feat: upgrading the always-on infra to use multiple individual stacks

InputObject2 · InputObject2 · commit 5538ae6fc4b7 · 2026-03-31T00:35:03.000-04:00
diff --git a/infrastructure/always-on/README.md b/infrastructure/always-on/README.md
@@ -5,9 +5,9 @@ This directory contains the complete implementation spec and automation for the
 ## Overview
 
 Three machines (`srv-26`, `srv-27`, `srv-28`) form the backbone of the homelab infrastructure, providing:
-- **srv-26**: DNS, VPN gateway, WLAN controller, monitoring clients, GitHub Actions runner, Portainer server
-- **srv-27**: Secondary DNS, Grafana, Prometheus, Loki, InfluxDB (observability stack)
-- **srv-28**: Home Assistant, Matterbridge, FreePBX + VOIP, Portainer agent
+- **srv-26**: Primary DNS (Technitium), network fabric (Tailscale, Gatus, ntfy), WLAN controller (Omada), GitHub Actions runner
+- **srv-27**: Secondary DNS (Technitium, zone transfer from srv-26), observability stack (Prometheus, Grafana, Loki, InfluxDB, Promtail)
+- **srv-28**: Home automation (Home Assistant, Matterbridge, python-matter-server, matter-hub, ESPHome, Zigbee2MQTT, Mosquitto), VoIP (FreePBX, TFTP, MariaDB)
 
 ## Quick Start
 
@@ -109,9 +109,17 @@ infrastructure/always-on/
 │       └── portainer/          # Deploy Portainer server/agent
 │
 ├── stacks/                     # Docker Compose workloads (managed by Portainer)
-│   ├── srv-26/docker-compose.yml
-│   ├── srv-27/docker-compose.yml
-│   └── srv-28/docker-compose.yml
+│   ├── srv-26/
+│   │   ├── dns/docker-compose.yml       # Technitium DNS
+│   │   ├── infra/docker-compose.yml     # Tailscale, Gatus, ntfy
+│   │   ├── wlan/docker-compose.yml      # Omada controller
+│   │   └── cicd/docker-compose.yml      # GitHub Actions runner
+│   ├── srv-27/
+│   │   ├── dns/docker-compose.yml       # Technitium DNS (secondary)
+│   │   └── observability/docker-compose.yml  # Prometheus, Grafana, Loki, InfluxDB, Promtail
+│   └── srv-28/
+│       ├── ha/docker-compose.yml        # Home Assistant, Matterbridge, Matter, ESPHome, Zigbee2MQTT, Mosquitto
+│       └── voip/docker-compose.yml      # FreePBX, TFTP, MariaDB
 │
 ├── vault/                      # Vault configuration
 │   ├── policies/               # Vault policies (shared, srv-26, srv-27, srv-28)
@@ -139,8 +147,10 @@ infrastructure/always-on/
 - Or manually trigger: `ssh ansible@srv-host sudo systemctl start ansible-pull.service`
 
 **For Docker/application changes:**
-- Edit `stacks/<hostname>/docker-compose.yml`
-- Add as a Git-backed stack in Portainer, or push and let Portainer auto-sync
+- Edit the relevant `stacks/<hostname>/<stack>/docker-compose.yml`
+- Each stack is registered independently in Portainer as a Git-backed stack
+- Portainer stack path format: `infrastructure/always-on/stacks/<hostname>/<stack>`
+- Push to main branch and trigger a pull in Portainer, or let auto-sync run
 
