docs: Network infrastructure cleanup - static IPs, local DNS, SSH access

- Complete static IP migration for all containers - Configure Pi-hole local DNS with .kav hostnames - Add SSH provisioning script for all containers - Create NETWORK-MAP.md with complete IP allocation - Create network-map.sh for dynamic map generation - Update INFRASTRUCTURE.md with new service map - Add .kav TLD and SSH policy decisions to DECISIONS.md 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 17:11:32 -05:00
parent 1d649c4349
commit 9051c84bae
5 changed files with 493 additions and 33 deletions
--- a/docs/DECISIONS.md
+++ b/docs/DECISIONS.md
@@ -41,6 +41,52 @@

 ## Network Architecture

+### Local DNS (.kav TLD)
+
+**Decision**: Use `.kav` as the local top-level domain for internal services
+**Reason**:
+- Unique to KavCorp network, avoids conflicts with real TLDs
+- Short and memorable
+- Works without additional configuration
+- Pi-hole handles resolution via `dns.hosts` in pihole.toml
+
+**Alternatives Considered**:
+- `.lan` - Common but can conflict with some routers
+- `.local` - Conflicts with mDNS/Bonjour
+- `.home.arpa` - RFC 8375 compliant but verbose
+
+**Usage**: All services accessible via `<service>.kav` (e.g., traefik.kav, sonarr.kav)
+
+### SSH Access Policy
+
+**Decision**: SSH from workstation only, no container-to-container SSH
+**Reason**:
+- Reduces attack surface
+- Single key to manage
+- Containers don't need to communicate via SSH
+
+**Implementation**:
+- Workstation ed25519 key added to all containers
+- `PermitRootLogin prohibit-password` (key-only)
+- Provisioning script: `scripts/provisioning/setup-ssh-access.sh`
+
+### IP Allocation Scheme
+
+**Decision**: Organized IP ranges by service type
+**Reason**: Easy to identify service type from IP, logical grouping
+
+| Range | Purpose |
+|-------|---------|
+| 10.4.2.1 | Gateway (OPNsense) |
+| 10.4.2.2-9 | Proxmox nodes |
+| 10.4.2.10-19 | Core infrastructure |
+| 10.4.2.20-29 | Media stack |
+| 10.4.2.30-39 | Other services |
+| 10.4.2.40-49 | Game servers |
+| 10.4.2.50-99 | IoT / Reserved |
+| 10.4.2.100-199 | DHCP pool |
+| 10.4.2.200-209 | Docker hosts |
+
 ### Network Isolation Strategy

 **Goal**: Isolate IoT (KavCorp-IOT) and Guest (KavCorp-Guest) WiFi networks from the main LAN, while allowing Smart Home VMs to access IoT devices.