technitium, also via Tailscale MagicDNS split-brain.
--- ---
@@ -84,12 +123,12 @@ Maintainer: F.R.I.D.A.Y. (Hermes Agent)
## iVentoy PXE Configuration ## iVentoy PXE Configuration
- Server: shield.ai.home -- 192.168.10.15/27 - Server: shield.ai.home 192.168.10.15/27
- WebUI: http://192.168.27.205:26000 - WebUI: http://192.168.27.205:26000
- Subnet: 192.168.10.0/27 - Subnet: 192.168.10.0/27
- Pool: 192.168.10.20 to 192.168.10.30 - Pool: 192.168.10.20 to 192.168.10.30
- MAC Filter: Permit mode - MAC Filter: Permit mode
- Edition: **iVentoy Free** (Pro upgrade pending -- private repo link awaited) - Edition: **iVentoy Free** (Pro upgrade pending private repo link awaited)
### Registered ISOs ### Registered ISOs
@@ -116,9 +155,9 @@ Post-Install: Remove MAC from whitelist. Node boots local disk, gets production
### ISO Remastering Notes ### ISO Remastering Notes
All Proxmox auto-install ISOs are **remastered** with: All Proxmox auto-install ISOs are **remastered** with:
1. **Embedded answer URL** -- each ISO points to `http://192.168.10.15:8080/pve/answers/mkNN.toml` (server URL hardcoded; node IP assigned by DHCP) 1. **Embedded answer URL** each ISO points to `http://192.168.10.15:8080/pve/answers/mkNN.toml` (server URL hardcoded; node IP assigned by DHCP)
2. **UEFI gfxmode locked** -- strict `1024x768` (fallback `640x480` removed) 2. **UEFI gfxmode locked** strict `1024x768` (fallback `640x480` removed)
3. **Per-ISO answer files** -- `mk33.toml`, `mk34.toml`, `mk39.toml`, `mk42.toml` in `/opt/iventoy/user/answers/` 3. **Per-ISO answer files** `mk33.toml`, `mk34.toml`, `mk39.toml`, `mk42.toml` in `/opt/iventoy/user/answers/`
> iVentoy Free does NOT support per-MAC ISO binding. Remastered ISOs achieve per-node provisioning via embedded answer URLs. > iVentoy Free does NOT support per-MAC ISO binding. Remastered ISOs achieve per-node provisioning via embedded answer URLs.
@@ -126,7 +165,7 @@ All Proxmox auto-install ISOs are **remastered** with:
## DNS Records ## DNS Records
### CNAME to traefik.ai.home -- A: 192.168.7.7 ### CNAME to traefik.ai.home A: 192.168.7.7
- artemis.ai.home - artemis.ai.home
- hermes.ai.home - hermes.ai.home
@@ -142,22 +181,27 @@ All Proxmox auto-install ISOs are **remastered** with:
### A Records ### A Records
- traefik.ai.home -> 192.168.7.7 | Record | IP |
- mk7.ai.home -> 192.168.7.7 |--------|-----|
- mk33.ai.home -> 192.168.7.33 | traefik.ai.home | 192.168.7.7 |
- mk34.ai.home -> 192.168.7.34 | mk7.ai.home | 192.168.7.7 |
- mk39.ai.home -> 192.168.7.39 | mk33.ai.home | 192.168.7.33 |
- mk42.ai.home -> 192.168.7.42 | mk34.ai.home | 192.168.7.34 |
- mark44.ai.home -> 192.168.5.214 | mk39.ai.home | 192.168.7.39 |
- mark5.ai.home -> 192.168.6.5 | mk42.ai.home | 192.168.7.42 |
- nebuchadnezzar.ai.home -> 192.168.192.24 | mark44.ai.home | 192.168.5.214 |
- shield.ai.home -> 192.168.10.15 | mark5.ai.home | 192.168.6.5 |
| nebuchadnezzar.ai.home | 192.168.192.24 |
| shield.ai.home | 192.168.10.15 |
| artemis.ai.home | 192.168.15.182 |
| igor.ai.home | 192.168.10.211 |
--- ---
## SSH Topology ## SSH Topology
Portable Host (F.R.I.D.A.Y.) ```
Portable Host (F.R.I.D.A.Y.)
| |
+---> artemis.ai.home via id_ed25519 +---> artemis.ai.home via id_ed25519
| +---> mk7.ai.home via artemis_key | +---> mk7.ai.home via artemis_key
@@ -165,13 +209,14 @@ All Proxmox auto-install ISOs are **remastered** with:
+---> shield via jarvis user +---> shield via jarvis user
| +---> PXE subnet 192.168.10.0/27 | +---> PXE subnet 192.168.10.0/27
| |
+---> mk33-42 via bobby user (legacy subnet)
|
+---> nebuchadnezzar via jarvis user +---> nebuchadnezzar via jarvis user
|
+---> mk33-42 via root (key-based, id_ed25519)
```
Key Files: **Key Files:**
- ~/.ssh/id_ed25519 -- bobby@cinnamint - `~/.ssh/id_ed25519` bobby@cinnamint, also injected as `friday@hermes` into PVE nodes
- ~/.ssh/artemis_key -- MK7 jump-host - `~/.ssh/artemis_key` MK7 jump-host
--- ---
@@ -180,27 +225,45 @@ Key Files:
| Code | Name | System | | Code | Name | System |
|------|------|--------| |------|------|--------|
| MK-7 | Mark VII | Swarm Manager | | MK-7 | Mark VII | Swarm Manager |
| MK-33 | Silver Centurion | Worker | | MK-33 | Silver Centurion | PVE Worker |
| MK-34 | Igor | Worker | | MK-34 | Southpaw | PVE Worker |
| MK-39 | Starboost | Worker | | MK-39 | Gemini | PVE Worker |
| MK-42 | Bones | Worker | | MK-42 | Extremis | PVE Worker (offline) |
| MK-44 | Hulkbuster | GPU/Ollama | | MK-44 | Hulkbuster | GPU/Ollama |
| MK-5 | Mark 5 | TBD | | MK-5 | Mark 5 | TBD |
| MK-38 | Igor | ZimaOS NAS (Ugreen DXP4800, 30TB) |
| MK-46 | Homecoming | ZimaOS, Trilium, ARR Media Stack |
| J.A.R.V.I.S. | Judicious Automated... | Dashboard | | J.A.R.V.I.S. | Judicious Automated... | Dashboard |
| F.R.I.D.A.Y. | Field-Ready Runtime... | Portable Agent | | F.R.I.D.A.Y. | Field-Ready Runtime... | Portable Agent |
| A.R.T.E.M.I.S. | Advanced Real-Time... | Discord | | A.R.T.E.M.I.S. | Advanced Real-Time... | Discord Gateway |
| NEO | Nebuchadnezzar | Nextcloud | | NEO | Nebuchadnezzar | Nextcloud/Gitea |
| SHIELD | - | PXE Server | | SHIELD | - | PXE Server |
> **Note:** `Igor` is **MK-38** (ZimaOS NAS at 192.168.10.211 — Ugreen DXP4800, 30TB). It is NOT MK-34.
--- ---
## Notes ## Notes
- iVentoy Free does NOT support per-MAC ISO binding. - iVentoy Free does NOT support per-MAC ISO binding.
- Shield PXE subnet isolated via ip_forward=0. - Shield PXE subnet isolated via ip_forward=0. Canonical wired IP: 192.168.10.15/27.
- Mission Control is separate physical machine. - Shield live state may show 192.168.128.33/27 from DHCP/cloud-init drift — canonical config is source-of-truth.
- All *.ai.home resolve via Technitium DNS. - Mission Control is a separate physical machine — reserved hostname must NOT be used for DNS aliases or services.
