infrastructure/docs/00-CURRENT-STATE.md

# Infrastructure Upgrade Proposal: xtrm-lab.org (v2)

## Current Infrastructure State

**Document Updated:** 2026-01-21
**Target Domain:** xtrm-lab.org

---

## Network Topology

### MikroTik hAP ax³ Router (192.168.31.1)

| Parameter | Value |
|-----------|-------|
| RouterOS Version | 7.20.6 (stable) |
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 xtrm@192.168.31.1` |

**SSH Users:**
- `xtrm` - Primary admin user (key-based from Unraid)
- `unraid` - Secondary admin user (key-based from Unraid)

**Interfaces:**
- `ether1` - WAN (62.73.120.142/23)
- `bridge` - LAN (192.168.31.1/24)
- `docker-bridge` - Container network (172.17.0.1/24)
- `back-to-home-vpn` - WireGuard VPN (192.168.216.1/24)

**SNMP Configuration:**
| Device | Community | Access | Status |
|--------|-----------|--------|--------|
| hAP ax³ | `netdisco` | 192.168.31.2 only | Enabled |
| CSS326 | `public` | Any (SwOS limit) | Enabled |
| cAP ac | `netdisco` | 192.168.31.2 only | Enabled |

**Running Containers on MikroTik:**
| Container | IP | Purpose |
|-----------|-----|---------|
| pihole:latest | 172.17.0.2 | DNS sinkhole (Pi-hole v6) |
| unbound:latest | 172.17.0.3 | Recursive DNS resolver |

### MikroTik CSS326-24G-2S+ Switch (192.168.31.9)

| Parameter | Value |
|-----------|-------|
| Role | Managed Layer 2 Switch |
| Model | CSS326-24G-2S+ |
| Ports | 24x Gigabit + 2x SFP |
| OS | SwOS (MikroTik Switch OS) |
| Web UI | http://192.168.31.9/index.html |

### MikroTik cAP ac (192.168.31.6)

| Parameter | Value |
|-----------|-------|
| Role | CAPsMAN Managed Access Point |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |

---

## Unraid Server (192.168.31.2)

**Tailscale IP:** 100.100.208.70
**SSH Access:** `ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422`

### Docker Networks

| Network | Subnet | Purpose |
|---------|--------|---------|
| dockerproxy | 172.18.0.0/16 | Traefik-accessible services |
| netbox | 172.24.0.0/16 | NetBox stack |
| slurpit_slurpit-network | Auto | Slurp'it stack |
| br0 | 192.168.31.0/24 | LAN macvlan |
| bridge | 172.17.0.0/16 | Default Docker bridge |
| host | - | Host network stack |

