## ✅ **Point 1 – Control Plane (“Watchtower”) – FINAL**

### **Node**

* **Raspberry Pi 5**
* OS: Raspberry Pi OS Lite (64-bit)

### **Purpose**

* Out-of-band control
* Automation authority
* Monitoring vantage point
* Recovery access when everything else is down

---

### **Allowed services (explicit)**

* VS Code Tunnel
* Ansible controller
* Tailscale (always-on)
* **Uptime Kuma**
  * Single container
  * Bound to Tailscale IP only
  * No reverse proxy
  * No public ports
  * Outbound alerts only (email / Discord / etc.)

### **Explicit exclusions**

* No Traefik
* No Authentik
* No Swarm membership
* No shared storage
* No stateful apps beyond Kuma’s local data

### **Security posture**

* SSH key-only
* Non-root admin
* Firewall: SSH + Tailscale
* Consider SD → NAS image backups

### **Operational contract**

* If this node is down: changes pause, nothing breaks
* If everything else is down: this node is how you recover

---
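As an added example (not part of the original design notes), a small shell script that implements the two controls above that are easiest to get wrong: Kuma's listener bound to the Tailscale address only, with a guard that refuses any address outside Tailscale's 100.64.0.0/10 range, and the SSH + Tailscale firewall. It assumes ufw as the firewall and Kuma's default image, port and data directory; none of these are stated in the notes.

```shell
#!/bin/sh
# Added example, not part of the original design notes. Starts Uptime Kuma
# bound to this node's Tailscale address only and refuses to start if that
# address is outside Tailscale's 100.64.0.0/10 range, so a misconfigured
# node can never fall back to listening on 0.0.0.0. Assumptions: ufw is the
# firewall, docker and tailscale are installed, and Kuma's defaults
# (image louislam/uptime-kuma:1, port 3001, data dir /app/data) apply.

# Return 0 only if $1 is a dotted-quad IPv4 address inside 100.64.0.0/10.
is_tailscale_ip() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;   # empty, or contains non-numeric characters
    esac
    oldifs="$IFS"; IFS=.
    set -- $1
    IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    # 100.64.0.0/10 is 100.64.0.0 through 100.127.255.255
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        return 0
    fi
    return 1
}

# Docker publish spec that binds Kuma's listener to one address, never 0.0.0.0.
kuma_publish_spec() {
    is_tailscale_ip "$1" || return 1
    printf '%s:3001:3001' "$1"
}

# Firewall from the design: default deny inbound, allow SSH and the tailscale0 interface.
apply_firewall() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 22/tcp
    ufw allow in on tailscale0
    ufw --force enable
}

start_kuma() {
    ts_ip="$(tailscale ip -4)" || { echo "tailscale is not up" >&2; return 1; }
    spec="$(kuma_publish_spec "$ts_ip")" \
        || { echo "refusing to start: '$ts_ip' is not a Tailscale address" >&2; return 1; }
    docker run -d --name uptime-kuma --restart unless-stopped \
        -p "$spec" -v uptime-kuma:/app/data louislam/uptime-kuma:1
}
```

Run `apply_firewall` once as root, then `start_kuma`; if Tailscale is down or hands back anything outside 100.64.0.0/10, Kuma is not started rather than started on a wider bind.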