XTRM-Unraid
9226e1494b
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
- Fixed MikroTik AdGuard container persistence (disk1 root + usb1 mount) - Deployed AdGuard Home on Unraid at 192.168.31.4 (replacing Pi-hole) - Synced configuration: 6 clients, Quad9 DoH, TLS certs, filtering rules - Added Mermaid diagrams for network topology and DNS architecture
8.0 KiB
8.0 KiB
Infrastructure Current State: xtrm-lab.org
Document Updated: 2026-01-22
Target Domain: xtrm-lab.org
Network Topology Diagram
graph TB
subgraph Internet
WAN["WAN: 62.73.120.142"]
DNS_EXT["dns.xtrm-lab.org<br/>DoH/DoT/DoQ"]
end
subgraph MikroTik["MikroTik hAP ax³ (192.168.31.1)"]
ROUTER["RouterOS 7.20.6"]
subgraph MK_Containers["Docker Containers"]
AGH_MK["AdGuard Home<br/>172.17.0.5:5355<br/>PRIMARY DNS"]
TS["Tailscale<br/>172.17.0.4"]
end
end
subgraph Switch["CSS326-24G-2S+ (192.168.31.9)"]
SW["24-Port Managed Switch"]
end
subgraph AP["cAP ac (192.168.31.6)"]
WIFI["CAPsMAN AP"]
end
subgraph Unraid["Unraid Server (192.168.31.2)"]
subgraph Core["Core Services"]
TRAEFIK["Traefik<br/>172.18.0.3"]
HOMARR["Homarr<br/>172.18.0.4"]
end
subgraph Security["Security"]
AUTH["Authentik<br/>172.18.0.11"]
VAULT["Vaultwarden<br/>172.18.0.15"]
end
subgraph DNS_Unraid["DNS Services"]
AGH_UR["AdGuard Home<br/>192.168.31.4:53<br/>SECONDARY DNS"]
UNBOUND["Unbound<br/>192.168.31.5"]
end
subgraph DevOps["DevOps"]
GITEA["Gitea<br/>172.18.0.31"]
WOODPECKER["Woodpecker CI<br/>172.18.0.32"]
end
subgraph Monitoring["Monitoring"]
UPTIME["Uptime Kuma<br/>172.18.0.20"]
NETBOX["NetBox<br/>172.24.0.5"]
end
subgraph Media["Media"]
PLEX["Plex"]
NEXTCLOUD["Nextcloud<br/>172.18.0.24"]
end
end
subgraph LAN["LAN Devices (192.168.31.x)"]
CLIENTS["Clients"]
end
WAN --> ROUTER
DNS_EXT --> ROUTER
ROUTER --> AGH_MK
ROUTER --> TS
ROUTER --> SW
SW --> Unraid
SW --> AP
AP --> CLIENTS
SW --> CLIENTS
AGH_MK -.->|"Upstream DoH"| QUAD9["Quad9 DNS"]
AGH_UR -.->|"Upstream DoH"| QUAD9
CLIENTS -->|"DNS Queries"| AGH_MK
CLIENTS -.->|"Failover"| AGH_UR
MikroTik hAP ax³ Router (192.168.31.1)
| Parameter | Value |
|---|---|
| RouterOS Version | 7.20.6 (stable) |
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
| SSH Access | Port 2222, user: jazzymc |
Interfaces:
ether1- WAN (62.73.120.142/23)bridge- LAN (192.168.31.1/24)docker-bridge- Container network (172.17.0.1/24)back-to-home-vpn- WireGuard VPN (192.168.216.1/24)
Running Containers on MikroTik
| Container | IP | Storage | Purpose |
|---|---|---|---|
| tailscale | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client |
| adguardhome | 172.17.0.5 | disk1/agh-root + usb1 mount | DNS with DoH/DoT/DoQ |
AdGuard Home (MikroTik) - PRIMARY DNS
| Service | Port | Protocol | Status |
|---|---|---|---|
| DNS | 5355 (NAT from 53) | UDP/TCP | Active |
| Web UI | 80 | HTTP | Active |
| DoH | 443 | HTTPS | Active |
| DoT | 853 | TCP | Active |
| DoQ | 8853 | UDP | Active |
Configuration:
- Upstream: Quad9 DoH (https://dns10.quad9.net/dns-query)
- TLS Certificate: Let's Encrypt wildcard (*.xtrm-lab.org)
- Server Name: dns.xtrm-lab.org
- Certificate Expiry: 2026-04-02
- Credentials: jazzymc / 7RqWElENNbZnPW
Persistence: root-dir on disk1 + data mount on usb1 (survives container restart)
MikroTik CSS326-24G-2S+ Switch (192.168.31.9)
| Parameter | Value |
|---|---|
| Role | Managed Layer 2 Switch |
| Ports | 24x Gigabit + 2x SFP |
| OS | SwOS |
| Web UI | http://192.168.31.9 |
MikroTik cAP ac (192.168.31.6)
| Parameter | Value |
|---|---|
| Role | CAPsMAN Managed Access Point |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |
Unraid Server (192.168.31.2)
Tailscale IP: 100.100.208.70
