infrastructure/docs/00-CURRENT-STATE.md
jazzymc 4f45ff1ddf
docs: Add Docker organization section and update changelog
- Document FolderView2 categories (10 categories, 38 containers)
- Note Dazzle Line Icons collection for folder icons
- Log container icon fixes (rustfs, gitea, woodpecker)
- Log FolderView2 reorganization
2026-01-18 18:41:09 +02:00


Infrastructure Upgrade Proposal: xtrm-lab.org (v2)

Current Infrastructure State

Document Updated: 2026-01-18
Target Domain: xtrm-lab.org


Network Topology

MikroTik hAP ax³ Router (192.168.31.1)

| Parameter | Value |
|---|---|
| RouterOS Version | 7.20.6 (stable) |
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1` |

Interfaces:

  • ether1 - WAN (62.73.120.142/23)
  • bridge - LAN (192.168.31.1/24)
  • docker-bridge - Container network (172.17.0.1/24)
  • back-to-home-vpn - WireGuard VPN (192.168.216.1/24)

Running Containers on MikroTik:

| Container | IP | Purpose |
|---|---|---|
| pihole:latest | 172.17.0.2 | DNS sinkhole (Pi-hole v6) |
| unbound:latest | 172.17.0.3 | Recursive DNS resolver |

Unraid Server (192.168.31.2)

Tailscale IP: 100.100.208.70

Key Services:

| Service | Container Name | Port(s) | Network | External URL |
|---|---|---|---|---|
| Portainer | portainer | 9002→9000, 9444→9443 | bridge | http://100.100.208.70:9002 (Tailscale) |
| Pi-hole | binhex-official-pihole | 53, 80, 67 | br0 (192.168.31.4) | ph1.xtrm-lab.org |
| Unbound | unbound | 53 | br0 (192.168.31.5) | - |
| Traefik | traefik | 8001→80, 44301→443 | dockerproxy | traefik.xtrm-lab.org |
| Authentik | authentik | 9000, 9443 | dockerproxy | auth.xtrm-lab.org |
| Authentik Worker | authentik-worker | - | authentik | - |
| Vaultwarden | vaultwarden | 4743→80 | bridge | vault.xtrm-lab.org |
| Plex | plex | 32400 | host | plex.xtrm-lab.org |
| Home Assistant | HomeAssistant_inabox | 8123 | host (192.168.31.15) | ha.xtrm-lab.org |
| Transmission | transmission | 9091, 51413 | bridge | - |
| Nextcloud | Nextcloud | 8666→80 | bridge | - |
| PostgreSQL | postgresql17 | 5432 | bridge | - |
| Redis | Redis | 6379 | bridge | - |
| Uptime Kuma | UptimeKuma | 3001 | bridge | - |
| NetAlertX | NetAlertX | 20211 | host | netalert.xtrm-lab.org |
| UrBackup | UrBackup | 55414 | host | urbackup.xtrm-lab.org |
| Homarr | homarr | 10004→7575 | bridge | - |
| Nebula Sync | nebula-sync | - | - | Pi-hole sync |
| DoH Server | DoH-Server | 8053 | dockerproxy | doh.xtrm-lab.org |
| stunnel DoT | stunnel-dot | 853 | bridge | dns.xtrm-lab.org:853 |
| Pangolin | pangolin | 3003→3001, 3004→3002 | bridge | Fossorial controller |
| Gitea | gitea | 3005→3000, 2222→22 | dockerproxy | git.xtrm-lab.org |
| Woodpecker Server | woodpecker-server | 8008→8000 | dockerproxy | ci.xtrm-lab.org |
| Woodpecker Agent | woodpecker-agent | - | dockerproxy | - |
| RustDesk ID | rustdesk-hbbs | 21115-21116, 21118-21119 | bridge | rustdesk.xtrm-lab.org |
| RustDesk Relay | rustdesk-hbbr | 21117 | bridge | rustdesk.xtrm-lab.org |

Current NAT/Port Forwarding (MikroTik)

| Rule | Protocol | WAN Port | Destination | Purpose |
|---|---|---|---|---|
| Forward HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik HTTP |
| Forward HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik HTTPS |
| Plex | TCP | 32400 | 192.168.31.2:32400 | Plex Media Server |
| Transmission | TCP/UDP | 51413 | 192.168.31.2:51413 | BitTorrent |
| DoT | TCP | 853 | 172.17.0.2:853 | DNS over TLS |
| DoH | TCP/UDP | 5443 | 172.17.0.2:443 | DNS over HTTPS |
| DNS Force | UDP/TCP | 53 | 172.17.0.2:53 | Force LAN DNS to Pi-hole |
| RustDesk NAT Test | TCP | 21115 | 192.168.31.2:21115 | RustDesk NAT Test |
| RustDesk ID TCP | TCP | 21116 | 192.168.31.2:21116 | RustDesk ID Server |
| RustDesk ID UDP | UDP | 21116 | 192.168.31.2:21116 | RustDesk ID Server |
| RustDesk Relay | TCP | 21117 | 192.168.31.2:21117 | RustDesk Relay |

Current WireGuard Configuration

Interface: back-to-home-vpn

  • Listen Port: 59188
  • Address: 192.168.216.1/24
  • Public Key: 3e+p++SJ6f5EURt6WCKApOLMQHWpURm/vn/0s9+EKzs=

Existing Peers:

  1. hAP ax³ (secondary device)
  2. Kaloyan's S25 Ultra (mobile)
  3. Additional peer (unnamed)

Traefik Configuration

Entry Points:

  • HTTP (:80) → Redirects to HTTPS
  • HTTPS (:443)

Certificate Resolver: Cloudflare DNS Challenge

Existing Middlewares:

  • default-headers - Security headers (HSTS, XSS protection, etc.)
  • authentik-forward-auth - Forward auth to Authentik (configured but not applied)
  • pihole1-redirect / pihole2-redirect - Redirect root to /admin/

Authentik Configuration

| Parameter | Value |
|---|---|
| Version | 2025.8.1 |
| URL | auth.xtrm-lab.org |
| PostgreSQL Host | postgresql17 |
| Database | authentik_db |
| Redis Host | redis |
| Network | dockerproxy |

Status: Deployed but not yet integrated with services


Portainer Configuration (Phase 6)

| Parameter | Value |
|---|---|
| Version | CE Latest |
| HTTP Port | 9002 |
| HTTPS Port | 9444 |
| Data Path | /mnt/user/appdata/portainer |
| Tailscale URL | http://100.100.208.70:9002 |
| Local URL | http://192.168.31.2:9002 |

Status: Deployed, awaiting initial setup and MikroTik connection (Phase 6.2/6.3)


DNS Architecture

                    ┌─────────────────────────────────────┐
                    │           Internet                   │
                    └───────────────┬─────────────────────┘
                                    │
                    ┌───────────────▼─────────────────────┐
                    │   MikroTik hAP ax³ (192.168.31.1)   │
                    │   WAN: 62.73.120.142                │
                    └───────────────┬─────────────────────┘
                                    │
           ┌────────────────────────┼────────────────────────┐
           │                        │                        │
           ▼                        ▼                        ▼
┌──────────────────┐   ┌──────────────────┐    ┌──────────────────┐
│ Pi-hole (Router) │   │ Unraid Server    │    │ LAN Devices      │
│ 172.17.0.2       │   │ 192.168.31.2     │    │ 192.168.31.x     │
│ Primary DNS      │   │                  │    │                  │
└────────┬─────────┘   └────────┬─────────┘    └──────────────────┘
         │                      │
         ▼                      ▼
┌──────────────────┐   ┌──────────────────┐
│ Unbound (Router) │   │ Unbound (Unraid) │
│ 172.17.0.3       │   │ 192.168.31.5     │
│ Recursive DNS    │   │ Recursive DNS    │
└──────────────────┘   └──────────────────┘
                               │
                               ▼
                       ┌──────────────────┐
                       │ Pi-hole (Unraid) │
                       │ 192.168.31.4     │
                       │ Secondary DNS    │
                       └──────────────────┘

Service Interruption Risk Assessment

| Phase | Component | Interruption Risk | Mitigation |
|---|---|---|---|
| 1 | Tailscale Integration | LOW | Add-on service, no changes to existing |
| 1 | DoH Endpoint | LOW | New endpoint, existing DNS unaffected |
| 2 | Pangolin/Gerbil | MEDIUM | New containers, may conflict with WG port 51820 |
| 2 | Newt Connector | LOW | Outbound only |
| 3 | Authentik Forward Auth | HIGH | Will gate all services - test thoroughly |
| 4 | Sunshine/Moonlight | LOW | New service, Tailscale-only access |
| 5 | RustDesk | MEDIUM | New ports required on MikroTik |
| 6 | Portainer | LOW | Management tool only, no service impact |

Ports Required for Full Implementation

New MikroTik Port Forwards Needed:

| Service | Protocol | Port(s) | Destination | Phase |
|---|---|---|---|---|
| WireGuard (Fossorial) | UDP | 51820 | 192.168.31.2:51820 | 2 |
| RustDesk ID TCP | TCP | 21115-21117 | 192.168.31.2:21115-21117 | 5 |
| RustDesk Relay | TCP | 21118-21119 | 192.168.31.2:21118-21119 | 5 |
| RustDesk NAT | UDP | 21116 | 192.168.31.2:21116 | 5 |
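A pre-flight check before adding the forwards above: expand each planned rule to its individual (protocol, port) sockets and compare them with the rules already in the current NAT table, so a new dst-nat rule never silently shadows an existing one (the RustDesk entries above already overlap rows in the current table). This is an added example, not code from the xtrm-lab repository; the rule lists are constructed from this page's two tables, and treating the router's own SSH (2222/TCP) and WireGuard (59188/UDP) listeners as reserved is an assumption.

```python
"""Check planned MikroTik port forwards against the existing NAT table.
Added example (not the repo's code); rule lists are constructed from this page's tables."""

# (rule name, protocols, WAN port or range) from "Current NAT/Port Forwarding"
EXISTING = [
    ("Forward HTTP", "TCP", "80"), ("Forward HTTPS", "TCP", "443"),
    ("Plex", "TCP", "32400"), ("Transmission", "TCP/UDP", "51413"),
    ("DoT", "TCP", "853"), ("DoH", "TCP/UDP", "5443"), ("DNS Force", "UDP/TCP", "53"),
    ("RustDesk NAT Test", "TCP", "21115"), ("RustDesk ID TCP", "TCP", "21116"),
    ("RustDesk ID UDP", "UDP", "21116"), ("RustDesk Relay", "TCP", "21117"),
]
# Services the router itself listens on (SSH port and WireGuard listen port from this page);
# assumption: a forward on one of these would shadow the router's own service
ROUTER_LOCAL = [("RouterOS SSH", "TCP", "2222"), ("back-to-home-vpn", "UDP", "59188")]
# "New MikroTik Port Forwards Needed"
PLANNED = [
    ("WireGuard (Fossorial)", "UDP", "51820"), ("RustDesk ID TCP", "TCP", "21115-21117"),
    ("RustDesk Relay", "TCP", "21118-21119"), ("RustDesk NAT", "UDP", "21116"),
]

def expand(rule):
    """Yield every (proto, port) a rule covers; 'TCP/UDP' and '21115-21117' are expanded."""
    _, protos, ports = rule
    lo, _, hi = ports.partition("-")
    for proto in protos.upper().split("/"):
        for port in range(int(lo), int(hi or lo) + 1):
            yield proto, port

def find_conflicts(planned, existing):
    """Return (planned name, owner name, proto, port) for each WAN socket already in use."""
    taken = {}
    for rule in existing:
        for key in expand(rule):
            taken.setdefault(key, rule[0])  # first rule wins, as the NAT chain would
    return [(rule[0], taken[key], *key) for rule in planned for key in expand(rule) if key in taken]

if __name__ == "__main__":
    for new, owner, proto, port in find_conflicts(PLANNED, EXISTING + ROUTER_LOCAL):
        print(f"{new}: {proto}/{port} is already forwarded or used by {owner}")
```

Run against the page's own tables it reports the three TCP ports of the planned RustDesk ID range and UDP 21116, all of which the current NAT table already forwards.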

Next Steps

Proceed to individual phase documents:

  1. Phase 1: Global DNS Portability
  2. Phase 2: Fossorial Tunnel Stack
  3. Phase 3: Identity & Zero Trust
  4. Phase 4: Remote Gaming
  5. Phase 5: RustDesk Setup
  6. Phase 6: Portainer Management

Completed Infrastructure Tasks

Static IP Assignment for Critical Services

Status: COMPLETED (2026-01-18)
Priority: High
Reason: Critical services should have static IPs outside the DHCP/dynamic lease range to prevent IP conflicts and ensure reliable inter-container communication.

dockerproxy Network (172.18.0.0/16)

Static IP range: 172.18.0.2 - 172.18.0.50

| Service | Static IP |
|---|---|
| dockersocket | 172.18.0.2 |
| traefik | 172.18.0.3 |
| authentik | 172.18.0.11 |
| authentik-worker | 172.18.0.12 |
| postgresql17 | 172.18.0.13 |
| Redis | 172.18.0.14 |
| vaultwarden | 172.18.0.15 |

bridge Network (172.17.0.0/16)

Static IP range: 172.17.0.2 - 172.17.0.50

| Service | Static IP |
|---|---|
| portainer | 172.17.0.2 |
| rustdesk-hbbs | 172.17.0.3 |
| rustdesk-hbbr | 172.17.0.4 |

Implementation Steps

  1. Update Docker network IPAM config to reserve static range
  2. Recreate critical containers with --ip flag or docker-compose static IP
  3. Update any hardcoded references to old IPs
  4. Test inter-container connectivity
  5. Document final IP assignments

Note: IPs were assigned with `docker network connect --ip`, which does not survive container recreation. To persist them, update the Unraid Docker templates or use docker-compose.
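A pre-flight check for the plan above, covering step 1 (what to reserve in the IPAM config) and step 5 (validating the documented assignments): it verifies each static IP sits inside its network's reserved range, is not the gateway and is not assigned twice, and computes the single `--ip-range` CIDR that keeps Docker's dynamic leases clear of the reserved block. This is an added example, not code from the xtrm-lab repository; the subnets, ranges and assignments are taken from the tables above, and "gateway is the first host address" is an assumption about Docker's default bridge IPAM.

```python
"""Audit the static-IP plan for the Unraid Docker networks (dockerproxy and bridge).
Added example, not the repo's code; network specs and assignments come from this page's tables."""
import ipaddress

# (subnet, first static IP, last static IP) from the "Static IP Assignment" section
NETWORKS = {
    "dockerproxy": ("172.18.0.0/16", "172.18.0.2", "172.18.0.50"),
    "bridge": ("172.17.0.0/16", "172.17.0.2", "172.17.0.50"),
}
ASSIGNMENTS = {
    "dockerproxy": {"dockersocket": "172.18.0.2", "traefik": "172.18.0.3", "authentik": "172.18.0.11",
                    "authentik-worker": "172.18.0.12", "postgresql17": "172.18.0.13",
                    "Redis": "172.18.0.14", "vaultwarden": "172.18.0.15"},
    "bridge": {"portainer": "172.17.0.2", "rustdesk-hbbs": "172.17.0.3", "rustdesk-hbbr": "172.17.0.4"},
}

def audit(networks, assignments):
    """List every assignment that is outside its subnet or reserved range, on the gateway, or duplicated."""
    problems = []
    for net, members in assignments.items():
        subnet_s, lo_s, hi_s = networks[net]
        subnet = ipaddress.ip_network(subnet_s)
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        owner = {}
        for name, ip_s in members.items():
            ip = ipaddress.ip_address(ip_s)
            if ip not in subnet:
                problems.append(f"{net}/{name}: {ip} is outside {subnet}")
            elif ip == subnet.network_address + 1:  # assumption: Docker's default gateway address
                problems.append(f"{net}/{name}: {ip} is the gateway")
            elif not lo <= ip <= hi:
                problems.append(f"{net}/{name}: {ip} is outside the reserved range {lo}-{hi}")
            if ip in owner:
                problems.append(f"{net}/{name}: {ip} is already assigned to {owner[ip]}")
            owner.setdefault(ip, name)
    return problems

def dynamic_pool(subnet_s, static_hi_s):
    """Largest single CIDR in the subnet that starts after the static range; Docker's --ip-range
    takes one CIDR, so this is the value that keeps dynamic leases off the reserved addresses."""
    subnet = ipaddress.ip_network(subnet_s)
    first_free = ipaddress.ip_address(static_hi_s) + 1
    blocks = ipaddress.summarize_address_range(first_free, subnet.broadcast_address)
    return str(max(blocks, key=lambda b: b.num_addresses))

if __name__ == "__main__":
    print("\n".join(audit(NETWORKS, ASSIGNMENTS)) or "static IP plan OK")
    for net, (subnet, _, hi) in NETWORKS.items():
        print(f"{net}: --subnet {subnet} --ip-range {dynamic_pool(subnet, hi)}")
```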


Unraid Docker Organization

FolderView2 Plugin

Docker containers are organized into categories using the FolderView2 plugin.

Icon Collection: Dazzle Line Icons from SVGRepo

Categories:

| Category | Containers | Icon |
|---|---|---|
| Infrastructure | traefik, unbound, binhex-official-pihole, DoH-Server, stunnel-dot, pangolin, dockersocket, nebula-sync | network.svg |
| Security | authentik, authentik-worker, vaultwarden | shield-lock.svg |
| Monitoring | UptimeKuma, Uptime-Kuma-API, AutoKuma, NetAlertX, speedtest-tracker | monitoring.svg |
| DevOps | gitea, woodpecker-server, woodpecker-agent, postgresql17, Redis, pgAdmin4 | database-03.svg |
| Media | plex, Libation, transmission | media-play-circle.svg |
| Storage/Backup | rustfs, UrBackup, TimeMachine, Nextcloud | clock-rewind.svg |
| Productivity | actual-budget, n8n, karakeep, homarr | dashboard.svg |
| Smart Home | HomeAssistant_inabox | smart-home.svg |
| Remote Access | rustdesk-hbbs, rustdesk-hbbr | remote.svg |
| Management | portainer, unimus | settings.svg |

Config Location: /boot/config/plugins/folder.view2/docker.json