documentation/05-network-architecture.md
jarvis a3fc718a34 fix(Chunk2): reconcile PRD with live fleet state
- AdGuard Home: Replicated(2) → Replicated(1) (single instance on MK7)
- Portainer: Manager Constraint → Replicated(1) (deployed as replicated, not manager-only)
- Beszel Agent: Global → Pending (not yet deployed across workers)
- DNS Resolution: Added status table — Technitium deployed but *.ai.home zone not yet authoritative
- Swarm service count: 16 → 15 active + 1 pending

All changes mirrored to split files and master PRD.
2026-05-27 12:03:06 -04:00


# Iron Legion Homelab Services Stack — Network Architecture

## Ingress Flow

[Internet] → [Tailscale mesh] → [MK7: Traefik] → [Target Node: Service Port]

## Traefik Role

- Single entrypoint. Every HTTP/HTTPS service routes through Traefik on MK7.
- Tailscale-native. Traefik binds to 0.0.0.0:80 and 0.0.0.0:443. No `tailscale serve`.
- Service discovery via Docker labels. Each compose service exposes labels that Traefik reads from the Docker socket on MK7.
- Docker socket access restricted. Traefik mounts a read-only Docker socket. No other service gets socket access.

## Internal Traffic Patterns

| Source | Destination | Protocol | Port | Notes |
|---|---|---|---|---|
| Traefik (MK7) | Any service | HTTP/HTTPS | Varies | Proxied via Tailscale IP |
| Beszel (MK7) | Any node | HTTP | Varies | Agent polls HTTP metrics endpoints (read-only) |
| Prometheus (MK7) | Any node | HTTP | 9100 (node-exporter) | Scrapes node and container metrics |
| Prowlarr (MK7) | Indexer sites | HTTPS | 443 | Outbound only |
| Sonarr/Radarr (MK7) | Prowlarr | HTTP | 9696 | Internal indexer lookup |
| Nextcloud (MK7) | PostgreSQL (MK7) | TCP | 5432 | DB traffic over Tailscale |

## DNS Resolution

| Component | Status | Detail |
|---|---|---|
| Technitium (MK7) | Deployed | Container running, port 53/5380 open |
| *.ai.home zone | Pending | Not yet configured as authoritative — Tailscale MagicDNS currently handles name resolution |
| AdGuard Home (MK7) | Active | Recursive resolver + blocklists on port 3000. Replaces Pi-hole. |

Planned Chain (not yet active):

Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) → Upstream (Cloudflare/Quad9)

Current Fallback: Tailscale MagicDNS provides *.ai.home resolution via Tailscale IP addresses. Technitium will assume authority once zone records are populated.

- AdGuard Home admin UI runs on port 3000.
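The planned chain above, modelled as an added example (this is not the lab's configuration and not part of the original document): each hop is a resolver that answers from its own authoritative zones, sinkholes blocklisted names, or forwards to the next hop. The record for `jellyfin.ai.home`, the Tailscale-style address `100.64.0.7`, the blocklist entry `ads.example.net` and the upstream answer `203.0.113.10` are all constructed placeholders.

```python
"""Model of the planned resolution chain:
Client -> Technitium (authoritative for ai.home) -> AdGuard Home (blocklist)
       -> Upstream (Cloudflare/Quad9).
All names, addresses and blocklist entries are constructed sample data."""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
SINKHOLE = "0.0.0.0"          # AdGuard-style answer for a blocked name


@dataclass
class Resolver:
    name: str
    zones: dict = field(default_factory=dict)    # zone apex -> {fqdn: ip}
    blocklist: frozenset = frozenset()            # apexes blocked with their subdomains
    answers: dict = field(default_factory=dict)  # flat table standing in for the public DNS
    forwarder: "Resolver | None" = None

    @staticmethod
    def _under(qname, apex):
        return qname == apex or qname.endswith("." + apex)

    def resolve(self, qname, trace):
        qname = qname.rstrip(".").lower()
        trace.append(self.name)
        # Authoritative zone: answer from records or NXDOMAIN. Never forwarded,
        # which is what makes "authoritative before populated" a broken state.
        for apex, records in self.zones.items():
            if self._under(qname, apex):
                return records.get(qname, NXDOMAIN)
        if any(self._under(qname, b) for b in self.blocklist):
            return SINKHOLE
        if qname in self.answers:
            return self.answers[qname]
        if self.forwarder is not None:
            return self.forwarder.resolve(qname, trace)
        return NXDOMAIN


# Constructed zone data: one lab record and one upstream answer (TEST-NET-3).
LAB_RECORDS = {"jellyfin.ai.home": "100.64.0.7"}
PUBLIC_ANSWERS = {"example.com": "203.0.113.10"}


def build_chain(technitium_authoritative):
    """Chain as planned (authoritative) or as it stands today (zone not yet held)."""
    upstream = Resolver("Upstream", answers=PUBLIC_ANSWERS)
    adguard = Resolver("AdGuard Home", blocklist=frozenset({"ads.example.net"}),
                       forwarder=upstream)
    zones = {"ai.home": LAB_RECORDS} if technitium_authoritative else {}
    return Resolver("Technitium", zones=zones, forwarder=adguard)


def query(chain, qname):
    """Return (answer, hop trace) for one lookup."""
    trace = []
    answer = chain.resolve(qname, trace)
    return answer, " -> ".join(trace)


if __name__ == "__main__":
    planned = build_chain(True)
    for name in ("jellyfin.ai.home", "missing.ai.home", "ads.example.net", "example.com"):
        print(name, "=>", query(planned, name))
    print("today:", query(build_chain(False), "jellyfin.ai.home"))
```

Two behaviours worth checking before Technitium is made authoritative: a name under `ai.home` that has no record gets NXDOMAIN from Technitium and is never forwarded, so any host still relying on MagicDNS for an unpopulated name stops resolving at cutover; and with the zone absent (today's state) the same query walks the whole chain and fails at the upstream, which is why MagicDNS has to sit in the client's resolver configuration, outside this chain, for now.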

## Port Allocation (Reserved)

| Port | Service |
|---|---|
| 53 | DNS (Technitium / Pi-hole) |
| 80/443 | HTTP/S (Traefik) |
| 3000 | Grafana |
| 9090 | Prometheus |
| 9000 | Portainer |
| 8096 | Jellyfin |
| 8989 | Sonarr |
| 7878 | Radarr |
| 9696 | Prowlarr |
| 8080 | Authelia (default) |
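An added check, not part of this document or the lab's repository, that applies two rules stated on this page to a stack definition: the Docker-socket rule from the Traefik section (only Traefik mounts the socket, and read-only) and the reserved port table above, including collisions between services pinned to the same node. The stack below is constructed sample data shaped like the output of `yaml.safe_load()` on a compose file; the node name `worker-1`, the placement constraints and the service definitions are assumptions for the example.

```python
"""Lint a compose/stack definition against this page's socket and port rules.
SAMPLE_STACK is constructed test data, not the lab's real stack file."""
from collections import defaultdict

DOCKER_SOCKET = "/var/run/docker.sock"
SOCKET_HOLDER = "traefik"   # the only service allowed to mount the socket

# Reserved ports, copied from the table above (service names lower-cased).
RESERVED = {53: "technitium", 80: "traefik", 443: "traefik", 3000: "grafana",
            9090: "prometheus", 9000: "portainer", 8096: "jellyfin",
            8989: "sonarr", 7878: "radarr", 9696: "prowlarr", 8080: "authelia"}


def _on(node):
    return {"deploy": {"placement": {"constraints": [f"node.hostname == {node}"]}}}


# Constructed sample; shape assumed to match yaml.safe_load() of a stack file.
SAMPLE_STACK = {"services": {
    "traefik":   {"ports": ["80:80", "443:443"],
                  "volumes": [f"{DOCKER_SOCKET}:{DOCKER_SOCKET}:ro"], **_on("MK7")},
    "portainer": {"ports": ["9000:9000"],
                  "volumes": [f"{DOCKER_SOCKET}:{DOCKER_SOCKET}"], **_on("MK7")},
    "grafana":   {"ports": ["3000:3000"], **_on("MK7")},
    "adguard":   {"ports": ["3000:3000"], **_on("MK7")},
    "sonarr":    {"ports": ["8989:8989"], **_on("worker-1")},
}}


def node_of(service):
    """Node a service is pinned to by a node.hostname constraint, else 'any'."""
    for c in service.get("deploy", {}).get("placement", {}).get("constraints", []):
        lhs, _, rhs = c.partition("==")
        if lhs.strip() == "node.hostname":
            return rhs.strip()
    return "any"


def host_port(spec):
    """(host_port, proto) from short syntax 'host:container[/proto]' or
    'ip:host:container[/proto]'; None when no host port is published.
    Port ranges are not handled."""
    spec, _, proto = str(spec).partition("/")
    parts = spec.split(":")
    if len(parts) < 2:
        return None
    return int(parts[-2]), proto or "tcp"


def socket_mounts(service):
    """Yield read_only flag for each bind of the Docker socket (short or long syntax)."""
    for vol in service.get("volumes", []):
        if isinstance(vol, dict):
            if vol.get("source") == DOCKER_SOCKET:
                yield bool(vol.get("read_only", False))
        elif str(vol).startswith(DOCKER_SOCKET + ":"):
            yield str(vol).endswith(":ro")


def audit_socket(stack):
    findings = []
    for name, svc in stack["services"].items():
        for read_only in socket_mounts(svc):
            if name != SOCKET_HOLDER:
                findings.append(f"{name}: mounts the Docker socket; only {SOCKET_HOLDER} may")
            if not read_only:
                findings.append(f"{name}: Docker socket mounted read-write")
    return findings


def audit_ports(stack):
    findings = []
    claims = defaultdict(list)   # (node, port, proto) -> services publishing it
    for name, svc in stack["services"].items():
        for spec in svc.get("ports", []):
            parsed = host_port(spec)
            if parsed is None:
                continue
            port, proto = parsed
            claims[(node_of(svc), port, proto)].append(name)
            owner = RESERVED.get(port)
            if owner is None:
                findings.append(f"{name}: publishes {port}/{proto}, not in the reserved table")
            elif owner != name:
                findings.append(f"{name}: publishes {port}/{proto}, reserved for {owner}")
    for (node, port, proto), names in claims.items():
        if len(names) > 1:
            findings.append(f"{node}: {port}/{proto} claimed by {', '.join(sorted(names))}")
    return findings


def audit(stack):
    """All findings, sorted so output is stable for diffing in CI."""
    return sorted(audit_socket(stack) + audit_ports(stack))


if __name__ == "__main__":
    for line in audit(SAMPLE_STACK):
        print(line)
```

Run against the sample it reports the two conditions this page itself describes: a second service holding the socket (read-write, at that), and port 3000 claimed on MK7 by both Grafana, which owns it in the table, and the AdGuard Home admin UI. Collisions are keyed per node because a published port only conflicts with another on the same host; a service with no hostname constraint lands in the `any` bucket and should be reviewed by hand.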

## TLS Strategy

- Internal: Traefik generates self-signed certs for *.labs.internal. Authelia can enforce client certificates if needed.
- External: Not applicable per the no-Tailscale-funnel constraint. If Bobby later wants public access, Let's Encrypt via DNS challenge (Technitium controls the zone).