homelab/ansible/archive/documentation/contracts/ControlPlane.md

✅ Point 1 – Control Plane (“Watchtower”) – FINAL

Node

• Raspberry Pi 5
• OS: Raspberry Pi OS Lite (64-bit)

Purpose

• Out-of-band control
• Automation authority
• Monitoring vantage point
• Recovery access when everything else is down

---

Allowed services (explicit)

• VS Code Tunnel

• Ansible controller

• Tailscale (always-on)

• Uptime Kuma

  • Single container
  • Bound to Tailscale IP only
  • No reverse proxy
  • No public ports
  • Outbound alerts only (email / Discord / etc.)

Explicit exclusions

• No Traefik
• No Authentik
• No Swarm membership
• No shared storage
• No stateful apps beyond Kuma’s local data

Security posture

• SSH key-only
• Non-root admin
• Firewall: SSH + Tailscale
• Consider SD → NAS image backups

Operational contract

• If this node is down: changes pause, nothing breaks
• If everything else is down: this node is how you recover

---