- All `*.ai.home` resolve via Technitium DNS (192.168.7.7).
- PegaProx deployed on MK7 Swarm in `host` mode (not routed through Traefik). - PegaProx deployed on MK7 Swarm in `host` mode (not routed through Traefik).
- iVentoy Pro upgrade pending -- private repo link awaited from vendor. - iVentoy Pro upgrade pending private repo link awaited from vendor.
- Gitea: `gitea.nb.bobbysh.me` (ssh://100.99.123.16:2222).
- Hermes portable sessions on Artemis use `HOME=/home/bobby/1/Hermes-USB-Portable-main/.cache/unix-home`.
- Bobby's SSH config on the portable host lives at `/home/bobby/.ssh/config` and uses `ts-` prefix for Tailscale IP aliases. Fleet aliases are primary LAN, Tailscale fallback.
---
## DNS Reminders
| Context | Primary | Fallback | Notes |
|---------|---------|----------|-------|
| PVE nodes /etc/resolv.conf | 192.168.7.7 | 192.168.18.1, 1.1.1.1 | Technitium internal |
| Technitium forwarder | tls://1.1.1.1 | tls://1.0.0.1 | Cloudflare DoT |
| Router default | Cloudflare 1.1.1.1 | — | For non-fleet devices |
Last updated: 2026-05-31 by F.R.I.D.A.Y. Last updated: 2026-05-31 by F.R.I.D.A.Y.

95
procedures/ansible-playbook/ADDITIONAL_NOTES.md Normal file
View File

@@ -0,0 +1,95 @@
# Additional Notes — Ansible NFS Playbook (Iron Legion)
**Date:** 2026-06-04 | **Author:** Artemis (AI Foreman)
---
## Nuance 1: `ansible_ssh_private_key_file` per node
Most fleet nodes use the standard `id_ed25519` key (auto-discovered). Mark44 requires `vscode_ed25519` — the code-server key. Because it's a special case, mark44's inventory block sets:
```yaml
mark44:
ansible_host: 192.168.5.214
ansible_user: jarvis
ansible_ssh_private_key_file: /root/.ssh/vscode_ed25519
```
**Don't change this to `id_ed25519`** — mark44's `authorized_keys` only contains:
1. The Termius key (artemis_key)
2. The vscode_ed25519 key
The artemis_key is NOT auto-discovered by Ansible because the filename is non-standard. Keep the explicit `ansible_ssh_private_key_file` for mark44.
---
## Nuance 2: What the `repogroup` actually is
`repogroup` is a **local alias** for TrueNAS's `apps` group (GID 568). The mapping works like this:
| System | Group Name | GID |
|--------|-----------|-----|
| TrueNAS | `apps` | 568 |
| Client | `repogroup` | 568 |
NFSv4 identity mapping sees the numeric GID only, not the symbolic name. So "jarvis in group 568" on the client maps to "jarvis in group `apps`" on TrueNAS.
**No TrueNAS-side user creation is needed** on clients. We only need the local group with the matching GID.
---
## Nuance 3: NFS mount opts evolution
| Stage | Mount opts | Result |
|-------|-----------|--------|
| Old (broken) | `defaults,_netdev` | Mount failed — TrueNAS rejects unversioned (v3) negotiation |
| Current | `vers=4.2,proto=tcp,_netdev` | Mount succeeds; root can RWX |
The `proto=tcp` is required because UDP negotiation can silently fall back and fail on large packets.
---
## Nuance 4: Why `ansible.posix.mount` instead of `mount` module
The native Ansible `ansible.posix.mount` module handles idempotency correctly:
- If already mounted at the same `src` + `path` + `opts`, reports `ok`
- If opts don't match, reports `changed` and remounts
- If `state: mounted`, ensures `/etc/fstab` entry is added
Manual `shell: mount ...` would create duplicate fstab entries.
---
## Nuance 5: TrueNAS server-side `chmod 775` on `/mnt/Ice/Repo`
This was applied as an emergency fix during debugging. The correct long-term approach would be to add a proper NFS4 ACL entry for `jarvis` (UID 1000) via TrueNAS WebUI or `midclt` API, but the `chmod 775` workaround is sufficient for production.
**Command used (for record):**
```bash
ssh -i ~/.ssh/artemis_key jarvis@192.168.16.254 'sudo chmod 775 /mnt/Ice/Repo'
```
---
## Nuance 6: Host targeting syntax edge cases
Ansible supports two exclusion syntaxes:
1. **Union + subtraction:** `hosts: fleet_nodes:!pve_hosts:!igor` ✅ Working
2. **Direct group list:** `hosts: physical_agents:core_services:infrastructure` ❌ Broken — `nfs_shares` variable is scoped under `fleet_nodes`, not these child groups
The inventory variable `nfs_shares` is defined at `fleet_nodes` level. Exclusion from `fleet_nodes` is the only way to get the variable AND exclude specific children.
---
## Nuance 7: Container vs bare-metal execution
When running Ansible inside the Docker container (`docker exec -it ansible ...`):
- SSH keys mount to `/root/.ssh` inside container
- `ansible.cfg` lives in `/ansible` (container working dir)
When running Ansible on the host (Artemis bare metal):
- SSH keys at `/home/jarvis/.ssh`
- `ansible.cfg` may be in `/home/jarvis/.ansible-repo` or current dir
The playbooks are identical but paths may differ. Always run from the project root where `ansible.cfg` and inventory files exist.

174
procedures/ansible-playbook/README.md Normal file
View File

@@ -0,0 +1,174 @@
# Ansible Playbook — NFS Client Role (Iron Legion)
**Status:** Canonical | **Last updated:** 2026-06-04
## 1. Purpose
Standardized NFS client mounting for fleet Debian nodes. Mounts the TrueNAS `Repo` dataset (`/mnt/Ice/Repo`) to `/home/jarvis/repo` on all non-PVE, non-igor nodes.
---
## 2. Files
| File | Purpose |
|------|---------|
| `roles/nfs_client/tasks/main.yml` | Role tasks: install package, create dirs, create repogroup, mount NFS, fix permissions |
| `inventory.yml` | Host definitions + `nfs_shares` variable |
| `main.yml` | Playbook entry point: target selection |
---
## 3. Role Task Breakdown
### 3.1 Install nfs-common
```yaml
- name: Install nfs-common
ansible.builtin.apt:
name: nfs-common
state: present
become: true
when: ansible_os_family == "Debian"
```
- Guard: only runs on Debian family (excludes ZimaOS/igor).
### 3.2 Create mount directory
```yaml
- name: Ensure NFS mount directories exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: '0755'
owner: jarvis
group: jarvis
become: true
loop: "{{ nfs_shares }}"
```
- Owner set to `jarvis` (NOT root) because user jarvis needs to access files after mount.
### 3.3 Create local `repogroup` (GID 568)
```yaml
- name: Create local repogroup matching TrueNAS GID 568
ansible.builtin.group:
name: repogroup
gid: 568
state: present
become: true
```
- TrueNAS `apps` group uses GID 568. Creating a local group with the same GID maps jarvis's supplementary group across the NFSv4 identity boundary.
### 3.4 Add jarvis to repogroup
```yaml
- name: Add jarvis to repogroup
ansible.builtin.user:
name: jarvis
groups:
- repogroup
append: true
become: true
```
- After relogin (or `sg repogroup`), jarvis inherits group 568 write access.
### 3.5 Mount NFS (root required)
```yaml
- name: Mount an NFS volume (root, because kernel mount)
ansible.posix.mount:
src: "{{ item.src }}"
path: "{{ item.path }}"
opts: "vers=4.2,proto=tcp,_netdev"
state: mounted
fstype: nfs
become: true
loop: "{{ nfs_shares }}"
```
- Kernel mount requires root. `vers=4.2` required because TrueNAS SCALE 25.10.2 exports NFSv4.2 only; `defaults` fails silently.
