The Alliance Fleet: Deep-Dive
3-Node Proxmox VE Cluster · Corosync Quorum · 25+ Services
Why This Exists
"I built this to learn by doing. Every design decision mirrors production standards I saw across three enterprise environments. The goal is to understand why infrastructure works, not just how to configure it."
Physical Architecture
Millennium Falcon: Node A (FCM2250)
- Intel Core Ultra 9
- 64 GB DDR5
- 2 TB NVMe Gen4
- RTX 4000 SFF Ada (20 GB VRAM, VFIO passthrough)
Carries the GPU for AI/ML inference in the Tantive-III VM (Ollama). 20 GB of VRAM holds quantized models up to roughly the 30B class entirely on the card; a 4-bit 70B model is about 40 GB, so 70B runs keep part of the weights in the 64 GB of system RAM and are bounded by that offload.
CR90 Corvette: Node B (QCM1255)
- AMD Ryzen 7 PRO (ECC-capable)
- 64 GB DDR5 ECC
- 4 TB Storage
ECC memory because it runs InfluxDB, PostgreSQL, and Wazuh: silent bit-flip corruption in time-series or auth data would poison monitoring and identity.
Gozanti Cruiser: Node C (OptiPlex 7050)
- Intel i7-7700
- 32 GB DDR4
- 512 GB NVMe + 1 TB SATA
- 2.5 GbE NIC (hardware mod)
Network-edge services and Tailscale subnet router: keeping the security control plane on a dedicated node.
Network Segmentation
| VLAN | Name | Subnet | DHCP | Strategy |
|---|---|---|---|---|
| 10 | Management | 192.168.1.0/24 | Disabled | Hypervisors, switch, gateway UI. Static-only: an unknown device gets no lease, but that is not an access control on its own; the inter-VLAN firewall rules do the enforcement. |
| 20 | Services | 192.168.20.0/24 | .100-.200 | All application workloads: AI models, SIEM, databases, identity, automation. |
| 30 | IoT | 192.168.30.0/24 | .100-.200 | Fully isolated: cannot initiate connections to Management or Services. |
| 40 | DMZ | 192.168.40.0/24 | Disabled | Public-facing reverse proxy ingress only. Static-only: every host explicitly provisioned. |
Network hardware: UniFi Dream Machine (gateway/firewall/routing), UniFi US-8-150W (PoE managed switch, VLAN trunking), UniFi Beacon HD (wireless).
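To make the Strategy column testable, here is an added example (not the gateway's rule export, which the page does not show) that encodes the intended inter-VLAN policy as an ordered, default-deny rule function and checks a set of constructed flows against it. The DMZ-to-Services ports, the Services-to-IoT allowance and the public ingress port are assumptions. What it makes explicit: "cannot initiate" is a statement about new connections, so reply traffic is admitted by connection state, the DMZ proxy gets only the ports it needs toward VLAN 20 and nothing toward Management, and application workloads on VLAN 20 cannot reach the hypervisor VLAN at all.

```python
"""Intent model for the VLAN segmentation table (added example, not the
UniFi gateway's configuration). Zones come from the table; the ports and the
Services-to-IoT allowance are assumptions marked below."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "management": ip_network("192.168.1.0/24"),   # VLAN 10
    "services":   ip_network("192.168.20.0/24"),  # VLAN 20
    "iot":        ip_network("192.168.30.0/24"),  # VLAN 30
    "dmz":        ip_network("192.168.40.0/24"),  # VLAN 40
}

# Assumption: the DMZ reverse proxy only needs HTTPS toward backends and the
# Authentik outpost; 9443 is a placeholder for that outpost port.
DMZ_TO_SERVICES_PORTS = {443, 9443}
PUBLIC_INGRESS_PORTS = {443}  # assumption: TLS-only ingress to the proxy


def zone_of(ip: str) -> str:
    """Map an address to its table zone; anything outside the four subnets is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    state: str = "new"   # "new" = connection attempt, "established" = reply traffic


def allowed(f: Flow) -> bool:
    """Ordered rules, first match wins, default deny."""
    if f.state == "established":
        return True                        # stateful: replies to permitted connections pass
    src, dst = zone_of(f.src), zone_of(f.dst)
    if src == dst:
        return True                        # same VLAN never crosses the gateway
    if src == "management":
        return True                        # admin VLAN may initiate to anything
    if src == "iot":
        return dst == "internet"           # table: IoT cannot initiate to Management or Services
    if src == "dmz":
        return dst == "services" and f.dport in DMZ_TO_SERVICES_PORTS
    if src == "services":
        return dst in {"internet", "iot"}  # assumption: workloads reach the internet and IoT devices
    if src == "internet":
        return dst == "dmz" and f.dport in PUBLIC_INGRESS_PORTS
    return False


def violations(must_deny: list[Flow]) -> list[Flow]:
    """Flows the policy should block but which pass; use as a regression check
    and replay the same cases with a scanner after editing gateway rules."""
    return [f for f in must_deny if allowed(f)]


# Constructed test flows (not captured traffic).
MUST_DENY = [
    Flow("192.168.30.77", "192.168.20.50", 8086),  # IoT -> InfluxDB
    Flow("192.168.30.77", "192.168.1.2", 8006),    # IoT -> Proxmox web UI
    Flow("192.168.40.5", "192.168.1.2", 8006),     # DMZ proxy -> hypervisor
    Flow("192.168.40.5", "192.168.20.50", 5432),   # DMZ proxy -> PostgreSQL
    Flow("192.168.20.50", "192.168.1.2", 22),      # workload -> management SSH
    Flow("203.0.113.9", "192.168.20.50", 443),     # internet -> backend directly
]

if __name__ == "__main__":
    print("violations:", violations(MUST_DENY))
```

The `MUST_DENY` list is the useful artifact: it is the set of flows that, if one of them ever succeeds during a scan from the relevant VLAN, means a rule edit broke the segmentation.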
Traffic Flow & Remote Access
External Request Path
→ VLAN 40: Nginx Proxy Manager (TLS termination)
→ VLAN 20: Authentik (SSO challenge, MFA)
→ VLAN 20: Backend Service
Remote Access: Tailscale
Tailscale (a WireGuard-based mesh VPN) with Node C advertising the VLAN subnets as a subnet router, so remote devices reach internal hosts without any inbound port forward on the gateway. Tailscale ACLs grant each user and device only the destinations and ports it needs; once the allow-all starter rule is removed, anything not listed is denied.
SIEM & Identity Core
Wazuh SIEM
Brute-force detection, file integrity monitoring, and log aggregation across all nodes; custom detection rules are being expanded. Alerts are piped to Discord via n8n.
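An added example of the logic behind the brute-force detection, written in Python over constructed sshd log lines (it is not a Wazuh rule and not the fleet's logs). It does what a Wazuh composite rule does with frequency, timeframe and same_source_ip: count failed logins per source IP inside a sliding window and raise one alert when the count reaches the threshold. The rule id 100100, the threshold and the window are assumptions; Wazuh reserves ids from 100000 upward for custom rules.

```python
"""Brute-force detection over sshd log lines (added example in Python, not a
Wazuh rule; the log lines are constructed, the rule id and thresholds are
assumptions)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines: one noisy external source, one internal
# single failure, one external single failure, one successful key login.
SAMPLE_LOG = """\
Mar 12 10:01:01 cr90 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51110 ssh2
Mar 12 10:01:03 cr90 sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar 12 10:01:04 cr90 sshd[4105]: Failed password for root from 203.0.113.7 port 51114 ssh2
Mar 12 10:01:06 cr90 sshd[4107]: Failed password for root from 203.0.113.7 port 51116 ssh2
Mar 12 10:01:07 cr90 sshd[4109]: Failed password for root from 203.0.113.7 port 51118 ssh2
Mar 12 10:01:09 cr90 sshd[4111]: Accepted publickey for ops from 192.168.1.10 port 40022 ssh2
Mar 12 10:01:10 cr90 sshd[4113]: Failed password for ops from 192.168.20.55 port 40100 ssh2
Mar 12 10:05:30 cr90 sshd[4120]: Failed password for root from 198.51.100.4 port 33001 ssh2
"""

# Decoder for the one event type this rule cares about (Wazuh's sshd decoder
# extracts the same source IP and user fields).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse_ts(ts: str, year: int = 2025) -> datetime:
    """Syslog timestamps carry no year; assume one so the window math works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 120) -> list[dict]:
    """Composite-rule logic: per source IP, count failures in a sliding window of
    `window_s` seconds and emit one alert when the count reaches `threshold`.
    The window is cleared after an alert so a single burst produces one alert."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                       # accepted logins and other daemons are ignored
        ts = parse_ts(m["ts"])
        window = recent[m["src"]]
        window.append((ts, m["user"]))
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()               # drop failures older than the timeframe
        if len(window) >= threshold:
            alerts.append({
                "rule": {"id": 100100, "level": 10, "description": "sshd brute force"},
                "agent": {"name": line.split()[3]},   # hostname field of the syslog line
                "data": {"srcip": m["src"], "users": sorted({u for _, u in window})},
                "timestamp": ts.isoformat(),
                "count": len(window),
            })
            window.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the sample, only 203.0.113.7 trips the rule: five failures in six seconds across two usernames. The single internal failure from 192.168.20.55 is recorded but never reaches the threshold, which is the behaviour you want before the alert is handed to an automated blocking step.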
Authentik SSO/IAM
All 15+ internal services sit behind Authentik: those that support OIDC or SAML integrate natively, the rest are fronted by Authentik through Nginx Proxy Manager in the DMZ, so an unauthenticated request is redirected to the SSO challenge before it reaches a backend. MFA is enforced and every login is logged.
Observability & Automation
Telegraf → InfluxDB → Grafana
Observability pipeline. Telegraf agents on all nodes push CPU, memory, disk, network, and kernel metrics at 10-second intervals to InfluxDB. Grafana dashboards provide cluster-wide visibility.
n8n: Tactical Orchestration
API orchestrator for fleet maintenance, threat response, and notification pipelines.
Wazuh → Block & Alert Pipeline
n8n workflow logic, node by node:
```json
{
  "trigger": "Wazuh webhook (POST)",
  "filter": "drop the alert if srcip is in 192.168.0.0/16",
  "action_1": "add srcip to the firewall block alias",
  "action_2": "post a summary to the Discord webhook"
}
```
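The filter and the two actions above as an added Python example of the workflow's decision logic (it is not the n8n workflow itself; the shared secret, the HMAC header scheme, the rule id and the message texts are assumptions, while rule.level, rule.description, agent.name and data.srcip are standard Wazuh alert fields). Two practitioner adjustments compared with the one-line filter: the webhook body is authenticated with an HMAC, so anything able to reach the n8n port cannot feed it a forged alert and get an arbitrary address pushed into the block alias; and "internal" covers all of RFC 1918 plus loopback and link-local rather than only 192.168.0.0/16, with internal sources still notified instead of silently dropped, because a brute force from inside the network is the more serious finding.

```python
"""Decision logic for the Wazuh -> n8n block-and-alert pipeline (added
example; the secret, rule id and messages are assumptions)."""
import hashlib
import hmac
import json
from ipaddress import ip_address, ip_network

# Assumption: shared secret set on the Wazuh integration and checked by the webhook node.
WEBHOOK_SECRET = b"replace-me-with-a-long-random-secret"

# Everything that must never be auto-blocked: all of RFC 1918, loopback and
# link-local. The page's filter only covered 192.168.0.0/16.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def sign(body: bytes) -> str:
    """HMAC-SHA256 over the raw body, sent as a header by the alert sender."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str) -> bool:
    return hmac.compare_digest(sign(body), signature_hex)


def plan_response(alert: dict, min_level: int = 10) -> dict:
    """Return {'block': ip-or-None, 'notify': message-or-None} for one Wazuh alert."""
    rule = alert.get("rule", {})
    srcip = alert.get("data", {}).get("srcip")
    if not srcip or int(rule.get("level", 0)) < min_level:
        return {"block": None, "notify": None}        # below threshold or no source: nothing to act on
    agent = alert.get("agent", {}).get("name", "unknown-agent")
    desc = rule.get("description", "alert")
    if is_internal(srcip):
        # Never push an internal address into the block alias (it could be a node or
        # the proxy), but do notify: an internal brute force deserves a look, not a drop.
        return {"block": None,
                "notify": f"[{agent}] {desc} from internal host {srcip}: NOT blocked, investigate"}
    return {"block": srcip,
            "notify": f"[{agent}] {desc} from {srcip}: added to block alias"}


def discord_payload(message: str) -> dict:
    """Body for a Discord incoming webhook."""
    return {"content": message}


def handle_webhook(body: bytes, signature_hex: str) -> dict:
    """What the webhook node runs: authenticate, parse, decide."""
    if not verify_signature(body, signature_hex):
        return {"status": 401, "block": None, "notify": None}
    try:
        alert = json.loads(body)
    except json.JSONDecodeError:
        return {"status": 400, "block": None, "notify": None}
    return {"status": 200, **plan_response(alert)}


# Constructed alert in the shape Wazuh's integration posts (not a captured one);
# rule id 100100 is an assumed custom rule.
SAMPLE_ALERT = {
    "rule": {"id": 100100, "level": 10, "description": "sshd brute force"},
    "agent": {"name": "cr90"},
    "data": {"srcip": "203.0.113.7", "dstuser": "root"},
}
SAMPLE_BODY = json.dumps(SAMPLE_ALERT).encode()

if __name__ == "__main__":
    result = handle_webhook(SAMPLE_BODY, sign(SAMPLE_BODY))
    print(result, discord_payload(result["notify"]))
```

The block action should add the address to a firewall alias rather than write a rule per alert: the rule stays static and auditable, the alias is the only thing the automation touches, and clearing it is one operation if the pipeline ever misfires.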
Private AI Stack
Tantive-III VM (Node A)
Local LLM inference running Ollama and AnythingLLM on the RTX 4000 Ada (20 GB VRAM) via VFIO passthrough. A throughput of 50 tok/s is achievable only for models that fit in the 20 GB of VRAM; a 4-bit 70B model is roughly 40 GB, so 70B inference offloads part of the weights to system RAM and runs far slower. A RAG pipeline over 500+ documents is served through OpenWebUI, and ComfyUI handles image generation. Zero data egress: all inference stays on-premises.
Roadmap
In Progress
Planned