Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitized mirror from private repository - 2026-03-07 08:33:21 UTC
Some checks failed
Documentation / Build Docusaurus (push) Failing after 9s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gitea Mirror Bot
2026-03-07 08:33:21 +00:00
commit 5d4f7d9d45
1159 changed files with 297074 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

208
docs/diagrams/10gbe-backbone.md Normal file
View File

@@ -0,0 +1,208 @@
# ⚡ 10GbE Backbone Network
## Overview
The Concord primary location features a high-speed 10 Gigabit Ethernet backbone connecting the NAS cluster and primary workstations, enabling fast file transfers, media streaming, and backup operations.
---
## 🔌 10GbE Topology (Mermaid)
```mermaid
graph LR
subgraph Internet["☁️ Internet (25Gbps Fiber)"]
ISP["Sonic Fiber<br/>25Gbps ↑↓"]
end
subgraph Router["🌐 TP-Link Archer BE800"]
TPLINK["TP-Link Archer BE800<br/>Tri-Band WiFi 7<br/>10G + SFP+ + 4x2.5G"]
end
subgraph Switch["⚡ 10GbE Switch"]
TLSX["TP-Link TL-SX1008<br/>8-Port 10GbE<br/>Unmanaged Switch"]
end
subgraph HighSpeed["⚡ 10GbE Devices"]
ATL["🗄️ Atlantis<br/>DS1823xs+<br/>10GbE via E10M20-T1<br/>192.168.0.200"]
CAL["🗄️ Calypso<br/>DS723+<br/>10GbE via E10G22-T1-Mini<br/>192.168.0.250"]
GUA["💻 Guava<br/>TrueNAS Scale<br/>Mellanox ConnectX-5<br/>192.168.0.100"]
DSK["🖥️ Shinku-Ryuu<br/>i7-14700K + RTX 4080<br/>Mellanox ConnectX-5<br/>192.168.0.3"]
end
subgraph GigE["🔌 1GbE Devices"]
PROX["🖥️ Proxmox<br/>VM Host"]
ANUB["🤖 Anubis<br/>Mac Mini"]
PI_V["📡 RPi 5 Vish"]
end
ISP -->|"25Gbps"| TPLINK
TPLINK -->|"10GbE"| TLSX
TLSX -->|"10GbE"| ATL
TLSX -->|"10GbE"| CAL
TLSX -->|"10GbE"| GUA
TLSX -->|"10GbE"| DSK
TPLINK -->|"1GbE"| PROX
TPLINK -->|"1GbE"| ANUB
TPLINK -->|"1GbE"| PI_V
classDef switch fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
classDef nas fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef compute fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef router fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
class TLSX switch
class ATL,CAL nas
class GUA,DSK,PROX,ANUB,PI_V compute
class TPLINK router
```
---
## 📝 ASCII 10GbE Layout
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ 10 GIGABIT ETHERNET BACKBONE ║
║ Concord, CA • 25Gbps Internet • High-Speed LAN ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────────────┐
│ ☁️ INTERNET │
│ Sonic 25Gbps Fiber │
│ 25,000 Mbps ↑↓ │
└───────────┬─────────────┘
│ 25Gbps
┌─────────────────────────┐
│ 🌐 TP-Link Archer BE800 │
│ ═══════════════════════ │
│ WiFi 7 Tri-Band Router │
│ • 1x 10Gbps RJ45 Port │
│ • 1x 10Gbps SFP+ Port │
│ • 4x 2.5Gbps LAN Ports │
└─────┬─────────┬─────────┘
│ │
10GbE │ │ 2.5GbE
│ │
┌───────────────┘ └───────────────────────────┐
│ │
▼ ▼
┌───────────────────────────────┐ ┌─────────────────────────────────┐
│ ⚡ TP-Link TL-SX1008 │ │ 🔌 1GbE DEVICES │
│ ═══════════════════════════ │ │ ═══════════════════════════ │
│ 8-Port 10GbE Unmanaged │ │ │
│ • All ports 10GBASE-T │ │ ┌─────────┐ ┌─────────┐ │
│ • 160Gbps switching capacity │ │ │ Proxmox │ │ Anubis │ │
