documentation/06-data-and-persistence.md
jarvis 484b2e6272 DNS topology: AdGuard removed, Technitium authoritative + DoT + ad blocking
- Remove AdGuard Home from all service catalogs, deployment phases,
  persistence tables, and network architecture docs
- Update Technitium notes: authoritative .ai.home zone, recursive resolver,
  DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking
- Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout)
- Add dns-topology.md: complete DNS architecture diagram, zone details,
  client assignments, Tailscale integration, troubleshooting table,
  migration history (AdGuard deployed → paused → removed)
2026-05-29 21:01:24 -04:00

# Iron Legion Homelab Services Stack — Data & Persistence
## Volume Strategy
Every service with persistent state uses **bind mounts to on-node directories**. No named volumes, no NFS, no distributed storage.
## Directory Convention
```
/opt/iron-legion/
├── service-name/
│ ├── data/ # Application data (databases, config, state)
│ ├── config/ # Static config files mounted read-only where possible
│ └── logs/ # Log output (optional, if not sent to stdout)
```
## Per-Service Persistence
| Service | Data Path | Backup Target | Size Estimate |
|---------|-----------|---------------|---------------|
| **Traefik** | `/opt/iron-legion/traefik/config/` `/opt/iron-legion/traefik/certs/` | MK7 (daily rsync) | < 50 MB |
| **Technitium DNS** | `/opt/iron-legion/technitium/config/` | MK7 | < 10 MB |
| **~~AdGuard Home~~** | ~~`/opt/iron-legion/adguard/work/`~~ ~~`/opt/iron-legion/adguard/conf/`~~ | ~~Removed~~ | ~~N/A~~ |
| **Prometheus** | `/opt/iron-legion/prometheus/data/` | MK7 (retention: 15d local, 90d backup) | 520 GB |
| **Grafana** | `/opt/iron-legion/grafana/data/` | MK7 | < 500 MB |
| **Beszel** | `/opt/iron-legion/beszel/data/` | MK7 | < 1 GB |
| **Portainer** | `/opt/iron-legion/portainer/data/` | MK7 | < 100 MB |
| **Homepage** | `/opt/iron-legion/homepage/config/` | MK7 | < 10 MB |
| **Vaultwarden** | `/opt/iron-legion/vaultwarden/data/` | MK7 (encrypted) | < 500 MB |
| **Authelia** | `/opt/iron-legion/authelia/config/` | MK7 | < 10 MB |
| **Jellyfin** | `/opt/iron-legion/jellyfin/config/` `/opt/iron-legion/jellyfin/media/` | **None** (media too large) | < 1 GB config; media drive separate |
| **Sonarr** | `/opt/iron-legion/sonarr/config/` | MK7 | < 1 GB |
| **Radarr** | `/opt/iron-legion/radarr/config/` | MK7 | < 1 GB |
| **Prowlarr** | `/opt/iron-legion/prowlarr/config/` | MK7 | < 100 MB |
| **Nextcloud** | `/opt/iron-legion/nextcloud/data/` | MK7 (snapshots) | 1050 GB |
## Media Storage Exception
- **Jellyfin media** lives on a separate mount (likely external USB/NVMe on MK7). Not backed up via rsync.
- **Sonarr/Radarr** stage downloads in a shared `/downloads` bind mount, then hardlink or copy them into the Jellyfin media library.
## Backup Tooling
- **Primary:** `rsync -a --delete` to MK7 secondary storage daily at 03:00 local.
- **Vaultwarden:** `sqlite3` dump + `rsync` (encrypted at rest on MK7).
- **Prometheus:** `snapshot API` → rsync (not raw WAL files).
## Secret Management
- `.env` files live in `/opt/iron-legion/service-name/.env`, mode `0600`.
- Compose files use `${VAR_NAME}` syntax, never literal strings.
- Vaultwarden stores shared secrets (DB passwords, API keys). Artemis holds no secrets in memory.
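
One way to check the first two rules above across every service directory. This is an added example, not part of the Iron Legion repository. It assumes each service's compose file sits beside its `.env` under a common file name and uses a heuristic key-name match; the directory tree in `demo()` is constructed sample data.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): key names that usually carry a secret.
SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)", re.I)
# Matches "KEY: value" and "- KEY=value" lines in a compose file.
ASSIGN = re.compile(r"^\s*-?\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(\S.*)$")
# Assumption: the compose file lives in the service directory next to .env.
COMPOSE_NAMES = ("compose.yml", "compose.yaml", "docker-compose.yml", "docker-compose.yaml")

def audit(root):
    """Return (path, problem) findings for every service directory under root."""
    findings = []
    for svc in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        env = svc / ".env"
        if env.is_file():
            mode = env.stat().st_mode & 0o777
            if mode & 0o077:  # any group/other bit breaks the 0600 rule
                findings.append((str(env), f"mode {mode:04o} grants group/other access, expected 0600"))
        for compose in (svc / n for n in COMPOSE_NAMES if (svc / n).is_file()):
            for n, line in enumerate(compose.read_text().splitlines(), 1):
                m = ASSIGN.match(line.split(" #")[0])  # ignore trailing comments
                if not m or not SECRET_KEY.search(m.group(1)):
                    continue
                value = m.group(2).strip().strip("'\"")
                if not value.startswith("${"):  # must be a ${VAR_NAME} reference
                    findings.append((f"{compose}:{n}", f"literal value for {m.group(1)}"))
    return findings

def demo():
    """Build a constructed tree (not real data) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        good, bad = Path(root, "grafana"), Path(root, "nextcloud")
        for d in (good, bad):
            d.mkdir()
        (good / ".env").write_text("GF_SECURITY_ADMIN_PASSWORD=constructed\n")
        os.chmod(good / ".env", 0o600)
        (good / "compose.yml").write_text("environment:\n  - GF_SECURITY_ADMIN_PASSWORD=${GF_SECURITY_ADMIN_PASSWORD}\n")
        (bad / ".env").write_text("MYSQL_PASSWORD=constructed\n")
        os.chmod(bad / ".env", 0o644)
        (bad / "compose.yml").write_text("environment:\n  MYSQL_PASSWORD: constructed-literal\n  TZ: UTC\n")
        return [(os.path.relpath(p, root), msg) for p, msg in audit(root)]

if __name__ == "__main__":
    for path, msg in demo():
        print(f"{path}: {msg}")
```

Run `audit("/opt/iron-legion")` on a node to check the real tree. A `${VAR:-default}` reference passes this check even though its default is a literal, so review those by hand.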