infrastructure/docs/00-CURRENT-STATE.md

# Infrastructure Current State: xtrm-lab.org

## Document Updated: 2026-01-22
## Target Domain: xtrm-lab.org

---

## Network Topology Diagram

```mermaid
graph TB
    subgraph Internet
        WAN["WAN: 62.73.120.142"]
        DNS_EXT["dns.xtrm-lab.org<br/>DoH/DoT/DoQ"]
    end

    subgraph MikroTik["MikroTik hAP ax³ (192.168.31.1)"]
        ROUTER["RouterOS 7.20.6"]
        subgraph MK_Containers["Docker Containers"]
            AGH_MK["AdGuard Home<br/>172.17.0.5:5355<br/>PRIMARY DNS"]
            TS["Tailscale<br/>172.17.0.4"]
        end
    end

    subgraph Switch["CSS326-24G-2S+ (192.168.31.9)"]
        SW["24-Port Managed Switch"]
    end

    subgraph AP["cAP ac (192.168.31.6)"]
        WIFI["CAPsMAN AP"]
    end

    subgraph Unraid["Unraid Server (192.168.31.2)"]
        subgraph Core["Core Services"]
            TRAEFIK["Traefik<br/>172.18.0.3"]
            HOMARR["Homarr<br/>172.18.0.4"]
        end
        subgraph Security["Security"]
            AUTH["Authentik<br/>172.18.0.11"]
            VAULT["Vaultwarden<br/>172.18.0.15"]
        end
        subgraph DNS_Unraid["DNS Services"]
            AGH_UR["AdGuard Home<br/>192.168.31.4:53<br/>SECONDARY DNS"]
            UNBOUND["Unbound<br/>192.168.31.5"]
        end
        subgraph DevOps["DevOps"]
            GITEA["Gitea<br/>172.18.0.31"]
            WOODPECKER["Woodpecker CI<br/>172.18.0.32"]
        end
        subgraph Monitoring["Monitoring"]
            UPTIME["Uptime Kuma<br/>172.18.0.20"]
            NETBOX["NetBox<br/>172.24.0.5"]
        end
        subgraph Media["Media"]
            PLEX["Plex"]
            NEXTCLOUD["Nextcloud<br/>172.18.0.24"]
        end
    end

    subgraph LAN["LAN Devices (192.168.31.x)"]
        CLIENTS["Clients"]
    end

    WAN --> ROUTER
    DNS_EXT --> ROUTER
    ROUTER --> AGH_MK
    ROUTER --> TS
    ROUTER --> SW
    SW --> Unraid
    SW --> AP
    AP --> CLIENTS
    SW --> CLIENTS
    AGH_MK -.->|"Upstream DoH"| QUAD9["Quad9 DNS"]
    AGH_UR -.->|"Upstream DoH"| QUAD9
    CLIENTS -->|"DNS Queries"| AGH_MK
    CLIENTS -.->|"Failover"| AGH_UR
```

---

## MikroTik hAP ax³ Router (192.168.31.1)

| Parameter | Value |
|-----------|-------|
| RouterOS Version | 7.20.6 (stable) |
| WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 |
| SSH Access | Port 2222, user: jazzymc |

**Interfaces:**
- `ether1` - WAN (62.73.120.142/23)
- `bridge` - LAN (192.168.31.1/24)
- `docker-bridge` - Container network (172.17.0.1/24)
- `back-to-home-vpn` - WireGuard VPN (192.168.216.1/24)

### Running Containers on MikroTik

| Container | IP | Storage | Purpose |
|-----------|-----|---------|---------|
| tailscale | 172.17.0.4 | usb1/tailscale/root | Tailscale VPN client |
| adguardhome | 172.17.0.5 | disk1/agh-root + usb1 mount | DNS with DoH/DoT/DoQ |

### AdGuard Home (MikroTik) - PRIMARY DNS

| Service | Port | Protocol | Status |
|---------|------|----------|--------|
| DNS | 5355 (NAT from 53) | UDP/TCP | Active |
| Web UI | 80 | HTTP | Active |
| DoH | 443 | HTTPS | Active |
| DoT | 853 | TCP | Active |
| DoQ | 8853 | UDP | Active |

**Configuration:**
- Upstream: Quad9 DoH (https://dns10.quad9.net/dns-query)
- TLS Certificate: Let's Encrypt wildcard (\*.xtrm-lab.org)
- Server Name: dns.xtrm-lab.org
- Certificate Expiry: 2026-04-02
- Credentials: jazzymc / 7RqWElENNbZnPW