│ • Fanless, silent operation │ │ │ VM Host │ │Mac Mini │ │
│ │ │ │ 1GbE │ │ Ubuntu │ │
│ Port Layout: │ │ └─────────┘ └─────────┘ │
│ ┌───┬───┬───┬───┬───┬───┬───┬───┐ │ │ │
│ │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │ 7 │ 8 │ │ ┌──────┴──────┐ │
│ └─┬─┴─┬─┴─┬─┴─┬─┴───┴───┴───┴───┘ │ │ RPi 5 Vish │ │
│ │ │ │ │ (unused) │ │ 1GbE │ │
└────┼───┼───┼───┼──────────────────┘ │ └─────────────┘ │
│ │ │ │ └─────────────────────────────────┘
│ │ │ │
10GbE│ │ │ │10GbE
│ │ │ │
▼ ▼ ▼ ▼
┌────────────────────────────────────────────────────────────────────┐
│ ⚡ 10GbE CONNECTED DEVICES │
│ ══════════════════════════════════════════════════════════════ │
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ ATLANTIS │ │ CALYPSO │ │ GUAVA │ │
│ │ ═════════════ │ │ ═════════════ │ │ ═════════════ │ │
│ │ 192.168.0.200 │ │ 192.168.0.250 │ │ 192.168.0.100 │ │
│ │ │ │ │ │ │ │
│ │ DS1823xs+ │ │ DS723+ │ │ TrueNAS Scale │ │
│ │ 8-Bay NAS │ │ 2-Bay NAS │ │ Ryzen 5 8600G │ │
│ │ │ │ │ │ │ │
│ │ 8x 16TB HDDs │ │ 2x 12TB HDDs │ │ 2x 4TB SSD │ │
│ │ = 128TB Raw │ │ = 24TB Raw │ │ = 8TB Raw │ │
│ │ │ │ │ │ │ │
│ │ ┌───────────┐ │ │ ┌───────────┐ │ │ ┌───────────┐ │ │
│ │ │ E10M20-T1 │ │ │ │E10G22-T1 │ │ │ │ Mellanox │ │ │
│ │ │ 10GbE+M.2 │ │ │ │ -Mini │ │ │ │ConnectX-5 │ │ │
│ │ │ PCIe │ │ │ │ 10GbE │ │ │ │ 10/25GbE │ │ │
│ │ └───────────┘ │ │ └───────────┘ │ │ └───────────┘ │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
│ ┌─────────────────┐ │
│ │ SHINKU-RYUU │ │
│ │ ═════════════ │ │
│ │ 192.168.0.3 │ │
│ │ │ │
│ │ i7-14700K │ │
│ │ RTX 4080 16GB │ │
│ │ 96GB DDR5 │ │
│ │ ┌───────────┐ │ │
│ │ │ Mellanox │ │ │
│ │ │ConnectX-5 │ │ │
│ │ │ 10/25GbE │ │ │
│ │ └───────────┘ │ │
│ └─────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ PERFORMANCE BENCHMARKS ║
║ ═════════════════════ ║
║ ║
║ • NAS-to-NAS Transfer (Atlantis ↔ Calypso): ~1.1 GB/s (8.8 Gbps) ║
║ • Desktop → Atlantis Sequential Write: ~1.0 GB/s (8.0 Gbps) ║
║ • Atlantis → Desktop Sequential Read: ~1.1 GB/s (8.8 Gbps) ║
║ • 4K Video Stream (single): ~100 Mbps (0.1 Gbps) ║
║ • 4K Video Streams (concurrent, theoretical): ~80 streams ║
║ ║
║ Bottlenecks: ║
║ • None for 10GbE devices - full speed to switch via router's 10G port ║
║ • 2.5GbE devices: Proxmox, Anubis connected via 2.5G ports (still fast!) ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 📊 Hardware Specifications
### TP-Link TL-SX1008 (10GbE Switch)
| Specification | Value |
|---------------|-------|
| Ports | 8x 10GBASE-T (RJ45) |
| Switching Capacity | 160 Gbps |
| Forwarding Rate | 119.04 Mpps |
| Management | Unmanaged |
| Cooling | Fanless (silent) |
| Power | ~15W typical |
### 10GbE Network Cards
| Device | NIC Model | Interface | Notes |
|--------|-----------|-----------|-------|
| Atlantis | Synology E10M20-T1 | PCIe 3.0 x8 | Combo 10GbE + M.2 slot |
| Calypso | Synology E10G22-T1-Mini | PCIe 3.0 | Official Synology 10GbE |
| Guava | TBD | PCIe | 10GBASE-T |
| Desktop | TBD | PCIe | 10GBASE-T |
---
