Files

kavren e0a64b1b92 docs: Add DHCP-based network isolation strategy

- Document OPNsense WAN configuration (pm4 vmbr1 with USB NIC)
- Add DHCP-based isolation workaround for unmanaged Gigabyte switches
- Plan subnet scheme: LAN (10.4.2.0/24), IoT (10.4.10.0/24), Guest (10.4.20.0/24)
- Document planned OPNsense firewall rules for isolation
- Update tasks with OPNsense migration and isolation steps
- Fix Claude Code hooks settings (remove matcher from Stop hook)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2025-12-21 19:20:07 -05:00

5.8 KiB

Raw Blame History

Infrastructure Reference

Purpose: Single source of truth for all infrastructure details - nodes, IPs, services, storage, network Update Frequency: Immediately when infrastructure changes

Proxmox Cluster Nodes

Hostname	IP Address	Role	Resources
pm1	10.4.2.2	Proxmox cluster node	-
pm2	10.4.2.6	Proxmox cluster node (primary management)	-
pm3	10.4.2.3	Proxmox cluster node	-
pm4	10.4.2.5	Proxmox cluster node	-
elantris	10.4.2.14	Proxmox cluster node (Debian-based)	128GB RAM, ZFS storage (24TB)

Cluster Name: KavCorp Network: 10.4.2.0/24 Gateway: 10.4.2.254

Service Map

Service	IP:Port	Location	Domain	Auth
Proxmox Web UI	10.4.2.6:8006	pm2	pm.kavcorp.com	Proxmox built-in
Traefik	10.4.2.10	LXC 104 (pm2)	-	None (reverse proxy)
Authelia	10.4.2.19	LXC 116 (pm2)	auth.kavcorp.com	SSO provider
Sonarr	10.4.2.15:8989	LXC 105 (pm2)	sonarr.kavcorp.com	Built-in
Radarr	10.4.2.16:7878	LXC 108 (pm2)	radarr.kavcorp.com	Built-in
Prowlarr	10.4.2.17:9696	LXC 114 (pm2)	prowlarr.kavcorp.com	Built-in
Jellyseerr	10.4.2.18:5055	LXC 115 (pm2)	jellyseerr.kavcorp.com	Built-in
Whisparr	10.4.2.20:6969	LXC 117 (pm2)	whisparr.kavcorp.com	Built-in
Notifiarr	10.4.2.21	LXC 118 (pm2)	-	API key
Jellyfin	10.4.2.21:8096	LXC 121 (elantris)	jellyfin.kavcorp.com	Built-in
Bazarr	10.4.2.22:6767	LXC 119 (pm2)	bazarr.kavcorp.com	Built-in
Kometa	10.4.2.23	LXC 120 (pm2)	-	N/A
Recyclarr	10.4.2.25	LXC 122 (pm2)	-	CLI only
NZBGet	10.4.2.13:6789	Docker (kavnas)	nzbget.kavcorp.com	Built-in
Home Assistant	10.4.2.62:8123	VM 100 (pm1)	hass.kavcorp.com	Built-in
Frigate	10.4.2.8:8971	LXC 128 (pm3)	frigate.kavcorp.com	Built-in (auth required)
Foundry VTT	10.4.2.37:30000	LXC 112 (pm3)	vtt.kavcorp.com	Built-in
llama.cpp	10.4.2.224:11434	LXC 123 (elantris)	ollama.kavcorp.com	None (API)
AMP	10.4.2.26:8080	LXC 124 (elantris)	amp.kavcorp.com	Built-in
Vaultwarden	10.4.2.212	LXC 125 (pm4)	vtw.kavcorp.com	Built-in
Immich	10.4.2.24:2283	LXC 126 (pm4)	immich.kavcorp.com	Built-in
Gitea	10.4.2.7:3000	LXC 127 (pm4)	git.kavcorp.com	Built-in
Pi-hole	10.4.2.129	LXC 103 (pm4)	pihole.kavcorp.com	Built-in
UniFi Controller	10.4.2.242:8443	LXC 111 (pm4)	-	Built-in
OPNsense (KavSense)	10.4.2.1	VM 130 (pm4)	-	Built-in (net0: vmbr0/LAN, net1: vmbr1/WAN)
KavNas	10.4.2.13	Synology NAS	-	NAS auth

Storage Architecture

NFS Mounts (Shared)

Mount Name	Source	Mount Point	Size	Usage
elantris-media	elantris:/el-pool/media	/mnt/pve/elantris-media	~24TB	Media files (movies, TV, anime)
KavNas	kavnas:10.4.2.13:/volume1	/mnt/pve/KavNas	~23TB	Backups, ISOs, LXC storage, downloads

Local Storage (Per-Node)

Storage	Type	Size	Usage
local	Directory	~100GB	Backups, templates, ISOs
local-lvm	LVM thin pool	~350-375GB	VM/LXC disks

ZFS Pools

Pool	Location	Size	Usage
el-pool	elantris	24TB	Large data storage

Media Folders

Path	Type	Permissions	Notes
/mnt/pve/elantris-media/movies	NFS	777	Movie library
/mnt/pve/elantris-media/tv	NFS	777	TV show library
/mnt/pve/elantris-media/anime	NFS	777	Anime library
/mnt/pve/elantris-media/processing	NFS	777	Processing/cleanup folder
/mnt/pve/KavNas/downloads	NFS	777	Download client output

Network Configuration

DNS & Domains

Domain: kavcorp.com DNS Provider: Namecheap Public IP: 99.74.188.161

All *.kavcorp.com subdomains route through Traefik reverse proxy (10.4.2.10) for SSL termination and routing.

Bridges

All Nodes (vmbr0)

Setting	Value
Bridge	vmbr0
Physical Interface	eno1
CIDR	10.4.2.0/24
Gateway	10.4.2.254

pm4 Only (vmbr1 - WAN for OPNsense)

Setting	Value
Bridge	vmbr1
Physical Interface	enx6c1ff76e4d47 (USB 2.5G NIC)
Purpose	WAN uplink to AT&T modem
Used by	VM 130 (OPNsense) net1

Planned Subnets (DHCP-based Isolation)

Subnet	Range	Purpose	Gateway
Main LAN	10.4.2.0/24	Trusted devices, Proxmox, services	10.4.2.1 (OPNsense)
IoT	10.4.10.0/24	KavCorp-IOT WiFi devices	10.4.10.1 (OPNsense)
Guest	10.4.20.0/24	KavCorp-Guest WiFi devices	10.4.20.1 (OPNsense)

Note: Using DHCP-based isolation due to unmanaged Gigabyte switches (no VLAN support). See DECISIONS.md for details.

Access & Credentials

SSH Access

User: kavren (from local machine)
User: root (between cluster nodes)
Key Type: ed25519
Node-to-Node: Passwordless SSH configured for cluster operations

Important Paths

Traefik (LXC 104):

Config: /etc/traefik/traefik.yaml
Service configs: /etc/traefik/conf.d/*.yaml
SSL certs: /etc/traefik/ssl/acme.json
Service file: /etc/systemd/system/traefik.service.d/override.conf

Media Services:

Sonarr config: /var/lib/sonarr/
Radarr config: /var/lib/radarr/
Recyclarr config: /root/.config/recyclarr/recyclarr.yml

NZBGet (Docker on kavnas):

Config: /volume1/docker/nzbget/config/nzbget.conf
Downloads: /volume1/Media/downloads/

5.8 KiB Raw Blame History