---
title: Keystone Grimoire
description: Architecture — the dwarven runesmith's blueprints
published: true
date: 2026-04-12T00:00:00.000Z
tags: keystone, architecture
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# Keystone Grimoire

![keystone-badge](/images/keystone-badge.png)

The Keystone Grimoire holds the architectural blueprints of Netgrimoire — how everything is wired together, how traffic flows, and why decisions were made. Remove the keystone and the arch falls. This is the arch.

---

## Sections

| Section | Contents |
|---------|----------|
| [Hosts](/Keystone-Grimoire/Hosts/Host-Inventory) | Node inventory, roles, IPs, pinned services, hardware |
| [Network](/Keystone-Grimoire/Network/Topology) | Topology, VLANs, DNS, WireGuard, OpenVPN, port assignments |
| [Docker](/Keystone-Grimoire/Docker/Swarm-Template) | Swarm template standard, overlay network, label rules, volume paths |
| [Mail](/Keystone-Grimoire/Mail/MailCow-Overview) | MailCow, MXRoute, DKIM, SRS, domain setup, hardening |

---

## Key Principles

- **Caddy is the single entry point** for all web traffic. Every public service goes through Caddy. No exceptions.
- **Docker labels drive routing** — services register themselves with Caddy via `deploy.labels`. Static Caddyfile entries are used only for Compose stacks where label pickup is unreliable.
- **Never mix label and static routing for the same hostname** — caddy-docker-proxy merges them into a broken upstream pool.
- **Always VIP endpoint mode** — `endpoint_mode: dnsrr` is banned. It breaks internal DNS resolution.
- **ARM nodes are excluded by default** — all swarm services carry `node.platform.arch != aarch64` and `node.platform.arch != arm` constraints unless explicitly ARM-specific.
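A minimal Swarm stack that follows every principle above, added here as an illustration and not a file from the Netgrimoire repo. The image, hostname, container port and the name of the external overlay network (`caddy`) are placeholders; the `caddy` / `caddy.reverse_proxy` label keys and the `{{upstreams N}}` template are caddy-docker-proxy's own label syntax.

```yaml
# Illustrative stack for the Keystone conventions (not a Netgrimoire file).
# Assumptions: image, hostname, port 8080 and the "caddy" overlay network name
# are placeholders; adjust to the real service.
version: "3.8"

services:
  app:
    image: ghcr.io/example/app:1.2.3          # placeholder image
    networks:
      - caddy                                 # overlay that the Caddy service is also attached to
    # No `ports:` section on purpose: the container is reachable only through
    # Caddy on the overlay network (Caddy is the single entry point).
    deploy:
      mode: replicated
      replicas: 2
      # Always VIP. `endpoint_mode: dnsrr` is banned because it breaks
      # internal DNS resolution for the service name.
      endpoint_mode: vip
      placement:
        constraints:
          # ARM nodes excluded by default; drop these only for an
          # explicitly ARM-specific service.
          - node.platform.arch != aarch64
          - node.platform.arch != arm
      # Docker labels drive routing: caddy-docker-proxy reads the service
      # labels under deploy.labels and generates the site block itself.
      # Do NOT also add a static Caddyfile entry for app.example.com, or
      # the two definitions merge into a broken upstream pool.
      labels:
        caddy: app.example.com                # placeholder hostname
        caddy.reverse_proxy: "{{upstreams 8080}}"   # 8080 = container port (placeholder)

networks:
  caddy:
    external: true    # created once, e.g. `docker network create -d overlay --attachable caddy`
```

Deploy with `docker stack deploy -c stack.yml app`; the only change needed per service is the image, the hostname label and the upstream port.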