infrastructure/docs/00-CURRENT-STATE.md
XTRM-Unraid e870bddac8 docs: Update for NetBox Discovery (Diode) setup and Slurpit removal
- Removed Slurpit section from current state (stack removed)
- Added NetBox Discovery (Diode) architecture documentation
- Added NetDisco to NetBox sync script documentation
- Updated network diagram with Diode components
- Added changelog entries for 2026-01-23

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-23 17:46:56 +02:00


Infrastructure Current State: xtrm-lab.org

Document Updated: 2026-01-23

Target Domain: xtrm-lab.org


Network Topology Diagram

```mermaid
graph TB
    subgraph Internet
        WAN["WAN: 62.73.120.142"]
        DNS_EXT["dns.xtrm-lab.org<br/>DoH/DoT/DoQ"]
    end

    subgraph MikroTik["MikroTik hAP ax³ (192.168.31.1)"]
        ROUTER["RouterOS 7.20.6"]
        subgraph MK_Containers["Docker Containers"]
            AGH_MK["AdGuard Home<br/>172.17.0.5:5355<br/>PRIMARY DNS"]
            TS["Tailscale<br/>172.17.0.4"]
        end
    end

    subgraph Switch["CSS326-24G-2S+ (192.168.31.9)"]
        SW["24-Port Managed Switch"]
    end

    subgraph AP["cAP ac (192.168.31.6)"]
        WIFI["CAPsMAN AP"]
    end

    subgraph Unraid["Unraid Server (192.168.31.2)"]
        subgraph Core["Core Services"]
            TRAEFIK["Traefik<br/>172.18.0.3"]
            HOMARR["Homarr<br/>172.18.0.4"]
        end
        subgraph Security["Security"]
            AUTH["Authentik<br/>172.18.0.11"]
            VAULT["Vaultwarden<br/>172.18.0.15"]
        end
        subgraph DNS_Unraid["DNS Services"]
            AGH_UR["AdGuard Home<br/>192.168.31.4:53<br/>SECONDARY DNS"]
            UNBOUND["Unbound<br/>192.168.31.5"]
        end
        subgraph DevOps["DevOps"]
            GITEA["Gitea<br/>172.18.0.31"]
            WOODPECKER["Woodpecker CI<br/>172.18.0.32"]
        end
        subgraph Monitoring["Monitoring"]
            UPTIME["Uptime Kuma<br/>172.18.0.20"]
            NETBOX["NetBox<br/>172.18.0.61"]
            DIODE["NetBox Discovery<br/>172.24.0.10"]
        end
        subgraph Media["Media"]
            PLEX["Plex"]
            NEXTCLOUD["Nextcloud<br/>172.18.0.24"]
        end
    end

    subgraph LAN["LAN Devices (192.168.31.x)"]
        CLIENTS["Clients"]
    end

    WAN --> ROUTER
    DNS_EXT --> ROUTER
    ROUTER --> AGH_MK
    ROUTER --> TS
    ROUTER --> SW
    SW --> Unraid
    SW --> AP
    AP --> CLIENTS
    SW --> CLIENTS
    AGH_MK -.->|"Upstream DoH"| QUAD9["Quad9 DNS"]
    AGH_UR -.->|"Upstream DoH"| QUAD9
    CLIENTS -->|"DNS Queries"| AGH_MK
    CLIENTS -.->|"Failover"| AGH_UR
```

MikroTik hAP ax³ Router (192.168.31.1)

| Parameter | Value |
|---|---|
| RouterOS Version | 7.20.6 (stable) |
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
| SSH Access | Port 2222, user: jazzymc |

Interfaces:

  • ether1 - WAN (62.73.120.142/23)
  • bridge - LAN (192.168.31.1/24)
  • docker-bridge - Container network (172.17.0.1/24)
  • back-to-home-vpn - WireGuard VPN (192.168.216.1/24)

Running Containers on MikroTik

| Container | IP | Storage | Purpose |
|---|---|---|---|
| tailscale | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client |
| adguardhome | 172.17.0.5 | disk1/agh-root + usb1 mount | DNS with DoH/DoT/DoQ |

AdGuard Home (MikroTik) - PRIMARY DNS

| Service | Port | Protocol | Status |
|---|---|---|---|
| DNS | 5355 (NAT from 53) | UDP/TCP | Active |
| Web UI | 80 | HTTP | Active |
| DoH | 443 | HTTPS | Active |
| DoT | 853 | TCP | Active |
| DoQ | 8853 | UDP | Active |

Configuration:

  • Upstream: Quad9 DoH (https://dns10.quad9.net/dns-query)
  • TLS Certificate: Let's Encrypt wildcard (*.xtrm-lab.org)
  • Server Name: dns.xtrm-lab.org
  • Certificate Expiry: 2026-04-02
  • Credentials: jazzymc / 7RqWElENNbZnPW

Persistence: root-dir on disk1 + data mount on usb1 (survives container restart)


MikroTik CSS326-24G-2S+ Switch (192.168.31.9)

| Parameter | Value |
|---|---|
| Role | Managed Layer 2 Switch |
| Ports | 24x Gigabit + 2x SFP |
| OS | SwOS |
| Web UI | https://sw.xtrm-lab.org |

MikroTik cAP ac (192.168.31.6)

| Parameter | Value |
|---|---|
| Role | CAPsMAN Managed Access Point |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |

Unraid Server (192.168.31.2)

Tailscale IP: 100.100.208.70

SSH Access: `ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422`

Docker Networks

| Network | Subnet | Purpose |
|---|---|---|
| br0 | 192.168.31.0/24 | LAN macvlan (AdGuard Home) |
| dockerproxy | 172.18.0.0/16 | Traefik-accessible services |
| diode_default | 172.24.0.0/16 | NetBox Discovery (Diode) |
| bridge | 172.17.0.0/16 | Default Docker bridge |

Key Services

| Service | Container | IP | External URL |
|---|---|---|---|
| Core | | | |
| Reverse Proxy | traefik | 172.18.0.3 | traefik.xtrm-lab.org |
| Dashboard | homarr | 172.18.0.4 | xtrm-lab.org |
| Security | | | |
| Identity Provider | authentik | 172.18.0.11 | auth.xtrm-lab.org |
| Password Manager | vaultwarden | 172.18.0.15 | vault.xtrm-lab.org |
| DNS | | | |
| AdGuard Home | adguardhome | 192.168.31.4 | - |
| Unbound | unbound | 192.168.31.5 | - |
| DevOps | | | |
| Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org |
| Monitoring | | | |
| Uptime Kuma | UptimeKuma | 172.18.0.20 | uptime.xtrm-lab.org |
| NetBox | netbox | 172.18.0.61 | netbox.xtrm-lab.org |
| Media | | | |
| Plex | plex | host | plex.xtrm-lab.org |
| Nextcloud | Nextcloud | 172.18.0.24 | nextcloud.xtrm-lab.org |
| Remote Access | | | |
| RustDesk | rustdesk-hbbs/hbbr | bridge | rustdesk.xtrm-lab.org |

AdGuard Home (Unraid) - SECONDARY DNS

| Setting | Value |
|---|---|
| IP Address | 192.168.31.4 |
| Network | br0 (macvlan) |
| Web UI | http://192.168.31.4:3000 |
| DNS | 192.168.31.4:53 |
| DoT | 192.168.31.4:853 |
| Credentials | jazzymc / 7RqWElENNbZnPW |

Configuration (synced with MikroTik):

  • Upstream: Quad9 DoH
  • TLS Certificate: Let's Encrypt wildcard
  • 6 Clients configured
  • Custom filtering rules (SentinelOne, Jamf)

Data Location: /mnt/user/appdata/adguardhome/

Stopped Services:

  • binhex-official-pihole (replaced by AdGuard Home)
  • nebula-sync (incompatible with AdGuard Home)

DNS Architecture

```mermaid
flowchart TB
    subgraph External["External Access"]
        DOH["DoH: https://dns.xtrm-lab.org/dns-query"]
        DOT["DoT: tls://dns.xtrm-lab.org:853"]
        DOQ["DoQ: quic://dns.xtrm-lab.org:8853"]
    end

    subgraph MikroTik["MikroTik Router"]
        NAT["NAT: 53 → 5355"]
        AGH1["AdGuard Home<br/>172.17.0.5:5355<br/>PRIMARY"]
    end

    subgraph Unraid["Unraid Server"]
        AGH2["AdGuard Home<br/>192.168.31.4:53<br/>SECONDARY"]
    end

    subgraph Upstream["Upstream DNS"]
        Q9["Quad9 DoH<br/>dns10.quad9.net"]
    end

    subgraph Clients["LAN Clients"]
        C1["IPhone Dancho"]
        C2["IPhone Kimi"]
        C3["Laptop Dari"]
        C4["Laptop Kimi"]
        C5["PC Dancho"]
        C6["ROG Ally Teodor"]
    end

    External --> MikroTik
    Clients -->|"Primary"| NAT
    NAT --> AGH1
    Clients -.->|"Failover"| AGH2
    AGH1 --> Q9
    AGH2 --> Q9
```
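The primary/failover pair only behaves as drawn if both AdGuard instances answer identically. The following is an added example (not from this repository) that sends raw A queries to both resolvers using only the standard library and flags names whose RCODE or A records differ; the resolver addresses are the router (port 53, NAT to the container on 5355) and the Unraid instance from this document, and no particular blocking mode is assumed.

```python
import socket
import struct

# From this document: clients query the router on :53 (NAT to the MikroTik AdGuard container
# on :5355) and fail over to the Unraid AdGuard instance on :53.
RESOLVERS = {"primary": "192.168.31.1", "secondary": "192.168.31.4"}

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal recursive A query: 12-byte header, label-encoded name, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, off: int) -> int:
    # Advance past a possibly compressed name; a 0xC0 pointer is 2 bytes and ends the name.
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += length + 1

def parse_response(data: bytes) -> tuple[int, tuple[str, ...]]:
    """Return (RCODE, sorted A-record IPs) so two resolvers' answers compare as plain tuples."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x0F, tuple(sorted(ips))

def query(server: str, name: str, timeout: float = 2.0) -> tuple[int, tuple[str, ...]]:
    """One UDP query to server:53 (needs LAN access); parsed with parse_response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        return parse_response(sock.recv(512))

def find_drift(results: dict[str, dict[str, tuple]]) -> list[str]:
    """Names whose (RCODE, IP set) is not identical across every resolver queried."""
    return [n for n, per_resolver in results.items() if len(set(per_resolver.values())) > 1]
```

On the LAN, `find_drift({n: {t: query(ip, n) for t, ip in RESOLVERS.items()} for n in names})` over the filtered domains and a few internal names tells you whether the secondary still mirrors the primary.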

Configured Clients (Both AdGuard Instances)

| Client | MAC Address | Tags |
|---|---|---|
| IPhone (Dancho) | f2:b8:14:61:c8:27 | - |
| IPhone (Kimi) | 2a:2b:ba:86:d4:af | user_child |
| Laptop (Dari) | 34:f6:4b:b3:14:83 | user_child |
| Laptop (Kimi) | 90:91:64:70:0d:86 | user_child |
| PC (Dancho) | 70:85:c2:75:64:e5 | - |
| ROG Ally (Teodor) | cc:5e:f8:d3:37:d3 | user_child |

Custom Filtering Rules

```
||dv-eu-prod.sentinelone.net^
||euce1-soc360.sentinelone.net^
||ampeco.jamfcloud.com^
||*.jamfcloud.com^
```
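To audit what the four rules above actually cover, here is an added example (mine, not the lab's configuration) implementing the `||host^` Adblock-style matching that AdGuard Home uses: `||` also matches every subdomain, `^` ends the hostname, `*` is a wildcard. It also reports rules that another rule in the list already covers.

```python
import re
from typing import Optional

# The four rules from the document's "Custom Filtering Rules" section.
RULES = [
    "||dv-eu-prod.sentinelone.net^",
    "||euce1-soc360.sentinelone.net^",
    "||ampeco.jamfcloud.com^",
    "||*.jamfcloud.com^",
]

def rule_to_regex(rule: str) -> re.Pattern:
    """Translate an Adblock-style ||host^ rule into a regex over a bare hostname.

    '||' anchors at a domain boundary, so the host itself and every subdomain match;
    '^' is the separator, which for a bare hostname means end of string;
    '*' matches any run of characters. Other rule syntaxes are rejected."""
    if not rule.startswith("||") or not rule.endswith("^") or "/" in rule:
        raise ValueError(f"only ||host^ rules are handled: {rule}")
    body = rule[2:-1]
    pattern = "".join(".*" if ch == "*" else re.escape(ch) for ch in body)
    return re.compile(rf"^(?:[^.]+\.)*{pattern}$", re.IGNORECASE)

def first_match(host: str, rules: list[str] = RULES) -> Optional[str]:
    """The first rule that would block host, or None if the query passes through."""
    return next((r for r in rules if rule_to_regex(r).match(host.rstrip("."))), None)

def redundant_rules(rules: list[str] = RULES) -> list[tuple[str, str]]:
    """(narrow, broad) pairs: the narrow rule's literal host is already covered by broad.
    Wildcard rules are never reported as narrow, since they do not name a single host."""
    pairs = []
    for narrow in rules:
        host = narrow[2:-1]
        if "*" in host:
            continue
        for broad in rules:
            if broad != narrow and rule_to_regex(broad).match(host):
                pairs.append((narrow, broad))
    return pairs

def audit(hosts: list[str], rules: list[str] = RULES) -> dict[str, Optional[str]]:
    """Map each looked-up hostname (e.g. from the AdGuard query log) to the rule that blocks it."""
    return {h: first_match(h, rules) for h in hosts}
```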

NAT/Port Forwarding (MikroTik)

| Rule | Protocol | Port | Destination | Purpose |
|---|---|---|---|---|
| HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik |
| HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik |
| DNS UDP | UDP | 53→5355 | 172.17.0.5 | AdGuard Home |
| DNS TCP | TCP | 53→5355 | 172.17.0.5 | AdGuard Home |
| DoT | TCP | 853 | 172.17.0.5 | DNS over TLS |
| DoQ | UDP | 8853 | 172.17.0.5 | DNS over QUIC |
| Plex | TCP | 32400 | 192.168.31.2 | Plex Media |
| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk |

Reference Documents


Network Discovery & Management

NetBox (IPAM/DCIM)

| Container | IP | Purpose |
|---|---|---|
| netbox | 172.18.0.61 | Web UI (netbox.xtrm-lab.org) |
| netbox-postgres | - | Database |
| netbox-redis | - | Cache |
| netbox-redis-cache | - | Redis cache |
| netbox-worker | - | Background tasks |

Plugins Installed:

  • netboxlabs-diode-netbox-plugin (NetBox Discovery integration)

NetBox Discovery (Diode)

NetBox Labs Diode provides automated network discovery and data ingestion into NetBox.

| Container | IP | Purpose |
|---|---|---|
| diode-ingress-nginx-1 | 172.24.0.10 | API Gateway |
| diode-diode-auth-1 | - | OAuth2 authentication |
| diode-diode-ingester-1 | - | Data ingestion service |
| diode-diode-reconciler-1 | - | Data reconciliation |
| diode-hydra-1 | - | OAuth2 provider (Ory Hydra) |
| diode-postgres-1 | - | Database |
| diode-redis-1 | - | Cache |
| diode-discovery-agent | host network | Network scanner (orb-agent) |

Data Location: /mnt/user/appdata/diode/

Discovery Agent Configuration:

  • Schedule: Every 30 minutes
  • Target: 192.168.31.0/24
  • Ports scanned: 22, 80, 161, 443
  • Site: Home

OAuth2 Credentials:

  • diode-ingest: For data ingestion
  • netbox-to-diode: For NetBox plugin
  • diode-to-netbox: For reconciler

NetDisco

NetDisco provides SNMP-based network discovery and ARP table collection.

| Container | IP | Purpose |
|---|---|---|
| netdisco-web | 172.18.0.41 | Web UI (netdisco.xtrm-lab.org) |
| netdisco-backend | 172.18.0.42 | SNMP poller |

Database: postgresql17 (shared)

  • Database: netdisco_db
  • User: netdisco_user

Discovered Data:

  • 4 SNMP-enabled devices
  • 42 ARP entries (all network hosts)

NetDisco to NetBox Sync

A scheduled sync script pushes NetDisco data to NetBox via Diode.

Location: /mnt/user/appdata/netdisco-netbox-sync/

| File | Purpose |
|---|---|
| sync.py | Python sync script |
| Dockerfile | Container build file |
| docker-compose.yml | Deployment config |

Sync Configuration:

  • Source: NetDisco PostgreSQL database
  • Target: NetBox via Diode gRPC API
  • Data synced: Devices (with vendor, model, OS) and IP addresses (with MAC)

Run manually:

```bash
cd /mnt/user/appdata/netdisco-netbox-sync
docker compose run --rm netdisco-netbox-sync
```
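The sync script itself is not on this page. As an added illustration (not the project's sync.py), the following prepares NetDisco rows for ingestion the way such a sync has to before calling Diode: MAC normalisation, dropping inactive or non-unicast ARP entries, and resolving an IP that was seen with several MACs to the newest entry. The row shapes and the output dict layout are this example's assumptions, not the Diode SDK's types.

```python
from typing import Optional

# Assumed row shapes (this example's own, modelled on NetDisco's tables):
#   device:  {"ip", "dns", "vendor", "model", "os", "os_ver"}
#   node_ip: {"ip", "mac", "active", "time_last"}  (time_last as a sortable ISO-8601 string)

def normalize_mac(mac: str) -> Optional[str]:
    """Canonicalise aa:bb:cc:dd:ee:ff / aa-bb-... / aabb.ccdd.eeff / bare hex; None if malformed."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_unicast(mac: str) -> bool:
    """Group bit (LSB of the first octet) clear means a unicast, i.e. a real host, address."""
    return int(mac[:2], 16) & 1 == 0

def device_entity(row: dict) -> dict:
    """Device fields the document says are synced: name, vendor, model, OS (+ version)."""
    return {
        "name": row.get("dns") or row["ip"],
        "manufacturer": row.get("vendor") or "Unknown",
        "model": row.get("model") or "Unknown",
        "platform": " ".join(p for p in (row.get("os"), row.get("os_ver")) if p) or None,
        "primary_ip": row["ip"],
    }

def ip_entities(node_ip_rows: list[dict]) -> list[dict]:
    """Active unicast ARP entries only; if an IP was seen with several MACs, keep the newest."""
    newest: dict[str, tuple[str, str]] = {}
    for row in node_ip_rows:
        mac = normalize_mac(row["mac"])
        if not row.get("active") or mac is None or not is_unicast(mac):
            continue
        if row["ip"] not in newest or row["time_last"] > newest[row["ip"]][0]:
            newest[row["ip"]] = (row["time_last"], mac)
    return [{"address": ip, "mac": mac} for ip, (_, mac) in sorted(newest.items())]

def prepare_sync(device_rows: list[dict], node_ip_rows: list[dict]) -> tuple[list[dict], list[dict]]:
    """Everything the sync would hand to the Diode SDK, deduplicated and validated."""
    return [device_entity(r) for r in device_rows], ip_entities(node_ip_rows)
```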

Agent Service Account

A dedicated service account, `agent`, was created for automated tools:

| Device | Username | Auth Method | Port |
|---|---|---|---|
| Unraid | agent | SSH Key + Password | 422 |
| MikroTik Router | agent | SSH Key | 2222 |
| MikroTik AP | agent | Password | 2222 |
| MikroTik Switch | N/A | No SSH (SwOS) | - |

Credentials: See docs/AGENT-CREDENTIALS.md (gitignored, local only)