Session 2026-01-14

Summary

Deep architecture review and streamlining for maximum geek factor with minimalism. Comprehensive documentation pass.

Accomplished

Part 1: Architecture Planning (Morning)

VPS Architecture

  • Researched Vultr vs DigitalOcean pricing (~$6/mo)
  • Documented privacy-focused VPS services
  • Created docs/vps-architecture.md

Fixed Homelab Planning

  • Designed Proxmox VE architecture (OPNsense + Docker Host VMs)
  • Researched Umbrel vs Start9 for Bitcoin node (chose Start9)
  • Planned NAS with Debian + mergerfs + snapraid
  • Created docs/fixed-homelab.md

Key Architecture Decisions

  • RPi 5 as primary Headscale (not VPS) - maximum sovereignty
  • VPS demoted to helper only (DERP relay + monitoring)
  • Mobile kit is fully self-contained

Minimalism Review

  • Removed Portainer (use lazydocker CLI)
  • Removed Nextcloud (use Syncthing)
  • Removed Browserless from VPS (changedetection has built-in)
  • Replaced Traefik with Caddy (simpler)
  • Service count: 28 → 22

DNS Decision

  • Compared Pi-hole vs AdGuard Home
  • Chose Pi-hole for all environments (mobile/home/VPS)
  • Reason: OG street cred, better CLI (pihole -t), massive community

Part 2: Documentation Deep Dive (Afternoon)

Fixed Architecture Doc Issues

  • Updated diagram: Nextcloud/Traefik → Pi-hole/Caddy
  • Changed VPS label: "Coordination" → "Helper"
  • Fixed AdGuard → Pi-hole reference in secrets doc
  • Added Pi-hole to fixed homelab deployment order
  • Added NAS to Tailscale network table

DNS Architecture

  • Created comprehensive DNS flow documentation
  • Mobile: Pi-hole → public DNS (simple for travel)
  • Fixed: Pi-hole → Unbound on OPNsense:5353 (recursive, max privacy)
  • VPS: Pi-hole → public DNS (fallback)
  • Documented Headscale MagicDNS integration

Services Inventory

  • Updated services.md with all 22 services
  • Added service matrix by environment and category
  • Created full port allocation map
  • Documented Docker directory structure

SOPS Configuration

  • Created .sops.yaml with creation rules
  • Rules for mobile, fixed, VPS, and catch-all
  • User needs to add age public key

RPi 5 Case Research

  • Researched 3D printable cases for local printing (Paraguay)
  • Documented 7 options ranked by geek factor
  • Top pick: Retro Tower Desktop
  • Created comparison matrix and printing tips

Hardware Documentation

  • Complete rewrite of hardware.md
  • Added device details (RPi 5, Mini PC, RPi 4, NAS)
  • Network topologies with IPs
  • Tailscale IP allocation table
  • Power considerations and future hardware

Part 3: Domain & Branding Research (Initial)

Domain Name Research

  • Brainstormed Guarani-inspired domain names
  • Checked availability via WHOIS
  • Discovered .io doesn't support IDN (no ñ character)
  • Found available: nanduti.io, mbyja.io, kuarahy.io, verava.net

Initial Domain Decision

  • nanduti.io for homelab (Guarani "web/lace" = mesh metaphor)
  • verava.net for business (professional, easy)
  • Total cost: ~$42/year for both

Note: This decision was revised in Part 5.

Part 4: Comprehensive Architecture Review

Full Architecture Analysis

  • Reviewed all architecture docs with exploration agent
  • Identified strengths and gaps across all environments
  • Found 4 critical, 4 high, 4 medium, 3 low priority issues

Critical Gaps Identified

  • Headscale backup only daily (should be hourly)
  • No disaster recovery runbook
  • Caddy reverse proxy config undefined
  • MQTT missing for Home Assistant ↔ Frigate

Domain Coexistence Strategy

  • Mapped 11 subdomains for nanduti.io (personal)
  • Mapped 5 subdomains for verava.net (business)
  • Defined public vs Tailscale-only access model
  • Created proposed Caddy reverse proxy config

Improvement Roadmap

  • 17 tasks across 4 phases
  • Phase 1: Critical fixes before deployment
  • Phase 2: High priority during deployment
  • Phase 3: Medium priority post-deployment
  • Phase 4: Future enhancements

Part 5: Domain Strategy Pivot

New Context Revealed

  • Already own cronova.dev for Open Source / Micro SaaS
  • Email configured: augusto@cronova.dev
  • GitHub org exists: github.com/cronova
  • Personal GitHub: github.com/ajhermosilla

Strategy Pivot

  • cronova.dev replaces nanduti.io for homelab (already owned, same geek factor)
  • verava.ai replaces verava.net (AI positioning for Supply Chain + AI)
  • Skip nanduti.io entirely (save $30/yr)

Final Two-Domain Strategy

  • cronova.dev: Developer identity, homelab, open source, micro SaaS
  • verava.ai: Business identity, Supply Chain + AI consulting

verava.ai Availability

  • Checked WHOIS: AVAILABLE
  • Price: ~$50-80/yr
  • Recommended registrar: Cloudflare

Subdomain Architecture

  • cronova.dev: 16 subdomains (hs, home, media, btc, nas, git, vault, status, notify, api, saas, www, docs...)
  • verava.ai: 5 subdomains (www, app, api, docs, demo)

Part 6: Branding

Brand Identity Created

  • Created comprehensive docs/branding.md (393 lines)
  • Defined both brands with etymology, taglines, mission/vision

cronova.dev Brand

  • Etymology: Cron (Unix scheduler) + Nova (new star) = "Scheduled Innovation"
  • Tagline: "Build weird. Ship fast."
  • Mission: Build tools for developers who refuse to wait. Open source first. Ship fast.
  • Vision: Digital sovereignty for developers. Your code, your servers, your rules.
  • Personality: The friend who shares their dotfiles

verava.ai Brand

  • Etymology: Vera (Latin "true") + .ai = "True AI" / "Genuine Intelligence"
  • Tagline: "From chaos to clarity"
  • Mission: Transform supply chain chaos into competitive advantage through AI that anticipates, not just analyzes.
  • Vision: A world where no product is delayed, no inventory is wasted, and every supply chain runs on truth.
  • Personality: The strategic advisor who delivers results

Manifestos Created

  • The Cronova Manifesto: "That cron jobs are poetry. That shipping beats perfection."
  • The Verava Promise: "We will tell you the truth about your supply chain."

Additional Content

  • Founder bios (short, medium, long versions)
  • Elevator pitches (10-second, 30-second, combined)
  • Messaging matrix for different audiences
  • Color palettes and logo concepts
  • Social media handles to secure

Part 7: Disaster Recovery

DR Runbook Created

  • Created comprehensive docs/disaster-recovery.md (647 lines)
  • Addresses critical gap from architecture review

Scenarios Covered

| Scenario | Priority | Recovery Options |
|---|---|---|
| Headscale failure | Critical | Same hardware / Rebuild / VPS failover |
| Pi-hole failure | High | Restart / Restore / Rebuild |
| VPS failure | Medium | Vultr recovery / Rebuild |
| Vaultwarden failure | Critical | Restart / Restore from backup |
| Start9/Bitcoin failure | Medium | Restart / Reflash / Restore |
| NAS failure | Medium | SnapRAID recovery / Rebuild |
| Complete site failure | Variable | Per-site procedures |

Backup Strategy Documented

  • Headscale: Hourly to NAS + Cloud (30 days retention)
  • Vaultwarden: Hourly to NAS + Cloud (30 days retention)
  • Pi-hole: Daily to NAS (7 days retention)
  • Home Assistant: Daily to NAS (14 days retention)
  • Start9: Weekly to NAS (4 weeks retention)

Additional Content

  • Backup scripts ready to deploy
  • Recovery checklist (before/after)
  • Backup verification schedule (weekly/monthly/quarterly)
  • Post-incident template

Part 8: Infrastructure as Code

Mobile Kit Docker Compose

  • Created deployable configs for RPi 5
  • Ready to deploy when PSU arrives

Headscale Configuration

  • docker-compose.yml with embedded DERP server
  • config.yaml.example template with MagicDNS for cronova.dev
  • Let's Encrypt ACME setup
  • Setup instructions and useful commands in comments

Pi-hole Configuration

  • docker-compose.yml with configurable upstream DNS
  • Port 8080 for web UI (80 reserved)
  • DNSSEC enabled
  • Blocklist recommendations included

Supporting Files

  • .env.example with all environment variables
  • README.md quick start guide
  • .gitignore to protect secrets

Services Updated

  • Added Mosquitto MQTT broker to services.md
  • Service count: 22 → 23
  • Deployments: 25 → 26
  • Addresses critical gap (HA ↔ Frigate communication)

Part 9: Caddy Reverse Proxy

Comprehensive Config Created

  • Created docs/caddy-config.md (555 lines)
  • Addresses last critical gap from architecture review

VPS Caddyfile

  • Full config for cronova.dev public services (vault, status, notify, api, saas)
  • Full config for verava.ai services (www, app, api, docs)
  • Security headers on all responses
  • CORS configured per-service
  • Let's Encrypt ACME integration

Fixed Homelab Caddyfile

  • Internal services via Tailscale (home, media, sonarr, radarr, etc.)
  • WebSocket support for Home Assistant & Frigate
  • Tailscale HTTPS certificate strategy

Additional Content

  • Docker compose for VPS Caddy
  • Complete Cloudflare DNS tables (both domains)
  • SSL/TLS strategy documentation
  • Security hardening checklist
  • Deployment checklist and troubleshooting guide

Part 10: VPS Docker Compose

Complete VPS Stack Created

  • 7 docker-compose files for all VPS services
  • Ready for Vultr deployment

Services Configured

| Service | Ports | Purpose |
|---|---|---|
| Caddy | 80, 443 | Reverse proxy + Caddyfile |
| Pi-hole | 53, 8053 | US fallback DNS |
| DERP | 3478, 8443 | Tailscale relay |
| Uptime Kuma | 3001 | Status monitoring |
| ntfy | 8080 | Push notifications |
| changedetection | 5000 | Website monitoring |
| Restic REST | 8000 | Backup target |

Supporting Files

  • .env.example with VPS-specific variables
  • README.md with deployment order and setup
  • UFW firewall rules documented
  • Tailscale integration instructions
  • Monitoring checklist for Uptime Kuma

Directory Structure

docker/vps/
├── networking/caddy/     # + Caddyfile
├── networking/pihole/
├── networking/derp/
├── monitoring/           # Uptime Kuma + ntfy
├── scraping/             # changedetection + Playwright
└── backup/               # Restic REST

Part 11: Headscale Hourly Backup

Last Critical Gap Fixed

  • Added backup sidecar container to Headscale docker-compose
  • Alpine container with crond running hourly backups
  • Uses sqlite3 .backup for consistent database snapshots
  • Configurable backup path and retention (default 30 days)
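The sidecar logic described above, as an added example that is not the project's own backup.sh: a consistent snapshot through the sqlite3 CLI's `.backup`, an integrity check before the snapshot is trusted, and pruning by BACKUP_RETENTION_HOURS. The DB_PATH default and the /backups mount are assumptions.

```shell
#!/bin/sh
# Hypothetical backup.sh for the Headscale backup sidecar (added example, not the
# project's script). Runs under crond in an Alpine container; assumes the sqlite3
# CLI is installed and Headscale's database is mounted read-only at DB_PATH.
set -eu

DB_PATH="${DB_PATH:-/var/lib/headscale/db.sqlite}"        # assumed mount point
BACKUP_PATH="${BACKUP_PATH:-/backups}"                     # assumed volume
BACKUP_RETENTION_HOURS="${BACKUP_RETENTION_HOURS:-720}"    # 30 days

# Take a consistent snapshot through SQLite's online backup API (.backup) rather
# than cp: a write landing mid-copy cannot leave a torn, half-applied file.
# Prints the path of the new snapshot.
backup_db() {
    db="$1"; dest_dir="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dest_dir/headscale-$stamp.sqlite"
    mkdir -p "$dest_dir"
    sqlite3 "$db" ".backup '$out'"
    # Refuse to keep a snapshot that fails SQLite's own integrity check.
    if [ "$(sqlite3 "$out" 'PRAGMA integrity_check;')" != "ok" ]; then
        rm -f "$out"
        echo "integrity check failed for $out" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Drop snapshots older than the retention window (hours converted to minutes
# because find measures age in -mmin).
prune_old() {
    dest_dir="$1"; hours="$2"
    find "$dest_dir" -maxdepth 1 -type f -name 'headscale-*.sqlite' \
        -mmin +"$((hours * 60))" -delete
}

# Number of snapshots currently retained (useful as a monitoring check).
count_snapshots() {
    find "$1" -maxdepth 1 -type f -name 'headscale-*.sqlite' | wc -l | tr -d ' '
}

# crond invokes this as `backup.sh run`; without the argument only the
# functions are defined, so the file can be sourced by a test harness.
if [ "${1:-}" = "run" ]; then
    new=$(backup_db "$DB_PATH" "$BACKUP_PATH")
    prune_old "$BACKUP_PATH" "$BACKUP_RETENTION_HOURS"
    echo "backup ok: $new ($(count_snapshots "$BACKUP_PATH") retained)"
fi
```

The crontab entry in the sidecar would be `0 * * * * /backup.sh run`, with the retention window set to match the 30 days documented in the DR runbook.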

Files Created/Updated

  • docker/mobile/rpi5/networking/headscale/docker-compose.yml - Added backup sidecar
  • docker/mobile/rpi5/networking/headscale/backup.sh - Backup script
  • docker/mobile/rpi5/.env.example - Added BACKUP_PATH and BACKUP_RETENTION_HOURS
  • docs/architecture-review.md - Marked Phase 1 complete

Phase 1 Critical Fixes Complete

All 4 critical gaps now addressed:

  • [x] Headscale hourly backup
  • [x] Disaster recovery runbook
  • [x] MQTT broker added
  • [x] Caddy reverse proxy documented

Part 12: Next Session Planning

  • Created docs/sessions/next-session-plan.md
  • Focus: High + Medium priority items
  • 8 tasks identified for next session

Architecture Overview

[Mobile Kit - Sovereign]
├── RPi 5: Headscale (PRIMARY), Pi-hole
└── MacBook: soft-serve, Docker dev

[Fixed Homelab - Always-On]
├── Mini PC (Proxmox): OPNsense VM + Docker Host VM
├── RPi 4: Start9 (Bitcoin Core, Lightning, Electrum)
└── Old PC/NAS: Debian, mergerfs, Syncthing, Frigate

[VPS - Helper Only]
└── Vultr US: DERP relay, Pi-hole, Uptime Kuma, ntfy, changedetection

Decisions Made

| Decision | Choice | Rationale |
|---|---|---|
| VPS Provider | Vultr US | ~$6/mo, burn credits first |
| Bitcoin Node | Start9 over Umbrel | Privacy-first, HTTPS, open source |
| Reverse Proxy | Caddy over Traefik | Simpler config |
| File Sync | Syncthing over Nextcloud | Peer-to-peer, minimal |
| Container Mgmt | lazydocker over Portainer | CLI-first |
| Secrets | age + SOPS | Encrypted in git |
| Mesh Coordination | Headscale on RPi 5 | Carry mesh in backpack |
| DNS | Pi-hole over AdGuard | OG street cred, CLI-first |
| DNS Flow (home) | Pi-hole → Unbound | Max privacy, recursive |
| RPi 5 Case | Retro Tower Desktop | Server aesthetic, 3D printable |
| Homelab Domain | cronova.dev | Already owned, same geek factor |
| Business Domain | verava.ai | AI positioning for Supply Chain |

Documentation Created/Updated

| File | Status | Description |
|---|---|---|
| docs/vps-architecture.md | New | Cloud helper node |
| docs/fixed-homelab.md | New + Updated | Home infrastructure |
| docs/secrets-management.md | New | age + SOPS workflow |
| docs/dns-architecture.md | New | DNS flow all environments |
| docs/services.md | Rewritten | 22 services, ports, structure |
| docs/hardware.md | Rewritten | All hardware with roles |
| docs/rpi5-case-research.md | New | 3D printable case options |
| docs/domain-research.md | New | Domain comparison and decision |
| docs/architecture-review.md | New | Full review with gaps and roadmap |
| docs/domain-strategy.md | New | Final two-domain strategy |
| docs/branding.md | New | Brand identity for both domains |
| docs/disaster-recovery.md | New | DR runbook for all scenarios |
| docs/caddy-config.md | New | Reverse proxy for all environments |
| docs/mobile-homelab.md | Updated | Added NAS to Tailscale table |
| .sops.yaml | New | SOPS encryption config |

Stats

| Metric | Value |
|---|---|
| Unique services | 23 |
| Total deployments | 26 |
| Environments | 3 (Mobile, Fixed, VPS) |
| Docs created | 11 |
| Docs updated | 7 |
| Docker compose files | 9 (2 mobile + 7 VPS) |
| Commits | 33 |
| Critical gaps fixed | 4/4 |
| Domains | 2 (cronova.dev owned, verava.ai to buy) |
| Improvement tasks | 17 (4 critical done) |
| Money saved | $42/yr (skipped nanduti.io + verava.net) |

Next Steps

Critical Fixes (Before Deployment)

  • [x] Increase Headscale backup to hourly (in compose config)
  • [x] Create disaster recovery runbook
  • [x] Add MQTT broker to services
  • [x] Document Caddy reverse proxy config

Mobile Kit (waiting for PSU)

  • [ ] Flash RPi OS, install Docker
  • [ ] Deploy Headscale + Pi-hole
  • [ ] Configure Beryl AX DHCP reservations
  • [ ] Test all scenarios
  • [ ] 3D print case locally

VPS

  • [ ] Create Vultr account
  • [ ] Deploy VPS, harden
  • [ ] Deploy DERP + Pi-hole + monitoring stack

Fixed Homelab

  • [ ] Install Proxmox on Mini PC
  • [ ] Create OPNsense + Docker Host VMs
  • [ ] Flash Start9 on RPi 4
  • [ ] Install Debian on NAS

Infrastructure as Code

  • [ ] Generate age key, update .sops.yaml
  • [x] Create docker-compose files (mobile kit)
  • [ ] Create docker-compose files (fixed homelab)
  • [x] Create docker-compose files (VPS)
  • [ ] Create Ansible playbooks
  • [ ] Version control all configs

Domains

  • [x] cronova.dev - Already owned
  • [ ] Purchase verava.ai (Cloudflare ~$50-80/yr)
  • [ ] Configure cronova.dev DNS for homelab subdomains
  • [ ] Set up verava.ai email

Future Documentation

  • [ ] Unified network diagram (all 3 environments)
  • [ ] Monitoring strategy (Uptime Kuma checks)

Commits

| Hash | Message |
|---|---|
| ed0fb79 | docs: add next session plan (high + medium priority) |
| 2f5c212 | feat: add hourly backup sidecar for Headscale |
| 69179c6 | feat: add docker-compose for VPS helper node |
| bb1a3d8 | docs: update session summary with Caddy config |
| d3e0a4b | docs: add comprehensive Caddy reverse proxy configuration |
| dbe7b44 | docs: update session summary with IaC and MQTT |
| 413f406 | feat: add docker-compose for mobile kit (RPi 5) |
| 708f2d1 | docs: add Mosquitto MQTT broker to services |
| cd36f1b | docs: update session summary with disaster recovery |
| 4be81d7 | docs: add disaster recovery runbook |
| 47a8679 | docs: update session summary with branding section |
| 54e451e | docs: add branding guide for cronova.dev and verava.ai |
| b168142 | docs: update session summary with domain strategy pivot |
| 69ed4da | docs: add two-domain strategy (cronova.dev + verava.ai) |
| 7ba1315 | docs: final session summary with architecture review |
| 076edbf | docs: add comprehensive architecture review |
| f17a666 | docs: update session summary with domain research |
| 11289cb | docs: add domain research comparing nanduti.io vs verava.net |
| bc71c26 | docs: update session summary with full day's work |
| ae30367 | docs: update hardware.md with architecture decisions |
| f0135f4 | docs: add RPi 5 case research for 3D printing |
| 2a44743 | chore: add SOPS configuration for encrypted secrets |
| b05b7e2 | docs: complete services inventory with all 22 services |
| 00d228c | docs: add DNS architecture with Pi-hole + Unbound flow |
| b15c2ed | fix: correct architecture docs after Pi-hole standardization |
| 4ac127a | docs: update session summary with Pi-hole decision |
| 24f736f | docs: standardize on Pi-hole for DNS (mobile/home/VPS) |
| 4bba8de | docs: add session summary 2026-01-14 |
| 5acf764 | docs: streamline architecture for geek factor + minimalism |
| 7a0b4ef | docs: RPi 5 as primary Headscale, VPS as helper only |
| ec86de3 | docs: add fixed homelab architecture |
| 4828038 | docs: add VPS architecture plan |
| c04ef14 | docs: update session summary with final decisions |

Files Changed

docs/
├── architecture-review.md (new)
├── branding.md (new) ← Brand identity
├── caddy-config.md (new) ← Reverse proxy config
├── disaster-recovery.md (new) ← DR runbook
├── dns-architecture.md (new)
├── domain-research.md (new)
├── domain-strategy.md (new) ← Final strategy
├── fixed-homelab.md (new + updated)
├── hardware.md (rewritten)
├── mobile-homelab.md (updated)
├── rpi5-case-research.md (new)
├── secrets-management.md (new)
├── services.md (rewritten + updated) ← Added MQTT
├── sessions/
│   ├── 2026-01-14.md (new + updated)
│   └── next-session-plan.md (new) ← Next session planning
└── vps-architecture.md (new + updated)

docker/
├── mobile/
│   └── rpi5/ ← Mobile kit configs
│       ├── .env.example (updated - backup vars)
│       ├── .gitignore
│       ├── README.md
│       └── networking/
│           ├── headscale/
│           │   ├── docker-compose.yml (updated - backup sidecar)
│           │   ├── backup.sh (new) ← Hourly backup script
│           │   └── config/
│           │       └── config.yaml.example
│           └── pihole/
│               └── docker-compose.yml
└── vps/ ← VPS configs (NEW)
    ├── .env.example
    ├── .gitignore
    ├── README.md
    ├── networking/
    │   ├── caddy/
    │   │   ├── docker-compose.yml
    │   │   └── Caddyfile
    │   ├── pihole/
    │   │   └── docker-compose.yml
    │   └── derp/
    │       └── docker-compose.yml
    ├── monitoring/
    │   └── docker-compose.yml
    ├── scraping/
    │   └── docker-compose.yml
    └── backup/
        └── docker-compose.yml

.sops.yaml (new)