# Infrastructure Dependency Graph This document maps out the dependencies between all infrastructure components and services, providing a clear order for building out the personal infrastructure. ## Infrastructure Overview ### Machines (Hosts) - **lapy**: Laptop (Ansible control node) - **vipy**: Main VPS (207.154.226.192) - hosts most services - **watchtower**: Monitoring VPS (206.189.63.167) - hosts Uptime Kuma and ntfy - **spacey**: Headscale VPS (165.232.73.4) - hosts Headscale coordination server - **nodito**: Proxmox server (192.168.1.139) - home infrastructure - **memos-box**: Separate box for memos (192.168.1.149) --- ## Dependency Layers ### Layer 0: Prerequisites (No Dependencies) These must exist before anything else can be deployed. #### On lapy (Laptop - Ansible Control Node) - Python venv with Ansible - SSH keys configured - Domain name configured (`root_domain` in `infra_vars.yml`) **Commands:** ```bash python3 -m venv venv source venv/bin/activate pip install -r requirements.txt ansible-galaxy collection install -r ansible/requirements.yml ``` --- ### Layer 1: Basic Machine Setup (Depends on: Layer 0) Initial machine provisioning and security hardening. #### All VPSs (vipy, watchtower, spacey) **Playbooks (in order):** 1. `infra/01_user_and_access_setup_playbook.yml` - Create user, setup SSH 2. `infra/02_firewall_and_fail2ban_playbook.yml` - Firewall, fail2ban, auditd **Dependencies:** - SSH access with root user - SSH key pair #### Nodito (Proxmox Server) **Playbooks (in order):** 1. `infra/nodito/30_proxmox_bootstrap_playbook.yml` - SSH keys, user creation, security 2. `infra/nodito/31_proxmox_community_repos_playbook.yml` - Switch to community repos 3. `infra/nodito/32_zfs_pool_setup_playbook.yml` - ZFS storage pool (optional) 4. `infra/nodito/33_proxmox_debian_cloud_template.yml` - Cloud template (optional) **Dependencies:** - Root password access initially - Disk IDs identified for ZFS (if using ZFS) #### Memos-box **Playbooks:** 1. `infra/01_user_and_access_setup_playbook.yml` 2. `infra/02_firewall_and_fail2ban_playbook.yml` --- ### Layer 2: General Infrastructure Tools (Depends on: Layer 1) Common utilities needed across multiple services. #### On All Machines (as needed per service requirements) **Playbooks:** - `infra/900_install_rsync.yml` - For backup operations - `infra/910_docker_playbook.yml` - For Docker-based services - `infra/920_join_headscale_mesh.yml` - Join machines to VPN mesh (requires Layer 5 - Headscale) **Dependencies:** - Layer 1 complete (user and firewall setup) **Notes:** - rsync needed on: vipy, watchtower, lapy (for backups) - docker needed on: vipy, watchtower (for containerized services) --- ### Layer 3: Reverse Proxy (Depends on: Layer 2) Caddy provides HTTPS termination and reverse proxying for all web services. #### On vipy, watchtower, spacey **Playbook:** - `services/caddy_playbook.yml` **Dependencies:** - Layer 1 complete (firewall configured to allow ports 80/443) - No other services required **Critical Note:** - Caddy is deployed to vipy, watchtower, and spacey - Each service deployed configures its own Caddy reverse proxy automatically - All subsequent web services depend on Caddy being installed first --- ### Layer 4: Core Monitoring & Notifications (Depends on: Layer 3) These services provide monitoring and alerting for all other infrastructure. #### 4A: ntfy (Notification Service) **Host:** watchtower **Playbook:** `services/ntfy/deploy_ntfy_playbook.yml` **Dependencies:** - Caddy on watchtower (Layer 3) - DNS record for ntfy subdomain - NTFY_USER and NTFY_PASSWORD environment variables **Used By:** - Uptime Kuma (for notifications) - ntfy-emergency-app - Any service needing push notifications #### 4B: Uptime Kuma (Monitoring Platform) **Host:** watchtower **Playbook:** `services/uptime_kuma/deploy_uptime_kuma_playbook.yml` **Dependencies:** - Caddy on watchtower (Layer 3) - Docker on watchtower (Layer 2) - DNS record for uptime kuma subdomain **Used By:** - All infrastructure monitoring (disk alerts, healthchecks, CPU temp) - Service availability monitoring **Backup:** `services/uptime_kuma/setup_backup_uptime_kuma_to_lapy.yml` - Requires rsync on watchtower and lapy --- ### Layer 5: VPN Infrastructure (Depends on: Layer 3) Headscale provides secure mesh networking between