# Infrastructure Upgrade Proposal: xtrm-lab.org (v2)

## Current Infrastructure State

**Document Updated:** 2026-01-18

**Target Domain:** xtrm-lab.org

---

## Network Topology

### MikroTik hAP ax³ Router (192.168.31.1)

| Parameter | Value |
|-----------|-------|
| RouterOS Version | 7.20.6 (stable) |
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 xtrm@192.168.31.1` |

**SSH Users:**

- `xtrm` - Primary admin user (key-based from Unraid)
- `unraid` - Secondary admin user (key-based from Unraid)

**Interfaces:**

- `ether1` - WAN (62.73.120.142/23)
- `bridge` - LAN (192.168.31.1/24)
- `docker-bridge` - Container network (172.17.0.1/24)
- `back-to-home-vpn` - WireGuard VPN (192.168.216.1/24)

**Running Containers on MikroTik:**

| Container | IP | Purpose |
|-----------|-----|---------|
| pihole:latest | 172.17.0.2 | DNS sinkhole (Pi-hole v6) |
| unbound:latest | 172.17.0.3 | Recursive DNS resolver |

### MikroTik CSS326-24G-2S+ Switch (192.168.31.9)

| Parameter | Value |
|-----------|-------|
| Role | Managed Layer 2 Switch |
| Model | CSS326-24G-2S+ |
| Ports | 24x Gigabit + 2x SFP |
| OS | SwOS (MikroTik Switch OS) |
| Web UI | http://192.168.31.9/index.html |
| Username | admin |
| Password | M0stW4nt3d@xtrm |

**Uplink:** Connected to hAP ax³ via eth4_CCS324_Uplink

### MikroTik cAP ac (192.168.31.6)

| Parameter | Value |
|-----------|-------|
| Role | CAPsMAN Managed Access Point |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |
| Board | RBcAPGi-5acD2nD |
| SSH Access | `ssh -p 2222 xtrm@192.168.31.6` |
| SSH Password | M0stW4nt3d@xtrm |

**Note:** SSH key (id_ed25519 from Desktop) installed for key-based auth.
### WiFi Networks

| SSID | Password | Bands | Security | Purpose |
|------|----------|-------|----------|---------|
| XTRM | M0stW4nt3d@home | 2.4GHz + 5GHz | WPA/WPA2 (2.4GHz), WPA2/WPA3 (5GHz) | Main network |
| XTRM2 | M0stW4nt3d@IoT | 2.4GHz | WPA/WPA2 | Legacy/IoT devices |

**CAPsMAN:** hAP ax³ manages cAP ac via CAPsMAN (WiFi controller). See [09-MIKROTIK-WIFI-CAPSMAN.md](./09-MIKROTIK-WIFI-CAPSMAN.md) for the full configuration.

### Unraid Server (192.168.31.2)

**Tailscale IP:** 100.100.208.70

**Key Services:**

| Service | Container Name | Port(s) | Network | External URL |
|---------|---------------|---------|---------|--------------|
| Portainer | portainer | 9002→9000, 9444→9443 | bridge | http://100.100.208.70:9002 (Tailscale) |
| Pi-hole | binhex-official-pihole | 53, 80, 67 | br0 (192.168.31.4) | ph1.xtrm-lab.org |
| Unbound | unbound | 53 | br0 (192.168.31.5) | - |
| Traefik | traefik | 8001→80, 44301→443 | dockerproxy | traefik.xtrm-lab.org |
| Authentik | authentik | 9000, 9443 | dockerproxy | auth.xtrm-lab.org |
| Authentik Worker | authentik-worker | - | authentik | - |
| Vaultwarden | vaultwarden | 4743→80 | bridge | vault.xtrm-lab.org |
| Plex | plex | 32400 | host | plex.xtrm-lab.org |
| Home Assistant | HomeAssistant_inabox | 8123 | host (192.168.31.15) | ha.xtrm-lab.org |
| Transmission | transmission | 9091, 51413 | bridge | - |
| Nextcloud | Nextcloud | 8666→80 | bridge | - |
| PostgreSQL | postgresql17 | 5432 | bridge | - |
| Redis | Redis | 6379 | bridge | - |
| Uptime Kuma | UptimeKuma | 3001 | bridge | - |
| NetAlertX | NetAlertX | 20211 | host | netalert.xtrm-lab.org |
| UrBackup | UrBackup | 55414 | host | urbackup.xtrm-lab.org |
| Homarr | homarr | 10004→7575 | bridge | - |
| NetBox | netbox | 8090→8080 | dockerproxy | netbox.xtrm-lab.org |
| NetBox Worker | netbox-worker | - | netbox | - |
| NetBox Housekeeping | netbox-housekeeping | - | netbox | - |
| NetBox PostgreSQL | netbox-postgres | 5432 | netbox | - |
| NetBox Redis | netbox-redis | 6379 | netbox | - |
| NetBox Redis Cache | netbox-redis-cache | 6379 | netbox | - |
| Nebula Sync | nebula-sync | - | - | Pi-hole sync |
| DoH Server | DoH-Server | 8053 | dockerproxy | doh.xtrm-lab.org |
| stunnel DoT | stunnel-dot | 853 | bridge | dns.xtrm-lab.org:853 |
| Pangolin | pangolin | 3003→3001, 3004→3002 | bridge | Fossorial controller |
| Gitea | gitea | 3005→3000, 2222→22 | dockerproxy | git.xtrm-lab.org |
| Woodpecker Server | woodpecker-server | 8008→8000 | dockerproxy | ci.xtrm-lab.org |
| Woodpecker Agent | woodpecker-agent | - | dockerproxy | - |
| RustDesk ID | rustdesk-hbbs | 21115-21116, 21118-21119 | bridge | rustdesk.xtrm-lab.org |
| RustDesk Relay | rustdesk-hbbr | 21117 | bridge | rustdesk.xtrm-lab.org |

---

## Current NAT/Port Forwarding (MikroTik)

| Rule | Protocol | WAN Port | Destination | Purpose |
|------|----------|----------|-------------|---------|
| Forward HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik HTTP |
| Forward HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik HTTPS |
| Plex | TCP | 32400 | 192.168.31.2:32400 | Plex Media Server |
| Transmission | TCP/UDP | 51413 | 192.168.31.2:51413 | BitTorrent |
| DoT | TCP | 853 | 172.17.0.2:853 | DNS over TLS |
| DoH | TCP/UDP | 5443 | 172.17.0.2:443 | DNS over HTTPS |
| DNS Force | UDP/TCP | 53 | 172.17.0.2:53 | Force LAN DNS to Pi-hole |
| RustDesk NAT Test | TCP | 21115 | 192.168.31.2:21115 | RustDesk NAT Test |
| RustDesk ID TCP | TCP | 21116 | 192.168.31.2:21116 | RustDesk ID Server |
| RustDesk ID UDP | UDP | 21116 | 192.168.31.2:21116 | RustDesk ID Server |
| RustDesk Relay | TCP | 21117 | 192.168.31.2:21117 | RustDesk Relay |

---

## Current WireGuard Configuration

**Interface:** `back-to-home-vpn`

- Listen Port: 59188
- Address: 192.168.216.1/24
- Public Key: `3e+p++SJ6f5EURt6WCKApOLMQHWpURm/vn/0s9+EKzs=`

**Existing Peers:**

1. hAP ax³ (secondary device)
2. Kaloyan's S25 Ultra (mobile)
3. Additional peer (unnamed)

---

## Traefik Configuration

**Entry Points:**

- HTTP (:80) → Redirects to HTTPS
- HTTPS (:443)

**Certificate Resolver:** Cloudflare DNS Challenge

- Email: admin@xtrm-lab.org
- DNS Provider: Cloudflare

**Existing Middlewares:**

- `default-headers` - Security headers (HSTS, XSS protection, etc.)
- `authentik-forward-auth` - Forward auth to Authentik (configured but not applied)
- `pihole1-redirect` / `pihole2-redirect` - Redirect root to /admin/

---

## Authentik Configuration

| Parameter | Value |
|-----------|-------|
| Version | 2025.8.1 |
| URL | auth.xtrm-lab.org |
| PostgreSQL Host | postgresql17 |
| Database | authentik_db |
| Redis Host | redis |
| Network | dockerproxy |

**Status:** Deployed but not yet integrated with services

---

## Portainer Configuration (Phase 6)

| Parameter | Value |
|-----------|-------|
| Version | CE Latest |
| HTTP Port | 9002 |
| HTTPS Port | 9444 |
| Data Path | /mnt/user/appdata/portainer |
| Tailscale URL | http://100.100.208.70:9002 |
| Local URL | http://192.168.31.2:9002 |

**Status:** Deployed, awaiting initial setup and MikroTik connection (Phase 6.2/6.3)

---

## DNS Architecture

```
              ┌─────────────────────────────────────┐
              │              Internet               │
              └───────────────┬─────────────────────┘
                              │
              ┌───────────────▼─────────────────────┐
              │   MikroTik hAP ax³ (192.168.31.1)   │
              │        WAN: 62.73.120.142           │
              └───────────────┬─────────────────────┘
                              │
         ┌────────────────────┼────────────────────┐
         │                    │                    │
         ▼                    ▼                    ▼
┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ Pi-hole (Router) │ │  Unraid Server   │ │   LAN Devices    │
│    172.17.0.2    │ │   192.168.31.2   │ │   192.168.31.x   │
│   Primary DNS    │ │                  │ │                  │
└────────┬─────────┘ └────────┬─────────┘ └──────────────────┘
         │                    │
         ▼                    ▼
┌──────────────────┐ ┌──────────────────┐
│ Unbound (Router) │ │ Unbound (Unraid) │
│    172.17.0.3    │ │   192.168.31.5   │
│  Recursive DNS   │ │  Recursive DNS   │
└──────────────────┘ └────────┬─────────┘
                              │
                              ▼
                     ┌──────────────────┐
                     │ Pi-hole (Unraid) │
                     │   192.168.31.4   │
                     │  Secondary DNS   │
                     └──────────────────┘
```

---

## Service Interruption Risk Assessment

| Phase | Component | Interruption Risk | Mitigation |
|-------|-----------|-------------------|------------|
| 1 | Tailscale Integration | LOW | Add-on service, no changes to existing |
| 1 | DoH Endpoint | LOW | New endpoint, existing DNS unaffected |
| 2 | Pangolin/Gerbil | MEDIUM | New containers, may conflict with WG port 51820 |
| 2 | Newt Connector | LOW | Outbound only |
| 3 | Authentik Forward Auth | HIGH | Will gate all services - test thoroughly |
| 4 | Sunshine/Moonlight | LOW | New service, Tailscale-only access |
| 5 | RustDesk | MEDIUM | New ports required on MikroTik |
| 6 | Portainer | LOW | Management tool only, no service impact |

---

## Ports Required for Full Implementation

### New MikroTik Port Forwards Needed

| Service | Protocol | Port(s) | Destination | Phase |
|---------|----------|---------|-------------|-------|
| WireGuard (Fossorial) | UDP | 51820 | 192.168.31.2:51820 | 2 |
| RustDesk ID TCP | TCP | 21115-21117 | 192.168.31.2:21115-21117 | 5 |
| RustDesk Relay | TCP | 21118-21119 | 192.168.31.2:21118-21119 | 5 |
| RustDesk NAT | UDP | 21116 | 192.168.31.2:21116 | 5 |

---

## Next Steps

Proceed to the individual phase documents:

1. [Phase 1: Global DNS Portability](./01-PHASE1-DNS-PORTABILITY.md)
2. [Phase 2: Fossorial Tunnel Stack](./02-PHASE2-FOSSORIAL-STACK.md)
3. [Phase 3: Identity & Zero Trust](./03-PHASE3-AUTHENTIK-ZEROTRUST.md)
4. [Phase 4: Remote Gaming](./04-PHASE4-REMOTE-GAMING.md)
5. [Phase 5: RustDesk Setup](./05-PHASE5-RUSTDESK.md)
6. [Phase 6: Portainer Management](./06-PHASE6-PORTAINER-MANAGEMENT.md)
7. [Phase 7: Gitea GitOps](./08-PHASE7-GITEA-GITOPS.md)

**Reference Documents:**

- [MikroTik WiFi & CAPsMAN Configuration](./09-MIKROTIK-WIFI-CAPSMAN.md)

---

## Completed Infrastructure Tasks

### Static IP Assignment for Critical Services

**Status:** COMPLETED (2026-01-18)

**Priority:** High

**Reason:** Critical services should have static IPs outside the DHCP/dynamic lease range to prevent IP conflicts and ensure reliable inter-container communication.

#### dockerproxy Network (172.18.0.0/16)

Static IP range: 172.18.0.2 - 172.18.0.50

| Service | Static IP |
|---------|-----------|
| dockersocket | 172.18.0.2 |
| traefik | 172.18.0.3 |
| authentik | 172.18.0.11 |
| authentik-worker | 172.18.0.12 |
| postgresql17 | 172.18.0.13 |
| Redis | 172.18.0.14 |
| vaultwarden | 172.18.0.15 |

#### bridge Network (172.17.0.0/16)

Static IP range: 172.17.0.2 - 172.17.0.50

| Service | Static IP |
|---------|-----------|
| portainer | 172.17.0.2 |
| rustdesk-hbbs | 172.17.0.3 |
| rustdesk-hbbr | 172.17.0.4 |

#### Implementation Steps

1. [x] Update Docker network IPAM config to reserve the static range
2. [x] Recreate critical containers with the `--ip` flag or a docker-compose static IP
3. [x] Update any hardcoded references to old IPs
4. [x] Test inter-container connectivity
5. [x] Document final IP assignments

**Note:** IPs were assigned via `docker network connect --ip`. To persist them across container recreation, update the Unraid Docker templates or use docker-compose.

---

## Unraid Docker Organization

### FolderView2 Plugin

Docker containers are organized into categories using the FolderView2 plugin.
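For the static IP assignment task recorded above, the following docker-compose fragment is an added example (not the project's own compose file, which this page does not include) of how the dockerproxy pins survive container recreation: Docker hands out dynamic leases only from `ip_range`, so the 172.18.0.2 - 172.18.0.50 block stays free for `ipv4_address` pins. The gateway address, the 172.18.1.0/24 lease range, the image tags and the reduced service list (traefik and authentik only) are assumptions.

```yaml
# Added example, not the project's own file. Pins addresses from the
# dockerproxy table and keeps Docker's dynamic leases in a separate block.
# Assumptions: gateway 172.18.0.1, dynamic lease range 172.18.1.0/24,
# image tags; only traefik and authentik are shown.
networks:
  dockerproxy:
    name: dockerproxy            # must match the network name used on Unraid
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.18.0.0/16
          gateway: 172.18.0.1    # assumed
          # Dynamic allocation comes only from here, so any container that is
          # recreated without a pin can never land on 172.18.0.2-172.18.0.50.
          ip_range: 172.18.1.0/24

services:
  traefik:
    image: traefik:v3.3          # assumed tag
    container_name: traefik
    networks:
      dockerproxy:
        ipv4_address: 172.18.0.3 # from the static IP table
    ports:
      - "8001:80"                # host ports as listed under Key Services
      - "44301:443"

  authentik:
    image: ghcr.io/goauthentik/server:2025.8.1   # version from the Authentik table
    container_name: authentik
    command: server
    networks:
      dockerproxy:
        ipv4_address: 172.18.0.11
    environment:
      AUTHENTIK_POSTGRESQL__HOST: postgresql17   # resolves to the 172.18.0.13 pin
      AUTHENTIK_POSTGRESQL__NAME: authentik_db
      AUTHENTIK_REDIS__HOST: redis               # resolves to the 172.18.0.14 pin
```

If `dockerproxy` already exists on Unraid, compose will refuse to adopt it; recreate it with `docker network create --subnet 172.18.0.0/16 --ip-range 172.18.1.0/24 --gateway 172.18.0.1 dockerproxy` and declare it `external: true` in the `networks:` section instead, which leaves the per-service `ipv4_address` pins unchanged.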
**Icon Collection:** [Dazzle Line Icons](https://www.svgrepo.com/collection/dazzle-line-icons/) from SVGRepo

**Categories:**

| Category | Containers | Icon |
|----------|------------|------|
| Infrastructure | traefik, unbound, binhex-official-pihole, DoH-Server, stunnel-dot, pangolin, dockersocket, nebula-sync | network.svg |
| Security | authentik, authentik-worker, vaultwarden | shield-lock.svg |
| Monitoring | UptimeKuma, Uptime-Kuma-API, AutoKuma, NetAlertX, speedtest-tracker, netbox, netbox-worker, netbox-housekeeping | monitoring.svg |
| DevOps | gitea, woodpecker-server, woodpecker-agent, postgresql17, Redis, pgAdmin4, netbox-postgres, netbox-redis, netbox-redis-cache | database-03.svg |
| Media | plex, Libation, transmission | media-play-circle.svg |
| Storage/Backup | rustfs, UrBackup, TimeMachine, Nextcloud | clock-rewind.svg |
| Productivity | actual-budget, n8n, karakeep, homarr | dashboard.svg |
| Smart Home | HomeAssistant_inabox | smart-home.svg |
| Remote Access | rustdesk-hbbs, rustdesk-hbbr | remote.svg |
| Management | portainer, unimus | settings.svg |

**Config Location:** `/boot/config/plugins/folder.view2/docker.json`