infra/docs/adr
Viktor Barzin 114a7743ac
ci/woodpecker/push/default Pipeline was successful
backup-mx: pivot to self-hosted Oracle relay; challenge-hardened design v3
Rollernet's free tier failed the validation gates before any DNS change
(200 msgs / 10 MB per rolling week, then 48h of SMTP 5xx bounces —
worse than no backup MX; free accounts being discontinued). Viktor
chose to stay free, so the backup MX becomes a Postfix store-and-forward
relay on an Oracle Always-Free VM (mx2.viktorbarzin.me, MX pref 20),
draining via port 2526 through the existing pfSense HAProxy frontend
since Oracle blocks egress 25.

Two independent adversarial reviews then fixed the design: primary-side
drain enablement moved to the layers that actually reject (unknown-
client-hostname, spoof protection, anvil limits, rspamd reject tier ->
external_relay + action cap, never backscatter), monitoring moved off
the nonexistent cluster->tailnet path to allowlisted public-IP scrapes,
bounce lifetime cut to 1d (the VM can never deliver DSNs), OCI OS-level
iptables + reserved-IP + mandatory PAYG requirements added, and 4xx-only
postscreen hygiene replaces the blanket no-filtering stance.

ADR-0019 and the design doc renamed accordingly (rollernet -> oracle).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-04 13:38:39 +00:00
0001-android-emulator-in-cluster.md android-emulator: new stack — shared in-cluster Android 16 testing instance 2026-06-11 19:51:57 +00:00
0002-all-image-builds-off-infra-gha-ghcr.md docs: ADR-0002 — all owned image builds move off-infra to GHA + ghcr [ci skip] 2026-06-12 19:55:47 +00:00
0003-keep-forgejo-canonical-complete-mirror.md plotting-book: pull image from private ghcr instead of public DockerHub 2026-06-27 15:32:19 +00:00
0004-homelab-unified-cli.md homelab: v0.1 docs, distribution wiring, and version 2026-06-18 19:25:51 +00:00
0005-homelab-v01-scope.md homelab: v0.1 docs, distribution wiring, and version 2026-06-18 19:25:51 +00:00
0006-homelab-work-and-tf.md homelab: v0.1 docs, distribution wiring, and version 2026-06-18 19:25:51 +00:00
0007-homelab-k8s-verbs.md homelab: v0.2.0 — docs + version for the k8s verb-group 2026-06-18 22:30:41 +00:00
0008-homelab-memory-verbs.md homelab: add memory verb-group (v0.3.0) — direct claude-memory HTTP client 2026-06-19 05:56:25 +00:00
0009-homelab-ci-deploy-verbs.md homelab: v0.4.0 — ci/deploy verbs (watch what you trigger) 2026-06-19 10:59:14 +00:00
0010-homelab-net-obs-verbs.md homelab: v0.5.0 — net/dns/metrics/logs probes (endpoint resolution) 2026-06-19 11:27:31 +00:00
0011-homelab-usage-telemetry.md docs(adr): add ADR-0015 (OS/sudo is the authorization boundary), supersede ADR-0011 privacy norm 2026-06-26 08:22:29 +00:00
0012-homelab-ha-verbs.md homelab ha token: dedicated openclaw/ha-tokens secret + least-priv RBAC for emo 2026-06-21 10:45:32 +00:00
0013-homelab-browser-verbs.md homelab v0.8.0: browser verbs for headful anti-bot web automation 2026-06-22 12:22:22 +00:00
0014-service-identity-and-east-west-observability.md monitoring: consolidate all Slack alerting to #alerts, abandon #security 2026-06-26 13:29:44 +00:00
0015-os-is-the-authorization-boundary.md docs(adr): add ADR-0015 (OS/sudo is the authorization boundary), supersede ADR-0011 privacy norm 2026-06-26 08:22:29 +00:00
0016-gpu-vram-extended-resource-budget.md feat(nvidia): GPU VRAM budget + watchdog to stop T4 overallocation 2026-06-30 07:57:40 +00:00
0017-cctv-physical-cabling.svg ADR-0017: add physical-cabling diagram (wires only) 2026-07-03 12:40:29 +00:00
0017-cctv-segment-dedicated-pfsense-leg.md ADR-0017: replace ASCII trunk diagram with excalidraw VLAN-tagging diagram 2026-07-03 13:21:59 +00:00
0017-cctv-segment-topology.svg ADR-0017 rev 3: single switch — PE replaces the SG105E, CCTV rides a VLAN-30 trunk on the LAN1 cable 2026-07-03 09:15:52 +00:00
0017-cctv-vlan-tagging.excalidraw ADR-0017: replace ASCII trunk diagram with excalidraw VLAN-tagging diagram 2026-07-03 13:21:59 +00:00
0017-cctv-vlan-tagging.svg ADR-0017: replace ASCII trunk diagram with excalidraw VLAN-tagging diagram 2026-07-03 13:21:59 +00:00
0018-valia-sites-off-infra-pages-in-cluster-sync.md docs: Valia-sites domain language + ADR-0018 (off-infra Pages, in-cluster sync) 2026-07-03 12:17:45 +00:00
0019-backup-mx-self-hosted-oracle-relay.md backup-mx: pivot to self-hosted Oracle relay; challenge-hardened design v3 2026-07-04 13:38:39 +00:00