documentation/swarm.md

Iron Legion Docker Swarm — Fleet Reference

Cluster Topology

Node	Hostname	Role	Tailscale	LAN IP
MK7	mark-vii.ai.home	Manager (Leader)	100.66.70.51	192.168.7.7
MK33	mk-33	Worker	—	192.168.0.190
MK34	mk-34	Worker	—	192.168.0.123
MK39	mk-39	Worker	—	192.168.0.106
MK42	mk-42	Worker	—	192.168.0.196

Worker join token:

SWMTKN-1-01759qgxz7d4x0bl32shlyjed540fgqjhggx0nyrw04d3zt017-blujv5tley9ukl8ke60dvz0ec

Service Catalog

All services deployed on MK7 manager via docker stack deploy.

Stack	Service	Mode	Replicas	Published Ports	Traefik Host
traefik	Traefik v3	global	1/1	80, 8080 (dashboard)	—
node-exporter	Node Exporter	global	5/5	—	—
beszel	Beszel Hub	replicated	1/1	—	beszel.ai.home
homepage	Homepage Dashboard	replicated	1/1	—	dashboard.ai.home
dozzle	Dozzle Logs	replicated	1/1	—	dozzle.ai.home
portainer	Portainer CE	replicated	1/1	9000	portainer.ai.home
prometheus	Prometheus	replicated	1/1	9090	prom.ai.home
technitium	Technitium DNS	replicated	1/1	53/tcp, 53/udp, 5380	dns.ai.home
adguard	AdGuard Home	removed	—	—	adguard.ai.home
authelia	Authelia	deferred	—	—	auth.ai.home

Note: Authelia deferred until local TLS is available (requires https://auth.ai.home).

Network Architecture

Network	Driver	Scope	Attachable	Note
traefik-public	overlay	swarm	✅	Attachable overlay for all web-facing services
ingress	overlay	swarm	—	Built-in swarm ingress
node-exporter_default	overlay	swarm	—	Created by node-exporter stack deploy

Directory Structure (MK7)

/opt/iron-legion/docker-swarm/
├── deploy.sh                  # Master deployment script
├── traefik/compose.yml
├── node-exporter/compose.yml
├── technitium/compose.yml
├── technitium/prometheus.yml  # Prometheus scrape targets
├── adguard/compose.yml
├── prometheus/compose.yml
├── beszel/compose.yml
├── portainer/compose.yml
├── dozzle/compose.yml
├── homepage/compose.yml
├── homepage/config/settings.yaml
└── authelia/
    ├── compose.yml            # Deferred — needs TLS
    ├── config/
    │   ├── configuration.yml
    │   └── users_database.yml

Synced to all workers (/opt/iron-legion/docker-swarm) for failover redundancy. Workers do not execute docker stack deploy — only MK7 manager orchestrates services.

Deploy / Re-Deploy

On MK7:

cd /opt/iron-legion/docker-swarm
./deploy.sh

Or single stack:

cd /opt/iron-legion/docker-swarm
docker stack deploy -c traefik/compose.yml traefik

Worker Join (if node rebuilt)

# On worker node
docker swarm join --token SWMTKN-1-01759qgxz7d4x0bl32shlyjed540fgqjhggx0nyrw04d3zt017-blujv5tley9ukl8ke60dvz0ec 192.168.7.7:2377

Ensure worker has /opt/iron-legion/docker-swarm/ synced for config parity.

Known Issues / Decisions

Item	Status	Detail
systemd-resolved	Disabled on MK7	Port 53 freed for Technitium
Standalone Portainer	Removed	Data backed up to /tmp/portainer-data-backup-20260526-000125.tar.gz on MK7
Authelia	Deferred	Requires TLS (https://auth.ai.home)
Beszel Agents	Pending	Global agent stack to be added across all workers
DNS resolution	Pending	*.ai.home requires Technitium configured as LAN resolver

External Services (NOT in Swarm)

Service	Node	URL	Note
Nextcloud AIO	Neo (100.99.123.16)	https://nextcloud.ai.home	Production, unmanaged
Vaultwarden	Neo (100.99.123.16)	https://vault.ai.home	Production, unmanaged

---

Last updated: 2026-05-26 Gitea repo: Iron-Legion/documentation — push this file there