# Architecture

## Model

- VPS is public edge (Caddy + VPN client).
- Homelab hosts internal application stacks.
- Traffic path: Internet -> VPS Caddy -> VPN -> homelab service.

## State Conventions

- `/srv/ops` cloned repo
- `/srv/secrets` decrypted runtime secrets (not committed)
- `/srv/data/` persistent bind mounts
- `/srv/backups` backup artifacts

## Deployment Order

1. Edge bootstrap on VPS
2. Homelab bootstrap
3. Bring up proxy/network dependencies
4. Bring up core stacks (gitea, db)
5. Bring up secondary stacks (kuma, apps)

## Bootstrap Paradox Mitigation

Because ops is hosted on Gitea inside the homelab, bootstrap uses three repo sources:

1. Primary Gitea repo
2. Optional fallback mirror (secondary git host)
3. Local git bundle backup (`/srv/backups/ops/latest/ops.bundle`)

Nightly backups include both full Gitea backups and standalone repo exports/bundles.
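
One way to script the three-source fallback described under Bootstrap Paradox Mitigation, as an added example that is not part of the original repo. The function name `fetch_ops` and the two remote URLs in the usage comment are assumptions; the local paths follow the State Conventions above.

```shell
#!/bin/sh
# Added example. fetch_ops and the URLs in the usage comment are hypothetical.
#
# fetch_ops DEST PRIMARY_URL MIRROR_URL BUNDLE_PATH
# Tries each source in order and prints the label of the one that worked
# (primary | mirror | bundle). Returns 1 if all fail, 2 if DEST exists.
fetch_ops() {
    dest=$1 primary=$2 mirror=$3 bundle=$4
    tmp="${dest}.tmp.$$"

    # Never overwrite an existing checkout during bootstrap.
    if [ -e "$dest" ]; then
        echo "fetch_ops: $dest already exists" >&2
        return 2
    fi

    for entry in "primary:$primary" "mirror:$mirror" "bundle:$bundle"; do
        label=${entry%%:*}
        src=${entry#*:}
        [ -n "$src" ] || continue            # the mirror is optional
        if [ "$label" = bundle ] && [ ! -r "$src" ]; then
            continue                         # no bundle backup on disk
        fi
        rm -rf "$tmp"
        # GIT_TERMINAL_PROMPT=0 makes an unreachable or auth-gated remote
        # fail immediately instead of waiting on a credential prompt.
        # fsck catches a corrupt or truncated copy; it does not
        # authenticate the source.
        if GIT_TERMINAL_PROMPT=0 git clone --quiet "$src" "$tmp" 2>/dev/null \
            && git -C "$tmp" fsck --no-dangling >/dev/null 2>&1; then
            mv "$tmp" "$dest"                # publish only a complete clone
            echo "$label"
            return 0
        fi
    done
    rm -rf "$tmp"
    return 1
}

# Usage (URLs are placeholders):
#   fetch_ops /srv/ops \
#       https://gitea.example.internal/ops/ops.git \
#       https://mirror.example.net/ops/ops.git \
#       /srv/backups/ops/latest/ops.bundle
```

The printed label lets the caller record which source was used, so a bootstrap that fell back to the mirror or the bundle can be re-synced against Gitea once it is up.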