### 3.6 Fix mount permissions
```yaml
- name: Set mount permissions so jarvis (repogroup member) can write
ansible.builtin.file:
path: "{{ item.path }}"
mode: '0770'
owner: root
group: repogroup
become: true
loop: "{{ nfs_shares }}"
```
- Mountpoint inherits remote permissions from TrueNAS, but the underlying local permission layer is `770` with group `repogroup`.
---
## 4. Inventory Host Targeting
```yaml
- name: Install NFS client
hosts: fleet_nodes:!pve_hosts:!igor
become: false
roles:
- nfs_client
```
**Rationale:**
- PVE nodes (`mk33`, `mk34`, `mk39`) already have TrueNAS mounts via Proxmox integration. Don't double-mount.
- `igor` is ZimaOS (non-Debian) and can't run `apt`.
- Group exclusion syntax: `fleet_nodes:!pve_hosts:!igor`
---
## 5. TrueNAS Server-Side Companion
### Dataset: `/mnt/Ice/Repo`
| Setting | Value |
|---------|-------|
| NFS version | 4.2 |
| Maproot user | `pveuser` (UID 3003) |
| Dataset owner | `root` (UID 0) |
| Dataset group | `apps` (GID 568) |
| Dataset permissions | `775` |
**Why 775 on TrueNAS:**
- Without 775, jarvis (who is `other` in the NFS identity mapping) sees `drwxrwx---` and gets permission denied on listing.
- With 775 (`drwxrwxr-x`), jarvis gains `read + execute` through the "other" bit.
- Through the supplementary group path, jarvis gets `read + write` via group 568 after repogroup is applied.
---
## 6. Tested Behavior
| Action | Result |
|--------|--------|
| `sudo mount` | OK — root mounts, `mountpoint` returns true |
| `ls -la /home/jarvis/repo` | OK — all TrueNAS files visible |
| `touch` without relogin | FAIL — Permission denied (jarvis hasn't picked up new group in current shell) |
| `sg repogroup -c "touch ..."` | OK — works immediately |
| `touch` after relogin | OK — jarvis has repogroup in new shell |
---
## 7. Caveats
1. **NFSv4 identity mapping** requires supplemental groups. They are NOT transmitted across NFSv4 by default in Linux. The local `repogroup` creation is the workaround.
2. **TrueNAS 775** is the non-Negotiable server-side change. Without it, jarvis gets no access.
3. **Reboot or relogin** required on client after first `repogroup` addition. The group change doesn't apply retroactively to existing sessions.
4. **Kernel mount must be root** — don't try user-space NFS (FUSE). It fails for non-root users without `fusermount3` and proper `/etc/fuse.conf`.
---
## 8. Changelog
| Date | Change | Author |
|------|--------|--------|
| 2026-06-03 | Initial playbook + inventory validation | Artemis |
| 2026-06-04 | Added repogroup + permission fix after TrueNAS 775 | Artemis |

140
procedures/ansible-playbook/inventory.yml Normal file
View File

@@ -0,0 +1,140 @@
# Iron Legion Fleet Inventory
# Generated: 2026-06-03
# Source: fleet documentation + live SSH config
#
# Usage with Ansible:
# ansible all -m ping -i inventory.yml
# ansible pve_workers -m setup -i inventory.yml
# ansible swarm_manager -a "docker service ls" -i inventory.yml
#
# FIX: Group-specific variables (e.g. pve_workers:) were previously
# placed outside `all:` scope, breaking inventory parsing.
# All group vars are now merged into the group definitions below.
---
all:
vars:
ansible_ssh_private_key_file: /root/.ssh/id_ed25519
children:
# ──────────────────────────────────────────
# Physical / Virtual Fleet Nodes
# ──────────────────────────────────────────
fleet_nodes:
children:
# Core fleet services
core_services:
hosts:
mk7:
ansible_host: 192.168.7.7
ansible_user: jarvis
node_role: swarm_manager
docker_host: true
description: "Swarm manager + Traefik + service stack host"
# PVE hosts nodes
pve_hosts:
vars:
ansible_user: root
ansible_ssh_pass: "proxmox12"
ansible_become: true
ansible_python_interpreter: /usr/bin/python3
hosts:
mk33:
ansible_host: 192.168.7.33
node_role: pve_worker
pve_api_url: "https://192.168.7.33:8006/"
description: "PVE Silver Centurion"
mk34:
ansible_host: 192.168.7.34
node_role: pve_worker
pve_api_url: "https://192.168.7.34:8006/"
description: "PVE Southpaw"
mk39:
ansible_host: 192.168.7.39
node_role: pve_worker
pve_api_url: "https://192.168.7.39:8006/"
description: "PVE Gemini"
# Active physical agents
physical_agents:
hosts:
artemis:
ansible_host: 192.168.15.182
ansible_user: jarvis
node_role: discord_gateway
hermes_agent: true
description: "Primary AI orchestrator + Discord gateway"
mark44:
ansible_host: 192.168.5.214
ansible_user: jarvis
ansible_ssh_private_key_file: /root/.ssh/vscode_ed25519
node_role: gpu_host
gpu: true
description: "Hulkbuster — GPU/Ollama standby"
mark5:
ansible_host: 192.168.6.5
ansible_user: jarvis
node_role: tbd
description: "Mark 5 — being repurposed"
mk42:
ansible_host: 192.168.0.196
ansible_user: jarvis
ansible_become_pass: "ubuntu"
node_role: swarm_worker
description: "Swarm Extremis"
# Infrastructure / support nodes
infrastructure:
hosts:
shield:
ansible_host: 192.168.27.205
ansible_user: jarvis
ansible_become_pass: "ubuntu"
node_role: pxe_server
description: "iVentoy PXE deployment server"
igor:
ansible_host: 192.168.10.211
ansible_user: jarvis
node_role: nas
description: "ZimaOS NAS (MK-38)"
vars:
nfs_shares:
- src: "192.168.16.254:/mnt/Ice/Repo"
path: "/home/jarvis/repo"
# Tailscale fallback aliases (uncomment if LAN fails)
# tailscale_fallback:
# hosts:
# ts-mk7:
# ansible_host: 100.66.70.51
# ansible_user: jarvis
# ts-mk33:
# ansible_host: 100.125.155.41
# ansible_user: jarvis
# ts-mk34:
# ansible_host: 100.94.190.43
# ansible_user: jarvis
# ts-nebuchadnezzar:
# ansible_host: 100.99.123.16
# ansible_user: jarvis
# Docker host targeting groups (uncomment when needed)
# docker_hosts:
# children:
# swarm_manager:
# hosts:
# mk7:
# standalone_docker:
# hosts:
# nebuchadnezzar:

59
procedures/ansible-playbook/main.yml Normal file
View File

@@ -0,0 +1,59 @@
- name: Install nfs-common
ansible.builtin.apt:
name: nfs-common
state: present
become: true
when: ansible_os_family == "Debian"
- name: Ensure NFS mount directories exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: '0755'
owner: jarvis
group: jarvis
become: true
loop: "{{ nfs_shares }}"
loop_control:
label: "Directory: {{ item.path }}"
when: ansible_os_family == "Debian"
- name: Create local repogroup matching TrueNAS GID 568
