Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9372e0fe69c5fe9d4675b8b07738ef7c612aead8
documentation/05-network-architecture.md
jarvis 484b2e6272 DNS topology: AdGuard removed, Technitium authoritative + DoT + ad blocking 
- Remove AdGuard Home from all service catalogs, deployment phases,
  persistence tables, and network architecture docs
- Update Technitium notes: authoritative .ai.home zone, recursive resolver,
  DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking
- Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout)
- Add dns-topology.md: complete DNS architecture diagram, zone details,
  client assignments, Tailscale integration, troubleshooting table,
  migration history (AdGuard deployed → paused → removed)
2026-05-29 21:01:24 -04:00

2.7 KiB
Raw Blame History

Iron Legion Homelab Services Stack — Network Architecture

Ingress Flow

[Internet] → [Tailscale mesh] → [MK7: Traefik] → [Target Node: Service Port]

Traefik Role

  • Single entrypoint. Every HTTP/HTTPS service routes through Traefik on MK7.
  • Tailscale-native. Traefik binds to 0.0.0.0:80 and 0.0.0.0:443. No tailscale serve.
  • Service discovery via Docker labels. Each compose service exposes labels that Traefik reads from the Docker socket on MK7.
  • Docker socket access restricted. Traefik mounts a read-only Docker socket. No other service gets socket access.

Internal Traffic Patterns

Source Destination Protocol Port Notes
Traefik (MK7) Any service HTTP/HTTPS Varies Proxied via Tailscale IP
Beszel (MK7) Any node HTTP Varies Agent polls HTTP metrics endpoints (read-only)
Prometheus (MK7) Any node HTTP 9100 (node-exporter) Scrapes node and container metrics
Prowlarr (MK7) Indexer sites HTTPS 443 Outbound only
Sonarr/Radarr (MK7) Prowlarr HTTP 9696 Internal indexer lookup
Nextcloud (MK7) PostgreSQL (MK7) TCP 5432 DB traffic over Tailscale

DNS Resolution

Component Status Detail
Technitium (MK7) Deployed Container running, port 53/5380 open
*.ai.home zone Pending Not yet configured as authoritative — Tailscale MagicDNS currently handles name resolution
Technitium DNS (MK7) Active Authoritative .ai.home + recursive resolver + ad blocking on port 53.
AdGuard Home Removed Technitium built-in ad blocking replaces AdGuard

Planned Chain (not yet active):

Client → Technitium (local record?) → AdGuard Home (recursive + blocklist) → Upstream (Cloudflare/Quad9)

Current Fallback: Tailscale MagicDNS provides *.ai.home resolution via Tailscale IP addresses. Technitium will assume authority once zone records are populated.

  • AdGuard Home admin UI runs on port 3000.

Port Allocation (Reserved)

Port Service
53 DNS (Technitium / AdGuard)
80/443 HTTP/S (Traefik)
3000 Grafana
9090 Prometheus
9000 Portainer
8096 Jellyfin
8989 Sonarr
7878 Radarr
9696 Prowlarr
8080 Authelia (default)

TLS Strategy

  • Internal: Traefik generates self-signed certs for *.labs.internal. Authelia can enforce client-cert if needed.
  • External: Not applicable per no-Tailscale-funnel constraint. If Bobby later wants public access, Let's Encrypt via DNS challenge (Technitium controls the zone).
Reference in New Issue View Git Blame Copy Permalink