docs: Network infrastructure cleanup - static IPs, local DNS, SSH access

- Complete static IP migration for all containers
- Configure Pi-hole local DNS with .kav hostnames
- Add SSH provisioning script for all containers
- Create NETWORK-MAP.md with complete IP allocation
- Create network-map.sh for dynamic map generation
- Update INFRASTRUCTURE.md with new service map
- Add .kav TLD and SSH policy decisions to DECISIONS.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/NETWORK-MAP.md

@@ -0,0 +1,157 @@
+# KavCorp Network Map
+
+> **Last Updated**: 2025-12-28
+> **Network**: 10.4.2.0/24
+> **Gateway**: 10.4.2.1 (OPNsense)
+> **DNS**: 10.4.2.11 (Pi-hole)
+
+## Network Topology
+
+```
+                              INTERNET
+                                  │
+                                  │ WAN (AT&T)
+                                  │ Public: 99.74.188.161
+                                  ▼
+                    ┌─────────────────────────────┐
+                    │     OPNsense (VM 130)       │
+                    │        10.4.2.1             │
+                    │   WAN: vmbr1 | LAN: vmbr0   │
+                    └──────────────┬──────────────┘
+                                   │
+       ┌───────────────────────────┼───────────────────────────┐
+       │                      vmbr0 Bridge                     │
+       │                    10.4.2.0/24 (LAN)                  │
+       └───┬───────┬───────┬───────┬───────┬───────────────────┘
+           │       │       │       │       │
+           ▼       ▼       ▼       ▼       ▼
+        ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐ ┌──────────┐  ┌─────────┐
+        │ pm1 │ │ pm2 │ │ pm3 │ │ pm4 │ │ elantris │  │ KavNas  │
+        │ .2  │ │ .6  │ │ .3  │ │ .5  │ │   .14    │  │  .13    │
+        └──┬──┘ └──┬──┘ └──┬──┘ └──┬──┘ └────┬─────┘  └─────────┘
+           │       │       │       │         │
+   ┌───────┘       │       │       │         └────────┐
+   │               │       │       │                  │
+   ▼               ▼       ▼       ▼                  ▼
+┌──────┐    ┌───────────┐ ┌────┐ ┌──────────┐    ┌─────────┐
+│HA    │    │Media Stack│ │Game│ │  Infra   │    │  Media  │
+│Zwave │    │ Services  │ │Svcs│ │ Services │    │ Storage │
+│Twing.│    │           │ │    │ │          │    │         │
+└──────┘    └───────────┘ └────┘ └──────────┘    └─────────┘
+```
+
+## IP Address Allocation
+
+### Proxmox Nodes (10.4.2.2-9)
+
+| IP | Hostname | Description |
+|----|----------|-------------|
+| 10.4.2.2 | pm1.kav | Proxmox node 1 |
+| 10.4.2.3 | pm3.kav | Proxmox node 3 |
+| 10.4.2.5 | pm4.kav | Proxmox node 4 |
+| 10.4.2.6 | pm2.kav | Proxmox node 2 (primary management) |
+| 10.4.2.14 | elantris.kav | Proxmox node 5 (128GB RAM, ZFS) |
+
+### Core Infrastructure (10.4.2.10-19)
+
+| IP | Hostname | Service | VMID | Node |
+|----|----------|---------|------|------|
+| 10.4.2.1 | opnsense.kav | OPNsense Gateway | 130 | pm4 |
+| 10.4.2.10 | traefik.kav | Reverse Proxy | 104 | pm2 |
+| 10.4.2.11 | pihole.kav | DNS Server | 103 | pm4 |
+| 10.4.2.12 | authelia.kav | SSO Authentication | 116 | pm2 |
+| 10.4.2.13 | kavnas.kav | Synology NAS | - | - |
+| 10.4.2.15 | vaultwarden.kav | Password Manager | 125 | pm4 |
+| 10.4.2.16 | unifi.kav | UniFi Controller | 111 | pm4 |
