kavren/proxmox-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: Network infrastructure cleanup - static IPs, local DNS, SSH access

Browse Source 
- Complete static IP migration for all containers
- Configure Pi-hole local DNS with .kav hostnames
- Add SSH provisioning script for all containers
- Create NETWORK-MAP.md with complete IP allocation
- Create network-map.sh for dynamic map generation
- Update INFRASTRUCTURE.md with new service map
- Add .kav TLD and SSH policy decisions to DECISIONS.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
kavren
2025-12-28 17:11:32 -05:00
parent 1d649c4349
commit 9051c84bae
5 changed files with 493 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

117
docs/INFRASTRUCTURE.md
View File

@@ -15,38 +15,81 @@
**Cluster Name**: KavCorp
**Network**: 10.4.2.0/24
**Gateway**: 10.4.2.254
**Gateway**: 10.4.2.1 (OPNsense)
**DNS**: 10.4.2.11 (Pi-hole)
**Local Domain**: .kav
## Service Map
| Service | IP:Port | Location | Domain | Auth |
|---------|---------|----------|--------|------|
| **Proxmox Web UI** | 10.4.2.6:8006 | pm2 | pm.kavcorp.com | Proxmox built-in |
| **Traefik** | 10.4.2.10 | LXC 104 (pm2) | - | None (reverse proxy) |
| **Authelia** | 10.4.2.19 | LXC 116 (pm2) | auth.kavcorp.com | SSO provider |
| **Sonarr** | 10.4.2.15:8989 | LXC 105 (pm2) | sonarr.kavcorp.com | Built-in |
| **Radarr** | 10.4.2.16:7878 | LXC 108 (pm2) | radarr.kavcorp.com | Built-in |
| **Prowlarr** | 10.4.2.17:9696 | LXC 114 (pm2) | prowlarr.kavcorp.com | Built-in |
| **Jellyseerr** | 10.4.2.18:5055 | LXC 115 (pm2) | jellyseerr.kavcorp.com | Built-in |
| **Whisparr** | 10.4.2.20:6969 | LXC 117 (pm2) | whisparr.kavcorp.com | Built-in |
| **Notifiarr** | 10.4.2.21 | LXC 118 (pm2) | - | API key |
| **Jellyfin** | 10.4.2.21:8096 | LXC 121 (elantris) | jellyfin.kavcorp.com | Built-in |
| **Bazarr** | 10.4.2.22:6767 | LXC 119 (pm2) | bazarr.kavcorp.com | Built-in |
| **Kometa** | 10.4.2.23 | LXC 120 (pm2) | - | N/A |
| **Recyclarr** | 10.4.2.25 | LXC 122 (pm2) | - | CLI only |
| **NZBGet** | 10.4.2.13:6789 | Docker (kavnas) | nzbget.kavcorp.com | Built-in |
| **Home Assistant** | 10.4.2.175:8123 | VM 100 (pm1) | hass.kavcorp.com | Built-in (DHCP) |
| **Frigate** | 10.4.2.176:8971 | LXC 128 (pm3) | frigate.kavcorp.com | Built-in (auth required, DHCP) |
| **Foundry VTT** | 10.4.2.37:30000 | LXC 112 (pm3) | vtt.kavcorp.com | Built-in |
| **llama.cpp** | 10.4.2.224:11434 | LXC 123 (elantris) | ollama.kavcorp.com | None (API) |
| **AMP** | 10.4.2.26:8080 | LXC 124 (elantris) | amp.kavcorp.com | Built-in |
| **Vaultwarden** | 10.4.2.212 | LXC 125 (pm4) | vtw.kavcorp.com | Built-in |
| **Immich** | 10.4.2.24:2283 | LXC 126 (pm4) | immich.kavcorp.com | Built-in |
| **Gitea** | 10.4.2.7:3000 | LXC 127 (pm4) | git.kavcorp.com | Built-in |
| **Pi-hole** | 10.4.2.129 | LXC 103 (pm4) | pihole.kavcorp.com | Built-in |
| **UniFi Controller** | 10.4.2.242:8443 | LXC 111 (pm4) | unifi.kavcorp.com | Built-in |
| **OPNsense (KavSense)** | 10.4.2.1 | VM 130 (pm4) | opnsense.kavcorp.com | Built-in (net0: vmbr0/LAN, net1: vmbr1/WAN) |
| **KavNas** | 10.4.2.13 | Synology NAS | - | NAS auth |
> See [NETWORK-MAP.md](NETWORK-MAP.md) for complete IP allocation details.
### Core Infrastructure (10.4.2.10-19)
| Service | IP:Port | Location | Domain | Local DNS |
|---------|---------|----------|--------|-----------|
| **OPNsense** | 10.4.2.1 | VM 130 (pm4) | opnsense.kavcorp.com | opnsense.kav |
| **Traefik** | 10.4.2.10 | LXC 104 (pm2) | - | traefik.kav |
| **Pi-hole** | 10.4.2.11 | LXC 103 (pm4) | pihole.kavcorp.com | pihole.kav |
| **Authelia** | 10.4.2.12:9091 | LXC 116 (pm2) | auth.kavcorp.com | authelia.kav |
| **KavNas** | 10.4.2.13 | Synology NAS | - | kavnas.kav |
| **Vaultwarden** | 10.4.2.15 | LXC 125 (pm4) | vtw.kavcorp.com | vaultwarden.kav |
| **UniFi Controller** | 10.4.2.16:8443 | LXC 111 (pm4) | unifi.kavcorp.com | unifi.kav |
