Major documentation restructure - consolidated docs
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful

New Structure:
- 01-NETWORK-MAP.md - Network topology, IPs, Docker networks, services
- 02-SERVICES-CRITICAL.md - DNS, Auth, Routing (P0/P1 services)
- 03-SERVICES-OTHER.md - All non-critical services
- 04-HARDWARE-INVENTORY.md - Physical devices and specs
- 05-CHANGELOG.md - Major events only

New Folders:
- docs/archive/ - Legacy docs (read-only reference)
- docs/wip/ - Planned changes and ideas
  - UPGRADE-2026-HARDWARE.md - N5 Air + N100 migration plan
  - GITOPS-CONTAINERS.md - Phase 2 container GitOps

Changes:
- Moved all 22 legacy docs to archive/
- Consolidated container IPs, physical map, and services into single network map
- Extracted critical vs non-critical service classification
- Simplified changelog to major events only

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-25 11:17:33 +02:00
parent ed17dea2d6
commit b250493d5a
31 changed files with 1585 additions and 23 deletions

@@ -0,0 +1,57 @@
# Changelog
## 2026-01-19 (NetBox Deployment)
- [SERVICE] NetBox DCIM/IPAM deployed - netbox.xtrm-lab.org - COMPLETED
- [SERVICE] netbox-postgres: PostgreSQL 16 Alpine, dedicated database
- [SERVICE] netbox-redis: Redis 7 Alpine, background tasks
- [SERVICE] netbox-redis-cache: Redis 7 Alpine, caching
- [SERVICE] netbox-worker: RQ worker for background jobs
- [SERVICE] netbox-housekeeping: Daily housekeeping tasks
- [NETWORK] Created dedicated 'netbox' Docker network (172.24.0.0/16)
- [TRAEFIK] Added route for netbox.xtrm-lab.org with Authentik forward-auth
- [DNS] DNS record for netbox.xtrm-lab.org pre-configured
- [CREDS] Admin user: admin / M0stW4nt3d@xtrm
## 2026-01-18
- [PHASE 1] DNS Portability - COMPLETED
- Added DoH route to Traefik dynamic.yml (doh.xtrm-lab.org)
- Verified DoH endpoint working with ad-blocking
- Updated verification checklist - all items complete
- Fixed hostname in docs: dns.xtrm-lab.org → doh.xtrm-lab.org
- Updated nebula-sync status: unhealthy → healthy
- [SERVICE] DoH-Server: Now routed via Traefik at doh.xtrm-lab.org
- [SERVICE] stunnel-dot: Confirmed running for DoT on port 853
- [ISSUE] Certificate renewal failing - Cloudflare API token needs Zone:DNS:Edit permission (certs expire Feb 11, 2026)
- [PHASE 1] DNS Redundancy verified:
- 2x Pi-hole: MikroTik (172.17.0.2) + Unraid (192.168.31.4)
- 2x Unbound: MikroTik (172.17.0.3) + Unraid (192.168.31.5)
- nebula-sync: Healthy, syncing every 5 minutes
- NAT rules: Properly configured for failover
- Added DNS Redundancy Architecture section to Phase 1 doc
- [DOC] Rewrote 01-PHASE1-DNS-PORTABILITY.md - removed implementation guides, kept only current state
## 2026-01-18
- [INFRA] Updated static IP proposal: dockersocket→172.18.0.2, traefik→172.18.0.3, vaultwarden→172.18.0.15
- [INFRA] Static IP assignment for critical services - COMPLETED
## 2026-01-18 (Phase 7 Deployment)
- [PHASE 7] Gitea deployed - git.xtrm-lab.org - COMPLETED
- [PHASE 7] Woodpecker CI Server deployed - ci.xtrm-lab.org - COMPLETED
- [PHASE 7] Woodpecker CI Agent deployed and connected - COMPLETED
- [SERVICE] gitea: PostgreSQL database (gitea_db) created
- [SERVICE] woodpecker-server: Port 8008, OAuth via Gitea
- [SERVICE] woodpecker-agent: Connected to server, 2 parallel workflows
- [DNS] Added git.xtrm-lab.org and ci.xtrm-lab.org A records
## 2026-01-18 (Woodpecker Update)
- [PHASE 7] Woodpecker Server updated to v3.13.0
- [PHASE 7] Woodpecker Agent updated to v3.13.0
- [SERVICE] Fixed SQLite database permissions for migration
- [CI] First pipeline test successful (infrastructure repo)
## 2026-01-18 (Documentation Migration)
- [DOCS] Infrastructure documentation migrated to Git (git.xtrm-lab.org/jazzymc/infrastructure)
- [DOCS] Updated local CLAUDE.md to point to Git repo
- [DOCS] Updated Unraid CLAUDE.md to point to Git repo
- [PHASE 7] Phase 7 fully completed - GitOps workflow operational
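Review bot: the `[CREDS] Admin user: admin / M0stW4nt3d@xtrm` line in the 2026-01-19 entry commits a live administrative password for netbox.xtrm-lab.org into version-controlled documentation; the line should be dropped and the password rotated, because git history keeps it even after a later edit, and the changelog can point to the secret store instead (Vaultwarden is already part of this stack per the network map in this commit). Secondary point: three headings read `## 2026-01-18` with no qualifier, which makes the order of same-day entries ambiguous; suffix each with its topic the way the "(Phase 7 Deployment)" and "(Woodpecker Update)" headings already do.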

@@ -0,0 +1,306 @@
# Infrastructure Current State: xtrm-lab.org
## Document Updated: 2026-01-23
## Target Domain: xtrm-lab.org
---
## Network Topology Diagram
```mermaid
graph TB
subgraph Internet
WAN["WAN: 62.73.120.142"]
end
subgraph MikroTik["MikroTik hAP ax³ (192.168.31.1)"]
ROUTER["RouterOS 7.20.6"]
subgraph MK_Containers["Docker Containers"]
AGH_MK["AdGuard Home<br/>172.17.0.5:5355<br/>dns.xtrm-lab.org"]
TS["Tailscale<br/>172.17.0.4"]
end
end
subgraph Switch["CSS326-24G-2S+ (192.168.31.9)"]
SW["24-Port Managed Switch"]
end
subgraph AP["cAP ac (192.168.31.6)"]
WIFI["CAPsMAN AP"]
end
subgraph Unraid["Unraid Server (192.168.31.2)"]
subgraph SharedServices["Shared Services"]
POSTGRES["PostgreSQL 17<br/>172.18.0.13"]
REDIS["Redis<br/>172.18.0.14"]
end
subgraph Core["Core Services"]
TRAEFIK["Traefik<br/>172.18.0.3"]
HOMARR["Homarr<br/>172.18.0.4"]
end
subgraph Security["Security"]
AUTH["Authentik<br/>172.18.0.11"]
VAULT["Vaultwarden<br/>172.18.0.15"]
end
subgraph DNS_Unraid["DNS Services"]
AGH_UR["AdGuard Home<br/>192.168.31.4<br/>dns2.xtrm-lab.org"]
end
subgraph DevOps["DevOps"]
GITEA["Gitea<br/>172.18.0.31"]
WOODPECKER["Woodpecker CI<br/>172.18.0.32"]
end
subgraph NetBoxStack["Network Inventory"]
NETBOX["NetBox<br/>172.18.0.61"]
DIODE["Diode Stack<br/>172.18.0.70-74"]
NETDISCO["NetDisco<br/>172.18.0.41-42"]
end
end
WAN --> ROUTER
ROUTER --> AGH_MK
ROUTER --> SW
SW --> Unraid
SW --> AP
AGH_MK -.->|sync| AGH_UR
```
---
## Service Architecture Diagram
```mermaid
flowchart TB
subgraph SharedServices["Shared Infrastructure"]
PG[("PostgreSQL 17<br/>172.18.0.13")]
RD[("Redis<br/>172.18.0.14")]
end
subgraph NetBoxStack["Network Inventory Stack"]
NB["NetBox<br/>172.18.0.61"]
NBW["NetBox Worker<br/>172.18.0.62"]
NBC[("Redis Cache<br/>172.18.0.64")]
subgraph Diode["Diode Discovery"]
DI["Ingress<br/>172.18.0.70"]
DIN["Ingester<br/>172.18.0.71"]
DRE["Reconciler<br/>172.18.0.72"]
DHY["Hydra<br/>172.18.0.73"]
DAU["Auth<br/>172.18.0.74"]
DAG["Agent<br/>host network"]
end
subgraph NetDisco["NetDisco"]
NDW["Web<br/>172.18.0.41"]
NDB["Backend<br/>172.18.0.42"]
end
end
subgraph DevOps["DevOps Stack"]
GIT["Gitea<br/>172.18.0.31"]
WPS["Woodpecker Server<br/>172.18.0.32"]
WPA["Woodpecker Agent<br/>172.18.0.33"]
end
PG --> NB
PG --> GIT
PG --> NDW
PG --> DRE
PG --> DHY
RD --> DIN
RD --> DRE
RD --> NBW
NBC --> NB
DAG -->|gRPC| DI
DI --> DIN
DIN --> RD
DRE --> NB
NDB --> NDW
```
---
## DNS Architecture
```mermaid
flowchart TB
subgraph External["External Access"]
DOH1["DoH: dns.xtrm-lab.org"]
DOT1["DoT: dns.xtrm-lab.org:853"]
DOH2["DoH: dns2.xtrm-lab.org"]
DOT2["DoT: dns2.xtrm-lab.org:853"]
end
subgraph MikroTik["MikroTik Router"]
NAT["NAT: 53 → 5355"]
AGH1["AdGuard Home<br/>PRIMARY"]
end
subgraph Unraid["Unraid Server"]
AGH2["AdGuard Home<br/>SECONDARY"]
end
subgraph Sync["Configuration Sync"]
AGHSYNC["adguardhome-sync<br/>Every 30 min"]
end
subgraph Upstream["Upstream DNS"]
Q9["Quad9 DoH"]
end
DOH1 --> AGH1
DOT1 --> AGH1
DOH2 --> AGH2
DOT2 --> AGH2
NAT --> AGH1
AGH1 --> Q9
AGH2 --> Q9
AGH1 <-.->|sync| AGHSYNC
AGHSYNC <-.->|sync| AGH2
```
---
## Container Summary
### Shared Services
| Container | IP | Purpose | Consumers |
|-----------|-----|---------|-----------|
| postgresql17 | 172.18.0.13 | PostgreSQL 17 | NetBox, Gitea, NetDisco, Authentik, Diode |
| Redis | 172.18.0.14 | Redis Queue | Diode, NetBox Worker |
### Network Inventory (NetBox & Discovery)
| Container | IP | Purpose |
|-----------|-----|---------|
| netbox | 172.18.0.61 | Web UI |
| netbox-worker | 172.18.0.62 | Background tasks |
| netbox-redis-cache | 172.18.0.64 | Query cache |
| diode-ingress | 172.18.0.70 | API Gateway (nginx) |
| diode-ingester | 172.18.0.71 | Data ingestion |
| diode-reconciler | 172.18.0.72 | NetBox sync |
| diode-hydra | 172.18.0.73 | OAuth2 (Ory Hydra) |
| diode-auth | 172.18.0.74 | Token service |
| diode-agent | host | Network scanner |
| netdisco-web | 172.18.0.41 | Web UI |
| netdisco-backend | 172.18.0.42 | SNMP poller |
### Infrastructure
| Container | IP | Purpose |
|-----------|-----|---------|
| traefik | 172.18.0.3 | Reverse proxy |
| dockersocket | - | Docker socket proxy |
| adguardhome | 192.168.31.4 | DNS (Secondary) |
| adguardhome-sync | 172.18.0.65 | Config sync |
### DevOps
| Container | IP | Purpose |
|-----------|-----|---------|
| gitea | 172.18.0.31 | Git hosting |
| woodpecker-server | 172.18.0.32 | CI/CD server |
| woodpecker-agent | 172.18.0.33 | CI/CD agent |
### Security
| Container | IP | Purpose |
|-----------|-----|---------|
| authentik | 172.18.0.11 | Identity provider |
| authentik-worker | - | Background tasks |
| vaultwarden | 172.18.0.15 | Password manager |
### Monitoring
| Container | IP | Purpose |
|-----------|-----|---------|
| UptimeKuma | 172.18.0.20 | Uptime monitoring |
| Uptime-Kuma-API | 172.18.0.18 | REST API |
| AutoKuma | 172.18.0.19 | Auto-monitor creation |
| NetAlertX | - | Network alerting |
| speedtest-tracker | - | Speed tests |
---
## RAM Usage (as of 2026-01-23)
**Total: 15GB | Used: 12GB (80%) | Available: 2.7GB**
| Container | RAM | % |
|-----------|-----|---|
| unimus | 1.62 GB | 10.5% |
| karakeep | 664 MB | 4.2% |
| netdisco-web | 534 MB | 3.4% |
| n8n | 293 MB | 1.9% |
| netdisco-backend | 281 MB | 1.8% |
| netbox-worker | 230 MB | 1.5% |
| plex | 161 MB | 1.0% |
| postgresql17 | 136 MB | 0.9% |
| All others | <130 MB each | <1% |
---
## Removed Services (2026-01-23)
The following services were removed as redundant (AdGuard Home provides DoH/DoT natively):
| Service | Reason |
|---------|--------|
| Unbound | AdGuard uses upstream DoH directly |
| DoH-Server | AdGuard has built-in DoH |
| stunnel-dot | AdGuard has built-in DoT |
| Pangolin | Not in use |
---
## External URLs
| Service | URL |
|---------|-----|
| Dashboard | https://xtrm-lab.org |
| Traefik | https://traefik.xtrm-lab.org |
| Authentik | https://auth.xtrm-lab.org |
| Gitea | https://git.xtrm-lab.org |
| Woodpecker CI | https://ci.xtrm-lab.org |
| NetBox | https://netbox.xtrm-lab.org |
| NetDisco | https://netdisco.xtrm-lab.org |
| Uptime Kuma | https://uptime.xtrm-lab.org |
| Plex | https://plex.xtrm-lab.org |
| Nextcloud | https://cloud.xtrm-lab.org |
| Vaultwarden | https://vault.xtrm-lab.org |
| DNS (Primary) | dns.xtrm-lab.org (MikroTik) |
| DNS (Secondary) | dns2.xtrm-lab.org (Unraid) |
---
## FolderView2 Categories
| Category | Containers |
|----------|------------|
| Infrastructure | traefik, dockersocket, adguardhome, adguardhome-sync |
| Security | authentik, authentik-worker, vaultwarden |
| Monitoring | UptimeKuma, Uptime-Kuma-API, AutoKuma, NetAlertX, speedtest-tracker |
| DevOps | gitea, woodpecker-server, woodpecker-agent, postgresql17, Redis |
| Media | plex, Libation, transmission |
| Storage/Backup | rustfs, UrBackup, TimeMachine, Nextcloud |
| Productivity | actual-budget, n8n, karakeep, homarr |
| Smart Home | HomeAssistant_inabox |
| Remote Access | rustdesk-hbbs, rustdesk-hbbr |
| Management | portainer, unimus |
| Network Inventory | netbox, netbox-worker, netbox-redis-cache, diode-*, netdisco-* |
---
## NetBox Plugins (2026-01-25)
| Plugin | Purpose | Status |
|--------|---------|--------|
| netbox_diode_plugin | Diode network discovery integration | ✅ Active |
| nextbox_ui_plugin | Network topology visualization | ✅ Active |
| netbox_dns | DNS zone and record management | ✅ Active |
| netbox_inventory | Asset/inventory management | ✅ Active |
| netbox_interface_synchronization | Interface sync between devices | ✅ Active |
| netbox_routing | Routing protocol management (BGP, OSPF) | ✅ Active |
**Topology View:** https://netbox.xtrm-lab.org/plugins/nextbox-ui/topology/
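Review bot: the Container Summary and the Service Architecture diagram disagree on who depends on the shared datastores: the `postgresql17` row lists Authentik among its consumers, but the diagram draws no `PG -->` edge to it and omits Authentik and Vaultwarden entirely, so the diagram undersells the blast radius of a PostgreSQL outage; add the missing edges (or a note that the Security stack is intentionally left out). Two smaller items: the header says `Document Updated: 2026-01-23` while the NetBox Plugins section is dated 2026-01-25, and the External URLs table would be more useful as an exposure inventory if it carried a column stating which routes sit behind the Authentik forward-auth middleware documented in the Phase 3 file of this same commit.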

@@ -0,0 +1,208 @@
# Phase 1: Global DNS Portability
## Status: ✅ COMPLETED (2026-01-18)
Pi-hole ad-blocking works on all devices via Tailscale MagicDNS and DoH/DoT endpoints.
---
## Tailscale Configuration
| Parameter | Value |
|-----------|-------|
| Unraid Tailscale IP | 100.100.208.70 |
| Hostname | xtrm-unraid |
| Subnet Route | 192.168.31.0/24 (advertised & approved) |
| Global DNS | Pi-hole via MagicDNS |
| Override Local DNS | Enabled |
### Connected Devices
| Device | Tailscale IP | Status |
|--------|--------------|--------|
| xtrm-unraid | 100.100.208.70 | Online |
| kaloyans-macbook-air | 100.68.118.59 | Active |
| mikrotik-tailscale-1 | 100.75.93.123 | Online |
| samsung-sm-s938b | 100.111.64.56 | Offline |
---
## DNS Services
### Pi-hole Instances
| Instance | Location | IP | Web UI | Status |
|----------|----------|-----|--------|--------|
| Primary | MikroTik Container | 172.17.0.2 | ph2.xtrm-lab.org | ✅ Running |
| Secondary | Unraid (macvlan br0) | 192.168.31.4 | ph1.xtrm-lab.org | ✅ Running |
**Sync:** nebula-sync (healthy) syncs Unraid → MikroTik every 5 minutes
### Unbound Instances (Recursive DNS)
| Instance | Location | IP | Status |
|----------|----------|-----|--------|
| Primary | MikroTik Container | 172.17.0.3 | ✅ Running |
| Secondary | Unraid (macvlan br0) | 192.168.31.5 | ✅ Running |
### Pi-hole Upstream Configuration
**Unraid Pi-hole (192.168.31.4):**
```
upstreams = ["172.17.0.3#53", "192.168.31.5#53"]
```
---
## DoH Endpoint (DNS over HTTPS)
| Parameter | Value |
|-----------|-------|
| URL | `https://doh.xtrm-lab.org/dns-query` |
| Container | DoH-Server (ghcr.io/ich777/doh-server) |
| Listen Port | 8053 |
| Upstream DNS | udp:192.168.31.1:53 |
| Network | dockerproxy |
**Traefik Route (dynamic.yml):**
```yaml
doh-secure:
rule: "Host(`doh.xtrm-lab.org`)"
entryPoints: [https]
tls:
certResolver: cloudflare
service: doh # → http://DoH-Server:8053
```
**Test:**
```bash
curl -H 'accept: application/dns-json' 'https://doh.xtrm-lab.org/dns-query?name=google.com&type=A'
```
---
## DoT Endpoint (DNS over TLS)
| Parameter | Value |
|-----------|-------|
| Hostname | doh.xtrm-lab.org:853 |
| Container | stunnel-dot (dweomer/stunnel) |
| Accept Port | 853 |
| Forward To | 192.168.31.4:53 (Unraid Pi-hole) |
**MikroTik NAT:** WAN:853 → 192.168.31.2:853
**Android Private DNS:** Settings → Private DNS → `doh.xtrm-lab.org`
---
## DNS Architecture
```
┌─────────────────────────────────────┐
│ External Clients │
└──────────────┬──────────────────────┘
┌─────────────────────────┼─────────────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Tailscale │ │ DoH │ │ DoT │
│ MagicDNS │ │ doh.xtrm-lab.org│ │ :853 │
│ 100.100.100.100 │ │ (Traefik→DoH) │ │ (stunnel) │
└────────┬────────┘ └────────┬────────┘ └────────┬────────┘
│ │ │
└────────────────────────┼────────────────────────┘
┌─────────────────────────────────────────────────────────────────────┐
│ LAN (192.168.31.0/24) │
│ │
│ ┌─────────────────────────┐ ┌─────────────────────────┐ │
│ │ MikroTik Pi-hole │ │ Unraid Pi-hole │ │
│ │ 172.17.0.2 │ │ 192.168.31.4 │ │
│ │ (NAT forced for LAN) │ │ (Direct access allowed) │ │
│ └───────────┬─────────────┘ └───────────┬─────────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────────────────┐ ┌─────────────────────────┐ │
│ │ MikroTik Unbound │ │ Unraid Unbound │ │
│ │ 172.17.0.3 (recursive) │ │ 192.168.31.5 (recursive)│ │
│ └─────────────────────────┘ └─────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────┘
```
---
## DHCP DNS Servers (MikroTik)
| Priority | Server | Notes |
|----------|--------|-------|
| Primary | 192.168.31.1 | MikroTik (NAT forces to Pi-hole 172.17.0.2) |
| Secondary | 192.168.31.4 | Unraid Pi-hole (direct, for failover) |
---
## MikroTik DNS NAT Rules
| Rule | Action | Description |
|------|--------|-------------|
| 3 | ACCEPT | Traffic TO 192.168.31.4:53 (allows Unraid Pi-hole) |
| 7 | DST-NAT | Force LAN DNS to 172.17.0.2 (MikroTik Pi-hole) |
| 21 | DST-NAT | DoT WAN:853 → 192.168.31.2:853 |
---
## Failover Behavior
| Scenario | Behavior |
|----------|----------|
| MikroTik Pi-hole down | Clients use secondary DNS (192.168.31.4) |
| MikroTik Unbound down | Pi-holes use Unraid Unbound (192.168.31.5) |
| Unraid down | MikroTik services continue independently |
---
## Client Configuration
### macOS (DoH)
- Firefox/Chrome: Settings → Security → Custom DNS → `https://doh.xtrm-lab.org/dns-query`
- System-wide: Install DNS profile with DoH URL
### Android (DoT)
- Settings → Network → Private DNS → `doh.xtrm-lab.org`
### Tailscale Clients
- Automatic via MagicDNS (no configuration needed)
---
## Verification Commands
```bash
# Test DoH endpoint
curl -H 'accept: application/dns-json' 'https://doh.xtrm-lab.org/dns-query?name=google.com&type=A'
# Test ad-blocking via DoH
curl -H 'accept: application/dns-json' 'https://doh.xtrm-lab.org/dns-query?name=ads.google.com&type=A'
# Expected: 0.0.0.0
# Test Pi-holes directly
dig +short google.com @172.17.0.2 # MikroTik Pi-hole
dig +short google.com @192.168.31.4 # Unraid Pi-hole
# Test Unbound directly
dig +short google.com @172.17.0.3 # MikroTik Unbound
dig +short google.com @192.168.31.5 # Unraid Unbound
# Check Tailscale ad-blocking
dig +short ads.google.com @100.100.100.100
# Expected: 0.0.0.0
```
---
## Known Issues
| Issue | Status | Notes |
|-------|--------|-------|
| Certificate renewal failing | ⚠️ Open | Cloudflare API token needs Zone:DNS:Edit permission. Certs expire Feb 11, 2026. |
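Review bot: the `Status: ✅ COMPLETED` line conflicts with the Known Issues row: the open certificate-renewal failure affects both endpoints this document delivers, the DoH route (Traefik `certResolver: cloudflare`) and the DoT listener on 853, so after Feb 11, 2026 the external DNS paths described here stop working; the status should read "completed, open issue" and the Cloudflare token permission fix belongs in the critical-services doc rather than a footnote. Also, in Verification Commands the `# Expected: 0.0.0.0` comment follows a `curl ... accept: application/dns-json` call, whose response is a JSON document rather than a bare address; either pipe it through `jq '.Answer[].data'` or reword the comment to "expected answer data: 0.0.0.0". Finally, this file still describes Pi-hole, Unbound, DoH-Server and stunnel-dot, which the network map in this commit lists under "Removed Services (2026-01-23)"; if this is the archived copy, a one-line "superseded, see 01-NETWORK-MAP.md" banner at the top would stop the two from being read as both current.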

@@ -0,0 +1,391 @@
# Phase 2: The "Fossorial" Tunnel Stack (Pangolin, Gerbil, Newt)
## Goal
Deploy the Fossorial tunnel stack using your MikroTik's static IP (62.73.120.142) to host tunnels without requiring a VPS, with MikroTik container fallback for resilience.
---
## What is Fossorial?
Fossorial is a self-hosted tunnel solution consisting of:
| Component | Purpose | Role |
|-----------|---------|------|
| **Pangolin** | Central controller/dashboard | Manages tunnels, provides web UI |
| **Gerbil** | WireGuard manager | Handles WireGuard peer configuration |
| **Newt** | Tunnel connector | Lightweight agent that "dials out" to establish tunnels |
**Why Fossorial over plain WireGuard?**
- Automatic peer management
- Web-based tunnel configuration
- Self-healing connections via Newt
- Easier certificate/identity management
---
## Current WireGuard State (MikroTik)
```
Interface: back-to-home-vpn
├── Listen Port: 59188 (non-standard - good!)
├── Address: 192.168.216.1/24
├── Public Key: 3e+p++SJ6f5EURt6WCKApOLMQHWpURm/vn/0s9+EKzs=
└── Peers: 3 configured
```
**Port 51820 Status:** NOT in use - available for Fossorial
---
## Architecture Overview
```
Internet
┌────────────▼────────────┐
│ MikroTik (62.73.120.142)│
│ Port Forward: │
│ UDP 51820 → Unraid │
│ TCP 443 → Traefik │
└────────────┬────────────┘
┌──────────────────┼──────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Pangolin │ │ Gerbil │ │ Newt │
│ (Controller) │ │ (WG Manager) │ │ (Connector) │
│ :3000 web UI │ │ :51820 WG │ │ Outbound only │
│ │ │ :8080 API │ │ │
└────────┬────────┘ └────────┬────────┘ └────────┬────────┘
│ │ │
└───────────────────┴───────────────────┘
Internal Network
192.168.31.0/24
```
---
## Implementation Steps
### Step 2.1: Create Docker Network for Fossorial
```bash
docker network create --driver bridge fossorial
```
---
### Step 2.2: Deploy Pangolin (Controller)
**Unraid Docker Template:**
```xml
<?xml version="1.0"?>
<Container version="2">
<Name>pangolin</Name>
<Repository>fossoriumtech/pangolin:latest</Repository>
<Registry>https://hub.docker.com/r/fossoriumtech/pangolin</Registry>
<Network>fossorial</Network>
<Shell>sh</Shell>
<Privileged>false</Privileged>
<Overview>Pangolin - Fossorial tunnel controller and dashboard</Overview>
<Category>Network:VPN</Category>
<WebUI>https://pangolin.xtrm-lab.org</WebUI>
<ExtraParams>--restart unless-stopped</ExtraParams>
<!-- Ports -->
<Config Name="Web UI" Target="3000" Default="3000" Mode="tcp" Type="Port" Display="always" Required="true">3000</Config>
<!-- Volumes -->
<Config Name="Data" Target="/app/data" Default="/mnt/user/appdata/pangolin/data" Mode="rw" Type="Path" Display="always" Required="true">/mnt/user/appdata/pangolin/data</Config>
<Config Name="Config" Target="/app/config" Default="/mnt/user/appdata/pangolin/config" Mode="rw" Type="Path" Display="always" Required="true">/mnt/user/appdata/pangolin/config</Config>
<!-- Environment -->
<Config Name="BASE_URL" Target="PANGOLIN_BASE_URL" Default="https://pangolin.xtrm-lab.org" Mode="" Type="Variable" Display="always" Required="true">https://pangolin.xtrm-lab.org</Config>
<Config Name="SECRET_KEY" Target="PANGOLIN_SECRET_KEY" Default="" Mode="" Type="Variable" Display="always" Required="true" Mask="true">GENERATE_A_SECURE_32_CHAR_KEY</Config>
<!-- Traefik Labels -->
<Config Name="traefik.enable" Target="traefik.enable" Type="Label" Display="always">true</Config>
<Config Name="traefik.http.routers.pangolin.rule" Target="traefik.http.routers.pangolin.rule" Type="Label" Display="always">Host(`pangolin.xtrm-lab.org`)</Config>
<Config Name="traefik.http.routers.pangolin.entrypoints" Target="traefik.http.routers.pangolin.entrypoints" Type="Label" Display="always">https</Config>
<Config Name="traefik.http.routers.pangolin.tls.certresolver" Target="traefik.http.routers.pangolin.tls.certresolver" Type="Label" Display="always">cloudflare</Config>
<Config Name="traefik.http.routers.pangolin.middlewares" Target="traefik.http.routers.pangolin.middlewares" Type="Label" Display="always">default-headers@file</Config>
<Config Name="traefik.http.services.pangolin.loadbalancer.server.port" Target="traefik.http.services.pangolin.loadbalancer.server.port" Type="Label" Display="always">3000</Config>
<Config Name="traefik.docker.network" Target="traefik.docker.network" Type="Label" Display="always">dockerproxy</Config>
<!-- AutoKuma -->
<Config Name="kuma" Target="kuma" Type="Label" Display="advanced">https://pangolin.xtrm-lab.org</Config>
<Config Name="kuma.name" Target="kuma.name" Type="Label" Display="advanced">Pangolin Dashboard</Config>
<Config Name="kuma.type" Target="kuma.type" Type="Label" Display="advanced">http</Config>
<!-- Tailscale (optional) -->
<Config Name="TailScale Fallback State Directory" Target="CA_TS_FALLBACK_DIR" Type="Variable" Display="advanced">/app/data</Config>
</Container>
```
**Generate Secret Key:**
```bash
openssl rand -hex 32
```
---
### Step 2.3: Deploy Gerbil (WireGuard Manager)
**Unraid Docker Template:**
```xml
<?xml version="1.0"?>
<Container version="2">
<Name>gerbil</Name>
<Repository>fossoriumtech/gerbil:latest</Repository>
<Registry>https://hub.docker.com/r/fossoriumtech/gerbil</Registry>
<Network>fossorial</Network>
<Shell>sh</Shell>
<Privileged>true</Privileged>
<Overview>Gerbil - Fossorial WireGuard manager</Overview>
<Category>Network:VPN</Category>
<ExtraParams>--cap-add=NET_ADMIN --cap-add=SYS_MODULE --sysctl net.ipv4.ip_forward=1 --sysctl net.ipv4.conf.all.src_valid_mark=1</ExtraParams>
<!-- Ports -->
<Config Name="WireGuard UDP" Target="51820" Default="51820" Mode="udp" Type="Port" Display="always" Required="true">51820</Config>
<Config Name="API" Target="8080" Default="8080" Mode="tcp" Type="Port" Display="always" Required="true">8080</Config>
<!-- Volumes -->
<Config Name="WireGuard Config" Target="/etc/wireguard" Default="/mnt/user/appdata/gerbil/wireguard" Mode="rw" Type="Path" Display="always" Required="true">/mnt/user/appdata/gerbil/wireguard</Config>
<Config Name="Data" Target="/app/data" Default="/mnt/user/appdata/gerbil/data" Mode="rw" Type="Path" Display="always" Required="true">/mnt/user/appdata/gerbil/data</Config>
<!-- Environment -->
<Config Name="PANGOLIN_URL" Target="GERBIL_PANGOLIN_URL" Default="http://pangolin:3000" Mode="" Type="Variable" Display="always" Required="true">http://pangolin:3000</Config>
<Config Name="PUBLIC_IP" Target="GERBIL_PUBLIC_IP" Default="" Mode="" Type="Variable" Display="always" Required="true">62.73.120.142</Config>
<Config Name="PUBLIC_PORT" Target="GERBIL_PUBLIC_PORT" Default="51820" Mode="" Type="Variable" Display="always" Required="true">51820</Config>
<Config Name="WG_INTERFACE" Target="GERBIL_WG_INTERFACE" Default="wg0" Mode="" Type="Variable" Display="always" Required="true">wg0</Config>
<Config Name="API_KEY" Target="GERBIL_API_KEY" Default="" Mode="" Type="Variable" Display="always" Required="true" Mask="true">SAME_AS_PANGOLIN_SECRET</Config>
<!-- AutoKuma -->
<Config Name="kuma" Target="kuma" Type="Label" Display="advanced">http://192.168.31.2:8080/health</Config>
<Config Name="kuma.name" Target="kuma.name" Type="Label" Display="advanced">Gerbil WireGuard</Config>
<Config Name="kuma.type" Target="kuma.type" Type="Label" Display="advanced">http</Config>
</Container>
```
---
### Step 2.4: Deploy Newt (Connector)
**Unraid Docker Template:**
```xml
<?xml version="1.0"?>
<Container version="2">
<Name>newt</Name>
<Repository>fossoriumtech/newt:latest</Repository>
<Registry>https://hub.docker.com/r/fossoriumtech/newt</Registry>
<Network>fossorial</Network>
<Shell>sh</Shell>
<Privileged>false</Privileged>
<Overview>Newt - Fossorial tunnel connector (dials out to establish tunnels)</Overview>
<Category>Network:VPN</Category>
<ExtraParams>--restart unless-stopped</ExtraParams>
<!-- Volumes -->
<Config Name="Data" Target="/app/data" Default="/mnt/user/appdata/newt/data" Mode="rw" Type="Path" Display="always" Required="true">/mnt/user/appdata/newt/data</Config>
<!-- Environment -->
<Config Name="PANGOLIN_URL" Target="NEWT_PANGOLIN_URL" Default="" Mode="" Type="Variable" Display="always" Required="true">https://pangolin.xtrm-lab.org</Config>
<Config Name="ENDPOINT" Target="NEWT_ENDPOINT" Default="" Mode="" Type="Variable" Display="always" Required="true">62.73.120.142:51820</Config>
<Config Name="API_KEY" Target="NEWT_API_KEY" Default="" Mode="" Type="Variable" Display="always" Required="true" Mask="true">GENERATE_VIA_PANGOLIN_UI</Config>
<Config Name="TUNNEL_NAME" Target="NEWT_TUNNEL_NAME" Default="unraid-local" Mode="" Type="Variable" Display="always" Required="true">unraid-local</Config>
<!-- AutoKuma -->
<Config Name="kuma" Target="kuma" Type="Label" Display="advanced">docker</Config>
<Config Name="kuma.name" Target="kuma.name" Type="Label" Display="advanced">Newt Connector</Config>
<Config Name="kuma.type" Target="kuma.type" Type="Label" Display="advanced">docker</Config>
</Container>
```
---
### Step 2.5: MikroTik Port Forward for WireGuard
**Add NAT rule for Fossorial WireGuard:**
```routeros
# Connect via SSH
ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
# Add port forward
/ip/firewall/nat add chain=dstnat \
action=dst-nat \
to-addresses=192.168.31.2 \
to-ports=51820 \
protocol=udp \
dst-address=62.73.120.142 \
dst-port=51820 \
comment="Fossorial WireGuard"
# Add firewall rule to allow
/ip/firewall/filter add chain=forward \
action=accept \
protocol=udp \
dst-address=192.168.31.2 \
dst-port=51820 \
comment="Allow Fossorial WireGuard" \
place-before=14
```
**Verification:**
```routeros
/ip/firewall/nat print where comment~"Fossorial"
```
---
### Step 2.6: Connect Networks (fossorial ↔ dockerproxy)
Pangolin needs to be accessible via Traefik. Either:
**Option A: Connect Pangolin to both networks**
```bash
docker network connect dockerproxy pangolin
```
**Option B: Use Traefik external routing in dynamic.yml**
```yaml
# Add to /mnt/user/appdata/traefik/dynamic.yml
http:
routers:
pangolin-secure:
rule: "Host(`pangolin.xtrm-lab.org`)"
entryPoints:
- https
middlewares:
- default-headers
tls:
certResolver: cloudflare
service: pangolin
services:
pangolin:
loadBalancer:
servers:
- url: "http://192.168.31.2:3000"
```
---
### Step 2.7: MikroTik Container Fallback (Optional)
Deploy a lightweight Gerbil instance on MikroTik for resilience:
**Prerequisites:**
- USB storage connected to MikroTik (already present: `usb1`)
- Container mode enabled
**MikroTik Commands:**
```routeros
# Create container for Gerbil fallback
/container/config set registry-url=https://registry-1.docker.io tmpdir=usb1/tmp
# Pull gerbil image
/container add \
remote-image=fossoriumtech/gerbil:latest \
interface=docker-bridge \
root-dir=usb1/gerbil \
start-on-boot=yes \
comment="Fossorial Gerbil Fallback"
# Configure environment
/container/envs add name=gerbil-env key=GERBIL_PUBLIC_IP value="62.73.120.142"
/container/envs add name=gerbil-env key=GERBIL_PUBLIC_PORT value="51821"
/container/envs add name=gerbil-env key=GERBIL_MODE value="standalone"
```
**Note:** MikroTik containers have limited resources. This is a fallback for critical services only (Pi-hole access, Authentik).
---
## Service Interruption Assessment
| Action | Risk | Impact | Mitigation |
|--------|------|--------|------------|
| Deploy Pangolin/Gerbil/Newt | NONE | New containers | - |
| Port forward 51820 | LOW | New port, existing WG on 59188 unaffected | - |
| Connect fossorial network | LOW | Container networking | Test connectivity |
| MikroTik container | MEDIUM | Router resources | Monitor CPU/memory |
**Existing WireGuard (back-to-home-vpn) Impact:** NONE
- Uses port 59188, not 51820
- Completely separate interface
---
## Verification Checklist
- [ ] All three containers running: `docker ps | grep -E "pangolin|gerbil|newt"`
- [ ] Pangolin web UI accessible: https://pangolin.xtrm-lab.org
- [ ] Gerbil API responding: `curl http://192.168.31.2:8080/health`
- [ ] MikroTik NAT rule in place: `ssh ... "/ip/firewall/nat print"`
- [ ] External WireGuard test: Connect from external network to 62.73.120.142:51820
- [ ] Newt connected in Pangolin dashboard
---
## Initial Pangolin Setup
1. Navigate to https://pangolin.xtrm-lab.org
2. Create admin account
3. Add Gerbil node:
- Name: `unraid-gerbil`
- API URL: `http://gerbil:8080`
- API Key: (same as GERBIL_API_KEY)
4. Create a tunnel:
- Name: `home-services`
- Assign to Gerbil node
5. Generate Newt API key in Pangolin UI
6. Update Newt container with the API key
---
## Rollback Procedure
1. **Stop containers:**
```bash
docker stop newt gerbil pangolin
docker rm newt gerbil pangolin
```
2. **Remove MikroTik NAT:**
```routeros
/ip/firewall/nat remove [find comment="Fossorial WireGuard"]
```
3. **Remove network:**
```bash
docker network rm fossorial
```
4. **Clean up data (if desired):**
```bash
rm -rf /mnt/user/appdata/pangolin /mnt/user/appdata/gerbil /mnt/user/appdata/newt
```
---
## Files Modified
| File/System | Change | Backup Required |
|-------------|--------|-----------------|
| MikroTik NAT | Add UDP 51820 forward | N/A (can remove) |
| /mnt/user/appdata/traefik/dynamic.yml | Add pangolin route | YES |
| New directories created | /mnt/user/appdata/pangolin,gerbil,newt | N/A |
---
## Dependencies for Next Phase
Phase 3 (Authentik) can now use Fossorial tunnels to:
- Expose Authentik externally without Cloudflare dependency
- Create secure tunnels for mobile OIDC authentication
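Review bot: the Gerbil template in Step 2.3 sets `<Privileged>true</Privileged>` and in the same block adds `--cap-add=NET_ADMIN --cap-add=SYS_MODULE`; privileged mode already grants every capability plus host device access, which makes the cap-add list redundant and gives the one container that terminates inbound WAN traffic on UDP 51820 far more than WireGuard needs. Set `<Privileged>false</Privileged>` and keep only the explicit capabilities (SYS_MODULE can go too if the host kernel already has the wireguard module loaded). Smaller points: in Step 2.5 the first two lines (`ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1`) are a shell command sitting inside a ```routeros fence and should be their own bash block; and the `SECRET_KEY` placeholder says "32_CHAR_KEY" while the generation command `openssl rand -hex 32` yields 64 hex characters (32 bytes), so say which length Pangolin actually expects. Note too that the network map in this commit already records Pangolin under "Removed Services (2026-01-23)" as "Not in use", so this plan should be marked as archived or WIP at the top.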

@@ -0,0 +1,196 @@
# Phase 3: Identity & Zero Trust (Authentik)
## Status: ✅ COMPLETED
**Last Verified:** 2026-01-18
---
## Goal
Gate every `*.xtrm-lab.org` service behind OIDC authentication using Authentik, implementing Zero Trust access control.
---
## Current Authentik State
| Parameter | Value |
|-----------|-------|
| Container | authentik (+ authentik-worker) |
| Version | 2025.8.1 |
| Network | dockerproxy |
| Ports | 9000 (HTTP), 9443 (HTTPS) |
| URL | https://auth.xtrm-lab.org |
| PostgreSQL | postgresql17 (authentik_db) |
| Redis | redis |
| Status | ✅ Running (healthy) |
---
## Verified Configuration
### Users
| Username | Name | Status |
|----------|------|--------|
| akadmin | authentik Default Admin | Active |
| admin | Admin User | Active |
| jazzymc | Kaloyan Danchev | Active |
### Groups
| Group Name | Purpose |
|------------|---------|
| authentik Admins | Administrative access |
| authentik Read-only | Read-only access |
### Outpost
| Name | Type | Status |
|------|------|--------|
| authentik Embedded Outpost | proxy | ✅ Running |
### Applications
| Application | Slug |
|-------------|------|
| XTRM-Lab Protected Services | xtrm-lab-protected |
| Actual Budget | actual-budget |
### Proxy Provider
| External Host | Mode |
|---------------|------|
| https://auth.xtrm-lab.org | forward_domain |
### 2FA Status
| Type | Count |
|------|-------|
| TOTP Devices | 2 |
| WebAuthn Devices | 0 |
---
## Services Protected by Authentik Forward Auth
The following services require Authentik authentication:
| Service | Domain |
|---------|--------|
| n8n | n8n.xtrm-lab.org |
| Traefik Dashboard | traefik.xtrm-lab.org |
| NetAlertX | netalert.xtrm-lab.org |
| UrBackup | urbackup.xtrm-lab.org |
| Pi-hole 1 | ph1.xtrm-lab.org |
| Pi-hole 2 | ph2.xtrm-lab.org |
| Unimus | unimus.xtrm-lab.org |
| Homarr | xtrm-lab.org |
| Uptime Kuma | uptime.xtrm-lab.org |
| Transmission | transmission.xtrm-lab.org |
**Total: 12 protected routes** (including root redirects for Pi-holes)
---
## Services WITHOUT Authentik Protection
These services have their own authentication or are public:
| Service | Domain | Reason |
|---------|--------|--------|
| Authentik | auth.xtrm-lab.org | Self (would cause redirect loop) |
| Plex | plex.xtrm-lab.org | Has own Plex authentication |
| Vaultwarden | vault.xtrm-lab.org | Has own authentication |
| Home Assistant | ha.xtrm-lab.org | Has own authentication |
| Karakeep | karakeep.xtrm-lab.org | Public/own auth |
| RustFS CDN | cdn.xtrm-lab.org | Public CDN (S3 auth) |
| Pangolin API | pangolin.xtrm-lab.org | API access |
| Nextcloud | nextcloud.xtrm-lab.org | Has own authentication |
---
## Traefik Forward Auth Middleware
Configured in `/mnt/user/appdata/traefik/dynamic.yml`:
```yaml
authentik-forward-auth:
forwardAuth:
address: "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
```
---
## Verification Checklist
- [x] Authentik initial setup completed (admin password set)
- [x] Outpost running and connected (embedded outpost)
- [x] User groups created (authentik Admins, authentik Read-only)
- [x] Application/provider pairs configured (2 applications)
- [x] Traefik config updated with forward auth middleware
- [x] Services tested successfully (302 redirect to login)
- [x] All planned services protected (12 routes)
- [x] 2FA enabled for admin accounts (2 TOTP devices)
---
## Architecture
```
Internet User
┌────────────▼────────────┐
│ Traefik (Reverse Proxy)│
│ *.xtrm-lab.org:443 │
└────────────┬────────────┘
┌────────────▼────────────┐
│ Forward Auth Check │
│ → Authentik Outpost │
└────────────┬────────────┘
┌──────────────────┴──────────────────┐
│ │
┌─────────▼─────────┐ ┌─────────▼─────────┐
│ Authenticated? │ │ Login Required │
│ YES → Pass │ │ Redirect to │
│ through to │ │ auth.xtrm-lab.org│
│ backend service │ └───────────────────┘
└───────────────────┘
```
---
## Maintenance Notes
### Database
- PostgreSQL database: `authentik_db`
- User: `authentik_user`
- Host: `postgresql17` container
- Data path: `/mnt/user/appdata/postgresql`
### Backup Recommendation
Regularly backup:
- PostgreSQL database (contains all Authentik config)
- `/mnt/user/appdata/traefik/dynamic.yml`
### Rollback Procedure
**Remove all protection (emergency):**
1. Edit `/mnt/user/appdata/traefik/dynamic.yml`
2. Remove `authentik-forward-auth` from all router middlewares
3. Traefik will auto-reload
---
## Related Documents
- [00-CURRENT-STATE.md](./00-CURRENT-STATE.md) - Infrastructure overview
- [02-PHASE2-FOSSORIAL-STACK.md](./02-PHASE2-FOSSORIAL-STACK.md) - Pangolin integration
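Review bot: the two routing tables in this hunk are stale relative to the changelog added in the same commit: `Pi-hole 1 | ph1.xtrm-lab.org` and `Pi-hole 2 | ph2.xtrm-lab.org` are listed as protected and `Pangolin API | pangolin.xtrm-lab.org` as unprotected, while the 2026-01-22 and 2026-01-23 changelog entries record the Pi-hole containers removed from both MikroTik and Unraid, the ph1 Traefik routes removed and Pangolin removed as "not in use". Since this file moves to docs/archive/ as read-only reference, either refresh both tables and the "12 protected routes" total or add a one-line superseded note under "Last Verified" pointing at the current network map, so the archived copy is not read as the live allow-list. Also, `trustForwardHeader: true` in the forwardAuth middleware makes the outpost rely on the X-Forwarded-* headers as Traefik received them; record which entrypoint `forwardedHeaders.trustedIPs` setting pairs with it (the Cloudflare or Pangolin hop), because the hunk does not say which upstreams are trusted to set those headers.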

View File

@@ -0,0 +1,190 @@
# Phase 4: Remote Gaming (Sunshine + Moonlight)
## Status: 🔄 IN PROGRESS
**Last Updated:** 2026-01-19
---
## Current Progress
| Task | Status | Notes |
|------|--------|-------|
| Tailscale on Nobara | ✅ Complete | IP: 100.98.57.73 |
| VA-API verification | ✅ Complete | RX 6600 H.264/HEVC encoding working |
| Sunshine Flatpak | ❌ Failed | Capture methods incompatible |
| Native Sunshine | ⏳ Pending | Recommended installation method |
| Moonlight pairing | ⏳ Pending | Awaiting Sunshine setup |
### Verified Hardware
- **GPU:** AMD Radeon RX 6600M (Navi 23) + AMD Radeon 680M (integrated)
- **Driver:** Mesa Gallium 25.3.2 (radeonsi, navi23, LLVM 21.1.7)
- **VA-API:** v1.22 with H.264 and HEVC encode support
### Tailscale Network
| Device | Tailscale IP | Status |
|--------|--------------|--------|
| xtrm-pc (Nobara) | 100.98.57.73 | Online |
| kaloyans-macbook-air | 100.68.118.59 | Online |
| xtrm-unraid | 100.100.208.70 | Online |
### Flatpak Issues Encountered
The Flatpak version of Sunshine failed due to:
1. **wlr capture:** Missing wlr-export-dmabuf protocol (KDE Plasma incompatible)
2. **PipeWire capture:** XDG portal permissions blocked in sandbox
3. **KMS capture:** Cannot apply setcap to sandboxed binaries
**Solution:** Use native DNF installation instead.
---
## Goal
Enable low-latency 60FPS game streaming from Nobara Linux (AMD GPU) to MacBook and Android devices, using Tailscale for optimal network pathing.
---
## Architecture Overview
```
┌─────────────────────────────────┐
│ Tailscale Mesh Network │
│ (Encrypted, P2P when possible) │
└─────────────────┬───────────────┘
┌────────────────────────────┼────────────────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Nobara Gaming PC│ │ MacBook │ │ Android Device │
│ xtrm-pc │ │ Moonlight Client│ │ Moonlight Client│
│ 100.98.57.73 │ │ 100.68.118.59 │ │ │
│ AMD RX 6600 │ │ │ │ │
└─────────────────┘ └─────────────────┘ └─────────────────┘
```
---
## Installation (Native - Recommended)
### Step 1: Remove Flatpak (if installed)
```bash
flatpak remove dev.lizardbyte.app.Sunshine -y
```
### Step 2: Install Native Sunshine
```bash
sudo dnf copr enable lizardbyte/stable -y
sudo dnf install sunshine -y
```
### Step 3: Set KMS Capture Permission
```bash
sudo setcap cap_sys_admin+p $(readlink -f $(which sunshine))
```
### Step 4: Enable Service
```bash
systemctl --user enable --now sunshine
```
### Step 5: Configure Sunshine
1. Open https://localhost:47990
2. Set admin password
3. Go to Configuration → Video:
- Encoder: vaapi
- Adapter: /dev/dri/renderD128
---
## Moonlight Client Setup
### MacBook
Moonlight already installed. Add PC:
- Host: 100.98.57.73 (Tailscale IP)
- Or hostname: xtrm-pc (if MagicDNS enabled)
### Pairing
1. Open Moonlight, add xtrm-pc
2. Enter 4-digit PIN shown in Moonlight
3. Input PIN in Sunshine Web UI → PIN Pairing
---
## VA-API Verification Output
```
vainfo: VA-API version: 1.22 (libva 2.22.0)
vainfo: Driver version: Mesa Gallium driver 25.3.2 for AMD Radeon RX 6600M
vainfo: Supported profile and entrypoints
VAProfileH264ConstrainedBaseline: VAEntrypointEncSlice
VAProfileH264Main : VAEntrypointEncSlice
VAProfileH264High : VAEntrypointEncSlice
VAProfileHEVCMain : VAEntrypointEncSlice
VAProfileHEVCMain10 : VAEntrypointEncSlice
```
---
## Firewall Configuration (Optional)
Restrict Sunshine to Tailscale network only:
```bash
sudo firewall-cmd --permanent --zone=trusted --add-source=100.64.0.0/10
sudo firewall-cmd --permanent --zone=trusted --add-port=47984-48010/tcp
sudo firewall-cmd --permanent --zone=trusted --add-port=47998-48010/udp
sudo firewall-cmd --permanent --zone=trusted --add-port=47989-47990/tcp
sudo firewall-cmd --reload
```
---
## Streaming Settings
| Setting | LAN Value | Remote Value |
|---------|-----------|--------------|
| Bitrate | 50-80 Mbps | 20-40 Mbps |
| FPS | 60-120 | 60 |
| Resolution | Native | 1080p |
| Codec | HEVC | HEVC |
---
## Verification Checklist
- [x] Tailscale running on Nobara: 100.98.57.73
- [x] VA-API encoding verified: H.264 + HEVC
- [ ] Sunshine installed (native)
- [ ] KMS capture working
- [ ] Sunshine Web UI accessible
- [ ] Moonlight paired
- [ ] Desktop streaming works
- [ ] Game streaming at 60 FPS
---
## Troubleshooting
### Encoder Fails
```bash
# Verify VA-API
vainfo
# Check Sunshine logs
journalctl --user -u sunshine -f
```
### Connection Issues
```bash
# Check Tailscale connectivity
tailscale ping kaloyans-macbook-air
# Verify ports
ss -tlnp | grep sunshine
```
---
## Related Documents
- [00-CURRENT-STATE.md](./00-CURRENT-STATE.md) - Infrastructure overview
- [05-PHASE5-RUSTDESK.md](./05-PHASE5-RUSTDESK.md) - RustDesk for general remote access
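Review bot: the firewalld block under "Firewall Configuration (Optional)" does not restrict Sunshine to Tailscale as its heading says. firewalld's `trusted` zone accepts all incoming traffic, so `--add-source=100.64.0.0/10` on that zone opens every listening port on the host to the whole Tailscale range, and the three `--add-port` lines on the same zone change nothing. Put the source and the Sunshine ranges in a dedicated zone (or rich rules on the default zone) so that only 47984-48010/tcp, 47998-48010/udp and 47989-47990/tcp are reachable from 100.64.0.0/10, and keep 47990 (the admin Web UI, opened on localhost in Step 5) off the Tailscale-facing rule unless remote admin is intended. Separately, Step 3 grants the binary CAP_SYS_ADMIN, which is close to root; note in the doc that this is a file attribute a `dnf` upgrade can drop when it replaces the binary, so a `getcap` check belongs in the verification checklist after updates.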

View File

@@ -0,0 +1,194 @@
# Phase 5: Hardened RustDesk Self-Hosted Setup
## Status: ✅ FULLY COMPLETE
**Last Verified:** 2026-01-18
**Completion Date:** 2026-01-18
---
## Goal
Deploy a high-security, self-hosted RustDesk infrastructure with custom ID server, relay server, and end-to-end encryption using your own keypair.
---
## Current State
### Server Components
| Component | Container | Status | Ports |
|-----------|-----------|--------|-------|
| ID Server | rustdesk-hbbs | ✅ Running | TCP 21115-21116, UDP 21116, WS 21118-21119 |
| Relay Server | rustdesk-hbbr | ✅ Running | TCP 21117 |
### Configuration
| Parameter | Value |
|-----------|-------|
| Public Key | `+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=` |
| ID Server | rustdesk.xtrm-lab.org:21116 |
| Relay Server | rustdesk.xtrm-lab.org:21117 |
| DNS | rustdesk.xtrm-lab.org → 62.73.120.142 |
| Data Path | /mnt/user/appdata/rustdesk-server |
### Registered Clients
| ID | Platform | Status |
|----|----------|--------|
| 527588949 | macOS | ✅ Working |
| 20116399 | Nobara Linux | ✅ Working |
### MikroTik NAT Rules
| Rule | Protocol | WAN Port | Destination |
|------|----------|----------|-------------|
| RustDesk NAT Test | TCP | 21115 | 192.168.31.2:21115 |
| RustDesk ID Server | TCP | 21116 | 192.168.31.2:21116 |
| RustDesk ID Server | UDP | 21116 | 192.168.31.2:21116 |
| RustDesk Relay | TCP | 21117 | 192.168.31.2:21117 |
---
## Client Configuration
To connect RustDesk clients to your self-hosted server:
### Settings
```
ID Server: rustdesk.xtrm-lab.org
Relay Server: rustdesk.xtrm-lab.org
Key: +Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
```
### Connection String (for quick setup)
```
rustdesk.xtrm-lab.org,+Xlxh96tqwh9tD58ctOmB05Qpfs0ByCoLQcF+yCw0J8=
```
### macOS Permissions Required
- **Accessibility** - Required for keyboard/mouse control
- **Screen Recording** - Required for screen capture
---
## Verification Checklist
### Server-Side
- [x] Keypair generated: `/mnt/user/appdata/rustdesk-server/id_ed25519*`
- [x] hbbs container running
- [x] hbbr container running
- [x] MikroTik NAT rules configured (4 rules)
- [x] DNS resolves: rustdesk.xtrm-lab.org → 62.73.120.142
- [x] Port 21116 accessible from external
- [x] Port 21117 accessible from external
### Client-Side
- [x] Nobara client connects with public key
- [x] macOS client connects with public key
- [x] Remote session works (Nobara → macOS tested)
- [x] Video streaming working
- [x] Keyboard/mouse control working
---
## Architecture
```
Internet
┌────────────▼────────────┐
│ MikroTik (62.73.120.142)│
│ NAT Rules: │
│ TCP 21115-21117 │
│ UDP 21116 │
└────────────┬────────────┘
┌──────────────────┼──────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ hbbs (ID Server)│ │ hbbr (Relay) │ │ RustDesk Client │
│ TCP 21115-21116 │ │ TCP 21117 │ │ Your devices │
│ UDP 21116 │ │ │ │ │
│ WS 21118-21119 │ │ │ │ │
└─────────────────┘ └─────────────────┘ └─────────────────┘
```
---
## Container Details
### hbbs (ID/Rendezvous Server)
```
Image: rustdesk/rustdesk-server:latest
Command: hbbs -r rustdesk.xtrm-lab.org:21117 -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21115, 21116 (TCP+UDP), 21118, 21119
```
### hbbr (Relay Server)
```
Image: rustdesk/rustdesk-server:latest
Command: hbbr -k _
Volume: /mnt/user/appdata/rustdesk-server:/root
Ports: 21117
```
**Note:** The `-k _` flag enforces encrypted connections using the keypair.
---
## Security Features
1. **End-to-End Encryption:** All connections encrypted with Ed25519 keypair
2. **Key Verification:** Clients must have correct public key to connect
3. **Self-Hosted:** No third-party servers involved
4. **Encrypted-Only Mode:** Unencrypted connections rejected
---
## Maintenance
### View Logs
```bash
docker logs rustdesk-hbbs --tail 50
docker logs rustdesk-hbbr --tail 50
```
### Restart Services
```bash
docker restart rustdesk-hbbs rustdesk-hbbr
```
### Key Rotation
```bash
# Generate new keypair
docker run --rm -v /mnt/user/appdata/rustdesk-server:/data rustdesk/rustdesk-server hbbs -g
# Restart containers
docker restart rustdesk-hbbs rustdesk-hbbr
# Update all clients with new public key
```
---
## Rollback Procedure
```bash
# Stop and remove containers
docker stop rustdesk-hbbs rustdesk-hbbr
docker rm rustdesk-hbbs rustdesk-hbbr
# Remove MikroTik NAT rules (via SSH)
/ip/firewall/nat remove [find comment~RustDesk]
```
---
## Related Documents
- [00-CURRENT-STATE.md](./00-CURRENT-STATE.md) - Infrastructure overview
- [04-PHASE4-REMOTE-GAMING.md](./04-PHASE4-REMOTE-GAMING.md) - Sunshine/Moonlight setup
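Review bot: the Key Rotation command in this hunk mounts the data directory at `/data` (`-v /mnt/user/appdata/rustdesk-server:/data ... hbbs -g`) while the running hbbs and hbbr containers mount the same directory at `/root`; if hbbs writes the new `id_ed25519*` files relative to its working directory under `/root`, the new keypair ends up inside the throwaway container and the old key stays in use. Mount at `/root` to match the service containers and add a verification step (check the `id_ed25519.pub` timestamp and that both containers come up with the new key after restart). Two smaller points: the Security Features list says connections are "encrypted with Ed25519 keypair", but Ed25519 is a signature scheme, so the key authenticates the server to clients and enables the encrypted-only mode rather than being the session cipher; reword to avoid overstating it. And the rotation procedure should say that both IDs in "Registered Clients" lose connectivity until they receive the new public key, so client updates belong in the same maintenance window.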

View File

@@ -0,0 +1,281 @@
## 2026-01-23 - NetBox Discovery (Diode) Setup & Slurp'it Removal
### Slurp'it Removal
- [SLURPIT] Removed entire Slurp'it stack (portal, scanner, scraper, warehouse, mariadb, mongodb)
- [SLURPIT] Decision: Use NetBox Discovery + NetDisco instead for better NetBox integration
### NetBox Discovery (Diode) Installation
- [DIODE] Installed Diode server stack via quickstart.sh
- [DIODE] Containers: ingress-nginx, diode-auth, diode-ingester, diode-reconciler, hydra, postgres, redis
- [NETBOX] Installed netboxlabs-diode-netbox-plugin via custom Dockerfile
- [NETBOX] Ran plugin migrations for netbox_diode_plugin
- [DIODE] Configured Nginx with public /auth/introspect endpoint for NetBox plugin
- [DIODE] Connected NetBox to diode_default network for inter-container communication
### Discovery Agent Setup
- [DIODE] Deployed orb-agent container for network discovery
- [DIODE] Configured network_discovery policy: 192.168.31.0/24, ports 22/80/161/443
- [DIODE] Schedule: Every 30 minutes (*/30 * * * *)
- [DIODE] Successfully discovered 26 hosts on first scan
### NetDisco to NetBox Sync
- [SYNC] Created Python sync script at /mnt/user/appdata/netdisco-netbox-sync/
- [SYNC] Uses Diode SDK to ingest devices and IP addresses from NetDisco
- [SYNC] Syncs: 4 devices (with vendor, model, OS) and 42 ARP entries (with MAC)
- [SYNC] Containerized with Docker for easy deployment
### Documentation
- [DOCS] Updated 00-CURRENT-STATE.md with new discovery architecture
- [DOCS] Removed Slurp'it references, added Diode and sync script documentation
---
## 2026-01-22 - NetBox Migration to Shared PostgreSQL
### Database Consolidation
- [NETBOX] Migrated NetBox database to shared postgresql17
- [NETBOX] Created netbox_user and netbox database on postgresql17
- [NETBOX] Backed up and imported all NetBox data
- [NETBOX] Removed dedicated netbox-postgres container
### Network Consolidation
- [NETBOX] Moved all NetBox containers to dockerproxy network
- [NETBOX] Assigned static IPs: netbox (172.18.0.61), worker (172.18.0.62), redis (172.18.0.63/64)
- [NETBOX] Removed unused netbox network (172.24.0.0/16)
### Resource Savings
- Removed netbox-postgres container (~200-400MB RAM saved)
- Consolidated network infrastructure
---
## 2026-01-22 - Slurp'it Network Discovery Setup
### SNMP Configuration
- [MIKROTIK] Enabled SNMP on router (192.168.31.1)
- [SNMP] Communities configured: public, netdisco
- [DISCOVERY] MikroTik router discovered via SNMP
### Agent Service Account
- [UNRAID] Created agent user with SSH key access (port 422)
- [MIKROTIK-ROUTER] Created agent user with SSH key (port 2222)
- [MIKROTIK-AP] Created agent user with password auth (port 2222)
- [SWITCH] CSS326 uses SwOS - no SSH support
### Slurp'it Configuration
- [SNMP] Added SNMP v2c credentials to vault (public, netdisco)
- [NETBOX] Enabled NetBox integration plugin
- [SCAN] Configured scan target: 192.168.31.0/24
### Documentation
- [DOCS] Added Network Discovery section to 00-CURRENT-STATE.md
- [DOCS] Created AGENT-CREDENTIALS.md (gitignored)
- [DIAGRAM] Added INFRASTRUCTURE-DIAGRAM.md with complete topology
---
## 2026-01-22 - MikroTik DNS Migration to AdGuard Home
### Pi-hole Removal from MikroTik
- [CONTAINER] Removed Pi-hole container from MikroTik
- [STORAGE] Freed internal flash storage
## 2026-01-22 - AdGuard Home Migration Complete
### MikroTik AdGuard Home - Persistence Fix
- [CONTAINER] Fixed container persistence issue (root-dir on disk1, data on usb1)
- [CONFIG] Container now survives stop/start cycles
- [MOUNT] agh-work mount: usb1/adguard-home/work → /opt/adguardhome/work
### Unraid AdGuard Home - Replaces Pi-hole
- [CONTAINER] Deployed AdGuard Home on br0 macvlan network
- [IP] 192.168.31.4 (same IP as Pi-hole was using)
- [STOPPED] binhex-official-pihole container stopped (not removed)
- [CONFIG] Same credentials and rules as MikroTik instance
### Configuration Sync (Both Instances)
- [DNS] Upstream: Quad9 DoH (dns10.quad9.net)
- [TLS] Let's Encrypt wildcard cert for *.xtrm-lab.org
- [CLIENTS] 6 clients configured with MAC addresses
- [RULES] Custom filtering rules for SentinelOne, Jamf
### Documentation
- [DOCS] Updated 00-CURRENT-STATE.md with Mermaid diagrams
- [DIAGRAM] Added network topology and DNS architecture diagrams
---
- [CLEANUP] Removed Pi-hole mounts, envs, and data
### AdGuard Home Installation (Multiple Attempts)
- [ISSUE] MikroTik container root directory disappears on stop (bug)
- [WORKAROUND] Use DNS port 5355 to avoid stats.db creation error
- [CONTAINER] Final working config: usb1/agh2 root-dir, no mounts
- [VERSION] AdGuard Home v0.107.71
### Configuration Applied via API
- [BLOCKLISTS] StevenBlack Hosts, Hagezi Pro, Hagezi NSFW
- [RULES] Custom blocks: SentinelOne, Jamfcloud domains
- [CLIENTS] 6 devices migrated from Pi-hole
- [TLS] Let's Encrypt wildcard cert (*.xtrm-lab.org)
### Encrypted DNS Services
- [DOH] Port 443 - Active
- [DOT] Port 853 - Active
- [DOQ] Port 8853 - Active
- [SERVER] dns.xtrm-lab.org
### NAT Rules Updated
- [NAT] DNS Force: 53 → 172.17.0.5:5355 (UDP/TCP)
- [NAT] Web UI: 80 → 172.17.0.5:80
- [NAT] DoT: 853 → 172.17.0.5:853
- [NAT] DoH: 443 → 172.17.0.5:443
### Migration Data Saved
- [FILE] /mnt/user/appdata/adguard-migration.json
- [DATA] Blocklists, rules, clients for future Unraid migration
### Known Issues
- [BUG] MikroTik container root-dir disappears on stop - DO NOT RESTART
- [INCOMPATIBLE] nebula-sync crash-looping (Pi-hole ↔ AdGuard incompatible)
---
## 2026-01-21 - Rclone & Cloud Backup Setup
### Rclone Installation & Configuration
- [SERVICE] Installed rclone on Unraid
- [CONFIG] Configured Google Drive remote (drive:)
- [SYNC] Initial sync completed for backup folders
### Flash Backup Updates
- [SCRIPT] Updated flash-backup script output path
- [PATH] Changed from /mnt/user/backup/unraid-flash to /mnt/user/Backup/unraid-flash
- [SYNC] Synced to drive:Backups/unraid-flash (371 MiB)
---
## 2026-01-21 - Pi-hole Version Sync Automation
### MikroTik Pi-hole Update
- [CONTAINER] Updated MikroTik Pi-hole to v6.4.1 (matching Unraid)
- [CONFIG] Enabled FTLCONF_webserver_api_app_sudo=true for nebula-sync
- [FIX] Resolved nebula-sync crash loop (was failing with HTTP 400)
### Version Sync Script
- [SCRIPT] Created pihole-version-sync User Script
- [SCHEDULE] Runs daily at 4:00 AM
- [PATH] /boot/config/plugins/user.scripts/scripts/pihole-version-sync/
---
## 2026-01-19 - Phase 8 Enhanced Network Mapping
### MikroTik DHCP Sync
- [SCRIPT] Created mikrotik_dhcp_to_netbox.sh
- [SYNC] 29 DHCP leases synced to NetBox IPs
### Slurpit Plugin Installation
- [PLUGIN] Installed slurpit_netbox v1.2.7
- [CONFIG] Plugin configuration at /mnt/user/appdata/netbox/config/plugins.py
---
## 2026-01-18 - Phase 7 Gitea & Woodpecker CI
### Gitea Setup
- [SERVICE] gitea container deployed
- [URL] https://git.xtrm-lab.org
- [AUTH] Integrated with Authentik OAuth2
### Woodpecker CI
- [SERVICE] woodpecker-server and woodpecker-agent deployed
- [URL] https://ci.xtrm-lab.org
- [AUTH] Integrated with Gitea OAuth2
---
## Previous Changes
See git history for earlier changes.
## 2026-01-22
- [CLEANUP] Removed Pi-hole container (binhex-official-pihole) from Unraid - using AdGuard Home on MikroTik as primary DNS
- [CLEANUP] Removed nebula-sync container - not in use
- [CLEANUP] Removed Traefik routes for ph1.xtrm-lab.org
- [SERVICE] adguardhome-sync: Added for syncing rules between MikroTik AdGuard Home and Unraid AdGuard
- [MONITORING] Added 27 monitors to Uptime Kuma covering all web services and infrastructure
- [ORGANIZATION] Updated Unraid container categories for better organization
- [NETBOX] Migrated NetBox to shared postgresql17 database and dockerproxy network
## 2026-01-23 - Diode Stack Consolidation
### Service Consolidation
- [POSTGRES] Removed dedicated diode-postgres container
- [REDIS] Removed dedicated diode-redis container
- [NETWORK] Migrated all Diode containers to dockerproxy network
- [SHARED] Using postgresql17 (172.18.0.13) for diode and hydra databases
- [SHARED] Using Redis (172.18.0.14) for queue management
### Static IP Assignments (dockerproxy)
- diode-ingress: 172.18.0.70
- diode-ingester: 172.18.0.71
- diode-reconciler: 172.18.0.72
- diode-hydra: 172.18.0.73
- diode-auth: 172.18.0.74
### Unraid Docker UI
- [LABELS] Added net.unraid.docker.managed=dockerman
- [ICONS] NetBox/Diode icon for all containers
- [FOLDERVIEW] Containers visible in Docker tab
### Configuration Updates
- [ENV] Updated .env to use shared service hostnames
- [NGINX] Updated nginx.conf with new container names
- [AGENT] Updated discovery agent config with diode-ingress IP
---
## 2026-01-23 - NetBox Redis Consolidation
### Service Consolidation
- [REDIS] Removed netbox-redis container (task queue)
- [SHARED] Using Redis (172.18.0.14) for NetBox task queue
- [CACHE] Kept netbox-redis-cache (172.18.0.64) for caching
### Configuration Changes
- [ENV] REDIS_HOST changed from 172.18.0.63 to 172.18.0.14
- [LABELS] Added Unraid labels and icons to NetBox containers
### Containers Removed
- netbox-redis (was 172.18.0.63)
---
## 2026-01-23 - Service Cleanup & Documentation Update
### Services Removed
- [REMOVED] Unbound - redundant (AdGuard has upstream DoH)
- [REMOVED] DoH-Server - redundant (AdGuard has built-in DoH)
- [REMOVED] stunnel-dot - redundant (AdGuard has built-in DoT)
- [REMOVED] Pangolin - not in use
### DNS Configuration
- [CONFIG] Unraid AdGuard: dns2.xtrm-lab.org (was dns.xtrm-lab.org)
- [CONFIG] MikroTik AdGuard: dns.xtrm-lab.org (primary)
### Container Management
- [LABELS] Added net.unraid.docker.managed to all containers
- [LABELS] Added WebUI URLs to containers with web interfaces
- [LABELS] Updated icons to PNG format (from SVG)
### FolderView2
- [CATEGORY] Added "Network Inventory" for NetBox/Diode/NetDisco
### Documentation
- [DOCS] Updated 00-CURRENT-STATE.md with current architecture
- [DOCS] Added Mermaid diagrams for network topology
- [DOCS] Added RAM usage statistics
- [DOCS] Documented removed services
---
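Review bot: the ordering of this changelog breaks down after the "Documentation" sub-section of the AdGuard Home Migration entry: the bullets from `- [CLEANUP] Removed Pi-hole mounts, envs, and data` through "Known Issues" sit under no date heading (they read as a continuation of the MikroTik DNS Migration entry above, which has only one sub-section), and a bare `## 2026-01-22` plus two `## 2026-01-23` sections appear after "Previous Changes / See git history", so the file runs 01-23, 01-22, 01-21, 01-19, 01-18, then 01-22, 01-23 again. Re-attach the orphaned bullets under their heading and move the three trailing sections to the top, newest first, so the consolidated 05-CHANGELOG.md this commit introduces does not inherit the split. Also, the Agent Service Account section records the cAP's `agent` user with password auth while Unraid and the router use SSH keys; the cAP ac does accept keys (the WiFi entry in this same commit adds one for the xtrm user), so align it or note why it differs, since that account has the same scan role on all three devices.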

View File

@@ -0,0 +1,159 @@
# Phase 6: Multi-Host Docker Management with Portainer
## Overview
**Goal:** Unified container management dashboard for Unraid Docker.
| Component | Role |
|-----------|------|
| Portainer CE | Management hub (runs on Unraid) |
| Unraid Docker | Local host via Unix socket |
> **Note:** MikroTik RouterOS containers cannot be managed via Portainer - see [Limitation](#mikrotik-limitation) section.
---
## Phase 6.1: Unraid Server Setup ✅ COMPLETED
**Goal:** Install and configure the Portainer controller.
### Tasks
- [x] Install Portainer CE container via Docker CLI
- [x] Configure container settings:
- Network Type: **Bridge**
- Port Mapping: Container **9000** → Host **9002** (changed due to Authentik conflict)
- Port Mapping: Container **9443** → Host **9444**
- Path Mappings:
- Host `/var/run/docker.sock` → Container `/var/run/docker.sock`
- Host `/mnt/user/appdata/portainer` → Container `/data`
- [x] Add Unraid labels (`net.unraid.docker.managed`, `net.unraid.docker.icon`)
- [x] Add Tailscale labels (`tailscale.expose`, `tailscale.host`, `tailscale.port`)
- [x] Start container
- [x] Initialize Portainer via web UI
### Container Configuration
```bash
docker run -d \
--name=portainer \
--restart=unless-stopped \
-p 9002:9000 \
-p 9444:9443 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /mnt/user/appdata/portainer:/data \
--label 'net.unraid.docker.managed=dockerman' \
--label 'net.unraid.docker.icon=https://raw.githubusercontent.com/lllllllillllllillll/Dashboard-Icons/main/png/portainer.png' \
--label 'net.unraid.docker.webui=http://100.100.208.70:9002' \
--label 'tailscale.expose=true' \
--label 'tailscale.host=100.100.208.70' \
--label 'tailscale.port=9002' \
portainer/portainer-ce:latest
```
### Access URLs
- LAN: `http://192.168.31.2:9002`
- Tailscale: `http://100.100.208.70:9002`
- HTTPS LAN: `https://192.168.31.2:9444`
- HTTPS Tailscale: `https://100.100.208.70:9444`
### Verification
- [x] Portainer container running
- [x] Portainer UI accessible
- [x] Local Unraid environment connected
---
## Phase 6.2 & 6.3: MikroTik Integration ❌ NOT FEASIBLE
### MikroTik Limitation
**MikroTik RouterOS does not use Docker.** It has its own proprietary container runtime that:
- Does NOT have a Docker daemon
- Does NOT expose `/var/run/docker.sock`
- Does NOT support Docker API
- Can ONLY be managed via RouterOS CLI/API
### What Was Attempted
1. Created veth interface (`veth-socat` at 172.17.0.5)
2. Added bridge port to `docker-bridge`
3. Created mount for `/var/run/docker.sock`
4. Deployed `alpine/socat` container
5. Added firewall and NAT rules
### Why It Failed
```
socat[2] E connect(, AF=1 "/var/run/docker.sock", 22): No such file or directory
```
The socket doesn't exist because MikroTik's container system is not Docker-based.
### Cleanup Performed
All MikroTik changes were reverted:
- Removed socat container
- Removed veth-socat interface
- Removed docker_sock mount
- Removed firewall/NAT rules
---
## MikroTik Container Management Alternatives
Since Portainer cannot connect to MikroTik, use these methods instead:
### 1. RouterOS CLI (SSH)
```bash
# From Unraid
ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
# List containers
/container/print
# Start/stop containers
/container/start 0
/container/stop 0
# View logs
/log/print where topics~"container"
```
### 2. WinBox/WebFig
Access MikroTik web interface at `http://192.168.31.1` to manage containers via GUI.
### 3. RouterOS REST API
MikroTik RouterOS 7+ has a REST API that can be used for automation:
```
GET https://192.168.31.1/rest/container
```
---
## Current Status Summary
| Component | Status | Access |
|-----------|--------|--------|
| Portainer (Unraid) | ✅ Running | http://100.100.208.70:9002 |
| Unraid Docker | ✅ Connected | Via Portainer |
| MikroTik Containers | ⚠️ Separate | Via RouterOS CLI |
---
## Rollback Plan
If Portainer issues occur:
```bash
docker stop portainer && docker rm portainer
```
---
## Related Documents
- [00-CURRENT-STATE.md](./00-CURRENT-STATE.md) - Infrastructure overview
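Review bot: Portainer here mounts `/var/run/docker.sock`, which makes its admin account equivalent to root on Unraid, yet the Access URLs list plain HTTP (`http://192.168.31.2:9002`, `http://100.100.208.70:9002`) first and the `net.unraid.docker.webui` and `tailscale.port=9002` labels both point at the HTTP port even though 9444 (HTTPS) is mapped. Make 9444 the documented entry point, point the webui and tailscale labels at it, and state that the Portainer admin credential is as sensitive as the Unraid root login. Portainer is also absent from both the protected and unprotected service tables in the Phase 3 Authentik document in this commit; add it there with its reason (own auth, no Traefik route) so the Zero Trust inventory stays complete.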

View File

@@ -0,0 +1,345 @@
## 2026-01-19 - NetDisco Web UI Fixed
## 2026-01-19 - Phase 8 NetDisco Integration COMPLETED
### All Tasks Completed
- [8.1] SNMP enabled on hAP ax³, cAP ac, CSS326
- [8.2] NetDisco deployed (backend + web containers)
- [8.3] Discovery configured (3 devices discovered)
- [8.4] Traefik ingress with Authentik SSO
- [8.5] NetBox sync script created and tested
- [8.6] All functionality verified
### Key Fix
- [FIX] session_cookie_key missing from database - manually inserted
### Metrics
- Devices discovered: 3
- Ports collected: 52
- MAC addresses tracked: 19
### Access
- External: https://netdisco.xtrm-lab.org (SSO)
- Internal: http://192.168.31.2:5000
---
### Task 8.4: Traefik Ingress - VERIFIED WORKING
**Root Cause:**
- [BUG] session_cookie_key was missing from database
- NetDisco generates this key via netdisco-deploy, but our external PostgreSQL setup skipped this step
- Error: "The setting session_cookie_key must be defined"
**Fix Applied:**
- [DB] Manually inserted dancer_session_cookie_key into sessions table:
```sql
INSERT INTO sessions (id, a_session) VALUES ('dancer_session_cookie_key', md5(random()::text));
```
**Verification:**
- [TEST] http://netdisco-web:5000 - WORKING (returns HTML)
- [TEST] https://netdisco.xtrm-lab.org - WORKING (302 redirect to Authentik)
**Access:**
- External URL: https://netdisco.xtrm-lab.org (SSO via Authentik)
- Internal URL: http://192.168.31.2:5000 (direct)
- Database: session_cookie_key stored in PostgreSQL sessions table
---
# Infrastructure Changelog
## 2026-01-19 - NetDisco Traefik Integration
### Task 8.4: Traefik Ingress - COMPLETED
- [TRAEFIK] Added netdisco-secure router to dynamic.yml
- [TRAEFIK] Service: http://netdisco-web:5000
- [AUTH] Protected with authentik-forward-auth middleware
- [DNS] netdisco.xtrm-lab.org (configured by user)
- [URL] https://netdisco.xtrm-lab.org
---
## 2026-01-19 - NetDisco Deployment
### Task 8.2: Deploy NetDisco - COMPLETED
**Database Setup:**
- [DB] Created netdisco_db database in postgresql17
- [DB] Created netdisco_user with password
- [DB] Database schema initialized (96 migrations applied)
**Container Deployment:**
- [SERVICE] netdisco-web: Web UI on port 5000
- [SERVICE] netdisco-backend: SNMP polling daemon
- [CONFIG] deployment.yml configured with SNMP communities
- [CONFIG] Discover schedule: Every 2 hours
- [CONFIG] MAC/ARP polling: Hourly
**Device Discovery:**
- [DISCOVER] 192.168.31.1 (hAP ax³) - Successful
- [DISCOVER] 192.168.31.6 (cAP ac) - Successful
- [DISCOVER] 192.168.31.9 (CSS326) - Successful
- [DATA] MAC address tables collected
- [DATA] ARP tables collected
**Access:**
- Web UI: http://192.168.31.2:5000
- Initial auth: no_auth=true (unauthenticated admin)
---
## 2026-01-19 - SNMP Configuration for NetDisco
### Task 8.1: Enable SNMP on MikroTik Devices - COMPLETED
**hAP ax³ (192.168.31.1):**
- [SNMP] Enabled SNMPv2c
- [SNMP] Added `netdisco` community (192.168.31.2 only)
- [SNMP] Restricted `public` community to 192.168.31.2
- [SNMP] Contact: admin@xtrm-lab.org, Location: XTRM Home Lab
**cAP ac (192.168.31.6):**
- [SNMP] Enabled SNMPv2c via REST API
- [SNMP] Added `netdisco` community (192.168.31.2 only)
- [SNMP] Restricted `public` community to 192.168.31.2
**CSS326 (192.168.31.9):**
- [SNMP] Verified SNMP enabled (SwOS default)
- [SNMP] Using `public` community (SwOS single-community limitation)
- [NOTE] SwOS does not support address restrictions via API
**Testing:**
- [TEST] All three devices responding to SNMP queries from Unraid
- [TEST] sysName.0 verified: HAPax3, CAP XL ac, CSS326-24G-2S+
---
## 2026-01-19 - NetDisco Integration Planning
### Phase 8: NetDisco + NetBox Integration
- [DOCS] Created 12-PHASE8-NETDISCO-INTEGRATION.md
- [PLANNING] NetDisco deployment for SNMP-based network discovery
- [PLANNING] MikroTik SNMP configuration (hAP ax³, CSS326, cAP ac)
- [PLANNING] NetBox integration via plugin or custom API sync
- [DECISION] Keep NetAlertX running in parallel during transition
### MikroTik SNMP Support Confirmed
- hAP ax³ (RouterOS 7.x): Full SNMPv1/v2c/v3 support
- CSS326 (SwOS): SNMPv1/v2c read-only support
- cAP ac (RouterOS 7.x): Full SNMPv1/v2c/v3 support
### Resources
- [NetDisco](https://netdisco.org/)
- [NetBox Plugin for NetDisco](https://github.com/mksoska/netbox-plugin-netdisco)
---
## 2026-01-19 - NetBox IPAM/DCIM Deployment
### NetBox Installation
- [SERVICE] netbox: Deployed NetBox IPAM/DCIM on port 8090
- [SERVICE] netbox-worker: Background task worker
- [SERVICE] netbox-housekeeping: Database maintenance
- [SERVICE] netbox-postgres: Dedicated PostgreSQL 16 database
- [SERVICE] netbox-redis: Persistent Redis for queues
- [SERVICE] netbox-redis-cache: Redis cache instance
### Configuration
- URL: https://netbox.xtrm-lab.org
- Local: http://192.168.31.2:8090
- Network: dockerproxy (for Traefik) + netbox (internal)
- Data: /mnt/user/appdata/netbox/
### DNS
- [DNS] Added netbox.xtrm-lab.org to Cloudflare
### Purpose
- IP Address Management (IPAM)
- Data Center Infrastructure Management (DCIM)
- VLAN documentation and planning
- Network device inventory
- Cable/connection tracking
---
## 2026-01-18 - MikroTik WiFi & CAPsMAN Configuration
### CAPsMAN Setup
- [MIKROTIK] Configured CAPsMAN on hAP ax³ (192.168.31.1) as WiFi controller
- [MIKROTIK] Added cAP ac (192.168.31.6) as managed access point
- [MIKROTIK] Created provisioning rules for 2.4GHz and 5GHz bands
- [MIKROTIK] cAP ac radios now managed by CAPsMAN (configuration.manager=capsman)
### WiFi Security Updates
- [WIFI] XTRM (2.4GHz): Changed from WPA2/WPA3 to WPA/WPA2 for legacy device support
- [WIFI] XTRM2 (IoT): Changed from WPA2/WPA3 to WPA/WPA2 for legacy device support
- [WIFI] XTRM (5GHz): Remains WPA2/WPA3
- [WIFI] Fixed configuration band mismatch (cfg-XTRM5g had 2ghz-n, cfg-XTRM2g had 5ghz-ac)
### SSH Key Configuration
- [SSH] Added SSH key to cAP ac for xtrm user (key-based auth from Desktop)
- [SSH] Documented SSH access for both MikroTik devices
### Documentation
- [DOCS] Created 09-MIKROTIK-WIFI-CAPSMAN.md with full WiFi/CAPsMAN configuration
- [DOCS] Updated 00-CURRENT-STATE.md with cAP ac device info and WiFi networks
- [DOCS] Added WiFi passwords and connection details to documentation
### Issue Resolved
- [FIX] iPad 2 connectivity issue - resolved by enabling WPA-PSK on 2.4GHz networks
---
## 2026-01-18 - Docker Organization & Container Fixes
### FolderView2 Categories Reorganized
- [UNRAID] Reorganized Docker containers into 10 categories
- Categories: Infrastructure, Security, Monitoring, DevOps, Media, Storage/Backup, Productivity, Smart Home, Remote Access, Management
- Icon collection: Dazzle Line Icons (https://www.svgrepo.com/collection/dazzle-line-icons/)
- Deleted old categories: Cloud, Dashboards and Stats, Finance, Databases, Network, Network Monitoring, Automation, Backup
### Container Icon Fixes
- [SERVICE] rustfs: Fixed missing icon (was 404), now uses GitHub org avatar
- [SERVICE] gitea: Fixed webui label (was template syntax, now https://git.xtrm-lab.org)
- [SERVICE] woodpecker-server: Fixed icon URL (woodpecker.png → woodpecker-ci.png)
- [SERVICE] woodpecker-agent: Fixed icon URL (woodpecker.png → woodpecker-ci.png)
### Documentation
- [DOCS] Added Unraid Docker Organization section to 00-CURRENT-STATE.md
## 2026-01-18
- [INFRA] Added pending task: Static IP assignment for critical services on dockerproxy and bridge networks
- [SERVICE] postgresql17: Recreated container (was stopped due to port conflict)
- [SERVICE] authentik + authentik-worker: Restarted after PostgreSQL fix
- [TEMPLATE] Added RustDesk container templates with icons
- [TEMPLATE] Updated Pi-hole template with proper Unraid CA metadata
Track all changes to services, configurations, and phase progress.
---
## 2026-01-17 - Homarr + Portainer Integration
### Portainer App Added to Homarr
- [SERVICE] homarr: Added Portainer app to dashboard
- Section: Monitoring
- URL: http://100.100.208.70:9002 (Tailscale)
- Ping URL: http://192.168.31.2:9002 (LAN)
### Docker Integration Added
- [SERVICE] homarr: Added Docker integration via socket
- Integration name: Docker (Unraid)
- Socket: unix:///var/run/docker.sock
- Linked to Portainer app for container status display
### Database Changes
- Added app record for Portainer
- Added item and item_layout for Monitoring section
- Added integration record for Docker
- Linked integration to Portainer item
### Access
- Homarr: https://xtrm-lab.org
- Portainer visible in Monitoring section
---
## 2026-01-17 - Phase 6.2/6.3 Cancelled: MikroTik Incompatible
### Discovery
- MikroTik RouterOS containers are NOT Docker-based
- No `/var/run/docker.sock` exists on MikroTik
- Portainer cannot connect to MikroTik's container runtime
### What Was Attempted
- Created veth-socat interface (172.17.0.5)
- Deployed alpine/socat container
- Added firewall and NAT rules for port 2375
- Socat failed: `No such file or directory` for docker.sock
### Cleanup Performed
- Removed socat container
- Removed veth-socat interface and bridge port
- Removed docker_sock mount
- Removed firewall/NAT rules for port 2375
### Conclusion
- Phase 6.2 and 6.3 are NOT FEASIBLE
- MikroTik containers must be managed via RouterOS CLI/WebFig
- Portainer remains useful for Unraid-only container management
### Status Update
- [PHASE 6.1] COMPLETED - Portainer managing Unraid
- [PHASE 6.2] CANCELLED - MikroTik incompatible
- [PHASE 6.3] CANCELLED - MikroTik incompatible
---
## 2026-01-17 - Unraid Container Labels Fixed
### Containers Updated
- [SERVICE] unbound: Added Unraid labels (`net.unraid.docker.managed`, `net.unraid.docker.icon`)
- [SERVICE] portainer: Added Unraid labels + Tailscale labels
### Portainer Labels
- `net.unraid.docker.managed=dockerman`
- `net.unraid.docker.icon` - Portainer icon
- `net.unraid.docker.webui=http://100.100.208.70:9002`
- `tailscale.expose=true`
- `tailscale.host=100.100.208.70`
- `tailscale.port=9002`
### Unbound Labels
- `net.unraid.docker.managed=dockerman`
- `net.unraid.docker.icon` - Unbound icon
### Note
Both containers recreated to apply labels. Services verified working after recreation.
---
## 2026-01-17 - Phase 6.1 Completed: Portainer CE Deployed
### Portainer CE Installation
- [PHASE 6.1] Portainer CE deployed on Unraid - COMPLETED
- Container: `portainer/portainer-ce:latest`
- HTTP Port: **9002** (changed from 9000 due to Authentik conflict)
- HTTPS Port: **9444**
- Data: `/mnt/user/appdata/portainer`
- LAN URL: `http://192.168.31.2:9002`
- Tailscale URL: `http://100.100.208.70:9002`
### Port Conflict Resolution
- Original plan: port 9000
- Conflict: Authentik already using port 9000
- Resolution: Mapped to port 9002 (HTTP) and 9444 (HTTPS)
### Next Steps
- Phase 6.2: Deploy Socat proxy on MikroTik (port 2375)
- Phase 6.3: Connect MikroTik environment to Portainer
### Status
- [PHASE 6.1] COMPLETED - Portainer running, needs initial setup via web UI
- [PHASE 6.2] NOT STARTED
- [PHASE 6.3] NOT STARTED
---
## 2026-01-17 - Phase 6 Added: Multi-Host Docker Management
### New Documentation
- [PHASE 6] Created 06-PHASE6-PORTAINER-MANAGEMENT.md
- Portainer CE deployment plan for unified Docker management
- Covers Unraid local setup and MikroTik remote API via Socat
### Phase 6 Components
- Phase 6.1: Portainer CE installation on Unraid (port 9002)
- Phase 6.2: MikroTik Socat proxy for Docker API exposure (port 2375)
- Phase 6.3: Unified dashboard connection
### Security Considerations
-
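Review bot: the `### Security Considerations` section that closes the Phase 6 entry is empty (a bare `-` bullet), so the risk of exposing the Docker API on TCP 2375 through a Socat proxy (Phase 6.2/6.3) is recorded nowhere, even though the 2026-01-17 entries above show the attempt, the failure, and the removal of the firewall/NAT rules for port 2375; either fill the section in or note there that the plan was dropped. Separately, the `[DOCS] Added WiFi passwords and connection details to documentation` line records secrets being written into the repository, which gives every reader of this repo the WiFi passphrases; keep a placeholder in the docs and the real values in a secrets store. Minor: the line `Track all changes to services, configurations, and phase progress.` sits inside the 2026-01-18 entry and reads like the file's intro sentence, and that entry is the only one without a `---` separator before it.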


@@ -0,0 +1,168 @@
# Phase 7: Gitea + Woodpecker CI (GitOps for Homelab)
## Status: ✅ COMPLETED
**Deployed:** 2026-01-18
---
## Deployed Components
| Service | Container | Version | Port | URL | Status |
|---------|-----------|---------|------|-----|--------|
| Gitea | gitea | 1.25.3 | 3005→3000, 2222→22 | https://git.xtrm-lab.org | ✅ Running |
| Woodpecker Server | woodpecker-server | 3.13.0 | 8008→8000 | https://ci.xtrm-lab.org | ✅ Running |
| Woodpecker Agent | woodpecker-agent | 3.13.0 | - | - | ✅ Running |
---
## Configuration
### Gitea
| Parameter | Value |
|-----------|-------|
| Admin User | jazzymc |
| Database | PostgreSQL (gitea_db @ 172.18.0.13) |
| DB User | gitea |
| SSH Port | 2222 |
| Data Path | /mnt/user/appdata/gitea/data |
| Network | dockerproxy |
### Woodpecker CI
| Parameter | Value |
|-----------|-------|
| Version | 3.13.0 |
| Admin User | jazzymc (via Gitea OAuth) |
| Server IP | 172.18.0.134 |
| gRPC Port | 9000 |
| HTTP Port | 8000 (mapped to 8008) |
| Max Workflows | 2 (parallel) |
| Data Path | /mnt/user/appdata/woodpecker/server |
| Agent Secret | 564a5716400532874a8e02313a491b4f3864ce9b77a5122ce0eb14777749e740 |
### Gitea OAuth App (for Woodpecker)
| Parameter | Value |
|-----------|-------|
| Client ID | 924b3300-b607-4a48-bc26-35b06dbf18c7 |
| Redirect URI | https://ci.xtrm-lab.org/authorize |
---
## Network Configuration
All services on `dockerproxy` network:
| Service | Internal IP | DNS Name |
|---------|-------------|----------|
| Gitea | Dynamic | gitea |
| Woodpecker Server | 172.18.0.134 | woodpecker-server |
| PostgreSQL | 172.18.0.13 | postgresql17 |
### Traefik Routes
| Domain | Service | Port |
|--------|---------|------|
| git.xtrm-lab.org | gitea | 3000 |
| ci.xtrm-lab.org | woodpecker-server | 8000 |
---
## Verification Checklist
- [x] Gitea container running
- [x] Gitea accessible at https://git.xtrm-lab.org
- [x] Admin account created (jazzymc)
- [x] OAuth app created for Woodpecker
- [x] Woodpecker Server v3.13.0 running
- [x] Woodpecker Agent v3.13.0 running and connected
- [x] Woodpecker accessible at https://ci.xtrm-lab.org
- [x] Gitea OAuth login working
- [x] CI pipeline tested successfully
---
## Usage
### Git Operations
```bash
# Clone via HTTPS
git clone https://git.xtrm-lab.org/jazzymc/infrastructure.git
# Clone via SSH (port 2222)
git clone ssh://git@git.xtrm-lab.org:2222/jazzymc/infrastructure.git
```
### CI Pipeline (.woodpecker.yml)
```yaml
steps:
- name: test
image: alpine
commands:
- echo 'Hello from Woodpecker CI!'
- date
```
### Example: Node.js Pipeline
```yaml
steps:
- name: install
image: node:20
commands:
- npm install
- name: test
image: node:20
commands:
- npm test
- name: build
image: node:20
commands:
- npm run build
when:
branch: main
```
### Example: Docker Build
```yaml
steps:
- name: build
image: docker
commands:
- docker build -t myapp .
volumes:
- /var/run/docker.sock:/var/run/docker.sock
```
---
## Maintenance
### Update Woodpecker
```bash
docker pull woodpeckerci/woodpecker-server:v3
docker pull woodpeckerci/woodpecker-agent:v3
docker restart woodpecker-server woodpecker-agent
```
### Backup
Important paths to backup:
- /mnt/user/appdata/gitea/data
- /mnt/user/appdata/woodpecker/server
- PostgreSQL database: gitea_db
---
## Related Documents
- [00-CURRENT-STATE.md](./00-CURRENT-STATE.md) - Infrastructure overview
- [03-PHASE3-AUTHENTIK-ZEROTRUST.md](./03-PHASE3-AUTHENTIK-ZEROTRUST.md) - SSO setup
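Review bot: the `Agent Secret` row of the Woodpecker CI table commits the shared agent/server secret in plaintext; anyone with read access to this repo can register an agent against the server, so rotate it and replace the value with a reference to where it is stored (the OAuth `Client ID` in the next table is less sensitive, and its client secret is rightly absent). In `Example: Docker Build`, mounting `/var/run/docker.sock` into a build step gives that step root-equivalent control of the Unraid host; if the example stays, say that Woodpecker only honours volumes for repositories marked as trusted and restrict that flag to repositories you control. In `Update Woodpecker`, `docker restart woodpecker-server woodpecker-agent` after the two `docker pull` lines does not move the containers to the pulled image; they keep running the old one until they are recreated, so the procedure should stop, remove and start them again from the same template.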


@@ -0,0 +1,352 @@
# MikroTik WiFi & CAPsMAN Configuration
**Document Created:** 2026-01-18
**Last Updated:** 2026-01-18
---
## Device Inventory
### MikroTik hAP ax³ (CAPsMAN Controller)
| Parameter | Value |
|-----------|-------|
| Role | Main Router + CAPsMAN Controller |
| IP Address | 192.168.31.1 |
| RouterOS Version | 7.20.6 (stable) |
| Identity | HAPax3 |
**SSH Connection:**
```bash
# From Unraid server (key-based)
ssh -i /root/.ssh/mikrotik_key -p 2222 xtrm@192.168.31.1
# Alternative user
ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
```
### MikroTik cAP ac (Managed Access Point)
| Parameter | Value |
|-----------|-------|
| Role | CAPsMAN Managed Access Point |
| IP Address | 192.168.31.6 |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |
| Board | RBcAPGi-5acD2nD |
**SSH Connection:**
```bash
# Key-based (from desktop)
ssh -p 2222 xtrm@192.168.31.6
# Password-based
ssh -p 2222 xtrm@192.168.31.6
# Password: M0stW4nt3d@xtrm
```
---
## WiFi Networks
### XTRM (Main Network)
| Parameter | Value |
|-----------|-------|
| SSID | XTRM |
| Password | M0stW4nt3d@home |
| Bands | 2.4GHz + 5GHz |
| Security | WPA-PSK, WPA2-PSK (2.4GHz) / WPA2-PSK, WPA3-PSK (5GHz) |
### XTRM2 (IoT Network)
| Parameter | Value |
|-----------|-------|
| SSID | XTRM2 |
| Password | M0stW4nt3d@IoT |
| Bands | 2.4GHz only |
| Security | WPA-PSK, WPA2-PSK |
| Purpose | Legacy/IoT devices |
---
## WiFi Interfaces
### hAP ax³ (Local Interfaces)
| Interface | Band | SSID | Channel | Status |
|-----------|------|------|---------|--------|
| hap-wifi1 | 5GHz | XTRM | 5180, 5260, 5500 (80MHz) | Running |
| hap-wifi2 | 2.4GHz | XTRM | 2412, 2432, 2472 (20MHz) | Running |
| hap-wifi2-virtual1 | 2.4GHz | XTRM2 | 2412, 2432, 2472 (20MHz) | Running |
### cAP ac (CAPsMAN Managed)
| Interface | Band | SSID | Channel | Status |
|-----------|------|------|---------|--------|
| cap-wifi1 | 2.4GHz | XTRM | 2432 (20MHz) | Running |
| cap-wifi1-virtual1 | 2.4GHz | XTRM2 | (virtual) | Running |
| cap-wifi2 | 5GHz | XTRM | 5260 (80MHz, DFS) | Running |
---
## CAPsMAN Configuration
### Controller Settings (hAP ax³)
```
/interface/wifi/capsman/print
enabled: yes
interfaces: bridge
require-peer-certificate: no
upgrade-policy: none
generated-ca-certificate: WiFi-CAPsMAN-CA-789A182CA548
generated-certificate: WiFi-CAPsMAN-789A182CA548
```
### Channel Configurations
```
/interface/wifi/channel/print
0 name="ch-2ghz" frequency=2412,2432,2472 width=20mhz
1 name="ch-5ghz" frequency=5180,5260,5500 width=20/40/80mhz
```
### Security Profiles
```
/interface/wifi/security/print
0 name="sec-XTRM" authentication-types=wpa2-psk,wpa3-psk
passphrase="M0stW4nt3d@home"
1 name="sec-IoT" authentication-types=wpa-psk,wpa2-psk
passphrase="M0stW4nt3d@IoT" disable-pmkid=yes
```
### WiFi Configurations
```
/interface/wifi/configuration/print
0 name="cfg-XTRM5g" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-5ghz channel.band=5ghz-ac
datapath.bridge=bridge
1 name="cfg-XTRM2g" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-2ghz channel.band=2ghz-n
datapath.bridge=bridge
2 name="cfgXTRM-IoT" ssid="XTRM2"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-2ghz channel.band=2ghz-n
datapath.bridge=bridge
```
### Provisioning Rules
```
/interface/wifi/provisioning/print
0 comment="XTRM-5G"
supported-bands=5ghz-ac
action=create-dynamic-enabled
master-configuration=cfg-XTRM5g
1 comment="XTRM-2G"
supported-bands=2ghz-n
action=create-dynamic-enabled
master-configuration=cfg-XTRM2g
slave-configurations=cfgXTRM-IoT
```
---
## CAP Configuration (cAP ac)
### CAP Settings
```
/interface/wifi/cap/print
enabled: yes
discovery-interfaces: bridge
caps-man-addresses: 192.168.31.1
```
### Interface Manager Settings
Both radios must be set to CAPsMAN managed:
```
/interface/wifi set wifi1 configuration.manager=capsman
/interface/wifi set wifi2 configuration.manager=capsman
```
---
## Legacy Device Compatibility
### iPad 2 / Older Devices
Older devices (pre-2012) may not support:
- WPA3-PSK
- PMF (Protected Management Frames)
- 5GHz band
**Solution:** Use XTRM2 network which supports WPA-PSK/WPA2-PSK without WPA3.
### Important Notes
1. **WPA + WPA3 Incompatibility:** MikroTik does not allow WPA-PSK and WPA3-PSK in the same configuration. Use WPA-PSK + WPA2-PSK for legacy support.
2. **Management Protection:** When using WPA3, management-protection must be "allowed" or "required". Setting it to "disabled" with WPA3 will cause interface to become inactive.
3. **Band Configuration:** Ensure configuration templates have correct `channel.band` settings:
- 5GHz configs: `5ghz-ac` or `5ghz-ax`
- 2.4GHz configs: `2ghz-n` or `2ghz-ax`
---
## Useful Commands
### Check Connected Clients
```
/interface/wifi/registration-table/print
```
### Check CAPsMAN Remote CAPs
```
/interface/wifi/capsman/remote-cap/print
```
### Check All WiFi Radios
```
/interface/wifi/radio/print
```
### Check Interface Status
```
/interface/wifi/print
```
### Restart WiFi Interface
```
/interface/wifi disable [interface-name]
:delay 2s
/interface/wifi enable [interface-name]
```
### View WiFi Logs
```
/log print where topics~"wireless" or topics~"wifi"
```
---
## Troubleshooting
### Interface Shows "I" (Inactive)
1. Check for configuration errors in detail view:
```
/interface/wifi/print detail where name=[interface]
```
2. Look for comment warnings like:
- "can't use WPA with WPA3"
- "management protection should be allowed or required with WPA3"
- "no available channels"
3. Verify channel configuration has proper frequency settings
### CAP Not Connecting to CAPsMAN
1. Verify CAPsMAN is enabled on controller:
```
/interface/wifi/capsman/print
```
2. Check CAP has correct CAPsMAN address:
```
/interface/wifi/cap/print
```
3. Ensure CAP radios are set to CAPsMAN managed:
```
/interface/wifi/print detail
# Look for configuration.manager=capsman
```
4. Check firewall isn't blocking CAPsMAN traffic (UDP 5246-5247)
### CAP Interfaces Show "B" But Not "R"
This is normal when traffic is processed on CAP (local forwarding mode). The "R" (Running) flag only appears on the CAP device itself, not on CAPsMAN.
---
## Network Diagram
```
Internet
┌────────────────────────┐
│ MikroTik hAP ax³ │
│ 192.168.31.1 │
│ CAPsMAN Controller │
│ │
│ WiFi Interfaces: │
│ - hap-wifi1 (5GHz) │
│ - hap-wifi2 (2.4GHz) │
│ - XTRM, XTRM2 │
└───────────┬────────────┘
│ LAN
┌───────────┴────────────┐
│ │
▼ ▼
┌────────────────────┐ ┌────────────────────┐
│ MikroTik cAP ac │ │ Other Devices │
│ 192.168.31.6 │ │ 192.168.31.x │
│ CAPsMAN Managed │ │ │
│ │ │ │
│ WiFi Interfaces: │ │ │
│ - wifi1 (2.4GHz) │ │ │
│ - wifi2 (5GHz) │ │ │
│ - XTRM, XTRM2 │ │ │
└────────────────────┘ └────────────────────┘
```
---
## SSH Key Setup
### Adding SSH Key to MikroTik Device
1. Copy public key to device:
```bash
scp -P 2222 ~/.ssh/id_ed25519.pub user@[device-ip]:key.pub
```
2. Import key for user:
```
/user/ssh-keys/import public-key-file=key.pub user=[username]
```
3. Verify import:
```
/user/ssh-keys/print
```
4. Clean up:
```
/file/remove key.pub
```
### Current SSH Key Status
| Device | User | Key Installed |
|--------|------|---------------|
| hAP ax³ (192.168.31.1) | xtrm | Yes (mikrotik_key from Unraid) |
| hAP ax³ (192.168.31.1) | unraid | Yes (mikrotik_key from Unraid) |
| cAP ac (192.168.31.6) | xtrm | Yes (id_ed25519 from Desktop) |
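Review bot: the `WiFi Configurations` block contradicts the security tables: as printed, `cfg-XTRM5g` carries `security.authentication-types=wpa-psk,wpa2-psk` and no reference to the `sec-XTRM` profile (`wpa2-psk,wpa3-psk`), so the 5GHz XTRM network is WPA/WPA2 rather than the "WPA2-PSK, WPA3-PSK (5GHz)" stated in the WiFi Networks table and in the changelog; either drop the inline override in favour of the profile or correct the tables. In the controller settings, `require-peer-certificate: no` means any device on the bridge that speaks the CAP protocol can be adopted by this CAPsMAN; since the generated CA and certificate already exist and only one CAP is known, requiring the peer certificate after provisioning is cheap hardening. `disable-pmkid=yes` is set on `sec-IoT` only and is worth applying to `sec-XTRM` as well. The document also embeds the cAP ac SSH password (`# Password: M0stW4nt3d@xtrm`), both WiFi passphrases in the `Password` rows and the `passphrase=` lines in plaintext; keep placeholders here and the real values in a secrets store. Minor: under the cAP ac SSH Connection the "Key-based" and "Password-based" commands are identical, so the key-based example does not show how the key is selected.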


@@ -0,0 +1,444 @@
# VLAN Network Segmentation Plan
**Document Created:** 2026-01-18
**Status:** PLANNING
---
## Current Network Analysis
### Network Devices
| Device | IP | Role |
|--------|-----|------|
| MikroTik hAP ax³ | 192.168.31.1 | Router, CAPsMAN, VLAN gateway |
| CSS326-24G-2S+ | 192.168.31.9 | Managed switch (24 port + 2 SFP) |
| cAP ac | 192.168.31.6 | Managed AP (CAPsMAN) |
### Current Device Inventory
**Secure Devices (should be isolated):**
| Device | IP | MAC | Notes |
|--------|-----|-----|-------|
| Unraid Server | 192.168.31.2 | - | Main server |
| Nobara PC (LAN) | 192.168.31.95 | 08:92:04:C6:07:C5 | xtrm-pc via Dell KVM |
| Nobara PC (WiFi) | 192.168.31.142 | 22:4C:7F:1D:85:8E | xtrm-pc |
| Game Machine | 192.168.31.97 | 1C:83:41:32:F3:AF | xtrm-pc |
| Kaloyan MacBook (WiFi) | 192.168.31.99 | 82:EC:EF:B5:F2:AF | Mac |
| Kaloyan S25 Ultra | 192.168.31.98 | AA:ED:8B:2A:40:F1 | S25-Ultra |
| Unraid KVM | 192.168.31.20 | 48:DA:35:6F:BE:50 | KVM access |
**IoT Devices:**
| Device | IP | MAC | Notes |
|--------|-----|-----|-------|
| Home Assistant | 192.168.31.102 | AC:87:A3:77:8F:BD | Smart home hub |
| Chromecast | 192.168.31.134 | D0:E7:82:F7:65:DD | Streaming |
| Roborock S7 | 192.168.31.104 | B0:4A:39:3F:9A:14 | Vacuum |
| Bosch Smart Oven | 192.168.31.105 | 94:27:70:1E:0C:EE | Kitchen |
| Reolink Doorbell | 192.168.31.68 | 48:9E:9D:0E:16:F7 | Security |
| HP LaserJet | 192.168.31.19 | 64:4E:D7:D8:43:3E | Printer |
| Unknown IoT 1 | 192.168.31.109 | D0:C9:07:92:1A:8E | Tuya? |
| Unknown IoT 2 | 192.168.31.110 | D0:C9:07:8C:C9:46 | Tuya? |
| Unknown IoT 3 | 192.168.31.113 | 38:1F:8D:04:6F:E4 | Tuya? |
| Unknown IoT 4 | 192.168.31.149 | D4:AD:FC:BE:13:B0 | Smart device? |
| lwip0 devices | 192.168.31.100-101 | 38:A5:C9:44:7B:xx | ESP/Tuya |
**Kids/Guest Devices:**
| Device | IP | MAC | Notes |
|--------|-----|-----|-------|
| Nora MacBook | 192.168.31.79 | 82:6D:FB:D9:E0:47 | MacBookAir |
| Kimi Notebook | 192.168.31.108 | 90:91:64:70:0D:86 | Kimi-Notebook |
| Kimi iPhone | 192.168.31.121 | 2A:2B:BA:86:D4:AF | iPhone |
| Dancho iPhone | 192.168.31.114 | F2:B8:14:61:C8:27 | iPhone |
| Compusbg iPad | 192.168.31.107 | A4:D1:D2:7B:52:BE | iPad |
---
## Proposed VLAN Architecture
### VLAN Assignments
| VLAN ID | Name | Subnet | Gateway | Purpose |
|---------|------|--------|---------|---------|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Network infrastructure only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras, IoT |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |
### WiFi SSID to VLAN Mapping
| SSID | VLAN | Security | Purpose |
|------|------|----------|---------|
| XTRM | 10 (Secure) | WPA2/WPA3 | Main network for trusted devices |
| XTRM-IoT | 20 (IoT) | WPA2 | IoT devices |
| XTRM-Kids | 30 (Kids) | WPA2 | Kids devices |
| XTRM-Guest | 40 (Guest) | WPA2 | Guest access |
---
## The S25 Challenge: Cross-VLAN Access
### Requirements
Your S25 needs to:
1. Be in Secure VLAN (192.168.10.x) for server management
2. Discover and cast to Chromecast (IoT VLAN)
3. Control Tuya smart devices
4. Access Home Assistant
### Solution Architecture
```
┌─────────────────────────────────────────────────────────────────────┐
│ VLAN 10 (Secure) │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ Unraid │ │ Nobara │ │ MacBook │ │ S25 │ │
│ │ Server │ │ PC │ │ │ │ Ultra │ │
│ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ │
│ │ │ │ │ │
└───────┼────────────┼────────────┼────────────┼───────────────────────┘
│ │ │ │
│ │ │ │ Firewall Rules +
│ │ │ │ mDNS Reflector
│ │ │ ▼
┌───────┼────────────┼────────────┼────────────────────────────────────┐
│ │ │ │ VLAN 20 (IoT) │
│ │ │ │ │
│ ┌────▼────┐ ┌────┴────┐ ┌───┴────┐ ┌──────────┐ ┌───────────┐ │
│ │ Home │ │ Printer │ │Chromec.│ │ Tuya │ │ Roborock │ │
│ │Assistant│◄─┤ │ │ TV │ │ Devices │ │ S7 │ │
│ └─────────┘ └─────────┘ └────────┘ └──────────┘ └───────────┘ │
│ ▲ │
│ │ Controls all IoT │
└───────┼──────────────────────────────────────────────────────────────┘
HA manages IoT locally,
accessible from Secure VLAN
```
### Cross-VLAN Solutions
#### 1. Home Assistant as IoT Bridge (Recommended)
- Home Assistant stays in **IoT VLAN** (can directly communicate with IoT devices)
- Firewall allows Secure VLAN → Home Assistant (port 8123)
- S25 controls everything through Home Assistant UI
- No direct IoT access from S25, but full control via HA
#### 2. mDNS Reflector for Chromecast Discovery
MikroTik can reflect mDNS between VLANs:
```
/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20
```
This allows S25 to discover Chromecast for casting.
#### 3. Firewall Rules for Casting
Allow specific traffic from Secure → IoT:
```
# Allow Chromecast (mDNS + casting ports)
/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \
dst-address=192.168.20.0/24 dst-port=8008,8009,8443 protocol=tcp action=accept
/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \
dst-address=192.168.20.0/24 dst-port=32768-61000 protocol=udp action=accept
# Allow Home Assistant access
/ip/firewall/filter add chain=forward src-address=192.168.10.0/24 \
dst-address=192.168.20.102 dst-port=8123 protocol=tcp action=accept
```
#### 4. Tuya Devices (Cloud-Based)
Tuya devices communicate via cloud, so they work from any VLAN with internet access. No special rules needed.
---
## Implementation Plan
### Phase 1: Router Configuration
#### 1.1 Create VLAN Interfaces
```
/interface/vlan/add name=vlan10-secure interface=bridge vlan-id=10
/interface/vlan/add name=vlan20-iot interface=bridge vlan-id=20
/interface/vlan/add name=vlan30-kids interface=bridge vlan-id=30
/interface/vlan/add name=vlan40-guest interface=bridge vlan-id=40
```
#### 1.2 Assign IP Addresses
```
/ip/address/add address=192.168.10.1/24 interface=vlan10-secure
/ip/address/add address=192.168.20.1/24 interface=vlan20-iot
/ip/address/add address=192.168.30.1/24 interface=vlan30-kids
/ip/address/add address=192.168.40.1/24 interface=vlan40-guest
```
#### 1.3 Create DHCP Servers
```
/ip/pool/add name=pool-secure ranges=192.168.10.100-192.168.10.200
/ip/pool/add name=pool-iot ranges=192.168.20.100-192.168.20.200
/ip/pool/add name=pool-kids ranges=192.168.30.100-192.168.30.200
/ip/pool/add name=pool-guest ranges=192.168.40.100-192.168.40.200
/ip/dhcp-server/add name=dhcp-secure interface=vlan10-secure address-pool=pool-secure
/ip/dhcp-server/add name=dhcp-iot interface=vlan20-iot address-pool=pool-iot
/ip/dhcp-server/add name=dhcp-kids interface=vlan30-kids address-pool=pool-kids
/ip/dhcp-server/add name=dhcp-guest interface=vlan40-guest address-pool=pool-guest
/ip/dhcp-server/network/add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.31.4
/ip/dhcp-server/network/add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.31.4
/ip/dhcp-server/network/add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.31.4
/ip/dhcp-server/network/add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.31.4
```
### Phase 2: Bridge VLAN Filtering
#### 2.1 Enable VLAN Filtering
```
/interface/bridge/set bridge vlan-filtering=yes
```
#### 2.2 Configure Bridge VLANs
```
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=10
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=20
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=30
/interface/bridge/vlan/add bridge=bridge tagged=bridge,eth4_CCS324_Uplink vlan-ids=40
```
### Phase 3: Switch Configuration (CSS326-24G-2S+ SwOS)
**Switch Access:**
- Web UI: http://192.168.31.9/index.html
- Model: CSS326-24G-2S+ (24 Gigabit ports + 2 SFP)
- OS: SwOS (MikroTik Switch OS)
- Username: `admin`
- Password: `M0stW4nt3d@xtrm`
#### 3.1 SwOS VLAN Configuration
Access the switch at http://192.168.31.9 and configure:
**Step 1: Enable VLAN Mode**
- Go to **VLAN** tab
- Set VLAN Mode to **Enabled**
**Step 2: Create VLANs**
| VLAN ID | Name |
|---------|------|
| 1 | Management |
| 10 | Secure |
| 20 | IoT |
| 30 | Kids |
| 40 | Guest |
**Step 3: Port VLAN Assignments**
| Port | Device | VLAN Mode | VLAN ID | Tagged VLANs |
|------|--------|-----------|---------|--------------|
| 1 | Uplink to hAP ax³ | Trunk | 1 | 10,20,30,40 |
| 2 | Unraid Server | Access | 10 | - |
| 3 | Nobara PC (LAN) | Access | 10 | - |
| 4 | Game Machine | Access | 10 | - |
| 5-8 | Reserved Secure | Access | 10 | - |
| 9-16 | IoT Devices | Access | 20 | - |
| 17-20 | Kids Devices | Access | 30 | - |
| 21-24 | Guest/Unused | Access | 40 | - |
| SFP1 | Unused | - | - | - |
| SFP2 | Unused | - | - | - |
**Step 4: PVID Settings**
For each access port, set PVID (Port VLAN ID) to match the access VLAN.
**Step 5: Uplink Port Configuration**
Port 1 (uplink to router) must be configured as trunk:
- VLAN Receive: Any
- Default VLAN ID: 1
- Tagged VLANs: 10, 20, 30, 40
- Force VLAN ID: No
#### 3.2 SwOS Web Interface Navigation
```
┌─────────────────────────────────────────────────────────┐
│ CSS326-24G-2S+ SwOS │
├─────────────────────────────────────────────────────────┤
│ Tabs: Link | VLAN | VLANs | Isolation | Statistics │
│ │
│ VLAN Tab: │
│ ┌─────┬──────────┬──────┬────────┬─────────┐ │
│ │Port │VLAN Mode │ PVID │ Tagged │ Untagged│ │
│ ├─────┼──────────┼──────┼────────┼─────────┤ │
│ │ 1 │ Trunk │ 1 │10,20,30│ 1 │ │
│ │ 2 │ Access │ 10 │ - │ 10 │ │
│ │ ... │ ... │ ... │ ... │ ... │ │
│ └─────┴──────────┴──────┴────────┴─────────┘ │
└─────────────────────────────────────────────────────────┘
```
#### 3.3 Current Port Mapping (TO BE FILLED)
**Please identify which device is connected to which switch port:**
| Port | Cable Color/Label | Connected Device |
|------|-------------------|------------------|
| 1 | | Uplink to hAP ax³ (eth4_CCS324_Uplink) |
| 2 | | |
| 3 | | |
| 4 | | |
| 5 | | |
| 6 | | |
| 7 | | |
| 8 | | |
| 9 | | |
| 10 | | |
| 11 | | |
| 12 | | |
| ... | | |
> **Note:** You can identify ports by checking the **Link** tab in SwOS - it shows which ports have active links and their speed.
### Phase 4: WiFi VLAN Configuration
#### 4.1 Create WiFi Configurations
```
/interface/wifi/configuration/add name=cfg-secure ssid="XTRM" \
security.authentication-types=wpa2-psk,wpa3-psk \
security.passphrase="M0stW4nt3d@home" \
datapath.bridge=bridge datapath.vlan-id=10
/interface/wifi/configuration/add name=cfg-iot ssid="XTRM-IoT" \
security.authentication-types=wpa2-psk \
security.passphrase="M0stW4nt3d@IoT" \
datapath.bridge=bridge datapath.vlan-id=20
/interface/wifi/configuration/add name=cfg-kids ssid="XTRM-Kids" \
security.authentication-types=wpa2-psk \
security.passphrase="KidsPassword123" \
datapath.bridge=bridge datapath.vlan-id=30
/interface/wifi/configuration/add name=cfg-guest ssid="XTRM-Guest" \
security.authentication-types=wpa2-psk \
security.passphrase="GuestPassword123" \
datapath.bridge=bridge datapath.vlan-id=40
```
### Phase 5: Firewall Rules
#### 5.1 Inter-VLAN Firewall
```
# Allow established/related
/ip/firewall/filter/add chain=forward connection-state=established,related action=accept
# Secure VLAN can access everything (management)
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 action=accept
# IoT VLAN - Internet only, no inter-VLAN
/ip/firewall/filter/add chain=forward src-address=192.168.20.0/24 dst-address=!192.168.0.0/16 action=accept
# Kids VLAN - Internet only
/ip/firewall/filter/add chain=forward src-address=192.168.30.0/24 dst-address=!192.168.0.0/16 action=accept
# Guest VLAN - Internet only, strict isolation
/ip/firewall/filter/add chain=forward src-address=192.168.40.0/24 dst-address=!192.168.0.0/16 action=accept
# Drop all other inter-VLAN traffic
/ip/firewall/filter/add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop
```
#### 5.2 Special Rules for Casting/mDNS
```
# Allow Secure to access Chromecast
/ip/firewall/filter/add chain=forward src-address=192.168.10.0/24 \
dst-address=192.168.20.0/24 dst-port=8008,8009,8443 protocol=tcp action=accept \
comment="Chromecast from Secure"
# Allow mDNS (for device discovery)
/ip/firewall/filter/add chain=input dst-port=5353 protocol=udp action=accept comment="mDNS"
/ip/firewall/filter/add chain=forward dst-port=5353 protocol=udp action=accept comment="mDNS forward"
```
---
## Static IP Reservations (New Subnets)
### VLAN 10 - Secure (192.168.10.0/24)
| Device | IP | MAC |
|--------|-----|-----|
| Unraid Server | 192.168.10.2 | (current MAC) |
| Pi-hole (Unraid) | 192.168.10.4 | (current MAC) |
| Unbound (Unraid) | 192.168.10.5 | (current MAC) |
| Nobara PC (LAN) | 192.168.10.10 | 08:92:04:C6:07:C5 |
| Nobara PC (WiFi) | 192.168.10.11 | 22:4C:7F:1D:85:8E |
| Game Machine | 192.168.10.12 | 1C:83:41:32:F3:AF |
| MacBook (Kaloyan) | 192.168.10.15 | 82:EC:EF:B5:F2:AF |
| S25 Ultra | 192.168.10.20 | AA:ED:8B:2A:40:F1 |
### VLAN 20 - IoT (192.168.20.0/24)
| Device | IP | MAC |
|--------|-----|-----|
| Home Assistant | 192.168.20.2 | AC:87:A3:77:8F:BD |
| Chromecast | 192.168.20.10 | D0:E7:82:F7:65:DD |
| Roborock S7 | 192.168.20.11 | B0:4A:39:3F:9A:14 |
| Bosch Oven | 192.168.20.12 | 94:27:70:1E:0C:EE |
| Reolink Doorbell | 192.168.20.13 | 48:9E:9D:0E:16:F7 |
| HP Printer | 192.168.20.20 | 64:4E:D7:D8:43:3E |
### VLAN 30 - Kids (192.168.30.0/24)
| Device | IP | MAC |
|--------|-----|-----|
| Nora MacBook | 192.168.30.10 | 82:6D:FB:D9:E0:47 |
| Kimi Notebook | 192.168.30.11 | 90:91:64:70:0D:86 |
| Kimi iPhone | 192.168.30.12 | 2A:2B:BA:86:D4:AF |
| Dancho iPhone | 192.168.30.13 | F2:B8:14:61:C8:27 |
---
## Risks & Considerations
### Service Interruption
- **HIGH RISK**: Enabling VLAN filtering will temporarily disrupt all devices
- **Mitigation**: Perform during maintenance window, have console access ready
### Device Re-configuration
- All devices will get new IPs from new DHCP pools
- Static IP reservations should be configured before migration
- Some devices may need manual WiFi reconnection
### Unraid Considerations
- Unraid needs to be on VLAN 10 (secure)
- Docker containers with br0 (192.168.31.x) need reconfiguration
- Pi-hole and Unbound IPs will change
### Home Assistant
- Will be on IoT VLAN
- Integrations may need reconfiguration for new IP ranges
- Traefik routing may need adjustment
---
## Rollback Plan
If issues occur, disable VLAN filtering:
```
/interface/bridge/set bridge vlan-filtering=no
```
This immediately returns to flat network mode.
---
## Questions Before Implementation
1. **WiFi passwords for new SSIDs** - What should Kids and Guest passwords be?
2. **Printer access** - Should Kids be able to print? (Requires firewall rule)
3. **Home Assistant location** - IoT VLAN (recommended) or Secure VLAN?
4. **Unraid Docker networks** - br0 containers need VLAN assignment decision
5. **Switch port mapping** - Need to know which CSS326 ports connect to which devices
---
## Next Steps
1. [ ] Confirm device categorization is correct
2. [ ] Decide on WiFi passwords for new SSIDs
3. [ ] Map CSS326 switch ports to devices
4. [ ] Schedule maintenance window for implementation
5. [ ] Backup MikroTik and switch configs before changes
6. [ ] Implement in phases with testing between each
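Review bot: the "Rollback Plan" assumes the router is still reachable after `vlan-filtering=yes` has cut management access, which is exactly the disruption the "HIGH RISK" line above warns about, so on its own it does not mitigate a lockout. Run the cutover inside RouterOS Safe Mode, or arm a one-shot scheduler that executes `/interface/bridge/set bridge vlan-filtering=no` a few minutes later and is cancelled once access is confirmed, so a lockout reverts by itself rather than needing the console. A second problem in the VLAN 30 table: three of its four entries (`82:6D:FB:D9:E0:47`, `2A:2B:BA:86:D4:AF`, `F2:B8:14:61:C8:27`) are locally administered, i.e. randomized, addresses, so the "static IP reservations ... before migration" step keyed on those MACs will break as soon as the device rotates its private address. Assign Kids devices by SSID rather than by MAC, or disable private Wi-Fi addresses on those devices for this network and re-record the hardware MAC first.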


@@ -0,0 +1,240 @@
# Network Asset Inventory
**Document Created:** 2026-01-18
**Last Updated:** 2026-01-18
**Data Source:** MikroTik DHCP + ARP tables
---
## Network Infrastructure
| Device | IP | MAC | Vendor | Connection | VLAN (Proposed) |
|--------|-----|-----|--------|------------|-----------------|
| MikroTik hAP ax³ | 192.168.31.1 | 78:9A:18:2C:A5:48 | MikroTik | - | Management |
| MikroTik CSS326-24G-2S+ | 192.168.31.9 | F4:1E:57:C9:BD:09 | MikroTik | eth4 → Switch | Management |
| MikroTik cAP ac | 192.168.31.6 | 18:FD:74:54:3D:BC | MikroTik | eth2 → AP | Management |
---
## Servers & Core Infrastructure
| Device | IP | MAC | Vendor | Hostname | Connection | VLAN |
|--------|-----|-----|--------|----------|------------|------|
| Unraid Server | 192.168.31.2 | A8:B8:E0:02:B6:15 | ASIX (NIC) | - | Switch Port ? | 10 (Secure) |
| Pi-hole (Docker) | 192.168.31.4 | 02:42:C0:A8:1F:04 | Docker | - | br0 MACVLAN | 10 (Secure) |
| Unbound (Docker) | 192.168.31.5 | 02:42:C0:A8:1F:05 | Docker | - | br0 MACVLAN | 10 (Secure) |
| Home Assistant | 192.168.31.102 | AC:87:A3:77:8F:BD | Espressif | homeassistant | WiFi | 20 (IoT) |
| Unraid KVM | 192.168.31.20 | 48:DA:35:6F:BE:50 | Unknown | - | Switch Port ? | 10 (Secure) |
---
## Kaloyan's Devices (Admin - Full Access)
| Device | IP | MAC | Vendor | Hostname | Connection | VLAN |
|--------|-----|-----|--------|----------|------------|------|
| Nobara PC (LAN) | 192.168.31.95 | 08:92:04:C6:07:C5 | Intel | xtrm-pc | Switch via Dell KVM | 10 (Secure) |
| Nobara PC (WiFi) | 192.168.31.142 | 22:4C:7F:1D:85:8E | Random (Private) | xtrm-pc | WiFi XTRM | 10 (Secure) |
| Game Machine | 192.168.31.97 | 1C:83:41:32:F3:AF | Intel | xtrm-pc | Switch Port ? | 10 (Secure) |
| MacBook (WiFi) | 192.168.31.99 | 82:EC:EF:B5:F2:AF | Random (Private) | Mac | WiFi XTRM | 10 (Secure) |
| S25 Ultra | 192.168.31.98 | AA:ED:8B:2A:40:F1 | Random (Private) | S25-Ultra | WiFi XTRM | 10 (Secure) |
---
## IoT Devices
| Device | IP | MAC | Vendor | Hostname | Connection | VLAN |
|--------|-----|-----|--------|----------|------------|------|
| Chromecast | 192.168.31.134 | D0:E7:82:F7:65:DD | Google | Chromecast | WiFi XTRM2 | 20 (IoT) |
| Roborock S7 Vacuum | 192.168.31.104 | B0:4A:39:3F:9A:14 | Roborock | roborock-vacuum-a62 | WiFi XTRM2 | 20 (IoT) |
| Bosch Smart Oven | 192.168.31.105 | 94:27:70:1E:0C:EE | Bosch | bosch-oven-384... | WiFi XTRM2 | 20 (IoT) |
| Reolink Doorbell | 192.168.31.68 | 48:9E:9D:0E:16:F7 | Reolink | Reolink | WiFi XTRM2 | 20 (IoT) |
| HP LaserJet Printer | 192.168.31.19 | 64:4E:D7:D8:43:3E | HP | NPID8433E | WiFi/LAN? | 20 (IoT) |
| Tuya Device 1 | 192.168.31.109 | D0:C9:07:92:1A:8E | Tuya | - | WiFi XTRM2 | 20 (IoT) |
| Tuya Device 2 | 192.168.31.110 | D0:C9:07:8C:C9:46 | Tuya | - | WiFi XTRM2 | 20 (IoT) |
| Tuya Device 3 | 192.168.31.113 | 38:1F:8D:04:6F:E4 | Tuya | - | WiFi XTRM2 | 20 (IoT) |
| ESP/Tuya lwip0 #1 | 192.168.31.100 | 38:A5:C9:44:7B:80 | Espressif | lwip0 | WiFi XTRM2 | 20 (IoT) |
| ESP/Tuya lwip0 #2 | 192.168.31.101 | 38:A5:C9:44:7B:F1 | Espressif | lwip0 | WiFi XTRM2 | 20 (IoT) |
| Unknown IoT | 192.168.31.106 | 18:DE:50:5B:C8:A6 | Espressif | wlan0 | WiFi XTRM2 | 20 (IoT) |
| Unknown IoT | 192.168.31.149 | D4:AD:FC:BE:13:B0 | Unknown | - | WiFi XTRM2 | 20 (IoT) |
| Unknown (EMLAB) | 192.168.31.139 | 50:2C:C6:7A:55:39 | Unknown | EMLAB | WiFi | 20 (IoT) |
---
## Kids & Family Devices
| Device | IP | MAC | Vendor | Hostname | Owner | Connection | VLAN |
|--------|-----|-----|--------|----------|-------|------------|------|
| Nora MacBook Air | 192.168.31.79 | 82:6D:FB:D9:E0:47 | Apple (Private) | MacBookAir | Nora | WiFi XTRM | 30 (Kids) |
| Kimi Notebook | 192.168.31.108 | 90:91:64:70:0D:86 | Unknown | Kimi-Notebook | Kimi | WiFi | 30 (Kids) |
| Kimi iPhone | 192.168.31.121 | 2A:2B:BA:86:D4:AF | Apple (Private) | iPhone | Kimi | WiFi XTRM | 30 (Kids) |
| Dancho iPhone | 192.168.31.114 | F2:B8:14:61:C8:27 | Apple (Private) | iPhone | Dancho | WiFi XTRM | 30 (Kids) |
| Compusbg iPad | 192.168.31.107 | A4:D1:D2:7B:52:BE | Apple | Compusbg-iPad | ? | WiFi | 30 (Kids) |
---
## Unknown/Unidentified Devices
| IP | MAC | Vendor Prefix | Last Seen | Status | Notes |
|-----|-----|---------------|-----------|--------|-------|
| 192.168.31.22 | 1C:2A:A3:1E:78:67 | Unknown | ARP stale | Identify | |
| 192.168.31.118 | DC:03:98:6B:5A:3A | Unknown | ARP failed | Offline? | |
| 192.168.31.131 | AC:B5:7D:4D:DD:79 | Unknown | ARP stale | Identify | |
| 192.168.31.138 | C6:2A:59:AD:17:90 | Private MAC | Permanent | Static ARP? | |
| 192.168.31.40 | B0:37:95:79:AF:9B | Unknown | ARP failed | Offline? | |
| 192.168.31.122 | 72:F5:14:2D:F0:18 | Private MAC | 16 weeks ago | Very old | |
---
## MAC Vendor Reference
| Prefix | Vendor |
|--------|--------|
| 78:9A:18 | MikroTik |
| F4:1E:57 | MikroTik |
| 18:FD:74 | MikroTik |
| D0:C9:07 | Tuya Smart |
| 38:1F:8D | Tuya Smart |
| 38:A5:C9 | Espressif (ESP8266/ESP32) |
| AC:87:A3 | Espressif |
| 18:DE:50 | Espressif |
| D0:E7:82 | Google |
| B0:4A:39 | Roborock |
| 94:27:70 | Bosch |
| 48:9E:9D | Reolink |
| 64:4E:D7 | HP |
| 08:92:04 | Intel |
| 1C:83:41 | Intel |
| A8:B8:E0 | ASIX Electronics |
| 02:42:xx | Docker (Local) |
| x2:xx:xx | Randomized/Private MAC |
---
## Connection Summary
### Wired Connections (CSS326 Switch)
| Port | Device | MAC | Status |
|------|--------|-----|--------|
| ? | Uplink to hAP ax³ | - | Connected |
| ? | Unraid Server | A8:B8:E0:02:B6:15 | Connected |
| ? | Nobara PC (Dell KVM) | 08:92:04:C6:07:C5 | Connected |
| ? | Game Machine | 1C:83:41:32:F3:AF | Connected |
| ? | Unraid KVM | 48:DA:35:6F:BE:50 | Connected |
### WiFi Connections (hAP ax³ + cAP ac)
| SSID | Band | Devices Connected |
|------|------|-------------------|
| XTRM | 5GHz | MacBook, Nobara PC WiFi, Phones |
| XTRM | 2.4GHz | Some devices |
| XTRM2 | 2.4GHz | All IoT devices, legacy |
---
## Proposed VLAN Assignment Summary
| VLAN | Subnet | Device Count | Access Level |
|------|--------|--------------|--------------|
| 1 (Mgmt) | 192.168.31.0/24 | 3 | Network devices only |
| 10 (Secure) | 192.168.10.0/24 | ~8 | Full access (admin devices) |
| 20 (IoT) | 192.168.20.0/24 | ~15 | Internet + HA only |
| 30 (Kids) | 192.168.30.0/24 | ~5 | Internet only |
| 40 (Guest) | 192.168.40.0/24 | 0 | Internet only, isolated |
---
## Action Items
- [ ] Identify unknown devices (192.168.31.22, .118, .131, .138, .40)
- [ ] Map CSS326 switch ports to devices
- [ ] Verify all Tuya devices are correctly identified
- [ ] Confirm printer should be IoT or needs Secure access
- [ ] Decide if Compusbg-iPad is Kids or Guest
- [ ] Check if any IoT devices need wired connection
---
## Self-Hosted Network Asset Management Tools
### Recommended: NetBox (Best Overall)
| Feature | Details |
|---------|---------|
| **Description** | Industry-standard IPAM & DCIM tool |
| **Docker** | `netboxcommunity/netbox` |
| **Features** | IP address management, device inventory, rack diagrams, circuit tracking, VLAN management, API |
| **Best For** | Comprehensive network documentation |
| **URL** | https://netbox.dev |
```yaml
# Docker Compose snippet
services:
netbox:
image: netboxcommunity/netbox:latest
ports:
- "8080:8080"
depends_on:
- postgres
- redis
```
### Alternative Options
| Tool | Best For | Docker Image | Notes |
|------|----------|--------------|-------|
| **Snipe-IT** | Physical asset tracking | `snipe/snipe-it` | Great for hardware inventory, barcodes |
| **GLPI** | IT asset management + helpdesk | `diouxx/glpi` | Full ITSM solution |
| **Ralph** | Data center asset management | `allegro/ralph` | Good for servers/racks |
| **Racktables** | Rack/network documentation | `racktables/racktables` | Lightweight, classic |
| **phpIPAM** | IP address management only | `phpipam/phpipam-www` | Simple IPAM, easy setup |
| **Nautobot** | NetBox fork with extras | `networktocode/nautobot` | More plugins, enterprise features |
### Quick Comparison
| Tool | IPAM | Device Inventory | VLAN Mgmt | API | Complexity |
|------|------|------------------|-----------|-----|------------|
| **NetBox** | ✅ | ✅ | ✅ | ✅ | Medium |
| **phpIPAM** | ✅ | Basic | ✅ | ✅ | Low |
| **Snipe-IT** | ❌ | ✅ | ❌ | ✅ | Low |
| **GLPI** | Plugin | ✅ | Plugin | ✅ | Medium |
| **NetAlertX** | ❌ | ✅ (auto) | ❌ | ✅ | Low |
### Recommendation for Your Setup
**NetBox** is the best choice because:
1. Manages VLANs, IP ranges, and prefixes
2. Documents all network devices with relationships
3. Tracks cables and connections
4. Has powerful API for automation
5. Integrates with Ansible for network automation
6. Can import from MikroTik via API scripts
**Quick Start:**
```bash
# Clone NetBox Docker
git clone https://github.com/netbox-community/netbox-docker.git
cd netbox-docker
docker compose up -d
```
### Integration with Existing Stack
```
┌─────────────────────────────────────────────────────────┐
│ Your Network │
├─────────────────────────────────────────────────────────┤
│ │
│ NetAlertX ──────► Auto-discovery, alerts │
│ │ │
│ ▼ │
│ NetBox ─────────► IPAM, documentation, VLANs │
│ │ │
│ ▼ │
│ Home Assistant ─► IoT device control │
│ │ │
│ ▼ │
│ Uptime Kuma ───► Service monitoring │
│ │
└─────────────────────────────────────────────────────────┘
```
You already have **NetAlertX** for discovery - pair it with **NetBox** for proper documentation and VLAN planning.
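Review bot: the "VLAN (Proposed)" columns assume devices can be pinned by MAC, but the inventory's own vendor labels show that will not hold: the MacBook Air, both iPhones, the S25 Ultra, the MacBook and the Nobara WiFi adapter are all marked "Random (Private)" or "Apple (Private)", and those addresses change per network or on a schedule. The reference row `x2:xx:xx | Randomized/Private MAC` is also incomplete; a locally administered address has 2, 6, A or E as its second hex digit, and the page's own `22:4C:7F`, `AA:ED:8B`, `C6:2A:59` and `72:F5:14` entries are examples that the `x2` pattern misses. Drive VLAN membership from SSID (XTRM, XTRM2, and the new Kids/Guest SSIDs) and from switch port, keep MAC only as an identification hint, and add to the action items that the "Private MAC" rows for 192.168.31.138 and .122 may be a known device under a rotated address rather than an unknown host.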


@@ -0,0 +1,234 @@
# Phase 8: NetDisco Integration with NetBox
**Status:** ✅ COMPLETED (Enhanced)
**Priority:** Medium
**Created:** 2026-01-19
**Last Updated:** 2026-01-19
---
## Overview
Deploy NetDisco for enterprise-grade network discovery using SNMP, and integrate it with NetBox for a unified "Fing-like" network management experience.
**Goal:** Automatic device discovery, switch port mapping, and L2/L3 topology tracking synchronized to NetBox IPAM/DCIM.
---
## Task Status Summary
| Task | Description | Status |
|------|-------------|--------|
| 8.1 | Enable SNMP on MikroTik Devices | ✅ COMPLETED |
| 8.2 | Deploy NetDisco on Unraid | ✅ COMPLETED |
| 8.3 | Configure NetDisco Discovery | ✅ COMPLETED |
| 8.4 | Traefik Ingress for NetDisco | ✅ COMPLETED |
| 8.5 | NetBox Integration | ✅ COMPLETED |
| 8.6 | Testing & Validation | ✅ COMPLETED |
| 8.7 | Enhanced Network Mapping | ✅ COMPLETED |
---
## Current State
| Tool | Status | Purpose |
|------|--------|---------|
| NetAlertX | Running | ARP/ICMP-based device discovery |
| NetBox | Running | IPAM/DCIM with Slurpit plugin |
| NetDisco | ✅ Running | SNMP-based discovery |
**Discovered Devices:** 4 (hAP ax³, cAP ac, CSS326, Unraid)
---
## Deployment Details
### Database
- **Host:** postgresql17
- **Database:** netdisco_db
- **User:** netdisco_user
- **Password:** NetD1sc0_M0stW4nt3d@db
### Containers
| Container | Image | Port | Status |
|-----------|-------|------|--------|
| netdisco-web | netdisco/netdisco:latest-web | 5000 | Running |
| netdisco-backend | netdisco/netdisco:latest-backend | - | Running |
| netbox | netbox-custom:latest (with slurpit) | 8090 | Running |
### Access URLs
| URL | Purpose |
|-----|---------|
| https://netdisco.xtrm-lab.org | External access (Authentik SSO) |
| http://192.168.31.2:5000 | Internal NetDisco access |
| https://netbox.xtrm-lab.org | External NetBox access |
| http://192.168.31.2:8090 | Internal NetBox access |
---
## Task 8.7: Enhanced Network Mapping (COMPLETED)
### 1. MikroTik DHCP → NetBox Sync
**Script:** `/mnt/user/appdata/netdisco/scripts/mikrotik_dhcp_to_netbox.sh`
Syncs DHCP leases from MikroTik router to NetBox IP addresses with:
- Hostname
- MAC address
- Comments/notes from DHCP
**Run Command:**
```bash
/mnt/user/appdata/netdisco/scripts/mikrotik_dhcp_to_netbox.sh
```
**Result:** 29 devices synced (26 created, 3 updated)
### 2. Slurp'it NetBox Plugin
**Plugin Version:** 1.2.7
**NetBox Version:** 4.5.0
**Custom Image:** `netbox-custom:latest`
**Plugin Configuration:** `/mnt/user/appdata/netbox/config/plugins.py`
```python
PLUGINS = ["slurpit_netbox"]
PLUGINS_CONFIG = {
"slurpit_netbox": {}
}
```
**Note:** Slurp'it requires a separate Slurp'it server for full network discovery. The plugin provides NetBox integration once the server is configured.
### 3. Enhanced NetDisco → NetBox Sync
**Script:** `/mnt/user/appdata/netdisco/scripts/sync_to_netbox.py`
Enhanced version syncs:
- Device info (serial, OS, model, vendor)
- IP addresses from device_ip table
- ARP table entries (MAC to IP mappings)
- System MAC addresses
- Uptime information
**Run Command:**
```bash
PG17_IP=$(docker inspect postgresql17 --format "{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}")
docker run --rm \
--network dockerproxy \
-e NETDISCO_DB_HOST=$PG17_IP \
-e NETBOX_URL=http://192.168.31.2:8090 \
-v /mnt/user/appdata/netdisco/scripts:/scripts \
python:3.11-slim python /scripts/sync_to_netbox.py
```
---
## SNMP-Enabled Devices
| Device | IP | Type | Communities |
|--------|-----|------|-------------|
| hAP ax³ | 192.168.31.1 | Router | netdisco, public |
| cAP ac | 192.168.31.6 | AP | netdisco, public |
| CSS326 | 192.168.31.9 | Switch | public |
| XTRM-Unraid | 192.168.31.2 | Server | netdisco, public |
### Unraid SNMP Configuration
**Config File:** `/etc/snmp/snmpd.conf`
```
rocommunity netdisco
rocommunity public
syslocation XTRM Home Lab
syscontact admin@xtrm-lab.org
sysname XTRM-Unraid
disk /mnt/disk1
disk /mnt/cache
extend cpumhz /usr/local/emhttp/plugins/snmp/cpu_mhz.sh
extend diskfree /usr/local/emhttp/plugins/snmp/disk_free_space.sh
extend disktemp /usr/local/emhttp/plugins/snmp/disk_temps.sh
extend meminfo /usr/local/emhttp/plugins/snmp/mem_info.sh
extend sharefree /usr/local/emhttp/plugins/snmp/share_free_space.sh
```
**Plugin:** kubedzero/unraid-snmp
---
## Sync Scripts Summary
| Script | Purpose | Trigger |
|--------|---------|---------|
| sync_to_netbox.py | NetDisco → NetBox device sync | Manual / cron |
| mikrotik_dhcp_to_netbox.sh | MikroTik DHCP → NetBox IPs | Manual / cron |
### Scheduling (Cron Examples)
```bash
# NetDisco sync - hourly at :45
45 * * * * docker run --rm --network dockerproxy -e NETDISCO_DB_HOST=172.18.0.13 -e NETBOX_URL=http://192.168.31.2:8090 -v /mnt/user/appdata/netdisco/scripts:/scripts python:3.11-slim python /scripts/sync_to_netbox.py >> /mnt/user/appdata/netdisco/logs/sync.log 2>&1
# MikroTik DHCP sync - hourly at :50
50 * * * * /mnt/user/appdata/netdisco/scripts/mikrotik_dhcp_to_netbox.sh >> /mnt/user/appdata/netdisco/logs/dhcp-sync.log 2>&1
```
---
## NetBox Credentials
| Item | Value |
|------|-------|
| URL | http://192.168.31.2:8090 |
| Admin User | admin |
| Admin Password | M0stW4nt3d@xtrm |
| API Token (v1) | kI2HiUD8Bb53KfdkOTaiWYxZuERjhGU30CgGdYxm |
| Secret Key | 56537576d25051987077c7270c876099fe44ad83bc7695a7f4531904fce5678e |
---
## Troubleshooting
### session_cookie_key Error
If NetDisco web UI shows "session_cookie_key must be defined":
```sql
SELECT * FROM sessions WHERE id = 'dancer_session_cookie_key';
INSERT INTO sessions (id, a_session) VALUES ('dancer_session_cookie_key', md5(random()::text));
```
### NetBox Plugin Not Loading
Check container logs:
```bash
docker logs netbox 2>&1 | grep -i plugin
```
Verify plugins.py is mounted:
```bash
docker exec netbox cat /etc/netbox/config/plugins.py
```
### SNMP Not Responding
```bash
snmpwalk -v2c -c netdisco 192.168.31.1 system
```
---
## Phase 8 Summary
**Status: ✅ COMPLETED**
All tasks completed with enhanced capabilities:
- 4 devices discovered via SNMP (MikroTik + Unraid)
- NetDisco → NetBox sync with device details
- MikroTik DHCP → NetBox sync (29 devices/IPs)
- Slurp'it plugin installed for future discovery expansion
- ARP table sync for MAC-to-IP mapping
**Data Flow:**
```
MikroTik Devices ─SNMP─> NetDisco ─sync─> NetBox
│ │ ↑
└──────DHCP──────────sync────────────┘
```
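Review bot: this file commits live secrets: the NetDisco database password under "Deployment Details", and the NetBox admin password, v1 API token and `Secret Key` under "NetBox Credentials". The NetBox secret key signs session cookies and tokens, so anyone with read access to this repository or its history can undermine NetBox authentication outright; rotate all four, purge them from git history, and keep only a pointer to where they live (environment files outside the repo or the Slurp'it vault). Second point, on "SNMP-Enabled Devices": every device is polled with a community string (the troubleshooting example uses `-v2c`), the CSS326 answers to `public` only, and the Unraid `snmpd.conf` declares `rocommunity netdisco` and `rocommunity public` with no source restriction, so any LAN host can pull the same system, interface and ARP data NetDisco collects. Remove `public`, scope the remaining community to the NetDisco backend's source address (the `rocommunity COMMUNITY SOURCE` form), and use SNMPv3 with authPriv on the RouterOS devices where possible. Minor: the cron line hardcodes `NETDISCO_DB_HOST=172.18.0.13` while the interactive command resolves it with `docker inspect`; pick one so the two do not drift.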


@@ -0,0 +1,182 @@
# Container Static IP Assignments
**Last Updated:** 2026-01-22
This document lists all static IP assignments for Docker containers on Unraid.
Static IPs are configured in docker-compose files and Unraid templates for persistence.
---
## dockerproxy Network (172.18.0.0/16)
Static IP range: 172.18.0.2 - 172.18.0.99
### Core Infrastructure (172.18.0.2 - 172.18.0.10)
| Container | Static IP | Purpose | Config |
|-----------|-----------|---------|--------|
| dockersocket | 172.18.0.2 | Docker socket proxy | Template |
| traefik | 172.18.0.3 | Reverse proxy | Template |
| homarr | 172.18.0.4 | Dashboard | Template |
### Security (172.18.0.11 - 172.18.0.15)
| Container | Static IP | Purpose | Config |
|-----------|-----------|---------|--------|
| authentik | 172.18.0.11 | Identity provider | Template |
| authentik-worker | 172.18.0.12 | Authentik worker | Template |
| postgresql17 | 172.18.0.13 | PostgreSQL database (shared) | Template |
| Redis | 172.18.0.14 | Redis cache (Authentik) | Template |
| vaultwarden | 172.18.0.15 | Password manager | Template |
### Productivity (172.18.0.16 - 172.18.0.30)
| Container | Static IP | Purpose | Config |
|-----------|-----------|---------|--------|
| actual-budget | 172.18.0.16 | Budget tracking | Template |
| n8n | 172.18.0.17 | Workflow automation | Template |
| Uptime-Kuma-API | 172.18.0.18 | Uptime API | Template |
| AutoKuma | 172.18.0.19 | Auto Kuma config | Template |
| UptimeKuma | 172.18.0.20 | Uptime monitoring | Template |
| speedtest-tracker | 172.18.0.21 | Speed test tracking | Template |
| DoH-Server | 172.18.0.22 | DNS over HTTPS | Template |
| Libation | 172.18.0.23 | Audiobook manager | Template |
| Nextcloud | 172.18.0.24 | Cloud storage | Template |
| karakeep | 172.18.0.25 | Bookmark manager | Template |
| transmission | 172.18.0.26 | Torrent client | Template |
| adguardhome-sync | 172.18.0.27 | AdGuard Home Sync | Compose |
### DevOps (172.18.0.31 - 172.18.0.40)
| Container | Static IP | Purpose | Config |
|-----------|-----------|---------|--------|
| gitea | 172.18.0.31 | Git server | Compose |
| woodpecker-server | 172.18.0.32 | CI/CD server | Compose |
| woodpecker-agent | 172.18.0.33 | CI/CD agent | Compose |
### NetDisco (172.18.0.41 - 172.18.0.50)
| Container | Static IP | Purpose | Config |
|-----------|-----------|---------|--------|
| netdisco-web | 172.18.0.41 | NetDisco web UI | Compose |
| netdisco-backend | 172.18.0.42 | NetDisco SNMP poller | Compose |
### Fossorial/Pangolin (172.18.0.51 - 172.18.0.60)
| Container | Static IP | Purpose | Config |
|-----------|-----------|---------|--------|
| pangolin | 172.18.0.51 | Pangolin tunnel | Compose |
### NetBox (172.18.0.61 - 172.18.0.70)
| Container | Static IP | Purpose | Config |
|-----------|-----------|---------|--------|
| netbox | 172.18.0.61 | NetBox web UI (DCIM/IPAM) | Compose |
| netbox-worker | 172.18.0.62 | NetBox background worker | Compose |
| netbox-redis | 172.18.0.63 | NetBox Redis (tasks) | Compose |
| netbox-redis-cache | 172.18.0.64 | NetBox Redis (cache) | Compose |
**Note:** NetBox uses shared postgresql17 (172.18.0.13) for database.
---
## slurpit_slurpit-network (Auto-assigned)
Slurp'it stack uses its own internal network with auto-assigned IPs.
Portal is also connected to dockerproxy for Traefik access.
| Container | Purpose | Config |
|-----------|---------|--------|
| slurpit-portal | Web UI | Compose |
| slurpit-scanner | Network scanner | Compose |
| slurpit-scraper | Device data collector | Compose |
| slurpit-warehouse | Data API | Compose |
| slurpit-mariadb | Portal database | Compose |
| slurpit-mongodb | Discovery database | Compose |
---
## br0 Network (LAN Macvlan - 192.168.31.x)
These containers have direct LAN access via macvlan.
| Container | Static IP | Purpose | Config |
|-----------|-----------|---------|--------|
| unbound | 192.168.31.5 | Recursive DNS | Template |
| TimeMachine | 192.168.31.12 | Time Machine backup | Template |
---
## bridge Network (172.17.0.0/16)
Default Docker bridge - dynamic IPs (no static assignment supported).
| Container | Purpose |
|-----------|---------|
| portainer | Container management |
| rustdesk-hbbs | RustDesk signaling |
| rustdesk-hbbr | RustDesk relay |
| rustfs | Rust filesystem |
---
## Host Network
These containers share the host network stack.
| Container | Purpose |
|-----------|---------|
| unimus | Network config backup |
| UrBackup | Backup server |
| NetAlertX | Network scanner |
| plex | Media server |
| HomeAssistant_inabox | Home automation |
| stunnel-dot | DNS over TLS |
---
## Shared PostgreSQL Database (postgresql17)
| Database | User | Used By |
|----------|------|---------|
| authentik_db | authentik_user | Authentik |
| netbox | netbox_user | NetBox |
| gitea | gitea_user | Gitea |
| netdisco_user | netdisco_user | NetDisco |
---
## Docker Compose Files
| Stack | Location |
|-------|----------|
| NetBox | `/mnt/user/appdata/netbox/docker-compose.yml` |
| NetDisco | `/mnt/user/appdata/netdisco/docker-compose.yml` |
| Gitea | `/mnt/user/appdata/gitea/docker-compose.yml` |
| Woodpecker | `/mnt/user/appdata/woodpecker/docker-compose.yml` |
| Pangolin | `/mnt/user/appdata/pangolin/docker-compose.yml` |
| Slurp'it | `/mnt/user/appdata/slurpit/docker-compose.yml` |
| AdGuard Home Sync | `/mnt/user/appdata/adguard-sync/docker-compose.yml` |
---
## Maintenance
### Recreate Compose Containers
```bash
cd /mnt/user/appdata/<stack>
docker compose down
docker compose up -d
```
### Update Template Container
Use Unraid Docker UI to update/recreate - static IP is preserved in template.
### Verify IPs
```bash
# Check all IPs on a network
docker network inspect <network> --format '{{range .Containers}}{{.Name}}: {{.IPv4Address}}{{"\n"}}{{end}}'
# Check specific container
docker inspect <container> | jq '.[0].NetworkSettings.Networks'
```
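Review bot: the NetBox rows contradict the infrastructure diagram added in the same commit. Here NetBox sits on `dockerproxy` at 172.18.0.61 with `netbox-redis`/`netbox-redis-cache` at .63/.64 and "NetBox uses shared postgresql17 (172.18.0.13)", and the shared-database table lists `netbox | netbox_user`; the diagram places NetBox at 172.24.0.5 on a dedicated `netbox` network with its own `netbox-postgres` at 172.24.0.4. One of the two is stale, and both carry the same "2026-01-22" date, so verify with the `docker network inspect` command from the Maintenance section and correct whichever document is wrong. Two smaller fixes in the same tables: the row `| netdisco_user | netdisco_user | NetDisco |` puts the user name in the Database column (the NetDisco document names the database `netdisco_db`), and the br0 table omits Pi-hole at 192.168.31.4 although the diagram shows it on br0 beside Unbound.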


@@ -0,0 +1,115 @@
# Agent Service Account Credentials
**Created:** 2026-01-22
**Purpose:** Read-only service account for Slurp'it network discovery and monitoring
> ⚠️ **SECURITY NOTE:** This file contains sensitive credentials. Ensure the repository has appropriate access controls.
---
## Account Details
| Property | Value |
|----------|-------|
| Username | `agent` |
| Password | `LOQWhsIzeGmWcsbO7dMI` |
| SSH Key | Ed25519 (see below) |
---
## Configured Devices
| Device | IP | SSH Port | Auth Method | Status |
|--------|-----|----------|-------------|--------|
| Unraid Server | 192.168.31.2 | 422 | SSH Key | ✅ Configured |
| MikroTik Router (hAP ax³) | 192.168.31.1 | 2222 | SSH Key | ✅ Configured |
| MikroTik AP (cAP ac) | 192.168.31.6 | 2222 | Password | ✅ Configured |
| MikroTik Switch (CSS326) | 192.168.31.9 | - | N/A | ⚠️ SwOS - No SSH |
---
## SSH Keys
### Private Key (`/root/.ssh/agent_key` on Unraid)
```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCoNicuNDnSBn5pcK+uFL2x6/TsIQ5NE0qr7JW3HRM3lAAAAJCM4urpjOLq
6QAAAAtzc2gtZWQyNTUxOQAAACCoNicuNDnSBn5pcK+uFL2x6/TsIQ5NE0qr7JW3HRM3lA
AAAECfei47vy1Gcg+zpr+8QGN/27rV2MMAPCL+MlKtt2G0sqg2Jy40OdIGfmlwr64UvbHr
9OwhDk0TSqvslbcdEzeUAAAADWFnZW50QHNsdXJwaXQ=
-----END OPENSSH PRIVATE KEY-----
```
### Public Key
```
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKg2Jy40OdIGfmlwr64UvbHr9OwhDk0TSqvslbcdEzeU agent@slurpit
```
---
## Permissions
### Unraid
- Shell: `/bin/bash`
- Home: `/home/agent`
- Groups: `agent`
- SSH: Key-based auth
### MikroTik Router & AP
- Group: `read` (read-only access)
- Router: SSH Key Auth
- AP: Password Auth
---
## Slurp'it Vault Configuration
Add these credentials in **Slurp'it Portal****Vault****Credentials**:
### For Unraid (Linux):
| Field | Value |
|-------|-------|
| Group | default |
| Username | agent |
| Password | LOQWhsIzeGmWcsbO7dMI |
| Device OS | linux |
| SSH Port | 422 |
| Comment | Unraid agent |
### For MikroTik Router:
| Field | Value |
|-------|-------|
| Group | default |
| Username | agent |
| SSH Key | (paste private key above) |
| Device OS | mikrotik_routeros |
| Comment | MikroTik router agent |
### For MikroTik AP:
| Field | Value |
|-------|-------|
| Group | default |
| Username | agent |
| Password | LOQWhsIzeGmWcsbO7dMI |
| Device OS | mikrotik_routeros |
| SSH Port | 2222 |
| Comment | MikroTik AP agent |
---
## Testing Access
```bash
# Test Unraid SSH (key-based)
ssh -i /root/.ssh/agent_key -p 422 agent@192.168.31.2 'hostname'
# Test MikroTik Router SSH (key-based)
ssh -i /root/.ssh/agent_key -p 2222 agent@192.168.31.1 '/system identity print'
# Test MikroTik AP SSH (password-based)
ssh -p 2222 agent@192.168.31.6 '/system identity print'
# Password: LOQWhsIzeGmWcsbO7dMI
```
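Review bot: this file ships an Ed25519 private key and the `agent` password in cleartext, and the banner at the top only asks that the repository be access-controlled. A private key that has been in a commit must be treated as compromised regardless of who can read the repo today: generate a new key pair, remove both secrets from history, keep the private key solely in the Slurp'it vault (the vault tables only need it pasted there), and let this document carry the public key and its fingerprint. Two further points on "Permissions": the account is described as read-only, but on Unraid it is an unrestricted `/bin/bash` login on port 422 with no `from=`, `restrict` or `command=` options on the key, so "read-only" holds only for the MikroTik `read` group; and the cAP ac falls back to password auth with the same password used for Unraid, so compromising either host yields the other. Restrict the Unraid key to the Slurp'it scraper's source address with `from=` plus `restrict`, and move the AP to key auth as well.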


@@ -0,0 +1,313 @@
# Infrastructure Diagram - xtrm-lab.org
**Generated:** 2026-01-22
**Domain:** xtrm-lab.org
**WAN IP:** 62.73.120.142
---
## Network Topology Overview
```mermaid
graph TB
subgraph Internet
WAN[/"🌐 Internet<br/>WAN: 62.73.120.142"/]
end
subgraph Router["MikroTik hAP ax³ (192.168.31.1)"]
direction TB
subgraph RouterContainers["Docker Containers"]
AGH["🛡️ AdGuard Home<br/>172.17.0.5<br/>DNS/DoH/DoT/DoQ"]
TS["🔗 Tailscale<br/>172.17.0.4"]
end
end
subgraph LAN["LAN Network (192.168.31.0/24)"]
Switch["🔌 CSS326 Switch<br/>192.168.31.9"]
AP["📶 cAP ac<br/>192.168.31.6"]
Unraid["🖥️ Unraid Server<br/>192.168.31.2"]
end
WAN --> Router
Router --> Switch
Switch --> AP
Switch --> Unraid
```
---
## Port Forwarding / NAT Rules
```mermaid
flowchart LR
subgraph WAN["Internet (62.73.120.142)"]
P80[":80"]
P443[":443"]
P853[":853"]
P8853[":8853"]
P32400[":32400"]
P51413[":51413"]
P21115[":21115-21119"]
end
subgraph Destinations
Traefik80["Traefik<br/>192.168.31.2:8001"]
Traefik443["Traefik<br/>192.168.31.2:44301"]
DoT["AdGuard DoT<br/>172.17.0.5:853"]
DoQ["AdGuard DoQ<br/>172.17.0.5:8853"]
Plex["Plex<br/>192.168.31.2:32400"]
Transmission["Transmission<br/>192.168.31.2:51413"]
RustDesk["RustDesk<br/>192.168.31.2"]
end
P80 --> Traefik80
P443 --> Traefik443
P853 --> DoT
P8853 --> DoQ
P32400 --> Plex
P51413 --> Transmission
P21115 --> RustDesk
```
---
## Unraid Docker Services
### Core Infrastructure & Security
```mermaid
flowchart TB
subgraph Core["Core Infrastructure"]
dockersocket["🔌 dockersocket<br/>172.18.0.2:2375"]
traefik["🔀 traefik<br/>172.18.0.3<br/>:8001→80, :44301→443"]
homarr["🏠 homarr<br/>172.18.0.4<br/>xtrm-lab.org"]
end
subgraph Security["Security & Identity"]
authentik["🔐 authentik<br/>172.18.0.11<br/>auth.xtrm-lab.org"]
authentik_worker["⚙️ authentik-worker<br/>172.18.0.12"]
vaultwarden["🔑 vaultwarden<br/>172.18.0.15<br/>vault.xtrm-lab.org"]
end
subgraph Databases["Databases"]
postgresql["🐘 postgresql17<br/>172.18.0.13:5432"]
redis["📦 Redis<br/>172.18.0.14:6379"]
end
traefik --> dockersocket
authentik --> postgresql
authentik --> redis
authentik_worker --> authentik
```
### DevOps & CI/CD
```mermaid
flowchart TB
subgraph DevOps["DevOps Stack"]
gitea["📚 gitea<br/>172.18.0.31<br/>git.xtrm-lab.org<br/>:2222→22, :3005→3000"]
woodpecker_server["🪵 woodpecker-server<br/>172.18.0.32<br/>ci.xtrm-lab.org"]
woodpecker_agent["🤖 woodpecker-agent<br/>172.18.0.33"]
end
gitea --> woodpecker_server
woodpecker_server --> woodpecker_agent
```
### DNS Infrastructure
```mermaid
flowchart TB
subgraph RouterDNS["MikroTik Router DNS"]
adguard["🛡️ AdGuard Home<br/>172.17.0.5<br/>PRIMARY<br/>DoH/DoT/DoQ"]
end
subgraph UnraidDNS["Unraid DNS (Secondary)"]
pihole["🕳️ Pi-hole<br/>192.168.31.4<br/>ph1.xtrm-lab.org"]
unbound["🔄 Unbound<br/>192.168.31.5<br/>Recursive DNS"]
doh_server["🌐 DoH-Server<br/>172.18.0.22"]
end
adguard -->|Fallback| pihole
pihole --> unbound
```
### Network Management
```mermaid
flowchart TB
subgraph NetMgmt["Network Management"]
netbox["📋 NetBox<br/>172.24.0.5<br/>netbox.xtrm-lab.org"]
netdisco["🔍 NetDisco<br/>172.18.0.41<br/>netdisco.xtrm-lab.org"]
unimus["💾 Unimus<br/>unimus.xtrm-lab.org<br/>Config Backup"]
slurpit["🔎 Slurp'it<br/>slurpit.xtrm-lab.org<br/>Network Discovery"]
end
subgraph NetBoxStack["NetBox Stack"]
nb_postgres["🐘 netbox-postgres<br/>172.24.0.4"]
nb_redis["📦 netbox-redis<br/>172.24.0.2"]
nb_worker["⚙️ netbox-worker<br/>172.24.0.6"]
end
netbox --> nb_postgres
netbox --> nb_redis
nb_worker --> netbox
```
### Monitoring
```mermaid
flowchart TB
subgraph Monitoring["Monitoring Stack"]
uptime["📊 Uptime Kuma<br/>172.18.0.20<br/>uptime.xtrm-lab.org"]
uptime_api["🔌 Uptime-Kuma-API<br/>172.18.0.18"]
autokuma["🤖 AutoKuma<br/>172.18.0.19"]
netalert["🚨 NetAlertX<br/>netalert.xtrm-lab.org"]
speedtest["📈 Speedtest<br/>172.18.0.21<br/>speedtest.xtrm-lab.org"]
end
autokuma --> uptime
uptime_api --> uptime
```
### Media & Storage
```mermaid
flowchart TB
subgraph Media["Media & Storage"]
plex["🎬 Plex<br/>:32400<br/>plex.xtrm-lab.org"]
nextcloud["☁️ Nextcloud<br/>172.18.0.24<br/>nextcloud.xtrm-lab.org"]
transmission["📥 Transmission<br/>:9091, :51413"]
timemachine["🕐 TimeMachine<br/>192.168.31.12"]
libation["📚 Libation<br/>172.18.0.23<br/>Audiobooks"]
end
```
### Productivity
```mermaid
flowchart TB
subgraph Productivity["Productivity Apps"]
actual["💰 Actual Budget<br/>172.18.0.16<br/>actual.xtrm-lab.org"]
n8n["⚡ n8n<br/>172.18.0.17<br/>n8n.xtrm-lab.org"]
karakeep["📝 Karakeep<br/>172.18.0.25<br/>karakeep.xtrm-lab.org"]
end
```
### Remote Access & Home Automation
```mermaid
flowchart TB
subgraph Remote["Remote Access"]
rustdesk_hbbs["🖥️ RustDesk ID<br/>:21115-21119<br/>rustdesk.xtrm-lab.org"]
rustdesk_hbbr["📡 RustDesk Relay"]
end
subgraph Home["Home Automation"]
ha["🏡 Home Assistant<br/>ha.xtrm-lab.org"]
urbackup["💾 UrBackup<br/>urbackup.xtrm-lab.org"]
end
rustdesk_hbbs --> rustdesk_hbbr
```
---
## Complete Service Flow
```mermaid
flowchart TB
subgraph Internet["🌐 Internet"]
User["👤 User"]
end
subgraph MikroTik["MikroTik Router"]
NAT["NAT/Firewall"]
AGH["AdGuard Home<br/>DNS/DoH/DoT"]
end
subgraph Unraid["Unraid Server"]
Traefik["Traefik<br/>Reverse Proxy"]
subgraph Services["Services"]
Auth["Authentik"]
Git["Gitea"]
CI["Woodpecker"]
NB["NetBox"]
UK["Uptime Kuma"]
PX["Plex"]
NC["Nextcloud"]
HA["Home Assistant"]
end
end
User -->|HTTPS :443| NAT
User -->|DoH/DoT| AGH
NAT -->|:44301| Traefik
Traefik --> Auth
Traefik --> Git
Traefik --> CI
Traefik --> NB
Traefik --> UK
Traefik --> NC
NAT -->|:32400| PX
Traefik --> HA
```
---
## Docker Networks
```mermaid
flowchart TB
subgraph dockerproxy["dockerproxy (172.18.0.0/16)"]
dp_traefik["traefik"]
dp_authentik["authentik"]
dp_gitea["gitea"]
dp_homarr["homarr"]
dp_uptime["UptimeKuma"]
dp_more["...40+ services"]
end
subgraph netbox_net["netbox (172.24.0.0/16)"]
nb_main["netbox"]
nb_pg["netbox-postgres"]
nb_redis["netbox-redis"]
end
subgraph br0["br0 macvlan (192.168.31.0/24)"]
br_pihole["Pi-hole<br/>192.168.31.4"]
br_unbound["Unbound<br/>192.168.31.5"]
br_tm["TimeMachine<br/>192.168.31.12"]
end
subgraph host_net["host network"]
h_plex["plex"]
h_netalert["NetAlertX"]
h_unimus["unimus"]
h_ha["HomeAssistant"]
end
```
---
## Service Summary Tables
### Core Infrastructure
| Service | Container | IP | Ports | URL |
|---------|-----------|-----|-------|-----|
| Reverse Proxy | traefik | 172.18.0.3 | 8001→80, 44301→443 | traefik.xtrm-lab.org |
| Docker Socket | dockersocket | 172.18.0.2 | 2375 | - |
| Dashboard | homarr | 172.18.0.4 | 10004→7575 | xtrm-lab.org |
### Security & Identity
| Service | Container | IP | Ports | URL |
|---------|-----------|-----|-------|-----|
| Identity Provider | authentik | 172.18.0.11 | 9000, 9443 | auth.xtrm-lab.org |
| Password Manager | vaultwarden | 172.18.0.15 | 4743→80 | vault.xtrm-lab.org |
### DNS Infrastructure
| Service | Container | IP | Ports | URL |
|---------|-----------|-----|-------|-----|
| AdGuard Home | adguardhome | 172.17.0.5 | 5355, 443, 853, 8853 | dns.xtrm-lab.org |
| Unbound | unbound | 192.168.31.5 | 53 | - |
### DevOps & CI/CD
| Service | Container | IP | Ports | URL |
|---------|-----------|-----|-------|-----|
| Git Server | gitea | 172.18.0.31 | 2222→22, 3005→3000 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | 80, 443, 8000 | ci.xtrm-lab.org |
### Network Management
| Service | Container | IP | Ports | URL |
|---------|-----------|-----|-------|-----|
| NetBox | netbox | 172.24.0.5 | 8090→8080 | netbox.xtrm-lab.org |
| NetDisco | netdisco-web | 172.18.0.41 | 5000 | netdisco.xtrm-lab.org |
| Unimus | unimus | host | - | unimus.xtrm-lab.org |
| Slurpit | slurpit-portal | dockerproxy | 80 | slurpit.xtrm-lab.org |
### Monitoring
| Service | Container | IP | Ports | URL |
|---------|-----------|-----|-------|-----|
| Uptime Kuma | UptimeKuma | 172.18.0.20 | 3001 | uptime.xtrm-lab.org |
| NetAlertX | NetAlertX | host | - | netalert.xtrm-lab.org |
| Speedtest | speedtest-tracker | 172.18.0.21 | 1180→80 | speedtest.xtrm-lab.org |
### Media & Storage
| Service | Container | IP | Ports | URL |
|---------|-----------|-----|-------|-----|
| Plex | plex | host | 32400 | plex.xtrm-lab.org |
| Nextcloud | Nextcloud | 172.18.0.24 | 8666→80 | nextcloud.xtrm-lab.org |
| Transmission | transmission | bridge | 9091, 51413 | - |
### Productivity
| Service | Container | IP | Ports | URL |
|---------|-----------|-----|-------|-----|
| Actual Budget | actual-budget | 172.18.0.16 | 5006 | actual.xtrm-lab.org |
| n8n | n8n | 172.18.0.17 | 5678 | n8n.xtrm-lab.org |
| Karakeep | karakeep | 172.18.0.25 | 3000 | karakeep.xtrm-lab.org |
### Remote Access & Backup
| Service | Container | IP | Ports | URL |
|---------|-----------|-----|-------|-----|
| RustDesk | rustdesk-hbbs | bridge | 21115-21119 | rustdesk.xtrm-lab.org |
| Home Assistant | HomeAssistant_inabox | host | - | ha.xtrm-lab.org |
| UrBackup | UrBackup | host | - | urbackup.xtrm-lab.org |
---
## Encrypted DNS Endpoints
| Protocol | Endpoint | Port |
|----------|----------|------|
| DoH | https://dns.xtrm-lab.org/dns-query | 443 |
| DoT | tls://dns.xtrm-lab.org | 853 |
| DoQ | quic://dns.xtrm-lab.org | 8853 |
---
## Quick Reference
**SSH Access:**
```bash
# Unraid
ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422
# MikroTik
ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
```
**Key URLs:**
- 🏠 Dashboard: https://xtrm-lab.org
- 🔐 Auth: https://auth.xtrm-lab.org
- 📚 Git: https://git.xtrm-lab.org
- 🪵 CI/CD: https://ci.xtrm-lab.org
- 📋 NetBox: https://netbox.xtrm-lab.org
- 📊 Uptime: https://uptime.xtrm-lab.org
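Review bot: The Core Infrastructure table places the Docker socket proxy (dockersocket, 172.18.0.2, port 2375) on the same dockerproxy network that the diagram above shows carrying traefik, authentik, gitea, homarr, UptimeKuma and "40+ services"; any container on that network that can reach 2375 gets Docker API access to the host, so the map should record which containers are actually permitted to use the proxy and which API sections the proxy exposes, or the proxy should move to a dedicated network with only its consumers (traefik, the dashboard) attached. Two smaller documentation points: the "IP" column of the summary tables mixes addresses with network names ("host", "bridge", "dockerproxy"), whereas the NetBox import draft in this commit keeps IP and Network as separate columns, so a Network column here would keep the two consistent; and the MikroTik SSH line under Quick Reference uses port 2222, the same number the Git Server row maps to gitea's SSH (2222→22), which is fine because they are different hosts but deserves a comment so nobody "fixes" one to match the other.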


@@ -0,0 +1,297 @@
# NetBox Data Import Draft
**Generated:** 2026-01-19
**Source Data:** MikroTik hAP ax³ ARP/DHCP, Unraid Docker
---
## 1. Site Structure
### Site: XTRM Home Lab
- **Location:** Sofia, Bulgaria
- **Status:** Active
---
## 2. Network Prefixes (IPAM)
| Prefix | Description | VLAN | Status |
|--------|-------------|------|--------|
| 62.73.120.0/23 | WAN (ISP) | - | Active |
| 192.168.31.0/24 | LAN | 1 | Active |
| 172.17.0.0/24 | MikroTik Docker Bridge | - | Active |
| 172.18.0.0/16 | Unraid dockerproxy | - | Active |
| 172.24.0.0/16 | Unraid netbox network | - | Active |
| 192.168.216.0/24 | WireGuard VPN | - | Active |
---
## 3. Network Devices
### 3.1 MikroTik hAP ax³ (Router)
- **Role:** Router / Firewall / CAPsMAN Controller
- **IP:** 192.168.31.1
- **WAN IP:** 62.73.120.142
- **MAC:** 78:9A:18:2C:A5:48
- **Platform:** RouterOS 7.20.6
**Interfaces:**
| Interface | Type | Description | MAC |
|-----------|------|-------------|-----|
| ether1 | Ethernet | WAN | 78:9A:18:2C:A5:48 |
| eth2_CAPac_Uplink | Ethernet | CAPac Uplink | 78:9A:18:2C:A5:49 |
| ether3 | Ethernet | LAN | 78:9A:18:2C:A5:4A |
| eth4_CCS324_Uplink | Ethernet | CSS326 Uplink (1G) | 78:9A:18:2C:A5:4B |
| ether5 | Ethernet | 2.5GbE Switch Uplink | 78:9A:18:2C:A5:4C |
| bridge | Bridge | LAN Bridge | 78:9A:18:2C:A5:49 |
| docker-bridge | Bridge | Container Network | 02:A4:4D:BB:D3:84 |
| back-to-home-vpn | WireGuard | VPN | - |
| hap-wifi1 | WiFi | 2.4GHz (XTRM) | 78:9A:18:2C:A5:4D |
| hap-wifi2 | WiFi | 5GHz (XTRM) | 78:9A:18:2C:A5:4E |
| hap-wifi2-virtual1 | WiFi | 5GHz (XTRM2) | 7A:9A:18:2C:A5:4E |
**Containers on Router:**
| Container | IP | Purpose |
|-----------|-----|---------|
| pihole:latest | 172.17.0.2 | Primary DNS (Pi-hole v6) |
| unbound:latest | 172.17.0.3 | Recursive DNS |
| tailscale:latest | 172.17.0.4 | Tailscale VPN |
---
### 3.2 MikroTik CSS326-24G-2S+ (Switch)
- **Role:** Layer 2 Switch (Main Distribution)
- **IP:** 192.168.31.9
- **MAC:** F4:1E:57:C9:BD:09
- **Ports:** 24x Gigabit + 2x SFP
- **Platform:** SwOS
**Uplinks:**
- 1GbE to hAP ax³ (eth4_CCS324_Uplink)
- 10GbE SFP to 2.5GbE Switch
---
### 3.3 2.5GbE Managed Switch
- **Role:** Layer 2 Switch (High-Speed Aggregation)
- **IP:** 192.168.31.? (TBD)
- **MAC:** ? (TBD)
- **Ports:** 8x 2.5GbE RJ45 + 2x 10GbE SFP+
- **Platform:** ? (TBD)
**Interfaces:**
| Port | Type | Speed | Connected To |
|------|------|-------|--------------|
| Port 1 | RJ45 | 2.5GbE | Unraid Server |
| Port 2 | RJ45 | 2.5GbE | ? |
| Port 3 | RJ45 | 2.5GbE | ? |
| Port 4 | RJ45 | 2.5GbE | ? |
| Port 5 | RJ45 | 2.5GbE | ? |
| Port 6 | RJ45 | 2.5GbE | ? |
| Port 7 | RJ45 | 2.5GbE | ? |
| Port 8 | RJ45 | 2.5GbE | hAP ax³ (Uplink) |
| SFP+ 1 | SFP+ | 10GbE | CSS326 (SFP Link) |
| SFP+ 2 | SFP+ | 10GbE | ? |
---
### 3.4 MikroTik cAP ac (Access Point)
- **Role:** CAPsMAN Managed AP
- **IP:** 192.168.31.6
- **MAC:** 18:FD:74:54:3D:BC
- **Platform:** RouterOS 7.20.1
**Managed Radios:**
| Interface | Band | SSID |
|-----------|------|------|
| cap-wifi1 | 2.4GHz | XTRM |
| cap-wifi1-virtual1 | 2.4GHz | XTRM2 |
| cap-wifi2 | 5GHz | XTRM |
---
## 4. Servers
### 4.1 Unraid Server (XTRM-Unraid)
- **Role:** NAS / Virtualization / Docker Host
- **IP:** 192.168.31.2
- **MAC:** A8:B8:E0:02:B6:15
- **NICs:** 4x 2.5GbE RJ45
- **Tailscale IP:** 100.100.208.70
- **Platform:** Unraid
**Services (Docker Containers):**
| Service | Port | Network | Purpose |
|---------|------|---------|---------|
| traefik | 8001/44301 | dockerproxy | Reverse Proxy |
| authentik | 9000/9443 | dockerproxy | Identity Provider |
| vaultwarden | 4743 | dockerproxy | Password Manager |
| gitea | 3005/2222 | dockerproxy | Git Server |
| woodpecker-server | 8008 | dockerproxy | CI/CD |
| postgresql17 | 5432 | bridge | Database |
| Redis | 6379 | bridge | Cache |
| plex | 32400 | host | Media Server |
| HomeAssistant | 8123 | host | Smart Home |
| netbox | 8090 | netbox | DCIM/IPAM |
| transmission | 9091/51413 | bridge | Torrent |
| Nextcloud | 8666 | bridge | Cloud Storage |
| UptimeKuma | 3001 | bridge | Monitoring |
| portainer | 9002/9444 | bridge | Docker Management |
| rustdesk-hbbs | 21115-21119 | bridge | Remote Desktop |
| pangolin | 3003/3004 | bridge | Fossorial Tunnel |
---
## 5. Virtual Machines / Containers (Secondary)
### 5.1 Pi-hole (Unraid)
- **IP:** 192.168.31.4
- **MAC:** 02:42:C0:A8:1F:04
- **Role:** Secondary DNS
### 5.2 Unbound (Unraid)
- **IP:** 192.168.31.5
- **MAC:** 02:42:C0:A8:1F:05
- **Role:** Secondary Recursive DNS
### 5.3 Home Assistant
- **IP:** 192.168.31.15 (configured)
- **Role:** Smart Home Controller
---
## 6. End User Devices
### 6.1 Workstations
| Device | IP | MAC | Owner | Notes |
|--------|-----|-----|-------|-------|
| xtrm-pc (LAN) | 192.168.31.95 | 08:92:04:C6:07:C5 | Kaloyan | MacBook via Dell KVM |
| xtrm-pc (Gaming) | 192.168.31.97 | 1C:83:41:32:F3:AF | Kaloyan | Game Machine |
| Mac (WiFi) | 192.168.31.99 | 82:EC:EF:B5:F2:AF | Kaloyan | MacBook WiFi |
| MacBookAir | 192.168.31.79 | 82:6D:FB:D9:E0:47 | Nora | - |
| Kimi-Notebook | 192.168.31.108 | 90:91:64:70:0D:86 | Kimi | - |
### 6.2 Mobile Devices
| Device | IP | MAC | Owner |
|--------|-----|-----|-------|
| S25-Ultra | 192.168.31.98 | AA:ED:8B:2A:40:F1 | Kaloyan |
| iPhone (Dancho) | 192.168.31.114 | F2:B8:14:61:C8:27 | Dancho |
| iPhone (Kimi) | 192.168.31.121 | 2A:2B:BA:86:D4:AF | Kimi |
| Compusbg-iPad | 192.168.31.107 | A4:D1:D2:7B:52:BE | - |
### 6.3 IoT Devices
| Device | IP | MAC | Type |
|--------|-----|-----|------|
| Chromecast | 192.168.31.134 | D0:E7:82:F7:65:DD | Media |
| Reolink Doorbell | 192.168.31.68 | 48:9E:9D:0E:16:F7 | Camera |
| Bosch Smart Oven | 192.168.31.105 | 94:27:70:1E:0C:EE | Appliance |
| roborock-vacuum | 192.168.31.104 | B0:4A:39:3F:9A:14 | Vacuum |
| HP LaserJet | 192.168.31.19 | 64:4E:D7:D8:43:3E | Printer |
### 6.4 Unknown/Unidentified
| IP | MAC | Status |
|-----|-----|--------|
| 192.168.31.102 | AC:87:A3:77:8F:BD | homeassistant (dynamic) |
| 192.168.31.106 | 18:DE:50:5B:C8:A6 | wlan0 |
| 192.168.31.109 | D0:C9:07:92:1A:8E | Unknown |
| 192.168.31.110 | D0:C9:07:8C:C9:46 | Unknown |
| 192.168.31.113 | 38:1F:8D:04:6F:E4 | Unknown |
| 192.168.31.139 | 50:2C:C6:7A:55:39 | Unknown |
| 192.168.31.149 | D4:AD:FC:BE:13:B0 | Unknown |
| 192.168.31.131 | AC:B5:7D:4D:DD:79 | Unknown |
---
## 7. Cables/Connections
### Network Topology:
```
[ISP]
|
[hAP ax³] (Router)
/ | \
(1G)/ (1G) \(eth)
/ | \
[CSS326] [2.5GbE SW] [cAP ac]
\ |
(10G) \ | (2.5G)
SFP+ \ |
\ |
[Unraid]
```
### Physical Connections:
| From | From Port | To | To Port | Type | Speed |
|------|-----------|-----|---------|------|-------|
| hAP ax³ | eth4_CCS324_Uplink | CSS326 | Port ? | Cat6 | 1GbE |
| hAP ax³ | ether5 (TBD) | 2.5GbE Switch | Port 8 | Cat6 | 1GbE |
| hAP ax³ | eth2_CAPac_Uplink | cAP ac | ether1 | Cat6 | 1GbE |
| 2.5GbE Switch | Port 1 | Unraid | eth0 | Cat6 | 2.5GbE |
| 2.5GbE Switch | Port 2 | Unraid | eth1 | Cat6 | 2.5GbE |
| 2.5GbE Switch | SFP+ 1 | CSS326 | SFP 1 | DAC/Fiber | 10GbE |
| CSS326 | Port ? | xtrm-pc | eth0 | Cat6 | 1GbE |
---
## 8. NetBox Import Order
1. **Site** - Create XTRM Home Lab
2. **Manufacturers** - MikroTik, Intel, Apple, etc.
3. **Device Types** - hAP ax³, CSS326, 2.5GbE Switch, cAP ac, Custom Server
4. **Device Roles** - Router, Switch, AP, Server, Workstation, IoT
5. **Prefixes** - All network ranges
6. **Devices** - All network devices
7. **Interfaces** - All device interfaces
8. **IP Addresses** - Assign to interfaces
9. **Cables** - Document physical connections
---
## 9. Notes
- MAC addresses starting with 02:42 are Docker containers (locally administered)
- Some devices have randomized MACs (privacy feature)
- DHCP pool: 192.168.31.50 - 192.168.31.200 (estimated)
- Static assignments outside pool for infrastructure
- CSS326 has dual uplinks: 1GbE direct to router + 10GbE SFP to 2.5GbE switch
---
## 10. Unraid Network Interfaces
| Interface | Speed | Connected To | Status |
|-----------|-------|--------------|--------|
| eth0 | 2.5GbE | 2.5GbE Switch Port 1 | Active |
| eth1 | 2.5GbE | 2.5GbE Switch Port 2 | Active |
| eth2 | 2.5GbE | - | Not connected |
| eth3 | 2.5GbE | - | Not connected |
---
## 11. Future Network Improvements
| Priority | Task | Benefit |
|----------|------|---------|
| 1 | Connect Unraid eth2 → hAP ax³ | Direct router access, redundancy |
| 2 | Connect Unraid eth3 → CSS326 | Access to CSS326 devices, redundancy |
| 3 | Configure link aggregation (LACP) | Increased bandwidth eth0+eth1 |
| 4 | Add 10GbE SFP+ NIC to Unraid | Direct 10G to CSS326 SFP |
### Target Topology (Future):
```
[ISP]
|
[hAP ax³] (Router)
/ | \
(1G)/ (1G) \(eth)
/ | \
[CSS326] [2.5GbE SW] [cAP ac]
| \ /|
(1G) | \(10G) | (2.5G x2 LACP)
| \ / |
+------[Unraid]------+
(eth2) (eth3)
| |
(2.5G) (future 10G?)
```
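Review bot: Section 6.4 lists eight LAN hosts with no identified owner or device type, and the 2.5GbE switch in 3.3 still has IP, MAC and platform marked TBD, yet steps 5-9 of the import order in section 8 create prefixes, devices, interfaces and IP addresses from exactly these tables; resolve the unknowns (or record them explicitly as unidentified, with a date and whether they are expected on the LAN) before running the import, otherwise NetBox starts life with unverified hosts as its source of truth. The DHCP pool in section 9 is labelled "estimated" (192.168.31.50 - 192.168.31.200) while the physical map in this same commit states 192.168.31.100-200; confirm it from the router's DHCP server and IP pool configuration and keep a single value. Naming nit: the router interface is listed as eth4_CCS324_Uplink but its description and every other reference in the draft say CSS326, so either the interface name on the router or the table should be corrected before it becomes an interface object in NetBox.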


@@ -0,0 +1,529 @@
# Network Physical Map - xtrm-lab.org
**Document Version:** 1.0
**Last Updated:** 2026-01-24
**Author:** _______________
---
## Rack Layout
### 10" Rack (9U) - Network Cabinet
```mermaid
block-beta
columns 3
block:rack10["10&quot; Rack (9U)"]:3
columns 3
U9["U9"] SH9["Shelf + ISP Gtw"] e1[" "]
U8["U8"] PP2["PP2 (12p)"] e2[" "]
U7["U7"] SH7["Shelf + ZX1"] e3[" "]
U6["U6"] empty6["(empty)"] e4[" "]
U5["U5"] empty5["(0.5 empty)"] e5[" "]
U4["U4"] unraid4["(XU-continued)"] e6[" "]
U3["U3"] unraid3["(XU-continued)"] e7[" "]
U2["U2"] unraid2["(XU-continued)"] e8[" "]
U1["U1"] unraid1["XTRM-Unraid"] e9[" "]
end
style SH9 fill:#f9f,stroke:#333
style PP2 fill:#bbf,stroke:#333
style SH7 fill:#bfb,stroke:#333
style unraid1 fill:#fbb,stroke:#333
style unraid2 fill:#fbb,stroke:#333
```
| U | Device | Model | Height | Notes |
|---|--------|-------|--------|-------|
| U9 | Shelf | 10" Rack Shelf | 1U | Holding ISP Gateway |
| U9 | IGP Fiber Gateway (Vivacom) | Vivacom Fiber ONT | - | On shelf, WAN connection |
| U8 | Patch Panel 2 | 10" 12-port Cat6a | 1U | Room connections |
| U7 | Shelf | 10" Rack Shelf | 1U | Holding ZX1 |
| U7 | ZX1 \| ZX-SWTGW218AS | 8x 2.5G + 2x 10G SFP+ | - | On shelf, Core switch |
| U6-U4.5 | (1.5 Uempty) | 1.5 U | - | - |
| U1-U4.5 | XTRM-Unraid | NAS Server | 2U | 4x 2.5GbE NIC |
---
<div style="page-break-after: always;"></div>
### 19" Rack (3U) - Wall Mount
```mermaid
block-beta
columns 3
block:rack19["19&quot; Rack (3U)"]:3
columns 3
U3b["U3"] SH3["Shelf + HAP1"] f1[" "]
U25["U2.5"] PP1["Patch Panel 1 (24p)"] f2[" "]
U1b["U1"] CSS["CSS326-24G-2S+"] f3[" "]
end
style SH3 fill:#f9f,stroke:#333
style PP1 fill:#bbf,stroke:#333
style CSS fill:#bfb,stroke:#333
```
| U | Device | Model | Height | Notes |
|---|--------|-------|--------|-------|
| U3 | Shelf | 19" Rack Shelf | 1U | Holding HAP1 |
| U3 | HAP1 \| hAP ax³ | MikroTik hAP ax³ | - | On shelf, Router |
| U2.5 | Patch Panel 1 | 19" 24-port Cat6a | 0.5U | Room connections |
| U2.5-U1 | (0.5 U empty) | 0.5 U | - | - |
| U1 | CSS1 \| CSS326-24G-2S+ | MikroTik CSS326-24G-2S+ | 1U | Distribution switch |
---
## Device Inventory
### 10" Rack Devices
| Device | Model | IP Address | MAC | Serial |
|--------|-------|------------|-----|--------|
| IGP Fiber Gateway (Vivacom) | Vivacom Fiber ONT | 62.73.120.2 | 9C:E0:41:BB:5E:32 | __________ |
| ZX1 \| ZX-SWTGW218AS | 8x 2.5G + 2x 10G SFP+ | 192.168.31.7 | 1C:2A:A3:1E:78:67 | Core Switch |
| XTRM-Unraid | NAS (4x 2.5GbE) eth1 | 192.168.31.2 | A8:B8:E0:02:B6:15 | Bond0 |
| XTRM-Unraid | NAS (4x 2.5GbE) eth2| x.x.x.3 |A8:B8:E0:02:B6:16| Bond0 |
| XTRM-Unraid | NAS (4x 2.5GbE) eth3| x.x.x.4 |A8:B8:E0:02:B6:17| Bond0 |
| XTRM-Unraid | NAS (4x 2.5GbE) eth4| x.x.x.5 |A8:B8:E0:02:B6:18| Bond0 |
| XTRM-Unraid | NAS (4x 2.5GbE) vth1| 192.168.31.4 | 02:42:C0:A8:1F:04 | br0 |
| XTRM-Unraid | NAS (4x 2.5GbE) vth2| 192.168.31.15| AC:87:A3:77:8F:BD | br0 |
### 19" Rack Devices
| Device | Model | IP Address | MAC | Serial |
|--------|-------|------------|-----|--------|
| HAP1 \| hAP ax³ | MikroTik hAP ax³ | 192.168.31.1 eth1| 78:9A:18:2C:A5:48 | __________ |
| CSS1 \| CSS326-24G-2S+ | MikroTik CSS326-24G-2S+ eth1| 192.168.31.9 | F4:1E:57:C9:BD:09 | __________ |
### Wireless
| Device | Model | IP Address | MAC| Location | Serial |
|--------|-------|------------|----|----------|--------|
| CAP \| cAP XL ac | MikroTik cAP ac eth1| 192.168.31.6 |18:FD:74:54:3D:BC | Corridor | HCT085KBH8B |
---
<div style="page-break-after: always;"></div>
## Patch Panel Maps
### [PP1] Patch Panel 1 - 19" 0.5U 24-Port (U2.5)
```mermaid
block-beta
columns 24
p1["1"] p2["2"] p3["3"] p4["4"] p5["5"] p6["6"] p7["7"] p8["8"] p9["9"] p10["10"] p11["11"] p12["12"] p13["13"] p14["14"] p15["15"] p16["16"] p17["17"] p18["18"] p19["19"] p20["20"] p21["21"] p22["22"] p23["23"] p24["24"]
style p1 fill:#ccc
style p2
style p3 fill:#bfb
style p4 fill:#ccc
style p5 fill:#ccc
style p6 fill:#ccc
style p7 fill:#ccc
style p8 fill:#ccc
style p9 fill:#ccc
style p10 fill:#ccc
style p11 fill:#ccc
style p12 fill:#bfb
style p13 fill:#ccc
style p14 fill:#ccc
style p15 fill:#ccc
style p16
style p17 fill:#bfb
style p18 fill:#bfb
style p19 fill:#bfb
style p20 fill:#bfb
style p21 fill:#bfb
style p22 fill:#bfb
style p23 fill:#bfb
style p24 fill:#bfb
```
| Port | Switch | SW Port | Destination | Dest Port | Type | Status |
|------|--------|---------|-------------|-----------|------|--------|
| PP1-1 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-2 | | | POE Adapter 2|PA-1 | Device | ☐ Active ☑ Unused ☐ Disabled |
| PP1-3 | HAP1|H-2 | POE Adapter 1 | PA-1 | Patch | ☑ Active ☐ Unused ☐ Disabled |
| PP1-4 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-5 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-6 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-7 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-8 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-9 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-10 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-11 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-12 | POE Adapter 1|PA-1 | CAP | CP-1 | Device | ☑ Active ☐ Unused ☐ Disabled |
| PP1-13 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-14 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-15 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP1-16 |CSS1 |CSS1-16 | Girls Room | G1 | Wall | ☐ Active ☑ Unused ☐ Disabled |
| PP1-17 |CSS1 |CSS1-17 | Boys Room | B2 | Wall | ☑ Active ☐ Unused ☐ Disabled |
| PP1-18 |CSS1|CSS1-18 | Boys Room | B1 | Wall | ☑ Active ☐ Unused ☐ Disabled |
| PP1-19 |CSS1|CSS1-19 | Main Bedroom | M1 | Wall | ☑ Active ☐ Unused ☐ Disabled |
| PP1-20 |CSS1 |CSS1-20 | Main Bedroom | M2 | Wall | ☑ Active ☐ Unused ☐ Disabled |
| PP1-21 |CSS1 |CSS1-21 | Main Bedroom | M3 | Wall | ☑ Active ☐ Unused ☐ Disabled |
| PP1-22 |CSS1 |CSS1-22 | Living Room | L1 | Wall | ☑ Active ☐ Unused ☐ Disabled |
| PP1-23 |CSS1 |CSS1-23 | Living Room | L2 | Wall | ☑ Active ☐ Unused ☐ Disabled |
| PP1-24 |CSS1 |CSS1-24 | Living Room | L3 | Wall | ☑ Active ☐ Unused ☐ Disabled |
<div style="page-break-after: always;"></div>
### [PP2] Patch Panel 2 - 10" 1U 12-Port (U8)
```mermaid
block-beta
columns 12
q1["1"] q2["2"] q3["3"] q4["4"] q5["5"] q6["6"] q7["7"] q8["8"] q9["9"] q10["10"] q11["11"] q12["12"]
style q1 fill:#bfb
style q2 fill:#bfb
style q3 fill:#ccc
style q4 fill:#ccc
style q5 fill:#ccc
style q6 fill:#ccc
style q7 fill:#ccc
style q8 fill:#ccc
style q9 fill:#ccc
style q10 fill:#ccc
style q11 fill:#ccc
style q12 fill:#ccc
```
| Port | Switch | SW Port | Destination | Dest Port | Type | Status |
|------|--------|---------|-------------|-----------|------|--------|
| PP2-1 | ZX1| ZX1-2| XTRM-U| XU-1| Device | ☑ Active ☐ Unused ☐ Disabled |
| PP2-2 | ZX1|ZX1-3 | XTRM-U | XU-2| Device | ☑ Active ☐ Unused ☐ Disabled |
| PP2-3 | | | | | | ☐ Active ☐ Unused ☑ Disabled |
| PP2-4 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP2-5 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP2-6 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP2-7 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP2-8 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP2-9 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP2-10 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP2-11 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
| PP2-12 | | | | | - | ☐ Active ☐ Unused ☑ Disabled |
---
## Switch Port Maps
### [ZX1] ZX1 | ZX-SWTGW218AS 2.5GbE Switch (10" Rack U7)
```mermaid
block-beta
columns 9
s1["1"] s2["2"] s3["3"] s4["4"] s5["5"] s6["6"] s7["7"] s8["8"] sfp1["SFP+1"]
style s1 fill:#bfb
style s2 fill:#bfb
style s3 fill:#bfb
style sfp1 fill:#f9f
```
| Port | Speed | Device | Device Port | VLAN | Notes | Status |
|------|-------|--------|-------------|------|-------|--------|
| ZX1-1 | 2.5G | HAP1 | H-4 | | HAP1 \| hAP ax³| ☑ Up ☐ Down |
| ZX1-2 | 2.5G | PP2 | PP2-1 | | XTRM-U XU1| ☑ Up ☐ Down |
| ZX1-3 | 2.5G | PP2 | PP2-2 | | XTRM-U XU2| ☑ Up ☐ Down |
| ZX1-4 | 2.5G | | | | | ☐ Up ☐ Down |
| ZX1-5 | 2.5G | | | | | ☐ Up ☐ Down |
| ZX1-6 | 2.5G | | | | | ☐ Up ☐ Down |
| ZX1-7 | 2.5G | | | | | ☐ Up ☐ Down |
| ZX1-8 | 2.5G | | | | | ☐ Up ☐ Down |
| ZX1-SFP1 | 10G |CSS1 |CSS1-SFP1 | | CSS326 Uplink | ☐ Up ☐ Down |
<div style="page-break-after: always;"></div>
### [CSS1] CSS1 | CSS326-24G-2S+ (19" Rack U1)
```mermaid
block-beta
columns 17
c2["2"] c4["4"] c6["6"] c8["8"] sp4[" "] c10["10"] c12["12"] c14["14"] c16["16"] sp5[" "] c18["18"] c20["20"] c22["22"] c24["24"] sp6[" "] space1[" "] space2[" "]
c1["1"] c3["3"] c5["5"] c7["7"] sp1[" "] c9["9"] c11["11"] c13["13"] c15["15"] sp2[" "] c17["17"] c19["19"] c21["21"] c23["23"] sp3[" "] csfp1["SFP1"] csfp2["SFP2"]
style sp1 fill:none,stroke:none
style sp2 fill:none,stroke:none
style sp3 fill:none,stroke:none
style sp4 fill:none,stroke:none
style sp5 fill:none,stroke:none
style sp6 fill:none,stroke:none
style space1 fill:none,stroke:none
style space2 fill:none,stroke:none
style csfp1 fill:#f9f
style csfp2 fill:#f9f
style c1 fill:#bfb
style c2 fill:#bfb
style c18 fill:#bfb
style c19 fill:#bfb
style c20 fill:#bfb
style c21 fill:#bfb
style c22 fill:#bfb
style c23 fill:#bfb
style c24 fill:#bfb
```
Port | Speed | Device | Device Port | VLAN | Notes | Status |
|------|-------|--------|-------------|------|-------|--------|
| CSS1-1 | 1G | HAP1 | H-3 | | HAP1 \| hAP ax³| ☑ Up ☐ Down |
| CSS1-2 | 100M | KVM1 | KVM1-1 | | KVM Switch| ☑ Up ☐ Down |
| CSS1-3 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-4 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-5 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-6 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-7 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-8 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-9 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-10 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-11 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-12 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-13 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-14 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-15 | 1G | | | | | ☐ Up ☑ Down |
| CSS1-16 | 1G |PP1| PP1-16| | G1| ☐ Up ☑ Down |
| CSS1-17 | 1G | PP1| PP1-17| | B2| ☑ Up ☐ Down |
| CSS1-18 | 1G | PP1| PP1-18 | | B1| ☑ Up ☐ Down |
| CSS1-19 | 1G | PP1| PP1-19| | M1| ☑ Up ☐ Down |
| CSS1-20 | 1G | PP1| PP1-20 | | M2| ☑ Up ☐ Down |
| CSS1-21 | 1G | PP1| PP1-21| | M3| ☑ Up ☐ Down |
| CSS1-22 | 1G | PP1| PP1-22 | | L1| ☑ Up ☐ Down |
| CSS1-23 | 1G | PP1| PP1-23| | L2| ☑ Up ☐ Down |
| CSS1-24 | 1G | PP1| PP1-24 | | L3| ☑ Up ☐ Down |
| CSS1-SFP1 | 10G | ZX1 | ZX1-SFP1 | | 10G Backbone | ☑ Up ☐ Down |
| CSS1-SFP2 | 10G | | | | Unused | ☐ Up ☑ Down |
---
<div style="page-break-after: always;"></div>
## Router Port Map
### [HAP1] HAP1 | hAP ax³ (192.168.31.1)
```mermaid
block-beta
columns 5
eth1["1\n(WAN)"] eth2["2"] eth3["3"] eth4["4"] eth5["5"]
style eth1 fill:#f9f
style eth2 fill:#bfb
style eth3 fill:#bfb
style eth4 fill:#bfb
style eth5
```
| Port | Speed | Device | Device Port | VLAN | Notes | Status |
|------|-------|--------|-------------|------|-------|--------|
| H-1 | 2.5G | IGP | GW-1 | | IGP Fiber Gateway| ☑ Up ☐ Down |
| H-2 | 1G | PP1 | PP1-3 | | CAP \| cAP XL ac| ☑ Up ☐ Down |
| H-3 | 1G | CSS1 | CSS1-1 | | Uplink| ☑ Up ☐ Down |
| H-4 | 1G | ZX1 | ZX1-1 | | Uplink| ☑ Up ☐ Down |
| H-5 | 1G | | | | | ☑ Up ☐ Down |
---
## Room Outlet Map
| Outlet | Room | Switch | SW Port | PP Port | Device | Device Port | Status |
|--------|------|--------|---------|---------|--------|-------------|--------|
| C1 | Corridor | HAP1 | H-2 | PP1-3→PP1-12 | CAP \| cAP XL ac | CP-1 | ☑ Active ☐ Unused |
| L1 | Living Room | CSS1 | CSS1-22 | PP1-22 | | | ☑ Active ☐ Unused |
| L2 | Living Room | CSS1 | CSS1-23 | PP1-23 | | | ☑ Active ☐ Unused |
| L3 | Living Room | CSS1 | CSS1-24 | PP1-24 |LGTV |LG-1 | ☑ Active ☐ Unused |
| M1 | Main Bedroom | CSS1 | CSS1-19 | PP1-19 | | | ☑ Active ☐ Unused |
| M2 | Main Bedroom | CSS1 | CSS1-20 | PP1-20 | XTRM-Nobara|NB-1 | ☑ Active ☐ Unused |
| M3 | Main Bedroom | CSS1 | CSS1-21 | PP1-21 |Dell Display | DD-1 | ☑ Active ☐ Unused |
| G1 | Girls Room | CSS1 | CSS1-16 | PP1-16 | | | ☐ Active ☑ Unused |
| B1 | Boys Room | CSS1 | CSS1-18 | PP1-18 | Dancho| D-1| ☑ Active ☐ Unused |
| B2 | Boys Room | CSS1 | CSS1-17 | PP1-17 | | | ☑ Active ☐ Unused |
### Room Summary
| Room | Ports | Cable Type |
|------|-------|------------|
| Living Room | 3 | Cat6a |
| Main Bedroom | 3 | Cat6a |
| Corridor (CAP) | 1 | Cat6a |
| Girls Room | 1 | Cat6a |
| Boys Room | 2 | Cat6a |
| **Total** | **10** | |
---
<div style="page-break-after: always;"></div>
## Network Topology
```mermaid
flowchart TB
subgraph Internet["Internet"]
ISP["IGP Fiber Gateway<br/>(Vivacom)<br/>62.73.120.x"]
end
subgraph Rack19["19&quot; Rack (3U)"]
HAP1["HAP1 | hAP ax³<br/>192.168.31.1"]
PP1["PP1 | 19&quot; 0.5U 24-port"]
CSS1["CSS1 | CSS326-24G-2S+<br/>192.168.31.9"]
end
subgraph Rack10["10&quot; Rack (9U)"]
ZX1["ZX1 | ZX-SWTGW218AS<br/>192.168.31.7"]
PP2["PP2 | 10&quot; 12-port"]
UNRAID["XTRM-Unraid<br/>192.168.31.2"]
end
subgraph AccessPoint["Corridor"]
POE["POE Adapter 1"]
CAP["CAP | cAP XL ac<br/>192.168.31.6"]
end
subgraph Rooms["Room Outlets"]
LR["Living Room<br/>L1, L2, L3"]
MB["Main Bedroom<br/>M1, M2, M3"]
GR["Girls Room<br/>G1"]
BR["Boys Room<br/>B1, B2"]
end
subgraph EndDevices["Connected Devices"]
LGTV["LGTV"]
NOBARA["XTRM-Nobara"]
DELL["Dell Display"]
DANCHO["Dancho"]
KVM["KVM Switch"]
end
%% WAN Connection
ISP -->|"H-1 (2.5G WAN)"| HAP1
%% Backbone Links (marked)
HAP1 -->|"H-4 → ZX1-1<br/>1G Uplink"| ZX1
HAP1 -->|"H-3 → CSS1-1<br/>1G Backup"| CSS1
ZX1 <-->|"ZX1-SFP1 ↔ CSS1-SFP1<br/>⚡ 10G BACKBONE ⚡"| CSS1
%% Server Connection via PP2
ZX1 -->|"ZX1-2 → PP2-1"| PP2
ZX1 -->|"ZX1-3 → PP2-2"| PP2
PP2 -->|"PP2-1 → XU-1<br/>PP2-2 → XU-2<br/>2.5G Bond"| UNRAID
%% CAP Path (wired POE)
HAP1 -->|"H-2 → PP1-3"| PP1
PP1 -->|"PP1-3 rear"| POE
POE -->|"PP1-12 rear"| PP1
PP1 -->|"PP1-12 → CP-1"| CAP
%% Room Distribution
CSS1 -->|"CSS1-16..24"| PP1
PP1 -->|"PP1-22..24"| LR
PP1 -->|"PP1-19..21"| MB
PP1 -->|"PP1-16"| GR
PP1 -->|"PP1-17..18"| BR
%% End Devices
LR -.-> LGTV
MB -.-> NOBARA
MB -.-> DELL
BR -.-> DANCHO
CSS1 -->|"CSS1-2"| KVM
%% Styling
style ZX1 fill:#bfb,stroke:#333,stroke-width:2px
style CSS1 fill:#bfb,stroke:#333,stroke-width:2px
style HAP1 fill:#f9f,stroke:#333,stroke-width:2px
style UNRAID fill:#fbb,stroke:#333,stroke-width:2px
style ISP fill:#ff9,stroke:#333
style CAP fill:#9ff,stroke:#333
```
### Backbone Links Summary
| Link | From | To | Speed | Type |
|------|------|----|-------|------|
| **Primary Backbone** | ZX1-SFP1 | CSS1-SFP1 | 10G | SFP+ DAC |
| Router → Core | HAP1 H-4 | ZX1-1 | 1G | Cat6a |
| Router → Distribution | HAP1 H-3 | CSS1-1 | 1G | Cat6a (backup) |
| Server Bond | ZX1-2/3 | XU-1/2 via PP2 | 2x 2.5G | Cat6a |
---
## IP Address Allocation
### Network: 192.168.31.0/24
| IP Address | Hostname | Device | DHCP/Static |
|------------|----------|--------|-------------|
| 192.168.31.1 | HAP1 \| hAP ax³ | Router | Static |
| 192.168.31.2 | XTRM-Unraid | Server | Static |
| 192.168.31.4 | AdGuard-Unraid | Container | Static |
| 192.168.31.6 | CAP \| cAP XL ac | Access Point | Static |
| 192.168.31.7 | ZX1 \| ZX-SWTGW218AS | 2.5GbE Switch | Static |
| 192.168.31.9 | CSS1 \| CSS326-24G-2S+ | Switch | Static |
| 192.168.31.10-99 | - | Reserved | - |
| 192.168.31.100-200 | - | DHCP Pool | DHCP |
| 192.168.31.201-254 | - | Reserved | - |
---
<div style="page-break-after: always;"></div>
## Cable Schedule
| Cable ID | From | To | Type | Length | Color | Tested |
|----------|------|-----|------|--------|-------|--------|
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
| _____ | __________ | __________ | Cat6a | _____ | _____ | ☐ |
---
## WiFi Configuration
### Access Point: CAP | cAP XL ac
| SSID | Band | Channel | Security | Coverage |
|------|------|---------|----------|----------|
| __________ | 2.4GHz | _____ | WPA2/WPA3 | __________ |
| __________ | 5GHz | _____ | WPA2/WPA3 | __________ |
---
## Change Log
| Date | Change | By |
|------|--------|-----|
| __________ | __________ | _____ |
| __________ | __________ | _____ |
| __________ | __________ | _____ |
---
## Notes
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
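Review bot: In the Router Port Map, H-5 is recorded with no device, no notes and a status of ☑ Up; a port that is up with nothing documented on it should be traced to its far end or administratively disabled, since an undocumented live port is exactly what this map exists to rule out. In the ZX1 port map, ZX1-SFP1 is marked neither Up nor Down while CSS1-SFP1 (the other end of the 10G backbone) is ☑ Up, so one of the two rows needs correcting. The IP Address Allocation table also disagrees with the rest of this commit: 192.168.31.4 is AdGuard-Unraid here but Pi-hole in the Docker network diagram and in the NetBox import draft; 192.168.31.5 (Unbound), 192.168.31.12 (TimeMachine) and 192.168.31.15 (Home Assistant) are missing; and 192.168.31.10-99 is marked Reserved although the import draft lists workstations at .79, .95, .97 and .99. Minor: the XTRM-Unraid rows in the 10" Rack inventory give per-NIC placeholder addresses (x.x.x.3-5) for eth2-eth4 that are members of Bond0; a bond carries one address, so those cells should be empty or read "member of Bond0".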

16
docs/archive/README.md Normal file

@@ -0,0 +1,16 @@
# Archived Documentation
> ⚠️ **OBSOLETE - DO NOT UPDATE**
These documents are from the legacy documentation structure (pre-2026-01-25).
They are kept for historical reference only.
**For current documentation, see the parent `docs/` folder:**
- `01-NETWORK-MAP.md` - Network topology, IPs, services
- `02-SERVICES-CRITICAL.md` - Essential services
- `03-SERVICES-OTHER.md` - Non-critical services
- `04-HARDWARE-INVENTORY.md` - Hardware details
- `05-CHANGELOG.md` - Major events
**Do not reference these archived documents for current state.**
All relevant information has been migrated to the new structure.


@@ -0,0 +1,186 @@
# Claude Code - Unraid Server Context
## Claude Installation
| Item | Path |
|------|------|
| Claude binary | `/root/.local/bin/claude` |
| Claude data | `/mnt/user/appdata/claude-code/` |
| Config | `~/.claude/` |
| Project instructions | `/root/CLAUDE.md` (symlink to this file) |
**Run Claude:** `claude` or `/root/.local/bin/claude`
---
## IMPORTANT: First Run After Reboot
The infrastructure documentation lives in `/tmp/infrastructure/` which is **NOT persistent** across Unraid reboots (tmp is cleared on restart).
**Always run this command first when starting a new session:**
```bash
cd /tmp && ([ -d infrastructure ] && cd infrastructure && git pull || git clone "https://jazzymc:zRuHTu%5D7Q3LC%2Bq%3F@git.xtrm-lab.org/jazzymc/infrastructure.git")
```
This command:
1. Checks if `/tmp/infrastructure` exists
2. If yes → pulls latest changes
3. If no → clones the repository fresh
Without this, the `/root/CLAUDE.md` symlink will be broken and Claude won't have context.
---
## Infrastructure Documentation
**Repository:** https://git.xtrm-lab.org/jazzymc/infrastructure
**Local clone:** `/tmp/infrastructure`
### Documentation Structure
```
/tmp/infrastructure/docs/
├── 00-CURRENT-STATE.md # Current network/infrastructure state
├── 01-PHASE1-DNS-PORTABILITY.md # DNS portability plan
├── 02-PHASE2-FOSSORIAL-STACK.md # Fossorial stack setup
├── 03-PHASE3-AUTHENTIK-ZEROTRUST.md # Authentik zero-trust config
├── 04-PHASE4-REMOTE-GAMING.md # Remote gaming setup
├── 05-PHASE5-RUSTDESK.md # RustDesk deployment
├── 06-PHASE6-PORTAINER-MANAGEMENT.md # Portainer setup
├── 07-CHANGELOG.md # Change history
├── 08-PHASE7-GITEA-GITOPS.md # Gitea & Woodpecker CI
└── unraid-claude.md # This file
```
---
## Key Unraid Paths
| Item | Path |
|------|------|
| Docker appdata | `/mnt/user/appdata/` |
| Docker templates | `/boot/config/plugins/dockerMan/templates/` |
| FolderView2 config | `/boot/config/plugins/folder.view2/docker.json` |
| Flash drive (persistent) | `/boot/config/` |
| User shares | `/mnt/user/` |
| Disk shares | `/mnt/disk[1-n]/` |
| Cache | `/mnt/cache/` |
**Persistence note:** Only `/boot/config/` survives reboots. All plugin configs, Docker templates, and custom scripts should be stored there.
---
## Network Configuration
| Device | IP | Role |
|--------|-----|------|
| MikroTik Router | 192.168.31.1 | Gateway, primary DNS |
| Unraid Server | 192.168.31.2 | Docker host |
| Pi-hole (Unraid) | 192.168.31.4 | Secondary DNS |
| Unbound (Unraid) | 192.168.31.5 | Recursive resolver |
| Tailscale IP | 100.100.208.70 | Remote access |
**SSH to MikroTik:**
```bash
ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
```
---
## Docker Commands
### Quick Status
```bash
docker ps -a --format table {{.Names}}t{{.Status}} | sort
```
### Container Logs
```bash
docker logs container-name --tail 100 -f
```
### Recreate with Labels (Unraid)
Always include these labels for Unraid integration:
```bash
--label net.unraid.docker.managed=dockerman
--label net.unraid.docker.icon=ICON_URL_HERE
--label net.unraid.docker.webui=WEBUI_URL_HERE
```
**Icon Collection:** [Dazzle Line Icons](https://www.svgrepo.com/collection/dazzle-line-icons/)
---
## Documentation Update Routine
After any infrastructure change:
1. **Pull latest:** `cd /tmp/infrastructure && git pull`
2. **Update docs:** Edit relevant files in `docs/`
3. **Update changelog:** Add entry to `docs/07-CHANGELOG.md`
4. **Commit & push:**
```bash
cd /tmp/infrastructure
git add docs/
git commit -m "Description of changes"
git push
```
### Changelog Format
```markdown
## YYYY-MM-DD
- [PHASE X] Task description - COMPLETED/FIXED/ISSUE
- [SERVICE] service-name: status change or config change
- [DOCS] Documentation updates
- [UNRAID] Unraid-specific changes
```
---
## Git Credentials
- **Username:** jazzymc
- **Repo URL (with auth):** `https://jazzymc:zRuHTu%5D7Q3LC%2Bq%3F@git.xtrm-lab.org/jazzymc/infrastructure.git`
---
## Services Quick Reference
### GitOps
| Service | URL |
|---------|-----|
| Gitea | https://git.xtrm-lab.org |
| Woodpecker CI | https://ci.xtrm-lab.org |
### Core Services
| Service | URL |
|---------|-----|
| Traefik | https://traefik.xtrm-lab.org |
| Authentik | https://auth.xtrm-lab.org |
| Portainer | http://100.100.208.70:9002 (Tailscale) |
| Vaultwarden | https://vault.xtrm-lab.org |
| Home Assistant | https://ha.xtrm-lab.org |
### Monitoring
| Service | URL |
|---------|-----|
| Uptime Kuma | http://192.168.31.2:3001 |
| NetAlertX | https://netalert.xtrm-lab.org |
---
## FolderView2 Categories
| Category | Containers |
|----------|------------|
| Infrastructure | traefik, unbound, pihole, DoH-Server, stunnel-dot, pangolin, dockersocket, nebula-sync |
| Security | authentik, authentik-worker, vaultwarden |
| Monitoring | UptimeKuma, Uptime-Kuma-API, AutoKuma, NetAlertX, speedtest-tracker |
| DevOps | gitea, woodpecker-server, woodpecker-agent, postgresql17, Redis, pgAdmin4 |
| Media | plex, Libation, transmission |
| Storage/Backup | rustfs, UrBackup, TimeMachine, Nextcloud |
| Productivity | actual-budget, n8n, karakeep, homarr |
| Smart Home | HomeAssistant_inabox |
| Remote Access | rustdesk-hbbs, rustdesk-hbbr |
| Management | portainer, unimus |
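Review bot: The clone command under "First Run After Reboot" and the Git Credentials section both embed the jazzymc account password in the repository URL (`https://jazzymc:zRuHTu%5D7Q3LC%2Bq%3F@git.xtrm-lab.org/...`), and this file is symlinked to /root/CLAUDE.md so it is loaded into every agent session; the password is now in git history and should be rotated, and the document should point at a credential stored outside the repository instead: a Gitea access token or SSH deploy key kept under /boot/config/ (the one path the doc itself says survives reboots) with mode 0600 and used through a git credential helper or ~/.ssh/config, leaving only the plain https://git.xtrm-lab.org/jazzymc/infrastructure URL in the docs. Two further points: the Documentation Structure tree and step 3 of the update routine (docs/07-CHANGELOG.md) still describe the old 00-08 layout, while docs/archive/README.md in this same commit says the current docs are 01-NETWORK-MAP.md through 05-CHANGELOG.md; and the Quick Status command `docker ps -a --format table {{.Names}}t{{.Status}}` is broken as written, since the shell splits `table` and the template into two arguments and the tab separator has lost its backslash (`docker ps -a --format 'table {{.Names}}\t{{.Status}}' | sort`).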