ansible.builtin.group:
name: repogroup
gid: 568
state: present
become: true
- name: Add jarvis to repogroup
ansible.builtin.user:
name: jarvis
groups:
- repogroup
append: true
become: true
- name: Mount an NFS volume (root, because kernel mount)
ansible.posix.mount:
src: "{{ item.src }}"
path: "{{ item.path }}"
opts: "vers=4.2,proto=tcp,_netdev"
state: mounted
fstype: nfs
become: true
loop: "{{ nfs_shares }}"
loop_control:
label: "Mounted: {{ item.src }}"
when: ansible_os_family == "Debian"
- name: Set mount permissions so jarvis (repogroup member) can write
ansible.builtin.file:
path: "{{ item.path }}"
mode: '0770'
owner: root
group: repogroup
become: true
loop: "{{ nfs_shares }}"
loop_control:
label: "Permission fix: {{ item.path }}"
when: ansible_os_family == "Debian"

59
procedures/ansible-playbook/roles/nfs_client/tasks/main.yml Normal file
View File

@@ -0,0 +1,59 @@
- name: Install nfs-common
ansible.builtin.apt:
name: nfs-common
state: present
become: true
when: ansible_os_family == "Debian"
- name: Ensure NFS mount directories exists
ansible.builtin.file:
path: "{{ item.path }}"
state: directory
mode: '0755'
owner: jarvis
group: jarvis
become: true
loop: "{{ nfs_shares }}"
loop_control:
label: "Directory: {{ item.path }}"
when: ansible_os_family == "Debian"
- name: Create local repogroup matching TrueNAS GID 568
ansible.builtin.group:
name: repogroup
gid: 568
state: present
become: true
- name: Add jarvis to repogroup
ansible.builtin.user:
name: jarvis
groups:
- repogroup
append: true
become: true
- name: Mount an NFS volume (root, because kernel mount)
ansible.posix.mount:
src: "{{ item.src }}"
path: "{{ item.path }}"
opts: "vers=4.2,proto=tcp,_netdev"
state: mounted
fstype: nfs
become: true
loop: "{{ nfs_shares }}"
loop_control:
label: "Mounted: {{ item.src }}"
when: ansible_os_family == "Debian"
- name: Set mount permissions so jarvis (repogroup member) can write
ansible.builtin.file:
path: "{{ item.path }}"
mode: '0770'
owner: root
group: repogroup
become: true
loop: "{{ nfs_shares }}"
loop_control:
label: "Permission fix: {{ item.path }}"
when: ansible_os_family == "Debian"

211
procedures/pve-post-install-optimization.md Normal file
View File

@@ -0,0 +1,211 @@
# Procedure: Proxmox VE Post-Install Optimization
**Scope:** Single-node PVE 9.2 (Debian Trixie) post-install cleanup — storage repartitioning, repository configuration, subscription-nag removal, and DNS fix.
**Author:** F.R.I.D.A.Y.
**Date:** 2026-05-31
**Prerequisites:** PVE 9.2 installed, node reachable via SSH as root, node has internet (or will after DNS fix).
---
## 1. Storage Repartitioning (Remove local-lvm, Expand Root)
**Goal:** Delete the default thin pool and give all disk space to the root volume for LXC/VM root disks.
### 1.1 Remove the LVM Thin Pool and LV
```bash
# Check current layout
lvs
vgs
pvs
# Remove the Proxmox data thin pool LV
lvremove pve/data
# Confirm with "y" when prompted
```
### 1.2 Expand pve/root to Fill Free Space
```bash
# Extend the root logical volume to 100% of free VG space
lvextend -l +100%FREE pve/root
# Resize the ext4 filesystem online (no reboot needed)
resize2fs /dev/mapper/pve-root
# Verify
lvs
df -h /
```
Expected: `pve-root` is now ~930G945G depending on disk size.
### 1.3 Remove local-lvm from Proxmox Storage Config
**Critical:** Deleting the LV does NOT remove the storage definition. The web UI will still show `local-lvm` as missing/unavailable until you do this:
```bash
cfg="/etc/pve/storage.cfg"
# Backup
cp "$cfg" "$cfg.bak"
# Remove the lvmthin: local-lvm block (including all indented lines)
sed -i '/^lvmthin: local-lvm/,/^[^[:space:]]/ { /^lvmthin: local-lvm/d; /^[[:space:]]/d }' "$cfg"
# Trim leading blank lines
sed -i '/./,$!d' "$cfg"
# Restart services
cat "$cfg"
systemctl restart pvestatd pveproxy
```
### 1.4 Add Missing Content Types to local Storage
**Critical:** After removing `local-lvm`, the remaining `dir: local` storage may only have `content iso,vztmpl,backup,import`. You **must** add `images,rootdir` or you cannot create VMs/LXCs — there will be no default storage for disk images and containers.
```bash
cfg="/etc/pve/storage.cfg"
# Ensure local storage has ALL content types
cat > "$cfg" <<'STORAGE_EOF'
dir: local
path /var/lib/vz
content rootdir,images,iso,vztmpl,backup,import
STORAGE_EOF
# Restart to pick up changes
systemctl restart pvestatd pveproxy
```
Verify in web UI: **Datacenter > Storage > local** should show all content types enabled.
---
## 2. Repository Configuration
**Goal:** Disable enterprise/ceph repos (require subscription) and enable the no-subscription repo.
### 2.1 Disable Enterprise Repos
```bash
for f in /etc/apt/sources.list.d/pve-enterprise.list \
/etc/apt/sources.list.d/ceph.list; do
if [ -f "$f" ]; then
mv "$f" "$f.disabled"
echo "Disabled: $f"
fi
done
```
> **Important:** Both `pve-enterprise.list` **AND** `ceph.list` must be disabled. The PVE installer enables both by default.
### 2.2 Add No-Subscription Repo
```bash
cat > /etc/apt/sources.list.d/pve-no-subscription.list <<'REPO_EOF'
deb http://download.proxmox.com/debian/pve trixie pve-no-subscription
REPO_EOF
```
> Note: `trixie` = Debian 13. Adjust if on a different Debian base.
### 2.3 Update Package Lists
```bash
apt update
```
If DNS resolution fails (see Section 4), fix DNS first then re-run `apt update`.
---
## 3. Remove Subscription Nag Screen
**Goal:** Kill the "No valid subscription" warning popup in the web UI.
```bash
js="/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js"
# Backup
cp "$js" "$js.bak"
# Patch: replace the status check with literal false
sed -i "s/data.status !== 'Active'/false/g" "$js"
# Restart web UI
systemctl restart pveproxy
```
Verify: Log into the web UI — no subscription warning should appear.
---
## 4. Fix DNS Resolution
**Problem:** PVE 9.2 PXE installs often get `nameserver 127.0.0.1` in `/etc/resolv.conf`, but no local DNS server is running.
```bash
cat > /etc/resolv.conf <<'DNS_EOF'
search ai.home
nameserver 192.168.7.7
nameserver 192.168.18.1
nameserver 1.1.1.1
DNS_EOF
```
> Adjust nameservers to match your network. `192.168.7.7` is the Technitium DNS in the Iron Legion fleet.
