The Fleet Manifest: Strategic Resource Allocation
Category: Orchestration / Asset Management
Post 02 covered the architecture and fault domain logic. Now let's look at what actually runs on it.
This Fleet Manifest is the master inventory: every VM and LXC mapped to its node, its resources, and its purpose. It's also the document I use for capacity planning, ensuring AI workloads never compete with the identity platform or the SIEM for CPU and memory.
The Service Map
| Node | Service | Codename | Type | Purpose |
|---|---|---|---|---|
| Node-A | Tantive-III | (Diplomatic Consular Ship) | VM | Dedicated AI VM: Ollama LLM, OpenWebUI, ComfyUI, AnythingLLM-C3PO. RTX 4000 Ada via VFIO passthrough. |
| Node-B | Authentik SSO | Authentik-ChainCode | VM | Identity Core. SSO via OIDC/SAML, MFA enforcement across 15+ services. |
| Node-B | PostgreSQL | Postgres-Archives | LXC | Central relational database for Authentik, n8n, and stateful services. |
| Node-B | Redis | Redis-HoloNet | LXC | In-memory cache. Session management and fast data relay for Authentik. |
| Node-B | n8n | (Tactical Droid) | LXC | API automation. Processes Wazuh webhooks, pushes alerts to Discord via Admiral Ackbar. |
| Node-B | InfluxDB | LXC | Time-series database (Flux). 10-second telemetry from all nodes. | |
| Node-B | Grafana | LXC | Visualization layer for the TIG Stack. | |
| Node-B | Vaultwarden | LXC | Self-hosted Bitwarden-compatible password manager. ECC/ZFS-protected. | |
| Node-B | Home Assistant | VM | IoT automation, isolated on VLAN 30. | |
| Node-B | Homepage | LXC | Centralized service dashboard. | |
| Node-C | Wazuh SIEM | VM | Log aggregation, FIM, threat detection across the fleet. | |
| Node-C | AdGuard Home | LXC | DNS-level filtering. Blocks tracking, ads, and malware domains. | |
| Node-C | Nginx Proxy Mgr | LXC | TLS termination and reverse proxy. Lives in DMZ (VLAN 40). | |
| Node-C | Uptime Kuma | LXC | Service availability monitoring. |
Network Hardware
| Device | Model | Role |
|---|---|---|
| Gateway/Firewall | UniFi Dream Machine | Routing, inter-VLAN firewall, VLAN management, threat management |
| Switch | UniFi US-8-150W | PoE managed switch, VLAN trunking to all nodes |
| WiFi AP | UniFi Beacon HD | Wireless connectivity |
Management Stations
| Device | Codename | Role |
|---|---|---|
| Home Desktop | Independence (MC80 Star Cruiser) | Fixed Command. Primary workstation for fleet administration. |
| Dell Pro 14 Plus (PB14255) | Lady Luck (Lando's Yacht) | Mobile Command. On-the-go management and monitoring. |
| Dell Latitude 7350 2-in-1 | The Ghost (Hera's Ship) | Tactical Recon. Versatile, modular, tablet/laptop configurations. |
Placement Logic
The service distribution follows directly from Post 02's fault domains:
Node-A is pure compute. One node, one VM, one GPU. Tantive-III gets the full RTX 4000 Ada via VFIO with no contention. In earlier iterations, Node-A also hosted n8n, Home Assistant, and Uptime Kuma. A GPU-triggered VFIO lockup would have taken all of those down. Current layout means a GPU failure costs AI inference and nothing else.
Node-B holds everything stateful. Authentik-ChainCode (identity), Postgres-Archives (databases), Redis-HoloNet (session cache), InfluxDB (metrics history), Vaultwarden (credentials), automation state. All on ECC-protected ZFS. Scattering these across nodes with different storage guarantees creates inconsistent reliability. Centralizing on the Corvette gives every data service the same hardware-level integrity and snapshot/rollback capability.
Node-C is the security baseline. Wazuh moved here from Node-B so security monitoring stays up during data-tier maintenance. The SIEM, DNS filtering, reverse proxy, and availability monitoring form an always-on perimeter that survives any single-node failure.
VLAN Segmentation
Services don't just live on different nodes. They live on different networks.
╔══════════════════════════════════════════════════════════════════════════╗
║ VLAN TOPOLOGY ║
╠══════════════════════════════════════════════════════════════════════════╣
║ ║
║ VLAN 10 — MANAGEMENT (192.168.1.0/24) ║
║ ├─ 192.168.1.1 UniFi Dream Machine (Gateway/Firewall) ║
║ ├─ 192.168.1.2 UniFi US-8-150W (Switch) ║
║ ├─ 192.168.1.10 Node-A Proxmox (Millennium Falcon) ║
║ ├─ 192.168.1.11 Node-B Proxmox (CR90 Corvette) ║
║ ├─ 192.168.1.12 Node-C Proxmox (Gozanti Cruiser) ║
║ └─ No DHCP — static assignments only ║
║ ║
║ VLAN 20 — SERVICES (192.168.20.0/24) ║
║ ├─ 192.168.20.10 Authentik-ChainCode (Postgres-Archives, Redis-HoloNet) ║
║ ├─ 192.168.20.20 Tantive-III VM (Ollama, OpenWebUI, ComfyUI) ║
║ ├─ 192.168.20.30 Wazuh SIEM ║
║ ├─ 192.168.20.40 Grafana ║
║ ├─ 192.168.20.41 InfluxDB ║
║ ├─ 192.168.20.50 n8n Automation ║
║ ├─ 192.168.20.51 Vaultwarden ║
║ └─ DHCP .100-.200 for future services ║
║ ║
║ VLAN 30 — IoT (192.168.30.0/24) ║
║ ├─ 192.168.30.10 HomeAssistant ║
║ ├─ Smart home devices ║
║ └─ Isolated — cannot initiate to Management or Services ║
║ ║
║ VLAN 40 — DMZ (192.168.40.0/24) ║
║ ├─ 192.168.40.10 Nginx Proxy Manager ║
║ ├─ Public-facing ingress only ║
║ └─ No DHCP — static assignments only ║
║ ║
╚══════════════════════════════════════════════════════════════════════════╝
| VLAN | Name | Subnet | DHCP | Purpose |
|---|---|---|---|---|
| 10 | Management | 192.168.1.0/24 | Disabled | Hypervisor interfaces. Static-only prevents rogue devices. |
| 20 | Services | 192.168.20.0/24 | .100-.200 | Application workloads. |
| 30 | IoT | 192.168.30.0/24 | .100-.200 | Smart home. Cannot initiate to Management or Services. |
| 40 | DMZ | 192.168.40.0/24 | Disabled | Public-facing reverse proxy. Every host explicitly provisioned. |
DHCP is disabled on Management and DMZ: the highest-trust and highest-exposure VLANs. IoT is isolated because consumer devices ship with default credentials, unpatched firmware, and phone-home telemetry. Same segmentation pattern used in enterprise campus networks.
That's the full inventory. Next post digs into the observability pipeline that ties it all together, and why it turned out to be the most important system in the fleet.