diff --git a/README.md b/README.md index 1154264..0c0ab29 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ docs/ ├── 02-SERVICES-CRITICAL.md # DNS, Auth, Routing - must stay up ├── 03-SERVICES-OTHER.md # All other services ├── 04-HARDWARE-INVENTORY.md # Physical devices, specs, serials -├── 05-CHANGELOG.md # Major events only +├── 00-CHANGELOG.md # Major events only ├── wip/ # Planned changes & ideas │ ├── UPGRADE-2026-HARDWARE.md │ └── GITOPS-CONTAINERS.md @@ -70,7 +70,7 @@ ssh -i ~/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1 ## Change Management -- **Major changes:** Document in `05-CHANGELOG.md` +- **Major changes:** Document in `00-CHANGELOG.md` - **Minor changes:** Git commit messages only - **Planned work:** Create doc in `wip/` folder diff --git a/docs/05-CHANGELOG.md b/docs/00-CHANGELOG.md similarity index 100% rename from docs/05-CHANGELOG.md rename to docs/00-CHANGELOG.md diff --git a/docs/wip/FOSSORIAL-TUNNELS.md b/docs/wip/FOSSORIAL-TUNNELS.md new file mode 100644 index 0000000..7472028 --- /dev/null +++ b/docs/wip/FOSSORIAL-TUNNELS.md 
@@ -0,0 +1,137 @@ +# Fossorial Tunnel Stack (Pangolin + Gerbil) + +**Status:** 💡 IDEA +**Priority:** Low +**Depends On:** Hardware upgrade (XTRM-N1 for resilience) + +--- + +## Overview + +Self-hosted tunnel solution for exposing services without Cloudflare/VPS dependency. + +| Component | Purpose | +|-----------|---------| +| **Pangolin** | Central controller/dashboard | +| **Gerbil** | WireGuard peer manager | +| **Newt** | Tunnel connector agent | + +--- + +## Why Fossorial? + +Current state uses Traefik + Cloudflare DNS for external access. + +Fossorial would provide: +- Independent tunneling (no Cloudflare dependency) +- Self-healing WireGuard connections +- Web-based tunnel management +- Potential for MikroTik container fallback + +--- + +## Architecture + +``` +Internet (62.73.120.142) + │ + ▼ UDP 51820 +┌─────────────────────┐ +│ Gerbil (WG Manager) │ +│ :51820 WireGuard │ +│ :8080 API │ +└─────────┬───────────┘ + │ +┌─────────▼───────────┐ +│ Pangolin (Dashboard)│ +│ :3000 Web UI │ +└─────────┬───────────┘ + │ +┌─────────▼───────────┐ +│ Newt (Connector) │ +│ Dials out to peers │ +└─────────────────────┘ +``` + +--- + +## Prerequisites + +- [ ] Port 51820/UDP forwarded on MikroTik +- [ ] `fossorial` Docker network created +- [ ] Secret key generated + +--- + +## Deployment Steps + +### 1. Create Network +```bash +docker network create --driver bridge fossorial +``` + +### 2. Deploy Pangolin +```bash +docker run -d \ + --name pangolin \ + --network fossorial \ + -p 3000:3000 \ + -v /mnt/user/appdata/pangolin/data:/app/data \ + -e PANGOLIN_BASE_URL=https://pangolin.xtrm-lab.org \ + -e PANGOLIN_SECRET_KEY=$(openssl rand -hex 32) \ + fossoriumtech/pangolin:latest +``` + +### 3. 
Deploy Gerbil +```bash +docker run -d \ + --name gerbil \ + --network fossorial \ + --cap-add=NET_ADMIN \ + -p 51820:51820/udp \ + -p 8080:8080 \ + -v /mnt/user/appdata/gerbil:/app/data \ + -e GERBIL_PUBLIC_IP=62.73.120.142 \ + -e GERBIL_PUBLIC_PORT=51820 \ + fossoriumtech/gerbil:latest +``` + +### 4. Deploy Newt +```bash +docker run -d \ + --name newt \ + --network fossorial \ + -v /mnt/user/appdata/newt:/app/data \ + -e NEWT_PANGOLIN_URL=https://pangolin.xtrm-lab.org \ + -e NEWT_ENDPOINT=62.73.120.142:51820 \ + fossoriumtech/newt:latest +``` + +### 5. MikroTik NAT +```routeros +/ip/firewall/nat add chain=dstnat \ + action=dst-nat to-addresses=192.168.31.2 to-ports=51820 \ + protocol=udp dst-port=51820 \ + comment="Fossorial WireGuard" +``` + +--- + +## Current WireGuard (Not Affected) + +Existing back-to-home-vpn uses port **59188**, completely separate. + +--- + +## Decision Points + +1. **Is this needed?** Tailscale + Traefik already provides external access +2. **When to implement?** After XTRM-N1 survival node for fallback option +3. **Use case?** If Cloudflare/Tailscale goes down + +--- + +## References + +- Original planning: `archive/02-PHASE2-FOSSORIAL-STACK.md` +- GitHub: https://github.com/fossoriumtech diff --git a/docs/wip/README.md b/docs/wip/README.md index dd9462c..75a63f8 100644 --- a/docs/wip/README.md +++ b/docs/wip/README.md @@ -1,8 +1,10 @@ # Work In Progress -This folder contains planned changes, evaluations, and ideas that are not yet implemented. +Planned changes, evaluations, and ideas not yet implemented. -## Document Status +--- + +## Document Status Legend | Status | Meaning | |--------|---------| 
@@ -10,7 +12,32 @@ This folder contains planned changes, evaluations, and ideas that are not yet im | 🔬 EVALUATING | Under investigation/research | | 💡 IDEA | Concept, needs further definition | +--- + ## Current Items -- `UPGRADE-2026-HARDWARE.md` - Hardware upgrade plan (N5 Air + N100) -- `GITOPS-CONTAINERS.md` - Container GitOps implementation (Phase 2) +### Hardware & Infrastructure + +| Document | Status | Priority | Description | +|----------|--------|----------|-------------| +| [UPGRADE-2026-HARDWARE.md](UPGRADE-2026-HARDWARE.md) | 📋 PLANNED | High | N5 Air + N100 server migration | +| [GITOPS-CONTAINERS.md](GITOPS-CONTAINERS.md) | 💡 IDEA | Medium | Container config in Git with CI/CD | + +### Network + +| Document | Status | Priority | Description | +|----------|--------|----------|-------------| +| [VLAN-SEGMENTATION.md](VLAN-SEGMENTATION.md) | 📋 PLANNED | Medium | Network segmentation (Secure/IoT/Kids/Guest) | +| [FOSSORIAL-TUNNELS.md](FOSSORIAL-TUNNELS.md) | 💡 IDEA | Low | Self-hosted Pangolin/Gerbil tunnels | + +### Applications + +| Document | Status | Priority | Description | +|----------|--------|----------|-------------| +| [REMOTE-GAMING.md](REMOTE-GAMING.md) | 🔬 EVALUATING | Low | Sunshine + Moonlight game streaming | + +--- + +## Completed Items + +Move to main docs or archive when done. Update `05-CHANGELOG.md` with major completions. diff --git a/docs/wip/REMOTE-GAMING.md b/docs/wip/REMOTE-GAMING.md new file mode 100644 index 0000000..c819eb7 --- /dev/null +++ b/docs/wip/REMOTE-GAMING.md 
@@ -0,0 +1,132 @@ +# Remote Gaming (Sunshine + Moonlight) + +**Status:** 🔬 EVALUATING +**Priority:** Low +**Host:** Nobara Linux (xtrm-pc) + +--- + +## Goal + +60FPS game streaming from Nobara PC (AMD RX 6600) to MacBook/Android via Tailscale. + +--- + +## Current State + +| Component | Status | +|-----------|--------| +| Tailscale on Nobara | ✅ IP: 100.98.57.73 | +| VA-API encoding | ✅ H.264/HEVC working | +| Sunshine Flatpak | ❌ Failed (sandbox issues) | +| Sunshine Native | ⏳ Pending | +| Moonlight pairing | ⏳ Pending | + +--- + +## Hardware + +| Component | Value | +|-----------|-------| +| GPU | AMD Radeon RX 6600M (Navi 23) | +| Driver | Mesa Gallium 25.3.2 (radeonsi) | +| VA-API | v1.22 with H.264/HEVC encode | + +--- + +## Flatpak Issues + +The Flatpak Sunshine failed due to: +1. **wlr capture:** KDE Plasma lacks wlr-export-dmabuf +2. **PipeWire:** XDG portal blocked in sandbox +3. **KMS capture:** Can't setcap sandboxed binaries + +**Solution:** Use native DNF installation + +--- + +## Next Steps + +### 1. Remove Flatpak (if installed) +```bash +flatpak remove dev.lizardbyte.app.Sunshine -y +``` + +### 2. Install Native Sunshine +```bash +sudo dnf copr enable lizardbyte/stable -y +sudo dnf install sunshine -y +``` + +### 3. Set KMS Permission +```bash +sudo setcap cap_sys_admin+p $(readlink -f $(which sunshine)) +``` + +### 4. Enable Service +```bash +systemctl --user enable --now sunshine +``` + +### 5. Configure +1. Open https://localhost:47990 +2. Set admin password +3. Video settings: + - Encoder: vaapi + - Adapter: /dev/dri/renderD128 + +### 6. Moonlight Pairing +1. Open Moonlight on MacBook +2. Add host: 100.98.57.73 (or xtrm-pc) +3. 
Enter 4-digit PIN in Sunshine Web UI + +--- + +## Tailscale Network + +| Device | Tailscale IP | +|--------|--------------| +| xtrm-pc (Nobara) | 100.98.57.73 | +| MacBook | 100.68.118.59 | +| xtrm-unraid | 100.100.208.70 | + +--- + +## Firewall (Tailscale only) + +```bash +sudo firewall-cmd --permanent --zone=trusted --add-source=100.64.0.0/10 +sudo firewall-cmd --permanent --zone=trusted --add-port=47984-48010/tcp +sudo firewall-cmd --permanent --zone=trusted --add-port=47998-48010/udp +sudo firewall-cmd --reload +``` + +--- + +## Streaming Settings + +| Setting | LAN | Remote | +|---------|-----|--------| +| Bitrate | 50-80 Mbps | 20-40 Mbps | +| FPS | 60-120 | 60 | +| Resolution | Native | 1080p | +| Codec | HEVC | HEVC | + +--- + +## Verification Checklist + +- [x] Tailscale running: 100.98.57.73 +- [x] VA-API verified: H.264 + HEVC +- [ ] Sunshine installed (native) +- [ ] KMS capture working +- [ ] Sunshine Web UI accessible +- [ ] Moonlight paired +- [ ] Desktop streaming works +- [ ] Game streaming 60 FPS + +--- + +## References + +- Original document: `archive/04-PHASE4-REMOTE-GAMING.md` diff --git a/docs/wip/VLAN-SEGMENTATION.md b/docs/wip/VLAN-SEGMENTATION.md new file mode 100644 index 0000000..ac2bfbb --- /dev/null +++ b/docs/wip/VLAN-SEGMENTATION.md 
@@ -0,0 +1,142 @@ +# VLAN Network Segmentation + +**Status:** 📋 PLANNED +**Priority:** Medium +**Risk:** HIGH (network disruption during implementation) + +--- + +## Overview + +Segment flat 192.168.31.0/24 network into VLANs for security isolation. + +--- + +## Proposed VLANs + +| VLAN | Name | Subnet | Gateway | Purpose | +|------|------|--------|---------|---------| +| 1 | Management | 192.168.31.0/24 | 192.168.31.1 | Infrastructure devices only | +| 10 | Secure | 192.168.10.0/24 | 192.168.10.1 | Trusted devices, servers | +| 20 | IoT | 192.168.20.0/24 | 192.168.20.1 | Smart home, cameras | +| 30 | Kids | 192.168.30.0/24 | 192.168.30.1 | Kids devices | +| 40 | Guest | 192.168.40.0/24 | 192.168.40.1 | Guest WiFi | + +--- + +## WiFi SSID Mapping + +| SSID | VLAN | Purpose | +|------|------|---------| +| XTRM | 10 | Primary (trusted devices) | +| XTRM-IoT | 20 | IoT devices | +| XTRM-Kids | 30 | Kids devices | +| XTRM-Guest | 40 | Guest access | + +--- + +## Device Assignments + +### VLAN 10 - Secure +| Device | Current IP | New IP | +|--------|------------|--------| +| XTRM-U/N5 | 192.168.31.2 | 192.168.10.2 | +| Nobara PC | 192.168.31.95 | 192.168.10.10 | +| MacBook | 192.168.31.99 | 192.168.10.15 | +| S25 Ultra | 192.168.31.98 | 192.168.10.20 | + +### VLAN 20 - IoT +| Device | Current IP | New IP | +|--------|------------|--------| +| Home Assistant | 192.168.31.102 | 192.168.20.2 | +| Chromecast | 192.168.31.134 | 192.168.20.10 | +| Roborock S7 | 192.168.31.104 | 192.168.20.11 | +| Reolink Doorbell | 192.168.31.68 | 192.168.20.13 | +| HP Printer | 192.168.31.19 | 192.168.20.20 | + +### VLAN 30 - Kids +| Device | Current IP | New IP | +|--------|------------|--------| +| Nora MacBook | 192.168.31.79 | 192.168.30.10 | +| Kimi Notebook | 192.168.31.108 | 192.168.30.11 | +| Dancho iPhone | 192.168.31.114 | 192.168.30.13 | + +--- + +## Cross-VLAN Access Requirements + +### S25 → Chromecast (Casting) +```routeros +/ip/firewall/filter add chain=forward \ + 
src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \ + dst-port=8008,8009,8443 protocol=tcp action=accept +``` + +### Secure → Home Assistant +```routeros +/ip/firewall/filter add chain=forward \ + src-address=192.168.10.0/24 dst-address=192.168.20.2 \ + dst-port=8123 protocol=tcp action=accept +``` + +### mDNS Reflector (Device Discovery) +```routeros +/ip/dns/set mdns-repeat-ifaces=vlan10,vlan20 +``` + +--- + +## Implementation Steps + +### Phase 1: Router (HAP1) +1. Create VLAN interfaces +2. Assign IP addresses +3. Create DHCP servers per VLAN +4. Configure firewall rules + +### Phase 2: Switch (CSS326) +1. Enable VLAN mode in SwOS +2. Configure trunk port (to HAP1) +3. Assign access VLANs to ports +4. Set PVIDs + +### Phase 3: WiFi (CAPsMAN) +1. Create VLAN-tagged SSIDs +2. Update provisioning rules +3. Apply to CAP + +--- + +## Risks + +| Risk | Impact | Mitigation | +|------|--------|------------| +| All devices lose connectivity | HIGH | Schedule maintenance window | +| Docker br0 containers break | MEDIUM | Reconfigure macvlan | +| Static IPs need updating | LOW | Pre-configure DHCP reservations | + +--- + +## Rollback + +Disable VLAN filtering immediately: +```routeros +/interface/bridge/set bridge vlan-filtering=no +``` + +--- + +## Prerequisites + +- [ ] Map CSS326 switch ports to devices +- [ ] Backup MikroTik config +- [ ] Schedule maintenance window (30-60 min) +- [ ] Decide WiFi passwords for new SSIDs +- [ ] Console/serial access to router (in case of lockout) + +--- + +## References + +- Full planning document: `archive/10-VLAN-NETWORK-SEGMENTATION.md` +- Device inventory: `archive/11-NETWORK-ASSET-INVENTORY.md`
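Review bot: in the `docs/wip/README.md` hunk, the new "Completed Items" line still says "Update `05-CHANGELOG.md` with major completions", but this same change renames that file to `docs/00-CHANGELOG.md` and updates both references in the top-level README; change it to `00-CHANGELOG.md` so the wip index does not point at a path that no longer exists after the rename hunk.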
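Review bot: in the `docs/wip/FOSSORIAL-TUNNELS.md` hunk, `-e PANGOLIN_SECRET_KEY=$(openssl rand -hex 32)` in step 2 mints a fresh secret every time the container is recreated, so state Pangolin protected with the previous key is orphaned on the next `docker run`, and the value lands in shell history and `docker inspect`; the Prerequisites list already says "Secret key generated", so generate it once, keep it in a file under `/mnt/user/appdata/pangolin/` and pass it with `--env-file`. Two exposure points in the same hunk: `-p 3000:3000` and `-p 8080:8080` publish the dashboard and the Gerbil API on every host interface although both already share the `fossorial` Docker network and the base URL is `https://pangolin.xtrm-lab.org`, so bind them to `127.0.0.1:` or drop the publish and let the reverse proxy reach them over the Docker network; and the dstnat rule matches UDP 51820 arriving on any interface, so add `in-interface-list=WAN` (or `dst-address=62.73.120.142`) so only Internet traffic is forwarded to 192.168.31.2. Finally, the Newt command carries only two URLs and no connector credential, and none of the three `docker run` lines set `--restart`, which undercuts the "self-healing" claim after an Unraid reboot.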
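Review bot: in the `docs/wip/REMOTE-GAMING.md` hunk, the "Firewall (Tailscale only)" block adds `100.64.0.0/10` as a source of firewalld's `trusted` zone, and that zone accepts all traffic, so every port on xtrm-pc is opened to the entire CGNAT range rather than just Sunshine's 47984-48010; the two `--add-port` lines are then redundant. Use a dedicated zone bound to the Tailscale interface instead (`firewall-cmd --permanent --new-zone=sunshine`, `--zone=sunshine --add-interface=tailscale0`, then the two `--add-port` lines against that zone), or at least narrow the source to the three Tailscale addresses listed in the "Tailscale Network" table. Step 3's `setcap cap_sys_admin+p` is stored in the binary's extended attributes and is lost when a `dnf` upgrade replaces the file, so the verification checklist should include re-checking it (`getcap`) after package updates.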
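Review bot: in the `docs/wip/VLAN-SEGMENTATION.md` hunk, the "Cross-VLAN Access Requirements" section adds only `action=accept` forward rules and nothing in the hunk drops inter-VLAN traffic, so as written every VLAN still reaches every other and the two accepts change nothing; Phase 1 step 4 ("Configure firewall rules") should spell out the order: accept `connection-state=established,related`, the specific accepts, then a drop for the remaining forward traffic from IoT, Kids and Guest toward Management and Secure. The "S25 → Chromecast" rule permits the whole Secure subnet to TCP 8008,8009,8443 on the whole IoT subnet (doorbell and printer included) while the table places the Chromecast at 192.168.20.10, so use that host as `dst-address`; and `mdns-repeat-ifaces=vlan10,vlan20` re-exposes IoT service discovery into Secure, which is the trade-off for casting and worth stating next to the rule. The rollback `/interface/bridge/set bridge vlan-filtering=no` assumes the bridge is named `bridge` and only touches the router, while the CSS326 put into VLAN mode in Phase 2 keeps tagging the trunk, so the Rollback section needs the SwOS step (or the config backup from Prerequisites) as well. Also, Management VLAN 1 keeps the current 192.168.31.0/24, so any device absent from the assignment tables remains on the "infrastructure devices only" VLAN by default; either move management to a new subnet or add a default that lands unknown clients in Guest.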