jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4cd8caa27e263a3e7afdb87c8eedf6cf0a356176
infrastructure/docs/00-CURRENT-STATE.md
XTRM-Unraid 09209bf863
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details
docs: AdGuard Home on MikroTik - complete setup 
- Replaced Pi-hole with AdGuard Home (172.17.0.5:5355)
- Configured DoH/DoT/DoQ with TLS certificates
- Added blocklists: StevenBlack, Hagezi Pro, Hagezi NSFW
- Added custom rules and 6 client devices
- Updated NAT rules for DNS redirect
- Documented MikroTik container root-dir bug
- Saved migration config for Unraid setup

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 11:44:24 +02:00

247 lines
9.4 KiB
Markdown
Raw Blame History

# Infrastructure Upgrade Proposal: xtrm-lab.org (v2)
## Current Infrastructure State
**Document Updated:** 2026-01-22
**Target Domain:** xtrm-lab.org
---
## Network Topology
### MikroTik hAP ax³ Router (192.168.31.1)
| Parameter | Value |
|-----------|-------|
| RouterOS Version | 7.20.6 (stable) |
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1` |
**SSH Users:**
- `xtrm` - Primary admin user (key auth issues)
- `unraid` - Secondary admin user (key-based from Unraid) ✓ Working
**Interfaces:**
- `ether1` - WAN (62.73.120.142/23)
- `bridge` - LAN (192.168.31.1/24)
- `docker-bridge` - Container network (172.17.0.1/24)
- `back-to-home-vpn` - WireGuard VPN (192.168.216.1/24)
**Running Containers on MikroTik:**
| Container | IP | Storage | Purpose |
|-----------|-----|---------|---------|
| tailscale:latest | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client |
| adguardhome:latest | 172.17.0.5 | usb1/agh2 | DNS sinkhole with DoH/DoT/DoQ |
**Stopped Containers:**
| Container | Issue |
|-----------|-------|
| unbound:latest | exited with status 1 |
**AdGuard Home Configuration (172.17.0.5):**
| Service | Port | Protocol | Status |
|---------|------|----------|--------|
| DNS | 5355 | UDP/TCP | Active (NAT from 53) |
| Web UI | 80 | HTTP | Active |
| DoH (DNS-over-HTTPS) | 443 | HTTPS | Active (TLS) |
| DoT (DNS-over-TLS) | 853 | TCP | Active (TLS) |
| DoQ (DNS-over-QUIC) | 8853 | UDP | Active (TLS) |
**AdGuard Home Blocklists:**
- StevenBlack Hosts
- Hagezi Pro
- Hagezi NSFW
**AdGuard Home Custom Rules:**
- ||dv-eu-prod.sentinelone.net^
- ||euce1-soc360.sentinelone.net^
- ||ampeco.jamfcloud.com^
- ||*.jamfcloud.com^
**TLS Certificate:** Let's Encrypt wildcard cert for `*.xtrm-lab.org`
**Server Name:** `dns.xtrm-lab.org`
**Certificate Expiry:** 2026-04-02
**⚠️ IMPORTANT:** Do NOT stop/restart the AdGuard Home container - MikroTik has a bug where the root directory disappears when container stops.
### MikroTik CSS326-24G-2S+ Switch (192.168.31.9)
| Parameter | Value |
|-----------|-------|
| Role | Managed Layer 2 Switch |
| Model | CSS326-24G-2S+ |
| Ports | 24x Gigabit + 2x SFP |
| OS | SwOS (MikroTik Switch OS) |
| Web UI | http://192.168.31.9/index.html |
### MikroTik cAP ac (192.168.31.6)
| Parameter | Value |
|-----------|-------|
| Role | CAPsMAN Managed Access Point |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |
---
## Unraid Server (192.168.31.2)
**Tailscale IP:** 100.100.208.70
**SSH Access:** `ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422`
### Docker Networks
| Network | Subnet | Purpose |
|---------|--------|---------|
| dockerproxy | 172.18.0.0/16 | Traefik-accessible services |
| netbox | 172.24.0.0/16 | NetBox stack |
| slurpit_slurpit-network | Auto | Slurp'it stack |
| br0 | 192.168.31.0/24 | LAN macvlan |
| bridge | 172.17.0.0/16 | Default Docker bridge |
| host | - | Host network stack |
### Key Services
| Service | Container | Static IP | External URL |
|---------|-----------|-----------|--------------|
| **Core Infrastructure** |
| Reverse Proxy | traefik | 172.18.0.3 | traefik.xtrm-lab.org |
| Docker Socket | dockersocket | 172.18.0.2 | - |
| Dashboard | homarr | 172.18.0.4 | xtrm-lab.org |
| **Security** |
| Identity Provider | authentik | 172.18.0.11 | auth.xtrm-lab.org |
| Authentik Worker | authentik-worker | 172.18.0.12 | - |
| Password Manager | vaultwarden | 172.18.0.15 | vault.xtrm-lab.org |
| **Databases** |
