kavren
9051c84bae
- Complete static IP migration for all containers - Configure Pi-hole local DNS with .kav hostnames - Add SSH provisioning script for all containers - Create NETWORK-MAP.md with complete IP allocation - Create network-map.sh for dynamic map generation - Update INFRASTRUCTURE.md with new service map - Add .kav TLD and SSH policy decisions to DECISIONS.md 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
8.0 KiB
8.0 KiB
Infrastructure Reference
Purpose: Single source of truth for all infrastructure details - nodes, IPs, services, storage, network Update Frequency: Immediately when infrastructure changes
Proxmox Cluster Nodes
| Hostname | IP Address | Role | Resources |
|---|---|---|---|
| pm1 | 10.4.2.2 | Proxmox cluster node | - |
| pm2 | 10.4.2.6 | Proxmox cluster node (primary management) | - |
| pm3 | 10.4.2.3 | Proxmox cluster node | - |
| pm4 | 10.4.2.5 | Proxmox cluster node | - |
| elantris | 10.4.2.14 | Proxmox cluster node (Debian-based) | 128GB RAM, ZFS storage (24TB) |
Cluster Name: KavCorp Network: 10.4.2.0/24 Gateway: 10.4.2.1 (OPNsense) DNS: 10.4.2.11 (Pi-hole) Local Domain: .kav
Service Map
See NETWORK-MAP.md for complete IP allocation details.
Core Infrastructure (10.4.2.10-19)
| Service | IP:Port | Location | Domain | Local DNS |
|---|---|---|---|---|
| OPNsense | 10.4.2.1 | VM 130 (pm4) | opnsense.kavcorp.com | opnsense.kav |
| Traefik | 10.4.2.10 | LXC 104 (pm2) | - | traefik.kav |
| Pi-hole | 10.4.2.11 | LXC 103 (pm4) | pihole.kavcorp.com | pihole.kav |
| Authelia | 10.4.2.12:9091 | LXC 116 (pm2) | auth.kavcorp.com | authelia.kav |
| KavNas | 10.4.2.13 | Synology NAS | - | kavnas.kav |
| Vaultwarden | 10.4.2.15 | LXC 125 (pm4) | vtw.kavcorp.com | vaultwarden.kav |
| UniFi Controller | 10.4.2.16:8443 | LXC 111 (pm4) | unifi.kavcorp.com | unifi.kav |
Media Stack (10.4.2.20-29)
| Service | IP:Port | Location | Domain | Local DNS |
|---|---|---|---|---|
| Sonarr | 10.4.2.20:8989 | LXC 105 (pm2) | sonarr.kavcorp.com | sonarr.kav |
| Whisparr | 10.4.2.21:6969 | LXC 117 (pm2) | whisparr.kavcorp.com | whisparr.kav |
| Prowlarr | 10.4.2.22:9696 | LXC 114 (pm2) | prowlarr.kavcorp.com | prowlarr.kav |
| Bazarr | 10.4.2.23:6767 | LXC 119 (pm2) | bazarr.kavcorp.com | bazarr.kav |
| Radarr | 10.4.2.24:7878 | LXC 108 (pm2) | radarr.kavcorp.com | radarr.kav |
| Jellyseerr | 10.4.2.25:5055 | LXC 115 (pm2) | jellyseerr.kavcorp.com | jellyseerr.kav |
| Jellyfin | 10.4.2.26:8096 | LXC 121 (elantris) | jellyfin.kavcorp.com | jellyfin.kav |
| Kometa | 10.4.2.27 | LXC 120 (pm2) | - | kometa.kav |
| Recyclarr | 10.4.2.28 | LXC 122 (pm2) | - | recyclarr.kav |
| Notifiarr | 10.4.2.29 | LXC 118 (pm2) | - | notifiarr.kav |
Services (10.4.2.30-39)
| Service | IP:Port | Location | Domain | Local DNS |
|---|---|---|---|---|
| Immich | 10.4.2.30:2283 | LXC 126 (pm4) | immich.kavcorp.com | immich.kav |
| Gitea | 10.4.2.31:3000 | LXC 127 (pm4) | git.kavcorp.com | gitea.kav |
| Frigate | 10.4.2.32:8971 | LXC 128 (pm3) | frigate.kavcorp.com | frigate.kav |
| Home Assistant | 10.4.2.33:8123 | VM 100 (pm1) | hass.kavcorp.com | homeassistant.kav |
| Ollama | 10.4.2.34:11434 | LXC 123 (elantris) | ollama.kavcorp.com | ollama.kav |
| Twingate | 10.4.2.35 | LXC 101 (pm1) | - | twingate.kav |
| Foundry VTT | 10.4.2.37:30000 | LXC 112 (pm3) | vtt.kavcorp.com | foundryvtt.kav |
Game Servers (10.4.2.40-49)
| Service | IP:Port | Location | Domain | Local DNS |
|---|---|---|---|---|
| AMP | 10.4.2.40:8080 | LXC 124 (elantris) | amp.kavcorp.com | amp.kav |
IoT / Home Automation (10.4.2.50-99)
| Service | IP:Port | Location | Domain | Local DNS |
|---|---|---|---|---|
| Z-Wave JS UI | 10.4.2.50 | LXC 102 (pm1) | - | zwave.kav |
| MQTT | 10.4.2.51:1883 | LXC 106 (pm3) | - | mqtt.kav |
Docker Hosts (10.4.2.200-209)
| Service | IP | Location | Local DNS |
|---|---|---|---|
| docker-pm2 | 10.4.2.200 | LXC 113 (pm2) | docker-pm2.kav |
