- Remove AdGuard Home from all service catalogs, deployment phases, persistence tables, and network architecture docs
- Update Technitium notes: authoritative .ai.home zone, recursive resolver, DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking
- Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout)
- Add dns-topology.md: complete DNS architecture diagram, zone details, client assignments, Tailscale integration, troubleshooting table, migration history (AdGuard deployed → paused → removed)
54 lines
3.1 KiB
Markdown
# Iron Legion Homelab Services Stack — Deployment Phases

## Phase 1: Infrastructure (Critical Path)

**Goal:** Get DNS, proxy, and basic monitoring alive. Everything else depends on this.

| Order | Service | Target Node | Why First | Dependencies |
|-------|---------|-------------|-----------|--------------|
| 1 | **Technitium DNS** | MK7 | Name resolution for internal services | None |
| 2 | **Technitium DNS** | MK7 | Authoritative + recursive + ad-block | N/A — single service |
| – | ~~AdGuard Home~~ | – | ~~Removed~~ | ~~Technitium replaces AdGuard~~ |
| 3 | **Traefik** | MK7 | Edge router for all HTTP ingress | DNS (needs `*.labs.internal` to resolve) |
| 4 | **Authelia** | MK7 | Auth layer before exposing any mgmt UI | Traefik (depends on ForwardAuth middleware) |
| 5 | **Portainer** | MK7 | Container management UI | Traefik + Authelia (for secured access) |
| 6 | **Prometheus** | MK7 | Metrics collection baseline | None (scrape targets added in Phase 2) |
| 7 | **Beszel** | MK7 | Fleet resource overview | None (agents installed per-node) |
| 8 | **Dozzle** | MK7 | Real-time log viewing | None |

**Phase 1 milestone:** All nodes report healthy in Beszel. Portainer accessible via auth portal. DNS resolves.

---

## Phase 2: Media & File Collaboration

**Goal:** Self-hosted media acquisition and file sync.

| Order | Service | Target Node | Why Now | Dependencies |
|-------|---------|-------------|---------|--------------|
| 9 | **Jellyfin** | MK7 | Media playback (GPU transcode if MK7 has dGPU) | None (file ingest later) |
| 10 | **Sonarr** | MK7 | TV management | Jellyfin (pushes organized files) |
| 11 | **Radarr** | MK7 | Movie management | Jellyfin (pushes organized files) |
| 12 | **Prowlarr** | MK7 | Indexer aggregation | Sonarr + Radarr (feeds them) |
| 13 | **Nextcloud** | MK7 | File sync/collaboration | PostgreSQL (on MK7) |
| 14 | **Vaultwarden** | MK7 | Password management | None (standalone) |

**Phase 2 milestone:** Media acquisition pipeline works end-to-end. Nextcloud syncs. Vaultwarden stores secrets.

---

## Phase 3: Polish & Expansion

**Goal:** Dashboards, advanced monitoring, nice-to-haves.

| Order | Service | Target Node | Why Deferred | Dependencies |
|-------|---------|-------------|--------------|--------------|
| 15 | **Grafana** | MK7 | Dashboards need metrics to be interesting | Prometheus (needs data history) |
| 16 | **Homepage** | MK7 | Custom dashboard for everything | All Phase 1+2 services (needs endpoints) |
| – | **Promtail + Loki** | TBD | Centralized logging | Only if Dozzle is insufficient |
| – | **Uptime-Kuma** | TBD | External uptime monitoring | Only if Beszel alerting is insufficient |

**Phase 3 milestone:** Single-pane dashboard (Homepage) shows all services. Alerts route to Discord or email.

## Deployment Cadence

- **One service per session.** No mass deployments. Validate each before proceeding.
- **Rollback plan:** `docker compose down` + `mv /opt/iron-legion/service{,-failed-$(date +%s)}`. Snapshot taken before each compose up.
- **Bobby approval required before Phase 2 begins.** Phase 1 success must be demonstrated.
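The "one service per session, validate, roll back on failure" cadence above, written out as an added example script (not part of the Iron Legion repo). It assumes each service lives in `/opt/iron-legion/<service>` with its own compose file, that a "snapshot" is a tarball of the service directory (the page does not say how snapshots are taken), and that validation is a caller-supplied health-check command such as a `dig` against the new DNS container.

```bash
#!/usr/bin/env bash
# Added example: deploy one service with snapshot, validation and rollback.
# Not the project's own tooling; directory layout and snapshot format are
# assumptions (see lead-in). Base dir can be overridden for testing.
set -eu

# Name for a failed service dir: <dir>-failed-<unix ts>, matching the
# page's `mv service{,-failed-$(date +%s)}` rollback step.
failed_dir_name() {
  printf '%s-failed-%s' "$1" "${2:-$(date +%s)}"
}

# Snapshot the service directory (tarball beside it) before any compose up.
snapshot_service() {
  local dir="$1" ts="${2:-$(date +%s)}"
  tar -czf "${dir}-snapshot-${ts}.tgz" -C "$(dirname "$dir")" "$(basename "$dir")"
  printf '%s-snapshot-%s.tgz' "$dir" "$ts"
}

# Rollback: stop the stack, then move the directory aside with a timestamp
# suffix so the failed config is kept for inspection rather than deleted.
rollback_service() {
  local dir="$1" ts="${2:-$(date +%s)}"
  (cd "$dir" && docker compose down) || true
  mv "$dir" "$(failed_dir_name "$dir" "$ts")"
}

# deploy_service <name> <health-check command>
# Snapshot, compose up, run the check; on any failure roll back and return 1.
# The check is the "validate before proceeding" gate from the cadence rules.
deploy_service() {
  local name="$1" check="$2" ts
  local dir="${IRON_LEGION_BASE:-/opt/iron-legion}/$name"
  ts="$(date +%s)"
  snapshot_service "$dir" "$ts" >/dev/null
  if (cd "$dir" && docker compose up -d) && sh -c "$check"; then
    echo "deployed $name (snapshot ${dir}-snapshot-${ts}.tgz)"
    return 0
  fi
  echo "validation failed for $name, rolling back" >&2
  rollback_service "$dir" "$ts"
  return 1
}

# Usage: deploy_service technitium 'dig +short @10.0.0.5 mk7.labs.internal | grep -q .'
```

The health-check string is run with `sh -c`, so any command that exits non-zero (a failed `dig`, a `curl -f` against Traefik) triggers the rollback.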