| PostgreSQL | postgresql17 | 172.18.0.13 | - |
| Redis | Redis | 172.18.0.14 | - |
| **DNS (Unraid - Secondary)** |
| Pi-hole (Unraid) | binhex-official-pihole | 192.168.31.4 | ph1.xtrm-lab.org |
| Unbound (Unraid) | unbound | 192.168.31.5 | - |
| DoH Server | DoH-Server | 172.18.0.22 | doh.xtrm-lab.org |
| nebula-sync | nebula-sync | - | ⚠️ Crash-looping (incompatible with AdGuard) |
| **DevOps** |
| Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org |
| CI/CD Agent | woodpecker-agent | 172.18.0.33 | - |
| **Network Management** |
| NetBox | netbox | 172.24.0.5 | netbox.xtrm-lab.org |
| NetDisco Web | netdisco-web | 172.18.0.41 | netdisco.xtrm-lab.org |
| Unimus | unimus | host | unimus.xtrm-lab.org |
| **Monitoring** |
| Uptime Kuma | UptimeKuma | 172.18.0.20 | uptime.xtrm-lab.org |
| NetAlertX | NetAlertX | host | netalert.xtrm-lab.org |
| Speedtest Tracker | speedtest-tracker | 172.18.0.21 | speedtest.xtrm-lab.org |
| **Media & Storage** |
| Plex | plex | host | plex.xtrm-lab.org |
| Nextcloud | Nextcloud | 172.18.0.24 | nextcloud.xtrm-lab.org |
| **Remote Access** |
| RustDesk ID | rustdesk-hbbs | bridge | rustdesk.xtrm-lab.org |
| RustDesk Relay | rustdesk-hbbr | bridge | - |
---
## DNS Architecture
```
┌─────────────────────────────────────┐
│ Internet │
│ (DoH/DoT/DoQ: dns.xtrm-lab.org) │
└───────────────┬─────────────────────┘
┌───────────────▼─────────────────────┐
│ MikroTik hAP ax³ (192.168.31.1) │
│ Ports: 443(DoH), 853(DoT), │
│ 8853(DoQ), 53→5355(DNS) │
└───────────────┬─────────────────────┘
┌────────────────────────┼────────────────────────┐
│ │ │
▼ ▼ ▼
┌──────────────────────┐ ┌──────────────────┐ ┌──────────────────┐
│ AdGuard Home │ │ Unraid Server │ │ LAN Devices │
│ 172.17.0.5:5355 │ │ 192.168.31.2 │ │ 192.168.31.x │
│ PRIMARY DNS │ │ │ │ │
│ DoH/DoT/DoQ Server │ └────────┬─────────┘ └──────────────────┘
└──────────────────────┘ │
┌──────────────────┐
│ Pi-hole (Unraid) │
│ 192.168.31.4 │
│ SECONDARY DNS │
└────────┬─────────┘
┌──────────────────┐
│ Unbound (Unraid) │
│ 192.168.31.5 │
│ Recursive DNS │
└──────────────────┘
```
**Encrypted DNS Endpoints (MikroTik AdGuard Home):**
- **DoH:** `https://dns.xtrm-lab.org/dns-query`
- **DoT:** `tls://dns.xtrm-lab.org:853`
- **DoQ:** `quic://dns.xtrm-lab.org:8853`
**Note:** Pi-hole on Unraid serves as secondary/backup. nebula-sync is disabled (incompatible with AdGuard Home).
---
## Current NAT/Port Forwarding (MikroTik)
| Rule | Protocol | Src/Dst Port | Destination | Purpose |
|------|----------|--------------|-------------|---------|
| Forward HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik HTTP |
| Forward HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik HTTPS |
| Force DNS to AdGuard | UDP | 53→5355 | 172.17.0.5 | LAN DNS redirect |
| Force DNS TCP | TCP | 53→5355 | 172.17.0.5 | LAN DNS redirect |
| AdGuard Web UI | TCP | 80 | 172.17.0.5:80 | Internal web access |
| DoT | TCP | 853 | 172.17.0.5:853 | DNS over TLS |
| DoH (internal) | TCP | 443 | 172.17.0.5:443 | DNS over HTTPS |
| Plex | TCP | 32400 | 192.168.31.2:32400 | Plex Media Server |
| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk Server |
---
## Traefik Configuration
**Entry Points:**
- HTTP (:80) → Redirects to HTTPS
- HTTPS (:443)
**Certificate Resolver:** Cloudflare DNS Challenge
**TLS Certificates Location:** `/mnt/user/appdata/traefik/certs/`
- `xtrm-lab.org.crt` - Wildcard certificate chain
- `xtrm-lab.org.key` - Private key
---
## Migration Data
**AdGuard Migration Config:** `/mnt/user/appdata/adguard-migration.json`
Contains blocklists, custom rules, and client configurations for applying to new AdGuard Home instances.
---
## Backup & Cloud Sync
### Flash Backup Script
- **Script Path:** /boot/config/plugins/user.scripts/scripts/flash-backup/script
- **Schedule:** 0 3 * * * (Daily at 3:00 AM)
- **Retention:** 7 days
- **Cloud Sync:** drive:Backups/unraid-flash
---
## Reference Documents
- [Phase 1: Global DNS Portability](./01-PHASE1-DNS-PORTABILITY.md)
- [Phase 7: Gitea GitOps](./08-PHASE7-GITEA-GITOPS.md)
- [Container IP Assignments](./13-CONTAINER-IP-ASSIGNMENTS.md)
Reference in New Issue View Git Blame Copy Permalink