Mesh
Internally, the owned hosts — Manor, Annex, Outpost — share a private Hetzner network on an isolated layer-2 link the public internet never touches, carved into subnets and VLANs that keep unrelated traffic apart. The Den stands apart from even that: its machines reach each other over a private VPN mesh and have no path to the rest of the enclave at all. That gap is enforced, not incidental — life-critical services shouldn’t share a wire with anything experimental.
Inside the network, routing decides which rooms can reach which, and a private DNS — distinct from the public DNS at the Edge — lets services find each other by name rather than address. The mesh is as much about what’s severed as what’s joined, and where the breaks are deliberate. This is internal plumbing only: the public boundary lives in Edge, and the soft switch inside a single host in Frames › Proxmox vSwitch. The mesh software is in Software; the routing and subnet specifics are in the Hardware Manifest.