documentation/05-network-architecture.md
jarvis f18b978602 fix(Chunk4): purge all Pi-hole references from split files
- 08-deployment-phases: Pi-hole → AdGuard Home in Phase 1 order
- 09-open-questions: blocker replaced, decision marked resolved
- 10-appendix: removed from DockerHub table, count 16→15, dir pihole/→adguard/
- 05-network-architecture: port allocation DNS label updated
- All mirrored to master PRD
2026-05-27 13:10:35 -04:00

# Iron Legion Homelab Services Stack — Network Architecture
## Ingress Flow
```
[Internet] → [Tailscale mesh] → [MK7: Traefik] → [Target Node: Service Port]
```
## Traefik Role
- **Single entrypoint.** Every HTTP/HTTPS service routes through Traefik on MK7.
- **Tailscale-native.** Traefik binds to `0.0.0.0:80` and `0.0.0.0:443`. No `tailscale serve`.
- **Service discovery via Docker labels.** Each compose service exposes labels that Traefik reads from the Docker socket on MK7.
- **Docker socket access restricted.** Traefik mounts a read-only Docker socket. No other service gets socket access.
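An added Compose fragment (not from this repository) showing the Traefik choices above on MK7: the `0.0.0.0` binds for 80/443, the read-only socket mount, opt-in label discovery, and the self-signed TLS from the TLS Strategy section. The hostname `jellyfin.labs.internal`, the image tags and the `websecure` entrypoint name are assumptions; Jellyfin's port 8096 is from the port table.

```yaml
# Added example, not the project's own compose file.
# Assumed names: router/entrypoint names, image tags, jellyfin.labs.internal.
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      # Only containers that set traefik.enable=true are routed (least exposure).
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Send plain HTTP to HTTPS at the entrypoint.
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
    ports:
      # Bound on all interfaces, as the page states; no `tailscale serve`.
      - "0.0.0.0:80:80"
      - "0.0.0.0:443:443"
    volumes:
      # Read-only bind mount of the Docker socket; no other service mounts it.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  jellyfin:
    image: jellyfin/jellyfin
    # No host port published: Traefik is the only way in.
    labels:
      - traefik.enable=true
      - traefik.http.routers.jellyfin.rule=Host(`jellyfin.labs.internal`)
      - traefik.http.routers.jellyfin.entrypoints=websecure
      # tls=true with no certresolver uses Traefik's generated self-signed cert.
      - traefik.http.routers.jellyfin.tls=true
      - traefik.http.services.jellyfin.loadbalancer.server.port=8096
```

Note that the `:ro` suffix only makes the socket file read-only; the Docker API behind it still accepts every call, so the "no other service gets socket access" rule is what actually limits exposure.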
## Internal Traffic Patterns
| Source | Destination | Protocol | Port | Notes |
|--------|-------------|----------|------|-------|
| Traefik (MK7) | Any service | HTTP/HTTPS | Varies | Proxied via Tailscale IP |
| Beszel (MK7) | Any node | HTTP | Varies | Agent polls HTTP metrics endpoints (read-only) |
| Prometheus (MK7) | Any node | HTTP | 9100 (node-exporter) | Scrapes node and container metrics |
| Prowlarr (MK7) | Indexer sites | HTTPS | 443 | Outbound only |
| Sonarr/Radarr (MK7) | Prowlarr | HTTP | 9696 | Internal indexer lookup |
| Nextcloud (MK7) | PostgreSQL (MK7) | TCP | 5432 | DB traffic over Tailscale |
## DNS Resolution
| Component | Status | Detail |
|-----------|--------|--------|
| **Technitium (MK7)** | ✅ Deployed | Container running, ports 53 and 5380 open |
| **`*.ai.home` zone** | ⏳ Pending | Not yet configured as authoritative — Tailscale MagicDNS currently handles name resolution |
| **AdGuard Home (MK7)** | ✅ Active | Recursive resolver + blocklists on port 3000. Replaces Pi-hole. |
**Planned Chain (not yet active):**
```
Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) → Upstream (Cloudflare/Quad9)
```
**Current Fallback:** Tailscale MagicDNS provides `*.ai.home` resolution via Tailscale IP addresses. Technitium will assume authority once zone records are populated.
- **AdGuard Home admin UI** runs on port 3000.
## Port Allocation (Reserved)
| Port | Service |
|------|---------|
| 53 | DNS (Technitium / AdGuard) |
| 80/443 | HTTP/S (Traefik) |
| 3000 | Grafana |
| 9090 | Prometheus |
| 9000 | Portainer |
| 8096 | Jellyfin |
| 8989 | Sonarr |
| 7878 | Radarr |
| 9696 | Prowlarr |
| 8080 | Authelia (default) |
## TLS Strategy
- **Internal:** Traefik generates self-signed certs for `*.labs.internal`. Authelia can enforce client certificates if needed.
- **External:** Not applicable under the no-Tailscale-Funnel constraint. If Bobby later wants public access, use Let's Encrypt via the DNS challenge (Technitium controls the zone).