**Persistence:** root-dir on disk1 + data mount on usb1 (survives container restart)

---

## MikroTik CSS326-24G-2S+ Switch (192.168.31.9)

| Parameter | Value |
|-----------|-------|
| Role | Managed Layer 2 Switch |
| Ports | 24x Gigabit + 2x SFP |
| OS | SwOS |
| Web UI | https://sw.xtrm-lab.org |

---

## MikroTik cAP ac (192.168.31.6)

| Parameter | Value |
|-----------|-------|
| Role | CAPsMAN Managed Access Point |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |

---

## Unraid Server (192.168.31.2)

**Tailscale IP:** 100.100.208.70
**SSH Access:** `ssh -i ~/.ssh/id_ed25519_unraid root@192.168.31.2 -p 422`

### Docker Networks

| Network | Subnet | Purpose |
|---------|--------|---------|
| br0 | 192.168.31.0/24 | LAN macvlan (AdGuard Home) |
| dockerproxy | 172.18.0.0/16 | Traefik-accessible services |
| netbox | 172.24.0.0/16 | NetBox stack |
| bridge | 172.17.0.0/16 | Default Docker bridge |

### Key Services

| Service | Container | IP | External URL |
|---------|-----------|---|--------------|
| **Core** ||||
| Reverse Proxy | traefik | 172.18.0.3 | traefik.xtrm-lab.org |
| Dashboard | homarr | 172.18.0.4 | xtrm-lab.org |
| **Security** ||||
| Identity Provider | authentik | 172.18.0.11 | auth.xtrm-lab.org |
| Password Manager | vaultwarden | 172.18.0.15 | vault.xtrm-lab.org |
| **DNS** ||||
| AdGuard Home | adguardhome | 192.168.31.4 | - |
| Unbound | unbound | 192.168.31.5 | - |
| **DevOps** ||||
| Git Server | gitea | 172.18.0.31 | git.xtrm-lab.org |
| CI/CD Server | woodpecker-server | 172.18.0.32 | ci.xtrm-lab.org |
| **Monitoring** ||||
| Uptime Kuma | UptimeKuma | 172.18.0.20 | uptime.xtrm-lab.org |
| NetBox | netbox | 172.24.0.5 | netbox.xtrm-lab.org |
| **Media** ||||
| Plex | plex | host | plex.xtrm-lab.org |
| Nextcloud | Nextcloud | 172.18.0.24 | nextcloud.xtrm-lab.org |
| **Remote Access** ||||
| RustDesk | rustdesk-hbbs/hbbr | bridge | rustdesk.xtrm-lab.org |

### AdGuard Home (Unraid) - SECONDARY DNS

| Setting | Value |
|---------|-------|
| IP Address | 192.168.31.4 |
| Network | br0 (macvlan) |
| Web UI | http://192.168.31.4:3000 |
| DNS | 192.168.31.4:53 |
| DoT | 192.168.31.4:853 |
| Credentials | jazzymc / 7RqWElENNbZnPW |

**Configuration (synced with MikroTik):**
- Upstream: Quad9 DoH
- TLS Certificate: Let's Encrypt wildcard
- 6 Clients configured
- Custom filtering rules (SentinelOne, Jamf)

**Data Location:** /mnt/user/appdata/adguardhome/

**Stopped Services:**
- binhex-official-pihole (replaced by AdGuard Home)
- nebula-sync (incompatible with AdGuard Home)

---

## DNS Architecture

```mermaid
flowchart TB
    subgraph External["External Access"]
        DOH["DoH: https://dns.xtrm-lab.org/dns-query"]
        DOT["DoT: tls://dns.xtrm-lab.org:853"]
        DOQ["DoQ: quic://dns.xtrm-lab.org:8853"]
    end

    subgraph MikroTik["MikroTik Router"]
        NAT["NAT: 53 → 5355"]
        AGH1["AdGuard Home<br/>172.17.0.5:5355<br/>PRIMARY"]
    end

    subgraph Unraid["Unraid Server"]
        AGH2["AdGuard Home<br/>192.168.31.4:53<br/>SECONDARY"]
    end

    subgraph Upstream["Upstream DNS"]
        Q9["Quad9 DoH<br/>dns10.quad9.net"]
    end

    subgraph Clients["LAN Clients"]
        C1["IPhone Dancho"]
        C2["IPhone Kimi"]
        C3["Laptop Dari"]
        C4["Laptop Kimi"]
        C5["PC Dancho"]
        C6["ROG Ally Teodor"]
    end

    External --> MikroTik
    Clients -->|"Primary"| NAT
    NAT --> AGH1
    Clients -.->|"Failover"| AGH2
    AGH1 --> Q9
    AGH2 --> Q9
```

