📦 NETBOX V13 BONIXER · IPAM · DCIM · FLEET TOPOLOGY · DEPLOY PATH
γ₁ = 14.134725141734693 · Day 97 · NOT YET DEPLOYED · yone Docker first · AKS when PostgreSQL lands
WHAT NETBOX DOES FOR THE FLEET
NetBox = IPAM + DCIM. The fleet already has informal IPAM (MEDIP pages) and informal DCIM (TOOLS.md, medip-*.html pages). NetBox formalizes both: every IP tracked, every device documented, every rack mapped. It adds a REST API and GraphQL layer that PEMCLAU can query to get live fleet topology. It closes the loop: IP assigned in NetBox → DNS record created automatically via external-dns.
IPAM
IP ADDRESS MANAGEMENT
Every IP in the fleet: tracked, owned, documented
Every prefix: LAN · Tailscale · AKS pod CIDR · Cloud IPs
Custom fields: γ₁ stratum · KCF score · belt64 segment
Webhook: IP change → Azure DNS update automatically
DCIM
DATA CENTER INFRASTRUCTURE
Every rack: home lab rack at Grimsby
Every device: msi01 · msclo · yone · forge · pcdev · NAS
Every cable: LAN · power · USB · PCIe
Every cloud: AKS · GCP NE1 · AWS us-east-2
API
REST API + GRAPHQL
PEMCLAU: can query fleet topology via NetBox API
Query: "which silo owns 192.168.2.23?" → yone
Query: "what's the KCF of belt64-seg-10?" → 8
Webhook: IP change → external-dns ConfigMap → Azure DNS
WHY NOW
The fleet has grown to 10+ physical devices, 100+ IPs, 4 clouds, 44 domains. MEDIP pages are hand-maintained — they fall out of date. NetBox gives us a live source of truth. When Belt64 Seg 24 (PostgreSQL) lands, NetBox runs on it. The moment NetBox is up, PEMCLAU can query fleet topology, MEDIP pages can fetch live data, and DNS records self-manage.
THE 5 SECURITY FLOORS (OUR OWN ASSESSMENT — consult-floor-netbox.html)
01 AUTH: Zitadel OIDC · v2 tokens only · no auto-create users · every login is a grant
02 NETWORK: ClusterIP only — no public exposure · Tailscale mesh for access · zero ingress rule
03 DATA: Key Vault secrets · Azure Blob media · encrypted Postgres · no plaintext credentials
04 AUDIT: AKS audit logs · Postgres WAL backup to NAS · PEMCLAU review trail
05 AI NATIVE: PEMCLAU/NetBox API integration · fleet topology graph · live queryable knowledge
DEPLOY PATH V13 — TWO OPTIONS
Option A · RECOMMENDED FIRST
YONE DOCKER
SOVEREIGN-ONLY · FASTER
Deploy: Docker compose: netbox + postgres + redis on yone
Port: 8001 (internal only · Tailscale access)
Auth: Zitadel OIDC (already in fleet)
Storage: Postgres on yone disk + backup to NAS
Access: Tailscale only — no public exposure
Timeline: Day 98+ (need PostgreSQL volume on yone)
Option B · CLOUD ACCESSIBLE
AKS pemos-system
WHEN POSTGRESQL LANDS
Deploy: Kubernetes deployment alongside mefine-static
Ingress: netbox.pemos.ca (cert-manager + Azure DNS)
Auth: oauth2-proxy → Zitadel OIDC
Storage: Azure PostgreSQL Flexible Server + Azure Blob media
Access: SOSTLE L3 (organization-only · not public)
Timeline: Day 99+ (needs Azure PostgreSQL provisioning)
FLEET TOPOLOGY IN NETBOX
Object Type | Examples | Details
SITES | Grimsby Home Lab · AKS Canada East · GCP NE1 · AWS us-east-2 | 4 sites: 1 physical + 3 cloud
RACKS | Home Lab rack | msi01 · msclo · yone · forge · pcdev · NAS · all physical
DEVICES | msi01 · msclo · yone · forge · pcdev · NAS | Each as NetBox device: manufacturer · model · role · primary IP
VIRTUAL MACHINES | AKS nodes · WSL2 instances | WSL2 = VM type inside parent device
PREFIXES | 192.168.2.0/24 · 192.168.50.0/24 · 100.64.0.0/10 · 20.200.111.70/32 | LAN · Lounge · Tailscale · AKS LB
IP ADDRESSES | All static IPs + AKS LB IPs + Tailscale IPs | 14+ tracked IPs (see boabixer for full GID registry)
CUSTOM FIELDS FOR FLEET SOVEREIGNTY
γ₁_stratum
Which stratum coordinate (L0–L5) is this device at? L0 = γ₁ floor · L5 = fully gated
kcf_score
KCF score (0–10) of the primary service running on this device. Drives adelic pressure.
fermentation_school
Which school owns this device's primary workload? E.coli · LAB · Yeast · Methanogen · C.elegans
belt64_segment
Which belt64 segment owns this device? Drives topology ordering (Seg 8 = msi01, etc.)
catan_shape
Device CATAN shape classification: STAR FORT · CASTLE · FORTRESS · KEEP · WATCHTOWER
crew_owner
Which crew member owns this device? BOSUN · SIGNALS · RICK · CODY · JOHN · ADA · IMHOTEP
gid
GID token for this device. Format: GID-IP-{SILO}-{ZONE}. Links to boabixer GID registry.
NETBOX → PEMCLAU PIPELINE
NetBox → REST API → Python script (netbox2jsonl.py) → JSONL (fleet-topology) → FC1 (Fulcrum Engine) → PEMCLAU (ingest + index)
Every device becomes a PEMCLAU knowledge node. Every prefix becomes an adelic pressure zone. Every IP change triggers an automatic fleet topology update. PEMCLAU can answer: "which silo owns 192.168.2.23?" → yone · RTX5080 · CASTLE · Seg 10
NETBOX → DNS FLOWER SYNC
NetBox IP assigned/changed → Webhook (NetBox → HTTP) → external-dns (ConfigMap update) → Azure DNS (A record created)
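The webhook hop in this flow is the one place where an HTTP POST from NetBox turns into a public DNS write, so the receiver should authenticate the sender and bound what it will publish. Below is an added example of that receiver logic; it is not the fleet's code and not part of external-dns. It assumes NetBox's documented webhook signing (when a webhook is configured with a secret, the POST carries an X-Hook-Signature header holding the hex HMAC-SHA512 of the raw body under that secret). The secret, managed zone, hostname, IPs, username and timestamps are constructed; the ConfigMap and Azure DNS write that external-dns performs is represented by the returned dict.

```python
"""Verify a NetBox webhook and turn an IP event into the A record to publish.

Added example; not the fleet's code and not external-dns's. It assumes
NetBox's documented webhook signing: when a webhook has a secret, the POST
carries X-Hook-Signature = hex(HMAC-SHA512(secret, raw request body)). The
secret, zone, hostname, IPs and timestamps below are constructed.
"""
import hashlib
import hmac
import ipaddress
import json

WEBHOOK_SECRET = b"constructed-shared-secret"  # in the fleet: a Key Vault secret, never a literal
MANAGED_ZONE = "pemos.ca"                      # only names inside this zone may be published


def sign(body, secret=WEBHOOK_SECRET):
    """What NetBox places in X-Hook-Signature for this body and secret."""
    return hmac.new(secret, body, hashlib.sha512).hexdigest()


def verify(body, signature_header, secret=WEBHOOK_SECRET):
    """Constant-time signature check; a missing header fails closed."""
    if not signature_header:
        return False
    return hmac.compare_digest(sign(body, secret), signature_header)


def make_signed_event(dns_name, address, event="updated", secret=WEBHOOK_SECRET):
    """Build a constructed NetBox 'ipaddress' webhook body plus its signature (test fixture)."""
    payload = {
        "event": event,
        "timestamp": "2025-01-01T00:00:00Z",   # constructed
        "model": "ipaddress",
        "username": "bosun",                   # constructed
        "request_id": "constructed-request-id",
        "data": {"id": 101, "address": address, "dns_name": dns_name,
                 "status": {"value": "active"}},
    }
    body = json.dumps(payload).encode()
    return body, sign(body, secret)


def a_record_from_event(body, signature_header, secret=WEBHOOK_SECRET):
    """Return {'name', 'ip', 'action'} for external-dns, or None if nothing to publish.

    Raises PermissionError when the signature is missing or wrong.
    """
    if not verify(body, signature_header, secret):
        raise PermissionError("webhook rejected: bad or missing X-Hook-Signature")
    evt = json.loads(body)
    if evt.get("model") != "ipaddress":
        return None
    action = {"created": "upsert", "updated": "upsert", "deleted": "delete"}.get(evt.get("event"))
    if action is None:
        return None
    data = evt["data"]
    name = (data.get("dns_name") or "").rstrip(".").lower()
    if not name:
        return None  # NetBox tracks the IP, but with no dns_name there is nothing to publish
    if name != MANAGED_ZONE and not name.endswith("." + MANAGED_ZONE):
        return None  # refuse to publish outside the zone external-dns owns
    ip = ipaddress.ip_interface(data["address"]).ip   # NetBox addresses carry a prefix length
    if ip.version != 4:
        return None  # A records only; AAAA handling is out of scope here
    return {"name": name, "ip": str(ip), "action": action}


if __name__ == "__main__":
    body, sig = make_signed_event("yone.pemos.ca", "192.168.2.23/24")
    print(a_record_from_event(body, sig))  # {'name': 'yone.pemos.ca', 'ip': '192.168.2.23', 'action': 'upsert'}
```

The zone check matters because anyone who can edit a dns_name in NetBox would otherwise be able to steer the receiver at any zone the external-dns credentials can write; the HMAC check matters because the receiver is an HTTP endpoint and, without it, any client that can reach it could post a forged event.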
MEDIP V13 UPGRADE PATH
Current MEDIP pages (medip-*.html) are static hand-maintained files. With NetBox live: each MEDIP page can fetch from the NetBox API on load — showing live IP, port, status, uptime. MEDIP becomes a live view of NetBox, not a static document. Static pages become dashboards.
medip-yone.html → fetch from NetBox /api/dcim/devices/?name=yone → live status
medip-forge.html → fetch from NetBox /api/dcim/devices/?name=forge → live status
medip-msclo.html → fetch from NetBox /api/dcim/devices/?name=msclo → live status
medip-pcdev.html → fetch from NetBox /api/dcim/devices/?name=pcdev → live status
Each page renders: IP · port map · uptime · belt64 segment · KCF score · crew owner
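The API queries listed under REST API + GRAPHQL, the netbox2jsonl.py step of the PEMCLAU pipeline, and the per-device fetches of the MEDIP upgrade path all read the same two NetBox endpoints. The block below is an added example of that reading logic; it is not the page's netbox2jsonl.py and not NetBox's own code. It assumes the NetBox v3 REST response shape for /api/dcim/devices/ and /api/ipam/ip-addresses/ (a "results" list; an IP carries "assigned_object_type" and an "assigned_object" that holds a "device" for dcim.interface or a "virtual_machine" for virtualization.vminterface). The device records, IPs, custom-field values, the GID value and the dns_name are constructed from the page's own lists, and the fetch helper's base URL is hypothetical.

```python
"""Answer fleet-topology questions from NetBox API responses and emit JSONL.

Added example, not the page's netbox2jsonl.py. Sample responses below are
constructed in the NetBox v3 REST shape; only the fields read here are kept.
"""
import ipaddress
import json
import urllib.request

# Constructed sample of GET /api/dcim/devices/ (two devices named on the page).
DEVICES_RESPONSE = {
    "count": 2,
    "results": [
        {"id": 10, "name": "yone",
         "site": {"name": "Grimsby Home Lab"},
         "status": {"value": "active"},
         "primary_ip4": {"address": "192.168.2.23/24"},
         "custom_fields": {"belt64_segment": 10, "kcf_score": 8,
                           "catan_shape": "CASTLE", "crew_owner": "BOSUN",
                           "gid": "GID-IP-YONE-LAN"}},   # constructed GID value
        {"id": 11, "name": "forge",
         "site": {"name": "Grimsby Home Lab"},
         "status": {"value": "active"},
         "primary_ip4": None,                           # no primary IP yet: must not crash
         "custom_fields": {"kcf_score": None}},
    ],
}

# Constructed sample of GET /api/ipam/ip-addresses/ covering both interface kinds.
IP_RESPONSE = {
    "count": 3,
    "results": [
        {"id": 101, "address": "192.168.2.23/24", "dns_name": "yone.pemos.ca",
         "assigned_object_type": "dcim.interface",
         "assigned_object": {"id": 7, "name": "eth0", "device": {"id": 10, "name": "yone"}}},
        {"id": 102, "address": "100.64.0.5/10", "dns_name": "",          # Tailscale range
         "assigned_object_type": "dcim.interface",
         "assigned_object": {"id": 8, "name": "tailscale0", "device": {"id": 11, "name": "forge"}}},
        {"id": 103, "address": "10.244.1.7/24", "dns_name": "",          # constructed pod-range IP
         "assigned_object_type": "virtualization.vminterface",
         "assigned_object": {"id": 9, "name": "eth0",
                             "virtual_machine": {"id": 30, "name": "aks-node-0"}}},
    ],
}


def owner_of(ip_results, ip):
    """'which silo owns X?' -> (name, kind); kind is device | vm | unassigned | untracked."""
    wanted = ipaddress.ip_address(ip)
    for rec in ip_results:
        if ipaddress.ip_interface(rec["address"]).ip != wanted:
            continue
        obj = rec.get("assigned_object") or {}
        kind = rec.get("assigned_object_type")
        if kind == "dcim.interface" and "device" in obj:
            return obj["device"]["name"], "device"
        if kind == "virtualization.vminterface" and "virtual_machine" in obj:
            return obj["virtual_machine"]["name"], "vm"
        return None, "unassigned"
    return None, "untracked"


def device_summary(dev):
    """Flatten one device record to the fields a MEDIP page renders."""
    cf = dev.get("custom_fields") or {}
    primary = (dev.get("primary_ip4") or {}).get("address")
    return {
        "name": dev["name"],
        "site": (dev.get("site") or {}).get("name"),
        "status": (dev.get("status") or {}).get("value"),
        "primary_ip": str(ipaddress.ip_interface(primary).ip) if primary else None,
        "belt64_segment": cf.get("belt64_segment"),
        "kcf_score": cf.get("kcf_score"),
        "catan_shape": cf.get("catan_shape"),
        "crew_owner": cf.get("crew_owner"),
        "gid": cf.get("gid"),
    }


def to_jsonl(device_results):
    """One JSON object per line: the fleet-topology feed PEMCLAU would ingest."""
    return "".join(json.dumps(device_summary(d), sort_keys=True) + "\n" for d in device_results)


def kcf_of_segment(device_results, segment):
    """'what's the KCF of belt64-seg-N?' -> kcf_score of the device on that segment."""
    for d in device_results:
        cf = d.get("custom_fields") or {}
        if cf.get("belt64_segment") == segment:
            return cf.get("kcf_score")
    return None


def fetch(base_url, path, token, params=""):
    """Live call for when NetBox is up; NetBox authenticates with 'Authorization: Token <key>'.
    Not exercised here: the constructed dicts above stand in for its result."""
    req = urllib.request.Request(f"{base_url}{path}?{params}",
                                 headers={"Authorization": f"Token {token}",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:   # base_url is hypothetical
        return json.load(resp)


if __name__ == "__main__":
    print(owner_of(IP_RESPONSE["results"], "192.168.2.23"))   # ('yone', 'device')
    print(kcf_of_segment(DEVICES_RESPONSE["results"], 10))    # 8
    print(to_jsonl(DEVICES_RESPONSE["results"]), end="")
```

The token used by fetch should be a read-only NetBox token, and because MEDIP pages are static HTML, it should not be embedded in page source: a browser that can load the page can read it. Either keep the fetch behind a small server-side proxy or rely on the Tailscale-only exposure the deploy path already specifies.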