Bedrock

The substrate everything stands on — the hypervisors, the container runtime, the operating systems, and the network beneath every service.

In a nutshell

Bedrock is the floor. Every service in the enclave runs on one of these — a hypervisor, a container runtime, an operating system, a piece of the network — and none of them is a service anyone signs into. They are what the rest stands on, recorded once here and shared by everything above.

Two virtualization choices split the load: Proxmox VE carries the Manor and the Annex, Incus carries the Outpost’s ephemeral range forks, both on Debian. Docker runs the Den’s containers on Ubuntu Server, with no hypervisor beneath. OPNsense guards the edge, and Tailscale binds the four nodes into one private mesh.