## 🔧 Cable Requirements
All 10GbE connections use **Cat6a or Cat7** cables for reliable 10Gbps performance:
| Connection | Cable Type | Length | Notes |
|------------|------------|--------|-------|
| Switch → Atlantis | Cat6a | ~2m | Shielded recommended |
| Switch → Calypso | Cat6a | ~2m | Shielded recommended |
| Switch → Guava | Cat6a | ~3m | |
| Switch → Desktop | Cat6a | ~5m | |
| Router → Switch | Cat6a | ~1m | 2.5GbE link |
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - Complete network overview
- [Storage Topology](storage-topology.md) - NAS storage configuration

108
docs/diagrams/README.md Normal file
View File

@@ -0,0 +1,108 @@
# 📊 Homelab Infrastructure Diagrams
This directory contains visual documentation of the homelab infrastructure, including network topology, service architecture, and storage layouts. All diagrams use [Mermaid.js](https://mermaid.js.org/) for rendering.
## 📁 Diagram Index
| Diagram | Description | Format |
|---------|-------------|--------|
| [Network Topology](network-topology.md) | Physical and logical network layout across all locations | Mermaid + ASCII |
| [Tailscale Mesh](tailscale-mesh.md) | VPN mesh network connecting all locations | Mermaid + ASCII |
| [10GbE Backbone](10gbe-backbone.md) | High-speed network backbone in Concord | Mermaid + ASCII |
| [Service Architecture](service-architecture.md) | How services interact, auth flows, CI/CD pipeline | Mermaid |
| [Storage Topology](storage-topology.md) | NAS cluster, volumes, and backup flows | Mermaid + ASCII |
| [Location Overview](location-overview.md) | Geographic distribution of infrastructure | Mermaid |
### Service Architecture Sections
- Media Stack (Arr suite, Plex, streaming)
- Monitoring Stack (Prometheus, Grafana)
- **Authentication Stack (Authentik + NPM)** ⭐ NEW
- Communication Stack (Matrix, Mastodon, Mattermost)
- **CI/CD Pipeline (Gitea Actions + Ansible)** ⭐ NEW
## 🔐 Key Architecture Components
### Authentication & Proxy Stack
```
┌─────────────────────────────────────────────────────────────────────┐
│ Internet → Cloudflare → NPM (Atlantis) → Authentik (Calypso) │
│ ↓ │
│ Protected Services │
└─────────────────────────────────────────────────────────────────────┘
```
| Component | Host | Port | Purpose |
|-----------|------|------|---------|
| **Nginx Proxy Manager** | Atlantis | :81/:443 | Reverse proxy, SSL termination |
| **Authentik Server** | Calypso | :9000 | Identity provider, SSO |
| **Authentik Outpost** | Calypso | :9444 | Forward auth proxy |
| **Headscale** | Calypso | :8080 | Self-hosted Tailscale controller |
| **WireGuard** | Atlantis | :51820 | VPN server |
### Service Protection via Authentik
| Domain | Service | Auth Type |
|--------|---------|-----------|
| sso.vish.gg | Authentik | - (IdP) |
| git.vish.gg | Gitea | OAuth2/OIDC |
| gf.vish.gg | Grafana | OAuth2/OIDC |
| docs.vish.gg | Paperless-NGX | Forward Auth |
| photos.vish.gg | Immich | Forward Auth |
| actual.vish.gg | Actual Budget | Forward Auth |
| ff.vish.gg | Firefly III | Forward Auth |
