Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fae739f3fa33e775247ab8c5c0355fb4e09110af
documentation/03-constraints.md
jarvis fea42f892b Remove Mark5/Bones/Neo/Mark44 — G9 Swarm Cluster is the ONLY deployment target 
All services reassigned to MK7 (Swarm Manager) or swarm-distributed.
Per Bobby: Mark5, Bones, Neo, Mark44 are NOT part of this homelab services stack.

Phase 1 infra (Traefik, DNS, AdGuard, Portainer, Prometheus, Beszel, Dozzle, Authelia, Homepage) → MK7
Phase 2 media (Jellyfin, Sonarr, Radarr, Prowlarr) → Swarm distributed
Phase 3 dashboards (Grafana, Homepage) → Swarm distributed

Also updates:
- Backup target: MK7 secondary storage (was Bones)
- Network/DNS/Security model: all refs to Bones/Neo/Mark5/Mark44 corrected
2026-05-25 18:24:22 -04:00

2.2 KiB
Raw Blame History

Iron Legion Homelab Services Stack — Constraints

Hard Constraints (Non-Negotiable)

  1. Bare metal over abstraction. Direct deployments preferred. Compose files are acceptable as orchestration glue, but no Docker Swarm mode, no Kubernetes, no abstraction layers Bobby cannot ssh into and debug.
  2. No nginx. Traefik is the sole edge router. No nginx reverse proxies, no nginx sidecars.
  3. No Tailscale serve/funnel. Services bind to 0.0.0.0 on their assigned node and are reachable via Tailscale mesh IP + port. No tailscale serve, no tailscale funnel.
  4. Node assignments locked. Services do not migrate between nodes without Bobby's explicit written direction.
  5. Patch upstream source when loopback/bind restrictions block direct deployment. Do not re-architect around the constraint.

Node Assignment Policy (as of 2026-05-25)

The G9 Swarm Cluster is the ONLY deployment target. Mark5, Bones, Neo, and Mark44 are NOT part of this homelab services stack.

Node Role Services Assigned
MK7 (mark-vii.ai.home) Swarm Manager ALL Phase 1 infrastructure: Traefik, Technitium DNS, AdGuard Home, Portainer, Prometheus, Beszel, Dozzle, Authelia, Homepage
MK33, MK34, MK39, MK42 Swarm Workers Phase 2 media stack (Jellyfin, Sonarr, Radarr, Prowlarr), distributed workloads, Vaultwarden, Nextcloud
Artemis AI Foreman / JARVIS Hermes Agent, Ansible-pull control plane — NOT a service host

Soft Constraints (Bobby Approval Required to Override)

  • Data residency: All persistent volumes live on-node. No NFS, no Ceph, no distributed storage unless explicitly approved.
  • Secret management: No plain-text secrets in compose files. Use .env files with file: mode 0600, or Vaultwarden if a secret store is needed.
  • Backup cadence: Every service with persistent state must have a documented backup target. Default: daily rsync to MK7 secondary storage.

Environment Assumptions

  • All nodes run Debian Trixie or compatible.
  • Docker Engine (not Docker Desktop) is installed on all target nodes.
  • Tailscale is up and meshed. All inter-node traffic is over Tailscale IPs.
  • docker compose plugin (v2) available, not legacy docker-compose standalone.
Reference in New Issue View Git Blame Copy Permalink