jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: migrate MikroTik DNS from Pi-hole to AdGuard Home
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source 
- Replaced Pi-hole container with AdGuard Home (172.17.0.5)
- Configured native DoH/DoT/DoQ with TLS certificates
- Updated DNS architecture diagram
- Updated NAT rules documentation
- Added encrypted DNS endpoints

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
XTRM-Unraid
2026-01-22 07:53:02 +02:00
parent c85724f308
commit 73d43d462e
2 changed files with 90 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
docs/00-CURRENT-STATE.md
View File

@@ -2,7 +2,7 @@
## Current Infrastructure State
**Document Updated:** 2026-01-21
**Document Updated:** 2026-01-22
**Target Domain:** xtrm-lab.org
---
@@ -37,10 +37,24 @@
| cAP ac | `netdisco` | 192.168.31.2 only | Enabled |
**Running Containers on MikroTik:**
| Container | IP | Purpose |
|-----------|-----|---------|
| pihole:latest | 172.17.0.2 | DNS sinkhole (Pi-hole v6) |
| unbound:latest | 172.17.0.3 | Recursive DNS resolver |
| Container | IP | Storage | Purpose |
|-----------|-----|---------|---------|
| unbound:latest | 172.17.0.3 | usb1/unbound/root | Recursive DNS resolver |
| tailscale:latest | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client |
| adguardhome:latest | 172.17.0.5 | usb1/adguardhome | DNS sinkhole with DoH/DoT/DoQ |
**AdGuard Home Configuration (172.17.0.5):**
| Service | Port | Protocol | Status |
|---------|------|----------|--------|
| DNS | 53 | UDP/TCP | Active |
| Web UI | 80 | HTTP | Active |
| DoH (DNS-over-HTTPS) | 443 | HTTPS | Active (TLS) |
| DoT (DNS-over-TLS) | 853 | TCP | Active (TLS) |
| DoQ (DNS-over-QUIC) | 8853 | UDP | Active (TLS) |
**TLS Certificate:** Let's Encrypt wildcard cert for `*.xtrm-lab.org` (shared from Traefik)
**Server Name:** `dns.xtrm-lab.org`
**Certificate Expiry:** 2026-04-02
### MikroTik CSS326-24G-2S+ Switch (192.168.31.9)
@@ -96,7 +110,6 @@
| **DNS** |
| Pi-hole (Unraid) | binhex-official-pihole | 192.168.31.4 | ph1.xtrm-lab.org |
| Unbound (Unraid) | unbound | 192.168.31.5 | - |
| DoH Server | DoH-Server | 172.18.0.22 | doh.xtrm-lab.org |
| **DevOps** |
| Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org |
@@ -172,37 +185,45 @@
```
┌─────────────────────────────────────┐
│ Internet │
│ (DoH/DoT/DoQ: dns.xtrm-lab.org) │
└───────────────┬─────────────────────┘
┌───────────────▼─────────────────────┐
│ MikroTik hAP ax³ (192.168.31.1) │
│ WAN: 62.73.120.142 │
│ Ports: 443(DoH), 853(DoT), │
│ 8853(DoQ), 53(DNS) │
└───────────────┬─────────────────────┘
┌────────────────────────┼────────────────────────┐
│ │ │
▼ ▼ ▼
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
Pi-hole (Router) │ │ Unraid Server │ │ LAN Devices │
│ 172.17.0.2 │ │ 192.168.31.2 │ │ 192.168.31.x │
│ Primary DNS │ │ │ │ │
└────────┬─────────┘ └────────┬─────────┘ └──────────────────┘
┌──────────────────┐ ┌──────────────────┐
│ Unbound (Router) │ │ Unbound (Unraid) │
172.17.0.3 │ 192.168.31.5
Recursive DNS │ │ Recursive DNS │
└──────────────────┘ └─────────────────┘
┌──────────────────┐
│ Pi-hole (Unraid) │
│ 192.168.31.4
Secondary DNS │
└──────────────────┘
┌──────────────────────┐ ┌──────────────────┐ ┌──────────────────┐
AdGuard Home │ │ Unraid Server │ │ LAN Devices │
│ 172.17.0.5 │ │ 192.168.31.2 │ │ 192.168.31.x │
│ Primary DNS │ │ │ │ │
│ DoH/DoT/DoQ Server │ └────────┬─────────┘ └──────────────────┘
└────────┬─────────────┘
┌──────────────────┐
┌──────────────────┐ │ Pi-hole (Unraid) │
Unbound (Router) │ │ 192.168.31.4
172.17.0.3 Secondary DNS │
│ Recursive DNS │ └─────────────────┘
└──────────────────┘
┌──────────────────┐
│ Unbound (Unraid) │
│ 192.168.31.5
Recursive DNS │
└──────────────────┘
```
**Encrypted DNS Endpoints (MikroTik AdGuard Home):**
- **DoH:** `https://dns.xtrm-lab.org/dns-query`
- **DoT:** `tls://dns.xtrm-lab.org:853`
- **DoQ:** `quic://dns.xtrm-lab.org:8853`
---
## Current NAT/Port Forwarding (MikroTik)
@@ -213,11 +234,14 @@
| Forward HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik HTTPS |
| Plex | TCP | 32400 | 192.168.31.2:32400 | Plex Media Server |
| Transmission | TCP/UDP | 51413 | 192.168.31.2:51413 | BitTorrent |
| DoT | TCP | 853 | 172.17.0.2:853 | DNS over TLS |
| DoH | TCP/UDP | 5443 | 172.17.0.2:443 | DNS over HTTPS |
| DNS Force | UDP/TCP | 53 | 172.17.0.2:53 | Force LAN DNS to Pi-hole |
| DoT | TCP | 853 | 172.17.0.5:853 | DNS over TLS (AdGuard) |
| DoQ | UDP | 8853 | 172.17.0.5:8853 | DNS over QUIC (AdGuard) |
| DNS Force | UDP/TCP | 53 | 172.17.0.5:53 | Force LAN DNS to AdGuard Home |
| AdGuard Web UI | TCP | - | 172.17.0.5:80 | Internal access via router IP |
| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk Server |
**Note:** DoH (443) shares port with Traefik HTTPS. External DoH clients should use the dedicated endpoint or internal access.
---
## Traefik Configuration
@@ -232,6 +256,10 @@
- Containers need this label to be auto-discovered
- Otherwise add routes to `/mnt/user/appdata/traefik/dynamic.yml`
**TLS Certificates Location:** `/mnt/user/appdata/traefik/certs/`
- `xtrm-lab.org.crt` - Wildcard certificate chain
- `xtrm-lab.org.key` - Private key
---
## Reference Documents
@@ -257,40 +285,6 @@
|--------|------|---------|
| drive: | Google Drive | Cloud backup storage |
**Config Location:**
### Automated Backups
| Backup | Source | Destination (Local) | Destination (Cloud) | Schedule | Retention |
|--------|--------|---------------------|---------------------|----------|-----------|
| Flash Backup (Unraid plugin) | /boot/config/ | /mnt/user/Backup/flash | drive:Backups/flash | Daily (via Unraid) | 49 files |
| Flash Backup (Custom script) | /boot/config/ | /mnt/user/Backup/unraid-flash | drive:Backups/unraid-flash | Daily 3:00 AM | 7 days |
### Flash Backup Script
- **Script Path:**
- **Schedule:** (Daily at 3:00 AM)
- **Retention:** 7 days
- **Format:**
- **Symlink:**
### Cloud Sync Summary
| Folder | Google Drive Path | Size | Files |
|--------|-------------------|------|-------|
| /mnt/user/Backup/flash | drive:Backups/flash | 60.37 GiB | 49 |
| /mnt/user/Backup/unraid-flash | drive:Backups/unraid-flash | 371 MiB | 2 |
---
## Backup & Cloud Sync
### Rclone Configuration
| Remote | Type | Purpose |
|--------|------|---------|
| drive: | Google Drive | Cloud backup storage |
**Config Location:** /root/.config/rclone/rclone.conf
### Automated Backups

