jarvis
484b2e6272
- Remove AdGuard Home from all service catalogs, deployment phases, persistence tables, and network architecture docs - Update Technitium notes: authoritative .ai.home zone, recursive resolver, DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking - Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout) - Add dns-topology.md: complete DNS architecture diagram, zone details, client assignments, Tailscale integration, troubleshooting table, migration history (AdGuard deployed → paused → removed)
3.1 KiB
3.1 KiB
Iron Legion Homelab Services Stack — Deployment Phases
Phase 1: Infrastructure (Critical Path)
Goal: Get DNS, proxy, and basic monitoring alive. Everything else depends on this.
| Order | Service | Target Node | Why First | Dependencies |
|---|---|---|---|---|
| 1 | Technitium DNS | MK7 | Name resolution for internal services | None |
| 2 | Technitium DNS | MK7 | Authoritative + recursive + ad-block | N/A — single service |
| 3 | Traefik | MK7 | Edge router for all HTTP ingress | DNS (needs *.labs.internal to resolve) |
| 4 | Authelia | MK7 | Auth layer before exposing any mgmt UI | Traefik (depends on ForwardAuth middleware) |
| 5 | Portainer | MK7 | Container management UI | Traefik + Authelia (for secured access) |
| 6 | Prometheus | MK7 | Metrics collection baseline | None (scrape targets added in Phase 2) |
| 7 | Beszel | MK7 | Fleet resource overview | None (agents installed per-node) |
| 8 | Dozzle | MK7 | Real-time log viewing | None |
Phase 1 milestone: All nodes report healthy in Beszel. Portainer accessible via auth portal. DNS resolves.
Phase 2: Media & File Collaboration
Goal: Self-hosted media acquisition and file sync.
| Order | Service | Target Node | Why Now | Dependencies |
|---|---|---|---|---|
| 9 | Jellyfin | MK7 | Media playback (GPU transcode if MK7 has dGPU) | None (file ingest later) |
| 10 | Sonarr | MK7 | TV management | Jellyfin (pushes organized files) |
| 11 | Radarr | MK7 | Movie management | Jellyfin (pushes organized files) |
| 12 | Prowlarr | MK7 | Indexer aggregation | Sonarr + Radarr (feeds them) |
| 13 | Nextcloud | MK7 | File sync/collaboration | PostgreSQL (on MK7) |
| 14 | Vaultwarden | MK7 | Password management | None (standalone) |
Phase 2 milestone: Media acquisition pipeline works end-to-end. Nextcloud syncs. Vaultwarden stores secrets.
Phase 3: Polish & Expansion
Goal: Dashboards, advanced monitoring, nice-to-haves.
| Order | Service | Target Node | Why Deferred | Dependencies |
|---|---|---|---|---|
| 15 | Grafana | MK7 | Dashboards need metrics to be interesting | Prometheus (needs data history) |
| 16 | Homepage | MK7 | Custom dashboard for everything | All Phase 1+2 services (needs endpoints) |
| – | Promtail + Loki | TBD | Centralized logging | Only if Dozzle is insufficient |
| – | Uptime-Kuma | TBD | External uptime monitoring | Only if Beszel alerting is insufficient |
Phase 3 milestone: Single-pane dashboard (Homepage) shows all services. Alerts route to Discord or email.
Deployment Cadence
- One service per session. No mass deployments. Validate each before proceeding.
- Rollback plan:
docker compose down+mv /opt/iron-legion/service{,-failed-$(date +%s)}. Snapshot taken before each compose up. - Bobby approval required before Phase 2 begins. Phase 1 success must be demonstrated.