### Key Services

| Service | Container | Static IP | External URL |
|---------|-----------|-----------|--------------|
| **Core Infrastructure** |
| Reverse Proxy | traefik | 172.18.0.3 | traefik.xtrm-lab.org |
| Docker Socket | dockersocket | 172.18.0.2 | - |
| Dashboard | homarr | 172.18.0.4 | xtrm-lab.org |
| **Security** |
| Identity Provider | authentik | 172.18.0.11 | auth.xtrm-lab.org |
| Authentik Worker | authentik-worker | 172.18.0.12 | - |
| Password Manager | vaultwarden | 172.18.0.15 | vault.xtrm-lab.org |
| **Databases** |
| PostgreSQL | postgresql17 | 172.18.0.13 | - |
| Redis | Redis | 172.18.0.14 | - |
| **DNS** |
| Pi-hole (Unraid) | binhex-official-pihole | 192.168.31.4 | ph1.xtrm-lab.org |
| Unbound (Unraid) | unbound | 192.168.31.5 | - |
| DoH Server | DoH-Server | 172.18.0.22 | doh.xtrm-lab.org |
| **DevOps** |
| Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org |
| CI/CD Agent | woodpecker-agent | 172.18.0.33 | - |
| **Network Management** |
| NetBox | netbox | 172.24.0.5 | netbox.xtrm-lab.org |
| NetBox Worker | netbox-worker | 172.24.0.6 | - |
| NetBox PostgreSQL | netbox-postgres | 172.24.0.4 | - |
| NetBox Redis | netbox-redis | 172.24.0.2 | - |
| NetBox Redis Cache | netbox-redis-cache | 172.24.0.3 | - |
| NetDisco Web | netdisco-web | 172.18.0.41 | netdisco.xtrm-lab.org |
| NetDisco Backend | netdisco-backend | 172.18.0.42 | - |
| Unimus | unimus | host | unimus.xtrm-lab.org |
| **Slurp'it Discovery** |
| Slurp'it Portal | slurpit-portal | dockerproxy | slurpit.xtrm-lab.org |
| Slurp'it Scanner | slurpit-scanner | slurpit-network | - |
| Slurp'it Scraper | slurpit-scraper | slurpit-network | - |
| Slurp'it Warehouse | slurpit-warehouse | slurpit-network | - |
| Slurp'it MariaDB | slurpit-mariadb | slurpit-network | - |
| Slurp'it MongoDB | slurpit-mongodb | slurpit-network | - |
| **Monitoring** |
| Uptime Kuma | UptimeKuma | 172.18.0.20 | uptime.xtrm-lab.org |
| Uptime Kuma API | Uptime-Kuma-API | 172.18.0.18 | - |
| AutoKuma | AutoKuma | 172.18.0.19 | - |
| NetAlertX | NetAlertX | host | netalert.xtrm-lab.org |
| Speedtest Tracker | speedtest-tracker | 172.18.0.21 | speedtest.xtrm-lab.org |
| **Productivity** |
| Actual Budget | actual-budget | 172.18.0.16 | actual.xtrm-lab.org |
| n8n | n8n | 172.18.0.17 | n8n.xtrm-lab.org |
| Karakeep | karakeep | 172.18.0.25 | karakeep.xtrm-lab.org |
| **Media & Storage** |
| Plex | plex | host | plex.xtrm-lab.org |
| Nextcloud | Nextcloud | 172.18.0.24 | nextcloud.xtrm-lab.org |
| Libation | Libation | 172.18.0.23 | - |
| Transmission | transmission | 172.18.0.26 | - |
| Time Machine | TimeMachine | 192.168.31.12 | - |
| **Remote Access** |
| RustDesk ID | rustdesk-hbbs | bridge | rustdesk.xtrm-lab.org |
| RustDesk Relay | rustdesk-hbbr | bridge | - |
| **Other** |
| Home Assistant | HomeAssistant_inabox | host | ha.xtrm-lab.org |
| UrBackup | UrBackup | host | urbackup.xtrm-lab.org |
| Portainer | portainer | bridge | 192.168.31.2:9002 |
| Pangolin | pangolin | 172.18.0.51 | - |

---

## Docker Compose Managed Stacks

| Stack | Location | Containers |
|-------|----------|------------|
| NetBox | `/mnt/user/appdata/netbox/docker-compose.yml` | netbox, netbox-worker, netbox-postgres, netbox-redis, netbox-redis-cache |
| NetDisco | `/mnt/user/appdata/netdisco/docker-compose.yml` | netdisco-web, netdisco-backend |
| Gitea | `/mnt/user/appdata/gitea/docker-compose.yml` | gitea |
| Woodpecker | `/mnt/user/appdata/woodpecker/docker-compose.yml` | woodpecker-server, woodpecker-agent |
| Pangolin | `/mnt/user/appdata/pangolin/docker-compose.yml` | pangolin |
| Slurp'it | `/mnt/user/appdata/slurpit/docker-compose.yml` | slurpit-portal, slurpit-scanner, slurpit-scraper, slurpit-warehouse, slurpit-mariadb, slurpit-mongodb |