## 🗺️ Quick Reference
### Locations
- **Concord, CA** (Primary) - Main infrastructure, 25Gbps fiber
- **Concord, CA** (Backup ISP) - Failover connectivity, 2Gbps/500Mbps
- **Tucson, AZ** - Remote NAS (Setillo)
- **Honolulu, HI** - Travel/remote access point
- **Seattle, WA** - Cloud VPS (Contabo)
### Key Infrastructure
- **3 Synology NAS** units (Atlantis, Calypso, Setillo)
- **10GbE backbone** via TP-Link TL-SX1008
- **Tailscale mesh** connecting all locations
- **Proxmox** virtualization for VMs
- **Authentik SSO** protecting 8+ services
- **Nginx Proxy Manager** routing 20+ domains
### Service Counts by Host
| Host | Services | Primary Role |
|------|----------|--------------|
| Atlantis | 53 | Media, monitoring, proxy |
| Calypso | 24 | Auth, Gitea, Paperless |
| Homelab VM | 33 | Experiments, tools |
| Concord NUC | 11 | Edge, Home Assistant |
| Other hosts | 43 | Various |
| **Total** | **164** | |
## 🔄 Diagram Updates
These diagrams should be updated when:
- New hosts are added
- Network topology changes
- Services are added/removed
- Storage configuration changes
- Authentication flows change
## 📝 Viewing Diagrams
These diagrams render automatically on:
- **Gitea** (git.vish.gg) - Native Mermaid support
- **GitHub** - Native Mermaid support
- **VS Code** - With Mermaid extension
For local viewing:
```bash
# Install mermaid-cli
npm install -g @mermaid-js/mermaid-cli
# Generate PNG from markdown
mmdc -i service-architecture.md -o output.png
```
---
*Last updated: 2026-02-05*

233
docs/diagrams/location-overview.md Normal file
View File

@@ -0,0 +1,233 @@
# 🗺️ Geographic Location Overview
## Overview
The homelab infrastructure spans 4 physical locations plus cloud and mobile components, all connected via Tailscale mesh VPN.
---
## 🌎 Location Map (Mermaid)
```mermaid
graph TB
subgraph USA["🇺🇸 United States"]
subgraph West["West Coast"]
SEA["🌲 Seattle, WA<br/>Cloud VPS"]
CON["🏠 Concord, CA<br/>PRIMARY HQ<br/>25Gbps Fiber"]
end
subgraph Southwest["Southwest"]
TUC["🌵 Tucson, AZ<br/>Remote NAS"]
end
subgraph Pacific["Pacific"]
HON["🌺 Honolulu, HI<br/>Remote Access"]
end
end
subgraph Mobile["✈️ Mobile"]
MSI["💻 MSI Laptop<br/>Travel Workstation"]
end
%% Tailscale connections
CON <-->|"Tailscale<br/>Primary Hub"| SEA
CON <-->|"Tailscale"| TUC
CON <-->|"Tailscale"| HON
CON <-->|"Tailscale"| MSI
SEA <-->|"Tailscale"| TUC
SEA <-->|"Tailscale"| HON
TUC <-->|"Tailscale"| HON
classDef primary fill:#e74c3c,stroke:#333,stroke-width:3px,color:#fff
classDef secondary fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef remote fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef mobile fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
class CON primary
class SEA secondary
class TUC,HON remote
class MSI mobile
```
---
## 📝 ASCII Location Map
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ HOMELAB GEOGRAPHIC DISTRIBUTION ║
║ 4 Locations + Cloud + Mobile • Tailscale Connected ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
🇺🇸 UNITED STATES
═══════════════════════════════════════════════════════════════════════════════════
