| title | description | published | date | tags | editor | dateCreated |
|---|---|---|---|---|---|---|
| Keystone Grimoire | Architecture — the dwarven runesmith's blueprints | true | 2026-04-12T00:00:00.000Z | keystone, architecture | markdown | 2026-04-12T00:00:00.000Z |
Keystone Grimoire
The Keystone Grimoire holds the architectural blueprints of Netgrimoire — how everything is wired together, how traffic flows, why decisions were made. Remove the keystone and the arch falls. This is the arch.
Sections
| Section | Contents |
|---|---|
| Hosts | Node inventory, roles, IPs, pinned services, hardware |
| Network | Topology, VLANs, DNS, WireGuard, OpenVPN, port assignments |
| Docker | Swarm template standard, overlay network, label rules, volume paths |
| | MailCow, MXRoute, DKIM, SRS, domain setup, hardening |
Key Principles
- Caddy is the single entry point for all web traffic. Every public service goes through Caddy. No exceptions.
- Docker labels drive routing — services register themselves with Caddy via `deploy.labels`. Static Caddyfile entries only for Compose stacks where label pickup is unreliable.
- Never mix label and static routing for the same hostname — caddy-docker-proxy merges them into a broken upstream pool.
- Always VIP endpoint mode — `endpoint_mode: dnsrr` is banned. It breaks internal DNS resolution.
- ARM nodes are excluded by default — all swarm services carry `node.platform.arch != aarch64` and `node.platform.arch != arm` constraints unless explicitly ARM-specific.
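The principles above describe the shape every Swarm stack is expected to have. The stack file below is an added example written for this page, not a template taken from the Netgrimoire repository: it shows the label-driven Caddy registration, the VIP endpoint mode, and the ARM exclusion constraints together in one service. The image, hostname, container port and overlay network name are assumptions, and the `caddy` / `caddy.reverse_proxy` label keys are the conventions of the caddy-docker-proxy project, which the page names but does not spell out.

```yaml
# Added example (not from the Netgrimoire wiki): a minimal Swarm stack that
# follows the Key Principles. Image, hostname, port and network name are
# assumed values; label keys follow caddy-docker-proxy's own conventions.
version: "3.8"

services:
  app:
    image: ghcr.io/example/app:1.0        # assumed image
    networks:
      - caddy_net                         # assumed name of the shared overlay
    deploy:
      mode: replicated
      replicas: 2
      # Principle: always VIP. The banned form would be
      #   endpoint_mode: dnsrr
      # which breaks internal DNS resolution across the overlay.
      endpoint_mode: vip
      placement:
        constraints:
          # Principle: ARM nodes are excluded unless the service is
          # explicitly ARM-specific.
          - node.platform.arch != aarch64
          - node.platform.arch != arm
      # Principle: routing is driven by deploy.labels. caddy-docker-proxy
      # reads these and generates the site block; do not also add a static
      # Caddyfile entry for the same hostname.
      labels:
        caddy: app.example.internal                  # assumed hostname
        caddy.reverse_proxy: "{{upstreams 8080}}"    # assumed container port

networks:
  caddy_net:
    external: true
```

Deploying with `docker stack deploy -c stack.yml app` registers the hostname with Caddy through the labels alone; if a static Caddyfile site block for `app.example.internal` also exists, the two routes are merged into the broken upstream pool the principles warn about, so keep exactly one source of truth per hostname.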