+
+### Media Stack (10.4.2.20-29)
+
+| IP | Hostname | Service | VMID | Node |
+|----|----------|---------|------|------|
+| 10.4.2.20 | sonarr.kav | TV Shows | 105 | pm2 |
+| 10.4.2.21 | whisparr.kav | Adult Content | 117 | pm2 |
+| 10.4.2.22 | prowlarr.kav | Indexer Manager | 114 | pm2 |
+| 10.4.2.23 | bazarr.kav | Subtitles | 119 | pm2 |
+| 10.4.2.24 | radarr.kav | Movies | 108 | pm2 |
+| 10.4.2.25 | jellyseerr.kav | Media Requests | 115 | pm2 |
+| 10.4.2.26 | jellyfin.kav | Media Server | 121 | elantris |
+| 10.4.2.27 | kometa.kav | Plex Meta Manager | 120 | pm2 |
+| 10.4.2.28 | recyclarr.kav | Quality Profiles | 122 | pm2 |
+| 10.4.2.29 | notifiarr.kav | Notifications | 118 | pm2 |
+
+### Services (10.4.2.30-39)
+
+| IP | Hostname | Service | VMID | Node |
+|----|----------|---------|------|------|
+| 10.4.2.30 | immich.kav | Photo Management | 126 | pm4 |
+| 10.4.2.31 | gitea.kav | Git Server | 127 | pm4 |
+| 10.4.2.32 | frigate.kav | NVR | 128 | pm3 |
+| 10.4.2.33 | homeassistant.kav | Home Automation | 100 | pm1 (VM) |
+| 10.4.2.34 | ollama.kav | LLM Server | 123 | elantris |
+| 10.4.2.35 | twingate.kav | Zero Trust Access | 101 | pm1 |
+| 10.4.2.37 | foundryvtt.kav | Virtual Tabletop | 112 | pm3 |
+
+### Game Servers (10.4.2.40-49)
+
+| IP | Hostname | Service | VMID | Node |
+|----|----------|---------|------|------|
+| 10.4.2.40 | amp.kav | Game Server Manager | 124 | elantris |
+
+### IoT / Home Automation (10.4.2.50-99)
+
+| IP | Hostname | Service | VMID | Node |
+|----|----------|---------|------|------|
+| 10.4.2.50 | zwave.kav | Z-Wave JS UI | 102 | pm1 |
+| 10.4.2.51 | mqtt.kav | MQTT Broker | 106 | pm3 |
+
+### Docker Hosts (10.4.2.200-209)
+
+| IP | Hostname | Service | VMID | Node |
+|----|----------|---------|------|------|
+| 10.4.2.200 | docker-pm2.kav | Docker Host | 113 | pm2 |
+| 10.4.2.201 | docker-pm4.kav | Docker Host | 110 | pm4 |
+| 10.4.2.202 | docker-pm3.kav | Docker Host | 109 | pm3 (VM) |
+| 10.4.2.203 | dockge.kav | Docker Management | 107 | pm3 |
+
+## IP Range Summary
+
+| Range | Purpose | Status |
+|-------|---------|--------|
+| 10.4.2.1 | OPNsense Gateway | Assigned |
+| 10.4.2.2-9 | Proxmox Nodes | Assigned |
+| 10.4.2.10-19 | Core Infrastructure | Assigned |
+| 10.4.2.20-29 | Media Stack | Assigned |
+| 10.4.2.30-39 | Services | Partially used |
+| 10.4.2.40-49 | Game Servers | Partially used |
+| 10.4.2.50-99 | IoT / Reserved | Partially used |
+| 10.4.2.100-199 | DHCP Pool | Dynamic |
+| 10.4.2.200-209 | Docker Hosts | Assigned |
+| 10.4.2.210-239 | Reserved | Available |
+| 10.4.2.240-249 | Network Controllers | Reserved |
+| 10.4.2.250-254 | Network Gear | Reserved |
+
+## Access Methods
+
+### SSH Access
+All containers have SSH enabled with key-based authentication:
+```bash
+ssh root@<service>.kav
+# Example: ssh root@traefik.kav
+```
+
+### Web Access
+All web services are accessible via Traefik reverse proxy:
+- External: `https://<service>.kavcorp.com`
+- Internal: `http://<ip>:<port>`
+
+### Local DNS
+Pi-hole provides `.kav` domain resolution for all services.
+Configure your device to use `10.4.2.11` as DNS server.
+
+## Generating Updated Map
+
+Use the network map script to generate a current view:
+```bash
+cd /home/kavren/proxmox-infra
+./scripts/monitoring/network-map.sh
+```