infrastructure/docs/00-CURRENT-STATE.md
XTRM-Unraid 09209bf863
docs: AdGuard Home on MikroTik - complete setup
- Replaced Pi-hole with AdGuard Home (172.17.0.5:5355)
- Configured DoH/DoT/DoQ with TLS certificates
- Added blocklists: StevenBlack, Hagezi Pro, Hagezi NSFW
- Added custom rules and 6 client devices
- Updated NAT rules for DNS redirect
- Documented MikroTik container root-dir bug
- Saved migration config for Unraid setup

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-22 11:44:24 +02:00


Infrastructure Upgrade Proposal: xtrm-lab.org (v2)

Current Infrastructure State

  • Document Updated: 2026-01-22
  • Target Domain: xtrm-lab.org


Network Topology

MikroTik hAP ax³ Router (192.168.31.1)

| Parameter | Value |
|---|---|
| RouterOS Version | 7.20.6 (stable) |
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1` |

SSH Users:

  • xtrm - Primary admin user (key auth issues)
  • unraid - Secondary admin user (key-based from Unraid) ✓ Working

Interfaces:

  • ether1 - WAN (62.73.120.142/23)
  • bridge - LAN (192.168.31.1/24)
  • docker-bridge - Container network (172.17.0.1/24)
  • back-to-home-vpn - WireGuard VPN (192.168.216.1/24)

Running Containers on MikroTik:

| Container | IP | Storage | Purpose |
|---|---|---|---|
| tailscale:latest | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client |
| adguardhome:latest | 172.17.0.5 | usb1/agh2 | DNS sinkhole with DoH/DoT/DoQ |

Stopped Containers:

| Container | Issue |
|---|---|
| unbound:latest | exited with status 1 |

AdGuard Home Configuration (172.17.0.5):

| Service | Port | Protocol | Status |
|---|---|---|---|
| DNS | 5355 | UDP/TCP | Active (NAT from 53) |
| Web UI | 80 | HTTP | Active |
| DoH (DNS-over-HTTPS) | 443 | HTTPS | Active (TLS) |
| DoT (DNS-over-TLS) | 853 | TCP | Active (TLS) |
| DoQ (DNS-over-QUIC) | 8853 | UDP | Active (TLS) |

AdGuard Home Blocklists:

  • StevenBlack Hosts
  • Hagezi Pro
  • Hagezi NSFW

AdGuard Home Custom Rules:

  • ||dv-eu-prod.sentinelone.net^
  • ||euce1-soc360.sentinelone.net^
  • ||ampeco.jamfcloud.com^
  • ||*.jamfcloud.com^

  • TLS Certificate: Let's Encrypt wildcard cert for *.xtrm-lab.org
  • Server Name: dns.xtrm-lab.org
  • Certificate Expiry: 2026-04-02

⚠️ IMPORTANT: Do NOT stop or restart the AdGuard Home container. RouterOS has a bug where the container's root directory (its storage under usb1/agh2) disappears when the container stops.

MikroTik CSS326-24G-2S+ Switch (192.168.31.9)

| Parameter | Value |
|---|---|
| Role | Managed Layer 2 Switch |
| Model | CSS326-24G-2S+ |
| Ports | 24x Gigabit + 2x SFP |
| OS | SwOS (MikroTik Switch OS) |
| Web UI | http://192.168.31.9/index.html |

MikroTik cAP ac (192.168.31.6)

| Parameter | Value |
|---|---|
| Role | CAPsMAN Managed Access Point |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |

Unraid Server (192.168.31.2)

  • Tailscale IP: 100.100.208.70
  • SSH Access: `ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422`

Docker Networks

| Network | Subnet | Purpose |
|---|---|---|
| dockerproxy | 172.18.0.0/16 | Traefik-accessible services |
| netbox | 172.24.0.0/16 | NetBox stack |
| slurpit_slurpit-network | Auto | Slurp'it stack |
| br0 | 192.168.31.0/24 | LAN macvlan |
| bridge | 172.17.0.0/16 | Default Docker bridge |
| host | - | Host network stack |

Key Services

| Service | Container | Static IP | External URL |
|---|---|---|---|
| **Core Infrastructure** | | | |
| Reverse Proxy | traefik | 172.18.0.3 | traefik.xtrm-lab.org |
| Docker Socket | dockersocket | 172.18.0.2 | - |
| Dashboard | homarr | 172.18.0.4 | xtrm-lab.org |
| **Security** | | | |
| Identity Provider | authentik | 172.18.0.11 | auth.xtrm-lab.org |
| Authentik Worker | authentik-worker | 172.18.0.12 | - |
| Password Manager | vaultwarden | 172.18.0.15 | vault.xtrm-lab.org |
| **Databases** | | | |
| PostgreSQL | postgresql17 | 172.18.0.13 | - |
| Redis | Redis | 172.18.0.14 | - |
| **DNS (Unraid - Secondary)** | | | |
| Pi-hole (Unraid) | binhex-official-pihole | 192.168.31.4 | ph1.xtrm-lab.org |
| Unbound (Unraid) | unbound | 192.168.31.5 | - |
| DoH Server | DoH-Server | 172.18.0.22 | doh.xtrm-lab.org |
| nebula-sync | nebula-sync | - | ⚠️ Crash-looping (incompatible with AdGuard) |
| **DevOps** | | | |
| Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org |
| CI/CD Agent | woodpecker-agent | 172.18.0.33 | - |
| **Network Management** | | | |
| NetBox | netbox | 172.24.0.5 | netbox.xtrm-lab.org |
| NetDisco Web | netdisco-web | 172.18.0.41 | netdisco.xtrm-lab.org |
| Unimus | unimus | host | unimus.xtrm-lab.org |
| **Monitoring** | | | |
| Uptime Kuma | UptimeKuma | 172.18.0.20 | uptime.xtrm-lab.org |
| NetAlertX | NetAlertX | host | netalert.xtrm-lab.org |
| Speedtest Tracker | speedtest-tracker | 172.18.0.21 | speedtest.xtrm-lab.org |
| **Media & Storage** | | | |
| Plex | plex | host | plex.xtrm-lab.org |
| Nextcloud | Nextcloud | 172.18.0.24 | nextcloud.xtrm-lab.org |
| **Remote Access** | | | |
| RustDesk ID | rustdesk-hbbs | bridge | rustdesk.xtrm-lab.org |
| RustDesk Relay | rustdesk-hbbr | bridge | - |

DNS Architecture

                    ┌─────────────────────────────────────┐
                    │           Internet                   │
                    │   (DoH/DoT/DoQ: dns.xtrm-lab.org)   │
                    └───────────────┬─────────────────────┘
                                    │
                    ┌───────────────▼─────────────────────┐
                    │   MikroTik hAP ax³ (192.168.31.1)   │
                    │   Ports: 443(DoH), 853(DoT),        │
                    │          8853(DoQ), 53→5355(DNS)    │
                    └───────────────┬─────────────────────┘
                                    │
           ┌────────────────────────┼────────────────────────┐
           │                        │                        │
           ▼                        ▼                        ▼
┌──────────────────────┐   ┌──────────────────┐    ┌──────────────────┐
│ AdGuard Home         │   │ Unraid Server    │    │ LAN Devices      │
│ 172.17.0.5:5355      │   │ 192.168.31.2     │    │ 192.168.31.x     │
│ PRIMARY DNS          │   │                  │    │                  │
│ DoH/DoT/DoQ Server   │   └────────┬─────────┘    └──────────────────┘
└──────────────────────┘            │
                                    ▼
                           ┌──────────────────┐
                           │ Pi-hole (Unraid) │
                           │ 192.168.31.4     │
                           │ SECONDARY DNS    │
                           └────────┬─────────┘
                                    │
                                    ▼
                           ┌──────────────────┐
                           │ Unbound (Unraid) │
                           │ 192.168.31.5     │
                           │ Recursive DNS    │
                           └──────────────────┘

Encrypted DNS Endpoints (MikroTik AdGuard Home):

  • DoH: https://dns.xtrm-lab.org/dns-query
  • DoT: tls://dns.xtrm-lab.org:853
  • DoQ: quic://dns.xtrm-lab.org:8853

Note: Pi-hole on Unraid serves as secondary/backup. nebula-sync is disabled (incompatible with AdGuard Home).
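An added verification helper, not part of this document or the repository: it builds RFC 8484 DoH GET queries for the documented dns.xtrm-lab.org endpoint and plain UDP queries to the router, so the 53→5355 NAT redirect and the encrypted path can be compared from a LAN host. Function names and the choice of 192.168.31.1 as the plain-DNS target are assumptions; only the DNS header is parsed, which is enough to distinguish a served answer from a timeout or error.

```python
"""Check the AdGuard Home DNS paths (plain UDP via NAT redirect, and DoH)."""
import base64
import socket
import struct
import urllib.request

DOH_ENDPOINT = "https://dns.xtrm-lab.org/dns-query"  # documented DoH endpoint
LAN_DNS = "192.168.31.1"  # router address; NAT rewrites :53 to 172.17.0.5:5355 (assumed target)


def build_dns_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Minimal RFC 1035 query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str, qtype: int = 1, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url, padding stripped, ID fixed at 0 so caches can hit."""
    wire = build_dns_query(name, qtype, qid=0)
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def parse_response(wire: bytes) -> dict:
    """Return the header fields a resolver health check cares about."""
    if len(wire) < 12:
        raise ValueError("truncated DNS message")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])
    return {"qr": bool(flags & 0x8000), "rcode": flags & 0x000F, "answers": ancount}


def query_doh(name: str, qtype: int = 1, endpoint: str = DOH_ENDPOINT, timeout: float = 5) -> dict:
    """Resolve over HTTPS; the Accept header is required by RFC 8484."""
    req = urllib.request.Request(doh_get_url(name, qtype, endpoint),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read())


def query_udp(name: str, server: str = LAN_DNS, port: int = 53, qtype: int = 1, timeout: float = 3) -> dict:
    """Plain UDP to port 53; from the LAN the dstnat rule should land this on AdGuard."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_dns_query(name, qtype, qid), (server, port))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("response ID mismatch")
    return parse_response(data)


if __name__ == "__main__":
    # Second name is one of the documented custom block rules, so both paths should agree on it.
    for host in ("xtrm-lab.org", "dv-eu-prod.sentinelone.net"):
        print(host, "udp:", query_udp(host), "doh:", query_doh(host))
```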


Current NAT/Port Forwarding (MikroTik)

| Rule | Protocol | Src/Dst Port | Destination | Purpose |
|---|---|---|---|---|
| Forward HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik HTTP |
| Forward HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik HTTPS |
| Force DNS to AdGuard | UDP | 53→5355 | 172.17.0.5 | LAN DNS redirect |
| Force DNS TCP | TCP | 53→5355 | 172.17.0.5 | LAN DNS redirect |
| AdGuard Web UI | TCP | 80 | 172.17.0.5:80 | Internal web access |
| DoT | TCP | 853 | 172.17.0.5:853 | DNS over TLS |
| DoH (internal) | TCP | 443 | 172.17.0.5:443 | DNS over HTTPS |
| Plex | TCP | 32400 | 192.168.31.2:32400 | Plex Media Server |
| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk Server |

Traefik Configuration

Entry Points:

  • HTTP (:80) → Redirects to HTTPS
  • HTTPS (:443)

Certificate Resolver: Cloudflare DNS Challenge

TLS Certificates Location: /mnt/user/appdata/traefik/certs/

  • xtrm-lab.org.crt - Wildcard certificate chain
  • xtrm-lab.org.key - Private key

Migration Data

AdGuard Migration Config: /mnt/user/appdata/adguard-migration.json

Contains blocklists, custom rules, and client configurations for applying to new AdGuard Home instances.


Backup & Cloud Sync

Flash Backup Script

  • Script Path: /boot/config/plugins/user.scripts/scripts/flash-backup/script
  • Schedule: 0 3 * * * (Daily at 3:00 AM)
  • Retention: 7 days
  • Cloud Sync: drive:Backups/unraid-flash

Reference Documents