documentation/05-network-architecture.md
jarvis fea42f892b Remove Mark5/Bones/Neo/Mark44 — G9 Swarm Cluster is the ONLY deployment target
All services reassigned to MK7 (Swarm Manager) or swarm-distributed.
Per Bobby: Mark5, Bones, Neo, Mark44 are NOT part of this homelab services stack.

Phase 1 infra (Traefik, DNS, AdGuard, Portainer, Prometheus, Beszel, Dozzle, Authelia, Homepage) → MK7
Phase 2 media (Jellyfin, Sonarr, Radarr, Prowlarr) → Swarm distributed
Phase 3 dashboards (Grafana, Homepage) → Swarm distributed

Also updates:
- Backup target: MK7 secondary storage (was Bones)
- Network/DNS/Security model: all refs to Bones/Neo/Mark5/Mark44 corrected
2026-05-25 18:24:22 -04:00


Iron Legion Homelab Services Stack — Network Architecture

Ingress Flow

[Internet] → [Tailscale mesh] → [MK7: Traefik] → [Target Node: Service Port]

Traefik Role

  • Single entrypoint. Every HTTP/HTTPS service routes through Traefik on MK7.
  • Tailscale-native. Traefik binds to 0.0.0.0:80 and 0.0.0.0:443. No tailscale serve.
  • Service discovery via Docker labels. Each compose service exposes labels that Traefik reads from the Docker socket on MK7.
  • Docker socket access restricted. Traefik mounts a read-only Docker socket. No other service gets socket access.
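The socket restriction above is easy to regress when a new compose file lands, so here is an added audit script (not code from the Iron Legion repository) that reads `docker inspect` output from MK7 and flags every container holding the Docker socket. It assumes the only permitted holder is a container named `traefik`; the `SAMPLE` JSON below is constructed in the shape of real `docker inspect` output. One caveat worth knowing: `:ro` on the socket bind mount only makes the socket file read-only at the filesystem level, it does not restrict Docker API calls made over it, so the allow-list of holders is the control that matters and the mode check is secondary.

```python
"""Audit Docker socket mounts from `docker inspect` output (added example, not repo code).

Usage on MK7:  docker inspect $(docker ps -q) | python3 socket_audit.py
"""
import json
import sys

DOCKER_SOCK = "/var/run/docker.sock"
# Assumption: Traefik is the only service permitted to mount the socket.
ALLOWED_SOCKET_HOLDERS = {"traefik"}

# Constructed sample with the fields `docker inspect` actually emits (others trimmed).
SAMPLE = json.dumps([
    {"Name": "/traefik", "Mounts": [
        {"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK, "RW": False}]},
    {"Name": "/example-app", "Mounts": [          # hypothetical offender
        {"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK, "RW": True}]},
    {"Name": "/jellyfin", "Mounts": [
        {"Type": "volume", "Source": "media", "Destination": "/media", "RW": False}]},
])

# Constructed sample where Traefik itself was given the socket read-write.
SAMPLE_RW_TRAEFIK = json.dumps([
    {"Name": "/traefik", "Mounts": [
        {"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK, "RW": True}]},
])


def socket_findings(inspect_json: str):
    """Return (container, finding) tuples for every Docker socket mount that breaks policy."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")          # inspect prefixes names with '/'
        for mount in container.get("Mounts", []):
            if mount.get("Source") != DOCKER_SOCK:
                continue
            if name not in ALLOWED_SOCKET_HOLDERS:
                # Any unlisted holder is a finding regardless of ro/rw: the API is
                # fully usable over a read-only mounted socket.
                findings.append((name, "unexpected docker socket mount"))
            elif mount.get("RW", True):
                findings.append((name, "socket mounted read-write; expected :ro"))
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, finding in socket_findings(data):
        print(f"{name}: {finding}")
```

Run it without input and it audits the constructed sample; piped `docker inspect` output is audited instead. A non-empty result is a policy violation, not merely a warning, since every socket holder can start arbitrary containers on the host.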

Internal Traffic Patterns

| Source | Destination | Protocol | Port | Notes |
|---|---|---|---|---|
| Traefik (MK7) | Any service | HTTP/HTTPS | Varies | Proxied via Tailscale IP |
| Beszel (MK7) | Any node | HTTP | Varies | Agent polls HTTP metrics endpoints (read-only) |
| Prometheus (MK7) | Any node | HTTP | 9100 (node-exporter) | Scrapes node and container metrics |
| Prowlarr (MK7) | Indexer sites | HTTPS | 443 | Outbound only |
| Sonarr/Radarr (MK7) | Prowlarr | HTTP | 9696 | Internal indexer lookup |
| Nextcloud (MK7) | PostgreSQL (MK7) | TCP | 5432 | DB traffic over Tailscale |

DNS Resolution

  • Technitium (MK7) is the authoritative internal DNS for *.ai.home.
  • AdGuard Home (MK7) handles recursive resolution with ad-block lists. Replaces Pi-hole.
  • Chain: Client → Technitium (answers from its local zone, otherwise forwards) → AdGuard Home (recursive + blocklist) → Upstream (Cloudflare/Quad9)
  • Tailscale MagicDNS remains enabled as fallback. If Technitium fails, clients fall back to MagicDNS, which resolves tailnet hostnames directly to their 100.x.x.x addresses.
  • AdGuard Home admin UI runs on port 3000 by default (separate from Grafana if co-located).

Port Allocation (Reserved)

| Port | Service |
|---|---|
| 53 | DNS (Technitium / Pi-hole) |
| 80/443 | HTTP/S (Traefik) |
| 3000 | Grafana |
| 9090 | Prometheus |
| 9000 | Portainer |
| 8096 | Jellyfin |
| 8989 | Sonarr |
| 7878 | Radarr |
| 9696 | Prowlarr |
| 8080 | Authelia (default) |
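The reserved-port table and the internal traffic table above are maintained by hand, so they drift: AdGuard Home's admin UI (port 3000, from the DNS section) is not in the reserved list but collides with Grafana if the two are ever co-located, and the traffic table uses 9100 (node-exporter) and 5432 (PostgreSQL) that the reserved list never mentions. The following added script (not code from the repository) encodes both tables and reports those two classes of problem. The host column is an assumption taken from the commit message (Phase 1 on MK7, media and dashboards swarm-distributed); adjust it to match real placement.

```python
"""Cross-check reserved ports against documented flows (added example, not repo code)."""
from collections import defaultdict

# (port, service, host). Host placement is an assumption based on the commit message.
RESERVED = [
    (53, "DNS (Technitium)", "MK7"),
    (80, "Traefik", "MK7"),
    (443, "Traefik", "MK7"),
    (3000, "Grafana", "swarm"),
    (3000, "AdGuard Home admin UI", "MK7"),   # from the DNS section, absent from the table
    (9090, "Prometheus", "MK7"),
    (9000, "Portainer", "MK7"),
    (8096, "Jellyfin", "swarm"),
    (8989, "Sonarr", "swarm"),
    (7878, "Radarr", "swarm"),
    (9696, "Prowlarr", "swarm"),
    (8080, "Authelia", "MK7"),
]

# Rows of the internal traffic table that name a fixed destination port.
FLOWS = [
    ("Prometheus", "node-exporter", 9100),
    ("Sonarr/Radarr", "Prowlarr", 9696),
    ("Nextcloud", "PostgreSQL", 5432),
]


def port_conflicts(reserved=RESERVED):
    """Ports reserved more than once on the same host; those services cannot both bind."""
    by_host_port = defaultdict(list)
    for port, service, host in reserved:
        by_host_port[(host, port)].append(service)
    return {key: services for key, services in by_host_port.items() if len(services) > 1}


def unreserved_flow_ports(reserved=RESERVED, flows=FLOWS):
    """Destination ports the traffic table relies on that the reserved list does not cover."""
    known = {port for port, _, _ in reserved}
    return sorted({(dst, port) for _, dst, port in flows if port not in known})


if __name__ == "__main__":
    for (host, port), services in port_conflicts().items():
        print(f"conflict on {host}:{port}: {', '.join(services)}")
    for dst, port in unreserved_flow_ports():
        print(f"unreserved port {port} used by flow to {dst}")
```

With Grafana on the swarm there is no conflict; moving it to MK7 in `RESERVED` makes the 3000 collision with AdGuard Home show up immediately, and the two unreserved ports are reported either way so they can be added to the table (or to a firewall allow-list) deliberately rather than discovered at deploy time.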

TLS Strategy

  • Internal: Traefik generates self-signed certs for *.labs.internal. Authelia can enforce client certificates if needed.
  • External: Not applicable per no-Tailscale-funnel constraint. If Bobby later wants public access, Let's Encrypt via DNS challenge (Technitium controls the zone).