Add WIP docs for incomplete planned items

New WIP documents:
- FOSSORIAL-TUNNELS.md - Pangolin/Gerbil self-hosted tunnels (not deployed)
- VLAN-SEGMENTATION.md - Network segmentation plan (not implemented)
- REMOTE-GAMING.md - Sunshine/Moonlight streaming (in progress)

Changes:
- Renamed 05-CHANGELOG.md → 00-CHANGELOG.md
- Updated wip/README.md with all planned items

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-25 11:25:46 +02:00
parent b250493d5a
commit de42738775
6 changed files with 444 additions and 6 deletions


@@ -26,7 +26,7 @@ docs/
├── 02-SERVICES-CRITICAL.md # DNS, Auth, Routing - must stay up
├── 03-SERVICES-OTHER.md # All other services
├── 04-HARDWARE-INVENTORY.md # Physical devices, specs, serials
├── 05-CHANGELOG.md # Major events only
├── 00-CHANGELOG.md # Major events only
├── wip/ # Planned changes & ideas
│ ├── UPGRADE-2026-HARDWARE.md
│ └── GITOPS-CONTAINERS.md
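Review bot: the directory tree in this hunk is stale relative to the rest of the commit: the `wip/` subtree still lists only `UPGRADE-2026-HARDWARE.md` and `GITOPS-CONTAINERS.md`, while this commit adds `FOSSORIAL-TUNNELS.md`, `VLAN-SEGMENTATION.md` and `REMOTE-GAMING.md` to that folder. Add the three entries, and move the renamed `00-CHANGELOG.md` line above `02-SERVICES-CRITICAL.md`; the new name was chosen to sort first, but the line was edited in place after `04-HARDWARE-INVENTORY.md`, so the listing no longer reflects the numeric order it documents.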
@@ -70,7 +70,7 @@ ssh -i ~/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
## Change Management
- **Major changes:** Document in `05-CHANGELOG.md`
- **Major changes:** Document in `00-CHANGELOG.md`
- **Minor changes:** Git commit messages only
- **Planned work:** Create doc in `wip/` folder


@@ -0,0 +1,137 @@
# Fossorial Tunnel Stack (Pangolin + Gerbil)
**Status:** 💡 IDEA
**Priority:** Low
**Depends On:** Hardware upgrade (XTRM-N1 for resilience)
---
## Overview
Self-hosted tunnel solution for exposing services without Cloudflare/VPS dependency.
| Component | Purpose |
|-----------|---------|
| **Pangolin** | Central controller/dashboard |
| **Gerbil** | WireGuard peer manager |
| **Newt** | Tunnel connector agent |
---
## Why Fossorial?
Current state uses Traefik + Cloudflare DNS for external access.
Fossorial would provide:
- Independent tunneling (no Cloudflare dependency)
- Self-healing WireGuard connections
- Web-based tunnel management
- Potential for MikroTik container fallback
---
## Architecture
```
Internet (62.73.120.142)
▼ UDP 51820
┌─────────────────────┐
│ Gerbil (WG Manager) │
│ :51820 WireGuard │
│ :8080 API │
└─────────┬───────────┘
┌─────────▼───────────┐
│ Pangolin (Dashboard)│
│ :3000 Web UI │
└─────────┬───────────┘
┌─────────▼───────────┐
│ Newt (Connector) │
│ Dials out to peers │
└─────────────────────┘
```
---
## Prerequisites
- [ ] Port 51820/UDP forwarded on MikroTik
- [ ] `fossorial` Docker network created
- [ ] Secret key generated
---
## Deployment Steps
### 1. Create Network
```bash
docker network create --driver bridge fossorial
```
### 2. Deploy Pangolin
```bash
docker run -d \
--name pangolin \
--network fossorial \
-p 3000:3000 \
-v /mnt/user/appdata/pangolin/data:/app/data \
-e PANGOLIN_BASE_URL=https://pangolin.xtrm-lab.org \
-e PANGOLIN_SECRET_KEY=$(openssl rand -hex 32) \
fossoriumtech/pangolin:latest
```
### 3. Deploy Gerbil
```bash
docker run -d \
--name gerbil \
--network fossorial \
--cap-add=NET_ADMIN \
-p 51820:51820/udp \
-p 8080:8080 \
-v /mnt/user/appdata/gerbil:/app/data \
-e GERBIL_PUBLIC_IP=62.73.120.142 \
-e GERBIL_PUBLIC_PORT=51820 \
fossoriumtech/gerbil:latest
```
### 4. Deploy Newt
```bash
docker run -d \
--name newt \
--network fossorial \
-v /mnt/user/appdata/newt:/app/data \
-e NEWT_PANGOLIN_URL=https://pangolin.xtrm-lab.org \
-e NEWT_ENDPOINT=62.73.120.142:51820 \
fossoriumtech/newt:latest
```
### 5. MikroTik NAT
```routeros
/ip/firewall/nat add chain=dstnat \
action=dst-nat to-addresses=192.168.31.2 to-ports=51820 \
protocol=udp dst-port=51820 \
comment="Fossorial WireGuard"
```
---
## Current WireGuard (Not Affected)
Existing back-to-home-vpn uses port **59188**, completely separate.
---
## Decision Points
1. **Is this needed?** Tailscale + Traefik already provides external access
2. **When to implement?** After XTRM-N1 survival node for fallback option
3. **Use case?** If Cloudflare/Tailscale goes down
---
## References
- Original planning: `archive/02-PHASE2-FOSSORIAL-STACK.md`
- GitHub: https://github.com/fossoriumtech
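Review bot: `-e PANGOLIN_SECRET_KEY=$(openssl rand -hex 32)` in step 2 generates a fresh secret every time the container is recreated, so anything Pangolin signs or encrypts with it (sessions, stored tunnel credentials) is invalidated on each redeploy, and the value ends up visible in `docker inspect` and shell history; generate it once (the Prerequisites already say "Secret key generated"), keep it in a root-only file under the appdata path and pass it with `--env-file`. Step 3 publishes the Gerbil API with `-p 8080:8080` on every host interface, although Pangolin reaches Gerbil over the `fossorial` network; drop that mapping or bind it as `127.0.0.1:8080:8080`, and since `PANGOLIN_BASE_URL` is an https URL the `-p 3000:3000` dashboard should sit behind the Traefik instance the doc says is already in place rather than be reachable directly. The images are pulled as `fossoriumtech/*:latest`, but the title calls the project "Fossorial" and the GitHub link uses the same unverified org name; confirm the publisher's registry namespace before the first pull and pin a version tag or digest, since an unpinned `:latest` from a mistyped org is a supply-chain exposure. For step 5, the `dst-nat` rule alone does not permit the flow; note the matching `forward` accept for udp/51820 to 192.168.31.2 in the same section so the Prerequisites checklist is complete.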


@@ -1,8 +1,10 @@
# Work In Progress
This folder contains planned changes, evaluations, and ideas that are not yet implemented.
Planned changes, evaluations, and ideas not yet implemented.
## Document Status
---
## Document Status Legend
| Status | Meaning |
|--------|---------|
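Review bot: the added `## Document Status` heading sits directly before `---` and `## Document Status Legend` with no body of its own, which reads as a leftover from the rewrite; keep one of the two headings.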
@@ -10,7 +12,32 @@ This folder contains planned changes, evaluations, and ideas that are not yet im
| 🔬 EVALUATING | Under investigation/research |
| 💡 IDEA | Concept, needs further definition |
---
## Current Items
- `UPGRADE-2026-HARDWARE.md` - Hardware upgrade plan (N5 Air + N100)
- `GITOPS-CONTAINERS.md` - Container GitOps implementation (Phase 2)
### Hardware & Infrastructure
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
| [UPGRADE-2026-HARDWARE.md](UPGRADE-2026-HARDWARE.md) | 📋 PLANNED | High | N5 Air + N100 server migration |
| [GITOPS-CONTAINERS.md](GITOPS-CONTAINERS.md) | 💡 IDEA | Medium | Container config in Git with CI/CD |
### Network
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
| [VLAN-SEGMENTATION.md](VLAN-SEGMENTATION.md) | 📋 PLANNED | Medium | Network segmentation (Secure/IoT/Kids/Guest) |
| [FOSSORIAL-TUNNELS.md](FOSSORIAL-TUNNELS.md) | 💡 IDEA | Low | Self-hosted Pangolin/Gerbil tunnels |
### Applications
| Document | Status | Priority | Description |
|----------|--------|----------|-------------|
| [REMOTE-GAMING.md](REMOTE-GAMING.md) | 🔬 EVALUATING | Low | Sunshine + Moonlight game streaming |
---
## Completed Items
Move to main docs or archive when done. Update `05-CHANGELOG.md` with major completions.
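Review bot: the Completed Items line still says "Update `05-CHANGELOG.md` with major completions" even though this commit renames that file to `00-CHANGELOG.md` (and fixes the same reference twice in the top-level README); change it here and search the repository for `05-CHANGELOG` before merging, since the rename was applied by hand.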

docs/wip/REMOTE-GAMING.md Normal file

@@ -0,0 +1,132 @@
# Remote Gaming (Sunshine + Moonlight)
**Status:** 🔬 EVALUATING
**Priority:** Low
**Host:** Nobara Linux (xtrm-pc)
---
## Goal
60FPS game streaming from Nobara PC (AMD RX 6600) to MacBook/Android via Tailscale.
---
## Current State
| Component | Status |
|-----------|--------|
| Tailscale on Nobara | ✅ IP: 100.98.57.73 |
| VA-API encoding | ✅ H.264/HEVC working |
| Sunshine Flatpak | ❌ Failed (sandbox issues) |
| Sunshine Native | ⏳ Pending |
| Moonlight pairing | ⏳ Pending |
---
## Hardware
| Component | Value |
|-----------|-------|
| GPU | AMD Radeon RX 6600M (Navi 23) |
| Driver | Mesa Gallium 25.3.2 (radeonsi) |
| VA-API | v1.22 with H.264/HEVC encode |
---
## Flatpak Issues
The Flatpak Sunshine failed due to:
1. **wlr capture:** KDE Plasma lacks wlr-export-dmabuf
2. **PipeWire:** XDG portal blocked in sandbox
3. **KMS capture:** Can't setcap sandboxed binaries
**Solution:** Use native DNF installation
---
## Next Steps
### 1. Remove Flatpak (if installed)
```bash
flatpak remove dev.lizardbyte.app.Sunshine -y
```
### 2. Install Native Sunshine
```bash
sudo dnf copr enable lizardbyte/stable -y
sudo dnf install sunshine -y
```
### 3. Set KMS Permission
```bash
sudo setcap cap_sys_admin+p $(readlink -f $(which sunshine))
```
### 4. Enable Service
```bash
systemctl --user enable --now sunshine
```
### 5. Configure
1. Open https://localhost:47990
2. Set admin password
3. Video settings:
- Encoder: vaapi
- Adapter: /dev/dri/renderD128
### 6. Moonlight Pairing
1. Open Moonlight on MacBook
2. Add host: 100.98.57.73 (or xtrm-pc)
3. Enter 4-digit PIN in Sunshine Web UI
---
## Tailscale Network
| Device | Tailscale IP |
|--------|--------------|
| xtrm-pc (Nobara) | 100.98.57.73 |
| MacBook | 100.68.118.59 |
| xtrm-unraid | 100.100.208.70 |
---
## Firewall (Tailscale only)
```bash
sudo firewall-cmd --permanent --zone=trusted --add-source=100.64.0.0/10
sudo firewall-cmd --permanent --zone=trusted --add-port=47984-48010/tcp
sudo firewall-cmd --permanent --zone=trusted --add-port=47998-48010/udp
sudo firewall-cmd --reload
```
---
## Streaming Settings
| Setting | LAN | Remote |
|---------|-----|--------|
| Bitrate | 50-80 Mbps | 20-40 Mbps |
| FPS | 60-120 | 60 |
| Resolution | Native | 1080p |
| Codec | HEVC | HEVC |
---
## Verification Checklist
- [x] Tailscale running: 100.98.57.73
- [x] VA-API verified: H.264 + HEVC
- [ ] Sunshine installed (native)
- [ ] KMS capture working
- [ ] Sunshine Web UI accessible
- [ ] Moonlight paired
- [ ] Desktop streaming works
- [ ] Game streaming 60 FPS
---
## References
- Original document: `archive/04-PHASE4-REMOTE-GAMING.md`
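Review bot: in the Firewall section, `--zone=trusted --add-source=100.64.0.0/10` already accepts every port from that range, so the two `--add-port` lines in the same zone have no effect, and the rule trusts the whole CGNAT range on any interface rather than the Tailscale interface alone; either keep only the source rule, or (tighter, and matching the "Tailscale only" heading) create a dedicated zone bound to the `tailscale0` interface with just `47984-48010/tcp` and `47998-48010/udp`. Step 3, `setcap cap_sys_admin+p` on the Sunshine binary, grants a capability that is close to full root to a world-executable file; state that this is a deliberate trade-off for KMS capture, and add to the Verification Checklist that the file capability is lost whenever `dnf` replaces the binary, so the command must be re-run after every Sunshine update (check with `getcap`).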


@@ -0,0 +1,142 @@
# VLAN Network Segmentation
**Status:** 📋 PLANNED
**Priority:** Medium
**Risk:** HIGH (network disruption during implementation)
---
## Overview
Segment flat 192.168.31.0/24 network into VLANs for security isolation.
---
## Proposed VLANs
| VLAN | Name | Subnet | Gateway | Purpose |
|------|------|--------|---------|---------|
| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Infrastructure devices only |
| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers |
| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras |
| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices |
| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi |
---
## WiFi SSID Mapping
| SSID | VLAN | Purpose |
|------|------|---------|
| XTRM | 10 | Primary (trusted devices) |
| XTRM-IoT | 20 | IoT devices |
| XTRM-Kids | 30 | Kids devices |
| XTRM-Guest | 40 | Guest access |
---
## Device Assignments
### VLAN 10 - Secure
| Device | Current IP | New IP |
|--------|------------|--------|
| XTRM-U/N5 | 192.168.31.2 | 192.168.10.2 |
| Nobara PC | 192.168.31.95 | 192.168.10.10 |
| MacBook | 192.168.31.99 | 192.168.10.15 |
| S25 Ultra | 192.168.31.98 | 192.168.10.20 |
### VLAN 20 - IoT
| Device | Current IP | New IP |
|--------|------------|--------|
| Home Assistant | 192.168.31.102 | 192.168.20.2 |
| Chromecast | 192.168.31.134 | 192.168.20.10 |
| Roborock S7 | 192.168.31.104 | 192.168.20.11 |
| Reolink Doorbell | 192.168.31.68 | 192.168.20.13 |
| HP Printer | 192.168.31.19 | 192.168.20.20 |
### VLAN 30 - Kids
| Device | Current IP | New IP |
|--------|------------|--------|
| Nora MacBook | 192.168.31.79 | 192.168.30.10 |
| Kimi Notebook | 192.168.31.108 | 192.168.30.11 |
| Dancho iPhone | 192.168.31.114 | 192.168.30.13 |
---
## Cross-VLAN Access Requirements
### S25 → Chromecast (Casting)
```routeros
/ip/firewall/filter add chain=forward \
src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
dst-port=8008,8009,8443 protocol=tcp action=accept
```
### Secure → Home Assistant
```routeros
/ip/firewall/filter add chain=forward \
src-address=192.168.10.0/24 dst-address=192.168.20.2 \
dst-port=8123 protocol=tcp action=accept
```
### mDNS Reflector (Device Discovery)
```routeros
/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20
```
---
## Implementation Steps
### Phase 1: Router (HAP1)
1. Create VLAN interfaces
2. Assign IP addresses
3. Create DHCP servers per VLAN
4. Configure firewall rules
### Phase 2: Switch (CSS326)
1. Enable VLAN mode in SwOS
2. Configure trunk port (to HAP1)
3. Assign access VLANs to ports
4. Set PVIDs
### Phase 3: WiFi (CAPsMAN)
1. Create VLAN-tagged SSIDs
2. Update provisioning rules
3. Apply to CAP
---
## Risks
| Risk | Impact | Mitigation |
|------|--------|------------|
| All devices lose connectivity | HIGH | Schedule maintenance window |
| Docker br0 containers break | MEDIUM | Reconfigure macvlan |
| Static IPs need updating | LOW | Pre-configure DHCP reservations |
---
## Rollback
Disable VLAN filtering immediately:
```routeros
/interface/bridge/set bridge vlan-filtering=no
```
---
## Prerequisites
- [ ] Map CSS326 switch ports to devices
- [ ] Backup MikroTik config
- [ ] Schedule maintenance window (30-60 min)
- [ ] Decide WiFi passwords for new SSIDs
- [ ] Console/serial access to router (in case of lockout)
---
## References
- Full planning document: `archive/10-VLAN-NETWORK-SEGMENTATION.md`
- Device inventory: `archive/11-NETWORK-ASSET-INVENTORY.md`
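Review bot: the "S25 → Chromecast" rule is far wider than its heading, allowing all of 192.168.10.0/24 to reach all of 192.168.20.0/24 on 8008,8009,8443; per the Device Assignments tables it can be narrowed to `src-address=192.168.10.20 dst-address=192.168.20.10`. More importantly, the accept rules in this section only isolate anything if a final `chain=forward` drop for inter-VLAN traffic (after the usual established/related accept) is placed below them, and Phase 1 step 4 "Configure firewall rules" should spell out that ordering. Two cross-references need attention: XTRM-U/N5 moves from 192.168.31.2 to 192.168.10.2, but the NAT rule added in `FOSSORIAL-TUNNELS.md` in this same commit still targets 192.168.31.2, so one doc should note the dependency; and the mDNS repeater between vlan10 and vlan20 reintroduces IoT discovery traffic into the Secure VLAN, which is a reasonable trade-off but belongs in the Risks table. For Rollback, `vlan-filtering=no` only helps if you can still reach the router; recommend enabling `vlan-filtering=yes` from a session in RouterOS Safe Mode so the change reverts automatically if the management path is lost, which complements the console-access prerequisite.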