01

Cluster Nodes

Millennium Falcon
FCM2250 · NODE-A · 192.168.1.10
ONLINE
CPU
Intel Core Ultra 9
RAM
64GB DDR5
Storage
2TB NVMe Gen4
GPU
RTX 4000 SFF Ada
VRAM
16GB GDDR6
Passthrough
VFIO / IOMMU
CPU
18%
MEM
34%
GPU
68%
VRAM
72%
▲ AI / ML Compute
VM 201 · Tantive-III (·20.20) · Ollama · OpenWebUI · AnythingLLM · ComfyUI
VM 400 · Canto-Bight (·20.86) · Win 11 · RetroArch · ES-DE · Sunshine/Moonlight
CR90 Corvette
QCM1255 · NODE-B · 192.168.1.11
ONLINE
CPU
Ryzen 7 PRO
RAM
64GB DDR5 ECC
Storage
4TB ZFS Mirror
ECC
Active · 0 errors
ZFS
Self-healing checksums
Role
All stateful services
CPU
26%
MEM
58%
ZFS
42%
◆ Data & Operations
VM 200 · Home One (·20.10) · Authentik SSO · PostgreSQL · Redis
VM 300 · ALLIANCE-DC01 (·1.50) · Win Server 2022 · AD DS · Entra Connect
VM 116 · Home Assistant (·30.10) · HA OS · VLAN 30 · InfluxDB telemetry
VM · Phoenix-Nest (·20.70) · n8n · Vaultwarden · Homepage
LXC · InfluxDB (·20.41) · 30d retention · 10s resolution
LXC · Grafana (·20.40) · TIG dashboards · Alerting · SSO
LXC 113 · Uptime Kuma (·20.61) · 25+ monitors · Discord alerts
Gozanti Cruiser
OptiPlex 7050 · NODE-C · 192.168.1.12
ONLINE
CPU
Intel i7-7700
RAM
32GB DDR4
NVMe
512GB
SATA
1TB
NICs
Dual (M.2 E-key mod)
Role
Network & security edge
CPU
14%
MEM
44%
DISK
62%
◯ Network & Security
LXC 110 · Wazuh (·20.30) · SIEM · XDR · 10+ agents
LXC 100 · AdGuard (·1.4) · DNS filtering · wildcard rewrite
LXC 101 · Nginx Proxy Mgr (·1.101) · TLS termination · reverse proxy
VM 203 · Stinger Mantis (·20.80) · BD-1 Discord bot · K-2SO observer · Node.js · PM2
VM 204 · Fulcrum (·50.10) · NemoClaw legacy · VLAN 50 isolated · pending rebuild
CT 114 · RustDesk (·20.81) · Self-hosted remote desktop relay
Proxmox VE 8.x · Kernel 6.17
HA Quorum · 3 votes · Corosync
VMs + LXC · 17 active
Services · 25+ running
n8n · 20+ active workflows
Wazuh Agents · 10+ enrolled
02

VLAN Architecture

VLAN 1
Management
192.168.1.0/24 · Static only, no DHCP
Proxmox hypervisors, UniFi UDM, AdGuard, NPM, ALLIANCE-DC01. Every host explicitly provisioned. No dynamic addressing.
ALLOW Management → Services (any)
ALLOW Management → IoT (specific ports)
DENY  Services → Management (new flows)
VLAN 20
Services
192.168.20.0/24 · DHCP .100–.200
All application workloads: auth, AI inference, SIEM, automation, bots, observability. Primary operational network.
ALLOW Services ↔ Services
ALLOW Services → internet (via NPM)
DENY  Services → Management (initiated)
VLAN 30
IoT
192.168.30.0/24 · DHCP enabled
Home Assistant, Apple TVs, smart devices. IoT devices cannot initiate connections to Management or Services.
ALLOW IoT → internet
ALLOW HA → InfluxDB :8086 only
DENY  IoT → Management / Services
VLAN 40
DMZ
192.168.40.0/24 · DHCP enabled · 0 active hosts
Provisioned and reserved for externally-facing services. Sits between IoT and Bot-Net. Rules added per service as deployed.
ALLOW DMZ → internet
DENY  DMZ → Management
DENY  DMZ → Services (default)
VLAN 50
Bot-Net / Security
192.168.50.0/28 · /28 = 14 usable · K-2SO only
Maximum isolation. Docker inside unprivileged LXC on Fulcrum VM 204. Outbound HTTPS to specific API endpoints only.
ALLOW → Wazuh API :443
ALLOW → InfluxDB :8086
ALLOW → Proxmox API :8006
ALLOW → Discord (external)
DENY  everything else
VLAN 60
Endor / Ghost Squadron
192.168.60.0/24 · Planned · Not deployed
Raspberry Pi k3s cluster (Sentinel + Tydirium). Edge quorum witness, distributed DNS, monitoring probes, AdGuard secondary.
PLAN  k3s networking on /24
PLAN  corosync-qnetd on Alienware
TBD   firewall rules pending
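The ALLOW/DENY lines above read as a first-match policy with an implicit default deny, and the useful question for a defender is whether the rules, taken together, still express the intended isolation (for example, that Home Assistant can reach InfluxDB on 8086 and nothing else in Services, or that the Bot-Net VLAN can only speak HTTPS to its three named endpoints). The following is an added example, not the lab's own firewall export or the UniFi rule set: it encodes the page's VLAN subnets and rule lines in Python, expands the cards' abbreviated addresses (·30.10 Home Assistant, ·20.41 InfluxDB, ·20.30 Wazuh), and runs a set of constructed flows through the policy as a regression check. The Management → IoT port list, the Discord port (443, from "outbound HTTPS"), and the mapping of "Proxmox API :8006" to any Management-VLAN host are assumptions marked in the code.

```python
"""Inter-VLAN policy regression check (added example, not the lab's firewall config).

VLAN names, subnets and ALLOW/DENY lines come from the VLAN Architecture section.
Host addresses are the page's abbreviated card addresses expanded to full IPv4.
Anything marked ASSUMED is not stated on the page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VLANS = {
    "Management": ipaddress.ip_network("192.168.1.0/24"),
    "Services": ipaddress.ip_network("192.168.20.0/24"),
    "IoT": ipaddress.ip_network("192.168.30.0/24"),
    "DMZ": ipaddress.ip_network("192.168.40.0/24"),
    "Bot-Net": ipaddress.ip_network("192.168.50.0/28"),
}

# Named hosts expanded from the page's cards.
HOSTS = {
    "HA": "192.168.30.10",        # Home Assistant, VM 116 (·30.10)
    "InfluxDB": "192.168.20.41",  # InfluxDB LXC (·20.41)
    "Wazuh": "192.168.20.30",     # Wazuh LXC 110 (·20.30)
}

# RFC 1918 space; anything outside it is treated as "internet" for rule matching.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MGMT_TO_IOT_PORTS = frozenset({8123, 443})  # ASSUMED: page only says "specific ports"


@dataclass(frozen=True)
class Rule:
    src: str                     # VLAN name, host name, or "any"
    dst: str                     # VLAN name, host name, "internet", or "any"
    dports: Optional[frozenset]  # None = any destination port
    action: str                  # "ALLOW" or "DENY"
    note: str                    # the page's rule line this encodes


def _side_matches(pattern: str, ip: ipaddress.IPv4Address) -> bool:
    if pattern == "any":
        return True
    if pattern == "internet":
        return not any(ip in net for net in RFC1918)
    if pattern in VLANS:
        return ip in VLANS[pattern]
    if pattern in HOSTS:
        return ip == ipaddress.ip_address(HOSTS[pattern])
    raise ValueError(f"unknown pattern {pattern!r}")


# Order follows the page; within a VLAN the specific ALLOWs precede the DENYs.
# Intra-VLAN traffic is not routed, so only inter-VLAN flows are modelled here.
RULES = [
    Rule("Management", "Services", None, "ALLOW", "Management -> Services (any)"),
    Rule("Management", "IoT", MGMT_TO_IOT_PORTS, "ALLOW", "Management -> IoT (specific ports)"),
    Rule("Services", "Services", None, "ALLOW", "Services <-> Services"),
    Rule("Services", "internet", None, "ALLOW", "Services -> internet (via NPM)"),
    Rule("Services", "Management", None, "DENY", "Services -> Management (initiated)"),
    Rule("IoT", "internet", None, "ALLOW", "IoT -> internet"),
    Rule("HA", "InfluxDB", frozenset({8086}), "ALLOW", "HA -> InfluxDB :8086 only"),
    Rule("IoT", "Management", None, "DENY", "IoT -> Management"),
    Rule("IoT", "Services", None, "DENY", "IoT -> Services"),
    Rule("DMZ", "internet", None, "ALLOW", "DMZ -> internet"),
    Rule("DMZ", "Management", None, "DENY", "DMZ -> Management"),
    Rule("DMZ", "Services", None, "DENY", "DMZ -> Services (default)"),
    Rule("Bot-Net", "Wazuh", frozenset({443}), "ALLOW", "Bot-Net -> Wazuh API :443"),
    Rule("Bot-Net", "InfluxDB", frozenset({8086}), "ALLOW", "Bot-Net -> InfluxDB :8086"),
    Rule("Bot-Net", "Management", frozenset({8006}), "ALLOW", "Bot-Net -> Proxmox API :8006 (ASSUMED: any Management host)"),
    Rule("Bot-Net", "internet", frozenset({443}), "ALLOW", "Bot-Net -> Discord (external, HTTPS)"),
    Rule("Bot-Net", "any", None, "DENY", "Bot-Net: everything else"),
]


def evaluate(src: str, dst: str, dport: int) -> tuple:
    """Return (action, note) for the first rule matching the flow; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if _side_matches(r.src, s) and _side_matches(r.dst, d) and (r.dports is None or dport in r.dports):
            return r.action, r.note
    return "DENY", "implicit default deny"


# Constructed flows with the verdict the segmentation design intends.
EXPECTED = [
    ("192.168.30.10", "192.168.20.41", 8086, "ALLOW"),  # HA telemetry to InfluxDB
    ("192.168.30.10", "192.168.20.41", 8087, "DENY"),   # same pair, wrong port
    ("192.168.30.55", "192.168.1.10", 8006, "DENY"),    # IoT device to a hypervisor
    ("192.168.50.2", "192.168.20.30", 443, "ALLOW"),    # K-2SO to Wazuh API
    ("192.168.50.2", "192.168.20.30", 22, "DENY"),      # K-2SO to Wazuh SSH
    ("192.168.50.2", "192.168.1.11", 8006, "ALLOW"),    # K-2SO to Proxmox API
    ("192.168.50.2", "203.0.113.5", 80, "DENY"),        # Bot-Net plain HTTP out
    ("192.168.20.70", "192.168.1.10", 8006, "DENY"),    # Services initiating to Management
    ("192.168.1.5", "192.168.20.70", 5678, "ALLOW"),    # Management to a service
    ("192.168.40.7", "192.168.20.10", 80, "DENY"),      # DMZ to Services
]


def audit() -> list:
    """Return every flow whose verdict differs from the intended one (empty = policy intact)."""
    mismatches = []
    for src, dst, dport, want in EXPECTED:
        got, note = evaluate(src, dst, dport)
        if got != want:
            mismatches.append((src, dst, dport, want, got, note))
    return mismatches


if __name__ == "__main__":
    for row in audit():
        print("MISMATCH", row)
    print("ok" if not audit() else "policy drift detected")
```

The value of keeping the expected-flow table next to the rules is that any later edit to the policy (a new DMZ service, a widened Bot-Net allow) is checked against the isolation the design promises, rather than discovered when Wazuh reports a connection that should never have been possible. An address inside 192.168.50.0/24 but outside the /28 matches no VLAN and falls to the implicit default deny, which is the behaviour you want for anything not explicitly provisioned.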
03

Services by Function

◆ Identity & Access
Authentik SSO · Home One
PostgreSQL 15 · Home One
Redis · Home One
Vaultwarden · Phoenix-Nest
ALLIANCE-DC01 · NODE-B
Entra Connect PHS · DC01 → Azure
◯ Security & Detection
Wazuh SIEM · LXC 110
Wazuh Agents (10+) · All hosts
AdGuard Home · LXC 100
Nginx Proxy Mgr · LXC 101
▲ Observability
Telegraf (all hosts) · 10s intervals
InfluxDB 2.x · NODE-B
Grafana · ·20.40
Uptime Kuma · LXC 113
Homepage · Phoenix-Nest
⚡ Automation
n8n (20+ workflows) · Phoenix-Nest
BD-1 Discord bot · Stinger Mantis
K-2SO Observer · Stinger Mantis
Wazuh → n8n → Discord · Alert pipeline
CVE Digest → Ollama · Weekly
vzdump + azcopy · Azure Blob backup
✦ AI / ML Platform
Ollama · Tantive-III
OpenWebUI · llm.tima.dev
AnythingLLM · 2,385 vectors
llama3.1:8b · 50+ tok/s
llama3.1:70b (Q4) · 12 tok/s
◇ Access & Remote
Tailscale subnet router · All 5 VLANs
Home Assistant · VM 116 · VLAN 30
RustDesk · CT 114 · ·20.81
Sunshine stream · Canto-Bight
Cloudflare DNS + SSL · *.tima.dev wildcard
04

Three-System Identity Architecture

Authentik SSO
Web SSO
Centralized web application identity. OIDC and SAML across 15+ services. MFA enforced at flow level. Single audit trail forwarded to Wazuh.
OIDC/SAML: Grafana, n8n, Portainer, Wazuh, Gitea, BookStack
Forward Auth: Vaultwarden, Homepage, ComfyUI, AnythingLLM
MFA: TOTP enforced at flow level, not per-app
Login events forwarded to Wazuh SIEM
Active Directory
Windows Domain
On-premises Windows domain for endpoint management and SC-300 lab work. ALLIANCE-DC01 on Windows Server 2022.
Forest: alliance.lab · ALLIANCE domain
Canto-Bight domain-joined workstation
GPO cascade: domain → OU → computer
Source for Entra Connect PHS sync
Entra ID
Cloud IdP
Azure AD synchronized from on-prem via Entra Connect Password Hash Sync. Conditional Access testing for SC-300 objectives.
Entra Connect PHS: 2-min sync cycle
Conditional Access policy testing
Azure Blob Storage: azcopy backup target
AZ-104 / SC-300 hands-on lab environment
Three systems, three distinct purposes. Authentik handles web apps (OIDC/SAML). Active Directory handles Windows endpoint management (Kerberos/GPO). Entra ID handles cloud resources. None replaces another.
05

Ghost Squadron

Planned — Not Deployed
Ghost Squadron — Edge Tier
Two Raspberry Pi 4Bs on VLAN 60 (Endor) as a lightweight k3s cluster. Edge quorum witness, distributed DNS, monitoring probes, AdGuard secondary. The Alienware Steam Machine R2 repurposed as NAS and corosync-qnetd device.
Sentinel
RPi 4B · 8GB
k3s server · quorum witness
Tydirium
RPi 4B · 8GB
k3s agent · edge DNS · probes
Alienware R2
Steam Machine (decom)
NAS backbone · corosync-qnetd
VLAN 60 / Endor
192.168.60.0/24
Isolated edge · AdGuard secondary
06

Fleet Phase Roadmap

Phase 0
Backup Foundation
vzdump, pg_dump, azcopy first run at 130GB to Azure Blob. BD-1 PM2 startup hook complete.
COMPLETE
Phase 1
Core Stabilization
Hostname cleanup, n8n timezone fix, all critical services stable, vzdump and pg_dump running since April 14.
COMPLETE
Phase 1.5
Home Assistant Integration
HA VM 116 onboarded, InfluxDB integration confirmed, Uptime Kuma monitor active, VLAN 30 isolation verified.
COMPLETE
Phase 2
Alliance Fleet Codex
Yavin-IV (VM 500): BookStack, NetBox, Gitea, Homepage. Full documentation standard. Target: mid-August 2026.
PENDING · AUG 2026
Phase 3
Ghost Squadron
Sentinel + Tydirium k3s cluster on VLAN 60. Alienware repurposed as NAS + qdevice for edge quorum.
PLANNED
Phase 4
Cloud Translation
Continuation post AZ-104: map remaining homelab to Azure. Azure Blob backup already operational as the first wedge. Next: VNets, NSGs, Azure Monitor, RBAC. Act V capstone.
PLANNED · POST AZ-104