all machines. #### Headscale (VPN Coordination Server) **Host:** spacey **Playbook:** `services/headscale/deploy_headscale_playbook.yml` **Dependencies:** - Caddy on spacey (Layer 3) - DNS record for headscale subdomain **Enables:** - Secure communication between all machines - Magic DNS for hostname resolution - Join machines using: `infra/920_join_headscale_mesh.yml` **Backup:** `services/headscale/setup_backup_headscale_to_lapy.yml` - Requires rsync on spacey and lapy --- ### Layer 6: Infrastructure Monitoring (Depends on: Layer 4) Automated monitoring scripts that report to Uptime Kuma. #### On All Machines **Playbooks:** - `infra/410_disk_usage_alerts.yml` - Disk usage monitoring - `infra/420_system_healthcheck.yml` - System health pings **Dependencies:** - Uptime Kuma deployed (Layer 4B) - `infra_secrets.yml` with Uptime Kuma credentials - Python uptime-kuma-api installed on lapy #### On Nodito Only **Playbook:** - `infra/nodito/40_cpu_temp_alerts.yml` - CPU temperature monitoring **Dependencies:** - Uptime Kuma deployed (Layer 4B) - `nodito_secrets.yml` with Uptime Kuma push URL --- ### Layer 7: Core Services (Depends on: Layers 3-4) Essential services for personal infrastructure. #### 7A: Vaultwarden (Password Manager) **Host:** vipy **Playbook:** `services/vaultwarden/deploy_vaultwarden_playbook.yml` **Dependencies:** - Caddy on vipy (Layer 3) - Docker on vipy (Layer 2) - Fail2ban on vipy (Layer 1) - DNS record for vaultwarden subdomain **Post-Deploy:** - Create first user account - Run `services/vaultwarden/disable_vaultwarden_sign_ups_playbook.yml` to disable registrations **Backup:** `services/vaultwarden/setup_backup_vaultwarden_to_lapy.yml` - Requires rsync on vipy and lapy #### 7B: Forgejo (Git Server) **Host:** vipy **Playbook:** `services/forgejo/deploy_forgejo_playbook.yml` **Dependencies:** - Caddy on vipy (Layer 3) - DNS record for forgejo subdomain **Used By:** - Personal blog (Layer 8) - Any service pulling from git repos #### 7C: LNBits (Lightning Wallet) **Host:** vipy **Playbook:** `services/lnbits/deploy_lnbits_playbook.yml` **Dependencies:** - Caddy on vipy (Layer 3) - DNS record for lnbits subdomain - Python 3.12 via pyenv - Poetry for dependency management **Backup:** `services/lnbits/setup_backup_lnbits_to_lapy.yml` - Requires rsync on vipy and lapy - Backups are GPG encrypted (requires GPG keys configured) --- ### Layer 8: Secondary Services (Depends on: Layer 7) Services that depend on core services being available. #### 8A: Personal Blog (Static Site) **Host:** vipy **Playbook:** `services/personal-blog/deploy_personal_blog_playbook.yml` **Dependencies:** - Caddy on vipy (Layer 3) - Forgejo on vipy (Layer 7B) - blog content hosted in Forgejo repo - rsync on vipy (Layer 2) - DNS record for blog subdomain - PERSONAL_BLOG_DEPLOY_TOKEN environment variable (Forgejo deploy token) **Notes:** - Auto-updates hourly via cron from Forgejo repo - Serves static files directly through Caddy #### 8B: ntfy-emergency-app **Host:** vipy **Playbook:** `services/ntfy-emergency-app/deploy_ntfy_emergency_app_playbook.yml` **Dependencies:** - Caddy on vipy (Layer 3) - Docker on vipy (Layer 2) - ntfy on watchtower (Layer 4A) - DNS record for emergency app subdomain **Notes:** - Configured with ntfy server URL and credentials - Sends emergency notifications to ntfy topics #### 8C: Memos (Note-taking) **Host:** memos-box **Playbook:** `services/memos/deploy_memos_playbook.yml` **Dependencies:** - Caddy on memos-box (Layer 3) - DNS record for memos subdomain --- ## Deployment Order Summary ### Phase 1: Foundation 1. Setup lapy as Ansible control node 2. Configure domain and DNS 3. Deploy Layer 1 on all machines (users, firewall) 4. Deploy Layer 2 tools (rsync, docker as needed) ### Phase 2: Web Infrastructure 5. Deploy Caddy (Layer 3) on vipy, watchtower, spacey ### Phase 3: Monitoring Foundation 6. Deploy ntfy on watchtower (Layer 4A) 7. Deploy Uptime Kuma on watchtower (Layer 4B) 8. Configure Uptime Kuma with ntfy notifications ### Phase 4: Mesh Network (Optional but Recommended) 9. Deploy Headscale on spacey (Layer 5) 10. Join machines to mesh using 920 playbook ### Phase 5: Infrastructure Monitoring 11. Deploy disk usage alerts on all machines (Layer 6) 12. Deploy system healthcheck on all machines (Layer 6) 13. Deploy CPU