🌲 SEATTLE, WA
┌─────────────────┐
│ Contabo VM │
│ Cloud VPS │
│ • External │
│ Access │
└────────┬────────┘
│ Tailscale
─────────────────────────┼─────────────────────────────────────────────────────────
🏠 CONCORD, CA ◄──────── PRIMARY HEADQUARTERS
┌─────────────────────────────────────────┐
│ ★ PRIMARY LOCATION │
│ ══════════════════ │
│ │
│ Internet: 25Gbps Sonic Fiber │
│ Backup: 2Gbps/500Mbps │
│ │
│ ┌─────────────────────────────────┐ │
│ │ Main Network (25Gbps) │ │
│ │ • Atlantis (DS1823xs+) │ │
│ │ • Calypso (DS723+) │ │
│ │ • Guava (Physical Host) │ │
│ │ • Desktop (Workstation) │ │
│ │ • Proxmox (VMs) │ │
│ │ • Anubis (Mac Mini - AI) │ │
│ │ • RPi 5 Vish │ │
│ └─────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────┐ │
│ │ Backup Network (2G/500M) │ │
│ │ • Concord NUC │ │
│ │ • RPi 5 Kevin │ │
│ └─────────────────────────────────┘ │
│ │
│ Services: 150+ containers │
│ Storage: 152TB across 2 NAS │
└────────────────────┬────────────────────┘
│ Tailscale (all locations mesh connected)
┌────────────────────┼────────────────────┐
│ │ │
▼ ▼ ▼
🌵 TUCSON, AZ 🌺 HONOLULU, HI
┌─────────────────────┐ ┌─────────────────────┐
│ Remote Backup Site │ │ Remote Access │
│ ═══════════════════│ │ ═══════════════════│
│ │ │ │
│ • Setillo NAS │ │ • GL.iNet MT3000 │
│ (Off-site backup)│ │ (Travel Router) │
│ │ │ │
│ Services: │ │ • Partner's PC │
│ • Prometheus │ │ (bluecrownpf) │
│ • SNMP Exporter │ │ │
│ • AdGuard Home │ │ Access to: │
│ • Syncthing │ │ • Plex streaming │
│ │ │ • Immich photos │
│ Purpose: │ │ • All services via │
│ • 3-2-1 backup │ │ Tailscale │
│ • Geographic │ │ │
│ redundancy │ │ │
└─────────────────────┘ └─────────────────────┘
─────────────────────────────────────────────────────────────────────────────────────
✈️ MOBILE (Anywhere)
┌─────────────────────┐
│ MSI Laptop │
│ ═══════════════════│
│ │
│ • Full Tailscale │
│ access │
│ • Development │
│ • Remote admin │
│ • OpenHands │
│ │
│ Can connect from: │
│ • Hotels │
│ • Airports │
│ • Coffee shops │
│ • Anywhere with │
│ internet │
└─────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ LOCATION SUMMARY ║
╠════════════════════════════════════════════════════════════════════════════════════════╣
║ ║
║ Location │ Type │ Devices │ Bandwidth │ Primary Purpose ║
║ ────────────────┼───────────┼─────────┼──────────────┼─────────────────────────────── ║
║ Concord (Main) │ Primary │ 10+ │ 25Gbps │ Main infrastructure ║
║ Concord (Backup)│ Failover │ 2 │ 2G/500M │ Redundant connectivity ║
║ Tucson │ Remote │ 1 │ TBD │ Off-site backup ║
║ Honolulu │ Remote │ 2 │ TBD │ Partner access ║
║ Seattle (Cloud) │ Cloud │ 1 │ Shared │ External services ║
║ Mobile │ Travel │ 1 │ Variable │ Remote administration ║
║ ║
╠════════════════════════════════════════════════════════════════════════════════════════╣
║ DISTANCES FROM PRIMARY (Concord, CA) ║
║ ───────────────────────────────────── ║
║ • Seattle, WA: ~680 miles (~1,100 km) ║
║ • Tucson, AZ: ~650 miles (~1,050 km) ║
║ • Honolulu, HI: ~2,400 miles (~3,860 km) ║
║ ║
║ Latency (typical Tailscale): ║
