# Infrastructure Upgrade Proposal: xtrm-lab.org (v2)

## Current Infrastructure State

**Document Updated:** 2026-01-22

**Target Domain:** xtrm-lab.org

---

## Network Topology

### MikroTik hAP ax³ Router (192.168.31.1)

| Parameter | Value |
|-----------|-------|
| RouterOS Version | 7.20.6 (stable) |
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1` |

**SSH Users:**

- `xtrm` - Primary admin user (key auth issues)
- `unraid` - Secondary admin user (key-based from Unraid) ✓ Working

**Interfaces:**

- `ether1` - WAN (62.73.120.142/23)
- `bridge` - LAN (192.168.31.1/24)
- `docker-bridge` - Container network (172.17.0.1/24)
- `back-to-home-vpn` - WireGuard VPN (192.168.216.1/24)

**Running Containers on MikroTik:**

| Container | IP | Storage | Purpose |
|-----------|-----|---------|---------|
| tailscale:latest | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client |
| adguardhome:latest | 172.17.0.5 | usb1/agh2 | DNS sinkhole with DoH/DoT/DoQ |

**Stopped Containers:**

| Container | Issue |
|-----------|-------|
| unbound:latest | exited with status 1 |

**AdGuard Home Configuration (172.17.0.5):**

| Service | Port | Protocol | Status |
|---------|------|----------|--------|
| DNS | 5355 | UDP/TCP | Active (NAT from 53) |
| Web UI | 80 | HTTP | Active |
| DoH (DNS-over-HTTPS) | 443 | HTTPS | Active (TLS) |
| DoT (DNS-over-TLS) | 853 | TCP | Active (TLS) |
| DoQ (DNS-over-QUIC) | 8853 | UDP | Active (TLS) |

**AdGuard Home Blocklists:**

- StevenBlack Hosts
- Hagezi Pro
- Hagezi NSFW

**AdGuard Home Custom Rules:**

- `||dv-eu-prod.sentinelone.net^`
- `||euce1-soc360.sentinelone.net^`
- `||ampeco.jamfcloud.com^`
- `||*.jamfcloud.com^`

**TLS Certificate:** Let's Encrypt wildcard cert for `*.xtrm-lab.org`

**Server Name:** `dns.xtrm-lab.org`

**Certificate Expiry:** 2026-04-02

**⚠️ IMPORTANT:** Do NOT stop or restart the AdGuard Home container. MikroTik has a bug where the root directory disappears when the container stops.

### MikroTik CSS326-24G-2S+ Switch (192.168.31.9)

| Parameter | Value |
|-----------|-------|
| Role | Managed Layer 2 Switch |
| Model | CSS326-24G-2S+ |
| Ports | 24x Gigabit + 2x SFP |
| OS | SwOS (MikroTik Switch OS) |
| Web UI | http://192.168.31.9/index.html |

### MikroTik cAP ac (192.168.31.6)

| Parameter | Value |
|-----------|-------|
| Role | CAPsMAN Managed Access Point |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |

---

## Unraid Server (192.168.31.2)

**Tailscale IP:** 100.100.208.70

**SSH Access:** `ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422`

### Docker Networks

| Network | Subnet | Purpose |
|---------|--------|---------|
| dockerproxy | 172.18.0.0/16 | Traefik-accessible services |
| netbox | 172.24.0.0/16 | NetBox stack |
| slurpit_slurpit-network | Auto | Slurp'it stack |
| br0 | 192.168.31.0/24 | LAN macvlan |
| bridge | 172.17.0.0/16 | Default Docker bridge |
| host | - | Host network stack |

### Key Services

| Service | Container | Static IP | External URL |
|---------|-----------|-----------|--------------|
| **Core Infrastructure** | | | |
| Reverse Proxy | traefik | 172.18.0.3 | traefik.xtrm-lab.org |
| Docker Socket | dockersocket | 172.18.0.2 | - |
| Dashboard | homarr | 172.18.0.4 | xtrm-lab.org |
| **Security** | | | |
| Identity Provider | authentik | 172.18.0.11 | auth.xtrm-lab.org |
| Authentik Worker | authentik-worker | 172.18.0.12 | - |
| Password Manager | vaultwarden | 172.18.0.15 | vault.xtrm-lab.org |
| **Databases** | | | |
| PostgreSQL | postgresql17 | 172.18.0.13 | - |
| Redis | Redis | 172.18.0.14 | - |
| **DNS (Unraid - Secondary)** | | | |
| Pi-hole (Unraid) | binhex-official-pihole | 192.168.31.4 | ph1.xtrm-lab.org |
| Unbound (Unraid) | unbound | 192.168.31.5 | - |
| DoH Server | DoH-Server | 172.18.0.22 | doh.xtrm-lab.org |
| nebula-sync | nebula-sync | - | ⚠️ Crash-looping (incompatible with AdGuard) |
| **DevOps** | | | |
| Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org |
| CI/CD Agent | woodpecker-agent | 172.18.0.33 | - |
| **Network Management** | | | |
| NetBox | netbox | 172.24.0.5 | netbox.xtrm-lab.org |
| NetDisco Web | netdisco-web | 172.18.0.41 | netdisco.xtrm-lab.org |
| Unimus | unimus | host | unimus.xtrm-lab.org |
| **Monitoring** | | | |
| Uptime Kuma | UptimeKuma | 172.18.0.20 | uptime.xtrm-lab.org |
| NetAlertX | NetAlertX | host | netalert.xtrm-lab.org |
| Speedtest Tracker | speedtest-tracker | 172.18.0.21 | speedtest.xtrm-lab.org |
| **Media & Storage** | | | |
| Plex | plex | host | plex.xtrm-lab.org |
| Nextcloud | Nextcloud | 172.18.0.24 | nextcloud.xtrm-lab.org |
| **Remote Access** | | | |
| RustDesk ID | rustdesk-hbbs | bridge | rustdesk.xtrm-lab.org |
| RustDesk Relay | rustdesk-hbbr | bridge | - |

---

## DNS Architecture

```
┌─────────────────────────────────────┐
│              Internet               │
│   (DoH/DoT/DoQ: dns.xtrm-lab.org)   │
└───────────────┬─────────────────────┘
                │
┌───────────────▼─────────────────────┐
│   MikroTik hAP ax³ (192.168.31.1)   │
│   Ports: 443(DoH), 853(DoT),        │
│          8853(DoQ), 53→5355(DNS)    │
└───────────────┬─────────────────────┘
                │
           ┌────┼─────────────────┬────────────────────┐
           │                      │                    │
           ▼                      ▼                    ▼
┌──────────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│     AdGuard Home     │ │  Unraid Server   │ │   LAN Devices    │
│   172.17.0.5:5355    │ │   192.168.31.2   │ │   192.168.31.x   │
│     PRIMARY DNS      │ │                  │ │                  │
│  DoH/DoT/DoQ Server  │ └────────┬─────────┘ └──────────────────┘
└──────────────────────┘          │
                                  ▼
                         ┌──────────────────┐
                         │ Pi-hole (Unraid) │
                         │   192.168.31.4   │
                         │  SECONDARY DNS   │
                         └────────┬─────────┘
                                  │
                                  ▼
                         ┌──────────────────┐
                         │ Unbound (Unraid) │
                         │   192.168.31.5   │
                         │  Recursive DNS   │
                         └──────────────────┘
```

**Encrypted DNS Endpoints (MikroTik AdGuard Home):**

- **DoH:** `https://dns.xtrm-lab.org/dns-query`
- **DoT:** `tls://dns.xtrm-lab.org:853`
- **DoQ:** `quic://dns.xtrm-lab.org:8853`

**Note:** Pi-hole on Unraid serves as the secondary/backup resolver. nebula-sync is disabled (incompatible with AdGuard Home).

---

## Current NAT/Port Forwarding (MikroTik)

| Rule | Protocol | Src/Dst Port | Destination | Purpose |
|------|----------|--------------|-------------|---------|
| Forward HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik HTTP |
| Forward HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik HTTPS |
| Force DNS to AdGuard | UDP | 53→5355 | 172.17.0.5 | LAN DNS redirect |
| Force DNS TCP | TCP | 53→5355 | 172.17.0.5 | LAN DNS redirect |
| AdGuard Web UI | TCP | 80 | 172.17.0.5:80 | Internal web access |
| DoT | TCP | 853 | 172.17.0.5:853 | DNS over TLS |
| DoH (internal) | TCP | 443 | 172.17.0.5:443 | DNS over HTTPS |
| Plex | TCP | 32400 | 192.168.31.2:32400 | Plex Media Server |
| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk Server |

---

## Traefik Configuration

**Entry Points:**

- HTTP (:80) → Redirects to HTTPS
- HTTPS (:443)

**Certificate Resolver:** Cloudflare DNS Challenge

**TLS Certificates Location:** `/mnt/user/appdata/traefik/certs/`

- `xtrm-lab.org.crt` - Wildcard certificate chain
- `xtrm-lab.org.key` - Private key

---

## Migration Data

**AdGuard Migration Config:** `/mnt/user/appdata/adguard-migration.json`

Contains the blocklists, custom rules, and client configurations to apply to new AdGuard Home instances.

---

## Backup & Cloud Sync

### Flash Backup Script

- **Script Path:** `/boot/config/plugins/user.scripts/scripts/flash-backup/script`
- **Schedule:** `0 3 * * *` (Daily at 3:00 AM)
- **Retention:** 7 days
- **Cloud Sync:** `drive:Backups/unraid-flash`

---

## Reference Documents

- [Phase 1: Global DNS Portability](./01-PHASE1-DNS-PORTABILITY.md)
- [Phase 7: Gitea GitOps](./08-PHASE7-GITEA-GITOPS.md)
- [Container IP Assignments](./13-CONTAINER-IP-ASSIGNMENTS.md)
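The flash backup described under Backup & Cloud Sync above, written out as an added example; this is not the script from this document or anything shipped by Unraid. The source directory `/boot`, the retention of 7 days and the rclone remote `drive:Backups/unraid-flash` come from the page; the local staging directory `/mnt/user/backups/flash`, the archive naming and the function names are assumptions. Beyond what the page lists, the script reads each archive back before trusting it, so a truncated write on a failing flash drive is caught on the day it happens rather than on restore day.

```shell
#!/bin/bash
# Added example of a user.scripts flash-backup job (not the page's own script).
# Schedule (0 3 * * *) is handled by user.scripts, not by this file.
set -eu

SRC_DIR="${SRC_DIR:-/boot}"                                  # Unraid flash drive (from the page)
BACKUP_DIR="${BACKUP_DIR:-/mnt/user/backups/flash}"          # local staging dir (assumption)
RETENTION_DAYS="${RETENTION_DAYS:-7}"                        # retention window (from the page)
RCLONE_REMOTE="${RCLONE_REMOTE:-drive:Backups/unraid-flash}" # cloud target (from the page)

# Create a timestamped tarball of directory $1 inside directory $2.
# Prints the archive path on stdout so callers can verify it.
make_backup() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    archive="$dst/flash-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$src" .
    printf '%s\n' "$archive"
}

# Succeed only if the whole archive can be listed: catches truncated or
# corrupt writes before the bad file is rotated into the retention set.
verify_backup() {
    tar -tzf "$1" >/dev/null 2>&1
}

# Delete archives in $1 older than $2 days; prints each file it removes.
prune_backups() {
    find "$1" -maxdepth 1 -type f -name 'flash-*.tar.gz' -mtime +"$2" -print -exec rm -f {} +
}

# Mirror the staging directory $1 to the rclone remote $2.
# Returns non-zero (and leaves the local copy in place) if rclone is missing.
sync_to_cloud() {
    if command -v rclone >/dev/null 2>&1; then
        rclone sync "$1" "$2"
    else
        echo "rclone not installed; skipping cloud sync" >&2
        return 1
    fi
}

main() {
    archive=$(make_backup "$SRC_DIR" "$BACKUP_DIR")
    verify_backup "$archive" || { echo "backup verification failed: $archive" >&2; exit 1; }
    prune_backups "$BACKUP_DIR" "$RETENTION_DAYS"
    sync_to_cloud "$BACKUP_DIR" "$RCLONE_REMOTE"
}

# Run the full job only when installed at the user.scripts path documented on
# the page; when sourced from elsewhere only the functions are defined.
case "$0" in
    */flash-backup/script) main ;;
esac
```

Installed at the page's script path, user.scripts runs `main` on the `0 3 * * *` schedule. Sourcing the file from any other path defines only the functions, which is how the pruning and verification logic can be exercised against a scratch directory without touching `/boot` or the cloud remote. Pruning deliberately runs after verification, so a failed backup never deletes the older good copies.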