temp alerts on nodito (Layer 6) ### Phase 6: Core Services 14. Deploy Vaultwarden on vipy (Layer 7A) 15. Deploy Forgejo on vipy (Layer 7B) 16. Deploy LNBits on vipy (Layer 7C) ### Phase 7: Secondary Services 17. Deploy Personal Blog on vipy (Layer 8A) 18. Deploy ntfy-emergency-app on vipy (Layer 8B) 19. Deploy Memos on memos-box (Layer 8C) ### Phase 8: Backups 20. Configure all backup playbooks (to lapy) --- ## Critical Dependencies Map ``` Legend: → (depends on) MONITORING CHAIN: ntfy (Layer 4A) → Caddy (Layer 3) Uptime Kuma (Layer 4B) → Caddy (Layer 3) + Docker (Layer 2) + ntfy (Layer 4A) Disk Alerts (Layer 6) → Uptime Kuma (Layer 4B) System Healthcheck (Layer 6) → Uptime Kuma (Layer 4B) CPU Temp Alerts (Layer 6) → Uptime Kuma (Layer 4B) WEB SERVICES CHAIN: Caddy (Layer 3) → Firewall configured (Layer 1) Vaultwarden (Layer 7A) → Caddy (Layer 3) + Docker (Layer 2) Forgejo (Layer 7B) → Caddy (Layer 3) LNBits (Layer 7C) → Caddy (Layer 3) Personal Blog (Layer 8A) → Caddy (Layer 3) + Forgejo (Layer 7B) ntfy-emergency-app (Layer 8B) → Caddy (Layer 3) + Docker (Layer 2) + ntfy (Layer 4A) Memos (Layer 8C) → Caddy (Layer 3) VPN CHAIN: Headscale (Layer 5) → Caddy (Layer 3) All machines can join mesh → Headscale (Layer 5) BACKUP CHAIN: All backups → rsync (Layer 2) on source + lapy LNBits backups → GPG keys configured on lapy ``` --- ## Host-Service Matrix | Service | vipy | watchtower | spacey | nodito | memos-box | |---------|------|------------|--------|--------|-----------| | Caddy | ✓ | ✓ | ✓ | - | ✓ | | Docker | ✓ | ✓ | - | - | - | | Uptime Kuma | - | ✓ | - | - | - | | ntfy | - | ✓ | - | - | - | | Headscale | - | - | ✓ | - | - | | Vaultwarden | ✓ | - | - | - | - | | Forgejo | ✓ | - | - | - | - | | LNBits | ✓ | - | - | - | - | | Personal Blog | ✓ | - | - | - | - | | ntfy-emergency-app | ✓ | - | - | - | - | | Memos | - | - | - | - | ✓ | | Disk Alerts | ✓ | ✓ | ✓ | ✓ | ✓ | | System Healthcheck | ✓ | ✓ | ✓ | ✓ | ✓ | | CPU Temp Alerts | - | - | - | ✓ | - | --- ## Pre-Deployment Checklist ### Before Starting - [ ] SSH keys generated and added to VPS providers - [ ] Domain name acquired and accessible - [ ] Python venv created on lapy with Ansible installed - [ ] `inventory.ini` created and populated with all host IPs - [ ] `infra_vars.yml` configured with root domain - [ ] All VPSs accessible via SSH as root initially ### DNS Records to Configure Create A records pointing to appropriate IPs: - Uptime Kuma subdomain → watchtower IP - ntfy subdomain → watchtower IP - Headscale subdomain → spacey IP - Vaultwarden subdomain → vipy IP - Forgejo subdomain → vipy IP - LNBits subdomain → vipy IP - Personal Blog subdomain → vipy IP - ntfy-emergency-app subdomain → vipy IP - Memos subdomain → memos-box IP ### Secrets to Configure - [ ] `infra_secrets.yml` created with Uptime Kuma credentials - [ ] `nodito_secrets.yml` created with Uptime Kuma push URL - [ ] NTFY_USER and NTFY_PASSWORD environment variables for ntfy deployment - [ ] PERSONAL_BLOG_DEPLOY_TOKEN environment variable (from Forgejo) - [ ] GPG keys configured on lapy (for encrypted backups) --- ## Notes ### Why This Order Matters 1. **Caddy First**: All web services need reverse proxy, so Caddy must be deployed before any service that requires HTTPS access. 2. **Monitoring Early**: Deploying ntfy and Uptime Kuma early means all subsequent services can be monitored from the start. Infrastructure alerts can catch issues immediately. 3. **Forgejo Before Blog**: The personal blog pulls content from Forgejo, so the git server must exist first. 4. **Headscale Separation**: Headscale runs on its own VPS (spacey) because vipy needs to be part of the mesh network and can't run the coordination server itself. 5. **Backup Setup Last**: Backups should be configured after services are stable and have initial data to backup. ### Machine Isolation Strategy - **watchtower**: Runs monitoring services (Uptime Kuma, ntfy) separately so they don't fail when vipy fails - **spacey**: Runs Headscale coordination server isolated from the mesh clients - **vipy**: Main services server - most applications run here - **nodito**: Local Proxmox server for home infrastructure - **memos-box**: Separate dedicated server for memos service This isolation ensures monitoring remains functional even when primary services are down.