 **For new secrets:**
 - Add to Vault: `vault kv put secrets/infra/srv-xx/app-name key=value`
diff --git a/infrastructure/always-on/ansible/bootstrap.yml b/infrastructure/always-on/ansible/bootstrap.yml
@@ -2,7 +2,7 @@
 # Bootstrap playbook to be run once from operator laptop
 # Usage: ansible-playbook infrastructure/always-on/ansible/bootstrap.yml \
 #  --inventory infrastructure/always-on/ansible/inventory/hosts.yml \
-#  --extra-vars "vault_token=hvs.xxxxx" \
+#  --extra-vars "vault_token=hvs.xxxxx vault_addr=https://vault.your-domain.com" \
 #  --ask-become-pass
 #
 # This playbook Sets up Vault policies and AppRoles, then applies common roles to all machines
diff --git a/infrastructure/always-on/ansible/roles/common/handlers/main.yml b/infrastructure/always-on/ansible/roles/common/handlers/main.yml
@@ -13,3 +13,8 @@
 - name: reload systemd
   ansible.builtin.systemd:
     daemon_reload: yes
+
+- name: restart systemd-resolved
+  ansible.builtin.systemd:
+    name: systemd-resolved
+    state: restarted
diff --git a/infrastructure/always-on/ansible/roles/common/tasks/main.yml b/infrastructure/always-on/ansible/roles/common/tasks/main.yml
@@ -121,3 +121,22 @@
   ansible.builtin.systemd:
     name: ansible-pull.timer
     state: started
+
+- name: Ensure [Resolve] section exists in resolved.conf for Technitium hosts
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/resolved.conf
+    regexp: '^\[Resolve\]$'
+    line: '[Resolve]'
+    insertafter: EOF
+    state: present
+  when: "'technitium' in host_stacks"
+
+- name: Disable systemd-resolved DNS stub listener for Technitium hosts
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/resolved.conf
+    regexp: '^DNSStubListener='
+    line: DNSStubListener=no
+    insertafter: '^\[Resolve\]$'
+    state: present
+  when: "'technitium' in host_stacks"
+  notify: restart systemd-resolved
diff --git a/infrastructure/always-on/ansible/roles/portainer/tasks/main.yml b/infrastructure/always-on/ansible/roles/portainer/tasks/main.yml
@@ -19,6 +19,7 @@
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
       - portainer_data:/data
+      - /opt/secrets:/opt/secrets:ro
   when: portainer_role == "server"
 
 - name: Deploy Portainer agent
diff --git a/infrastructure/always-on/stacks/srv-26/cicd/docker-compose.yml b/infrastructure/always-on/stacks/srv-26/cicd/docker-compose.yml
@@ -0,0 +1,15 @@
+version: '3.8'
+
+services:
+  github-runner:
+    image: myoung34/github-runner:latest
+    container_name: github-runner
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - runner_data:/home/runner
+    env_file:
+      - /opt/secrets/github-runner/github-runner.env
+
+volumes:
+  runner_data:
diff --git a/infrastructure/always-on/stacks/srv-26/dns/docker-compose.yml b/infrastructure/always-on/stacks/srv-26/dns/docker-compose.yml
@@ -15,4 +15,4 @@ services:
       - /opt/secrets/technitium/technitium.env
 
