Rebuild · Build Atlas DRAWING 02 / 06
STAGE 02 / BASE Homelab P1–2 Runner P1 ~68 credits

Foundations.

Infrastructure declared in code. Bare VMs become configured machines. The runner's spine — config, models, providers — compiles and starts cleanly under Docker Compose.

Goal

Reproducible substrate.

Two homelab VMs provisioned by Terraform. Ansible applies idempotently. Runner's docker compose up starts every service with no errors. Provider tests pass.

Exit criteria
  • S3 fast + slow buckets exist via Terraform
  • Prod-Services + Dev-Learning VMs reachable on Tailscale
  • Ansible site.yml runs twice with no changes the second time
  • Pydantic Settings validates on app start
  • All 4 providers (Ollama, Groq, Gemini, Anthropic) callable; tests green
  • Davas health endpoint contract tested
Drawing 02.A — Foundations Map

Two tracks, one stage

HOMELAB TRACK · TERRAFORM + ANSIBLE
  • Terraform · Proxmox prod + dev VMs
  • Terraform · AWS S3 fast + slow + IAM
  • Cloudflare DNS tunnels declared
  • Tailscale ACLs, node auth keys
  • role: base · users · ssh · fail2ban
  • role: docker · CE + compose plugin
  • role: tailscale · install + auth
  • role: nginx · k3s (off), templates ready

RUNNER TRACK · PYTHON SPINE
  • Pydantic Settings · validate at startup
  • data models · Job · Message · Provider
  • ModelProvider ABC · complete · stream
  • 4 providers + router · ollama · groq · gemini · anthropic
  • docker-compose.yml + .env.example · all services declared, no ports public
  • Ansible: roles/runner + roles/vault + roles/ollama · queue dirs · model pulls · service unit
  • tests/test_providers/ · ollama_test · groq_test · gemini_test · anthropic_test · all mocked HTTP

Both tracks proceed in parallel after S3 buckets exist.
Drawing 02.B — Track Detail

Files & Kiro prompts

Homelab Phase 1 · Terraform
  • terraform/proxmox/main.tf — both VMs
  • terraform/cloudflare/main.tf
  • terraform/tailscale/main.tf + ACLs
  • terraform/aws/main.tf — buckets, IAM, lifecycle
  • S3 state backend (separate bucket)
  • docs/rebuild-from-zero.md
Homelab Phase 2 · Ansible Roles
  • roles/base — users, ssh, fail2ban
  • roles/docker — CE + compose plugin
  • roles/tailscale
  • roles/nginx
  • roles/restic — install only (cron in Stage 5)
  • roles/k3s — disabled by default
  • site.yml + inventory + group vars
  • Second run = zero changes
shared/
  • shared/config/settings.py — startup validation, vault path check
  • shared/models/job.py
  • shared/models/message.py
  • shared/models/provider.py
  • providers/base.py — ABC
  • providers/ollama.py + Davas health
  • providers/groq.py · 429 logging
  • providers/gemini.py · models/ prefix
  • providers/anthropic.py · max_tokens=8192
  • providers/router.py
infra + scaffolding
  • docker-compose.yml — 7 services declared
  • .env.example — every var documented
  • requirements.txt pinned via pip freeze
  • infra/terraform/main.tf — Contabo firewall
  • infra/terraform/dns.tf
  • infra/ansible/roles/docker/
  • infra/ansible/roles/vault/ — queue dirs
  • infra/ansible/roles/ollama/ — model pulls
  • infra/ansible/roles/runner/ — deploy compose
  • tests/test_providers/* — 4 files, mocked
# Paste into Kiro one phase at a time. Smaller context = fewer credits.
# Always include the tech stack + non-negotiable rules at the top.

## Homelab — Phase 1
Build the Terraform layout described in homelab-iac-kiro-spec.md
under "Phase 1 — Terraform". Targets:
  - terraform/proxmox/main.tf  (Prod-Services + Dev-Learning)
  - terraform/cloudflare/main.tf
  - terraform/tailscale/main.tf
  - terraform/aws/main.tf  (S3 fast/slow + IAM + lifecycle)
  - state backend in S3 (separate bucket)
Output: working terraform plan with no manual edits.

## Homelab — Phase 2
Author the 6 Ansible roles listed in spec Phase 2.
Idempotent. Vault-encrypt the tailscale auth key.
Output: site.yml succeeds twice with zero changes second run.

## Runner — Phase 1
Build the Foundation files in llm-runner-kiro-spec.md Phase 1.
Pydantic Settings v2 with startup validation. Every provider has
a corresponding pytest file with mocked HTTP.
Output: docker compose up starts every service; pytest green.
Risks & Wildcards

Where credits leak

  • Proxmox provider (+8 buffer) · bpg/proxmox is fiddly; docs patchy. VM definitions may need a rework cycle.
  • Provider edges (QUIRK) · Gemini needs models/ prefix · Anthropic requires max_tokens · Groq 429s.
  • Davas health (CRITICAL) · Health-check davas-ollama.davidcockson.com/api/tags before routing. Never silently fall back.
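The fail-closed gate behind the Davas health rule, as an added example that is not code from this page or its repo: it probes /api/tags through an injected HTTP function (so it runs offline, like the mocked-HTTP provider tests) and raises instead of routing the job elsewhere. `ProviderUnavailable`, `check_ollama_health`, `route`, `fake_fetch` and the placeholder host are assumptions.

```python
"""Added example, not from the Build Atlas page: fail-closed gate for the Davas
Ollama host. Probe /api/tags first; refuse to route rather than fall back silently."""
import json
from dataclasses import dataclass, field
from typing import Callable

# Placeholder host; the page's real endpoint is davas-ollama.davidcockson.com/api/tags.
OLLAMA_TAGS_URL = "https://davas-ollama.example.invalid/api/tags"
# fetch(url) -> (http_status, body_bytes); injected so the gate runs without network.
Fetch = Callable[[str], tuple[int, bytes]]

class ProviderUnavailable(RuntimeError):
    """Raised instead of routing the job to a provider the operator did not choose."""

@dataclass
class HealthResult:
    healthy: bool
    models: list[str] = field(default_factory=list)
    reason: str = ""

def check_ollama_health(fetch: Fetch, url: str = OLLAMA_TAGS_URL) -> HealthResult:
    """Anything but a 200 carrying a non-empty models list counts as unhealthy."""
    try:
        status, body = fetch(url)
    except OSError as exc:  # DNS, TLS, refused, timeout
        return HealthResult(False, reason=f"network: {exc}")
    if status != 200:
        return HealthResult(False, reason=f"http {status}")
    try:
        models = [m["name"] for m in json.loads(body)["models"]]
    except (ValueError, KeyError, TypeError):
        return HealthResult(False, reason="unexpected /api/tags payload")
    if not models:
        return HealthResult(False, reason="no models loaded")
    return HealthResult(True, models=models)

def route(provider: str, model: str, fetch: Fetch) -> str:
    """Return the provider the job may use; Ollama jobs fail closed."""
    if provider != "ollama":
        return provider
    health = check_ollama_health(fetch)
    if not health.healthy:
        raise ProviderUnavailable(f"ollama unhealthy ({health.reason}); no silent fallback")
    if model not in health.models:
        raise ProviderUnavailable(f"model {model!r} not loaded on ollama")
    return "ollama"

def fake_fetch(status: int, body: bytes) -> Fetch:
    """Constructed stand-in for HTTP, mirroring the page's mocked-HTTP tests."""
    return lambda url: (status, body)
```

The caller decides what to do with `ProviderUnavailable` (queue the job, alert), which keeps the choice to use a cloud provider explicit rather than a side effect of a host being down.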