---

## Configured Clients (Both AdGuard Instances)

| Client | MAC Address | Tags |
|--------|-------------|------|
| IPhone (Dancho) | f2:b8:14:61:c8:27 | - |
| IPhone (Kimi) | 2a:2b:ba:86:d4:af | user_child |
| Laptop (Dari) | 34:f6:4b:b3:14:83 | user_child |
| Laptop (Kimi) | 90:91:64:70:0d:86 | user_child |
| PC (Dancho) | 70:85:c2:75:64:e5 | - |
| ROG Ally (Teodor) | cc:5e:f8:d3:37:d3 | user_child |

---

## Custom Filtering Rules

```
||dv-eu-prod.sentinelone.net^
||euce1-soc360.sentinelone.net^
||ampeco.jamfcloud.com^
||*.jamfcloud.com^
```

---

## NAT/Port Forwarding (MikroTik)

| Rule | Protocol | Port | Destination | Purpose |
|------|----------|------|-------------|---------|
| HTTP | TCP | 80 | 192.168.31.2:8001 | Traefik |
| HTTPS | TCP | 443 | 192.168.31.2:44301 | Traefik |
| DNS UDP | UDP | 53→5355 | 172.17.0.5 | AdGuard Home |
| DNS TCP | TCP | 53→5355 | 172.17.0.5 | AdGuard Home |
| DoT | TCP | 853 | 172.17.0.5 | DNS over TLS |
| DoQ | UDP | 8853 | 172.17.0.5 | DNS over QUIC |
| Plex | TCP | 32400 | 192.168.31.2 | Plex Media |
| RustDesk | TCP/UDP | 21115-21119 | 192.168.31.2 | RustDesk |

---

## Reference Documents

- [Phase 1: DNS Portability](./01-PHASE1-DNS-PORTABILITY.md)
- [Phase 7: Gitea GitOps](./08-PHASE7-GITEA-GITOPS.md)
- [Changelog](./06-CHANGELOG.md)

---

## Network Discovery & Management

### Slurp'it Stack

| Container | IP | Purpose |
|-----------|-----|---------|
| slurpit-portal | 172.18.0.129 | Web UI (slurpit.xtrm-lab.org) |
| slurpit-scanner | 172.25.0.5 | SNMP network scanner |
| slurpit-scraper | 172.25.0.3 | Device data collector |
| slurpit-warehouse | 172.25.0.4 | Data storage API |
| slurpit-mariadb | 172.25.0.2 | Portal database |
| slurpit-mongodb | 172.25.0.6 | Discovery database |

**Status:** Operational
**Discovered Devices:** 1 (MikroTik Router)
**SNMP Communities:** public, netdisco

**Configuration:**
- SNMP v2c credentials configured
- Scan target: 192.168.31.0/24
- NetBox integration: Enabled (plugin_online: 1)

**Pending Tasks:**
- Add SSH credentials to Vault for device scraping
- Troubleshoot SNMP discovery of switch and AP

### NetDisco

| Container | IP | Purpose |
|-----------|-----|---------|
| netdisco-web | 172.18.0.41 | Web UI (netdisco.xtrm-lab.org) |
| netdisco-backend | 172.18.0.42 | SNMP poller |

### NetBox (IPAM/DCIM)

| Container | IP | Purpose |
|-----------|-----|---------|
| netbox | 172.24.0.5 | Web UI (netbox.xtrm-lab.org) |
| netbox-postgres | 172.24.0.4 | Database |
| netbox-redis | 172.24.0.2 | Cache |
| netbox-worker | 172.24.0.6 | Background tasks |

**NetBox Slurp'it Plugin:** Installed and configured

---

## Agent Service Account

A dedicated service account `agent` was created for automated tools:

| Device | Username | Auth Method | Port |
|--------|----------|-------------|------|
| Unraid | agent | SSH Key + Password | 422 |
| MikroTik Router | agent | SSH Key | 2222 |
| MikroTik AP | agent | Password | 2222 |
| MikroTik Switch | N/A | No SSH (SwOS) | - |

**Credentials:** See docs/AGENT-CREDENTIALS.md (gitignored, local only)