After fixing DNS, re-run:
```bash
apt update
```
---
## 5. Verification Checklist
Run these on each node to confirm everything is clean:
```bash
echo "=== Storage ==="
df -h /
lvs
echo ""
echo "=== Repos ==="
cat /etc/apt/sources.list.d/*.list 2>/dev/null | grep -v disabled || echo "no active list files"
echo ""
echo "=== Nag Patch ==="
grep -c "false" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
echo ""
echo "=== DNS ==="
cat /etc/resolv.conf
echo ""
echo "=== Apt Test ==="
apt update
```
Expected results:
- `pve-root` is ~930G+ and only `root` + `swap` LVs exist
- No `local-lvm` in `/etc/pve/storage.cfg`
- `local` storage has `content rootdir,images,iso,vztmpl,backup,import`
- No `.list` files with `enterprise` or `ceph` in the name (only `pve-no-subscription.list`)
- `proxmoxlib.js` contains `false` in the subscription check line
- `apt update` completes without "Temporary failure resolving" errors
---
## 6. Known Issues & Fixes
| Issue | Cause | Fix |
|-------|-------|-----|
| local-lvm still shows in UI | LV removed but storage.cfg still has definition | Run Section 1.3 |
| Cannot create VM/LXC | `local` storage missing `images,rootdir` | Run Section 1.4 |
| apt update fails with DNS errors | resolv.conf points to 127.0.0.1 | Run Section 4 |
| Enterprise repo still active | Only pve-enterprise disabled, ceph.list left behind | Run Section 2.1 (disable BOTH) |
| Subscription nag still appears | pveproxy not restarted after patch | Run Section 3 + restart pveproxy |
---
*Last updated: 2026-05-31*

213
procedures/vscode-server-mk7-deploy.md Normal file
View File

@@ -0,0 +1,213 @@
# VS Code: Server Deployment Procedure
**Generated:** 2026-06-02
**Maintainer:** Artemis (AI Foreman)
---
## Overview
This document describes the deployment of [Microsoft VS Code: Server](https://code.visualstudio.com/docs/remote/vscode-server) (via LinuxServer `openvscode-server` Docker image) on **MK7** (Swarm Manager) to replace the previous `code-server` deployment on Neo. The primary driver was to enable **native Remote-SSH** support, which is unavailable in OpenVSX-based alternatives.
**Key advantage:** MK7's placement on the `192.168.7.x` LAN grants direct access to all fleet nodes and Proxmox VE workers via their LAN IPs. When deployed on Neo (192.168.192.x), the container was isolated from fleet subnets.
---
## Architecture
| Component | Value |
|-----------|-------|
| **Host** | MK7 (mark-vii.ai.home) |
| **Swarm Mode** | `replicated` with placement constraint `node.hostname == mark-vii.ai.home` |
| **Container IP** | Swarm overlay (10.0.1.x/24) via `traefik-public` network |
| **Internal Service Port** | `3000` |
| **Traefik Endpoint** | `vscode.ai.home``http://192.168.7.7:8443` |
| **DNS Record** | `CNAME` `vscode.ai.home``traefik.ai.home` (Technitium) |
| **Image** | `lscr.io/linuxserver/openvscode-server:latest` |
| **Marketplace** | Microsoft (official) — Remote-SSH available natively |
---
## Prerequisites
- MK7 Docker Swarm active with `traefik-public` overlay network
- Traefik reverse proxy running on `traefik.ai.home`
- Technitium DNS authoritative for `ai.home` zone
- SSH key pair (`vscode_ed25519`) deployed to all fleet nodes
- `/home/jarvis/.vscode-ssh` directory created on MK7 host with:
- `config` — SSH aliases for all fleet nodes
- `vscode_ed25519` — private key (mode 600)
- `vscode_ed25519.pub` — public key (mode 644)
---
## Deployment Steps
### 1. Prepare SSH Key Directory on MK7
```bash
mkdir -p /home/jarvis/.vscode-ssh
chmod 700 /home/jarvis/.vscode-ssh
# Copy vscode_ed25519 key pair + config from source node
scp source:/path/to/vscode_ed25519* /home/jarvis/.vscode-ssh/
chmod 600 /home/jarvis/.vscode-ssh/vscode_ed25519
chmod 644 /home/jarvis/.vscode-ssh/vscode_ed25519.pub
chmod 644 /home/jarvis/.vscode-ssh/config
```
### 2. Compose File (`vscode-server-compose.yaml`)
```yaml
version: '3.8'
services:
vscode:
image: lscr.io/linuxserver/openvscode-server:latest
environment:
- PUID=1000
- PGID=1000
- TZ=America/New_York
# Generate a random hex token: openssl rand -hex 16
- CONNECTION_TOKEN=<RANDOM_HEX_TOKEN>
- DEFAULT_WORKSPACE=/config/workspace
volumes:
- vscode_data:/config/workspace
- type: bind
source: /home/jarvis/.vscode-ssh
target: /config/.ssh
networks:
- traefik-public
deploy:
placement:
constraints:
- node.hostname == mark-vii.ai.home
labels:
- "traefik.enable=true"
- "traefik.http.routers.vscode.rule=Host(`vscode.ai.home`)"
- "traefik.http.routers.vscode.entrypoints=websecure"
- "traefik.http.routers.vscode.tls=true"
- "traefik.http.services.vscode.loadbalancer.server.port=3000"
volumes:
vscode_data:
driver: local
networks:
traefik-public:
external: true
```
**Note:** Traefik on this cluster uses the **file provider** (not Docker provider). Swarm labels are informational only. You must also add a route file to Traefik's dynamic config directory.
### 3a. Traefik Route File
Create `/opt/iron-legion/docker-swarm/traefik/dynamic/vscode.yml` on the MK7 host:
```yaml
http:
routers:
vscode-http:
rule: "Host(`vscode.ai.home`)"
entryPoints:
- web
service: vscode
vscode-https:
rule: "Host(`vscode.ai.home`)"
entryPoints:
- websecure
service: vscode
tls: {}
services:
vscode:
loadBalancer:
servers:
- url: "http://192.168.7.7:8443"
passHostHeader: true
```
Traefik auto-reloads file provider configs on change.
### 3. Deploy via Swarm
```bash
sudo docker stack deploy -c vscode-server-compose.yaml vscode
```
### 4. Verify Startup
```bash
sudo docker service ls | grep vscode
sudo docker service ps vscode_vscode
sudo docker logs $(docker ps -q -f name=vscode)
```
---
## Access URLs
| Direct (HTTP) | `http://192.168.7.7:8443/?tkn=<TOKEN>` | Lan-only, no SSL (if port published) |
| Via Traefik (HTTPS) | `https://vscode.ai.home/?tkn=<TOKEN>` | Recommended — CNAME to traefik.ai.home |
**Token location:** Set in compose `CONNECTION_TOKEN` env var.
---
## Fleet Node SSH Config
The container mounts `/config/.ssh` containing a standard OpenSSH `config` file with all fleet aliases. Remote-SSH extension reads this automatically.
**Format example:**
```ssh-config
Host artemis
HostName 192.168.15.182
User jarvis
IdentityFile ~/.ssh/vscode_ed25519
IdentitiesOnly yes
```
**PVE nodes (mk33/34/39):** Present but `User root` — key deployment pending.
---
## Why MK7 Over Neo
| Factor | Neo (Previous) | MK7 (Current) |
|--------|---------------|----------------|
| Network | Isolated subnet (192.168.192.x) | Core LAN (192.168.7.x) |
| Swarm | Standalone | Manager |
| Traefik | Manual or absent | Already deployed |
| Remote-SSH | Unavailable (OpenVSX) | Available (Microsoft) |
| Fleet Reach | None | Direct SSH to all nodes |
---
## Troubleshooting
**Port 8443 not reachable externally:**
- Check Swarm ingress: `sudo iptables -t nat -L DOCKER-INGRESS | grep 8443`
- Verify container binding: `sudo ss -tlnp | grep 8443`
**Container fails to start with mount error:**
- Ensure `/home/jarvis/.vscode-ssh` exists on MK7 host before deploy
- Swarm bind mounts require host path existence at deploy time
**Token rejected:**
- Tokens must be hex-only characters (0-9, a-f)
- Regenerate with: `openssl rand -hex 16`
**Traefik route not found:**
- Verify `traefik-public` network exists: `docker network ls | grep traefik`
- Check Traefik dashboard at `https://traefik.ai.home:8080`
---
## References
- [LinuxServer OpenVSCode-Server Docker](https://github.com/linuxserver/docker-openvscode-server)
- [VS Code: Server Documentation](https://code.visualstudio.com/docs/remote/vscode-server)
- [Remote-SSH Extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-ssh)
---
*End of document*

149
reports/mk7-service-restoration-report.md Normal file
View File

@@ -0,0 +1,149 @@
# MK7 Service Restoration Report
**Date:** 2026-06-01
**Author:** F.R.I.D.A.Y.
**Status:** All services restored online
---
## Problem
MK7 (Swarm Manager, 192.168.7.7) had all Docker Swarm stacks stopped after physical relocation. Only `pegaprox` stack remained running from a previous manual deployment. Primary services (Traefik, Technitium, Portainer, n8n, Homepage, Beszel, Dozzle, Authelia, Prometheus, node-exporter) were all offline.
