documentation/03-constraints.md
jarvis 484b2e6272 DNS topology: AdGuard removed, Technitium authoritative + DoT + ad blocking
- Remove AdGuard Home from all service catalogs, deployment phases,
  persistence tables, and network architecture docs
- Update Technitium notes: authoritative .ai.home zone, recursive resolver,
  DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking
- Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout)
- Add dns-topology.md: complete DNS architecture diagram, zone details,
  client assignments, Tailscale integration, troubleshooting table,
  migration history (AdGuard deployed → paused → removed)
2026-05-29 21:01:24 -04:00


Iron Legion Homelab Services Stack — Constraints

Hard Constraints (Non-Negotiable)

  1. Bare metal over abstraction. Direct deployments preferred. Compose files are acceptable as orchestration glue, but no Docker Swarm mode, no Kubernetes, no abstraction layers Bobby cannot ssh into and debug.
  2. No nginx. Traefik is the sole edge router. No nginx reverse proxies, no nginx sidecars.
  3. No Tailscale serve/funnel. Services bind to 0.0.0.0 on their assigned node and are reachable via Tailscale mesh IP + port. No tailscale serve, no tailscale funnel.
  4. Node assignments locked. Services do not migrate between nodes without Bobby's explicit written direction.
  5. Patch upstream source when loopback/bind restrictions block direct deployment. Do not re-architect around the constraint.

Node Assignment Policy (as of 2026-05-25)

The G9 Swarm Cluster is the ONLY deployment target. Mark5, Bones, Neo, and Mark44 are NOT part of this homelab services stack.

| Node | Role | Services Assigned |
|------|------|-------------------|
| MK7 (mark-vii.ai.home) | Swarm Manager | ALL Phase 1 infrastructure: Traefik, Technitium DNS, Portainer, Prometheus, Beszel, Dozzle, Authelia, Homepage |
| MK33, MK34, MK39, MK42 | Swarm Workers | Phase 2 media stack (Jellyfin, Sonarr, Radarr, Prowlarr), distributed workloads, Vaultwarden, Nextcloud |
| Artemis | AI Foreman / JARVIS | Hermes Agent, Ansible-pull control plane — NOT a service host |

Soft Constraints (Bobby Approval Required to Override)

  • Data residency: All persistent volumes live on-node. No NFS, no Ceph, no distributed storage unless explicitly approved.
  • Secret management: No plain-text secrets in compose files. Use .env files with file mode 0600, or Vaultwarden if a secret store is needed.
  • Backup cadence: Every service with persistent state must have a documented backup target. Default: daily rsync to MK7 secondary storage.
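A pre-deployment check for the two secret-management rules above (no plain-text secrets in compose files; .env files at mode 0600), added here as an example and not part of the Iron Legion repo. It assumes compose files are named compose.yml, compose.yaml, docker-compose.yml or docker-compose.yaml, that secret-bearing variables have PASSWORD, SECRET, TOKEN or API_KEY in their names, and it builds its own constructed sample stack to run against; all of those are assumptions, not project conventions.

```shell
#!/bin/sh
# Added example (not Iron Legion code): preflight checks for the secret-management
# soft constraint. File names and variable-name patterns are assumptions.
set -u

# Every .env file under $1 must be exactly mode 0600. Returns 1 and lists offenders otherwise.
check_env_perms() {
    bad=$(find "$1" -type f \( -name '.env' -o -name '*.env' \) ! -perm 600 -print)
    if [ -n "$bad" ]; then
        printf 'BAD PERMS (expected 0600):\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Flag secret-looking variables given a literal value inside a compose file.
# A value starting with $ (e.g. ${DB_PASS}) is a reference to .env or the shell, so it passes.
check_compose_secrets() {
    bad=$(find "$1" -type f \( -name 'compose.yml' -o -name 'compose.yaml' \
            -o -name 'docker-compose.yml' -o -name 'docker-compose.yaml' \) \
          -exec grep -HnE '(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*[=:][[:space:]]*"?[^"$[:space:]]' {} + || true)
    if [ -n "$bad" ]; then
        printf 'PLAIN-TEXT SECRET IN COMPOSE FILE:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample stack: one service that breaks both rules, one that follows them.
make_sample_stack() {
    d=$(mktemp -d)
    mkdir -p "$d/bad" "$d/good"
    cat > "$d/bad/compose.yml" <<'EOF'
services:
  db:
    image: postgres:16
    environment:
      - POSTGRES_PASSWORD=hunter2
EOF
    printf 'POSTGRES_PASSWORD=hunter2\n' > "$d/bad/.env"
    chmod 0644 "$d/bad/.env"
    cat > "$d/good/compose.yml" <<'EOF'
services:
  db:
    image: postgres:16
    env_file:
      - .env
    environment:
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
EOF
    printf 'POSTGRES_PASSWORD=replace-me\n' > "$d/good/.env"
    chmod 0600 "$d/good/.env"
    echo "$d"
}

# Run both checks over a stack directory; exit status is the combined verdict.
preflight() {
    rc=0
    check_env_perms "$1" || rc=1
    check_compose_secrets "$1" || rc=1
    return $rc
}

if [ "${1:-}" = "--demo" ]; then
    stack=$(make_sample_stack)
    echo "== good stack =="; preflight "$stack/good" && echo "OK"
    echo "== bad stack ==";  preflight "$stack/bad"  || echo "FAILED (expected)"
    rm -rf "$stack"
fi
```

Run `sh check-secrets.sh --demo` to see both verdicts, or call `preflight /path/to/stack` from a deploy script and stop before `docker compose up` when it returns non-zero. The exact-mode test (`! -perm 600`) is deliberate: a group-readable .env is as much a violation as a world-readable one.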

Environment Assumptions

  • All nodes run Debian Trixie or compatible.
  • Docker Engine (not Docker Desktop) is installed on all target nodes.
  • Tailscale is up and meshed. All inter-node traffic is over Tailscale IPs.
  • docker compose plugin (v2) available, not legacy docker-compose standalone.