Add infrastructure documentation

docs/05-PHASE5-RUSTDESK.md

@@ -0,0 +1,187 @@
+# Phase 5: Hardened RustDesk Self-Hosted Setup
+
+## Status: ✅ SERVER-SIDE COMPLETE
+
+**Last Verified:** 2026-01-18
+
+---
+
+## Goal
+Deploy a high-security, self-hosted RustDesk infrastructure with custom ID server, relay server, and end-to-end encryption using your own keypair.
+
+---
+
+## Current State
+
+### Server Components
+
+| Component | Container | Status | Ports |
+|-----------|-----------|--------|-------|
+| ID Server | rustdesk-hbbs | ✅ Running | TCP 21115-21116, UDP 21116, WS 21118-21119 |
+| Relay Server | rustdesk-hbbr | ✅ Running | TCP 21117 |
+
+### Configuration
+
+| Parameter | Value |
+|-----------|-------|
+| Public Key | `+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=` |
+| ID Server | rustdesk.xtrm-lab.org:21116 |
+| Relay Server | rustdesk.xtrm-lab.org:21117 |
+| DNS | rustdesk.xtrm-lab.org → 62.73.120.142 |
+| Data Path | /mnt/user/appdata/rustdesk-server |
+
+### MikroTik NAT Rules
+
+| Rule | Protocol | WAN Port | Destination |
+|------|----------|----------|-------------|
+| RustDesk NAT Test | TCP | 21115 | 192.168.31.2:21115 |
+| RustDesk ID Server | TCP | 21116 | 192.168.31.2:21116 |
+| RustDesk ID Server | UDP | 21116 | 192.168.31.2:21116 |
+| RustDesk Relay | TCP | 21117 | 192.168.31.2:21117 |
+
+### Port Connectivity (Verified)
+
+| Port | Protocol | Status |
+|------|----------|--------|
+| 21116 | TCP | ✅ Accessible |
+| 21117 | TCP | ✅ Accessible |
+
+---
+
+## Client Configuration
+
+To connect RustDesk clients to your self-hosted server:
+
+### Settings
+```
+ID Server: rustdesk.xtrm-lab.org
+Relay Server: rustdesk.xtrm-lab.org
+Key: +Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
+```
+
+### Connection String (for quick setup)
+```
+rustdesk.xtrm-lab.org,+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
+```
+
+---
+
+## Verification Checklist
+
+### Server-Side (Complete)
+- [x] Keypair generated: `/mnt/user/appdata/rustdesk-server/id_ed25519*`
+- [x] hbbs container running
+- [x] hbbr container running  
+- [x] MikroTik NAT rules configured (4 rules)
+- [x] DNS resolves: rustdesk.xtrm-lab.org → 62.73.120.142
+- [x] Port 21116 accessible from external
+- [x] Port 21117 accessible from external
+
+### Client-Side (Pending User Testing)
+- [ ] Client connects with public key
+- [ ] Remote session works between two clients
+- [ ] Relay works when direct P2P fails
+
+---
+
+## Architecture
+
+```
+                              Internet
+                                 │
+                    ┌────────────▼────────────┐
+                    │  MikroTik (62.73.120.142)│
+                    │  NAT Rules:             │
+                    │  TCP 21115-21117        │
+                    │  UDP 21116              │
+                    └────────────┬────────────┘
+                                 │
+              ┌──────────────────┼──────────────────┐
+              │                  │                  │
+              ▼                  ▼                  ▼
+    ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
+    │ hbbs (ID Server)│ │ hbbr (Relay)    │ │ RustDesk Client │
+    │ TCP 21115-21116 │ │ TCP 21117       │ │ Your devices    │
+    │ UDP 21116       │ │                 │ │                 │
+    │ WS 21118-21119  │ │                 │ │                 │
+    └─────────────────┘ └─────────────────┘ └─────────────────┘
+```
+
+---
+
+## Container Details
+
+### hbbs (ID/Rendezvous Server)
+
+```
+Image: rustdesk/rustdesk-server:latest
+Command: hbbs -r rustdesk.xtrm-lab.org:21117 -k _
+Volume: /mnt/user/appdata/rustdesk-server:/root
+Ports: 21115, 21116 (TCP+UDP), 21118, 21119
+```
+
+### hbbr (Relay Server)
+
+```
+Image: rustdesk/rustdesk-server:latest
+Command: hbbr -k _
+Volume: /mnt/user/appdata/rustdesk-server:/root
+Ports: 21117
+```
+
+**Note:** The `-k _` flag enforces encrypted connections using the keypair.
+
+---
+
+## Security Features
+
+1. **End-to-End Encryption:** All connections encrypted with Ed25519 keypair
+2. **Key Verification:** Clients must have correct public key to connect
+3. **Self-Hosted:** No third-party servers involved
+4. **Encrypted-Only Mode:** Unencrypted connections rejected
+
+---
+
+## Maintenance
+
+### View Logs
+```bash
+docker logs rustdesk-hbbs --tail 50
+docker logs rustdesk-hbbr --tail 50
+```
+
+### Restart Services
+```bash
+docker restart rustdesk-hbbs rustdesk-hbbr
+```
+
+### Key Rotation
+```bash
+# Generate new keypair
+docker run --rm -v /mnt/user/appdata/rustdesk-server:/data rustdesk/rustdesk-server hbbs -g
+
+# Restart containers
+docker restart rustdesk-hbbs rustdesk-hbbr
+
+# Update all clients with new public key
+```
+
+---
+
+## Rollback Procedure
+
+```bash
+# Stop and remove containers
+docker stop rustdesk-hbbs rustdesk-hbbr
+docker rm rustdesk-hbbs rustdesk-hbbr
+
+# Remove MikroTik NAT rules (via SSH)
+/ip/firewall/nat remove [find comment~RustDesk]
+```
+
+---
+
+## Related Documents
+
+- [00-CURRENT-STATE.md](./00-CURRENT-STATE.md) - Infrastructure overview
+- [04-PHASE4-REMOTE-GAMING.md](./04-PHASE4-REMOTE-GAMING.md) - Sunshine/Moonlight setup