---
## Root Causes
1. **Primary cause:** MK7 was physically relocated, Docker Swarm services were intentionally stopped during migration and never restarted.
2. **Secondary cause (Authelia failure):** When services were redeployed, Authelia crashed due to NTP clock synchronization failure. `systemd-timesyncd` was pointing to stale NTP server `192.168.128.33` (Shield PXE DHCP drift), causing certificate validity checks to fail.
3. **Network config drift:** `/etc/systemd/timesyncd.conf.d/` contained a cloud-init NTP config pointing to the wrong IP.
---
## Actions Taken
### Phase 1: Service Redeployment
Located compose files at `/opt/iron-legion/docker-swarm/` and individually deployed all stacks:
```bash
# Deployed stacks
docker stack deploy -c traefik/compose.yml traefik
docker stack deploy -c portainer/compose.yml portainer
docker stack deploy -c technitium/compose.yml technitium
docker stack deploy -c homepage/compose.yml homepage
docker stack deploy -c n8n/n8n-stack.yml n8n
docker stack deploy -c beszel/compose.yml beszel
docker stack deploy -c dozzle/compose.yml dozzle
docker stack deploy -c authelia/compose.yml authelia
docker stack deploy -c prometheus/compose.yml prometheus
docker stack deploy -c node-exporter/compose.yml node-exporter
```
All stacks converged successfully.
### Phase 2: NTP / Authelia Fix
**Problem identified:** Authelia container logs showed:
```
error="the system clock is not synchronized accurately enough with the configured NTP server" provider=ntp
```
**Investigation:**
```bash
systemctl status systemd-timesyncd
# Status: "Connecting to time server 192.168.128.33:123"
```
**Fix applied:**
```bash
# Removed stale cloud-init NTP config
rm -f /etc/systemd/timesyncd.conf.d/*.conf
# Reset timesyncd to default (uses pool.ntp.org fallbacks)
echo '[Time]' | sudo tee /etc/systemd/timesyncd.conf
sudo systemctl restart systemd-timesyncd
# Verified sync
timedatectl status | grep "System clock synchronized: yes"
```
**Result:** `System clock synchronized: yes` — Authelia restarted successfully.
### Phase 3: MK-42 Worker Node Reintegration
**Discovery:** MK-42 (192.168.0.196) was online and had Docker installed but Swarm was inactive.
**Action:**
```bash
# On MK-42
ssh jarvis@192.168.0.196
docker swarm leave --force # Not in swarm, just confirming
docker swarm join --token SWMTKN-1-5po7nh34gige4jj7psqyc2pe8puf66yvpzvq3o4suy2kzqa5om-7tobwwhz2tvmo7wmg5yk7m5jd 192.168.7.7:2377
```
**Result:** MK-42 joined Swarm as a worker node. Now available for workload scheduling.
---
## Final Service Status
| Stack | Service | Status | Replicas | Notes |
|-------|---------|--------|----------|-------|
| traefik | traefik | ✅ Running | 1/1 | Global mode on manager, healthy |
| portainer | portainer | ✅ Running | 1/1 | Replicated on manager |
| technitium | technitium | ✅ Running | 1/1 | Ports 53/5380 exposed (host mode) |
| homepage | homepage | ✅ Running | 1/1 | Replicated on manager |
| n8n | postgres | ✅ Running | 1/1 | Healthy |
| n8n | pgadmin | ✅ Running | 1/1 | — |
| n8n | n8n | ✅ Running | 1/1 | Healthy |
| beszel | beszel-hub | ✅ Running | 1/1 | Port 8090 exposed |
| dozzle | dozzle | ✅ Running | 1/1 | Port 8081 exposed |
| authelia | authelia | ✅ Running | 1/1 | After NTP fix |
| prometheus | prometheus | ✅ Running | 1/1 | — |
| node-exporter | node-exporter | ✅ Running | 1/1 | Global mode |
| pegaprox | pegaprox | ✅ Running | 1/1 | Already running (unchanged) |
**Swarm nodes:**
| ID | Hostname | Status | Availability | Manager |
|----|----------|--------|--------------|---------|
| x6xr2s6... | mark-vii.ai.home | Ready | Active | Leader |
| x46ce7y... | mk-42 | Ready | Active | — (Worker) |
---
## Health Checks Verified
```bash
curl -s http://localhost:8080/ping → OK (Traefik)
curl -s http://localhost:9000/api/status → {"Version":"2.39.2",...} (Portainer)
curl -s http://localhost:5380 → Technitium HTML (DNS UI)
curl -s http://localhost:8090 → Beszel HTML
curl -s http://localhost:5678/healthz → OK (n8n)
curl -s http://localhost:8081/api/health → OK (Dozzle)
```
All services responding on expected ports.
---
## File Changes on MK7
| File | Action | Reason |
|------|--------|--------|
| `/etc/systemd/timesyncd.conf.d/*.conf` | Deleted | Stale cloud-init NTP config pointing to wrong IP |
| `/etc/systemd/timesyncd.conf` | Reset to `[Time]` only | Restore default NTP behavior |
| `/opt/iron-legion/docker-swarm/deploy.sh` | Modified | Removed reference to missing `adguard` stack (not deployed) |
---
## Notes for Future Operations
1. **NTP drift on relocated nodes:** Always verify `timedatectl status` after moving hardware. Cloud-init may inject stale NTP configs.
2. **AdGuard removed:** The `deploy.sh` previously referenced an `adguard` stack that no longer exists (AdGuard was removed in favor of Technitium's built-in blocking). The script was updated to skip it.
3. **MK-42 as Swarm worker:** MK-42 is now available for container scheduling but has not been labeled for specific workloads. If you want PVE services on it, consider deploying a VM first or using it as a bare Swarm worker.
4. **No Tailscale on MK-42:** As requested, MK-42 joins via LAN IP only. No Tailscale client installed.
---
*Last updated: 2026-06-01 by F.R.I.D.A.Y.*

344
reports/netbird-evaluation-report.md Normal file
View File

@@ -0,0 +1,344 @@
# Netbird Self-Hosted Control Plane — Evaluation Report
**Author:** F.R.I.D.A.Y. ( Hermes Agent )
**Date:** 2026-05-31
**Status:** Draft — for Commander review before deployment
**Scope:** Evaluate Netbird self-hosted control plane as a potential replacement or complement to Tailscale mesh networking for the Iron Legion fleet.
---
## Executive Summary
Netbird is an open-source, WireGuard-based mesh VPN that provides peer-to-peer connectivity with a centralized management plane. As of v0.71.4 (May 2026), it now offers **two deployment models** for self-hosting:
1. **Quickstart (single-container, recommended for new deployments)** — Combined management + signal + relay in one `netbird-server` container with embedded Dex IdP. ~5-minute setup via `getting-started.sh` with built-in Traefik and automatic TLS.
2. **Advanced (multi-container, legacy but supported)** — Separate services (management, signal, coturn, relay, dashboard) configured via `management.json` and `docker-compose.yml`.
**Key finding:** Netbird now supports running **behind an existing reverse proxy** (Traefik, Nginx, Caddy) as a first-class deployment option. This is significant for the Iron Legion because MK7 already runs Traefik for `*.ai.home` services — we can integrate Netbird without adding a new public-facing edge.
---
## What Netbird Offers (vs. Tailscale)
| Feature | Tailscale | Netbird |
|---------|-----------|---------|
| Underlay protocol | WireGuard | WireGuard |
| Control plane | Tailscale Co. cloud | **Self-hostable** |
| NAT traversal | DERP relays (cloud-hosted) | Self-hosted Coturn + Relay |
| Identity provider | Tailscale accounts / SSO via Auth0, etc. | **Embedded Dex** / Any OIDC IdP |
| Network routes | ✅ | ✅ |
| DNS split-brain | MagicDNS | Network-wide DNS |
| Reverse proxy / funnel | Tailscale Funnel (public) | **Built-in reverse proxy via Netbird Proxy** |
| Access controls | ACL policies | **Group + peer policies** |
| Linux clients | ✅ | ✅ |
| Windows | ✅ | ✅ |
| Mobile (iOS/Android) | ✅ | ✅ |
| Browser client | ❌ | ✅ |
| Open-source | Client only | **Fully open-source** |
**For the Iron Legion:** The primary advantage of Netbird is **full ownership of the control plane**. Tailscale depends on Tailscale Inc. infrastructure for coordination and DERP relays; Netbird brings both under our control.
---
## Architecture Overview
### Quickstart (v0.29+, Recommended)
```
[Public Internet]
|
+-- TCP 80/443 --> Traefik (built-in or external)
| |
| +-- Dashboard UI (web)
| +-- Management API (gRPC over HTTPS)
| +-- Signal (gRPC over HTTPS, HTTP/2 ALPN)
| +-- Relay (WebSocket over HTTPS)
|
+-- UDP 3478 --> Coturn (STUN/TURN)
|
+-- UDP 49152-65535 --> TURN relay ports (legacy)
```
**Combined server container** (`netbird-server`) consolidates:
- Management Service — peer orchestration, ACLs, routes, DNS
- Signal Service — WebRTC signaling for direct WireGuard connections
- Relay Service — WebSocket relay for fallback when direct p2p fails
- Embedded Dex — built-in identity provider (local users + external OIDC)
- Dashboard — web management UI
**New in v0.29:** Management and Signal share port 443 via HTTP/2 ALPN. Previously required separate ports (33073 for management gRPC, 10000 for signal gRPC, 33080 for relay).
### Advanced (legacy multi-container)
- `management` — API server + dashboard
- `signal` — WebRTC signaling
- `relay` — WebSocket fallback relay
- `coturn` — TURN/STUN server
- `dashboard` — React UI
- External IdP required (or Dex deployed separately)
**Iron Legion recommendation:** Use the **Quickstart model** unless there's a hard requirement for a separate IdP (Authelia, Keycloak, etc.) that cannot run alongside the embedded Dex.
---
## Deployment Options for Iron Legion
### Option A: Docker Swarm on MK7 (Recommended for Low Friction)
Deploy Netbird as a Docker Swarm stack on MK7, using the **existing Traefik** as the reverse proxy.
**Pros:**
- Already running Swarm + Traefik on MK7
- No new VM or LXC to provision
- Can share `traefik-public` network
- Traefik handles TLS certs via internal CA or Let's Encrypt
**Cons:**
- MK7 is already the Swarm manager + DNS + proxy — adding mesh control plane means more load on the same node
- If MK7 goes down, both the mesh *and* the Web UI/proxy go down
**Port mapping on MK7:**
| Port | Protocol | Service |
|------|----------|---------|
| 80 | TCP | HTTP (redirect + ACME challenge) |
| 443 | TCP | HTTPS (Dashboard, Management, Signal, Relay) |
| 3478 | UDP | Coturn STUN/TURN |
> Note: v0.29+ consolidated ports reduce firewall complexity. If all clients run v0.29+, only need 80/443 + 3478. Legacy clients need 33073, 10000, 33080, and UDP 49152-65535.
### Option B: Dedicated LXC on Proxmox (Recommended for Resilience)
Deploy Netbird control plane as an LXC container on one of the Proxmox nodes (MK33/34/39/42), with port forwards via `iptables` or host networking.
**Pros:**
- Isolated from Docker Swarm failures
- Can colocate with MK7 for low latency but separate failure domain
- Easier backups via Proxmox scheduled snapshot
**Cons:**
- Requires provisioning an LXC first
- Need to forward UDP 3478 + TCP 443 from host to container
**Recommended node:** MK39 (Gemini) — currently underutilized, stable node.
### Option C: PVE VM (Heavy, Overkill)
Full VM on Proxmox — unnecessary overhead for a coordination server.
**Verdict:** Option B (LXC on MK39) for resilience, or Option A (Swarm on MK7) if simplicity is preferred.
---
## Reverse Proxy Integration
The `getting-started.sh` script supports **6 reverse proxy modes**:
| Option | Reverse Proxy | Iron Legion Fit |
|--------|-------------|------------------|
| `[0]` | Built-in Traefik (new container) | Works but redundant — we already have Traefik |
| `[1]` | External Traefik (labels only) | **Best fit for Option A** — generates Docker labels for existing Traefik |
| `[2]` | Nginx (config template) | Not needed — already running Traefik |
| `[3]` | Nginx Proxy Manager | Not needed |
| `[4]` | External Caddy | Not needed |
| `[5]` | Other/Manual | Fallback if Traefik ALPN doesn't work |
**Iron Legion choice:** Option `[1]` — "Existing Traefik" labels. This generates:
- `traefik.enable=true`
- `traefik.http.routers.netbird-<service>.rule=Host(...)`
- `traefik.http.services.netbird-<service>.loadbalancer.server.port=...`
- Labels for each endpoint: Dashboard (443), Management gRPC (443), Signal gRPC (443), Relay WebSocket (443)
### Required Traefik EntryPoints
Already configured on MK7 Traefik:
- `web` (:80) — redirect to HTTPS
- `websecure` (:443) — HTTPS + gRPC via HTTP/2
- `traefik-dashboard` (:8080) — dashboard
**No new entrypoints needed.** All Netbird services multiplex over 443 via HTTP/2 ALPN.
---
## DNS Requirements
Netbird needs two DNS records:
| Type | Record | Points To |
|------|--------|-----------|
| A | `netbird.ai.home` | MK7 (192.168.7.7) or MK39 LXC IP |
| CNAME | `*.netbird.ai.home` | `netbird.ai.home` |
The wildcard is required for Netbird Proxy — each exposed internal service gets a subdomain (e.g., `service.netbird.ai.home`).
**Technitium DNS update:** Add:
- `netbird.ai.home` → A → 192.168.7.7 (or LXC IP if Option B)
- `*.netbird.ai.home` → CNAME → `netbird.ai.home`
> Note: Netbird clients on the mesh resolve `*.netbird.selfhosted` internally. The `ai.home` DNS is only needed for the dashboard web UI and proxy subdomains.
---
## Authentication Strategy
Netbird Quickstart includes an **embedded Dex** identity provider with local user management. This is sufficient for Iron Legion's current needs.