34
docs/06-CHANGELOG.md
View File

@@ -1,3 +1,37 @@
## 2026-01-22 - MikroTik DNS Migration to AdGuard Home
### Pi-hole Removal
- [CONTAINER] Removed Pi-hole container from MikroTik (was 172.17.0.2)
- [STORAGE] Freed 91.2 MiB internal flash storage (was full at 128MB)
- [CLEANUP] Removed Pi-hole mounts, envs, veth interface, and data directories
### AdGuard Home Installation
- [CONTAINER] Deployed adguardhome:latest on MikroTik
- [IP] Assigned 172.17.0.5 (veth-adguard interface)
- [STORAGE] Data stored on USB (usb1/adguardhome)
- [VERSION] AdGuard Home v0.107.71
### Encrypted DNS Configuration
- [TLS] Configured Let's Encrypt wildcard certificate (*.xtrm-lab.org)
- [DOH] DNS-over-HTTPS enabled on port 443
- [DOT] DNS-over-TLS enabled on port 853
- [DOQ] DNS-over-QUIC enabled on port 8853
- [SERVER] Server name: dns.xtrm-lab.org
- [CERT] Certificate expires: 2026-04-02
### NAT Rules Updated
- [NAT] Rule 7: DNS Force now points to 172.17.0.5 (AdGuard Home)
- [NAT] Rule 9: DNS TCP Force now points to 172.17.0.5
- [NAT] Rule 24: AdGuard Home Web UI (192.168.31.1:80 → 172.17.0.5:80)
- [NAT] DoT/DoQ rules to be added for external access
### Benefits
- [FEATURE] Native DoH/DoT/DoQ server support (Pi-hole required extra containers)
- [RESOURCE] Reduced container count (no need for separate DoH-Server)
- [STORAGE] Better storage utilization (USB instead of internal flash)
---
## 2026-01-21 - Rclone & Cloud Backup Setup
### Rclone Installation & Configuration