Session 2026-01-14

Summary

Deep architecture review and streamlining for maximum geek factor with minimalism. Comprehensive documentation pass.

Accomplished

Part 1: Architecture Planning (Morning)

VPS Architecture

  • Researched Vultr vs DigitalOcean pricing (~$6/mo)
  • Documented privacy-focused VPS services
  • Created docs/vps-architecture.md

Fixed Homelab Planning

  • Designed Proxmox VE architecture (OPNsense + Docker Host VMs)
  • Researched Umbrel vs Start9 for Bitcoin node (chose Start9)
  • Planned NAS with Debian + mergerfs + snapraid
  • Created docs/fixed-homelab.md

Key Architecture Decisions

  • RPi 5 as primary Headscale (not VPS) - maximum sovereignty
  • VPS demoted to helper only (DERP relay + monitoring)
  • Mobile kit is fully self-contained

Minimalism Review

  • Removed Portainer (use lazydocker CLI)
  • Removed Nextcloud (use Syncthing)
  • Removed Browserless from VPS (changedetection has built-in)
  • Replaced Traefik with Caddy (simpler)
  • Service count: 28 → 22

DNS Decision

  • Compared Pi-hole vs AdGuard Home
  • Chose Pi-hole for all environments (mobile/home/VPS)
  • Reason: OG street cred, better CLI (pihole -t), massive community

Part 2: Documentation Deep Dive (Afternoon)

Fixed Architecture Doc Issues

  • Updated diagram: Nextcloud/Traefik → Pi-hole/Caddy
  • Changed VPS label: "Coordination" → "Helper"
  • Fixed AdGuard → Pi-hole reference in secrets doc
  • Added Pi-hole to fixed homelab deployment order
  • Added NAS to Tailscale network table

DNS Architecture

  • Created comprehensive DNS flow documentation
  • Mobile: Pi-hole → public DNS (simple for travel)
  • Fixed: Pi-hole → Unbound on OPNsense:5353 (recursive, max privacy)
  • VPS: Pi-hole → public DNS (fallback)
  • Documented Headscale MagicDNS integration

Services Inventory

  • Updated services.md with all 22 services
  • Added service matrix by environment and category
  • Created full port allocation map
  • Documented Docker directory structure

SOPS Configuration

  • Created .sops.yaml with creation rules
  • Rules for mobile, fixed, VPS, and catch-all
  • User needs to add age public key

RPi 5 Case Research

  • Researched 3D printable cases for local printing (Paraguay)
  • Documented 7 options ranked by geek factor
  • Top pick: Retro Tower Desktop
  • Created comparison matrix and printing tips

Hardware Documentation

  • Complete rewrite of hardware.md
  • Added device details (RPi 5, Mini PC, RPi 4, NAS)
  • Network topologies with IPs
  • Tailscale IP allocation table
  • Power considerations and future hardware

Part 3: Domain & Branding Research (Initial)

Domain Name Research

  • Brainstormed Guarani-inspired domain names
  • Checked availability via WHOIS
  • Discovered .io doesn't support IDN (no ñ character)
  • Found available: nanduti.io, mbyja.io, kuarahy.io, verava.net

Initial Domain Decision

  • nanduti.io for homelab (Guarani "web/lace" = mesh metaphor)
  • verava.net for business (professional, easy)
  • Total cost: ~$42/year for both

Note: This decision was revised in Part 5.

Part 4: Comprehensive Architecture Review

Full Architecture Analysis

  • Reviewed all architecture docs with exploration agent
  • Identified strengths and gaps across all environments
  • Found 4 critical, 4 high, 4 medium, 3 low priority issues

Critical Gaps Identified

  • Headscale backup only daily (should be hourly)
  • No disaster recovery runbook
  • Caddy reverse proxy config undefined
  • MQTT missing for Home Assistant ↔ Frigate

Domain Coexistence Strategy

  • Mapped 11 subdomains for nanduti.io (personal)
  • Mapped 5 subdomains for verava.net (business)
  • Defined public vs Tailscale-only access model
  • Created proposed Caddy reverse proxy config

Improvement Roadmap

  • 17 tasks across 4 phases
  • Phase 1: Critical fixes before deployment
  • Phase 2: High priority during deployment
  • Phase 3: Medium priority post-deployment
  • Phase 4: Future enhancements

Part 5: Domain Strategy Pivot

New Context Revealed

  • Already own cronova.dev for Open Source / Micro SaaS
  • Email configured: augusto@cronova.dev
  • GitHub org exists: github.com/cronova
  • Personal GitHub: github.com/ajhermosilla

Strategy Pivot

  • cronova.dev replaces nanduti.io for homelab (already owned, same geek factor)
  • verava.ai replaces verava.net (AI positioning for Supply Chain + AI)
  • Skip nanduti.io entirely (save $30/yr)

Final Two-Domain Strategy

  • cronova.dev: Developer identity, homelab, open source, micro SaaS
  • verava.ai: Business identity, Supply Chain + AI consulting

verava.ai Availability

  • Checked WHOIS: AVAILABLE
  • Price: ~$50-80/yr
  • Recommended registrar: Cloudflare

Subdomain Architecture

  • cronova.dev: 16 subdomains (hs, home, media, btc, nas, git, vault, status, notify, api, saas, www, docs...)
  • verava.ai: 5 subdomains (www, app, api, docs, demo)

Part 6: Branding

Brand Identity Created

  • Created comprehensive docs/branding.md (393 lines)
  • Defined both brands with etymology, taglines, mission/vision

cronova.dev Brand

  • Etymology: Cron (Unix scheduler) + Nova (new star) = "Scheduled Innovation"
  • Tagline: "Build weird. Ship fast."
  • Mission: Build tools for developers who refuse to wait. Open source first. Ship fast.
  • Vision: Digital sovereignty for developers. Your code, your servers, your rules.
  • Personality: The friend who shares their dotfiles

verava.ai Brand

  • Etymology: Vera (Latin "true") + .ai = "True AI" / "Genuine Intelligence"
  • Tagline: "From chaos to clarity"
  • Mission: Transform supply chain chaos into competitive advantage through AI that anticipates, not just analyzes.
  • Vision: A world where no product is delayed, no inventory is wasted, and every supply chain runs on truth.
  • Personality: The strategic advisor who delivers results

Manifestos Created

  • The Cronova Manifesto: "That cron jobs are poetry. That shipping beats perfection."
  • The Verava Promise: "We will tell you the truth about your supply chain."

Additional Content

  • Founder bios (short, medium, long versions)
  • Elevator pitches (10-second, 30-second, combined)
  • Messaging matrix for different audiences
  • Color palettes and logo concepts
  • Social media handles to secure

Part 7: Disaster Recovery

DR Runbook Created

  • Created comprehensive docs/disaster-recovery.md (647 lines)
  • Addresses critical gap from architecture review

Scenarios Covered

| Scenario | Priority | Recovery Options |
|---|---|---|
| Headscale failure | Critical | Same hardware / Rebuild / VPS failover |
| Pi-hole failure | High | Restart / Restore / Rebuild |
| VPS failure | Medium | Vultr recovery / Rebuild |
| Vaultwarden failure | Critical | Restart / Restore from backup |
| Start9/Bitcoin failure | Medium | Restart / Reflash / Restore |
| NAS failure | Medium | SnapRAID recovery / Rebuild |
| Complete site failure | Variable | Per-site procedures |

Backup Strategy Documented

  • Headscale: Hourly to NAS + Cloud (30 days retention)
  • Vaultwarden: Hourly to NAS + Cloud (30 days retention)
  • Pi-hole: Daily to NAS (7 days retention)
  • Home Assistant: Daily to NAS (14 days retention)
  • Start9: Weekly to NAS (4 weeks retention)

Additional Content

  • Backup scripts ready to deploy
  • Recovery checklist (before/after)
  • Backup verification schedule (weekly/monthly/quarterly)
  • Post-incident template

Part 8: Infrastructure as Code

Mobile Kit Docker Compose

  • Created deployable configs for RPi 5
  • Ready to deploy when PSU arrives

Headscale Configuration

  • docker-compose.yml with embedded DERP server
  • config.yaml.example template with MagicDNS for cronova.dev
  • Let's Encrypt ACME setup
  • Setup instructions and useful commands in comments

Pi-hole Configuration

  • docker-compose.yml with configurable upstream DNS
  • Port 8080 for web UI (80 reserved)
  • DNSSEC enabled
  • Blocklist recommendations included

Supporting Files

  • .env.example with all environment variables
  • README.md quick start guide
  • .gitignore to protect secrets

Services Updated

  • Added Mosquitto MQTT broker to services.md
  • Service count: 22 → 23
  • Deployments: 25 → 26
  • Addresses critical gap (HA ↔ Frigate communication)

Part 9: Caddy Reverse Proxy

Comprehensive Config Created

  • Created docs/caddy-config.md (555 lines)
  • Addresses last critical gap from architecture review

VPS Caddyfile

  • Full config for cronova.dev public services (vault, status, notify, api, saas)
  • Full config for verava.ai services (www, app, api, docs)
  • Security headers on all responses
  • CORS configured per-service
  • Let's Encrypt ACME integration

Fixed Homelab Caddyfile

  • Internal services via Tailscale (home, media, sonarr, radarr, etc.)
  • WebSocket support for Home Assistant & Frigate
  • Tailscale HTTPS certificate strategy

Additional Content

  • Docker compose for VPS Caddy
  • Complete Cloudflare DNS tables (both domains)
  • SSL/TLS strategy documentation
  • Security hardening checklist
  • Deployment checklist and troubleshooting guide

Part 10: VPS Docker Compose

Complete VPS Stack Created

  • 7 docker-compose files for all VPS services
  • Ready for Vultr deployment

Services Configured

| Service | Ports | Purpose |
|---|---|---|
| Caddy | 80, 443 | Reverse proxy + Caddyfile |
| Pi-hole | 53, 8053 | US fallback DNS |
| DERP | 3478, 8443 | Tailscale relay |
| Uptime Kuma | 3001 | Status monitoring |
| ntfy | 8080 | Push notifications |
| changedetection | 5000 | Website monitoring |
| Restic REST | 8000 | Backup target |

Supporting Files

  • .env.example with VPS-specific variables
  • README.md with deployment order and setup
  • UFW firewall rules documented
  • Tailscale integration instructions
  • Monitoring checklist for Uptime Kuma

Directory Structure

docker/vps/
├── networking/caddy/     # + Caddyfile
├── networking/pihole/
├── networking/derp/
├── monitoring/           # Uptime Kuma + ntfy
├── scraping/             # changedetection + Playwright
└── backup/               # Restic REST

Part 11: Headscale Hourly Backup

Last Critical Gap Fixed

  • Added backup sidecar container to Headscale docker-compose
  • Alpine container with crond running hourly backups
  • Uses sqlite3 .backup for consistent database snapshots
  • Configurable backup path and retention (default 30 days)
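A backup script in the shape the sidecar above describes, added here as an example; it is not the repository's backup.sh. It uses `sqlite3 .backup` for a consistent online snapshot, verifies the copy, compresses it, and prunes snapshots older than the retention window. BACKUP_PATH and BACKUP_RETENTION_HOURS are the variables named in .env.example; the DB_PATH default and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's backup.sh): hourly Headscale SQLite backup
# with retention pruning, as run from crond inside an Alpine sidecar.
# Assumed: DB_PATH default below; BACKUP_PATH / BACKUP_RETENTION_HOURS match
# the .env variables mentioned in the session notes.

DB_PATH="${DB_PATH:-/var/lib/headscale/db.sqlite}"
BACKUP_PATH="${BACKUP_PATH:-/backups/headscale}"
BACKUP_RETENTION_HOURS="${BACKUP_RETENTION_HOURS:-720}"   # 720 h = 30 days

# Take a consistent snapshot of a live SQLite database.
# `.backup` goes through SQLite's online backup API, so the copy is
# transactionally consistent even while Headscale is writing; a plain `cp`
# of the file (or of the -wal file) is not.
backup_db() {
    db="$1"
    dest_dir="$2"
    mkdir -p "$dest_dir" || return 1
    out="$dest_dir/headscale-$(date -u +%Y%m%dT%H%M%SZ).sqlite"
    sqlite3 "$db" ".backup '$out'" || return 1
    # Never keep a snapshot that fails an integrity check.
    if ! sqlite3 "$out" 'PRAGMA integrity_check;' | grep -qx ok; then
        rm -f "$out"
        return 1
    fi
    gzip -f "$out" || return 1
    printf '%s\n' "$out.gz"
}

# Delete snapshots older than the retention window (hours).
# Only files matching the backup naming pattern are touched, so the sidecar
# cannot remove unrelated data on a shared backup mount.
prune_backups() {
    dest_dir="$1"
    hours="$2"
    find "$dest_dir" -type f -name 'headscale-*.sqlite.gz' \
        -mmin "+$((hours * 60))" -print -delete
}

# Number of snapshots currently retained (for the log line below).
count_backups() {
    find "$1" -type f -name 'headscale-*.sqlite.gz' | wc -l | tr -d ' '
}

main() {
    if file=$(backup_db "$DB_PATH" "$BACKUP_PATH"); then
        echo "backup ok: $file"
    else
        echo "backup FAILED for $DB_PATH" >&2
        exit 1
    fi
    prune_backups "$BACKUP_PATH" "$BACKUP_RETENTION_HOURS"
    echo "retained snapshots: $(count_backups "$BACKUP_PATH")"
}

# Crontab entry in the sidecar: 0 * * * * /backup.sh run
# (the explicit argument keeps the functions sourceable without side effects)
case "${1:-}" in
    run) main ;;
esac
```

A failed `.backup` or integrity check leaves no partial file behind and exits non-zero, which is what you want a crond job to do so the failure shows up in the container logs rather than silently rotating good snapshots out.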

Files Created/Updated

  • docker/mobile/rpi5/networking/headscale/docker-compose.yml - Added backup sidecar
  • docker/mobile/rpi5/networking/headscale/backup.sh - Backup script
  • docker/mobile/rpi5/.env.example - Added BACKUP_PATH and BACKUP_RETENTION_HOURS
  • docs/architecture-review.md - Marked Phase 1 complete

Phase 1 Critical Fixes Complete

All 4 critical gaps now addressed:

  • [x] Headscale hourly backup
  • [x] Disaster recovery runbook
  • [x] MQTT broker added
  • [x] Caddy reverse proxy documented

Part 12: Next Session Planning

  • Created docs/sessions/next-session-plan.md
  • Focus: High + Medium priority items
  • 8 tasks identified for next session

Architecture Overview

[Mobile Kit - Sovereign]
├── RPi 5: Headscale (PRIMARY), Pi-hole
└── MacBook: soft-serve, Docker dev

[Fixed Homelab - Always-On]
├── Mini PC (Proxmox): OPNsense VM + Docker Host VM
├── RPi 4: Start9 (Bitcoin Core, Lightning, Electrum)
└── Old PC/NAS: Debian, mergerfs, Syncthing, Frigate

[VPS - Helper Only]
└── Vultr US: DERP relay, Pi-hole, Uptime Kuma, ntfy, changedetection

Decisions Made

| Decision | Choice | Rationale |
|---|---|---|
| VPS Provider | Vultr US | ~$6/mo, burn credits first |
| Bitcoin Node | Start9 over Umbrel | Privacy-first, HTTPS, open source |
| Reverse Proxy | Caddy over Traefik | Simpler config |
| File Sync | Syncthing over Nextcloud | Peer-to-peer, minimal |
| Container Mgmt | lazydocker over Portainer | CLI-first |
| Secrets | age + SOPS | Encrypted in git |
| Mesh Coordination | Headscale on RPi 5 | Carry mesh in backpack |
| DNS | Pi-hole over AdGuard | OG street cred, CLI-first |
| DNS Flow (home) | Pi-hole → Unbound | Max privacy, recursive |
| RPi 5 Case | Retro Tower Desktop | Server aesthetic, 3D printable |
| Homelab Domain | cronova.dev | Already owned, same geek factor |
| Business Domain | verava.ai | AI positioning for Supply Chain |

Documentation Created/Updated

| File | Status | Description |
|---|---|---|
| docs/vps-architecture.md | New | Cloud helper node |
| docs/fixed-homelab.md | New + Updated | Home infrastructure |
| docs/secrets-management.md | New | age + SOPS workflow |
| docs/dns-architecture.md | New | DNS flow all environments |
| docs/services.md | Rewritten | 22 services, ports, structure |
| docs/hardware.md | Rewritten | All hardware with roles |
| docs/rpi5-case-research.md | New | 3D printable case options |
| docs/domain-research.md | New | Domain comparison and decision |
| docs/architecture-review.md | New | Full review with gaps and roadmap |
| docs/domain-strategy.md | New | Final two-domain strategy |
| docs/branding.md | New | Brand identity for both domains |
| docs/disaster-recovery.md | New | DR runbook for all scenarios |
| docs/caddy-config.md | New | Reverse proxy for all environments |
| docs/mobile-homelab.md | Updated | Added NAS to Tailscale table |
| .sops.yaml | New | SOPS encryption config |

Stats

| Metric | Value |
|---|---|
| Unique services | 23 |
| Total deployments | 26 |
| Environments | 3 (Mobile, Fixed, VPS) |
| Docs created | 11 |
| Docs updated | 7 |
| Docker compose files | 9 (2 mobile + 7 VPS) |
| Commits | 33 |
| Critical gaps fixed | 4/4 |
| Domains | 2 (cronova.dev owned, verava.ai to buy) |
| Improvement tasks | 17 (4 critical done) |
| Money saved | $42/yr (skipped nanduti.io + verava.net) |

Next Steps

Critical Fixes (Before Deployment)

  • [x] Increase Headscale backup to hourly (in compose config)
  • [x] Create disaster recovery runbook
  • [x] Add MQTT broker to services
  • [x] Document Caddy reverse proxy config

Mobile Kit (waiting for PSU)

  • [ ] Flash RPi OS, install Docker
  • [ ] Deploy Headscale + Pi-hole
  • [ ] Configure Beryl AX DHCP reservations
  • [ ] Test all scenarios
  • [ ] 3D print case locally

VPS

  • [ ] Create Vultr account
  • [ ] Deploy VPS, harden
  • [ ] Deploy DERP + Pi-hole + monitoring stack

Fixed Homelab

  • [ ] Install Proxmox on Mini PC
  • [ ] Create OPNsense + Docker Host VMs
  • [ ] Flash Start9 on RPi 4
  • [ ] Install Debian on NAS

Infrastructure as Code

  • [ ] Generate age key, update .sops.yaml
  • [x] Create docker-compose files (mobile kit)
  • [ ] Create docker-compose files (fixed homelab)
  • [x] Create docker-compose files (VPS)
  • [ ] Create Ansible playbooks
  • [ ] Version control all configs

Domains

  • [x] cronova.dev - Already owned
  • [ ] Purchase verava.ai (Cloudflare ~$50-80/yr)
  • [ ] Configure cronova.dev DNS for homelab subdomains
  • [ ] Set up verava.ai email

Future Documentation

  • [ ] Unified network diagram (all 3 environments)
  • [ ] Monitoring strategy (Uptime Kuma checks)

Commits

| Hash | Message |
|---|---|
| ed0fb79 | docs: add next session plan (high + medium priority) |
| 2f5c212 | feat: add hourly backup sidecar for Headscale |
| 69179c6 | feat: add docker-compose for VPS helper node |
| bb1a3d8 | docs: update session summary with Caddy config |
| d3e0a4b | docs: add comprehensive Caddy reverse proxy configuration |
| dbe7b44 | docs: update session summary with IaC and MQTT |
| 413f406 | feat: add docker-compose for mobile kit (RPi 5) |
| 708f2d1 | docs: add Mosquitto MQTT broker to services |
| cd36f1b | docs: update session summary with disaster recovery |
| 4be81d7 | docs: add disaster recovery runbook |
| 47a8679 | docs: update session summary with branding section |
| 54e451e | docs: add branding guide for cronova.dev and verava.ai |
| b168142 | docs: update session summary with domain strategy pivot |
| 69ed4da | docs: add two-domain strategy (cronova.dev + verava.ai) |
| 7ba1315 | docs: final session summary with architecture review |
| 076edbf | docs: add comprehensive architecture review |
| f17a666 | docs: update session summary with domain research |
| 11289cb | docs: add domain research comparing nanduti.io vs verava.net |
| bc71c26 | docs: update session summary with full day's work |
| ae30367 | docs: update hardware.md with architecture decisions |
| f0135f4 | docs: add RPi 5 case research for 3D printing |
| 2a44743 | chore: add SOPS configuration for encrypted secrets |
| b05b7e2 | docs: complete services inventory with all 22 services |
| 00d228c | docs: add DNS architecture with Pi-hole + Unbound flow |
| b15c2ed | fix: correct architecture docs after Pi-hole standardization |
| 4ac127a | docs: update session summary with Pi-hole decision |
| 24f736f | docs: standardize on Pi-hole for DNS (mobile/home/VPS) |
| 4bba8de | docs: add session summary 2026-01-14 |
| 5acf764 | docs: streamline architecture for geek factor + minimalism |
| 7a0b4ef | docs: RPi 5 as primary Headscale, VPS as helper only |
| ec86de3 | docs: add fixed homelab architecture |
| 4828038 | docs: add VPS architecture plan |
| c04ef14 | docs: update session summary with final decisions |

Files Changed

docs/
├── architecture-review.md (new)
├── branding.md (new) ← Brand identity
├── caddy-config.md (new) ← Reverse proxy config
├── disaster-recovery.md (new) ← DR runbook
├── dns-architecture.md (new)
├── domain-research.md (new)
├── domain-strategy.md (new) ← Final strategy
├── fixed-homelab.md (new + updated)
├── hardware.md (rewritten)
├── mobile-homelab.md (updated)
├── rpi5-case-research.md (new)
├── secrets-management.md (new)
├── services.md (rewritten + updated) ← Added MQTT
├── sessions/
│   ├── 2026-01-14.md (new + updated)
│   └── next-session-plan.md (new) ← Next session planning
└── vps-architecture.md (new + updated)

docker/
├── mobile/
│   └── rpi5/ ← Mobile kit configs
│       ├── .env.example (updated - backup vars)
│       ├── .gitignore
│       ├── README.md
│       └── networking/
│           ├── headscale/
│           │   ├── docker-compose.yml (updated - backup sidecar)
│           │   ├── backup.sh (new) ← Hourly backup script
│           │   └── config/
│           │       └── config.yaml.example
│           └── pihole/
│               └── docker-compose.yml
└── vps/ ← VPS configs (NEW)
    ├── .env.example
    ├── .gitignore
    ├── README.md
    ├── networking/
    │   ├── caddy/
    │   │   ├── docker-compose.yml
    │   │   └── Caddyfile
    │   ├── pihole/
    │   │   └── docker-compose.yml
    │   └── derp/
    │       └── docker-compose.yml
    ├── monitoring/
    │   └── docker-compose.yml
    ├── scraping/
    │   └── docker-compose.yml
    └── backup/
        └── docker-compose.yml

.sops.yaml (new)