nathan/homelab
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Releases Wiki Activity
homelab/ansible/archive/documentation/contracts/Handover-AnsibleEngineer.md

56 lines
2.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Homelab Ansible Handover v2 Architecture
## Purpose
This document summarizes the current homelab architecture and operational contracts. It is intended as a handover for an Ansible engineer to begin developing and maintaining infrastructure automation playbooks.
---
## Architecture Overview
- **Control Plane:** Raspberry Pi 5 (“Watchtower”) out-of-band management node. Runs Ansible controller, VS Code Tunnel, Tailscale, and Uptime Kuma. No production workloads or reverse proxies.
- **Compute Plane:** 3× Dell OptiPlex Micro 7010 running Proxmox. Each host runs:
- 1× Swarm Manager VM (control, light infra only)
- 1× Swarm Worker VM (all app workloads)
- **Networking:** Flat LAN (`10.0.0.0/24`), static IPs for infra, IoT/guest VLANs segregated. Future VLAN segmentation planned.
- **Storage:** TerraMaster (primary data), Synology (backup, cloud sync). Rsync and cloud sync jobs run daily.
- **Access & Identity:** Authentik SSO for operator/admin accounts. Remote access via Omada VPN, Tailscale, VS Code Tunnel. MFA and password vault required.
---
## Playbook Priorities & Expectations
1. **Idempotency:** All playbooks must be safe to run repeatedly and should not cause drift or break contracts.
2. **Contracts:** Reference the v2 contracts in `architecture/v2/contracts/` for allowed/forbidden services, node roles, and operational constraints.
3. **Inventory:** Maintain a clear, up-to-date inventory (hosts, groups, roles) reflecting the contracts.
4. **Separation of Concerns:**
- Control plane (Watchtower) is for automation, monitoring, and recovery only.
- Compute plane (Proxmox VMs) runs all application workloads.
- Never deploy workloads or Swarm nodes directly on Proxmox hosts or NAS devices.
5. **Access:** Use Authentik SSO for all supported services. Document and automate onboarding/offboarding where possible.
6. **Backups:** Automate and verify backup flows (TerraMaster → Synology → cloud). Never skip scheduled backups.
7. **Security:** Never expose management UIs to the public internet. Enforce MFA and strong password policies.
---
## Immediate Playbook Targets
- Proxmox host and VM provisioning (with static IPs, labels, and roles)
- Docker Swarm cluster setup and node role enforcement
- NAS configuration and backup job automation
- Authentik SSO integration for new services
- Monitoring/alerting setup (Uptime Kuma, notifications)
- Access onboarding/offboarding automation
---
## Reference
- Full contracts: `architecture/v2/contracts/`
- Planning docs: `architecture/v2/plans/`
- README: `architecture/v2/README.md`
---
**Contact the homelab owner for clarifications or to propose contract updates before making architectural changes.**
Reference in New Issue View Git Blame Copy Permalink