║ • Concord ↔ Seattle: ~25ms ║
║ • Concord ↔ Tucson: ~35ms ║
║ • Concord ↔ Honolulu: ~70ms ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 📊 Device Distribution by Location
### 🏠 Concord, CA - Primary (Main Network)
| Device | Type | Connection | Services |
|--------|------|------------|----------|
| Atlantis | Synology DS1823xs+ | 10GbE | 55 services |
| Calypso | Synology DS723+ | 10GbE | 17 services |
| Guava | Physical Host | 10GbE | 6 services |
| Desktop | Workstation | 10GbE | - |
| Proxmox | VM Host | 1GbE | 3 VMs (56 services) |
| Anubis | Mac Mini (Ubuntu) | 1GbE | 8 services (AI) |
| RPi 5 Vish | Raspberry Pi | 1GbE | 2 services |
### 🏠 Concord, CA - Backup ISP
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| Concord NUC | Intel NUC | 1GbE | 9 services, failover |
| RPi 5 Kevin | Raspberry Pi | 1GbE | Edge services |
### 🌵 Tucson, AZ
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| Setillo | Synology NAS | 1GbE | 4 services, off-site backup |
### 🌺 Honolulu, HI
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| GL.iNet MT3000 | Travel Router | WiFi/LAN | Subnet router for local devices |
| bluecrownpassionflower | Partner's PC | LAN | Remote access to homelab |
### 🌲 Seattle, WA (Cloud)
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| Contabo VM | Cloud VPS | Internet | 1 service, external access |
### ✈️ Mobile
| Device | Type | Connection | Purpose |
|--------|------|------------|---------|
| MSI Laptop | Laptop | WiFi/LAN | Remote administration, development |
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - Detailed network layout
- [Tailscale Mesh](tailscale-mesh.md) - VPN connectivity
- [Storage Topology](storage-topology.md) - Backup locations

248
docs/diagrams/network-topology.md Normal file
View File

@@ -0,0 +1,248 @@
# 🌐 Network Topology
## Overview
This document shows the physical and logical network layout across all homelab locations, connected via Tailscale VPN mesh.
---
## 🗺️ Geographic Overview (Mermaid)
```mermaid
graph TB
subgraph Internet["☁️ Internet"]
ISP1["Concord Primary<br/>25Gbps Fiber"]
ISP2["Concord Backup<br/>2G↓/500M↑"]
ISP3["Tucson ISP"]
ISP4["Honolulu ISP"]
CONTABO["Contabo Cloud<br/>Seattle"]
end
subgraph Concord_Primary["🏠 Concord, CA - Primary (25Gbps)"]
TPLINK["TP-Link Archer BE800<br/>Tri-Band Router"]
SWITCH["TP-Link TL-SX1008<br/>10GbE Switch"]
subgraph NAS_Cluster["📦 NAS Cluster"]
ATLANTIS["Atlantis<br/>DS1823xs+<br/>8x16TB"]
CALYPSO["Calypso<br/>DS723+<br/>2x12TB"]
end
subgraph Compute["💻 Compute"]
GUAVA["Guava<br/>TrueNAS Scale<br/>Ryzen 5 8600G"]
DESKTOP["Shinku-Ryuu<br/>i7-14700K + RTX 4080<br/>96GB DDR5"]
PROXMOX["Proxmox Host"]
ANUBIS["Anubis<br/>Mac Mini (Ubuntu)<br/>AI/HPC"]
end
subgraph Edge_Primary["📡 Edge Devices"]
PI_VISH["RPi 5<br/>(Vish)"]
end
subgraph VMs["🖥️ Virtual Machines"]
HOMELAB_VM["Homelab VM"]
CHICAGO_VM["Chicago VM"]
BULGARIA_VM["Bulgaria VM"]
end
end
subgraph Concord_Backup["🏠 Concord, CA - Backup ISP (2G/500M)"]
NUC["Concord NUC<br/>Intel NUC"]
PI_KEVIN["RPi 5<br/>(Kevin)"]
