✅ Point 1 – Control Plane (“Watchtower”) – FINAL
Node
- Raspberry Pi 5
- OS: Raspberry Pi OS Lite (64-bit)
Purpose
- Out-of-band control
- Automation authority
- Monitoring vantage point
- Recovery access when everything else is down
Allowed services (explicit)
- VS Code Tunnel
- Ansible controller
- Tailscale (always-on)
- Uptime Kuma
  - Single container
  - Bound to Tailscale IP only
  - No reverse proxy
  - No public ports
  - Outbound alerts only (email / Discord / etc.)
Explicit exclusions
- No Traefik
- No Authentik
- No Swarm membership
- No shared storage
- No stateful apps beyond Kuma’s local data
Security posture
- SSH key-only (password authentication disabled)
- Non-root admin
- Firewall: default-deny inbound, allow only SSH and Tailscale
- Consider SD → NAS image backups
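The two rules above that are easiest to get wrong quietly are "Kuma bound to Tailscale IP only" and "Firewall: SSH + Tailscale", so here is an added audit script for the node, written for this note and not part of the original design or of Uptime Kuma, Tailscale or nftables. It assumes things the note does not state: the Tailscale interface is `tailscale0`, `tailscale ip -4` returns the node's tailnet IPv4, Uptime Kuma keeps its default port 3001, and the container is published with `-p "$TS_IP:3001:3001"`. The `ss` samples inside are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# watchtower-audit.sh -- added example for the posture above, not part of the
# original note. Checks a Pi "control plane" host against three of its rules:
#   1. SSH is key-only and root login is off         (Security posture)
#   2. nothing but SSH listens outside Tailscale      (Kuma bound to TS IP only)
#   3. renders the matching nftables inbound policy   (Firewall: SSH + Tailscale)
# Assumptions (not stated on the page): the Tailscale interface is tailscale0,
# `tailscale ip -4` returns its IPv4, Uptime Kuma keeps its default port 3001,
# and the container is published as (upstream image name):
#   docker run -d --restart unless-stopped -p "$TS_IP:3001:3001" \
#       -v uptime-kuma:/app/data louislam/uptime-kuma:1
set -u

# audit_sshd FILE: returns 0 if FILE (a sshd_config, or better the output of
# `sshd -T`, which is the effective config after Match blocks) enforces
# key-only, non-root SSH. Each violation is reported on stderr.
audit_sshd() {
  local cfg="$1" rc=0 eff
  # strip comments, lowercase keywords, squeeze whitespace
  eff=$(sed -e 's/#.*//' "$cfg" | tr 'A-Z' 'a-z' | tr -s ' \t' ' ')
  printf '%s\n' "$eff" | grep -Eq '^ *passwordauthentication no *$' \
    || { echo "FAIL sshd: PasswordAuthentication must be no" >&2; rc=1; }
  # keyboard-interactive is the other password path (older name: ChallengeResponseAuthentication)
  printf '%s\n' "$eff" | grep -Eq '^ *(kbdinteractiveauthentication|challengeresponseauthentication) no *$' \
    || { echo "FAIL sshd: KbdInteractiveAuthentication must be no" >&2; rc=1; }
  printf '%s\n' "$eff" | grep -Eq '^ *permitrootlogin no *$' \
    || { echo "FAIL sshd: PermitRootLogin must be no (admin is a non-root user)" >&2; rc=1; }
  # PubkeyAuthentication defaults to yes; only an explicit "no" is a problem
  if printf '%s\n' "$eff" | grep -Eq '^ *pubkeyauthentication no *$'; then
    echo "FAIL sshd: PubkeyAuthentication is disabled" >&2; rc=1
  fi
  return "$rc"
}

# audit_listeners TS_IP < ss-output: reads `ss -Hltn` lines and fails on any
# TCP listener reachable off-Tailscale, except SSH (22), which the firewall
# exposes on purpose as the recovery path. Loopback is allowed (not routable).
# A Docker publish to "$TS_IP:3001:3001" shows up here as docker-proxy bound to
# exactly that address, so a later "-p 3001:3001" (0.0.0.0) is caught.
audit_listeners() {
  local ts="$1"
  awk -v ts="$ts" '
    BEGIN { bad = 0 }
    $1 != "LISTEN" { next }
    { n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1) }
    port == "22" { next }
    addr == ts || addr == "127.0.0.1" || addr == "[::1]" { next }
    { printf "FAIL listener: %s is reachable outside Tailscale\n", $4 > "/dev/stderr"; bad = 1 }
    END { exit bad }'
}

# render_nft_ruleset: inbound policy for "Firewall: SSH + Tailscale".
# Apply with `render_nft_ruleset | sudo nft -f -`; the first two lines make a
# re-apply idempotent without flushing Docker's own tables.
render_nft_ruleset() {
  cat <<'EOF'
table inet watchtower {}
flush table inet watchtower
table inet watchtower {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    iifname "tailscale0" accept    # everything over the tailnet (Kuma, tunnel, etc.)
    tcp dport 22 accept            # SSH from anywhere: recovery path if Tailscale is down
    udp dport 41641 accept         # Tailscale direct peer connections (DERP relay works without it)
    meta l4proto { icmp, ipv6-icmp } accept
  }
}
EOF
}

# Constructed `ss -Hltn` samples (not captured from a real host).
SAMPLE_SS_OK='LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 4096 100.64.0.5:3001  0.0.0.0:*'
SAMPLE_SS_BAD='LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3001     0.0.0.0:*
LISTEN 0 4096 [::]:3001        [::]:*'

# main_live: run both audits against this host (needs sudo for `sshd -T`).
main_live() {
  local ts tmp rc=0
  ts=$(tailscale ip -4) || { echo "tailscale is not running" >&2; return 2; }
  tmp=$(mktemp)
  sudo sshd -T > "$tmp"
  audit_sshd "$tmp" || rc=1
  rm -f "$tmp"
  ss -Hltn | audit_listeners "$ts" || rc=1
  return "$rc"
}

if [ "${1:-}" = "--live" ]; then
  main_live
else
  echo "offline demo against constructed samples (pass --live to audit this host):"
  printf '%s\n' "$SAMPLE_SS_OK"  | audit_listeners 100.64.0.5 && echo "  sample OK: accepted"
  printf '%s\n' "$SAMPLE_SS_BAD" | audit_listeners 100.64.0.5 || echo "  sample BAD: rejected"
fi
```

One caveat worth knowing before relying on the Tailscale-IP bind: Docker resolves the publish address when the container starts, so if `docker.service` comes up before `tailscaled.service` at boot the bind fails and the container does not start. A systemd drop-in ordering Docker after tailscaled (or letting `--restart unless-stopped` retry) avoids that; the listener audit above is what tells you it happened.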
Operational contract
- If this node is down: changes pause, nothing breaks
- If everything else is down: this node is how you recover