---

## NetBox Plugins

| Plugin | Version | Status |
|--------|---------|--------|
| slurpit_netbox | 1.2.7 | Active |

**Note:** Plugin config mounted from `/mnt/user/appdata/netbox/config/plugins.py`

---

## DNS Architecture

```
                    ┌─────────────────────────────────────┐
                    │           Internet                   │
                    └───────────────┬─────────────────────┘
                                    │
                    ┌───────────────▼─────────────────────┐
                    │   MikroTik hAP ax³ (192.168.31.1)   │
                    │   WAN: 62.73.120.142                │
                    └───────────────┬─────────────────────┘
                                    │
           ┌────────────────────────┼────────────────────────┐
           │                        │                        │
           ▼                        ▼                        ▼
┌──────────────────┐   ┌──────────────────┐    ┌──────────────────┐
│ Pi-hole (Router) │   │ Unraid Server    │    │ LAN Devices      │
│ 172.17.0.2       │   │ 192.168.31.2     │    │ 192.168.31.x     │
│ Primary DNS      │   │                  │    │                  │
└────────┬─────────┘   └────────┬─────────┘    └──────────────────┘
         │                      │
         ▼                      ▼
┌──────────────────┐   ┌──────────────────┐
│ Unbound (Router) │   │ Unbound (Unraid) │
│ 172.17.0.3       │   │ 192.168.31.5     │
│ Recursive DNS    │   │ Recursive DNS    │
└──────────────────┘   └──────────────────┘
                               │
                               ▼
                       ┌──────────────────┐
                       │ Pi-hole (Unraid) │
                       │ 192.168.31.4     │
                       │ Secondary DNS    │
                       └──────────────────┘
```

---

## Current NAT/Port Forwarding (MikroTik)

| Rule | Protocol | WAN Port | Destination | Purpose |
|------|----------|----------|-------------|---------|
| Forward HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik HTTP |
| Forward HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik HTTPS |
| Plex | TCP | 32400 | 192.168.31.2:32400 | Plex Media Server |
| Transmission | TCP/UDP | 51413 | 192.168.31.2:51413 | BitTorrent |
| DoT | TCP | 853 | 172.17.0.2:853 | DNS over TLS |
| DoH | TCP/UDP | 5443 | 172.17.0.2:443 | DNS over HTTPS |
| DNS Force | UDP/TCP | 53 | 172.17.0.2:53 | Force LAN DNS to Pi-hole |
| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk Server |

---

## Traefik Configuration

**Entry Points:**
- HTTP (:80) → Redirects to HTTPS
- HTTPS (:443)

**Certificate Resolver:** Cloudflare DNS Challenge

**Docker Provider Constraint:** `traefik.constraint=valid`
- Containers need this label to be auto-discovered
- Otherwise add routes to `/mnt/user/appdata/traefik/dynamic.yml`

---

## Reference Documents

- [Phase 1: Global DNS Portability](./01-PHASE1-DNS-PORTABILITY.md)
- [Phase 2: Fossorial Tunnel Stack](./02-PHASE2-FOSSORIAL-STACK.md)
- [Phase 3: Identity & Zero Trust](./03-PHASE3-AUTHENTIK-ZEROTRUST.md)
- [Phase 4: Remote Gaming](./04-PHASE4-REMOTE-GAMING.md)
- [Phase 5: RustDesk Setup](./05-PHASE5-RUSTDESK.md)
- [Phase 6: Portainer Management](./06-PHASE6-PORTAINER-MANAGEMENT.md)
- [Phase 7: Gitea GitOps](./08-PHASE7-GITEA-GITOPS.md)
- [Phase 8: NetDisco Integration](./12-PHASE8-NETDISCO-INTEGRATION.md)
- [Container IP Assignments](./13-CONTAINER-IP-ASSIGNMENTS.md)
- [MikroTik WiFi & CAPsMAN](./09-MIKROTIK-WIFI-CAPSMAN.md)