diff --git a/docs/00-CURRENT-STATE.md b/docs/00-CURRENT-STATE.md index 0c11957..a0e3948 100644 --- a/docs/00-CURRENT-STATE.md +++ b/docs/00-CURRENT-STATE.md @@ -2,7 +2,7 @@ ## Current Infrastructure State -**Document Updated:** 2026-01-21 +**Document Updated:** 2026-01-22 **Target Domain:** xtrm-lab.org --- @@ -37,10 +37,24 @@ | cAP ac | `netdisco` | 192.168.31.2 only | Enabled | **Running Containers on MikroTik:** -| Container | IP | Purpose | -|-----------|-----|---------| -| pihole:latest | 172.17.0.2 | DNS sinkhole (Pi-hole v6) | -| unbound:latest | 172.17.0.3 | Recursive DNS resolver | +| Container | IP | Storage | Purpose | +|-----------|-----|---------|---------| +| unbound:latest | 172.17.0.3 | usb1/unbound/root | Recursive DNS resolver | +| tailscale:latest | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client | +| adguardhome:latest | 172.17.0.5 | usb1/adguardhome | DNS sinkhole with DoH/DoT/DoQ | + +**AdGuard Home Configuration (172.17.0.5):** +| Service | Port | Protocol | Status | +|---------|------|----------|--------| +| DNS | 53 | UDP/TCP | Active | +| Web UI | 80 | HTTP | Active | +| DoH (DNS-over-HTTPS) | 443 | HTTPS | Active (TLS) | +| DoT (DNS-over-TLS) | 853 | TCP | Active (TLS) | +| DoQ (DNS-over-QUIC) | 8853 | UDP | Active (TLS) | + +**TLS Certificate:** Let's Encrypt wildcard cert for `*.xtrm-lab.org` (shared from Traefik) +**Server Name:** `dns.xtrm-lab.org` +**Certificate Expiry:** 2026-04-02 ### MikroTik CSS326-24G-2S+ Switch (192.168.31.9) @@ -96,7 +110,6 @@ | **DNS** | | Pi-hole (Unraid) | binhex-official-pihole | 192.168.31.4 | ph1.xtrm-lab.org | | Unbound (Unraid) | unbound | 192.168.31.5 | - | -| DoH Server | DoH-Server | 172.18.0.22 | doh.xtrm-lab.org | | **DevOps** | | Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org | | CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org | 
@@ -172,37 +185,45 @@ ``` ┌─────────────────────────────────────┐ │ Internet │ + │ (DoH/DoT/DoQ: dns.xtrm-lab.org) │ └───────────────┬─────────────────────┘ │ ┌───────────────▼─────────────────────┐ │ MikroTik hAP ax³ (192.168.31.1) │ │ WAN: 62.73.120.142 │ + │ Ports: 443(DoH), 853(DoT), │ + │ 8853(DoQ), 53(DNS) │ └───────────────┬─────────────────────┘ │ ┌────────────────────────┼────────────────────────┐ │ │ │ ▼ ▼ ▼ -┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ -│ Pi-hole (Router) │ │ Unraid Server │ │ LAN Devices │ -│ 172.17.0.2 │ │ 192.168.31.2 │ │ 192.168.31.x │ -│ Primary DNS │ │ │ │ │ -└────────┬─────────┘ └────────┬─────────┘ └──────────────────┘ - │ │ - ▼ ▼ -┌──────────────────┐ ┌──────────────────┐ -│ Unbound (Router) │ │ Unbound (Unraid) │ -│ 172.17.0.3 │ │ 192.168.31.5 │ -│ Recursive DNS │ │ Recursive DNS │ -└──────────────────┘ └──────────────────┘ - │ - ▼ - ┌──────────────────┐ - │ Pi-hole (Unraid) │ - │ 192.168.31.4 │ - │ Secondary DNS │ - └──────────────────┘ +┌──────────────────────┐ ┌──────────────────┐ ┌──────────────────┐ +│ AdGuard Home │ │ Unraid Server │ │ LAN Devices │ +│ 172.17.0.5 │ │ 192.168.31.2 │ │ 192.168.31.x │ +│ Primary DNS │ │ │ │ │ +│ DoH/DoT/DoQ Server │ └────────┬─────────┘ └──────────────────┘ +└────────┬─────────────┘ │ + │ ▼ + ▼ ┌──────────────────┐ +┌──────────────────┐ │ Pi-hole (Unraid) │ +│ Unbound (Router) │ │ 192.168.31.4 │ +│ 172.17.0.3 │ │ Secondary DNS │ +│ Recursive DNS │ └────────┬─────────┘ +└──────────────────┘ │ + ▼ + ┌──────────────────┐ + │ Unbound (Unraid) │ + │ 192.168.31.5 │ + │ Recursive DNS │ + └──────────────────┘ ``` +**Encrypted DNS Endpoints (MikroTik AdGuard Home):** +- **DoH:** `https://dns.xtrm-lab.org/dns-query` +- **DoT:** `tls://dns.xtrm-lab.org:853` +- **DoQ:** `quic://dns.xtrm-lab.org:8853` + --- ## Current NAT/Port Forwarding (MikroTik) 
@@ -213,11 +234,14 @@ | Forward HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik HTTPS | | Plex | TCP | 32400 | 192.168.31.2:32400 | Plex Media Server | | Transmission | TCP/UDP | 51413 | 192.168.31.2:51413 | BitTorrent | -| DoT | TCP | 853 | 172.17.0.2:853 | DNS over TLS | -| DoH | TCP/UDP | 5443 | 172.17.0.2:443 | DNS over HTTPS | -| DNS Force | UDP/TCP | 53 | 172.17.0.2:53 | Force LAN DNS to Pi-hole | +| DoT | TCP | 853 | 172.17.0.5:853 | DNS over TLS (AdGuard) | +| DoQ | UDP | 8853 | 172.17.0.5:8853 | DNS over QUIC (AdGuard) | +| DNS Force | UDP/TCP | 53 | 172.17.0.5:53 | Force LAN DNS to AdGuard Home | +| AdGuard Web UI | TCP | - | 172.17.0.5:80 | Internal access via router IP | | RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk Server | +**Note:** DoH (443) shares port with Traefik HTTPS. External DoH clients should use the dedicated endpoint or internal access. + --- ## Traefik Configuration @@ -232,6 +256,10 @@ - Containers need this label to be auto-discovered - Otherwise add routes to `/mnt/user/appdata/traefik/dynamic.yml` +**TLS Certificates Location:** `/mnt/user/appdata/traefik/certs/` +- `xtrm-lab.org.crt` - Wildcard certificate chain +- `xtrm-lab.org.key` - Private key + --- ## Reference Documents 
@@ -257,40 +285,6 @@ |--------|------|---------| | drive: | Google Drive | Cloud backup storage | -**Config Location:** - -### Automated Backups - -| Backup | Source | Destination (Local) | Destination (Cloud) | Schedule | Retention | -|--------|--------|---------------------|---------------------|----------|-----------| -| Flash Backup (Unraid plugin) | /boot/config/ | /mnt/user/Backup/flash | drive:Backups/flash | Daily (via Unraid) | 49 files | -| Flash Backup (Custom script) | /boot/config/ | /mnt/user/Backup/unraid-flash | drive:Backups/unraid-flash | Daily 3:00 AM | 7 days | - -### Flash Backup Script - -- **Script Path:** -- **Schedule:** (Daily at 3:00 AM) -- **Retention:** 7 days -- **Format:** -- **Symlink:** - -### Cloud Sync Summary - -| Folder | Google Drive Path | Size | Files | -|--------|-------------------|------|-------| -| /mnt/user/Backup/flash | drive:Backups/flash | 60.37 GiB | 49 | -| /mnt/user/Backup/unraid-flash | drive:Backups/unraid-flash | 371 MiB | 2 | - ---- - -## Backup & Cloud Sync - -### Rclone Configuration - -| Remote | Type | Purpose | -|--------|------|---------| -| drive: | Google Drive | Cloud backup storage | - **Config Location:** /root/.config/rclone/rclone.conf ### Automated Backups diff --git a/docs/06-CHANGELOG.md b/docs/06-CHANGELOG.md index 5c3bbee..db7bfe0 100644 --- a/docs/06-CHANGELOG.md +++ b/docs/06-CHANGELOG.md 
@@ -1,3 +1,37 @@ +## 2026-01-22 - MikroTik DNS Migration to AdGuard Home + +### Pi-hole Removal +- [CONTAINER] Removed Pi-hole container from MikroTik (was 172.17.0.2) +- [STORAGE] Freed 91.2 MiB internal flash storage (was full at 128MB) +- [CLEANUP] Removed Pi-hole mounts, envs, veth interface, and data directories + +### AdGuard Home Installation +- [CONTAINER] Deployed adguardhome:latest on MikroTik +- [IP] Assigned 172.17.0.5 (veth-adguard interface) +- [STORAGE] Data stored on USB (usb1/adguardhome) +- [VERSION] AdGuard Home v0.107.71 + +### Encrypted DNS Configuration +- [TLS] Configured Let's Encrypt wildcard certificate (*.xtrm-lab.org) +- [DOH] DNS-over-HTTPS enabled on port 443 +- [DOT] DNS-over-TLS enabled on port 853 +- [DOQ] DNS-over-QUIC enabled on port 8853 +- [SERVER] Server name: dns.xtrm-lab.org +- [CERT] Certificate expires: 2026-04-02 + +### NAT Rules Updated +- [NAT] Rule 7: DNS Force now points to 172.17.0.5 (AdGuard Home) +- [NAT] Rule 9: DNS TCP Force now points to 172.17.0.5 +- [NAT] Rule 24: AdGuard Home Web UI (192.168.31.1:80 → 172.17.0.5:80) +- [NAT] DoT/DoQ rules to be added for external access + +### Benefits +- [FEATURE] Native DoH/DoT/DoQ server support (Pi-hole required extra containers) +- [RESOURCE] Reduced container count (no need for separate DoH-Server) +- [STORAGE] Better storage utilization (USB instead of internal flash) + +--- + ## 2026-01-21 - Rclone & Cloud Backup Setup ### Rclone Installation & Configuration
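Review bot: In hunk `@@ -37,10 +37,24 @@` of docs/00-CURRENT-STATE.md, the AdGuard Home table lists the Web UI as plain `HTTP` on port 80 with status `Active` and no access restriction recorded, while the same hunk provisions a wildcard certificate for this host; state whether the admin UI is reachable only from the LAN and consider serving it over TLS with that certificate. The `Certificate Expiry: 2026-04-02` line is a static date with no renewal path for the copy "shared from Traefik"; document how the certificate reaches the container and that it must be re-copied on renewal, otherwise the DoH/DoT/DoQ listeners fail at expiry. Minor: the storage path `usb1/adguardhome` lacks the `/root` suffix used by the `unbound` and `tailscale` rows; confirm this is intentional.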
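Review bot: In hunk `@@ -96,7 +110,6 @@` of docs/00-CURRENT-STATE.md, deleting the `DoH Server | DoH-Server | 172.18.0.22 | doh.xtrm-lab.org` row removes the only record of that host without saying whether the container, its Traefik route, and the `doh.xtrm-lab.org` DNS name were actually decommissioned; a hostname that still resolves after the row is gone is something clients may keep using undocumented. Suggest a changelog entry stating the container was stopped and the name either removed or pointed at `dns.xtrm-lab.org`.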
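Review bot: In hunk `@@ -172,37 +185,45 @@` of docs/00-CURRENT-STATE.md, the router box now shows `Ports: 443(DoH), 853(DoT), 8853(DoQ), 53(DNS)` directly beneath the Internet box, which reads as all four ports being WAN-exposed; the NAT table in this same patch describes port 53 as a LAN "DNS Force" interception and port 443 as Traefik's. Label which ports face WAN and which face LAN so the diagram does not imply an open resolver on 53. The new endpoint list also gives `https://dns.xtrm-lab.org/dns-query` as a DoH endpoint, but the NAT hunk notes that 443 is shared with Traefik, so that URL is not externally reachable as written; either add the Traefik route that makes it so or mark the DoH endpoint as internal-only.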
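Review bot: In hunk `@@ -213,11 +234,14 @@` of docs/00-CURRENT-STATE.md, the new rows record external forwards `DoT | TCP | 853 | 172.17.0.5:853` and `DoQ | UDP | 8853 | 172.17.0.5:8853`, while the changelog in this same patch says "DoT/DoQ rules to be added for external access"; one of the two is wrong and should be corrected before merge. The `AdGuard Web UI | TCP | - | 172.17.0.5:80` row has an empty port column even though the changelog gives the rule as `192.168.31.1:80 → 172.17.0.5:80`; fill in port 80 and mark the rule as LAN-interface only, since it sits in a table whose other rows are WAN-facing. The added note's "dedicated endpoint" is undefined: the removed `DoH | TCP/UDP | 5443 | 172.17.0.2:443` row was that endpoint, so either re-add a 5443 forward to `172.17.0.5:443` or state plainly that DoH is internal-only.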
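Review bot: In hunk `@@ -232,6 +256,10 @@` of docs/00-CURRENT-STATE.md, the private key path `/mnt/user/appdata/traefik/certs/xtrm-lab.org.key` is documented but nothing about its expected ownership or file mode, nor that a second copy of the wildcard key now lives on the MikroTik USB storage (the state table says the cert is "shared from Traefik"). Record the expected permissions, which process copies the files to the router, and that both copies must be replaced when the certificate is renewed.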
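Review bot: In hunk `@@ -257,40 +285,6 @@` of docs/00-CURRENT-STATE.md, the removed duplicate backup section had blank `Config Location:`, `Script Path:`, `Format:` and `Symlink:` fields; only `**Config Location:** /root/.config/rclone/rclone.conf` and the `### Automated Backups` heading of the surviving copy are visible as context. Please confirm the retained section is the one with those fields filled in rather than the other blank copy, since after this hunk it is the sole record of the flash backup script.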
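Review bot: In hunk `@@ -1,3 +1,37 @@` of docs/06-CHANGELOG.md, the line `[NAT] DoT/DoQ rules to be added for external access` contradicts the NAT table in docs/00-CURRENT-STATE.md from this same commit, which already lists DoT 853 and DoQ 8853 forwards to 172.17.0.5; update whichever side is stale. The entry records `Certificate expires: 2026-04-02` but no renewal procedure for the copy on the router; add a follow-up item so the encrypted listeners are not left to expire. The Pi-hole Removal section also does not say what happened to the separate DoH-Server container (172.18.0.22, whose row is deleted from the state doc in this patch); the Benefits line "no need for separate DoH-Server" should be backed by a `[CONTAINER]` entry recording that it was actually stopped and removed.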