 volumes:
-  technitium_data:
+  technitium_data:
diff --git a/infrastructure/always-on/stacks/srv-26/docker-compose.yml b/infrastructure/always-on/stacks/srv-26/docker-compose.yml
diff --git a/infrastructure/always-on/stacks/srv-26/infra/docker-compose.yml b/infrastructure/always-on/stacks/srv-26/infra/docker-compose.yml
@@ -0,0 +1,40 @@
+version: '3.8'
+
+services:
+  tailscale:
+    image: tailscale/tailscale:latest
+    container_name: tailscale
+    restart: unless-stopped
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+    volumes:
+      - tailscale_data:/var/lib/tailscale
+    env_file:
+      - /opt/secrets/tailscale/tailscale.env
+
+  gatus:
+    image: twinproduction/gatus:v5.5.1
+    container_name: gatus
+    restart: unless-stopped
+    ports:
+      - "8080:8080/tcp"
+    volumes:
+      - ./gatus-config.yaml:/etc/gatus/config.yaml
+    env_file:
+      - /opt/secrets/gatus/gatus.env
+
+  ntfy:
+    image: binwiederhier/ntfy:latest
+    container_name: ntfy
+    restart: unless-stopped
+    ports:
+      - "8090:80/tcp"
+    volumes:
+      - ntfy_data:/var/lib/ntfy
+    env_file:
+      - /opt/secrets/ntfy/ntfy.env
+
+volumes:
+  tailscale_data:
+  ntfy_data:
diff --git a/infrastructure/always-on/stacks/srv-26/wlan/docker-compose.yml b/infrastructure/always-on/stacks/srv-26/wlan/docker-compose.yml
@@ -0,0 +1,20 @@
+version: '3.8'
+
+services:
+  omada-controller:
+    image: mbentley/omada-controller:latest
+    container_name: omada
+    restart: unless-stopped
+    ports:
+      - "8088:8088/tcp"
+      - "8043:8043/tcp"
+      - "29810:29810/udp"
+      - "29811:29811/tcp"
+      - "29812:29812/tcp"
+    volumes:
+      - omada_data:/opt/tplink/EAPController/data
+    env_file:
+      - /opt/secrets/omada/omada.env
+
+volumes:
+  omada_data:
diff --git a/infrastructure/always-on/stacks/srv-27/dns/docker-compose.yml b/infrastructure/always-on/stacks/srv-27/dns/docker-compose.yml
@@ -0,0 +1,18 @@
+version: '3.8'
+
+services:
+  technitium:
+    image: technitium/dns-server:latest
+    container_name: technitium
+    restart: unless-stopped
+    ports:
+      - "53:53/tcp"
+      - "53:53/udp"
+      - "5380:5380/tcp"
+    volumes:
+      - technitium_data:/etc/technitium
+    env_file:
+      - /opt/secrets/technitium/technitium.env
+
+volumes:
+  technitium_data:
diff --git a/infrastructure/always-on/stacks/srv-27/observability/docker-compose.yml b/infrastructure/always-on/stacks/srv-27/observability/docker-compose.yml
@@ -60,4 +60,4 @@ volumes:
   prometheus_data:
   grafana_data:
   loki_data:
-  influxdb_data:
+  influxdb_data:
diff --git a/infrastructure/always-on/stacks/srv-28/ha/docker-compose.yml b/infrastructure/always-on/stacks/srv-28/ha/docker-compose.yml
@@ -0,0 +1,81 @@
+version: '3.8'
+
+services:
+  homeassistant:
+    image: ghcr.io/home-assistant/home-assistant:stable
+    container_name: homeassistant
+    restart: unless-stopped
+    network_mode: host
+    privileged: true
+    volumes:
+      - homeassistant_config:/config
+      - /run/dbus:/run/dbus:ro
+    env_file:
+      - /opt/secrets/homeassistant/homeassistant.env
+
+  matterbridge:
+    image: 42wim/matterbridge:latest
+    container_name: matterbridge
+    restart: unless-stopped
+    network_mode: host
+    volumes:
+      - ./matterbridge.toml:/etc/matterbridge/matterbridge.toml
+      - matterbridge_data:/data
+    env_file:
+      - /opt/secrets/matterbridge/matterbridge.env
+
+  python-matter-server:
+    image: ghcr.io/home-assistant-libs/python-matter-server:8.1
+    container_name: python-matter-server
+    restart: unless-stopped
+    volumes:
+      - python_matter_server_data:/data
+    env_file:
+      - /opt/secrets/python-matter-server/python-matter-server.env
+
+  matter-hub:
+    image: ghcr.io/t0bst4r/home-assistant-matter-hub:3.0.1
+    container_name: matter-hub
+    restart: unless-stopped
+    volumes:
+      - matter_hub_data:/data
+    env_file:
+      - /opt/secrets/matter-hub/matter-hub.env
+
+  esphome:
+    image: ghcr.io/esphome/esphome:2026.3.1
+    container_name: esphome
+    restart: unless-stopped
+    volumes:
+      - esphome_data:/config
+    env_file:
+      - /opt/secrets/esphome/esphome.env
+
+  zigbee2mqtt:
+    image: koenkk/zigbee2mqtt:2.9.1
+    container_name: zigbee2mqtt
+    restart: unless-stopped
+    volumes:
+      - zigbee2mqtt_data:/app/data
+    env_file:
+      - /opt/secrets/zigbee2mqtt/zigbee2mqtt.env
+
+  mosquitto:
+    image: eclipse-mosquitto:2.0.22
+    container_name: mosquitto
+    restart: unless-stopped
+    volumes:
+      - mosquitto_data:/mosquitto/data
+      - mosquitto_logs:/mosquitto/log
+    env_file:
+      - /opt/secrets/mosquitto/mosquitto.env
+
+volumes:
+  homeassistant_config:
+  matterbridge_data:
+  python_matter_server_data:
+  matter_hub_data:
+  esphome_data:
+  zigbee2mqtt_data:
+  mosquitto_data:
+  mosquitto_logs:
diff --git a/infrastructure/always-on/stacks/srv-28/voip/docker-compose.yml b/infrastructure/always-on/stacks/srv-28/voip/docker-compose.yml

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`# Bootstrap playbook to be run once from operator laptop`
`3`	`3`	`# Usage: ansible-playbook infrastructure/always-on/ansible/bootstrap.yml \`
`4`	`4`	`# --inventory infrastructure/always-on/ansible/inventory/hosts.yml \`
`5`		`-# --extra-vars "vault_token=hvs.xxxxx" \`
	`5`	`+# --extra-vars "vault_token=hvs.xxxxx vault_addr=https://vault.your-domain.com" \`
`6`	`6`	`# --ask-become-pass`
`7`	`7`	`#`
`8`	`8`	`# This playbook Sets up Vault policies and AppRoles, then applies common roles to all machines`