| docker-pm4 | 10.4.2.201 | LXC 110 (pm4) | docker-pm4.kav |
| docker-pm3 | 10.4.2.202 | VM 109 (pm3) | docker-pm3.kav |
| Dockge | 10.4.2.203 | LXC 107 (pm3) | dockge.kav |
Other
| Service | IP:Port | Location | Domain |
|---|---|---|---|
| NZBGet | 10.4.2.13:6789 | Docker (kavnas) | nzbget.kavcorp.com |
| Proxmox Web UI | 10.4.2.6:8006 | pm2 | pm.kavcorp.com |
Storage Architecture
NFS Mounts (Shared)
| Mount Name | Source | Mount Point | Size | Usage |
|---|---|---|---|---|
| elantris-media | elantris:/el-pool/media | /mnt/pve/elantris-media | ~24TB | Media files (movies, TV, anime) |
| KavNas | kavnas:10.4.2.13:/volume1 | /mnt/pve/KavNas | ~23TB | Backups, ISOs, LXC storage, downloads |
Local Storage (Per-Node)
| Storage | Type | Size | Usage |
|---|---|---|---|
| local | Directory | ~100GB | Backups, templates, ISOs |
| local-lvm | LVM thin pool | ~350-375GB | VM/LXC disks |
ZFS Pools
| Pool | Location | Size | Usage |
|---|---|---|---|
| el-pool | elantris | 24TB | Large data storage |
Media Folders
| Path | Type | Permissions | Notes |
|---|---|---|---|
| /mnt/pve/elantris-media/movies | NFS | 777 | Movie library |
| /mnt/pve/elantris-media/tv | NFS | 777 | TV show library |
| /mnt/pve/elantris-media/anime | NFS | 777 | Anime library |
| /mnt/pve/elantris-media/processing | NFS | 777 | Processing/cleanup folder |
| /mnt/pve/KavNas/downloads | NFS | 777 | Download client output |
Network Configuration
DNS & Domains
Domain: kavcorp.com DNS Provider: Namecheap Public IP: 99.74.188.161
All *.kavcorp.com subdomains route through Traefik reverse proxy (10.4.2.10) for SSL termination and routing.
Bridges
All Nodes (vmbr0)
| Setting | Value |
|---|---|
| Bridge | vmbr0 |
| Physical Interface | eno1 |
| CIDR | 10.4.2.0/24 |
| Gateway | 10.4.2.1 (OPNsense) |
pm4 Only (vmbr1 - WAN for OPNsense)
| Setting | Value |
|---|---|
| Bridge | vmbr1 |
| Physical Interface | enx6c1ff76e4d47 (USB 2.5G NIC) |
| Purpose | WAN uplink to AT&T modem |
| Used by | VM 130 (OPNsense) net1 |
VLANs and Subnets
| VLAN | Subnet | Gateway | DHCP Range | Purpose |
|---|---|---|---|---|
| - | 10.4.2.0/24 | 10.4.2.1 | .100-.200 | Infrastructure (Proxmox, core services) |
| 10 | 10.4.10.0/24 | 10.4.10.1 | .100-.200 | Trusted (user devices) |
| 20 | 10.4.20.0/24 | 10.4.20.1 | .100-.200 | IoT (KavCorp-IOT SSID) |
| 30 | 10.4.30.0/24 | 10.4.30.1 | .100-.200 | Guest (KavCorp-Guest SSID) |
VLAN Traffic Path: UniFi AP → Unmanaged Switch → pm4 vmbr0 → OPNsense vtnet0
Required pm4 vmbr0 Configuration:
bridge-vlan-aware yesin /etc/network/interfaces- VLANs 10, 20, 30 added to eno1:
post-up bridge vlan add dev eno1 vid {10,20,30} - VLANs 10, 20, 30 added to veth103i0 (Pi-hole): via hookscript
local:snippets/pihole-vlan.sh
Pi-hole Configuration (LXC 103):
listeningMode = "ALL"in /etc/pihole/pihole.toml (to accept DNS from all subnets)- Gateway: 10.4.2.1 (OPNsense) for proper VLAN routing
See DECISIONS.md for firewall rules and network isolation strategy.
Access & Credentials
SSH Access
Proxmox Nodes:
- User: root (from workstation or between nodes)
- Key Type: ed25519
- Access:
ssh pm1,ssh pm2,ssh pm3,ssh pm4,ssh elantris
LXC Containers:
- User: root
- Key Type: ed25519 (workstation key provisioned)
- Access:
ssh root@<service>.kav(e.g.,ssh root@traefik.kav) - Provisioning Script:
scripts/provisioning/setup-ssh-access.sh
All containers have SSH enabled with key-based authentication (PermitRootLogin prohibit-password).
Important Paths
Traefik (LXC 104):
- Config:
/etc/traefik/traefik.yaml - Service configs:
/etc/traefik/conf.d/*.yaml - SSL certs:
/etc/traefik/ssl/acme.json - Service file:
/etc/systemd/system/traefik.service.d/override.conf
Media Services:
- Sonarr config:
/var/lib/sonarr/ - Radarr config:
/var/lib/radarr/ - Recyclarr config:
/root/.config/recyclarr/recyclarr.yml
NZBGet (Docker on kavnas):
- Config:
/volume1/docker/nzbget/config/nzbget.conf - Downloads:
/volume1/Media/downloads/