## ✅ **Point 1: Control Plane (“Watchtower”) - FINAL**
### **Node**
* **Raspberry Pi 5**
* OS: Raspberry Pi OS Lite (64-bit)
### **Purpose**
* Out-of-band control
* Automation authority
* Monitoring vantage point
* Recovery access when everything else is down
---
### **Allowed services (explicit)**
* VS Code Tunnel
* Ansible controller
* Tailscale (always-on)
* **Uptime Kuma**
  * Single container
  * Bound to Tailscale IP only
  * No reverse proxy
  * No public ports
  * Outbound alerts only (email / Discord / etc.)
### **Explicit exclusions**
* No Traefik
* No Authentik
* No Swarm membership
* No shared storage
* No stateful apps beyond Kuma's local data
### **Security posture**
* SSH key-only
* Non-root admin
* Firewall: SSH + Tailscale
* Consider SD → NAS image backups
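
One way to check that the node still matches the "Allowed services" and "Security posture" lists is to audit its TCP listeners. This is an added example, not part of the original plan: it parses `ss -Htln` output and flags any listener that is neither SSH, loopback, nor bound to a Tailscale address. It assumes sshd on port 22; the sample addresses and ports are constructed.

```python
import ipaddress

# Tailscale assigns node addresses from these ranges (CGNAT IPv4, ULA IPv6).
TAILSCALE_NETS = [ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48")]
SSH_PORT = 22  # assumption: sshd listens on the default port

# Constructed sample of `ss -Htln` output; addresses and ports are made up.
SAMPLE_SS = """\
LISTEN 0 128         0.0.0.0:22       0.0.0.0:*
LISTEN 0 128            [::]:22          [::]:*
LISTEN 0 4096    100.64.0.10:3001     0.0.0.0:*
LISTEN 0 4096  127.0.0.53%lo:53       0.0.0.0:*
LISTEN 0 4096              *:8080           *:*
LISTEN 0 4096   192.168.1.50:3001     0.0.0.0:*
"""

def parse_listener(line):
    """Return (ip_or_None, port) for one ss line; None means a wildcard bind."""
    local = line.split()[3]                     # "Local Address:Port" column
    host, port = local.rsplit(":", 1)
    host = host.strip("[]").split("%", 1)[0]    # drop brackets and %iface scope
    if host == "*":
        return None, int(port)
    ip = ipaddress.ip_address(host)
    return (None if ip.is_unspecified else ip), int(port)

def violations(ss_output):
    """List (address, port) for listeners outside SSH, loopback and the tailnet."""
    bad = []
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue
        ip, port = parse_listener(line)
        if port == SSH_PORT:
            continue                            # SSH is allowed by the firewall rule
        if ip is not None and (ip.is_loopback or any(ip in n for n in TAILSCALE_NETS)):
            continue                            # loopback or Tailscale-bound
        bad.append(("wildcard" if ip is None else str(ip), port))
    return bad

if __name__ == "__main__":
    for addr, port in violations(SAMPLE_SS):
        print(f"unexpected listener: {addr}:{port}")
```

On the node itself, pass the real output of `ss -Htln` to `violations()` instead of the sample; an empty result means every TCP listener fits the contract.
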
### **Operational contract**
* If this node is down: changes pause, nothing breaks
* If everything else is down: this node is how you recover
---