36 lines
1.7 KiB
Markdown
36 lines
1.7 KiB
Markdown
---
|
|
title: Keystone Grimoire
|
|
description: Architecture — the dwarven runesmith's blueprints
|
|
published: true
|
|
date: 2026-04-12T00:00:00.000Z
|
|
tags: keystone, architecture
|
|
editor: markdown
|
|
dateCreated: 2026-04-12T00:00:00.000Z
|
|
---
|
|
|
|
# Keystone Grimoire
|
|
|
|
|
|
|
|
The Keystone Grimoire holds the architectural blueprints of Netgrimoire — how everything is wired together, how traffic flows, why decisions were made. Remove the keystone and the arch falls. This is the arch.
|
|
|
|
---
|
|
|
|
## Sections
|
|
|
|
| Section | Contents |
|
|
|---------|----------|
|
|
| [Hosts](/Keystone-Grimoire/Hosts/Host-Inventory) | Node inventory, roles, IPs, pinned services, hardware |
|
|
| [Network](/Keystone-Grimoire/Network/Topology) | Topology, VLANs, DNS, WireGuard, OpenVPN, port assignments |
|
|
| [Docker](/Keystone-Grimoire/Docker/Swarm-Template) | Swarm template standard, overlay network, label rules, volume paths |
|
|
| [Mail](/Keystone-Grimoire/Mail/MailCow-Overview) | MailCow, MXRoute, DKIM, SRS, domain setup, hardening |
|
|
|
|
---
|
|
|
|
## Key Principles
|
|
|
|
- **Caddy is the single entry point** for all web traffic. Every public service goes through Caddy. No exceptions.
|
|
- **Docker labels drive routing** — services register themselves with Caddy via `deploy.labels`. Static Caddyfile entries only for Compose stacks where label pickup is unreliable.
|
|
- **Never mix label and static routing for the same hostname** — caddy-docker-proxy merges them into a broken upstream pool.
|
|
- **Always VIP endpoint mode** — `endpoint_mode: dnsrr` is banned. It breaks internal DNS resolution.
|
|
- **ARM nodes are excluded by default** — all swarm services carry `node.platform.arch != aarch64` and `node.platform.arch != arm` constraints unless explicitly ARM-specific.
|