Files

Kaloyan Danchev ecbce1ca94

ci/woodpecker/push/woodpecker Pipeline was successful

Details

Add VRRP failover infrastructure documentation (Nobara)

Deployed automatic failover for critical services (Traefik, Vaultwarden,
Authentik, AdGuard) from Unraid to Nobara workstation via Keepalived VRRP
with VIP 192.168.10.250. ~4 second failover time.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-13 18:03:26 +02:00

5.0 KiB

Raw Blame History

Critical Services

Last Updated: 2026-01-31

Services that must remain operational for network functionality and security.

Priority Levels

Priority	Meaning	Recovery Target
P0	Network offline without this	< 5 minutes
P1	Major functionality impacted	< 1 hour

P0 - Network Core

DNS (AdGuard Home)

Instance	Host	IP	Role
Primary	HAP1 (container)	172.17.0.2	Main DNS
Secondary	XTRM-U (macvlan)	192.168.10.10	Failover DNS

Failover: Automatic via Netwatch (ping + DNS resolution checks)

Config Sync: adguardhome-sync (every 30 min, Unraid → MikroTik)

Upstream: Quad9 DoH (https://dns.quad9.net/dns-query)

Web UI:

Primary: http://192.168.10.1:3000
Secondary: http://192.168.10.10:3000
Credentials: jazzymc / 7RqWElENNbZnPW

Recovery:

If primary fails → automatic failover to secondary (192.168.10.10)
Manual restart: /container start [find name~"adguard"]

Routing (HAP1)

Function	Details
WAN	62.73.120.142 via Vivacom fiber
VLANs	10 (Mgmt), 20 (Trusted), 25 (Kids), 30 (IoT), 40 (CatchAll)
NAT	Port forwarding to XTRM-U (192.168.10.20)
Firewall	RouterOS firewall rules

Recovery:

Physical access to HAP1
Reset: hold reset button 5s
Reconfigure via WinBox or SSH (port 2222)

DHCP (HAP1)

VLAN	Pool	Range
10 (Mgmt)	pool-vlan10	192.168.10.100-200
20 (Trusted)	pool-vlan20	192.168.20.100-200
25 (Kids)	pool-vlan25	192.168.25.100-200
30 (IoT)	pool-vlan30	192.168.30.100-200
40 (CatchAll)	dhcp	192.168.1.10-254

Lease Time: 30 minutes

P1 - Authentication & Secrets

Authentik (SSO)

Component	IP	Purpose
authentik	172.18.0.11	Web UI + OIDC
authentik-worker	172.18.0.12	Background tasks

URL: https://auth.xtrm-lab.org

Protects:

Traefik forward auth (all *.xtrm-lab.org)
Gitea OAuth
Woodpecker OAuth
NetBox OAuth
NetDisco SSO

Recovery:

cd /mnt/user/appdata/authentik
docker compose up -d

Database: postgresql17 (authentik_db)

Vaultwarden (Passwords)

Component	IP	Purpose
vaultwarden	172.18.0.15	Password manager

URL: https://vault.xtrm-lab.org

Data: /mnt/user/appdata/vaultwarden/

Recovery:

docker start vaultwarden

Backup: Part of Unraid flash backup

P1 - Reverse Proxy

Traefik

Component	IP	Ports
traefik	172.18.0.3	8001→80, 44301→443

Config: /mnt/user/appdata/traefik/

traefik.yml - Static config
dynamic.yml - Routers & services

TLS: Let's Encrypt wildcard for *.xtrm-lab.org

Recovery:

docker start traefik

Shared Infrastructure

PostgreSQL 17

IP	Databases
172.18.0.13	authentik_db, netbox, gitea, netdisco_db, diode, hydra

Data: /mnt/user/appdata/postgresql17/

Recovery:

docker start postgresql17
# Wait for DB to be ready before starting dependents

Redis

IP	Consumers
172.18.0.14	Authentik, NetBox, Diode

Recovery:

docker start Redis

Startup Order

When recovering from full outage:

postgresql17 - Database (wait 30s)
Redis - Cache/queue (wait 10s)
traefik - Reverse proxy
authentik + authentik-worker - SSO
vaultwarden - Passwords
All other services

Monitoring

Uptime Kuma

URL	Monitors
https://uptime.xtrm-lab.org	27 services

Alerts: Configured per service (email/webhook)

Backup Strategy

Data	Location	Frequency
Unraid Flash	Google Drive	Daily
PostgreSQL	`/mnt/user/Backup/`	Daily
Vaultwarden	Unraid Flash	With flash backup
Authentik	PostgreSQL + `/mnt/user/appdata/authentik/`	Daily

Active Failover: XTRM-Nobara

Critical services are replicated on the Nobara workstation with automatic VRRP failover:

Service	Primary (XTRM-U)	Failover (XTRM-Nobara)
Traefik	192.168.10.20	192.168.10.103
Vaultwarden	192.168.10.20	192.168.10.103
Authentik	192.168.10.20	192.168.10.103
AdGuard Home	192.168.10.20	192.168.10.103

VIP: 192.168.10.250 (floats between XTRM-U and XTRM-Nobara via Keepalived VRRP)

Failover time: ~4 seconds

See: 10-FAILOVER-NOBARA.md for full documentation.

Future: XTRM-N1 Survival Node

When hardware upgrade completes, these services will have replicas on XTRM-N1:

Service	Primary	Replica
DNS	HAP1	XTRM-N1
Vaultwarden	XTRM-N5	XTRM-N1
Authentik	XTRM-N5	XTRM-N1

See: wip/UPGRADE-2026-HARDWARE.md

5.0 KiB Raw Blame History

Critical Services

Priority Levels

P0 - Network Core

DNS (AdGuard Home)

Routing (HAP1)

DHCP (HAP1)

P1 - Authentication & Secrets

Authentik (SSO)

Vaultwarden (Passwords)

P1 - Reverse Proxy

Traefik

Shared Infrastructure

PostgreSQL 17

Redis

Startup Order

Monitoring

Uptime Kuma

Backup Strategy

Active Failover: XTRM-Nobara

Future: XTRM-N1 Survival Node

5.0 KiB

Raw Blame History