diff --git a/docs/00-CURRENT-STATE.md b/docs/00-CURRENT-STATE.md
index c9ceda2..3a967e3 100644
--- a/docs/00-CURRENT-STATE.md
+++ b/docs/00-CURRENT-STATE.md
@@ -1,15 +1,84 @@
-# Infrastructure Upgrade Proposal: xtrm-lab.org (v2)
+# Infrastructure Current State: xtrm-lab.org
-## Current Infrastructure State
-
-**Document Updated:** 2026-01-22
-**Target Domain:** xtrm-lab.org
+## Document Updated: 2026-01-22
+## Target Domain: xtrm-lab.org
---
-## Network Topology
+## Network Topology Diagram
-### MikroTik hAP ax³ Router (192.168.31.1)
+```mermaid
+graph TB
+ subgraph Internet
+ WAN["WAN: 62.73.120.142"]
+ DNS_EXT["dns.xtrm-lab.org
DoH/DoT/DoQ"]
+ end
+
+ subgraph MikroTik["MikroTik hAP ax³ (192.168.31.1)"]
+ ROUTER["RouterOS 7.20.6"]
+ subgraph MK_Containers["Docker Containers"]
+ AGH_MK["AdGuard Home
172.17.0.5:5355
PRIMARY DNS"]
+ TS["Tailscale
172.17.0.4"]
+ end
+ end
+
+ subgraph Switch["CSS326-24G-2S+ (192.168.31.9)"]
+ SW["24-Port Managed Switch"]
+ end
+
+ subgraph AP["cAP ac (192.168.31.6)"]
+ WIFI["CAPsMAN AP"]
+ end
+
+ subgraph Unraid["Unraid Server (192.168.31.2)"]
+ subgraph Core["Core Services"]
+ TRAEFIK["Traefik
172.18.0.3"]
+ HOMARR["Homarr
172.18.0.4"]
+ end
+ subgraph Security["Security"]
+ AUTH["Authentik
172.18.0.11"]
+ VAULT["Vaultwarden
172.18.0.15"]
+ end
+ subgraph DNS_Unraid["DNS Services"]
+ AGH_UR["AdGuard Home
192.168.31.4:53
SECONDARY DNS"]
+ UNBOUND["Unbound
192.168.31.5"]
+ end
+ subgraph DevOps["DevOps"]
+ GITEA["Gitea
172.18.0.31"]
+ WOODPECKER["Woodpecker CI
172.18.0.32"]
+ end
+ subgraph Monitoring["Monitoring"]
+ UPTIME["Uptime Kuma
172.18.0.20"]
+ NETBOX["NetBox
172.24.0.5"]
+ end
+ subgraph Media["Media"]
+ PLEX["Plex"]
+ NEXTCLOUD["Nextcloud
172.18.0.24"]
+ end
+ end
+
+ subgraph LAN["LAN Devices (192.168.31.x)"]
+ CLIENTS["Clients"]
+ end
+
+ WAN --> ROUTER
+ DNS_EXT --> ROUTER
+ ROUTER --> AGH_MK
+ ROUTER --> TS
+ ROUTER --> SW
+ SW --> Unraid
+ SW --> AP
+ AP --> CLIENTS
+ SW --> CLIENTS
+ AGH_MK -.->|"Upstream DoH"| QUAD9["Quad9 DNS"]
+ AGH_UR -.->|"Upstream DoH"| QUAD9
+ CLIENTS -->|"DNS Queries"| AGH_MK
+ CLIENTS -.->|"Failover"| AGH_UR
+```
+
+---
+
+## MikroTik hAP ax³ Router (192.168.31.1)
| Parameter | Value |
|-----------|-------|
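Review bot: the metadata lines have been promoted to H2 headings (`## Document Updated: 2026-01-22`, `## Target Domain: xtrm-lab.org`), which puts two non-section entries into the document outline; the original bold `**Document Updated:**` / `**Target Domain:**` key-value lines were the right form, so keep those under the new title. The topology diagram also draws `CLIENTS -.->|"Failover"| AGH_UR` toward the Unraid instance at 192.168.31.4, but nothing on this page says how clients learn that address (a DHCP-supplied second resolver, or a static entry on each device); state that in the diagram or in the DNS section so the failover path is documented rather than assumed. Minor: `QUAD9` exists only implicitly through the two edges at the end, so it renders outside every subgraph; declare it once in the `Internet` subgraph.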
@@ -17,11 +86,7 @@
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
-| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1` |
-
-**SSH Users:**
-- `xtrm` - Primary admin user (key auth issues)
-- `unraid` - Secondary admin user (key-based from Unraid) ✓ Working
+| SSH Access | Port 2222, user: jazzymc |
**Interfaces:**
- `ether1` - WAN (62.73.120.142/23)
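Review bot: the replacement row `| SSH Access | Port 2222, user: jazzymc |` drops the detail that matters for access control: the removed text recorded that `unraid` was key-based (working) and that `xtrm` had key-auth issues, while the new row does not say whether `jazzymc` is key-only or whether password authentication is still enabled on the router. Record the auth method (and that password login is disabled, if it is), and say whether the `xtrm` and `unraid` accounts were removed from RouterOS or only from the documentation; an admin account that still exists but is no longer documented is exactly the kind that gets forgotten. Dropping the private-key path from the docs is fine.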
@@ -29,54 +94,46 @@
- `docker-bridge` - Container network (172.17.0.1/24)
- `back-to-home-vpn` - WireGuard VPN (192.168.216.1/24)
-**Running Containers on MikroTik:**
+### Running Containers on MikroTik
+
| Container | IP | Storage | Purpose |
|-----------|-----|---------|---------|
-| tailscale:latest | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client |
-| adguardhome:latest | 172.17.0.5 | usb1/agh2 | DNS sinkhole with DoH/DoT/DoQ |
+| tailscale | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client |
+| adguardhome | 172.17.0.5 | disk1/agh-root + usb1 mount | DNS with DoH/DoT/DoQ |
-**Stopped Containers:**
-| Container | Issue |
-|-----------|-------|
-| unbound:latest | exited with status 1 |
+### AdGuard Home (MikroTik) - PRIMARY DNS
-**AdGuard Home Configuration (172.17.0.5):**
| Service | Port | Protocol | Status |
|---------|------|----------|--------|
-| DNS | 5355 | UDP/TCP | Active (NAT from 53) |
+| DNS | 5355 (NAT from 53) | UDP/TCP | Active |
| Web UI | 80 | HTTP | Active |
-| DoH (DNS-over-HTTPS) | 443 | HTTPS | Active (TLS) |
-| DoT (DNS-over-TLS) | 853 | TCP | Active (TLS) |
-| DoQ (DNS-over-QUIC) | 8853 | UDP | Active (TLS) |
+| DoH | 443 | HTTPS | Active |
+| DoT | 853 | TCP | Active |
+| DoQ | 8853 | UDP | Active |
-**AdGuard Home Blocklists:**
-- StevenBlack Hosts
-- Hagezi Pro
-- Hagezi NSFW
+**Configuration:**
+- Upstream: Quad9 DoH (https://dns10.quad9.net/dns-query)
+- TLS Certificate: Let's Encrypt wildcard (\*.xtrm-lab.org)
+- Server Name: dns.xtrm-lab.org
+- Certificate Expiry: 2026-04-02
+- Credentials: jazzymc / 7RqWElENNbZnPW
-**AdGuard Home Custom Rules:**
-- ||dv-eu-prod.sentinelone.net^
-- ||euce1-soc360.sentinelone.net^
-- ||ampeco.jamfcloud.com^
-- ||*.jamfcloud.com^
+**Persistence:** root-dir on disk1 + data mount on usb1 (survives container restart)
-**TLS Certificate:** Let's Encrypt wildcard cert for `*.xtrm-lab.org`
-**Server Name:** `dns.xtrm-lab.org`
-**Certificate Expiry:** 2026-04-02
+---
-**⚠️ IMPORTANT:** Do NOT stop/restart the AdGuard Home container - MikroTik has a bug where the root directory disappears when container stops.
-
-### MikroTik CSS326-24G-2S+ Switch (192.168.31.9)
+## MikroTik CSS326-24G-2S+ Switch (192.168.31.9)
| Parameter | Value |
|-----------|-------|
| Role | Managed Layer 2 Switch |
-| Model | CSS326-24G-2S+ |
| Ports | 24x Gigabit + 2x SFP |
-| OS | SwOS (MikroTik Switch OS) |
-| Web UI | http://192.168.31.9/index.html |
+| OS | SwOS |
+| Web UI | http://192.168.31.9 |
-### MikroTik cAP ac (192.168.31.6)
+---
+
+## MikroTik cAP ac (192.168.31.6)
| Parameter | Value |
|-----------|-------|
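Review bot: `+- Credentials: jazzymc / 7RqWElENNbZnPW` commits a plaintext admin password to a docs file. Even if this repo is private on the Gitea instance listed further down, the password is now in git history on every clone, so rotate it and replace the line with a pointer to the secret store (the page already lists Vaultwarden at vault.xtrm-lab.org). The same credential guards a web UI served over plain HTTP on port 80 and, per the later section, is reused on the Unraid instance, so one leak covers both resolvers. Two smaller points in this hunk: the blocklist list (StevenBlack Hosts, Hagezi Pro, Hagezi NSFW) was deleted rather than moved, so the document no longer says what either instance actually blocks; and the `**Persistence:**` line that replaces the old "do NOT stop/restart" warning should state that a stop/start cycle has been tested (the changelog claims it has) rather than leaving the reader to infer it.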
@@ -95,152 +152,144 @@
| Network | Subnet | Purpose |
|---------|--------|---------|
+| br0 | 192.168.31.0/24 | LAN macvlan (AdGuard Home) |
| dockerproxy | 172.18.0.0/16 | Traefik-accessible services |
| netbox | 172.24.0.0/16 | NetBox stack |
-| slurpit_slurpit-network | Auto | Slurp'it stack |
-| br0 | 192.168.31.0/24 | LAN macvlan |
| bridge | 172.17.0.0/16 | Default Docker bridge |
-| host | - | Host network stack |
### Key Services
-| Service | Container | Static IP | External URL |
-|---------|-----------|-----------|--------------|
-| **Core Infrastructure** |
+| Service | Container | IP | External URL |
+|---------|-----------|---|--------------|
+| **Core** ||||
| Reverse Proxy | traefik | 172.18.0.3 | traefik.xtrm-lab.org |
-| Docker Socket | dockersocket | 172.18.0.2 | - |
| Dashboard | homarr | 172.18.0.4 | xtrm-lab.org |
-| **Security** |
+| **Security** ||||
| Identity Provider | authentik | 172.18.0.11 | auth.xtrm-lab.org |
-| Authentik Worker | authentik-worker | 172.18.0.12 | - |
| Password Manager | vaultwarden | 172.18.0.15 | vault.xtrm-lab.org |
-| **Databases** |
-| PostgreSQL | postgresql17 | 172.18.0.13 | - |
-| Redis | Redis | 172.18.0.14 | - |
-| **DNS (Unraid - Secondary)** |
-| Pi-hole (Unraid) | binhex-official-pihole | 192.168.31.4 | ph1.xtrm-lab.org |
-| Unbound (Unraid) | unbound | 192.168.31.5 | - |
-| DoH Server | DoH-Server | 172.18.0.22 | doh.xtrm-lab.org |
-| nebula-sync | nebula-sync | - | ⚠️ Crash-looping (incompatible with AdGuard) |
-| **DevOps** |
+| **DNS** ||||
+| AdGuard Home | adguardhome | 192.168.31.4 | - |
+| Unbound | unbound | 192.168.31.5 | - |
+| **DevOps** ||||
| Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org |
-| CI/CD Agent | woodpecker-agent | 172.18.0.33 | - |
-| **Network Management** |
-| NetBox | netbox | 172.24.0.5 | netbox.xtrm-lab.org |
-| NetDisco Web | netdisco-web | 172.18.0.41 | netdisco.xtrm-lab.org |
-| Unimus | unimus | host | unimus.xtrm-lab.org |
-| **Monitoring** |
+| **Monitoring** ||||
| Uptime Kuma | UptimeKuma | 172.18.0.20 | uptime.xtrm-lab.org |
-| NetAlertX | NetAlertX | host | netalert.xtrm-lab.org |
-| Speedtest Tracker | speedtest-tracker | 172.18.0.21 | speedtest.xtrm-lab.org |
-| **Media & Storage** |
+| NetBox | netbox | 172.24.0.5 | netbox.xtrm-lab.org |
+| **Media** ||||
| Plex | plex | host | plex.xtrm-lab.org |
| Nextcloud | Nextcloud | 172.18.0.24 | nextcloud.xtrm-lab.org |
-| **Remote Access** |
-| RustDesk ID | rustdesk-hbbs | bridge | rustdesk.xtrm-lab.org |
-| RustDesk Relay | rustdesk-hbbr | bridge | - |
+| **Remote Access** ||||
+| RustDesk | rustdesk-hbbs/hbbr | bridge | rustdesk.xtrm-lab.org |
+
+### AdGuard Home (Unraid) - SECONDARY DNS
+
+| Setting | Value |
+|---------|-------|
+| IP Address | 192.168.31.4 |
+| Network | br0 (macvlan) |
+| Web UI | http://192.168.31.4:3000 |
+| DNS | 192.168.31.4:53 |
+| DoT | 192.168.31.4:853 |
+| Credentials | jazzymc / 7RqWElENNbZnPW |
+
+**Configuration (synced with MikroTik):**
+- Upstream: Quad9 DoH
+- TLS Certificate: Let's Encrypt wildcard
+- 6 Clients configured
+- Custom filtering rules (SentinelOne, Jamf)
+
+**Data Location:** /mnt/user/appdata/adguardhome/
+
+**Stopped Services:**
+- binhex-official-pihole (replaced by AdGuard Home)
+- nebula-sync (incompatible with AdGuard Home)
---
## DNS Architecture
-```
- ┌─────────────────────────────────────┐
- │ Internet │
- │ (DoH/DoT/DoQ: dns.xtrm-lab.org) │
- └───────────────┬─────────────────────┘
- │
- ┌───────────────▼─────────────────────┐
- │ MikroTik hAP ax³ (192.168.31.1) │
- │ Ports: 443(DoH), 853(DoT), │
- │ 8853(DoQ), 53→5355(DNS) │
- └───────────────┬─────────────────────┘
- │
- ┌────────────────────────┼────────────────────────┐
- │ │ │
- ▼ ▼ ▼
-┌──────────────────────┐ ┌──────────────────┐ ┌──────────────────┐
-│ AdGuard Home │ │ Unraid Server │ │ LAN Devices │
-│ 172.17.0.5:5355 │ │ 192.168.31.2 │ │ 192.168.31.x │
-│ PRIMARY DNS │ │ │ │ │
-│ DoH/DoT/DoQ Server │ └────────┬─────────┘ └──────────────────┘
-└──────────────────────┘ │
- ▼
- ┌──────────────────┐
- │ Pi-hole (Unraid) │
- │ 192.168.31.4 │
- │ SECONDARY DNS │
- └────────┬─────────┘
- │
- ▼
- ┌──────────────────┐
- │ Unbound (Unraid) │
- │ 192.168.31.5 │
- │ Recursive DNS │
- └──────────────────┘
+```mermaid
+flowchart TB
+ subgraph External["External Access"]
+ DOH["DoH: https://dns.xtrm-lab.org/dns-query"]
+ DOT["DoT: tls://dns.xtrm-lab.org:853"]
+ DOQ["DoQ: quic://dns.xtrm-lab.org:8853"]
+ end
+
+ subgraph MikroTik["MikroTik Router"]
+ NAT["NAT: 53 → 5355"]
+ AGH1["AdGuard Home
172.17.0.5:5355
PRIMARY"]
+ end
+
+ subgraph Unraid["Unraid Server"]
+ AGH2["AdGuard Home
192.168.31.4:53
SECONDARY"]
+ end
+
+ subgraph Upstream["Upstream DNS"]
+ Q9["Quad9 DoH
dns10.quad9.net"]
+ end
+
+ subgraph Clients["LAN Clients"]
+ C1["IPhone Dancho"]
+ C2["IPhone Kimi"]
+ C3["Laptop Dari"]
+ C4["Laptop Kimi"]
+ C5["PC Dancho"]
+ C6["ROG Ally Teodor"]
+ end
+
+ External --> MikroTik
+ Clients -->|"Primary"| NAT
+ NAT --> AGH1
+ Clients -.->|"Failover"| AGH2
+ AGH1 --> Q9
+ AGH2 --> Q9
```
-**Encrypted DNS Endpoints (MikroTik AdGuard Home):**
-- **DoH:** `https://dns.xtrm-lab.org/dns-query`
-- **DoT:** `tls://dns.xtrm-lab.org:853`
-- **DoQ:** `quic://dns.xtrm-lab.org:8853`
+---
-**Note:** Pi-hole on Unraid serves as secondary/backup. nebula-sync is disabled (incompatible with AdGuard Home).
+## Configured Clients (Both AdGuard Instances)
+
+| Client | MAC Address | Tags |
+|--------|-------------|------|
+| IPhone (Dancho) | f2:b8:14:61:c8:27 | - |
+| IPhone (Kimi) | 2a:2b:ba:86:d4:af | user_child |
+| Laptop (Dari) | 34:f6:4b:b3:14:83 | user_child |
+| Laptop (Kimi) | 90:91:64:70:0d:86 | user_child |
+| PC (Dancho) | 70:85:c2:75:64:e5 | - |
+| ROG Ally (Teodor) | cc:5e:f8:d3:37:d3 | user_child |
---
-## Current NAT/Port Forwarding (MikroTik)
+## Custom Filtering Rules
-| Rule | Protocol | Src/Dst Port | Destination | Purpose |
-|------|----------|--------------|-------------|---------|
-| Forward HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik HTTP |
-| Forward HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik HTTPS |
-| Force DNS to AdGuard | UDP | 53→5355 | 172.17.0.5 | LAN DNS redirect |
-| Force DNS TCP | TCP | 53→5355 | 172.17.0.5 | LAN DNS redirect |
-| AdGuard Web UI | TCP | 80 | 172.17.0.5:80 | Internal web access |
-| DoT | TCP | 853 | 172.17.0.5:853 | DNS over TLS |
-| DoH (internal) | TCP | 443 | 172.17.0.5:443 | DNS over HTTPS |
-| Plex | TCP | 32400 | 192.168.31.2:32400 | Plex Media Server |
-| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk Server |
+```
+||dv-eu-prod.sentinelone.net^
+||euce1-soc360.sentinelone.net^
+||ampeco.jamfcloud.com^
+||*.jamfcloud.com^
+```
---
-## Traefik Configuration
+## NAT/Port Forwarding (MikroTik)
-**Entry Points:**
-- HTTP (:80) → Redirects to HTTPS
-- HTTPS (:443)
-
-**Certificate Resolver:** Cloudflare DNS Challenge
-
-**TLS Certificates Location:** `/mnt/user/appdata/traefik/certs/`
-- `xtrm-lab.org.crt` - Wildcard certificate chain
-- `xtrm-lab.org.key` - Private key
-
----
-
-## Migration Data
-
-**AdGuard Migration Config:** `/mnt/user/appdata/adguard-migration.json`
-
-Contains blocklists, custom rules, and client configurations for applying to new AdGuard Home instances.
-
----
-
-## Backup & Cloud Sync
-
-### Flash Backup Script
-
-- **Script Path:** /boot/config/plugins/user.scripts/scripts/flash-backup/script
-- **Schedule:** 0 3 * * * (Daily at 3:00 AM)
-- **Retention:** 7 days
-- **Cloud Sync:** drive:Backups/unraid-flash
+| Rule | Protocol | Port | Destination | Purpose |
+|------|----------|------|-------------|---------|
+| HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik |
+| HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik |
+| DNS UDP | UDP | 53→5355 | 172.17.0.5 | AdGuard Home |
+| DNS TCP | TCP | 53→5355 | 172.17.0.5 | AdGuard Home |
+| DoT | TCP | 853 | 172.17.0.5 | DNS over TLS |
+| DoQ | UDP | 8853 | 172.17.0.5 | DNS over QUIC |
+| Plex | TCP | 32400 | 192.168.31.2 | Plex Media |
+| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk |
---
## Reference Documents
-- [Phase 1: Global DNS Portability](./01-PHASE1-DNS-PORTABILITY.md)
+- [Phase 1: DNS Portability](./01-PHASE1-DNS-PORTABILITY.md)
- [Phase 7: Gitea GitOps](./08-PHASE7-GITEA-GITOPS.md)
-- [Container IP Assignments](./13-CONTAINER-IP-ASSIGNMENTS.md)
+- [Changelog](./06-CHANGELOG.md)
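Review bot: the NAT rows `| DNS UDP | UDP | 53→5355 | 172.17.0.5 | AdGuard Home |` and `| DNS TCP | TCP | 53→5355 | 172.17.0.5 | AdGuard Home |` replace rows that were described as `Force DNS to AdGuard` / `LAN DNS redirect`; if those rules still match every outbound destination-port-53 packet from the LAN, the `Failover` edge to 192.168.31.4 in the DNS diagram cannot happen (the query is rewritten to 172.17.0.5 before it reaches the Unraid instance) and the diagram is misleading. Say whether the dst-nat is scoped to the router's own address or to all LAN traffic, and keep the "force" wording if it is the latter. Same hunk, same issue as the MikroTik section: `| Credentials | jazzymc / 7RqWElENNbZnPW |` repeats the plaintext password, here for a web UI on `http://192.168.31.4:3000` with no TLS; it should go, and the secondary should get its own password. Separately, the rows for `dockersocket`, `authentik-worker`, `postgresql17`, `Redis`, `woodpecker-agent`, `DoH-Server`, NetDisco, Unimus, NetAlertX and Speedtest Tracker, the Traefik configuration block (cert resolver, cert paths) and the flash-backup script/schedule are all deleted from a document titled "Current State" with no note saying whether the services were removed or merely undocumented, and the link to `13-CONTAINER-IP-ASSIGNMENTS.md` is dropped at the same time, so this table becomes the only IP record; either keep those rows or add a one-line pointer to where they now live. The client table also publishes per-person device names and MAC addresses; acceptable for a home lab, but worth a conscious decision before it lands in a git remote.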
diff --git a/docs/06-CHANGELOG.md b/docs/06-CHANGELOG.md
index 2d874a8..357dc01 100644
--- a/docs/06-CHANGELOG.md
+++ b/docs/06-CHANGELOG.md
@@ -3,6 +3,31 @@
### Pi-hole Removal from MikroTik
- [CONTAINER] Removed Pi-hole container from MikroTik
- [STORAGE] Freed internal flash storage
+## 2026-01-22 - AdGuard Home Migration Complete
+
+### MikroTik AdGuard Home - Persistence Fix
+- [CONTAINER] Fixed container persistence issue (root-dir on disk1, data on usb1)
+- [CONFIG] Container now survives stop/start cycles
+- [MOUNT] agh-work mount: usb1/adguard-home/work → /opt/adguardhome/work
+
+### Unraid AdGuard Home - Replaces Pi-hole
+- [CONTAINER] Deployed AdGuard Home on br0 macvlan network
+- [IP] 192.168.31.4 (same IP as Pi-hole was using)
+- [STOPPED] binhex-official-pihole container stopped (not removed)
+- [CONFIG] Same credentials and rules as MikroTik instance
+
+### Configuration Sync (Both Instances)
+- [DNS] Upstream: Quad9 DoH (dns10.quad9.net)
+- [TLS] Let's Encrypt wildcard cert for *.xtrm-lab.org
+- [CLIENTS] 6 clients configured with MAC addresses
+- [RULES] Custom filtering rules for SentinelOne, Jamf
+
+### Documentation
+- [DOCS] Updated 00-CURRENT-STATE.md with Mermaid diagrams
+- [DIAGRAM] Added network topology and DNS architecture diagrams
+
+---
+
- [CLEANUP] Removed Pi-hole mounts, envs, and data
### AdGuard Home Installation (Multiple Attempts)
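Review bot: the new `## 2026-01-22 - AdGuard Home Migration Complete` block is inserted inside the existing `### Pi-hole Removal from MikroTik` entry, between `- [STORAGE] Freed internal flash storage` and `- [CLEANUP] Removed Pi-hole mounts, envs, and data`, so the older entry's bullet list is split and its last bullet now reads as part of the new entry. Move the whole block to where a new dated entry belongs (above the `### Pi-hole Removal from MikroTik` heading if entries run newest first) so the context lines of this hunk stay contiguous. Also, `- [CONFIG] Same credentials and rules as MikroTik instance` records deliberate credential reuse between the two resolvers; if that is intended, say so, otherwise give the Unraid instance its own admin password and log the rotation here.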