Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4cff1b5e48769474ebbbd5cfabf5db664f258085
documentation/05-network-architecture.md
jarvis 4cff1b5e48 Initial: Iron Legion Homelab Services Stack PRD 
Verifies 16 DockerHub images, assigns target nodes per locked policy,
defines 3-phase deployment order (Infra → Media → Polish).

Domain: *.ai.home
No public internet exposure.
Services: Traefik, Technitium DNS, AdGuard Home, Prometheus, Grafana,
Beszel, Dozzle, Portainer, Homepage, Authelia, Vaultwarden, Jellyfin,
Sonarr, Radarr, Prowlarr, Nextcloud
2026-05-25 17:25:40 -04:00

48 lines
2.3 KiB
Markdown
Raw Blame History

# Iron Legion Homelab Services Stack — Network Architecture
## Ingress Flow
```
[Internet] → [Tailscale mesh] → [Mark5: Traefik] → [Target Node: Service Port]
```
## Traefik Role
- **Single entrypoint.** Every HTTP/HTTPS service routes through Traefik on Mark5.
- **Tailscale-native.** Traefik binds to `0.0.0.0:80` and `0.0.0.0:443`. No `tailscale serve`.
- **Service discovery via Docker labels.** Each compose service exposes labels that Traefik reads from the Docker socket on Mark5.
- **Docker socket access restricted.** Traefik mounts a read-only Docker socket. No other service gets socket access.
## Internal Traffic Patterns
| Source | Destination | Protocol | Port | Notes |
|--------|-------------|----------|------|-------|
| Traefik (Mark5) | Any service | HTTP/HTTPS | Varies | Proxied via Tailscale IP |
| Beszel (Mark44) | Any node | HTTP | Varies | Agent polls HTTP metrics endpoints (read-only) |
| Prometheus (Mark44) | Any node | HTTP | 9100 (node-exporter) | Scrapes node and container metrics |
| Prowlarr (Mark44) | Indexer sites | HTTPS | 443 | Outbound only |
| Sonarr/Radarr (Mark44) | Prowlarr | HTTP | 9696 | Internal indexer lookup |
| Nextcloud (Neo) | PostgreSQL (Bones) | TCP | 5432 | DB traffic over Tailscale |
## DNS Resolution
- **Technitium (Bones)** is the authoritative internal DNS for `*.ai.home`.
- **AdGuard Home (Bones)** handles recursive resolution with ad-block lists. Replaces Pi-hole.
- **Chain:** Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) → Upstream (Cloudflare/Quad9)
- **Tailscale MagicDNS** remains enabled as fallback. If Technitium fails, clients fall back to `100.x.x.x` direct resolution.
- **AdGuard Home admin UI** runs on port 3000 by default (separate from Grafana if co-located).
## Port Allocation (Reserved)
| Port | Service |
|------|---------|
| 53 | DNS (Technitium / Pi-hole) |
| 80/443 | HTTP/S (Traefik) |
| 3000 | Grafana |
| 9090 | Prometheus |
| 9000 | Portainer |
| 8096 | Jellyfin |
| 8989 | Sonarr |
| 7878 | Radarr |
| 9696 | Prowlarr |
| 8080 | Authelia (default) |
## TLS Strategy
- **Internal:** Traefik generates self-signed certs for `*.labs.internal`. Authelia can enforce client-cert if needed.
- **External:** Not applicable per no-Tailscale-funnel constraint. If Bobby later wants public access, Let's Encrypt via DNS challenge (Technitium controls the zone).
Reference in New Issue View Git Blame Copy Permalink