# Repository Structure

```text
lron-infra/
|-- mkdocs.yml                      # MkDocs Material configuration
|-- docs/                           # Documentation site source
|   |-- index.md                    # Landing page
|   |-- architecture/
|   |   |-- overview.md             # High-level architecture
|   |   |-- infrastructure.md       # VM specs, IaC resources
|   |   |-- network.md              # Network topology, firewall rules
|   |   |-- kubernetes.md           # K3s + Rancher + Cilium setup
|   |   +-- decisions.md            # Architecture Decision Records (ADR-001 to ADR-014)
|   |-- operations/
|   |   |-- beast-lifecycle.md      # Beast spin-up/down procedures
|   |   |-- secrets.md              # SOPS+age, Bitwarden, key rotation
|   |   |-- sync.md                 # GitLab + GDrive sync strategy
|   |   |-- backup-recovery.md      # Backup strategy, loss scenarios, CX32 recovery
|   |   +-- wan-emulation.md        # tc netem profiles, DDIL testing
|   |-- security/
|   |   |-- dmz.md                  # Caddy, Authelia, ttyd configuration
|   |   |-- hardening.md            # CrowdSec, endlessh, UFW, SSH, K3s hardening
|   |   +-- access.md               # Access workflows (home, Defence workstation)
|   |-- observability/
|   |   |-- monitoring.md           # VictoriaMetrics, Grafana, dashboards
|   |   |-- logging.md              # Loki + Alloy, log sources, retention
|   |   |-- alerting.md             # vmalert rules, ntfy.sh integration
|   |   +-- uptime.md               # Uptime Kuma + UptimeRobot
|   |-- hdcp/
|   |   +-- alignment.md            # HDCP concept mapping, design decisions proven
|   +-- reference/
|       |-- costs.md                # Full cost breakdown, budget enforcement
|       |-- repo-structure.md       # This file
|       +-- risks.md                # Risk register
|
|-- tofu/                           # OpenTofu infrastructure definitions
|   |-- main.tf                     # Provider config, Hetzner resources
|   |-- variables.tf                # Input variables
|   |-- outputs.tf                  # Output values (IPs, DNS)
|   |-- versions.tf                 # Provider version constraints
|   |-- terraform.tfvars            # SOPS-encrypted variable values
|   +-- terraform.tfstate           # SOPS-encrypted state file
|
|-- ansible/                        # Ansible playbooks for VM configuration
|   |-- site.yml                    # Master playbook
|   |-- inventory/
|   |   +-- hosts.yml               # Inventory with private IPs
|   |-- roles/
|   |   |-- common/                 # OS hardening, packages, UFW
|   |   |-- k3s-server/             # K3s server installation
|   |   |-- k3s-agent/              # K3s agent installation
|   |   |-- crowdsec/               # CrowdSec + bouncer setup
|   |   |-- wireguard/              # WireGuard configuration
|   |   +-- endlessh/               # endlessh tarpit setup
|   +-- group_vars/
|       |-- all.yml                 # Shared variables
|       +-- hub.yml                 # Hub-specific variables
|
|-- fleet/                          # Fleet GitOps bundles
|   |-- ingress/                    # DMZ workloads (Caddy, Authelia, ttyd)
|   |   |-- fleet.yaml              # Fleet bundle config
|   |   +-- *.yaml                  # Kubernetes manifests
|   |-- monitoring/                 # Observability stack
|   |   |-- fleet.yaml
|   |   +-- *.yaml
|   +-- dev/                        # Beast dev workloads
|       |-- fleet.yaml
|       +-- *.yaml
|
|-- scripts/                        # Operational scripts
|   |-- beast-up.sh                 # Spin up Beast VM (10-step)
|   |-- beast-down.sh               # Spin down Beast VM (8-step)
|   |-- wan-test.sh                 # WAN emulation wrapper
|   +-- rotate-keys.sh              # Key rotation helper
|
|-- secrets/                        # SOPS-encrypted secrets (committed)
|   |-- wireguard.yaml              # WireGuard key pairs
|   |-- k3s.yaml                    # K3s node token
|   |-- authelia-users.yaml         # Authelia user database
|   +-- hetzner.yaml                # API tokens
|
|-- dashboards/                     # Grafana dashboard JSON exports
|   |-- cluster-overview.json
|   |-- node-detail.json
|   |-- pod-resources.json
|   |-- network-cilium.json
|   |-- beast-session.json
|   +-- crowdsec.json
|
|-- wan-emulation/                  # WAN emulation profiles and results
|   |-- profiles/
|   |   |-- normal.sh
|   |   |-- degraded.sh
|   |   +-- ddil-severe.sh
|   +-- results/                    # Test run results (gitignored)
|
|-- .sops.yaml                      # SOPS encryption rules
|-- .gitignore                      # Standard ignores
+-- README.md                       # Quick start pointer to docs/
```
## Key Conventions

| Convention | Rule |
|---|---|
| Secrets | Always SOPS-encrypted, never plaintext in repo |
| State files | SOPS-encrypted, committed to repo |
| Dashboards | Exported as JSON, provisioned by Grafana |
| Fleet bundles | One directory per namespace, `fleet.yaml` in each |
| Scripts | Bash, executable, self-documenting with usage headers |
| WAN results | Gitignored (regenerated per test run) |
| Documentation | MkDocs source in `docs/`, served via `mkdocs serve` |