# Roadmap

```mermaid
gantt
    title Archon Platform — build phases
    dateFormat YYYY-MM-DD
    section Phase 1
    ESP32 OT sensor pipeline            :done, 2026-03-01, 2026-03-20
    MQTT broker (caneast-c1-mqtt1)      :done, 2026-03-01, 2026-03-20
    Telegraf + InfluxDB + Grafana       :done, 2026-03-20, 2026-03-25
    SentinelBot Telegram alert          :done, 2026-03-25, 2026-03-28
    section Phase 2
    OPNsense firewall VM                :done, 2026-03-28, 2026-03-30
    Infisical secrets                   :done, 2026-03-28, 2026-03-31
    Ansible common + ssh roles          :done, 2026-03-31, 2026-04-01
    archon-docs MkDocs live             :done, 2026-03-31, 2026-04-01
    ADRs + AI portability docs          :done, 2026-04-01, 2026-04-01
    WireGuard on caneast-c1-node1       :done, 2026-03-28, 2026-03-30
    PiHole on caneast-c1-node1          :done, 2026-03-28, 2026-03-30
    Tailscale (caneast-c1-node1+node2)  :done, 2026-03-30, 2026-04-01
    Portainer on caneast-c1-node2       :done, 2026-03-31, 2026-04-01
    Homepage dashboard                  :done, 2026-03-31, 2026-04-01
    Uptime Kuma                         :done, 2026-03-31, 2026-04-01
    AdGuard Home (primary DNS)          :done, 2026-04-01, 2026-04-02
    NetAlertX (network monitor)         :done, 2026-04-01, 2026-04-02
    node_exporter + docker roles        :done, 2026-04-01, 2026-04-02
    Ubuntu 25.10 compat + lint          :done, 2026-04-02, 2026-04-02
    Grype container scanning            :2026-04-07, 2026-04-14
    Syft SBOM generation                :2026-04-07, 2026-04-14
    Lynis security audit                :2026-04-07, 2026-04-14
    OPNsense firewall rules             :active, 2026-04-07, 2026-04-14
    Jump box caneast-c1-jmp1            :active, 2026-04-07, 2026-04-14
    section Phase 3
    k3s cluster                         :done, 2026-04-02, 2026-04-03
    AWX Operator 2.19.1                 :done, 2026-04-03, 2026-04-03
    k3s namespace design                :done, 2026-04-03, 2026-04-03
    ADO self-hosted agent               :done, 2026-04-03, 2026-04-03
    Sanitization pipeline               :done, 2026-04-03, 2026-04-03
    Public docs pipeline (CF)           :done, 2026-04-03, 2026-04-03
    docs.peries.ca custom domain        :2026-04-07, 2026-04-10
    AWX config + Infisical              :2026-04-07, 2026-04-14
    Terraform Azure + DNS               :2026-04-14, 2026-04-28
    ArgoCD GitOps                       :2026-05-05, 2026-05-19
    ADO CI/CD OT pipeline               :2026-04-28, 2026-05-12
    peries.ca go-live                   :2026-05-12, 2026-05-19
    Conpot ICS honeypot                 :2026-05-05, 2026-05-19
    Wazuh SIEM                          :2026-05-12, 2026-06-02
    Falco runtime security              :2026-05-12, 2026-05-26
    section Phase 4
    Home Assistant                      :2026-06-01, 2026-06-14
    AI avatar                           :2026-06-14, 2026-07-14
    section Phase 5
    Defender for Containers             :2026-07-14, 2026-07-28
    Wazuh to Azure Sentinel             :2026-07-14, 2026-07-28
    SBOM pipeline in ADO                :2026-07-14, 2026-07-28
```
## Phase status

| Phase | Status | Key deliverables |
|-------|--------|------------------|
| 1 | Complete | ESP32 → MQTT → InfluxDB → Grafana → SentinelBot |
| 2 | In progress | DMZ, Infisical, Ansible, archon-docs, home automation stack, Grype, Syft, Lynis |
| 3 | In progress | k3s live, AWX deployed, sanitization pipeline live, public docs pipeline live. Next: docs.peries.ca, AWX config, Terraform |
| 4 | Backlog | Home Assistant, AI avatar, cae2/cae3/cae4 |
| 5 | Backlog | Enterprise hardening — Defender for Containers, Wazuh → Sentinel, SBOM pipeline |
## Phase 2 — Completed

| Item | Node | Port | Notes |
|------|------|------|-------|
| OPNsense firewall VM | caneast-c1-node3 (KVM) | — | VM running, rules not yet active |
| Infisical secrets | caneast-c1-node3 | 8443 | Self-hosted, nginx TLS proxy |
| Ansible common + ssh_hardening | all IT nodes | — | Baseline 26 ok / 0 failed on caneast-c1-node3 |
| node_exporter | caneast-c1-node2, caneast-c1-node3 | 9100 | Systemd service, Prometheus-ready |
| Docker CE | caneast-c1-node2 | — | ansible-svc-account in docker group |
| archon-docs MkDocs | caneast-c1-node2 | 3003 | nginx, mike versioning |
| WireGuard | caneast-c1-node1 (RPi4) | — | Dedicated — do not touch |
| PiHole | caneast-c1-node1 (RPi4) | — | Secondary DNS fallback |
| Tailscale | caneast-c1-node1, caneast-c1-node2 | — | Both nodes enrolled |
| Portainer | caneast-c1-node2 | 9443 | HTTPS management UI |
| Homepage dashboard | caneast-c1-node2 | 3000 | Service overview |
| Uptime Kuma | caneast-c1-node2 | 3001 | Uptime monitoring |
| AdGuard Home | caneast-c1-node2 | 3080 | Primary DNS for LAN |
| NetAlertX | caneast-c1-node2 | 20211 | Network device monitoring |
## Phase 2 — Remaining

| Item | Notes |
|------|-------|
| OPNsense firewall rules | ISP gateway DMZ → caneast-c1-fw1 not yet activated |
| Jump box caneast-c1-jmp1 | KVM VM exists, not in Ansible inventory yet |
| Grype | Container vulnerability scanning — Ansible role not yet written |
| Syft | SBOM generation — Ansible role not yet written |
| Lynis | Ubuntu security audit — not yet run on nodes |
| Infisical agent role | Stub only — no secret injection yet |
| caneast-c1-node2 full baseline | node_exporter confirmed; Ansible baseline not yet run end-to-end |
## Phase 3 — In Progress

### Infrastructure — DONE

- k3s cluster: caneast-c1-node3 (control plane) + caneast-c1-node2 (worker), v1.34.6+k3s1
- Namespaces: `archon-infra`, `archon-monitoring`, `archon-apps`, `archon-ot`, `archon-security`, `awx` (ADR-0016)
- AWX Operator 2.19.1: deployed in `awx` namespace, NodePort 30080 on caneast-c1-node3
- ADO self-hosted agent: caneast-c1-node3 `~/homelab/azagent`, Default pool
- Sanitization pipeline: `sanitize.py` + `verify-sanitization.py` (ADR-0017, ADR-0018)
- Public docs pipeline: `azure-pipelines.yml` → Cloudflare Pages (peries-ca-docs)

### Infrastructure — Next

- docs.peries.ca: custom domain on Cloudflare Pages
- AWX config: inventory, credentials (Infisical integration), job templates
- Infisical AWX secret: inject AWX admin password via Infisical agent

### IaC and GitOps

- Terraform: Azure backend, state stored in Azure Blob Storage, manages DNS for peries.ca (Cloudflare via Terraform provider)
- ArgoCD: GitOps controller watching `archon-platform` and `archon-apps` ADO repos, syncs manifests to k3s

### CI/CD Pipelines

- IT pipeline: Ansible lint → Terraform plan → Grype scan → AWX trigger → k3s apply
- OT pipeline: PlatformIO build → firmware artifact → MQTT integration test

### Security

- Conpot ICS/OT honeypot: deployed in DMZ on caneast-c1-node3, simulates Modbus/S7 PLC, captures real-world ICS attack patterns, feeds SELKS for enrichment
- Wazuh: full SIEM, vulnerability management, log aggregation across all nodes, AD/EntraID/Azure integration (heavy — requires RAM planning before deployment)
- Falco: runtime container security for k3s workloads — detects anomalous syscalls and container escapes

### Public launch

- peries.ca: portfolio site public launch — CanEast sanitized architecture docs, project writeups
## Phase 4 — Backlog

### Home Assistant

Home automation dashboard running in Docker on caneast-c1-node2. Accessible via:

- Home Assistant native app (phone + iPad)
- Browser on LAN

### AI Avatar

React frontend iPad display — local AI identity for the homelab.

| Component | Technology | Notes |
|-----------|------------|-------|
| Portrait generation | Stable Diffusion / Flux | Static base image |
| Expression / blinks | LivePortrait | Real-time facial animation |
| Lip sync | MuseTalk 1.5 | Audio-driven mouth animation |
| Voice | Coqui TTS or Kokoro | Local TTS synthesis |
| Memory | Qdrant (vector DB) | Persistent context store |
| LLM brain | Qwen3:4b via Ollama | Already running on CanEast AI Node |
| Frontend | React | iPad display, LAN-served |
## Phase 5 — Enterprise Hardening (Backlog)

| Item | Notes |
|------|-------|
| Microsoft Defender for Containers | Native Azure/EntraID integration for container workloads |
| Wazuh → Azure Sentinel | Log forwarding and correlation at cloud scale |
| SBOM pipeline in ADO | Syft generates SBOM on every build; Grype scans against it — build fails on critical CVEs |
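The Phase 5 SBOM gate (Syft generates an SBOM on every build, Grype scans it, the build fails on critical CVEs) and the Grype scan step of the Phase 3 IT pipeline both reduce to the same Azure DevOps stage. The following is an added example and not the project's `azure-pipelines.yml`; the image reference, the `Default` agent pool name and the artifact paths are assumptions. The `syft -o cyclonedx-json=<file>` and `grype sbom:<file> --fail-on critical` invocations are the real CLI syntax of those tools.

```yaml
# Added example: ADO stage that generates an SBOM with Syft, scans that SBOM
# with Grype, and fails the build on any Critical finding.
# Not the project's own pipeline; imageRef, pool and paths are assumptions.
trigger:
  branches:
    include: [main]

pool:
  name: Default   # assumption: the self-hosted ADO agent pool from Phase 3

variables:
  imageRef: 'archon-app:$(Build.BuildId)'   # assumption: image built by an earlier stage

stages:
- stage: SupplyChain
  displayName: 'SBOM + vulnerability gate'
  jobs:
  - job: sbom_and_scan
    steps:
    - script: |
        set -euo pipefail
        # CycloneDX JSON is the format both Syft and Grype exchange natively.
        syft "$(imageRef)" \
          -o cyclonedx-json="$(Build.ArtifactStagingDirectory)/sbom.cdx.json"
      displayName: 'Syft: generate SBOM'

    - script: |
        set -euo pipefail
        # Scan the SBOM rather than the image again, so the scan result
        # matches exactly what is published as the build's SBOM artifact.
        # --fail-on critical makes grype exit non-zero when any Critical
        # vulnerability is present, which fails this step and the build.
        grype "sbom:$(Build.ArtifactStagingDirectory)/sbom.cdx.json" \
          --fail-on critical \
          -o table
      displayName: 'Grype: scan SBOM, fail on critical'

    - task: PublishBuildArtifacts@1
      condition: always()   # keep the SBOM even when the gate fails, for triage
      inputs:
        pathToPublish: '$(Build.ArtifactStagingDirectory)/sbom.cdx.json'
        artifactName: 'sbom'
      displayName: 'Publish SBOM artifact'
```

Publishing the SBOM with `condition: always()` means a failed gate still leaves the artifact attached to the run, so the Critical findings can be triaged from the same SBOM that tripped the gate rather than from a later rescan against a moved database.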