Sanitized mirror from private repository - 2026-04-05 12:11:15 UTC

This commit is contained in:
Gitea Mirror Bot
2026-04-05 12:11:15 +00:00
commit 5cdf36e545
1395 changed files with 358118 additions and 0 deletions


@@ -0,0 +1,210 @@
# ⚡ 10GbE Backbone Network
## Overview
The Concord primary location features a high-speed 10 Gigabit Ethernet backbone connecting the NAS cluster and primary workstations, enabling fast file transfers, media streaming, and backup operations.
---
## 🔌 10GbE Topology (Mermaid)
```mermaid
graph LR
subgraph Internet["☁️ Internet (25Gbps Fiber)"]
ISP["Sonic Fiber<br/>25Gbps ↑↓"]
end
subgraph Router["🌐 TP-Link Archer BE800"]
TPLINK["TP-Link Archer BE800<br/>Tri-Band WiFi 7<br/>10G + SFP+ + 4x2.5G"]
end
subgraph Switch["⚡ 10GbE Switch"]
TLSX["TP-Link TL-SX1008<br/>8-Port 10GbE<br/>Unmanaged Switch"]
end
subgraph HighSpeed["⚡ 10GbE Devices"]
ATL["🗄️ Atlantis<br/>DS1823xs+<br/>10GbE via E10M20-T1<br/>192.168.0.200"]
CAL["🗄️ Calypso<br/>DS723+<br/>10GbE via E10G22-T1-Mini<br/>192.168.0.250"]
GUA["💻 Guava<br/>TrueNAS Scale<br/>Mellanox ConnectX-5<br/>192.168.0.100"]
DSK["🖥️ Shinku-Ryuu<br/>i7-14700K + RTX 4080<br/>Mellanox ConnectX-5<br/>192.168.0.3"]
end
subgraph GigE["🔌 1GbE / Other Devices"]
PROX["🖥️ Proxmox<br/>VM Host"]
PI_V["📡 RPi 5 Vish"]
GL_MT["📡 GL-MT3000<br/>HA Router"]
GL_BE["📡 GL-BE3600<br/>Exit Node Router"]
end
ISP -->|"25Gbps"| TPLINK
TPLINK -->|"10GbE"| TLSX
TLSX -->|"10GbE"| ATL
TLSX -->|"10GbE"| CAL
TLSX -->|"10GbE"| GUA
TLSX -->|"10GbE"| DSK
TPLINK -->|"1GbE"| PROX
TPLINK -->|"1GbE"| PI_V
TPLINK -->|"1GbE"| GL_MT
TPLINK -->|"1GbE"| GL_BE
classDef switch fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
classDef nas fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef compute fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef router fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
class TLSX switch
class ATL,CAL nas
class GUA,DSK,PROX,ANUB,PI_V compute
class TPLINK router
```
---
## 📝 ASCII 10GbE Layout
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ 10 GIGABIT ETHERNET BACKBONE ║
║ Concord, CA • 25Gbps Internet • High-Speed LAN ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────────────┐
│ ☁️ INTERNET │
│ Sonic 25Gbps Fiber │
│ 25,000 Mbps ↑↓ │
└───────────┬─────────────┘
│ 25Gbps
┌─────────────────────────┐
│ 🌐 TP-Link Archer BE800 │
│ ═══════════════════════ │
│ WiFi 7 Tri-Band Router │
│ • 1x 10Gbps RJ45 Port │
│ • 1x 10Gbps SFP+ Port │
│ • 4x 2.5Gbps LAN Ports │
└─────┬─────────┬─────────┘
│ │
10GbE │ │ 2.5GbE
│ │
┌───────────────┘ └───────────────────────────┐
│ │
▼ ▼
┌───────────────────────────────┐ ┌─────────────────────────────────┐
│ ⚡ TP-Link TL-SX1008 │ │ 🔌 1GbE / ROUTER DEVICES │
│ ═══════════════════════════ │ │ ═══════════════════════════ │
│ 8-Port 10GbE Unmanaged │ │ │
│ • All ports 10GBASE-T │ │ ┌─────────┐ ┌─────────┐ │
│ • 160Gbps switching capacity │ │ │ Proxmox │ │RPi 5 │ │
│ • Fanless, silent operation │ │ │ VM Host │ │ Vish │ │
│ │ │ │ 1GbE │ │ 1GbE │ │
│ Port Layout: │ │ └─────────┘ └─────────┘ │
│ ┌───┬───┬───┬───┬───┬───┬───┬───┐ │ │
│ │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ 7 │ 8 │ │ ┌─────────┐ ┌─────────┐ │
│ └─┬─┴─┬─┴─┬─┴─┬─┴───┴───┴───┴───┘ │ │GL-BE3600│ │GL-MT3000│ │
│ │ │ │ │ (unused) │ │exit node│ │HA subnet│ │
└────┼───┼───┼───┼──────────────────┘ │ └─────────┘ └─────────┘ │
│ │ │ │ └─────────────────────────────────┘
│ │ │ │
10GbE│ │ │ │10GbE
│ │ │ │
▼ ▼ ▼ ▼
┌────────────────────────────────────────────────────────────────────┐
│ ⚡ 10GbE CONNECTED DEVICES │
│ ══════════════════════════════════════════════════════════════ │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ ATLANTIS │ │ CALYPSO │ │ GUAVA │ │
│ │ ═════════════ │ │ ═════════════ │ │ ═════════════ │ │
│ │ 192.168.0.200 │ │ 192.168.0.250 │ │ 192.168.0.100 │ │
│ │ │ │ │ │ │ │
│ │ DS1823xs+ │ │ DS723+ │ │ TrueNAS Scale │ │
│ │ 8-Bay NAS │ │ 2-Bay NAS │ │ Ryzen 5 8600G │ │
│ │ │ │ │ │ │ │
│ │ 8x 16TB HDDs │ │ 2x 12TB HDDs │ │ 2x 4TB SSD │ │
│ │ = 128TB Raw │ │ = 24TB Raw │ │ = 8TB Raw │ │
│ │ │ │ │ │ │ │
│ │ ┌───────────┐ │ │ ┌───────────┐ │ │ ┌───────────┐ │ │
│ │ │ E10M20-T1 │ │ │ │E10G22-T1 │ │ │ │ Mellanox │ │ │
│ │ │ 10GbE+M.2 │ │ │ │ -Mini │ │ │ │ConnectX-5 │ │ │
│ │ │ PCIe │ │ │ │ 10GbE │ │ │ │ 10/25GbE │ │ │
│ │ └───────────┘ │ │ └───────────┘ │ │ └───────────┘ │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
│ ┌─────────────────┐ │
│ │ SHINKU-RYUU │ │
│ │ ═════════════ │ │
│ │ 192.168.0.3 │ │
│ │ │ │
│ │ i7-14700K │ │
│ │ RTX 4080 16GB │ │
│ │ 96GB DDR5 │ │
│ │ ┌───────────┐ │ │
│ │ │ Mellanox │ │ │
│ │ │ConnectX-5 │ │ │
│ │ │ 10/25GbE │ │ │
│ │ └───────────┘ │ │
│ └─────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ PERFORMANCE BENCHMARKS ║
║ ═════════════════════ ║
║ ║
║ • NAS-to-NAS Transfer (Atlantis ↔ Calypso): ~1.1 GB/s (8.8 Gbps) ║
║ • Desktop → Atlantis Sequential Write: ~1.0 GB/s (8.0 Gbps) ║
║ • Atlantis → Desktop Sequential Read: ~1.1 GB/s (8.8 Gbps) ║
║ • 4K Video Stream (single): ~100 Mbps (0.1 Gbps) ║
║ • 4K Video Streams (concurrent, theoretical): ~80 streams ║
║ ║
║ Bottlenecks: ║
║ • None for 10GbE devices - full speed to switch via router's 10G uplink ║
║ • 1GbE devices: Proxmox host, RPi 5, GL routers connected via router's GbE ports ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 📊 Hardware Specifications
### TP-Link TL-SX1008 (10GbE Switch)
| Specification | Value |
|---------------|-------|
| Ports | 8x 10GBASE-T (RJ45) |
| Switching Capacity | 160 Gbps |
| Forwarding Rate | 119.04 Mpps |
| Management | Unmanaged |
| Cooling | Fanless (silent) |
| Power | ~15W typical |
### 10GbE Network Cards
| Device | NIC Model | Interface | Notes |
|--------|-----------|-----------|-------|
| Atlantis | Synology E10M20-T1 | PCIe 3.0 x8 | Combo 10GbE + M.2 slot |
| Calypso | Synology E10G22-T1-Mini | PCIe 3.0 | Official Synology 10GbE (Intel X550-AT) |
| Guava | Mellanox ConnectX-5 (MT27800) | PCIe | 2-port; 10/25GbE capable; running at 10Gbps |
| Shinku-Ryuu | Mellanox ConnectX-5 (2-port) | PCIe | 10/25GbE capable; running at 10Gbps |
---
## 🔧 Cable Requirements
All 10GbE connections use **Cat6a or Cat7** cables for reliable 10Gbps performance:
| Connection | Cable Type | Length | Notes |
|------------|------------|--------|-------|
| Switch → Atlantis | Cat6a | ~2m | Shielded recommended |
| Switch → Calypso | Cat6a | ~2m | Shielded recommended |
| Switch → Guava | Cat6a | ~3m | |
| Switch → Desktop | Cat6a | ~5m | |
| Router → Switch | Cat6a | ~1m | 2.5GbE link |
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - Complete network overview
- [Storage Topology](storage-topology.md) - NAS storage configuration
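Review bot: the Cable Requirements table's last row (`| Router → Switch | Cat6a | ~1m | 2.5GbE link |`) contradicts the rest of this file, which draws the router-to-switch link as 10GbE (`TPLINK -->|"10GbE"| TLSX` in the graph, the `10GbE │` label in the ASCII layout, and the benchmark note "full speed to switch via router's 10G uplink"). Pick one: if the Archer BE800's 10G RJ45 port is what feeds the TL-SX1008, change the note to `10GbE link`; if it really is a 2.5G port, the "Bottlenecks: None" claim needs revisiting, because that uplink caps everything between the four 10GbE devices and the WAN or the router-attached hosts (Proxmox, RPi 5, GL routers), even though switch-local transfers such as the Atlantis ↔ Calypso figure are unaffected. Also, `class GUA,DSK,PROX,ANUB,PI_V compute` assigns a class to `ANUB`, which is not declared anywhere in this graph; either add the node or drop the id.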

docs/diagrams/README.md Normal file

@@ -0,0 +1,115 @@
# 📊 Homelab Infrastructure Diagrams
This directory contains visual documentation of the homelab infrastructure, including network topology, service architecture, and storage layouts. All diagrams use [Mermaid.js](https://mermaid.js.org/) for rendering.
## 📁 Diagram Index
| Diagram | Description | Format |
|---------|-------------|--------|
| [Network Topology](network-topology.md) | Physical and logical network layout across all locations | Mermaid + ASCII |
| [Tailscale Mesh](tailscale-mesh.md) | VPN mesh network connecting all locations | Mermaid + ASCII |
| [10GbE Backbone](10gbe-backbone.md) | High-speed network backbone in Concord | Mermaid + ASCII |
| [Service Architecture](service-architecture.md) | How services interact, auth flows, CI/CD pipeline | Mermaid |
| [Storage Topology](storage-topology.md) | NAS cluster, volumes, and backup flows | Mermaid + ASCII |
| [Location Overview](location-overview.md) | Geographic distribution of infrastructure | Mermaid |
### Service Architecture Sections
- Media Stack (Arr suite, Plex, streaming)
- Monitoring Stack (Prometheus, Grafana)
- **Authentication Stack (Authentik + NPM)** ⭐ NEW
- Communication Stack (Matrix, Mastodon, Mattermost)
- **CI/CD Pipeline (Gitea Actions + Ansible)** ⭐ NEW
- AI/ML Stack (Ollama, vLLM, Olares)
- DCIM/IPAM (NetBox)
## 🔐 Key Architecture Components
### Authentication & Proxy Stack
```
┌─────────────────────────────────────────────────────────────────────┐
│ Internet → Cloudflare → NPM (matrix-ubuntu) → Authentik (Calypso) │
│ ↓ │
│ Protected Services │
└─────────────────────────────────────────────────────────────────────┘
```
| Component | Host | Port | Purpose |
|-----------|------|------|---------|
| **Nginx Proxy Manager** | matrix-ubuntu | :81/:443 | Reverse proxy, SSL termination |
| **Authentik Server** | Calypso | :9000 | Identity provider, SSO |
| **Authentik Outpost** | Calypso | :9444 | Forward auth proxy |
| **Headscale** | Calypso | :8080 | Self-hosted Tailscale controller |
| **WireGuard** | Atlantis | :51820 | VPN server |
### Service Protection via Authentik
| Domain | Service | Auth Type |
|--------|---------|-----------|
| sso.vish.gg | Authentik | - (IdP) |
| git.vish.gg | Gitea | OAuth2/OIDC |
| gf.vish.gg | Grafana | OAuth2/OIDC |
| nb.vish.gg | NetBox | OAuth2/OIDC |
| dash.vish.gg | Homarr | OAuth2/OIDC |
| rx.vish.gg | Reactive Resume | OAuth2/OIDC |
| immich | Immich | OAuth2/OIDC |
| headscale.vish.gg/admin | Headplane | OAuth2/OIDC |
| docs.vish.gg | Paperless-NGX | Forward Auth |
| actual.vish.gg | Actual Budget | Forward Auth |
## 🗺️ Quick Reference
### Locations
- **Concord, CA** (Primary) - Main infrastructure, 25Gbps fiber
- **Concord, CA** (Backup ISP) - Failover connectivity, 2Gbps/500Mbps
- **Tucson, AZ** - Remote NAS (Setillo)
- **Honolulu, HI** - Travel/remote access point
- **Seattle, WA** - Cloud VPS (Contabo)
### Key Infrastructure
- **3 Synology NAS** units (Atlantis, Calypso, Setillo)
- **10GbE backbone** via TP-Link TL-SX1008
- **Tailscale mesh** connecting all locations
- **Proxmox** virtualization for VMs
- **Authentik SSO** protecting 12+ services
- **Nginx Proxy Manager** routing 30+ domains
- **Olares** K8s node for local LLM inference
### Service Counts by Host
| Host | Services | Primary Role |
|------|----------|--------------|
| Atlantis | 59 | Media, downloads, DNS backup, dashboard |
| Calypso | 61 | Auth, Gitea, arr-suite, headscale |
| matrix-ubuntu | 12+ | NPM, Matrix, Mastodon, Mattermost |
| Homelab VM | 38 | Monitoring, tools, DCIM, Ansible UI |
| Concord NUC | 19 | Home Assistant, Plex, edge |
| RPi 5 | 6 | Uptime Kuma, monitoring, DIUN |
| **Total** | **~195** | **Across 5 Portainer endpoints + matrix-ubuntu** |
## 🔄 Diagram Updates
These diagrams should be updated when:
- New hosts are added
- Network topology changes
- Services are added/removed
- Storage configuration changes
- Authentication flows change
## 📝 Viewing Diagrams
These diagrams render automatically on:
- **Gitea** (git.vish.gg) - Native Mermaid support
- **GitHub** - Native Mermaid support
- **VS Code** - With Mermaid extension
For local viewing:
```bash
# Install mermaid-cli
npm install -g @mermaid-js/mermaid-cli
# Generate PNG from markdown
mmdc -i service-architecture.md -o output.png
```
---
*Last updated: 2026-03-20*
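Review bot: the Authentication & Proxy Stack table lists Nginx Proxy Manager as `:81/:443`, but port 81 is NPM's admin UI, not a proxy listener, and the box above it shows the path `Internet → Cloudflare → NPM`; the table should say explicitly that :81 is reachable only from the LAN/Headscale side and never via the Cloudflare path, otherwise a reader (or an automation run that opens ports from this doc) can end up exposing the admin console. Smaller points: the `| immich | Immich | OAuth2/OIDC |` row is the only one without a hostname in the Domain column, and "Authentik SSO protecting 12+ services" under Key Infrastructure does not match the nine protected services actually listed in the Service Protection table.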


@@ -0,0 +1,240 @@
# 🗺️ Geographic Location Overview
## Overview
The homelab infrastructure spans 4 physical locations plus cloud and mobile components, all connected via **Headscale** (self-hosted Tailscale control server at `headscale.vish.gg:8443` on Calypso).
---
## 🌎 Location Map (Mermaid)
```mermaid
graph TB
subgraph USA["🇺🇸 United States"]
subgraph West["West Coast"]
SEA["🌲 Seattle, WA<br/>Cloud VPS"]
CON["🏠 Concord, CA<br/>PRIMARY HQ<br/>25Gbps Fiber"]
end
subgraph Southwest["Southwest"]
TUC["🌵 Tucson, AZ<br/>Remote NAS"]
end
subgraph Pacific["Pacific"]
HON["🌺 Honolulu, HI<br/>Remote Access"]
end
end
subgraph Mobile["✈️ Mobile"]
MSI["💻 MSI Laptop<br/>Travel Workstation"]
end
%% Headscale connections
CON <-->|"Headscale<br/>Primary Hub"| SEA
CON <-->|"Headscale"| TUC
CON <-->|"Headscale"| HON
CON <-->|"Headscale"| MSI
SEA <-->|"Headscale"| TUC
SEA <-->|"Headscale"| HON
TUC <-->|"Headscale"| HON
classDef primary fill:#e74c3c,stroke:#333,stroke-width:3px,color:#fff
classDef secondary fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef remote fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef mobile fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
class CON primary
class SEA secondary
class TUC,HON remote
class MSI mobile
```
---
## 📝 ASCII Location Map
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ HOMELAB GEOGRAPHIC DISTRIBUTION ║
║ 4 Locations + Cloud + Mobile • Headscale Mesh (headscale.vish.gg) ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
🇺🇸 UNITED STATES
═══════════════════════════════════════════════════════════════════════════════════
🌲 SEATTLE, WA
┌─────────────────┐
│ Contabo VM │
│ Cloud VPS │
│ • External │
│ Access │
└────────┬────────┘
│ Tailscale
─────────────────────────┼─────────────────────────────────────────────────────────
🏠 CONCORD, CA ◄──────── PRIMARY HEADQUARTERS
┌─────────────────────────────────────────┐
│ ★ PRIMARY LOCATION │
│ ══════════════════ │
│ │
│ Internet: 25Gbps Sonic Fiber │
│ Backup: 2Gbps/500Mbps │
│ │
│ ┌─────────────────────────────────┐ │
│ │ Main Network (25Gbps) │ │
│ │ • Atlantis (DS1823xs+) 10GbE │ │
│ │ • Calypso (DS723+) 10GbE │ │
│ │ • Guava (TrueNAS Scale) 10GbE │ │
│ │ • Shinku-Ryuu (Desktop) 10GbE │ │
│ │ • Proxmox + Homelab VM │ │
│ │ • matrix-ubuntu (on Atlantis) │ │
│ │ • GL-BE3600 (exit node router) │ │
│ │ • GL-MT3000 (HA subnet router) │ │
│ │ • RPi 5 (Vish) │ │
│ └─────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────┐ │
│ │ Backup Network (2G/500M) │ │
│ │ • Concord NUC │ │
│ │ • RPi 5 Kevin │ │
│ └─────────────────────────────────┘ │
│ │
│ Services: 150+ containers │
│ Storage: 152TB across 3 NAS │
└────────────────────┬────────────────────┘
│ Tailscale (all locations mesh connected)
┌────────────────────┼────────────────────┐
│ │ │
▼ ▼ ▼
🌵 TUCSON, AZ (via Headscale) 🌺 HONOLULU, HI (via Headscale)
┌─────────────────────┐ ┌─────────────────────┐
│ Remote Backup Site │ │ Remote Access │
│ ═══════════════════│ │ ═══════════════════│
│ │ │ │
│ • Setillo DS223j │ │ • bluecrownpf │
│ (Off-site backup)│ │ (Partner's PC) │
│ │ │ • mah-pc │
│ Services: │ │ │
│ • Plex Server │ │ Access to: │
│ • AdGuard Home │ │ • Plex streaming │
│ • HyperBackup │ │ • All services via │
│ │ │ Headscale │
│ Purpose: │ │ │
│ • 3-2-1 backup │ │ │
│ • Geographic │ │ │
│ redundancy │ │ │
└─────────────────────┘ └─────────────────────┘
─────────────────────────────────────────────────────────────────────────────────────
✈️ MOBILE (Anywhere)
┌─────────────────────┐
│ MSI Laptop │
│ ═══════════════════│
│ │
│ • Full Tailscale │
│ access │
│ • Development │
│ • Remote admin │
│ • OpenHands │
│ │
│ Can connect from: │
│ • Hotels │
│ • Airports │
│ • Coffee shops │
│ • Anywhere with │
│ internet │
└─────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ LOCATION SUMMARY ║
╠════════════════════════════════════════════════════════════════════════════════════════╣
║ ║
║ Location │ Type │ Devices │ Bandwidth │ Primary Purpose ║
║ ────────────────┼───────────┼─────────┼──────────────┼─────────────────────────────── ║
║ Concord (Main) │ Primary │ 12+ │ 25Gbps │ Main infrastructure ║
║ Concord (Backup)│ Failover │ 3 │ 2G/500M │ Redundant connectivity + HA ║
║ Tucson │ Remote │ 1 │ ISP │ Off-site backup, Plex ║
║ Honolulu │ Remote │ 2 │ ISP │ Partner access ║
║ Seattle (Cloud) │ Cloud │ 1 │ Unmetered │ Fluxer, LLMs, exit node ║
║ Mobile │ Travel │ 1 │ Variable │ Remote administration ║
║ ║
╠════════════════════════════════════════════════════════════════════════════════════════╣
║ DISTANCES FROM PRIMARY (Concord, CA) ║
║ ───────────────────────────────────── ║
║ • Seattle, WA: ~680 miles (~1,100 km) ║
║ • Tucson, AZ: ~650 miles (~1,050 km) ║
║ • Honolulu, HI: ~2,400 miles (~3,860 km) ║
║ ║
║ Latency (typical Tailscale): ║
║ • Concord ↔ Seattle: ~25ms ║
║ • Concord ↔ Tucson: ~35ms ║
║ • Concord ↔ Honolulu: ~70ms ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 📊 Device Distribution by Location
### 🏠 Concord, CA - Primary (Main Network)
| Device | Type | Connection | Notes |
|--------|------|------------|-------|
| Atlantis | Synology DS1823xs+ | 10GbE | Primary NAS; 51 services |
| Calypso | Synology DS723+ | 10GbE | Secondary NAS; Headscale, Authentik, Gitea, Immich |
| Guava | TrueNAS Scale (Ryzen 5 8600G) | 10GbE | Storage server; 12+ services |
| Shinku-Ryuu | Desktop workstation (i7-14700K) | 10GbE | Primary workstation |
| PVE | Proxmox host | 1GbE | Hypervisor for Homelab VM |
| Homelab VM | Proxmox VM (Ubuntu) | 1GbE | Monitoring hub; 30 services |
| matrix-ubuntu | Atlantis VM (Ubuntu 24.04), 4 vCPU, 16GB RAM, 1TB disk | 1GbE | NPM, Mastodon, Matrix, Mattermost, CrowdSec |
| GL-BE3600 | GL.iNet router | 1GbE | Exit node; subnet `192.168.8.0/24` |
| GL-MT3000 | GL.iNet router | 1GbE | HA subnet router; `192.168.12.0/24` |
| RPi 5 (Vish) | Raspberry Pi 5 16GB | 1GbE | Edge; Pi-5 node |
| Jellyfish | Raspberry Pi 5 4GB | Tailscale | NAS/media; PhotoPrism |
| Anubis | Mac Mini (Late 2014) | 1GbE | Legacy; offline/standby |
### 🏠 Concord, CA - Backup ISP (2Gbps/500Mbps)
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| Concord NUC | Intel NUC6i3SYB | 1GbE | Home Assistant, AdGuard, exit node |
| RPi 5 (Kevin) | Raspberry Pi 5 8GB | 1GbE | Edge services |
| Home Assistant Green | HA Green | 1GbE | Smart home hub (via GL-MT3000 subnet) |
### 🌵 Tucson, AZ
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| Setillo | Synology DS223j | 1GbE | Off-site backup, Plex, AdGuard |
### 🌺 Honolulu, HI
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| bluecrownpassionflower | Partner's PC | Headscale | Remote homelab access |
| mah-pc | Partner's PC | Headscale | Remote homelab access |
### 🌲 Seattle, WA (Cloud)
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| seattle (Contabo VPS) | Cloud VPS (16 vCPU, ~64GB RAM) | Internet | Fluxer, Ollama, BookStack, exit node |
### ✈️ Mobile
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| MSI Prestige 13 AI Plus | Laptop | WiFi/Headscale | Remote administration, development |
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - Detailed network layout
- [Tailscale Mesh](tailscale-mesh.md) - VPN connectivity
- [Storage Topology](storage-topology.md) - Backup locations
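Review bot: the Overview gives the control server as `headscale.vish.gg:8443` on Calypso, while the README's Authentication & Proxy Stack table and the Service Architecture diagram both put Headscale on Calypso `:8080`; since this is the endpoint every remote node registers against, state the externally reachable port once (and, if 8443 is a TLS front end in front of the 8080 listener, say so) rather than leaving two values. The ASCII map labels the Seattle and Concord links "Tailscale" while the Mermaid graph and the Tucson/Honolulu boxes say "via Headscale"; use one term consistently (the clients run Tailscale, the control plane is Headscale). Finally, bluecrownpassionflower is "Partner's PC" here and "Sibling's PC" in network-topology.md.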


@@ -0,0 +1,265 @@
# 🌐 Network Topology
## Overview
This document shows the physical and logical network layout across all homelab locations, connected via Tailscale VPN mesh.
---
## 🗺️ Geographic Overview (Mermaid)
```mermaid
graph TB
subgraph Internet["☁️ Internet"]
ISP1["Concord Primary<br/>25Gbps Fiber"]
ISP2["Concord Backup<br/>2G↓/500M↑"]
ISP3["Tucson ISP"]
ISP4["Honolulu ISP"]
CONTABO["Contabo Cloud<br/>Seattle"]
end
subgraph Concord_Primary["🏠 Concord, CA - Primary (25Gbps)"]
TPLINK["TP-Link Archer BE800<br/>Tri-Band Router"]
SWITCH["TP-Link TL-SX1008<br/>10GbE Switch"]
subgraph NAS_Cluster["📦 NAS Cluster"]
ATLANTIS["Atlantis<br/>DS1823xs+<br/>8x16TB"]
CALYPSO["Calypso<br/>DS723+<br/>2x12TB"]
end
subgraph Compute["💻 Compute"]
GUAVA["Guava<br/>TrueNAS Scale<br/>Ryzen 5 8600G"]
DESKTOP["Shinku-Ryuu<br/>i7-14700K + RTX 4080<br/>96GB DDR5"]
PROXMOX["Proxmox Host"]
OLARES["Olares<br/>Core Ultra 9 275HX<br/>RTX 5090, 96GB"]
end
subgraph Edge_Primary["📡 Edge Devices"]
PI_VISH["RPi 5<br/>(Vish)"]
GL_MT["GL-MT3000<br/>router<br/>192.168.12.0/24"]
GL_BE["GL-BE3600<br/>router / exit node<br/>192.168.8.0/24"]
end
subgraph VMs["🖥️ Virtual Machines"]
HOMELAB_VM["Homelab VM"]
MATRIX_VM["matrix-ubuntu<br/>(on Atlantis)"]
end
end
subgraph Concord_Backup["🏠 Concord, CA - Backup ISP (2G/500M)"]
NUC["Concord NUC<br/>Intel NUC"]
PI_KEVIN["RPi 5<br/>(Kevin)"]
end
subgraph Tucson["🌵 Tucson, AZ"]
SETILLO["Setillo<br/>DS223j<br/>2x10TB WD Gold"]
end
subgraph Honolulu["🌺 Honolulu, HI"]
BCPF["bluecrownpassionflower<br/>Sibling's PC"]
end
subgraph Mobile["✈️ Mobile/Travel"]
MSI["MSI Laptop<br/>Portable Workstation"]
end
subgraph Seattle["🌲 Seattle, WA (Cloud)"]
CONTABO_VM["Contabo VM<br/>Cloud VPS"]
end
%% Internet connections
ISP1 --> TPLINK
ISP2 --> NUC
ISP3 --> SETILLO
ISP4 --> BCPF
CONTABO --> CONTABO_VM
%% Concord Primary internal
TPLINK --> SWITCH
SWITCH -->|10GbE| ATLANTIS
SWITCH -->|10GbE| CALYPSO
SWITCH -->|10GbE| GUAVA
SWITCH -->|10GbE| DESKTOP
TPLINK -->|2.5GbE| PROXMOX
TPLINK -->|2.5GbE| OLARES
TPLINK -->|1GbE| PI_VISH
TPLINK -->|1GbE| GL_MT
TPLINK -->|1GbE| GL_BE
PROXMOX --> HOMELAB_VM
ATLANTIS -->|VMM| MATRIX_VM
%% Tailscale/Headscale mesh (dashed)
ATLANTIS -.->|Headscale| SETILLO
ATLANTIS -.->|Headscale| NUC
ATLANTIS -.->|Headscale| BCPF
ATLANTIS -.->|Headscale| CONTABO_VM
ATLANTIS -.->|Headscale| MSI
classDef nas fill:#4a9eff,stroke:#333,stroke-width:2px,color:#fff
classDef compute fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef network fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef vm fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef cloud fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
classDef edge fill:#1abc9c,stroke:#333,stroke-width:2px,color:#fff
class ATLANTIS,CALYPSO,SETILLO nas
class GUAVA,DESKTOP,PROXMOX,OLARES compute
class TPLINK,SWITCH,GL_MT,GL_BE network
class HOMELAB_VM,MATRIX_VM vm
class CONTABO_VM cloud
class NUC,PI_KEVIN,PI_VISH edge
```
---
## 📝 ASCII Network Topology
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ HOMELAB NETWORK TOPOLOGY ║
║ 4 Locations • Tailscale Mesh • 25Gbps Primary ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ ☁️ INTERNET │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ [Concord 25G] [Concord 2G/500M] [Tucson] [Honolulu] [Seattle] │
│ │ │ │ │ │ │
│ ▼ ▼ ▼ ▼ ▼ │
└─────────┼───────────────────┼──────────────────┼──────────────┼──────────────┼───────────┘
│ │ │ │ │
│ │ │ │ │
┌─────────▼───────────────────┼──────────────────┼──────────────┼──────────────┼───────────┐
│ 🏠 CONCORD, CA (PRIMARY) │ │ │ │ │
│ ════════════════════════ │ │ │ │ │
│ │ │ │ │ │
│ ┌──────────────────┐ │ │ │ │ │
│ │ TP-Link Archer BE800 │ │ │ │ │ │
│ │ (Tri-Band WiFi) │ │ │ │ │ │
│ └────────┬─────────┘ │ │ │ │ │
│ │ │ │ │ │ │
│ ▼ │ │ │ │ │
│ ┌──────────────────┐ │ │ │ │ │
│ │ TL-SX1008 10GbE │ │ │ │ │ │
│ │ 8-Port Switch │ │ │ │ │ │
│ └┬───┬───┬───┬─────┘ │ │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ │ │ └─────────────┼──────────────────┼──────────────┼──────────────┼───────────┤
│ │ │ │ 10GbE │ │ │ │ │
│ ▼ ▼ ▼ ▼ │ │ │ │ │
│ ┌───┐┌───┐┌───┐┌───┐ │ │ │ │ │
│ │ATL││CAL││GUA││DSK│ │ │ │ │ │
│ │ ││ ││ ││ │ │ │ │ │ │
│ │8x ││2x ││ ││ │ │ │ │ │ │
│ │16T││12T││ ││ │ │ │ │ │ │
│ └───┘└───┘└───┘└───┘ │ │ │ │ │
│ │ │ │ │ │
│ ┌─────────────────┐ │ │ │ │ │
│ │ Proxmox Host │ │ │ │ │ │
│ │ ┌───────────┐ │ │ │ │ │ │
│ │ │ Homelab VM│ │ │ │ │ │ │
│ │ └───────────┘ │ │ │ │ │ │
│ └─────────────────┘ │ │ │ │ │
│ │ │ │ │ │
│ ┌─────────────────┐ │ │ │ │ │
│ │ GL-BE3600 │ │ │ │ │ │
│ │ (exit node) │ │ │ │ │ │
│ └─────────────────┘ │ │ │ │ │
│ ┌─────────────────┐ │ │ │ │ │
│ │ GL-MT3000 │ │ │ │ │ │
│ │ (HA subnet) │ │ │ │ │ │
│ └─────────────────┘ │ │ │ │ │
│ ┌─────────────────┐ │ │ │ │ │
│ │ Olares │ │ │ │ │ │
│ │ (K8s, LLM) │ │ │ │ │ │
│ └─────────────────┘ │ │ │ │ │
│ ┌─────────────────┐ │ │ │ │ │
│ │ RPi 5 (Vish) │ │ │ │ │ │
│ │ (monitoring) │ │ │ │ │ │
│ └─────────────────┘ │ │ │ │ │
│ │ │ │ │ │
└─────────────────────────────┼──────────────────┼──────────────┼──────────────┼───────────┘
│ │ │ │
┌─────────────────────────────▼──────────────────┼──────────────┼──────────────┼───────────┐
│ 🏠 CONCORD BACKUP ISP │ │ │ │
│ ════════════════════════ │ │ │ │
│ ┌─────────┐ ┌─────────┐ │ │ │ │
│ │ Concord │ │ RPi 5 │ │ │ │ │
│ │ NUC │ │ (Kevin) │ │ │ │ │
│ └─────────┘ └─────────┘ │ │ │ │
└────────────────────────────────────────────────┼──────────────┼──────────────┼───────────┘
│ │ │
┌────────────────────────────────────────────────▼──────────────┼──────────────┼───────────┐
│ 🌵 TUCSON, AZ │ │ │
│ ════════════════ │ │ │
│ ┌─────────────┐ │ │ │
│ │ Setillo │◄─ ─ ─ ─ ─ ─ ─ ─ ─Tailscale─ ─ ─ ─ ─ ─ ─ ─ ─ ┤ │ │
│ │ Synology NAS│ │ │ │
│ └─────────────┘ │ │ │
└───────────────────────────────────────────────────────────────┼──────────────┼───────────┘
│ │
┌───────────────────────────────────────────────────────────────▼──────────────┼───────────┐
│ 🌺 HONOLULU, HI │ │
│ ════════════════ │ │
│ ┌──────────────────────┐ │ │
│ │ bluecrownpassionflower│◄─ ─ ─ ─Headscale─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤ │
│ │ │ │ │
│ └──────────────────────┘ │ │
└──────────────────────────────────────────────────────────────────────────────┼───────────┘
┌──────────────────────────────────────────────────────────────────────────────▼───────────┐
│ 🌲 SEATTLE, WA (CLOUD) │
│ ══════════════════════ │
│ ┌─────────────┐ │
│ │ Contabo VM │◄─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─Tailscale─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤
│ │ Cloud VPS │ │
│ └─────────────┘ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ LEGEND ║
║ ══════ ║
║ ATL = Atlantis (DS1823xs+) CAL = Calypso (DS723+) GUA = Guava (TrueNAS) ║
║ DSK = Shinku-Ryuu Desktop HLB = Homelab VM ─── = Physical Connection ║
║ GL-BE = GL-BE3600 (exit node) GL-MT = GL-MT3000 (HA) ─ ─ = Headscale VPN ║
║ ║
║ 10GbE connections: Atlantis, Calypso, Guava, Desktop ║
║ All other connections: 1GbE or WiFi ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 📊 Connection Summary
### Concord Primary (25Gbps Fiber)
| Device | Connection | Speed | Purpose |
|--------|------------|-------|---------|
| Atlantis | TL-SX1008 | 10GbE | Primary NAS, media, services |
| Calypso | TL-SX1008 | 10GbE | Secondary NAS, development |
| Guava | TL-SX1008 | 10GbE | Physical compute host |
| Desktop | TL-SX1008 | 10GbE | Workstation |
| Proxmox | TP-Link Router | 2.5GbE | VM host |
| Olares | TP-Link Router | 2.5GbE | K8s, LLM inference |
| RPi 5 (Vish) | TP-Link Router | 1GbE | Monitoring, uptime |
### Concord Backup (2Gbps/500Mbps)
| Device | Connection | Speed | Purpose |
|--------|------------|-------|---------|
| Concord NUC | Direct | 1GbE | Edge computing, failover |
| RPi 5 (Kevin) | Direct | 1GbE | Lightweight services |
### Remote Locations
| Location | Device | Connection | Purpose |
|----------|--------|------------|---------|
| Tucson | Setillo (DS223j) | Headscale | Remote NAS, offsite backup |
| Honolulu | bluecrownpassionflower | Headscale | Sibling's PC |
| Seattle | Contabo VPS (seattle) | Headscale | Cloud services, exit node |
---
## 🔗 Related Diagrams
- [Tailscale Mesh](tailscale-mesh.md) - VPN overlay network details
- [10GbE Backbone](10gbe-backbone.md) - High-speed internal network
- [Location Overview](location-overview.md) - Geographic distribution
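Review bot: the Connection Summary lists Proxmox at `2.5GbE` via the TP-Link router (and the graph has `TPLINK -->|2.5GbE| PROXMOX`), but 10gbe-backbone.md draws the same host as `TPLINK -->|"1GbE"| PROX` and its ASCII layout says `Proxmox VM Host 1GbE`; reconcile the two, since the figure determines whether the Homelab VM's monitoring and backup traffic is link-bound. The mesh edges all originate at Atlantis (`ATLANTIS -.->|Headscale| SETILLO` and so on), which reads as if Atlantis were the control plane, whereas the README and location-overview.md put Headscale on Calypso; either draw the edges from a HEADSCALE node on Calypso or label them as peer-to-peer tunnels. Olares appears here (`TPLINK -->|2.5GbE| OLARES`) but is absent from the 10GbE backbone diagram's device list, the legend defines `HLB = Homelab VM` although no `HLB` label is used in the drawing, and the Honolulu row says "Sibling's PC" where location-overview.md says "Partner's PC".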


@@ -0,0 +1,856 @@
# 🏗️ Service Architecture
## Overview
This document shows how the 157+ Docker services (plus Olares K8s) interact, their dependencies, and the data flows between them.
---
## 🎬 Media Stack Architecture (Mermaid)
```mermaid
graph TB
subgraph Internet["☁️ Internet Sources"]
USENET["Usenet<br/>Providers"]
TORRENT["Torrent<br/>Trackers"]
INDEXERS["Indexers<br/>(NZB/Torrent)"]
end
subgraph Acquisition["📥 Content Acquisition (Atlantis)"]
PROWLARR["Prowlarr<br/>Indexer Manager"]
SONARR["Sonarr<br/>TV Shows"]
RADARR["Radarr<br/>Movies"]
LIDARR["Lidarr<br/>Music"]
READARR["Readarr<br/>Books"]
WHISPARR["Whisparr<br/>Adult"]
BAZARR["Bazarr<br/>Subtitles"]
SAB["SABnzbd<br/>Usenet Client"]
DELUGE["Deluge<br/>Torrent Client<br/>(via Gluetun VPN)"]
end
subgraph Storage["💾 Storage (Atlantis NAS)"]
MEDIA_TV["/volume1/media/tv"]
MEDIA_MOV["/volume1/media/movies"]
MEDIA_MUS["/volume1/media/music"]
MEDIA_BOOK["/volume1/media/books"]
end
subgraph Streaming["📺 Media Streaming"]
PLEX["Plex<br/>Media Server"]
JELLYFIN["Jellyfin<br/>Media Server"]
TAUTULLI["Tautulli<br/>Plex Analytics"]
end
subgraph Clients["📱 Client Devices"]
TV["Smart TVs"]
PHONE["Phones/Tablets"]
WEB["Web Browsers"]
APPS["Desktop Apps"]
end
%% Acquisition flow
INDEXERS --> PROWLARR
PROWLARR --> SONARR & RADARR & LIDARR & READARR & WHISPARR
SONARR --> SAB & DELUGE
RADARR --> SAB & DELUGE
LIDARR --> SAB & DELUGE
READARR --> SAB & DELUGE
WHISPARR --> SAB & DELUGE
USENET --> SAB
TORRENT --> DELUGE
%% Storage flow
SAB --> MEDIA_TV & MEDIA_MOV & MEDIA_MUS & MEDIA_BOOK
DELUGE --> MEDIA_TV & MEDIA_MOV & MEDIA_MUS & MEDIA_BOOK
BAZARR --> MEDIA_TV & MEDIA_MOV
%% Streaming flow
MEDIA_TV & MEDIA_MOV --> PLEX & JELLYFIN
PLEX --> TAUTULLI
%% Client access
PLEX & JELLYFIN --> TV & PHONE & WEB & APPS
classDef acquisition fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef storage fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef streaming fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef client fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
class PROWLARR,SONARR,RADARR,LIDARR,READARR,WHISPARR,BAZARR,SAB,DELUGE acquisition
class MEDIA_TV,MEDIA_MOV,MEDIA_MUS,MEDIA_BOOK storage
class PLEX,JELLYFIN,TAUTULLI streaming
class TV,PHONE,WEB,APPS client
```
---
## 📊 Monitoring Stack Architecture
```mermaid
graph TB
subgraph Targets["🎯 Monitored Targets"]
subgraph Synology["Synology NAS"]
ATL_SNMP["Atlantis<br/>SNMP"]
CAL_SNMP["Calypso<br/>SNMP"]
SET_SNMP["Setillo<br/>SNMP"]
end
subgraph Hosts["Linux Hosts"]
NODE1["Homelab VM<br/>node_exporter"]
NODE2["Guava<br/>node_exporter"]
NODE3["Anubis<br/>node_exporter"]
end
subgraph Containers["Containers"]
CADV["cAdvisor<br/>Container Metrics"]
end
subgraph Network["Network"]
BLACK["Blackbox Exporter<br/>HTTP/ICMP Probes"]
end
end
subgraph Collection["📥 Metric Collection (Homelab VM)"]
PROM["Prometheus<br/>Time Series DB"]
SNMP_EXP["SNMP Exporter"]
end
subgraph Visualization["📈 Visualization"]
GRAFANA["Grafana<br/>Dashboards"]
end
subgraph Alerting["🚨 Alerting"]
ALERTMGR["Alertmanager"]
NTFY["ntfy<br/>Push Notifications"]
UPTIME["Uptime Kuma<br/>Status Page"]
end
%% Collection
ATL_SNMP & CAL_SNMP & SET_SNMP --> SNMP_EXP
SNMP_EXP --> PROM
NODE1 & NODE2 & NODE3 --> PROM
CADV --> PROM
BLACK --> PROM
%% Visualization
PROM --> GRAFANA
PROM --> ALERTMGR
ALERTMGR --> NTFY
%% Uptime Kuma separate
BLACK -.-> UPTIME
classDef target fill:#e67e22,stroke:#333,stroke-width:2px,color:#fff
classDef collection fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef viz fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef alert fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
class ATL_SNMP,CAL_SNMP,SET_SNMP,NODE1,NODE2,NODE3,CADV,BLACK target
class PROM,SNMP_EXP collection
class GRAFANA viz
class ALERTMGR,NTFY,UPTIME alert
```
---
## 🔐 Authentication & Security Stack
### Complete Authentication Architecture
```mermaid
graph TB
subgraph External["🌐 External Access"]
USERS["👤 Users"]
CLOUDFLARE["☁️ Cloudflare<br/>DNS/WAF/DDoS"]
end
subgraph Gateway["🚪 Gateway Layer (matrix-ubuntu)"]
NPM["🔀 Nginx Proxy Manager<br/>matrix-ubuntu :81/:443<br/>Reverse Proxy + SSL"]
CFT["🚇 Cloudflare Tunnel<br/>Zero Trust Access"]
end
subgraph AuthLayer["🔐 Authentication Layer (Calypso)"]
AUTH_SRV["🔐 Authentik Server<br/>:9000"]
AUTH_PROXY["🛡️ Authentik Outpost<br/>:9444<br/>Forward Auth Proxy"]
AUTH_WRK["⚙️ Authentik Worker"]
AUTH_DB["🐘 PostgreSQL"]
AUTH_RED["🔴 Redis"]
end
subgraph VPN["🔒 VPN Layer"]
WIREGUARD["🔒 Wireguard<br/>Atlantis :51820"]
TAILSCALE["🔷 Tailscale<br/>100.x.x.x"]
HEADSCALE["🌐 Headscale<br/>Calypso :8080"]
end
subgraph DNS["🌐 DNS & Ad Blocking"]
ADGUARD1["🛡️ AdGuard<br/>Calypso :53"]
ADGUARD2["🛡️ AdGuard<br/>Atlantis :53"]
ADGUARD3["🛡️ AdGuard<br/>NUC :53"]
end
subgraph SecVault["🔑 Secrets Management"]
VAULT["🔑 Vaultwarden<br/>vault.vish.gg"]
end
subgraph ProtectedServices["🛡️ Protected Services"]
GRAFANA["📊 Grafana"]
PAPERLESS["📄 Paperless"]
IMMICH["📸 Immich"]
ACTUAL["💰 Actual Budget"]
GITEA["🔧 Gitea"]
NETBOX["🔌 NetBox"]
HOMARR["🏠 Homarr"]
RXRESUME["📝 Reactive Resume"]
HEADPLANE["🌐 Headplane"]
end
subgraph PublicServices["🌍 Public/Self-Auth Services"]
PLEX["📺 Plex"]
SEAFILE["☁️ Seafile"]
OST["🚀 OpenSpeedTest"]
NTFY["📣 ntfy"]
end
%% External flow
USERS --> CLOUDFLARE
CLOUDFLARE --> NPM
CLOUDFLARE --> CFT
USERS --> TAILSCALE
%% NPM to Auth
NPM -->|"Forward Auth<br/>Header Check"| AUTH_PROXY
AUTH_PROXY -->|"Validate Session"| AUTH_SRV
%% Auth internal
AUTH_SRV --> AUTH_DB
AUTH_SRV --> AUTH_RED
AUTH_WRK --> AUTH_DB
AUTH_WRK --> AUTH_RED
%% Protected services via NPM + Auth
NPM -->|"✓ Authenticated"| ProtectedServices
%% Public services direct
NPM --> PublicServices
%% VPN access
TAILSCALE --> HEADSCALE
WIREGUARD --> ProtectedServices
TAILSCALE --> ProtectedServices
%% DNS
ADGUARD1 -.-> ProtectedServices
ADGUARD2 -.-> PublicServices
classDef external fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef gateway fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
classDef auth fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef dns fill:#1abc9c,stroke:#333,stroke-width:2px,color:#fff
classDef protected fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef public fill:#27ae60,stroke:#333,stroke-width:2px,color:#fff
class USERS,CLOUDFLARE external
class NPM,CFT gateway
class AUTH_SRV,AUTH_PROXY,AUTH_WRK,AUTH_DB,AUTH_RED,VAULT auth
class ADGUARD1,ADGUARD2,ADGUARD3 dns
class GRAFANA,PAPERLESS,IMMICH,ACTUAL,GITEA,NETBOX,HOMARR,RXRESUME,HEADPLANE protected
class PLEX,SEAFILE,OST,NTFY public
```
---
### Authentik SSO Flow (Detailed)
```mermaid
sequenceDiagram
autonumber
participant U as 👤 User
participant CF as ☁️ Cloudflare
participant NPM as 🔀 NPM (matrix-ubuntu)
participant OUT as 🛡️ Outpost (Calypso)
participant AUTH as 🔐 Authentik (Calypso)
participant APP as 📱 Application
U->>CF: Request app.vish.gg
CF->>NPM: Forward (HTTPS)
NPM->>OUT: Forward Auth Request<br/>(/outpost.goauthentik.io/auth/nginx)
alt No Valid Session
OUT->>AUTH: Check Session
AUTH-->>OUT: No Session
OUT-->>NPM: 401 Unauthorized
NPM-->>U: Redirect to sso.vish.gg/flows/default-authentication/
U->>AUTH: Login Page
U->>AUTH: Submit Credentials + 2FA
AUTH->>AUTH: Validate
AUTH-->>U: Set Cookie + Redirect to app
U->>NPM: Retry with Session Cookie
NPM->>OUT: Forward Auth (with cookie)
end
OUT->>AUTH: Validate Session
AUTH-->>OUT: Valid ✓
OUT-->>NPM: 200 OK + Headers<br/>(X-authentik-username, X-authentik-email)
NPM->>APP: Proxy Request (with auth headers)
APP-->>U: Response
```
---
### NPM Proxy Host Configuration
```mermaid
graph TB
subgraph NPM["🔀 Nginx Proxy Manager (matrix-ubuntu :81)"]
subgraph ProxyHosts["Proxy Hosts"]
PH1["sso.vish.gg → Calypso:9000"]
PH2["git.vish.gg → Calypso:3052"]
PH3["gf.vish.gg → homelab-vm:3300"]
PH4["nb.vish.gg → homelab-vm:8443"]
PH5["ntfy.vish.gg → homelab-vm:8081"]
PH6["dash.vish.gg → Atlantis:7575"]
PH7["paperless.vish.gg → Calypso:8777"]
PH8["rx.vish.gg → Calypso:4550"]
PH9["actual.vish.gg → Calypso:8304"]
PH10["kuma.vish.gg → RPi5:3001"]
end
subgraph SSL["SSL Certificates"]
WILD["*.vish.gg<br/>Cloudflare DNS Challenge"]
end
subgraph AccessControl["Access Control"]
AUTH_LOC["Authentik Forward Auth<br/>Location: /outpost.goauthentik.io"]
end
end
subgraph Services["Backend Services"]
direction LR
S1["Authentik"]
S2["Gitea"]
S3["Grafana"]
S4["NetBox"]
S5["ntfy"]
S6["Homarr"]
S7["Paperless"]
S8["Reactive Resume"]
S9["Actual"]
S10["Uptime Kuma"]
end
PH1 --> S1
PH2 --> S2
PH3 --> S3
PH4 --> S4
PH5 --> S5
PH6 --> S6
PH7 --> S7
PH8 --> S8
PH9 --> S9
PH10 --> S10
```
---
### Services Protected by Authentik
| Domain | Service | Host | Auth Type | Notes |
|--------|---------|------|-----------|-------|
| `sso.vish.gg` | Authentik | Calypso | - | Identity Provider |
| `git.vish.gg` | Gitea | Calypso | OAuth2/OIDC | Source Control |
| `gf.vish.gg` | Grafana | Homelab VM | OAuth2/OIDC | Monitoring |
| `nb.vish.gg` | NetBox | Homelab VM | OAuth2/OIDC | DCIM/IPAM |
| `dash.vish.gg` | Homarr | Atlantis | OAuth2/OIDC | Dashboard |
| `rx.vish.gg` | Reactive Resume | Calypso | OAuth2/OIDC | Resume Builder |
| `immich` | Immich | Calypso | OAuth2/OIDC | Photos |
| `headscale.vish.gg/admin` | Headplane | Calypso | OAuth2/OIDC | VPN Admin |
| `paperless.vish.gg` | Paperless-NGX | Calypso | Forward Auth | Documents |
| `actual.vish.gg` | Actual Budget | Calypso | Forward Auth | Finance |
### Services NOT Protected (Public/Self-Auth)
| Domain | Service | Host | Reason |
|--------|---------|------|--------|
| `plex.vish.gg` | Plex | Atlantis | Has Plex Auth |
| `sf.vish.gg` | Seafile | Calypso | Has built-in auth + share links |
| `ntfy.vish.gg` | ntfy | Homelab | Has built-in auth + public topics |
| `ost.vish.gg` | OpenSpeedTest | Calypso | Public utility |
---
### Authentik Forward Auth Setup (NPM)
To protect a service with Authentik Forward Auth in NPM:
1. **Create Provider in Authentik**:
- Type: Proxy Provider
- External Host: `https://app.vish.gg`
- Mode: Forward auth (single application)
2. **Create Application in Authentik**:
- Link to the provider
- Set policies for access control
3. **Create Outpost in Authentik**:
- Type: Proxy
- Include the application
4. **Configure NPM Proxy Host**:
```nginx
# Custom Nginx Configuration (Advanced tab)
# Authentik Forward Auth
location /outpost.goauthentik.io {
proxy_pass http://calypso.vish.local:9444/outpost.goauthentik.io;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location / {
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# Forward auth headers to application
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-email $authentik_email;
proxy_pass http://backend;
}
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
```
---
## 📝 ASCII Service Distribution by Host
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ SERVICE DISTRIBUTION BY HOST ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏛️ ATLANTIS (51 Containers) - Media & Communication Hub │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 📺 Media 🔐 Security 🛠️ Infrastructure │
│ ───────────── ───────────── ───────────────── │
│ • Plex • Vaultwarden • Portainer │
│ • Jellyfin • Wireguard • DokuWiki │
│ • Immich • Dozzle │
│ • Tautulli • Watchtower │
│ • Homarr (dash) • IT-Tools │
│ • AdGuard Home (backup DNS) │
│ │
│ 💬 Communication 📝 Productivity 🎮 Other │
│ ───────────── ───────────── ───────────── │
│ • Matrix Synapse • Documenso • Stirling PDF │
│ • Mastodon • Joplin Server • YouTube DL │
│ • Mattermost │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏢 CALYPSO (54 Containers) - Auth, Proxy, Arr Suite & Development │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 🔐 Auth 📥 Arr Suite 💻 Development 📦 Infrastructure │
│ ───────────── ───────────── ───────────── ───────────── │
│ • Authentik • Sonarr • Gitea • Headscale │
│ • Authentik Outpost • Radarr • Reactive Resume • AdGuard Home │
│ • Lidarr • Seafile • Portainer Agent │
│ • Readarr • Wireguard │
│ 💰 Finance • Prowlarr 📝 Productivity │
│ ───────────── • SABnzbd ───────────── │
│ • Actual Budget • Deluge (Gluetun) • Paperless-NGX │
│ • Bazarr • Rustdesk │
│ • Whisparr │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 💻 HOMELAB VM (30 Containers) - Monitoring, Tools & Privacy │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 📊 Monitoring 🔔 Notifications 🔌 DCIM 🔧 Utilities │
│ ───────────── ───────────── ───────────── ───────────── │
│ • Grafana • ntfy • NetBox • Archivebox │
│ • Prometheus • Signal-API • Hoarder │
│ • Alertmanager 🔒 Privacy • Perplexica │
│ • SNMP Exporter 🤖 AI/Dev ───────────── • OpenHands │
│ • node_exporter ───────────── • Redlib │
│ • OpenHands • Binternet │
│ • Perplexica • ProxiTok │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🌐 CONCORD NUC (19 Containers) - Home Automation & Edge │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 🏠 Home Automation 📺 Media 🎵 Music 🔧 Network │
│ ───────────── ───────────── ───────────── ───────────── │
│ • Home Assistant • Plex • Your-Spotify • AdGuard Home │
│ • Matter Server • Invidious • Wireguard │
│ • Whisper (STT) │
│ • Piper (TTS) │
│ • OpenWakeWord │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🍓 RPi 5 (3 Containers) - Monitoring │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 📊 Monitoring │
│ ───────────── │
│ • Uptime Kuma │
│ • Glances │
│ • Portainer Agent │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🤖 OLARES - K8s Node (Core Ultra 9 275HX, RTX 5090, 96GB) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 🧠 AI/ML (Kubernetes, not Docker) │
│ ───────────────────────────────── │
│ • Ollama (LLM serving) │
│ • vLLM (high-throughput inference) │
│ • OpenClaw (robotics foundation model) │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🌵 SETILLO (4 Services) - Tucson Remote │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 📊 Monitoring 🌐 DNS │
│ ───────────── ───────────── │
│ • Prometheus • AdGuard Home │
│ • SNMP Exporter • Syncthing │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ SERVICE COUNT SUMMARY ║
║ ═════════════════════ ║
║ Atlantis: 59 containers │ Calypso: 61 containers ║
║ Homelab VM: 38 containers │ Concord NUC: 19 containers ║
║ RPi 5: 6 containers │ matrix-ubuntu: 12+ containers (NPM, Matrix) ║
║ Olares: K8s (~60 pods, not Portainer) ║
║ ──────────────────────────────────────────────────────────────────────────────────────║
║ TOTAL: ~195 containers across 5 Portainer endpoints + matrix-ubuntu + Olares ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - How hosts connect
- [Storage Topology](storage-topology.md) - Where data lives
- [Tailscale Mesh](tailscale-mesh.md) - Cross-location access
---
## 💬 Communication Stack Architecture
```mermaid
graph TB
subgraph Internet["☁️ Internet / Federation"]
FEDI["Fediverse<br/>(ActivityPub)"]
MATRIX_FED["Matrix<br/>Federation"]
WEBRTC["WebRTC<br/>Voice/Video"]
end
subgraph Cloudflare["🛡️ Cloudflare"]
CF_PROXY["Cloudflare<br/>Proxy/WAF"]
CF_TUNNEL["Cloudflare<br/>Tunnel"]
end
subgraph MatrixUbuntuVM["🐧 Matrix-Ubuntu VM (Atlantis)"]
subgraph Mastodon["🐘 Mastodon Stack"]
MASTO_WEB["Mastodon Web<br/>:3000"]
MASTO_STREAM["Mastodon Streaming<br/>:4000"]
MASTO_SIDEKIQ["Sidekiq<br/>Background Jobs"]
end
subgraph Matrix["🔐 Matrix Stack"]
SYNAPSE["Synapse<br/>:8008 / :8018"]
ELEMENT["Element Web<br/>Client"]
COTURN["Coturn<br/>TURN Server<br/>:3478"]
end
subgraph Mattermost["💬 Mattermost"]
MM_APP["Mattermost<br/>:8065"]
end
subgraph SharedDB["🗄️ Shared Services"]
POSTGRES["PostgreSQL<br/>:5432"]
REDIS["Redis<br/>:6379"]
end
NPM_VM["NPM<br/>Reverse Proxy<br/>(host nginx disabled)"]
end
subgraph Atlantis["🏛️ Atlantis NAS"]
subgraph JitsiStack["📹 Jitsi Meet"]
JITSI_WEB["Jitsi Web"]
JITSI_JVB["Jitsi Video Bridge"]
JITSI_PROSODY["Prosody XMPP"]
end
subgraph Vaultwarden["🔑 Vaultwarden"]
VW["Vaultwarden<br/>Password Manager"]
end
subgraph Joplin["📝 Joplin"]
JOPLIN_SRV["Joplin Server"]
end
end
subgraph Clients["📱 Clients"]
BROWSER["Web Browsers"]
MOBILE["Mobile Apps"]
DESKTOP["Desktop Apps"]
end
%% External connections
FEDI <--> CF_PROXY
MATRIX_FED <--> CF_PROXY
WEBRTC <--> COTURN
%% Cloudflare to services
CF_PROXY --> NPM_VM
CF_TUNNEL --> NPM_VM
%% NPM routing (host nginx disabled, NPM handles all)
NPM_VM --> MASTO_WEB & MASTO_STREAM
NPM_VM --> SYNAPSE & ELEMENT
NPM_VM --> MM_APP
%% Database connections
MASTO_WEB & MASTO_SIDEKIQ --> POSTGRES & REDIS
SYNAPSE --> POSTGRES
MM_APP --> POSTGRES
%% Client access
BROWSER & MOBILE & DESKTOP --> CF_PROXY
BROWSER & MOBILE & DESKTOP --> JITSI_WEB
BROWSER & MOBILE & DESKTOP --> VW
BROWSER & MOBILE & DESKTOP --> JOPLIN_SRV
classDef mastodon fill:#6364FF,stroke:#333,stroke-width:2px,color:#fff
classDef matrix fill:#0DBD8B,stroke:#333,stroke-width:2px,color:#fff
classDef mattermost fill:#0058CC,stroke:#333,stroke-width:2px,color:#fff
classDef infra fill:#e67e22,stroke:#333,stroke-width:2px,color:#fff
class MASTO_WEB,MASTO_STREAM,MASTO_SIDEKIQ mastodon
class SYNAPSE,ELEMENT,COTURN matrix
class MM_APP mattermost
class POSTGRES,REDIS,NPM_VM infra
```
### Communication Services Summary
| Service | Domain | Protocol | Purpose |
|---------|--------|----------|---------|
| **Mastodon** | mastodon.vish.gg | ActivityPub | Fediverse microblogging |
| **Matrix (Primary)** | mx.vish.gg | Matrix | Federated chat |
| **Matrix (Legacy)** | matrix.thevish.io | Matrix | Legacy homeserver |
| **Mattermost** | mm.crista.love | Proprietary | Team collaboration |
| **Jitsi Meet** | meet.vish.gg | WebRTC | Video conferencing |
| **Joplin** | joplin.vish.gg | Joplin Sync | Note synchronization |
| **Vaultwarden** | vault.vish.gg | Bitwarden | Password management |
### Deployment Scripts
| Script | Location | Description |
|--------|----------|-------------|
| Mastodon Install | [mastodon-production/](../mastodon-production/) | Bare metal & Docker deployment |
| Matrix Install | [matrix-element/](../matrix-element/) | Synapse + Element + TURN |
| Mattermost Install | [mattermost-production/](../mattermost-production/) | Docker deployment |
| VM Config | [matrix-ubuntu-vm/](../matrix-ubuntu-vm/) | Complete VM configuration |
---
## 🔄 CI/CD Pipeline Architecture
### Git Repository Mirroring
The homelab repository uses Gitea Actions for automated CI/CD, including sanitized public mirroring.
```mermaid
graph LR
subgraph Development["💻 Development"]
DEV["Developer<br/>Pushes Code"]
end
subgraph Gitea["🔧 Gitea (Calypso)"]
PRIVATE["🔒 Private Repo<br/>homelab"]
PUBLIC["🌐 Public Repo<br/>homelab-optimized"]
RUNNER["🏃 Gitea Runners<br/>(homelab, calypso, pi5)"]
end
subgraph Workflow["⚙️ CI/CD Workflow"]
CHECKOUT["📥 Checkout Code"]
SANITIZE["🧹 Sanitize<br/>Remove Secrets"]
PUSH["📤 Force Push<br/>Fresh History"]
end
subgraph Deployment["🚀 Deployment"]
ANSIBLE["📋 Ansible<br/>Multi-host"]
PORTAINER["🐳 Portainer<br/>5 Endpoints"]
end
DEV -->|"git push"| PRIVATE
PRIVATE -->|"Triggers"| RUNNER
RUNNER --> CHECKOUT
CHECKOUT --> SANITIZE
SANITIZE --> PUSH
PUSH --> PUBLIC
PRIVATE --> ANSIBLE
ANSIBLE --> PORTAINER
```
### Sanitization Process
The sanitization script removes sensitive data before public mirroring:
| Removed | Pattern | Example |
|---------|---------|---------|
| Passwords | `password:`, `PASS=` | `password: "REDACTED_PASSWORD" |
| API Keys | `api_key:`, `API_KEY=` | `api_key: REDACTED_API_KEY` |
| Tokens | `token:`, `TOKEN=` | `token: REDACTED_TOKEN` |
| Secrets | `secret:`, `SECRET=` | `secret: REDACTED_SECRET` |
| Private Keys | `-----BEGIN.*KEY-----` | File removed |
| SSH Keys | `id_rsa`, `id_ed25519` | File removed |
| Personal Emails | `*@gmail.com`, `*@*.com` | `REDACTED_EMAIL@example.com` |
| JWT Secrets | `JWT_SECRET=` | `JWT_SECRET=REDACTED` |
### Gitea Runner Setup
```mermaid
graph TB
subgraph Calypso["🌊 Calypso (DS723+)"]
GITEA["🔧 Gitea Server<br/>:3052"]
RUNNER_CAL["🏃 Runner (calypso)"]
end
subgraph HomelabVM["💻 Homelab VM"]
RUNNER_HLB["🏃 Runner (homelab)"]
end
subgraph Pi5["🍓 RPi 5"]
RUNNER_PI["🏃 Runner (pi5)"]
end
GITEA -->|"Workflow Dispatch"| RUNNER_CAL
GITEA -->|"Workflow Dispatch"| RUNNER_HLB
GITEA -->|"Workflow Dispatch"| RUNNER_PI
```
**Runner Configuration:**
- Runner binary: `act_runner` v0.2.6, systemd service (not Docker container)
- Labels: `ubuntu-latest`, `linux`, `python` (all 3 runners)
- Runners: homelab (VM), calypso, pi5
- Trigger: Push to main branch
### Ansible Automation
```mermaid
graph TB
subgraph Control["📋 Ansible Control"]
SITE["site.yml<br/>Master Playbook"]
INV["inventory.yml<br/>13 Hosts"]
ROLES["Roles<br/>docker_stack, directory_setup"]
end
subgraph Hosts["🖥️ Target Hosts"]
SYN["Synology<br/>Atlantis, Calypso, Setillo"]
VMS["VMs<br/>Homelab, matrix-ubuntu"]
PHYS["Physical<br/>Guava, NUC, Shinku-Ryuu"]
EDGE["Edge<br/>RPi5, Jellyfish"]
CLOUD["Cloud<br/>Seattle VPS"]
end
SITE --> INV
INV --> SYN
INV --> VMS
INV --> PHYS
INV --> EDGE
INV --> CLOUD
```
**Ansible Commands:**
```bash
# Deploy everything
ansible-playbook site.yml
# Deploy to specific host
ansible-playbook site.yml --limit atlantis
# Deploy by category
ansible-playbook site.yml --tags synology
# Check status
ansible-playbook playbooks/common/status.yml
```
---
## 🧠 AI/ML Stack Architecture
```mermaid
graph TB
subgraph Olares["🤖 Olares K8s Node (Core Ultra 9 275HX, RTX 5090, 96GB)"]
OLLAMA["🦙 Ollama<br/>LLM Serving<br/>Local Models"]
VLLM["⚡ vLLM<br/>High-Throughput<br/>Inference Engine"]
OPENCLAW["🤖 OpenClaw<br/>Robotics Foundation<br/>Model"]
end
subgraph Clients["📱 AI Consumers"]
ANYTHINGLLM["💬 AnythingLLM<br/>RAG Chat"]
OPENWEBUI["🌐 Open WebUI"]
API_CLIENTS["🔧 API Clients"]
end
OLLAMA -->|"OpenAI-compatible API"| Clients
VLLM -->|"OpenAI-compatible API"| Clients
classDef ai fill:#8e44ad,stroke:#333,stroke-width:2px,color:#fff
classDef client fill:#2980b9,stroke:#333,stroke-width:2px,color:#fff
class OLLAMA,VLLM,OPENCLAW ai
class ANYTHINGLLM,OPENWEBUI,API_CLIENTS client
```
### AI/ML Services Summary
| Service | Host | Type | Purpose |
|---------|------|------|---------|
| **Ollama** | Olares (K8s) | LLM Server | Local model serving (Llama, Mistral, etc.) |
| **vLLM** | Olares (K8s) | Inference Engine | High-throughput batched inference |
| **OpenClaw** | Olares (K8s) | Foundation Model | Robotics/manipulation research |
| **AnythingLLM** | Homelab VM | RAG Client | Document Q&A with local LLMs |
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - How hosts connect
- [Storage Topology](storage-topology.md) - Where data lives
- [Tailscale Mesh](tailscale-mesh.md) - Cross-location access
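Review bot: `proxy_pass http://backend;` in the `location /` block of the NPM forward-auth snippet points at an upstream named `backend` that nothing in the Advanced-tab context defines, so nginx will refuse the configuration unless a host literally named `backend` resolves; NPM sets `$forward_scheme`, `$server` and `$port` from the proxy host's forward settings, so `proxy_pass $forward_scheme://$server:$port;` is what belongs there. The same snippet has the application trust `X-authentik-username` and `X-authentik-email` purely because NPM set them, which only holds while the backend is reachable through NPM alone; the proxy-host diagram publishes direct targets such as `Calypso:8777` and `Calypso:8304` for the two Forward Auth services (Paperless, Actual Budget), and the document says nothing about how direct LAN access to those ports is restricted, so a sentence on that (firewall rule, bind address, or an allow-list in the app) would close the gap. Two consistency points: the SSO sequence diagram redirects an unauthenticated user to `sso.vish.gg/flows/default-authentication/`, while the nginx snippet redirects to `/outpost.goauthentik.io/start?rd=$request_uri`; and the per-host container counts in the ASCII boxes (Atlantis 51, Calypso 54, Homelab VM 30, RPi 5 3) disagree with the SERVICE COUNT SUMMARY (59, 61, 38, 6). In the sanitization table the `password:` example row is missing its closing backtick, and the `*@*.com` email pattern will also rewrite non-personal addresses in configs (vendor or noreply addresses, for instance) to `REDACTED_EMAIL@example.com`, which is worth either stating as intended or narrowing. Finally, the "🔗 Related Diagrams" section appears twice in this file.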

View File

@@ -0,0 +1,462 @@
# 💾 Storage Topology
## Overview
This document details the storage architecture across the NAS cluster, including capacity, RAID configurations, and backup flows.
---
## 📊 Storage Overview (Mermaid)
```mermaid
graph TB
subgraph Concord["🏠 Concord, CA - Primary Storage"]
subgraph Atlantis["🏛️ Atlantis (DS1823xs+)"]
ATL_VOL1["Volume 1 (Encrypted)<br/>128TB Raw / 84TB Usable<br/>8x 16TB IronWolf Pro<br/>RAID 6 - 31TB Used (37%)"]
ATL_VOL2["Volume 2 (NVMe RAID 1)<br/>885GB - 176GB Used<br/>2x NVMe via PCIe E10M20-T1"]
ATL_CACHE["R/W Cache<br/>2x WD Black SN750 SE 500GB<br/>(built-in M.2 slots)"]
ATL_DOCKER["/volume1/docker<br/>Container Data"]
ATL_MEDIA["/volume1/media<br/>Movies, TV, Music"]
ATL_PHOTOS["/volume2/photo<br/>Synology Photos"]
ATL_DOCS["/volume1/documents<br/>Paperless-NGX"]
ATL_BACKUP["/volume1/backups<br/>System Backups"]
end
subgraph Calypso["🏢 Calypso (DS723+)"]
CAL_VOL1["Volume 1 (Encrypted)<br/>24TB Raw / 11TB Usable<br/>2x 12TB IronWolf Pro<br/>RAID 1 - 4.5TB Used (43%)"]
CAL_CACHE["NVMe Cache<br/>2x 500GB Crucial P3 Plus<br/>RAID 1"]
CAL_DOCKER["/volume1/docker<br/>Container Data"]
CAL_DATA["/volume1/data<br/>Dev Files"]
CAL_BACKUP["/volume1/backups<br/>Atlantis Backups"]
end
subgraph Guava["💻 Guava (TrueNAS Scale)"]
GUA_BOOT["boot-pool<br/>464GB NVMe (WD Black SN770)<br/>433GB Avail"]
GUA_DATA["data (ZFS Mirror)<br/>2x 4TB WD Blue SA510 SATA<br/>3.62TB total, 1.53TB Avail<br/>1.69x Dedup, 57% used"]
GUA_JELLY["/mnt/data/jellyfin<br/>204GB Media"]
GUA_PHOTOS["/mnt/data/photos<br/>159GB Photos"]
GUA_LLAMA["/mnt/data/llama<br/>64GB LLM Models"]
GUA_TURQUOISE["/mnt/data/guava_turquoise<br/>3.0TB Personal Data"]
GUA_NFS["/mnt/atlantis_media<br/>NFS from Atlantis (84TB)"]
end
end
subgraph Tucson["🌵 Tucson, AZ - Remote Storage"]
subgraph Setillo["🏛️ Setillo (DS223j)"]
SET_VOL1["Volume 1<br/>20TB Raw / 8.9TB Usable<br/>2x 10TB WD Gold<br/>RAID 1 - 4.0TB Used (46%)"]
SET_DOCKER["/volume1/docker<br/>Container Data"]
SET_SYNC["/volume1/syncthing<br/>Syncthing Replication"]
SET_BACKUP["/volume1/backups<br/>Remote Backup Destination"]
SET_PLEX["/volume1/PlexMediaServer<br/>Plex Media"]
SET_SURV["/volume1/surveillance<br/>Surveillance Station"]
SET_NET["/volume1/NetBackup<br/>Network Backup Storage"]
end
end
subgraph Cloud["☁️ Backblaze B2 (Cloud Backup)"]
B2_ATL["vk-atlantis Bucket<br/>Weekly (Sun 00:00)<br/>Encrypted + Versioned"]
B2_CAL["vk-concord-1 Bucket<br/>Daily (00:00)<br/>Encrypted + Versioned"]
end
%% Backup flows
ATL_MEDIA -->|"Hyper Backup<br/>(Weekly)"| CAL_BACKUP
ATL_PHOTOS -->|"Hyper Backup<br/>(Daily)"| CAL_BACKUP
ATL_DOCS -->|"Hyper Backup<br/>(Daily)"| CAL_BACKUP
ATL_DOCKER -->|"Syncthing<br/>(Real-time)"| SET_SYNC
CAL_DOCKER -->|"Syncthing<br/>(Real-time)"| SET_SYNC
%% Cloud backup flows
ATL_MEDIA -->|"HyperBackup<br/>S3 (Weekly)"| B2_ATL
ATL_PHOTOS -->|"HyperBackup<br/>S3 (Weekly)"| B2_ATL
CAL_DOCKER -->|"HyperBackup<br/>S3 (Daily)"| B2_CAL
%% Cache acceleration
ATL_CACHE -.->|"Accelerates"| ATL_VOL1
CAL_CACHE -.->|"Accelerates"| CAL_VOL1
classDef primary fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef secondary fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef remote fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef cache fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
classDef folder fill:#ecf0f1,stroke:#333,stroke-width:1px,color:#333
class ATL_VOL1 primary
class CAL_VOL1 secondary
class SET_VOL1 remote
class ATL_CACHE,CAL_CACHE cache
class ATL_DOCKER,ATL_MEDIA,ATL_PHOTOS,ATL_DOCS,ATL_BACKUP,CAL_DOCKER,CAL_APT,CAL_BACKUP,SET_SYNC folder
```
---
## 📝 ASCII Storage Layout
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ STORAGE TOPOLOGY ║
║ 3 NAS Units • 152TB Raw • Cross-Location Backup ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏛️ ATLANTIS - Primary Storage (Concord, CA) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ Model: Synology DS1823xs+ (8-Bay Enterprise) │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ STORAGE POOL 1 │ │
│ │ ═══════════════ │ │
│ │ │ │
│ │ Drive Configuration: │ │
│ │ ┌──────┬──────┬──────┬──────┬──────┬──────┬──────┬──────┐ │ │
│ │ │ Bay1 │ Bay2 │ Bay3 │ Bay4 │ Bay5 │ Bay6 │ Bay7 │ Bay8 │ │ │
│ │ │ 16TB │ 16TB │ 16TB │ 16TB │ 16TB │ 16TB │ 16TB │ 16TB │ │ │
│ │ │IronWf│IronWf│IronWf│IronWf│IronWf│IronWf│IronWf│IronWf│ │ │
│ │ │ Pro │ Pro │ Pro │ Pro │ Pro │ Pro │ Pro │ Pro │ │ │
│ │ └──────┴──────┴──────┴──────┴──────┴──────┴──────┴──────┘ │ │
│ │ │ │
│ │ Raw Capacity: 128 TB │ │
│ │ RAID Type: RAID 6 (2-drive fault tolerance) │ │
│ │ Usable: ~96 TB │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ NVMe DRIVES (4x NVMe total) │ │
│ │ ═══════════════════════════ │ │
│ │ │ │
│ │ Built-in M.2 Slots (R/W Cache for Volume 1): │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ M.2 Slot 1 │ │ M.2 Slot 2 │ │ │
│ │ │ WD Black SN750 │ │ WD Black SN750 │ │ │
│ │ │ SE 500GB NVMe │ │ SE 500GB NVMe │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ Cache Type: Read-Write Cache Hit: ~99% │ │
│ │ │ │
│ │ PCIe E10M20-T1 Expansion (Volume 2 — RAID 1): │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ PCIe NVMe 1 │ │ PCIe NVMe 2 │ │ │
│ │ │ 885GB RAID 1 │ │ (mirror) │ │ │
│ │ │ Photos/metadata │ │ │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ Volume 2: 885GB total, 176GB used (20%) │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ FOLDER STRUCTURE │ │
│ │ ════════════════ │ │
│ │ │ │
│ │ /volume1/ │ │
│ │ ├── docker/ (~2 TB) Container persistent data │ │
│ │ │ ├── plex/ Plex metadata & transcodes │ │
│ │ │ ├── immich/ Photo library database │ │
│ │ │ ├── paperless/ Document database │ │
│ │ │ ├── grafana/ Dashboards & config │ │
│ │ │ ├── prometheus/ Metrics database │ │
│ │ │ └── ... (50+ services) │ │
│ │ │ │ │
│ │ ├── media/ (~60 TB) Media library │ │
│ │ │ ├── movies/ 4K & HD movies │ │
│ │ │ ├── tv/ TV series │ │
│ │ │ ├── music/ Music library │ │
│ │ │ └── books/ eBooks & audiobooks │ │
│ │ │ │ │
│ │ ├── photos/ (~5 TB) Immich photo library │ │
│ │ │ ├── library/ Original photos │ │
│ │ │ ├── thumbs/ Thumbnails │ │
│ │ │ └── encoded/ Transcoded videos │ │
│ │ │ │ │
│ │ ├── documents/ (~500 GB) Paperless-NGX documents │ │
│ │ │ ├── consume/ Incoming documents │ │
│ │ │ ├── archive/ Processed documents │ │
│ │ │ └── export/ Exported documents │ │
│ │ │ │ │
│ │ ├── backups/ (~10 TB) Local backup storage │ │
│ │ │ ├── hyper-backup/ Synology backups │ │
│ │ │ ├── time-machine/ Mac backups │ │
│ │ │ └── manual/ Manual backups │ │
│ │ │ │ │
│ │ └── archive/ (~15 TB) Long-term cold storage │ │
│ │ ├── old-projects/ │ │
│ │ └── raw-footage/ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏢 CALYPSO - Secondary Storage (Concord, CA) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ Model: Synology DS723+ (2-Bay Plus) │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ STORAGE POOL 1 │ │
│ │ ═══════════════ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ Bay 1 │ │ Bay 2 │ │ │
│ │ │ Seagate 12TB │ │ Seagate 12TB │ │ │
│ │ │ IronWolf Pro │ │ IronWolf Pro │ │ │
│ │ │ ST12000VN0008 │ │ ST12000VN0008 │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ │ │
│ │ Raw Capacity: 24 TB │ │
│ │ RAID Type: SHR-1 (1-drive fault tolerance) │ │
│ │ Usable: ~10.9 TB │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ NVMe CACHE │ │
│ │ ═══════════ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ Crucial P3 Plus │ │ Crucial P3 Plus │ │ │
│ │ │ 500GB NVMe │ │ 500GB NVMe │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ Cache: 465GB allocated (RAID 1) Hit Rate: 99% │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ FOLDER STRUCTURE │ │
│ │ ════════════════ │ │
│ │ /volume1/ │ │
│ │ ├── docker/ (~500 GB) Container data (17 services) │ │
│ │ ├── apt-cache/ (~50 GB) Debian package cache │ │
│ │ ├── backups/ (~8 TB) Atlantis backup destination │ │
│ │ │ ├── hyper-backup/ Encrypted backups from Atlantis │ │
│ │ │ └── active-backup/ PC/Server backups │ │
│ │ └── dev/ (~200 GB) Development files │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🌵 SETILLO - Remote Storage (Tucson, AZ) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ Model: Synology DS223j (2-Bay Value) │
│ CPU: ARM Cortex-A55 Quad-Core (Realtek RTD1619B) │
│ RAM: 1GB DDR4 │
│ DSM: 7.3.2-86009 Update 1 │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ STORAGE POOL 1 │ │
│ │ ═══════════════ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ Bay 1 │ │ Bay 2 │ │ │
│ │ │ WD Gold 10TB │ │ WD Gold 10TB │ │ │
│ │ │ WD102KRYZ │ │ WD102KRYZ │ │ │
│ │ │ Temp: 38-40°C │ │ Temp: 42-45°C │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ │ │
│ │ Raw Capacity: 20 TB │ │
│ │ RAID Type: SHR-1 (1-drive fault tolerance) │ │
│ │ Usable: ~8.9 TB │ │
│ │ Used: ~4.0 TB (46%) │ │
│ │ Available: ~4.8 TB │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ FOLDER STRUCTURE │ │
│ │ ════════════════ │ │
│ │ /volume1/ │ │
│ │ ├── docker/ Container data │ │
│ │ ├── syncthing/ Syncthing real-time replication │ │
│ │ ├── backups/ Remote backup destination │ │
│ │ ├── PlexMediaServer/ Plex media data │ │
│ │ ├── NetBackup/ Network backup storage │ │
│ │ ├── surveillance/ Surveillance Station recordings │ │
│ │ └── homes/ User home directories │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Installed Packages: REDACTED_APP_PASSWORD, Syncthing, Tailscale, PlexMediaServer, │
│ HyperBackup, SurveillanceStation, Git, WebDAVServer │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 💻 GUAVA - TrueNAS Scale (Concord, CA) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ Hardware: ASRock B850I Lightning WiFi, Ryzen 5 8600G, 32GB DDR5 │
│ Network: Mellanox ConnectX-5 10GbE, NFS mount from Atlantis │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ BOOT POOL (ZFS) │ │
│ │ ═══════════════ │ │
│ │ ┌──────────────────┐ │ │
│ │ │ WD Black SN770 │ │ │
│ │ │ 500GB NVMe │ │ │
│ │ │ Used: 17GB (4%) │ │ │
│ │ └──────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ DATA POOL (ZFS Mirror) │ │
│ │ ══════════════════════ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ WD Blue SA510 │ │ WD Blue SA510 │ │ │
│ │ │ 4TB SATA SSD │ │ 4TB SATA SSD │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ │ │
│ │ Raw Capacity: 7.2 TB │ │
│ │ Pool Type: ZFS Mirror (1-drive fault tolerance) │ │
│ │ Usable: ~3.6 TB │ │
│ │ Used: ~2.1 TB (57%) Dedup Ratio: 1.69x │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ FOLDER STRUCTURE │ │
│ │ ════════════════ │ │
│ │ /mnt/data/ │ │
│ │ ├── guava_turquoise/ (~3.0 TB) Personal data archive │ │
│ │ ├── jellyfin/ (~204 GB) Jellyfin media + config │ │
│ │ ├── photos/ (~159 GB) Photo library │ │
│ │ ├── llama/ (~64 GB) LLM models │ │
│ │ ├── cocalc/ (~324 MB) CoCalc data │ │
│ │ ├── website/ (~59 MB) Personal website │ │
│ │ ├── ix-apps/docker/ (~42 GB) TrueNAS Docker storage │ │
│ │ └── tdarr-node/ Tdarr transcoding node │ │
│ │ │ │
│ │ /mnt/atlantis_media/ (NFS) Atlantis media mount (84TB pool, read-only) │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Backup: None (no cloud or offsite backup configured) │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🐠 JELLYFISH - Raspberry Pi 5 Photo Server (Concord, CA) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ Hardware: Raspberry Pi 5, 4GB LPDDR4X, ARM Cortex-A76 │
│ OS: Debian 13 (trixie) │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ BOOT DISK │ │
│ │ ═════════ │ │
│ │ ┌──────────────────┐ │ │
│ │ │ 32GB microSD │ │ │
│ │ │ Used: 8.8GB │ │ │
│ │ │ Avail: 19GB │ │ │
│ │ └──────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ NAS STORAGE (LUKS2 Encrypted NVMe) │ │
│ │ ══════════════════════════════════ │ │
│ │ ┌──────────────────┐ │ │
│ │ │ 4TB ASMedia │ │ │
│ │ │ NVMe Enclosure │ │ │
│ │ │ LUKS2 Encrypted │ │ │
│ │ │ (aes-xts-plain64│ │ │
│ │ │ 512-bit) │ │ │
│ │ └──────────────────┘ │ │
│ │ │ │
│ │ Mount: /srv/nas │ │
│ │ Total: 3.6 TB │ │
│ │ Used: 1.8 TB (53%) │ │
│ │ Available: 1.7 TB │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ SERVICES │ │
│ │ ════════ │ │
│ │ PhotoPrism (arm64) — Photo management │ │
│ │ Samba — SMB share [turquoise] → /srv/nas │ │
│ │ │ │
│ │ Backup: None (no cloud or offsite backup configured) │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ BACKUP STRATEGY ║
║ ═══════════════ ║
║ ║
║ ┌─────────────────┐ Weekly ┌─────────────────┐ ║
║ │ ATLANTIS │ ───────────────► │ CALYPSO │ (Hyper Backup, encrypted) ║
║ │ (Primary Data) │ │ (Local Backup) │ ║
║ └─────────────────┘ └─────────────────┘ ║
║ │ │ ║
║ │ Real-time (Syncthing) │ ║
║ ▼ ▼ ║
║ ┌─────────────────────────────────────────────────────────────────────────┐ ║
║ │ SETILLO (Tucson - Off-site) │ ║
║ │ Geographic redundancy, 1000+ miles away │ ║
║ └─────────────────────────────────────────────────────────────────────────┘ ║
║ ║
║ 3-2-1 Backup Rule: ║
║ • 3 copies of data (Atlantis + Calypso + Setillo) ║
║ • 2 different storage types (NAS + NAS w/different RAID) ║
║ • 1 off-site location (Tucson) ║
║ • PLUS cloud backup to Backblaze B2 ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ CLOUD BACKUP — BACKBLAZE B2 ║
║ ═══════════════════════════ ║
║ ║
║ Atlantis → Backblaze B2 (Weekly, Sundays 00:00) ║
║ Bucket: vk-atlantis ║
║ Endpoint: s3.us-west-004.backblazeb2.com ║
║ Folders: /archive, /documents, /downloads, /photo, /homes/vish/Photos ║
║ Apps: SynologyPhotos, SynologyDrive, FileStation, HyperBackup ║
║ Encrypted: Yes Versioned: Yes (Smart Recycle) ║
║ Task: "Backblaze b2" (ID 20, enabled) ║
║ ║
║ Calypso → Backblaze B2 (Daily, 00:00) ║
║ Bucket: vk-concord-1 ║
║ Endpoint: s3.us-west-004.backblazeb2.com ║
║ Folders: /docker/authentik, /docker/gitea, /docker/headscale, ║
║ /docker/immich, /docker/paperlessngx, /docker/seafile, ║
║ /data/media/misc, /data/media/music, /data/media/photos ║
║ Apps: Gitea, MariaDB10, CloudSync, Authentik, Immich, Paperless ║
║ Encrypted: Yes Versioned: Yes (Smart Recycle) ║
║ Task: "Backblaze S3" (ID 3, enabled) ║
║ ║
║ Note: Also an old disabled task "Backblaze S3 Atlantis" (ID 12) — weekly Sun 03:00 ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 📊 Storage Capacity Summary (Verified Feb 2025)
| System | Raw Capacity | Usable | Used | RAID | Drives | Location |
|--------|--------------|--------|------|------|--------|----------|
| Atlantis Vol1 | 128 TB | ~84 TB | 39TB (46%) | RAID 6 | 8x 16TB IronWolf Pro | Concord |
| Atlantis Vol2 | 0.9 TB | 0.9 TB | 176GB (20%) | RAID 1 | 2x NVMe (PCIe) | Concord |
| Atlantis Cache | 1 TB | N/A | N/A | R/W Cache | 2x 500GB WD Black SN750 SE (M.2) | Concord |
| Calypso Vol1 | 24 TB | ~11 TB | 4.5TB (43%) | SHR-1 | 2x 12TB IronWolf Pro | Concord |
| Calypso Cache | 1 TB | N/A | N/A | RAID 1 | 2x 500GB Crucial P3 Plus (M.2) | Concord |
| Guava boot-pool | 0.5 TB | 433 GB | 17GB (4%) | Single | 1x 500GB WD Black SN770 NVMe | Concord |
| Guava data | 7.2 TB | 3.6 TB | 2.1TB (57%) | ZFS Mirror | 2x 4TB WD Blue SA510 SATA | Concord |
| Setillo | 20 TB | ~8.9 TB | 4.0TB (46%) | RAID 1 | 2x 10TB WD Gold | Tucson |
| **Total** | **~183 TB** | **~113 TB** | **~50TB** | - | **19 drives** | - |
### Cloud Backup
| Source | Destination | Bucket | Schedule | Encrypted |
|--------|------------|--------|----------|-----------|
| Atlantis | Backblaze B2 | vk-atlantis | Weekly (Sun 00:00) | Yes |
| Calypso | Backblaze B2 | vk-concord-1 | Daily (00:00) | Yes |
| Guava | None | — | — | — |
| Setillo | None (receives backups) | — | — | — |
---
## 🔗 Related Diagrams
- [10GbE Backbone](10gbe-backbone.md) - High-speed network for storage
- [Service Architecture](service-architecture.md) - What uses this storage
- [Network Topology](network-topology.md) - How storage is accessed
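Review bot: the Storage Capacity Summary totals do not reconcile with the rows above them. The Drives column sums to 21 (8 + 2 + 2 + 2 + 2 + 1 + 2 + 2), not 19, and the Usable column sums to roughly 109 TB (84 + 0.9 + 11 + 0.433 + 3.6 + 8.9), not ~113 TB; recompute the totals or state what is excluded. Setillo is also described two ways: the panel with the two WD Gold drives says "RAID Type: SHR-1" while the summary row says "RAID 1". In the BACKUP STRATEGY box the 3-2-1 claim only holds for Atlantis data, since the Guava and Jellyfish panels both read "Backup: None", and "2 different storage types (NAS + NAS w/different RAID)" is two copies on the same medium type, so the Backblaze B2 copy is what actually satisfies the second rule; say so, and list Guava and Jellyfish as unprotected. Both B2 tasks record "Encrypted: Yes" but nothing records where the Hyper Backup encryption passphrase is escrowed; add a pointer to the secret store (not the value), otherwise a loss of Atlantis or Calypso leaves the cloud copies unrestorable. The Setillo "Installed Packages" line contains the placeholder REDACTED_APP_PASSWORD where a package name belongs, which looks like a sanitizer false positive; restore the name or mark the entry as intentionally omitted. Finally, "Verified Feb 2025" is more than a year older than the Headscale inventory in this same commit (verified 2026-03-21); confirm it is not a typo for Feb 2026.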

View File

@@ -0,0 +1,306 @@
# 🔗 Tailscale Mesh Network
## Overview
All homelab locations are connected via Tailscale, creating a secure mesh VPN that allows seamless access between sites regardless of NAT or firewall configurations.
**Total Devices: 24 Headscale nodes** across 4 physical locations + cloud + mobile devices.
**Control Server:** Headscale (self-hosted) on Calypso — `headscale.vish.gg`
**MagicDNS:** `*.tail.vish.gg` (resolved by AdGuard, not native MagicDNS)
**DERP Relays:** Home (Calypso), Atlantis, Seattle VPS
---
## 📊 Complete Device Inventory
### 🟢 Online Nodes (verified 2026-03-21 from Headscale)
#### Exit Nodes
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **atlantis** | 100.83.230.112 | Synology NAS | Concord | Exit node, Primary NAS |
| **calypso** | 100.103.48.78 | Synology NAS | Concord | Exit node, Headscale host |
| **setillo** | 100.125.0.20 | Synology NAS | Tucson | Exit node, off-site backup |
| **seattle** | 100.82.197.124 | Cloud VPS | Seattle | Exit node, Contabo |
| **vish-concord-nuc** | 100.72.55.21 | Intel NUC | Concord (Backup ISP) | Exit node |
| **homeassistant** | 100.112.186.90 | HA Green | Concord | Exit node (via GL-MT3000) |
| **gl-be3600** | 100.105.59.123 | GL.iNet Router | Concord | Exit node, subnet 192.168.8.0/24 |
#### Servers & VMs
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **homelab** | 100.67.40.126 | Proxmox VM | Concord | Primary VM — monitoring, tools, NetBox, Semaphore |
| **matrix-ubuntu** | 100.85.21.51 | Atlantis VM | Concord | NPM, Mastodon, Matrix, Mattermost |
| **pve** | 100.87.12.28 | Proxmox Host | Concord | VM hypervisor |
| **truenas-scale** | 100.75.252.64 | TrueNAS Scale | Concord | Guava, 10GbE, ZFS |
| **jellyfish** | 100.69.121.120 | RPi 5 | Concord | PhotoPrism, 4TB LUKS NVMe |
| **shinku-ryuu** | 100.98.93.15 | Windows | Concord | Desktop workstation, 10GbE |
| **moon** | 100.64.0.6 | Linux | Honolulu | Sibling's PC (aka bluecrownpassionflower) |
| **pi-5** | 100.77.151.40 | RPi 5 | Concord | Uptime Kuma, monitoring |
#### Network Devices
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **gl-mt3000** | 100.126.243.15 | GL.iNet Router | Concord | HA subnet 192.168.12.0/24 |
| **headscale-test** | 100.64.0.1 | Linux | Concord | Headscale test node |
#### Mobile
| Device | Tailscale IP | Type | Status |
|--------|--------------|------|--------|
| **iphone16-pro-max** | 100.79.252.108 | iOS | Online |
### 💤 Offline Nodes
| Device | Tailscale IP | Type | Notes |
|--------|--------------|------|-------|
| **gl-be3600** | 100.105.59.123 | GL.iNet Router | Frequently offline |
| **ipad-pro** | 100.68.71.48 | iOS | iPad Pro |
| **mah-pc** | 100.64.0.4 | Windows | Concord (Backup ISP), sibling's PC |
| **mastodon-rocky** | 100.64.0.3 | Linux | Legacy, decommissioned |
| **olares** | 100.64.0.5 | Linux | Olares K8s node (host Tailscale conflicts with K8s pod) |
| **uqiyoe** | 100.124.91.52 | Windows | Laptop |
| **vishdebian** | 100.64.0.2 | Linux | Legacy Debian VM |
---
## 🕸️ Mesh Topology (Mermaid)
```mermaid
graph TB
subgraph Tailscale["🔐 Headscale Mesh Network (24 Nodes)"]
subgraph Concord_Primary["🏠 Concord Primary - 25Gbps Fiber"]
subgraph NAS_Cluster["📦 NAS + VMs"]
A_ATL["🗄️ atlantis<br/>100.83.230.112<br/>⚡ EXIT NODE"]
A_MATRIX["🐧 matrix-ubuntu<br/>100.85.21.51<br/>VM on Atlantis"]
end
A_CAL["🗄️ calypso<br/>100.103.48.78<br/>⚡ EXIT NODE<br/>Headscale host"]
A_GUAVA["💻 guava<br/>100.75.252.64<br/>TrueNAS Scale"]
A_DESKTOP["🖥️ shinku-ryuu<br/>100.98.93.15"]
A_PVE["🖥️ pve<br/>100.87.12.28"]
A_JELLY["🐟 jellyfish<br/>100.69.121.120"]
A_HA["🏠 homeassistant<br/>100.112.186.90<br/>⚡ EXIT NODE<br/>(via GL-MT3000)"]
A_PI["🥧 pi-5<br/>100.77.151.40"]
A_GL_MT["📡 gl-mt3000<br/>100.126.243.15<br/>subnet 192.168.12.0/24"]
A_GL_BE["📡 gl-be3600<br/>100.105.59.123<br/>⚡ EXIT NODE<br/>subnet 192.168.8.0/24"]
subgraph Proxmox_VMs["Proxmox VMs"]
A_HLB["homelab<br/>100.67.40.126"]
end
end
subgraph Concord_Backup["🏠 Concord Backup - 2Gbps"]
B_NUC["🖥️ vish-concord-nuc<br/>100.72.55.21<br/>⚡ EXIT NODE"]
B_PI_K["🥧 pi-5-kevin<br/>100.123.246.75"]
B_MAH["💻 mah-pc<br/>100.64.0.4"]
end
subgraph Tucson["🌵 Tucson, AZ"]
T_SET["🗄️ setillo<br/>100.125.0.20<br/>⚡ EXIT NODE"]
end
subgraph Honolulu["🌺 Honolulu, HI"]
H_MOON["💻 moon<br/>100.64.0.6<br/>(aka bluecrownpassionflower)"]
end
subgraph Seattle["🌲 Seattle (Cloud)"]
S_SEA["☁️ seattle<br/>100.82.197.124<br/>⚡ EXIT NODE"]
end
subgraph Mobile["📱 Mobile Devices"]
M_IPHONE["📱 iphone16"]
M_PIXEL["📱 pixel-10-pro"]
M_IPAD["📱 ipad-pro"]
M_TAB["📱 samsung-tablet"]
M_KLAP["💻 kevinlaptop"]
end
end
%% VM relationships
A_ATL -->|"Hosts VM"| A_MATRIX
A_PVE -->|"Hosts VM"| A_HLB
%% Primary mesh connections
A_ATL <-->|"10GbE LAN"| A_CAL
A_ATL <-->|"10GbE LAN"| A_GUAVA
A_ATL <-->|"10GbE LAN"| A_DESKTOP
%% Cross-location Tailscale
A_ATL <-.->|"Tailscale"| T_SET
A_ATL <-.->|"Tailscale"| S_SEA
A_ATL <-.->|"Tailscale"| B_NUC
%% GL router subnets
A_GL_MT -->|"subnet route"| A_HA
%% Honolulu local
H_MOON <-.->|"Tailscale"| A_ATL
classDef nas fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef exit fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef compute fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef mobile fill:#1abc9c,stroke:#333,stroke-width:2px,color:#fff
classDef network fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
class A_ATL,A_CAL,T_SET nas
class S_SEA,B_NUC,A_HA exit
class A_GUAVA,A_DESKTOP,A_PVE,A_HLB,A_MATRIX,A_JELLY compute
class M_IPHONE,M_PIXEL,M_IPAD,M_TAB,M_KLAP mobile
class A_GL_MT,A_GL_BE network
```
---
## 📝 ASCII Tailscale Network Map
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ HEADSCALE MESH NETWORK (self-hosted Tailscale control server) ║
║ 24 Nodes • 7 Exit Nodes • 4 Locations • Full Mesh ║
║ Control: headscale.vish.gg (Calypso) ║
║ DERP Relays: Home (Calypso), Atlantis, Seattle VPS ║
║ DNS: AdGuard resolves *.tail.vish.gg → Tailscale IPs ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────┐
│ TAILSCALE │
│ COORDINATION │
│ (DERP Relays) │
└────────┬────────┘
┌───────────────────────────────────────┼───────────────────────────────────────┐
│ │ │
▼ ▼ ▼
┌────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏠 CONCORD, CA - PRIMARY (25Gbps Fiber) │
│ ══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 10GbE BACKBONE (TP-Link TL-SX1008) │ │
│ │ ────────────────────────────────────────────────────────────────────────────── │ │
│ │ │ │
│ │ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │ │
│ │ │ ⚡ ATLANTIS │ │ ⚡ CALYPSO │ │ GUAVA │ │ │
│ │ │ 100.83.230.112 │ │ 100.103.48.78 │ │ 100.75.252.64 │ │ │
│ │ │ DS1823xs+ │ │ DS723+ │ │ Physical Host │ │ │
│ │ │ EXIT NODE │ │ EXIT NODE │ │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ │ ┌─────────────┐ │ │ │ │ │ │ │
│ │ │ │matrix-ubuntu│ │ │ │ │ │ │ │
│ │ │ │100.85.21.51 │ │ │ │ │ │ │ │
│ │ │ │Mastodon/ │ │ │ │ │ │ │ │
│ │ │ │Matrix/MM │ │ │ │ │ │ │ │
│ │ │ └─────────────┘ │ │ │ │ │ │ │
│ │ └─────────────────┘ └─────────────────┘ └─────────────────┘ │ │
│ │ │ │
│ │ ┌─────────────────┐ │ │
│ │ │ SHINKU-RYUU │ Desktop Workstation │ │
│ │ │ 100.98.93.15 │ │ │
│ │ └─────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 2.5GbE / 1GbE DEVICES │ │
│ │ ────────────────────────────────────────────────────────────────────────────── │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌────────────┐ │ │
│ │ │ PVE │ │ JELLYFISH │ │⚡HOMEASSIST │ │ PI-5 │ │ HOMELAB VM │ │ │
│ │ │100.87.12.28 │ │100.69.121.120│ │100.112.186.90│ │100.77.151.40│ │100.67.40.126│ │ │
│ │ │ Proxmox │ │ Server │ │ EXIT NODE │ │ RPi 5 │ │ (on PVE) │ │ │
│ │ │ │ │ │ │via GL-MT3000│ │ │ │ │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ └────────────┘ │ │
│ │ ┌─────────────────────┐ ┌─────────────────────┐ │ │
│ │ │ ⚡ GL-BE3600 │ │ GL-MT3000 │ │ │
│ │ │ 100.105.59.123 │ │ 100.126.243.15 │ │ │
│ │ │ EXIT NODE │ │ HA subnet router │ │ │
│ │ │ 192.168.8.0/24 │ │ 192.168.12.0/24 │ │ │
│ │ └─────────────────────┘ └─────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏠 CONCORD BACKUP ISP (2Gbps/500Mbps) │
│ ══════════════════════════════════════════════════════════════════════════════════════│
│ ┌─────────────────────┐ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ ⚡ VISH-CONCORD-NUC │ │ PI-5-KEVIN │ │ MAH-PC │ │
│ │ 100.72.55.21 │ │ 100.123.246.75 │ │ 100.64.0.4 │ │
│ │ Intel NUC │ │ RPi 5 │ │ Windows PC │ │
│ │ EXIT NODE │ │ │ │ Sibling's PC │ │
│ └─────────────────────┘ └─────────────────────┘ └─────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────┘
◄─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ TAILSCALE MESH ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─►
┌───────────────────────────┐ ┌───────────────────────────┐ ┌───────────────────────────┐
│ 🌵 TUCSON, AZ │ │ 🌺 HONOLULU, HI │ │ 🌲 SEATTLE (CLOUD) │
│ ═════════════════════════│ │ ═════════════════════════│ │ ═════════════════════════│
│ │ │ │ │ │
│ ┌─────────────────────┐ │ │ ┌─────────────────────┐ │ │ ┌─────────────────────┐ │
│ │ ⚡ SETILLO │ │ │ │ MOON (bluecrownpassion) │ │ │ │ ⚡ SEATTLE │ │
│ │ 100.125.0.20 │ │ │ │ 100.64.0.6 — online │ │ │ │ 100.82.197.124 │ │
│ │ DS223j NAS │ │ │ │ │ │ │ │ Contabo VPS │ │
│ │ EXIT NODE │ │ │ └─────────────────────┘ │ │ │ EXIT NODE │ │
│ │ Off-site Backup │ │ │ │ │ └─────────────────────┘ │
│ └─────────────────────┘ │ │ │ │ │
│ │ │ │ └───────────────────────────┘
└───────────────────────────┘ └───────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────────┐
│ 📱 MOBILE DEVICES │
│ ══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ 📱 iphone16 │ │ 📱 pixel-10 │ │ 📱 ipad-pro │ │ 📱 samsung │ │ 💻 kevinlap │ │
│ │100.79.252.108│ │100.122.119.40│ │100.68.71.48 │ │100.72.118.117│ │100.89.160.65 │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
└────────────────────────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ EXIT NODE SUMMARY (6 Total) ║
║ ══════════════════════════ ║
║ • atlantis (100.83.230.112) - Primary exit, Concord 25Gbps ║
║ • calypso (100.103.48.78) - Secondary exit, Concord 25Gbps (Headscale host) ║
║ • setillo (100.125.0.20) - Tucson exit, DS223j off-site NAS ║
║ • seattle (100.82.197.124) - Cloud exit, Contabo VPS Seattle ║
║ • vish-concord-nuc (100.72.55.21) - Backup ISP exit, Concord 2Gbps ║
║ • homeassistant (100.112.186.90) - Home automation exit (via GL-MT3000 subnet) ║
║ • gl-be3600 (100.105.59.123) - GL.iNet router exit, subnet 192.168.8.0/24 ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 🖥️ Matrix-Ubuntu VM Details
This VM runs on **Atlantis** (Synology DS1823xs+ via Virtual Machine Manager):
| Specification | Value |
|---------------|-------|
| **Hostname** | matrix-ubuntu |
| **Tailscale IP** | 100.85.21.51 |
| **LAN IP** | 192.168.0.154 |
| **OS** | Ubuntu 24.04.3 LTS |
| **CPU** | 4 cores (AMD Ryzen Embedded V1780B) |
| **RAM** | 8GB (7.7GB usable) |
| **Storage** | 100GB (87GB available) |
| **SSH Port** | 65533 |
### Services Running
| Service | Domain | Status |
|---------|--------|--------|
| **Nginx Proxy Manager** | npm.vish.gg (:81) | ✅ Running (reverse proxy for all domains) |
| Mastodon | mastodon.vish.gg | ✅ Running |
| Mattermost | mm.crista.love | ✅ Running |
| Matrix (Synapse) | mx.vish.gg | ✅ Running |
| LiveKit | livekit.mx.vish.gg | ✅ Running |
| PostgreSQL | - | ✅ Running |
| Redis | - | ✅ Running |
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - Physical network layout
- [Service Architecture](service-architecture.md) - How services connect
- [Location Overview](location-overview.md) - Geographic distribution
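Review bot: the node counts and exit-node lists in this file contradict each other. gl-be3600 appears in both the Online Exit Nodes table and the Offline Nodes table; the EXIT NODE SUMMARY heading says "(6 Total)" but lists seven entries while the banner above it says "7 Exit Nodes"; and pi-5-kevin (100.123.246.75), pixel-10-pro (100.122.119.40), samsung-tablet (100.72.118.117) and kevinlaptop (100.89.160.65) are drawn in the Mermaid and ASCII maps but are missing from the "Complete Device Inventory", so either the inventory is incomplete or the 24-node total is wrong. Regenerate the tables and diagrams from one authoritative source (the Headscale node list) rather than maintaining them by hand. From a security standpoint, with seven exit nodes and two advertised subnet routes (192.168.8.0/24 via gl-be3600, 192.168.12.0/24 via gl-mt3000) the file should record, or link to, the Headscale ACL policy that restricts which nodes may use each exit node and route and whether route approval is manual; as written nothing documents who can reach those LAN subnets from the mesh. The nodes marked legacy (mastodon-rocky "decommissioned", vishdebian) are still registered with Tailscale IPs; remove them from Headscale or expire their keys so they cannot be revived with a stale node key. Minor: the ASCII boxes for jellyfish, homeassistant, homelab and moon overflow their borders.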