### Media Stack (10.4.2.20-29)
| Service | IP:Port | Location | Domain | Local DNS |
|---------|---------|----------|--------|-----------|
| **Sonarr** | 10.4.2.20:8989 | LXC 105 (pm2) | sonarr.kavcorp.com | sonarr.kav |
| **Whisparr** | 10.4.2.21:6969 | LXC 117 (pm2) | whisparr.kavcorp.com | whisparr.kav |
| **Prowlarr** | 10.4.2.22:9696 | LXC 114 (pm2) | prowlarr.kavcorp.com | prowlarr.kav |
| **Bazarr** | 10.4.2.23:6767 | LXC 119 (pm2) | bazarr.kavcorp.com | bazarr.kav |
| **Radarr** | 10.4.2.24:7878 | LXC 108 (pm2) | radarr.kavcorp.com | radarr.kav |
| **Jellyseerr** | 10.4.2.25:5055 | LXC 115 (pm2) | jellyseerr.kavcorp.com | jellyseerr.kav |
| **Jellyfin** | 10.4.2.26:8096 | LXC 121 (elantris) | jellyfin.kavcorp.com | jellyfin.kav |
| **Kometa** | 10.4.2.27 | LXC 120 (pm2) | - | kometa.kav |
| **Recyclarr** | 10.4.2.28 | LXC 122 (pm2) | - | recyclarr.kav |
| **Notifiarr** | 10.4.2.29 | LXC 118 (pm2) | - | notifiarr.kav |
### Services (10.4.2.30-39)
| Service | IP:Port | Location | Domain | Local DNS |
|---------|---------|----------|--------|-----------|
| **Immich** | 10.4.2.30:2283 | LXC 126 (pm4) | immich.kavcorp.com | immich.kav |
| **Gitea** | 10.4.2.31:3000 | LXC 127 (pm4) | git.kavcorp.com | gitea.kav |
| **Frigate** | 10.4.2.32:8971 | LXC 128 (pm3) | frigate.kavcorp.com | frigate.kav |
| **Home Assistant** | 10.4.2.33:8123 | VM 100 (pm1) | hass.kavcorp.com | homeassistant.kav |
| **Ollama** | 10.4.2.34:11434 | LXC 123 (elantris) | ollama.kavcorp.com | ollama.kav |
| **Twingate** | 10.4.2.35 | LXC 101 (pm1) | - | twingate.kav |
| **Foundry VTT** | 10.4.2.37:30000 | LXC 112 (pm3) | vtt.kavcorp.com | foundryvtt.kav |
### Game Servers (10.4.2.40-49)
| Service | IP:Port | Location | Domain | Local DNS |
|---------|---------|----------|--------|-----------|
| **AMP** | 10.4.2.40:8080 | LXC 124 (elantris) | amp.kavcorp.com | amp.kav |
### IoT / Home Automation (10.4.2.50-99)
| Service | IP:Port | Location | Domain | Local DNS |
|---------|---------|----------|--------|-----------|
| **Z-Wave JS UI** | 10.4.2.50 | LXC 102 (pm1) | - | zwave.kav |
| **MQTT** | 10.4.2.51:1883 | LXC 106 (pm3) | - | mqtt.kav |
### Docker Hosts (10.4.2.200-209)
| Service | IP | Location | Local DNS |
|---------|-----|----------|-----------|
| **docker-pm2** | 10.4.2.200 | LXC 113 (pm2) | docker-pm2.kav |
| **docker-pm4** | 10.4.2.201 | LXC 110 (pm4) | docker-pm4.kav |
| **docker-pm3** | 10.4.2.202 | VM 109 (pm3) | docker-pm3.kav |
| **Dockge** | 10.4.2.203 | LXC 107 (pm3) | dockge.kav |
### Other
| Service | IP:Port | Location | Domain |
|---------|---------|----------|--------|
| **NZBGet** | 10.4.2.13:6789 | Docker (kavnas) | nzbget.kavcorp.com |
| **Proxmox Web UI** | 10.4.2.6:8006 | pm2 | pm.kavcorp.com |
## Storage Architecture
@@ -98,7 +141,7 @@ All `*.kavcorp.com` subdomains route through Traefik reverse proxy (10.4.2.10) f
| Bridge | vmbr0 |
| Physical Interface | eno1 |
| CIDR | 10.4.2.0/24 |
| Gateway | 10.4.2.254 |
| Gateway | 10.4.2.1 (OPNsense) |
#### pm4 Only (vmbr1 - WAN for OPNsense)
| Setting | Value |
@@ -134,10 +177,18 @@ All `*.kavcorp.com` subdomains route through Traefik reverse proxy (10.4.2.10) f
### SSH Access
- **User**: kavren (from local machine)
- **User**: root (between cluster nodes)
**Proxmox Nodes:**
- **User**: root (from workstation or between nodes)
- **Key Type**: ed25519
- **Node-to-Node**: Passwordless SSH configured for cluster operations
- **Access**: `ssh pm1`, `ssh pm2`, `ssh pm3`, `ssh pm4`, `ssh elantris`
**LXC Containers:**
- **User**: root
- **Key Type**: ed25519 (workstation key provisioned)
- **Access**: `ssh root@<service>.kav` (e.g., `ssh root@traefik.kav`)
- **Provisioning Script**: `scripts/provisioning/setup-ssh-access.sh`
All containers have SSH enabled with key-based authentication (PermitRootLogin prohibit-password).
### Important Paths