SSH Access: ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422
Docker Networks
| Network | Subnet | Purpose |
|---|---|---|
| br0 | 192.168.31.0/24 | LAN macvlan (AdGuard Home) |
| dockerproxy | 172.18.0.0/16 | Traefik-accessible services |
| netbox | 172.24.0.0/16 | NetBox stack |
| bridge | 172.17.0.0/16 | Default Docker bridge |
Key Services
| Service | Container | IP | External URL |
|---|---|---|---|
| Core | |||
| Reverse Proxy | traefik | 172.18.0.3 | traefik.xtrm-lab.org |
| Dashboard | homarr | 172.18.0.4 | xtrm-lab.org |
| Security | |||
| Identity Provider | authentik | 172.18.0.11 | auth.xtrm-lab.org |
| Password Manager | vaultwarden | 172.18.0.15 | vault.xtrm-lab.org |
| DNS | |||
| AdGuard Home | adguardhome | 192.168.31.4 | - |
| Unbound | unbound | 192.168.31.5 | - |
| DevOps | |||
| Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org |
| Monitoring | |||
| Uptime Kuma | UptimeKuma | 172.18.0.20 | uptime.xtrm-lab.org |
| NetBox | netbox | 172.24.0.5 | netbox.xtrm-lab.org |
| Media | |||
| Plex | plex | host | plex.xtrm-lab.org |
| Nextcloud | Nextcloud | 172.18.0.24 | nextcloud.xtrm-lab.org |
| Remote Access | |||
| RustDesk | rustdesk-hbbs/hbbr | bridge | rustdesk.xtrm-lab.org |
AdGuard Home (Unraid) - SECONDARY DNS
| Setting | Value |
|---|---|
| IP Address | 192.168.31.4 |
| Network | br0 (macvlan) |
| Web UI | http://192.168.31.4:3000 |
| DNS | 192.168.31.4:53 |
| DoT | 192.168.31.4:853 |
| Credentials | jazzymc / 7RqWElENNbZnPW |
Configuration (synced with MikroTik):
- Upstream: Quad9 DoH
- TLS Certificate: Let's Encrypt wildcard
- 6 Clients configured
- Custom filtering rules (SentinelOne, Jamf)
Data Location: /mnt/user/appdata/adguardhome/
Stopped Services:
- binhex-official-pihole (replaced by AdGuard Home)
- nebula-sync (incompatible with AdGuard Home)
DNS Architecture
flowchart TB
subgraph External["External Access"]
DOH["DoH: https://dns.xtrm-lab.org/dns-query"]
DOT["DoT: tls://dns.xtrm-lab.org:853"]
DOQ["DoQ: quic://dns.xtrm-lab.org:8853"]
end
subgraph MikroTik["MikroTik Router"]
NAT["NAT: 53 → 5355"]
AGH1["AdGuard Home<br/>172.17.0.5:5355<br/>PRIMARY"]
end
subgraph Unraid["Unraid Server"]
AGH2["AdGuard Home<br/>192.168.31.4:53<br/>SECONDARY"]
end
subgraph Upstream["Upstream DNS"]
Q9["Quad9 DoH<br/>dns10.quad9.net"]
end
subgraph Clients["LAN Clients"]
C1["IPhone Dancho"]
C2["IPhone Kimi"]
C3["Laptop Dari"]
C4["Laptop Kimi"]
C5["PC Dancho"]
C6["ROG Ally Teodor"]
end
External --> MikroTik
Clients -->|"Primary"| NAT
NAT --> AGH1
Clients -.->|"Failover"| AGH2
AGH1 --> Q9
AGH2 --> Q9
Configured Clients (Both AdGuard Instances)
| Client | MAC Address | Tags |
|---|---|---|
| IPhone (Dancho) | f2:b8:14:61:c8:27 | - |
| IPhone (Kimi) | 2a:2b:ba:86:d4:af | user_child |
| Laptop (Dari) | 34:f6:4b:b3:14:83 | user_child |
| Laptop (Kimi) | 90:91:64:70:0d:86 | user_child |
| PC (Dancho) | 70:85:c2:75:64:e5 | - |
| ROG Ally (Teodor) | cc:5e:f8:d3:37:d3 | user_child |
Custom Filtering Rules
||dv-eu-prod.sentinelone.net^
||euce1-soc360.sentinelone.net^
||ampeco.jamfcloud.com^
||*.jamfcloud.com^
NAT/Port Forwarding (MikroTik)
| Rule | Protocol | Port | Destination | Purpose |
|---|---|---|---|---|
| HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik |
| HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik |
| DNS UDP | UDP | 53→5355 | 172.17.0.5 | AdGuard Home |
| DNS TCP | TCP | 53→5355 | 172.17.0.5 | AdGuard Home |
| DoT | TCP | 853 | 172.17.0.5 | DNS over TLS |
| DoQ | UDP | 8853 | 172.17.0.5 | DNS over QUIC |
| Plex | TCP | 32400 | 192.168.31.2 | Plex Media |
| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk |