# Iron Legion Homelab Services Stack — Data & Persistence

## Volume Strategy

Every service with persistent state uses **bind mounts to on-node directories**. No named volumes, no NFS, no distributed storage.

## Directory Convention

```
/opt/iron-legion/
├── service-name/
│   ├── data/      # Application data (databases, config, state)
│   ├── config/    # Static config files mounted read-only where possible
│   └── logs/      # Log output (optional, if not sent to stdout)
```

## Per-Service Persistence

| Service | Data Path | Backup Target | Size Estimate |
|---------|-----------|---------------|---------------|
| **Traefik** | `/opt/iron-legion/traefik/config/` `/opt/iron-legion/traefik/certs/` | MK7 (daily rsync) | < 50 MB |
| **Technitium DNS** | `/opt/iron-legion/technitium/config/` | MK7 | < 10 MB |
| **AdGuard Home** | `/opt/iron-legion/adguard/work/` `/opt/iron-legion/adguard/conf/` | MK7 | < 500 MB |
| **Prometheus** | `/opt/iron-legion/prometheus/data/` | MK7 (retention: 15d local, 90d backup) | 5–20 GB |
| **Grafana** | `/opt/iron-legion/grafana/data/` | MK7 | < 500 MB |
| **Beszel** | `/opt/iron-legion/beszel/data/` | MK7 | < 1 GB |
| **Portainer** | `/opt/iron-legion/portainer/data/` | MK7 | < 100 MB |
| **Homepage** | `/opt/iron-legion/homepage/config/` | MK7 | < 10 MB |
| **Vaultwarden** | `/opt/iron-legion/vaultwarden/data/` | MK7 (encrypted) | < 500 MB |
| **Authelia** | `/opt/iron-legion/authelia/config/` | MK7 | < 10 MB |
| **Jellyfin** | `/opt/iron-legion/jellyfin/config/` `/opt/iron-legion/jellyfin/media/` | **None** (media too large) | < 1 GB config; media drive separate |
| **Sonarr** | `/opt/iron-legion/sonarr/config/` | MK7 | < 1 GB |
| **Radarr** | `/opt/iron-legion/radarr/config/` | MK7 | < 1 GB |
| **Prowlarr** | `/opt/iron-legion/prowlarr/config/` | MK7 | < 100 MB |
| **Nextcloud** | `/opt/iron-legion/nextcloud/data/` | MK7 (snapshots) | 10–50 GB |

## Media Storage Exception

- **Jellyfin media** lives on a separate mount (likely external USB/NVMe on MK7). Not backed up via rsync.
- **Sonarr/Radarr** stage downloads to a shared `/downloads` bind mount, then hardlink/copy to the Jellyfin media library.

## Backup Tooling

- **Primary:** `rsync -a --delete` to MK7 secondary storage daily at 03:00 local.
- **Vaultwarden:** `sqlite3` dump + `rsync` (encrypted at rest on MK7).
- **Prometheus:** `snapshot API` → rsync (not raw WAL files).

## Secret Management

- `.env` files live in `/opt/iron-legion/service-name/.env`, mode `0600`.
- Compose files use `${VAR_NAME}` syntax, never literal strings.
- Vaultwarden stores shared secrets (DB passwords, API keys). Artemis holds no secrets in memory.
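
An audit for the secret-management conventions above, as an added example that is not part of the original stack: it flags service `.env` files that are not mode `0600` and compose lines that give a secret-looking key a literal value instead of a `${VAR_NAME}` reference. The function names, the key-name heuristic, and the assumption that each compose file sits directly in its service directory are assumptions of this example.

```bash
#!/bin/sh
# Added example (not the stack's own tooling): audit the secret conventions.
# Function names and the key-name heuristic are hypothetical.
# Assumption: .env and the compose file sit directly in each service directory.

# Keys whose name contains PASSWORD/SECRET/TOKEN/KEY and that carry a value.
KEY_RE='^[[:space:]]*(-[[:space:]]*)?[A-Za-z0-9_]*(PASSWORD|SECRET|TOKEN|KEY)[A-Za-z0-9_]*[[:space:]]*[:=][[:space:]]*[^[:space:]]'

# List service-level .env files whose mode is not exactly 0600.
env_mode_violations() {
  find "$1" -mindepth 2 -maxdepth 2 -type f -name .env ! -perm 0600 2>/dev/null | sort
}

# List compose lines (file:line:text) where a secret-looking key is assigned
# something other than a ${VAR_NAME} reference. /dev/null forces grep to
# print the file name even when only one compose file is found.
compose_literal_secrets() {
  find "$1" -mindepth 2 -maxdepth 2 -type f \
    \( -name 'docker-compose.y*ml' -o -name 'compose.y*ml' \) \
    -exec grep -nEi "$KEY_RE" /dev/null {} + 2>/dev/null |
    grep -vE '[:=][[:space:]]*"?\$\{' | sort
}

# Print findings; exit status 0 only when both checks are clean.
audit() {
  bad_env=$(env_mode_violations "$1")
  bad_lit=$(compose_literal_secrets "$1")
  [ -n "$bad_env" ] && printf '.env not mode 0600:\n%s\n' "$bad_env"
  [ -n "$bad_lit" ] && printf 'literal secret in compose file:\n%s\n' "$bad_lit"
  [ -z "$bad_env$bad_lit" ]
}

# Run only when a root directory is given, e.g.: sh audit.sh /opt/iron-legion
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

The non-zero exit status on any finding lets the check gate the daily backup job or a deploy step.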