Roles¶

Every host gets common, security, and auto_updates. Additional roles are applied based on the host's function. Phase 5 adds pbs, beszel_hub, beszel_agent, auto_updates, and hawser.

Role matrix¶

Role	proxfold	arrstack	nginx	plex	pbs	beszel	n8n	vintage	control
common	✓	✓	✓	✓	✓	✓	✓	✓	✓
security	✓	✓	✓	✓	✓	✓	✓	✓	✓
auto_updates	✓	✓	✓	✓	✓	✓	✓	✓	✓
proxmox	✓
docker		✓	✓				✓
zfs	✓
nvidia	✓
nfs	✓ (server)	✓ (client)
nut	✓
pbs					✓
beszel_hub						✓
beszel_agent	✓	✓	✓	✓	✓		✓	✓	✓
hawser			(manual)¹				✓
arrstack		✓
plex				✓

¹ nginx VM has a pre-existing manual Hawser install that's not yet codified — see hawser role for the deferred-follow-up note.

Role summaries¶

Role	Purpose
common	Timezone, locale, base packages, SSH keys, NTP
security	Hardened SSH config, Fail2ban
auto_updates	Unattended-upgrades (security-only by default) + reboot-required Discord notifier; wraps `hifis.toolkit.unattended_upgrades`
proxmox	PVE apt repos (deb822), kernel pin, nouveau blacklist, sysctl migration, stash import, nasbackup CIFS
docker	Docker CE + Compose plugin, daemon config
zfs	ZFS ARC tuning, pool health check, monthly scrub timer, ZED Discord webhook
nvidia	T400 driver, NVENC patch, persistence daemon, IPMI fan fix
nfs	NFS server exports and/or client fstab mounts
nut	Network UPS Tools — server + monitor for CyberPower PR1500ERT2U
pbs	Proxmox Backup Server + NFS datastore on QNAP (Phase 5A)
beszel_hub	Beszel aggregation hub + Discord alerts (Phase 5B)
beszel_agent	Per-host Beszel metrics agent (Phase 5B)
arrstack	Media stack Compose deployment, MediaBot, health checks
plex	Plex install, media symlink, GPU passthrough verification
hawser	Dockhand remote-host agent (Edge mode, outbound WebSocket); per-host TOKEN, RW socket, named volume for stack cache