docker/docs/architecture.md (last modified 2026-05-13 04:36:38 +10:00)
# Architecture Summary

## Overview

This stack uses Traefik v3 as internet-facing ingress for application and operations UIs. Service routing is label-driven from Docker Compose files, with shared Docker networks (traefik, monitor) connecting reverse-proxied and telemetry services.

TLS is terminated at Traefik (certificates obtained through the ACME HTTP-01 challenge). Hardening is applied through middleware chains, Authelia forward-auth on selected routes, the CrowdSec integration, and optional mTLS (client certificates) on private admin paths.

## Network / Request Flow

```mermaid
flowchart LR
  C[Internet Client] -->|80/443| T[Traefik Ingress]
  %% edge labels and node text containing '>' or quotes are double-quoted so Mermaid parses them
  T -->|"HTTP->HTTPS redirect"| T
  T -->|"ACME HTTP challenge"| LE["Let's Encrypt ACME"]

  subgraph TraefikNet["Docker network: traefik"]
    A[Authelia]
    CS[CrowdSec LAPI]
    EP[Error Pages]

    NC[Nextcloud]
    PB[Passbolt]
    GT[Gitea]
    GW[Gramps Web]
    SX[SearXNG]

    GF[Grafana]
    PR[Prometheus]
    NR[Node-RED]
    PT[Portainer]
    UK[Uptime Kuma]
    IF[InfluxDB]
    GO[Gotify]
  end

  T -->|"forwardAuth for selected services"| A
  T -->|"plugin decisions"| CS
  T -->|"4xx/5xx middleware"| EP

  T --> NC
  T --> PB
  T --> GT
  T --> GW
  T --> SX

  T --> GF
  T --> PR
  T --> NR
  T --> PT
  T --> UK
  T --> IF
  T --> GO

  subgraph MonitorNet["Docker network: monitor"]
    NE[Node Exporter]
    TE[Telegraf]
    DE[Docker Update Exporter]
    PE[Pi-hole Exporter]
    DSP[Docker Socket Proxy]
  end

  PR --> NE
  PR --> TE
  PR --> DE
  PR --> PE
  PR --> UK
  PR -->|"remote scrape"| RH[Remote Hosts]
  TE --> DSP
  NR --> DSP
  PT --> DSP
  T --> DSP
```

## Key components

- Ingress/security plane: Traefik, Authelia, CrowdSec, Error Pages.
- User-facing apps: Nextcloud, Passbolt, Gitea, Gramps Web, SearXNG.
- Monitoring/ops: Prometheus, Grafana, InfluxDB, Node-RED, Uptime Kuma, Portainer, Gotify.
- Support plane: Docker Socket Proxy for controlled Docker API access.
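The ingress and support planes described above (label-driven routing, HTTP-01 ACME, redirect to HTTPS, a headers middleware chain, Authelia forward-auth on an ops UI, mTLS on an admin path, and Traefik reading Docker state only through the socket proxy) as one Compose fragment. This is an added example, not this stack's own Compose file: the resolver name `letsencrypt`, the middleware and network names, the `example.invalid` hostnames, the image tags, the file paths and the admin CA are all assumptions. The CrowdSec bouncer plugin middleware is left out because its plugin declaration is not on this page.

```yaml
# Added example (not the stack's own Compose file). Every name here is an
# assumption: the "letsencrypt" resolver, middleware names, hostnames under
# example.invalid, file paths, image tags, and the admin CA used for mTLS.
services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy
    environment:
      CONTAINERS: "1"   # Traefik only needs to list containers and networks
      NETWORKS: "1"
      POST: "0"         # refuse every mutating Docker API call
      IMAGES: "0"
      VOLUMES: "0"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [monitor]

  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://docker-socket-proxy:2375   # never the raw socket
      - --providers.docker.exposedbydefault=false                    # services opt in per label
      - --providers.docker.network=traefik
      - --providers.file.directory=/etc/traefik/dynamic              # TLS options live here
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure  # HTTP->HTTPS redirect
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.email=ops@example.invalid
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
    ports: ["80:80", "443:443"]
    volumes:
      - ./letsencrypt:/letsencrypt
      - ./dynamic:/etc/traefik/dynamic:ro
    networks: [traefik, monitor]
    labels:
      # Middlewares are declared once and referenced by name from service routers.
      - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.secure-headers.headers.frameDeny=true"
      # Authelia forward-auth (authz endpoint of Authelia 4.38+; older releases use /api/verify).
      - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth"
      - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name"
      # Chains: a CrowdSec bouncer middleware would be appended here once its plugin is declared.
      - "traefik.http.middlewares.public-chain.chain.middlewares=secure-headers"
      - "traefik.http.middlewares.protected-chain.chain.middlewares=secure-headers,authelia"

  grafana:
    image: grafana/grafana
    networks: [traefik, monitor]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.example.invalid`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
      - "traefik.http.routers.grafana.middlewares=protected-chain"   # SSO-gated ops UI
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"

  portainer:
    image: portainer/portainer-ce
    networks: [traefik, monitor]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.example.invalid`)"
      - "traefik.http.routers.portainer.entrypoints=websecure"
      - "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
      - "traefik.http.routers.portainer.tls.options=admin-mtls@file"  # client cert required
      - "traefik.http.routers.portainer.middlewares=protected-chain"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"

networks:
  traefik: {}
  monitor: {}
---
# dynamic/tls.yml, loaded by the file provider configured above (assumed path).
tls:
  options:
    admin-mtls:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /etc/traefik/dynamic/admin-ca.pem   # assumed CA that issues admin client certs
        clientAuthType: RequireAndVerifyClientCert
```

Two choices matter for the security posture sketched on this page: `exposedbydefault=false` means a container is only routed when its own labels opt in, so a stray service on the `traefik` network is not reachable by accident; and pointing the Docker provider at the socket proxy with `POST=0` gives Traefik read-only discovery, so a compromise of the ingress container does not hand out the ability to start or modify containers.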

## Relationship to Terraform inventory

Terraform in infrastructure/terraform/ captures infrastructure inventory and reconciliation state for Proxmox VMs, physical host metadata, and selected Docker mirrors.

Use architecture docs together with:

## Notes on runtime vs declared state

Runtime scrape targets and health signals are useful observed-state inputs, but they do not replace declared config authority from Compose/Terraform sources.
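The distinction above becomes a concrete drift check when Prometheus's runtime target list is compared against what the declared sources say should exist. The following is an added example, not code from this repository: `DECLARED_TARGETS` is a constructed stand-in for the job/instance pairs the Compose and Terraform sources declare, and `OBSERVED_TARGETS_JSON` is a constructed response in the shape Prometheus returns from `GET /api/v1/targets`. Observed state only adds findings (undeclared, missing, unhealthy); it never edits the declared set, which keeps Compose/Terraform as the authority.

```python
"""Compare Prometheus runtime scrape targets with the declared inventory.

Added example, not part of the architecture doc. DECLARED_TARGETS stands in for
what the Compose/Terraform sources declare and OBSERVED_TARGETS_JSON is a
constructed Prometheus GET /api/v1/targets response; both are made-up data.
"""
import json

# Constructed: declared inventory as job -> set of instance addresses.
DECLARED_TARGETS = {
    "node": {"node-exporter:9100", "remote-host-1:9100"},
    "telegraf": {"telegraf:9273"},
    "uptime-kuma": {"uptime-kuma:3001"},
}

# Constructed: shape of the Prometheus targets API; hostnames are placeholders.
OBSERVED_TARGETS_JSON = json.dumps({
    "status": "success",
    "data": {
        "activeTargets": [
            {"labels": {"job": "node", "instance": "node-exporter:9100"},
             "scrapeUrl": "http://node-exporter:9100/metrics",
             "health": "up", "lastError": ""},
            {"labels": {"job": "node", "instance": "remote-host-1:9100"},
             "scrapeUrl": "http://remote-host-1:9100/metrics",
             "health": "down", "lastError": "context deadline exceeded"},
            {"labels": {"job": "telegraf", "instance": "telegraf:9273"},
             "scrapeUrl": "http://telegraf:9273/metrics",
             "health": "up", "lastError": ""},
            {"labels": {"job": "pihole", "instance": "pihole-exporter:9617"},
             "scrapeUrl": "http://pihole-exporter:9617/metrics",
             "health": "up", "lastError": ""},
        ],
        "droppedTargets": [],
    },
})


def parse_observed(raw):
    """Return {(job, instance): health} from a /api/v1/targets response body."""
    body = json.loads(raw)
    if body.get("status") != "success":
        raise ValueError(f"targets API returned status {body.get('status')!r}")
    observed = {}
    for target in body["data"]["activeTargets"]:
        labels = target["labels"]
        observed[(labels["job"], labels["instance"])] = target.get("health", "unknown")
    return observed


def reconcile(declared, observed):
    """Classify drift between declared (job -> instances) and observed targets.

    undeclared: scraped at runtime but absent from the declared sources (added
                out of band, or the declared inventory is stale);
    missing:    declared but never appearing in Prometheus (config not applied);
    unhealthy:  declared and present but not reporting health == "up".
    Observed state only ever adds findings; it never removes a declared entry.
    """
    declared_pairs = {(job, inst) for job, insts in declared.items() for inst in insts}
    observed_pairs = set(observed)
    return {
        "undeclared": sorted(observed_pairs - declared_pairs),
        "missing": sorted(declared_pairs - observed_pairs),
        "unhealthy": sorted(p for p in declared_pairs & observed_pairs if observed[p] != "up"),
    }


def run_check(declared=DECLARED_TARGETS, raw=OBSERVED_TARGETS_JSON):
    """Run the reconciliation over the constructed inputs (or real ones passed in)."""
    return reconcile(declared, parse_observed(raw))


if __name__ == "__main__":
    for kind, pairs in run_check().items():
        for job, instance in pairs:
            print(f"{kind:10s} job={job} instance={instance}")
```

Against a live stack, `raw` would be the body of `GET http://prometheus:9090/api/v1/targets` and `declared` would be generated from the Compose files and the Terraform inventory; an `undeclared` finding is the case this page warns about, where something observed at runtime is tempting to treat as configuration even though no declared source accounts for it.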