New Grimoire

Keystone-Grimoire/Overview.md

@@ -0,0 +1,36 @@
+---
+title: Keystone Grimoire
+description: Architecture — the dwarven runesmith's blueprints
+published: true
+date: 2026-04-12T00:00:00.000Z
+tags: keystone, architecture
+editor: markdown
+dateCreated: 2026-04-12T00:00:00.000Z
+---
+
+# Keystone Grimoire
+
+![keystone-badge](/images/keystone-badge.png)
+
+The Keystone Grimoire holds the architectural blueprints of Netgrimoire — how everything is wired together, how traffic flows, why decisions were made. Remove the keystone and the arch falls. This is the arch.
+
+---
+
+## Sections
+
+| Section | Contents |
+|---------|----------|
+| [Hosts](/Keystone-Grimoire/Hosts/Host-Inventory) | Node inventory, roles, IPs, pinned services, hardware |
+| [Network](/Keystone-Grimoire/Network/Topology) | Topology, VLANs, DNS, WireGuard, OpenVPN, port assignments |
+| [Docker](/Keystone-Grimoire/Docker/Swarm-Template) | Swarm template standard, overlay network, label rules, volume paths |
+| [Mail](/Keystone-Grimoire/Mail/MailCow-Overview) | MailCow, MXRoute, DKIM, SRS, domain setup, hardening |
+
+---
+
+## Key Principles
+
+- **Caddy is the single entry point** for all web traffic. Every public service goes through Caddy. No exceptions.
+- **Docker labels drive routing** — services register themselves with Caddy via `deploy.labels`. Static Caddyfile entries only for Compose stacks where label pickup is unreliable.
+- **Never mix label and static routing for the same hostname** — caddy-docker-proxy merges them into a broken upstream pool.
+- **Always VIP endpoint mode** — `endpoint_mode: dnsrr` is banned. It breaks internal DNS resolution.
+- **ARM nodes are excluded by default** — all swarm services carry `node.platform.arch != aarch64` and `node.platform.arch != arm` constraints unless explicitly ARM-specific.