**Two paths:**
### Path 1: Embedded Dex Only (Recommended for Review)
- Local user accounts created via Netbird Dashboard
- No dependence on external IdP
- Username/password or personal access tokens
- Can migrate to external IdP later without re-enrolling devices
### Path 2: Integrate with Existing Authelia (Future)
- Authelia on MK7 supports OIDC (added in v4.38+)
- Netbird can authenticate against Authelia as the IdP
- Single sign-on across all fleet services
- More complex setup — save for Phase 2
**Recommendation:** Start with Path 1 (embedded Dex). It's fully functional, requires zero extra infrastructure, and can be migrated to Authelia OIDC later.
---
## Tailscale Coexistence
Netbird and Tailscale **can run simultaneously** on the same nodes because they use different WireGuard interfaces and port ranges:
- Tailscale: UDP 41641 (WireGuard), port 443/TCP (DERP)
- Netbird: UDP 51820 (WireGuard), UDP 3478 (TURN), TCP 443 (management/signal)
**Potential conflicts:**
- Both want UDP high-ports for NAT traversal — OS assigns ephemeral ports, typically fine
- Both manipulate iptables/routing tables — could interfere with default routes
- DNS resolution: Tailscale MagicDNS vs. Netbird DNS — whichever binds `/etc/resolv.conf` last wins
**Recommended coexistence strategy:**
- Primary mesh: Tailscale (currently working, MagicDNS configured for `ai.home`)
- Secondary / evaluation: Netbird on a subset of nodes
- Use Netbird for specific access-control use cases (e.g., expose certain services via Netbird Proxy)
- Do NOT set Netbird as default route unless Tailscale is decommissioned
---
## Netbird Proxy — Replacing Traefik?
**Commander question:** "Run alongside possibly replace Traefik as the reverse proxy"
**Answer:** Netbird Proxy is NOT a reverse proxy replacement for Traefik. It solves a **different problem**:
- **Traefik** (existing on MK7): Routes `*.ai.home` traffic *within* the LAN/WAN to Docker containers. It handles HTTP/HTTPS ingress for services like Portainer, PegaProx, Technitium, etc.
- **Netbird Proxy**: Exposes internal Netbird mesh services *to the public internet* via subdomain routing, secured by Netbird's access policies. Think of it as a Tailscale Funnel equivalent.
**Example:**
- `prometheus.internal.ai.home` is only reachable inside the LAN → traefik routes to Prometheus
- `prometheus.netbird.ai.home` could be exposed to a remote user's laptop via Netbird Proxy with per-user ACLs
**Verdict:** Keep Traefik. Netbird Proxy complements it for selective external exposure, not replaces it.
---
## Resource Requirements
### Quickstart (single container)
| Resource | Min | Recommended |
|----------|-----|-------------|
| CPU | 1 core | 2 cores |
| RAM | 2 GB | 4 GB |
| Disk | 10 GB | 20 GB |
| Network | Public IP + DNS | Same |
### Advanced (multi-container)
| Resource | Min | Recommended |
|----------|-----|-------------|
| CPU | 2 cores | 4 cores |
| RAM | 4 GB | 8 GB |
| Disk | 20 GB | 40 GB |
| Network | Same | Same |
**Iron Legion:** Either MK7 (18 cores, 15 GB RAM) or a Proxmox LXC (easily provisioned with 4 GB RAM, 2 cores) are well within these limits.
---
## Deployment Effort Estimate
| Phase | Task | Time | Notes |
|-------|------|------|-------|
| P0 | Review this report | — | Commander decision point |
| P1 | Add DNS records to Technitium | 15 min | `netbird.ai.home` + wildcard |
| P2 | Deploy Netbird (Quickstart Option A or B) | 30 min | Run `getting-started.sh`, select option [1] or [0] |
| P3 | Create first admin user via `/setup` | 5 min | Web browser |
| P4 | Install Netbird client on test nodes | 20 min | 2-3 nodes for validation |
| P5 | Configure network routes + ACLs | 45 min | Mirror Tailscale access patterns |
| P6 | Evaluate coexistence vs. Tailscale replacement | Ongoing | 1-2 week trial period |
**Total hands-on time (if approved):** ~2 hours (+ evaluation period).
---
## Known Issues / Gotchas
1. **ALPN / HTTP/2 requirement:** Netbird v0.29+ consolidated ports require HTTP/2 + ALPN on the reverse proxy. Traefik supports this natively. Nginx requires explicit `http2` directive on `listen`.
2. **Legacy clients:** If any Iron Legion device runs an older Netbird client (< v0.29), you'll need the legacy ports (33073, 10000, 33080, UDP 49152-65535). Allfleet devices should use latest client.
3. **Coturn on cloud VMs:** Oracle Cloud and Hetzner require firewall rules for UDP 3478 beyond just VM-level. Not applicable for LAN but noted for future cloud expansion.
4. **First user setup:** The `/setup` page is **only accessible when zero users exist**. After first admin creation, it redirects to `/login`. To create additional admins, use Dashboard → Settings → Identity Providers or API with PAT.
5. **NTP dependency:** Authelia failed on MK7 due to unsynchronized clock (see MK7 restoration report). Netbird's management service also checks certificate validity — ensure NTP sync on the host.
6. **Wildcard DNS for Proxy:** If enabling Netbird Proxy, the wildcard CNAME is mandatory. Without it, exposed service subdomains won't resolve.
---
## Recommendations
### Immediate (Pre-Deployment)
1. ✅ Commander reviews this report
2. ✅ Decide Option A (Swarm on MK7) vs. Option B (LXC on MK39)
3. ✅ If Option A: verify Traefik HTTP/2 ALPN is active
### Short-Term (If Approved)
1. Deploy Netbird Quickstart with embedded Dex
2. Add `netbird.ai.home` + wildcard to Technitium DNS
3. Install clients on 2-3 test nodes (Cinnamint, Artemis, MK42)
4. Mirror one Tailscale route in Netbird for comparison
### Long-Term (Evaluation After 2 Weeks)
1. Compare latency/connection reliability vs. Tailscale
2. Evaluate Netbird Proxy for selective external access
3. Decide: coexist, replace Tailscale, or decommission Netbird
4. If replacing: migrate MagicDNS zones to Netbird DNS, update all `.ai.home` client configs
---
## References
- Netbird Docs (Self-Hosted Quickstart): https://docs.netbird.io/selfhosted/selfhosted-quickstart
- Netbird Docs (Advanced Guide): https://docs.netbird.io/selfhosted/selfhosted-guide
- GitHub (infrastructure files): https://github.com/netbirdio/netbird/tree/v0.71.4/infrastructure_files
- Quickstart install script: `curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash`
- Reverse Proxy Configuration: https://docs.netbird.io/selfhosted/reverse-proxy
- Upgrade / Migration Guide: https://docs.netbird.io/selfhosted/maintenance
---
## Appendix: Netbird vs Tailscale Detailed Comparison
| Aspect | Tailscale | Netbird Self-Hosted |
|--------|-----------|---------------------|
| Control plane ownership | ❌ Tailscale Inc. | ✅ Fully owned |
| Relay ownership | ❌ Tailscale DERP | ✅ Self-hosted Coturn |
| Cost | Free tier limited; enterprise paid | Free; unlimited |
| Identity | External IdP or Tailscale | Embedded Dex or any OIDC |
| Web dashboard | ✅ | ✅ (self-hosted) |
| API | ✅ | ✅ (REST + gRPC) |
| SCIM provisioning | ❌ (manual) | ✅ (Enterprise) |
| Network segmentation / ACLs | Yes (JSON ACL) | Yes (groups + policies) |
| Exit nodes | ✅ | ✅ |
| Subnet routers | ✅ | ✅ |
| Browser client | ❌ | ✅ (WebRTC-based) |
| Mobile NAT busting | DERP | TURN + direct p2p |
---
*Report generated 2026-05-31 by F.R.I.D.A.Y. — awaiting Commander review.*