Architecture Decision Records (ADRs)

Project-wide decision log for HybridOps. Each ADR captures context, options, the decision, and consequences, with links to code, diagrams, verification material, and runbooks where relevant.

ADRs capture design intent and trade-offs. For live operating guidance, follow the current runbooks and contracts first. Superseded or deprecated ADRs are retained for traceability and should always point to the supported path.

Internal working notes belong under .internal/ and are excluded from generated indexes and published builds until promoted.

---

Categories

00 Governance (8) · 01 Networking (10) · 02 Platform (12) · 03 Security (5) · 04 Observability (2) · 05 Data Storage (3) · 06 Cicd Automation (11) · 07 Disaster Recovery (1) · 08 Cost Optimisation (1)

---

Index

All ADRs — (search by ID or domain as needed)

Published ADRs (53)

• ADR-0001 — ADR Process and Documentation Conventions — Accepted
• ADR-0002 — Source of Truth: NetBox-Driven Inventory — Accepted
• ADR-0003 — Secrets Management Strategy for Hybrid Kubernetes & Platform Workloads — Superseded
• ADR-0012 — Control Node Runs as a VM (Cloud-Init); LXC Reserved for Light Helpers — Accepted
• ADR-0013 — PostgreSQL Runs in LXC (State on Host-Mounted Storage; Backups First-Class) — Superseded
• ADR-0014 — RKE2 Runs on Full VMs (Rocky Linux 9 Base) with Simple LB and Storage — Superseded
• ADR-0015 — Network Infrastructure Assumptions for Packer Builds — Superseded
• ADR-0016 — Adopt Packer + Cloud-Init for VM Template Standardization — Accepted
• ADR-0017 — Operating System Baseline for HybridOps — Accepted
• ADR-0018 — LXC Containers for Lightweight Workloads on Proxmox — Accepted
• ADR-0020 — Secrets Strategy — Azure Key Vault primary; encrypted vault bundle for bootstrap/CI/DR; Vault optional later — Accepted
• ADR-0022 — Documentation, Public Site, and Academy Strategy — Accepted
• ADR-0023 — Showcase Packaging for Academy Labs — Proposed
• ADR-0101 — VLAN Allocation Strategy — Accepted
• ADR-0102 — Proxmox as Intra-Site Core Router — Accepted
• ADR-0103 — Inter-VLAN Firewall Policy — Accepted
• ADR-0104 — Static IP Allocation with Terraform IPAM — Accepted
• ADR-0105 — Dual Uplink Design (Ethernet/WiFi Failover) — Accepted
• ADR-0106 — Dual ISP Load Balancing for Resiliency — Accepted
• ADR-0107 — VyOS as Cost-Effective Edge Router — Accepted
• ADR-0108 — Full Mesh Topology for High Availability — Accepted
• ADR-0109 — NCC primary hub with routed Azure spoke connectivity — Accepted
• ADR-0115 — Legacy Linux Edge WAN with strongSwan and FRR — Superseded
• ADR-0201 — EVE-NG Network Lab Architecture — Accepted
• ADR-0202 — Adopt RKE2 as Primary Runtime for Platform and Applications — Accepted
• ADR-0203 — Adopt Argo CD as GitOps Controller for Application Delivery — Accepted
• ADR-0204 — RKE2 Runs on Rocky VMs on Enterprise Hypervisors — Accepted
• ADR-0205 — Infrastructure as Code Engine: Terraform with Terragrunt Composition — Accepted
• ADR-0206 — Define Module → Driver → Profile → Pack execution contract (v1) — Proposed
• ADR-0207 — Adopt pack layout packs///stack (Option B) — Proposed
• ADR-0208 — Execute Terragrunt packs in isolated workdir with generated inputs.auto.tfvars.json — Proposed
• ADR-0301 — Deprecated pfSense Flow-Control Plane — Deprecated
• ADR-0302 — Deprecated Fortigate Edge Firewall Variant — Deprecated
• ADR-0303 — Adopt Trivy for Container Image Vulnerability Scanning in CI/CD — Proposed
• ADR-0401 — Unified Observability with Prometheus — Accepted
• ADR-0402 — Use Prometheus Federation as Central DR Signal Plane — Accepted
• ADR-0500 — Use a PWA Install Model for Offline Documentation Access — Accepted
• ADR-0501 — PostgreSQL Runs on Dedicated VM with Host-Managed Storage and DR Replication — Accepted
• ADR-0502 — Use External Secrets Operator with Azure Key Vault for Application Secrets — Accepted
• ADR-0503 — Use Longhorn as RKE2 Storage Layer for Stateful Kubernetes Workloads — Accepted
• ADR-0600 — Adopt Environment Guard Framework (EGF) for Ansible Governance Pipeline — Accepted
• ADR-0601 — Hybrid Network Automation: Nornir + Ansible Integration — Accepted
• ADR-0602 — NETCONF and Nornir Automation for CSR1000v — Accepted
• ADR-0603 — Run Jenkins Controller on Control Node, Agents on RKE2 — Accepted
• ADR-0604 — Standardise Packer Image Pipeline for Proxmox Templates — Accepted
• ADR-0605 — Terraform Execution Modes and HCP Workspace Governance for Multi-Cloud and On-Prem — Accepted
• ADR-0607 — Adopt a tools-enabled Jenkins agent image for HybridOps CI — Accepted
• ADR-0608 — Docker Engine baseline for control nodes and container hosts — Accepted
• ADR-0609 — Normalize Terragrunt live stacks via generated alias tree — Accepted
• ADR-0610 — Standardise environment bootstrap scripts for cloud and Proxmox credentials — Accepted
• ADR-0701 — Use GitHub Actions as Stateless DR Orchestrator — Accepted
• ADR-0801 — Treat Cost as a First-Class Signal for DR and Cloud Bursting — Accepted

---

Related

• HOWTOs
• Runbooks
• Network design
• Network routing contract

Back to Docs Home