end
subgraph Tucson["🌵 Tucson, AZ"]
SETILLO["Setillo<br/>DS223j<br/>2x10TB WD Gold"]
end
subgraph Honolulu["🌺 Honolulu, HI"]
GLINET["GL.iNet MT3000<br/>Travel Router"]
BCPF["bluecrownpassionflower<br/>Partner's PC"]
end
subgraph Mobile["✈️ Mobile/Travel"]
MSI["MSI Laptop<br/>Portable Workstation"]
end
subgraph Seattle["🌲 Seattle, WA (Cloud)"]
CONTABO_VM["Contabo VM<br/>Cloud VPS"]
end
%% Internet connections
ISP1 --> TPLINK
ISP2 --> NUC
ISP3 --> SETILLO
ISP4 --> GLINET
CONTABO --> CONTABO_VM
%% Concord Primary internal
TPLINK --> SWITCH
SWITCH -->|10GbE| ATLANTIS
SWITCH -->|10GbE| CALYPSO
SWITCH -->|10GbE| GUAVA
SWITCH -->|10GbE| DESKTOP
TPLINK -->|2.5GbE| PROXMOX
TPLINK -->|2.5GbE| ANUBIS
TPLINK -->|1GbE| PI_VISH
PROXMOX --> HOMELAB_VM
PROXMOX --> CHICAGO_VM
PROXMOX --> BULGARIA_VM
%% Tailscale mesh (dashed)
ATLANTIS -.->|Tailscale| SETILLO
ATLANTIS -.->|Tailscale| NUC
ATLANTIS -.->|Tailscale| GLINET
ATLANTIS -.->|Tailscale| BCPF
ATLANTIS -.->|Tailscale| CONTABO_VM
ATLANTIS -.->|Tailscale| MSI
classDef nas fill:#4a9eff,stroke:#333,stroke-width:2px,color:#fff
classDef compute fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef network fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef vm fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef cloud fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
classDef edge fill:#1abc9c,stroke:#333,stroke-width:2px,color:#fff
class ATLANTIS,CALYPSO,SETILLO nas
class GUAVA,DESKTOP,PROXMOX compute
class TPLINK,SWITCH,GLINET network
class HOMELAB_VM,CHICAGO_VM,BULGARIA_VM vm
class CONTABO_VM cloud
class NUC,PI_KEVIN edge
```
---
## 📝 ASCII Network Topology
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ HOMELAB NETWORK TOPOLOGY ║
║ 4 Locations • Tailscale Mesh • 25Gbps Primary ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ ☁️ INTERNET │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ [Concord 25G] [Concord 2G/500M] [Tucson] [Honolulu] [Seattle] │
│ │ │ │ │ │ │
│ ▼ ▼ ▼ ▼ ▼ │
└─────────┼───────────────────┼──────────────────┼──────────────┼──────────────┼───────────┘
│ │ │ │ │
│ │ │ │ │
┌─────────▼───────────────────┼──────────────────┼──────────────┼──────────────┼───────────┐
│ 🏠 CONCORD, CA (PRIMARY) │ │ │ │ │
│ ════════════════════════ │ │ │ │ │
│ │ │ │ │ │
│ ┌──────────────────┐ │ │ │ │ │
│ │ TP-Link Archer BE800 │ │ │ │ │ │
│ │ (Tri-Band WiFi) │ │ │ │ │ │
│ └────────┬─────────┘ │ │ │ │ │
│ │ │ │ │ │ │
│ ▼ │ │ │ │ │
│ ┌──────────────────┐ │ │ │ │ │
│ │ TL-SX1008 10GbE │ │ │ │ │ │
│ │ 8-Port Switch │ │ │ │ │ │
│ └┬───┬───┬───┬─────┘ │ │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ │ │ └─────────────┼──────────────────┼──────────────┼──────────────┼───────────┤
│ │ │ │ 10GbE │ │ │ │ │
│ ▼ ▼ ▼ ▼ │ │ │ │ │
│ ┌───┐┌───┐┌───┐┌───┐ │ │ │ │ │
│ │ATL││CAL││GUA││DSK│ │ │ │ │ │
│ │ ││ ││ ││ │ │ │ │ │ │
│ │8x ││2x ││ ││ │ │ │ │ │ │
│ │16T││12T││ ││ │ │ │ │ │ │
│ └───┘└───┘└───┘└───┘ │ │ │ │ │
│ │ │ │ │ │
│ ┌─────────────────┐ │ │ │ │ │
│ │ Proxmox Host │ │ │ │ │ │
│ │ ┌───┬───┬───┐ │ │ │ │ │ │
│ │ │HLB│CHI│BUL│ │ │ │ │ │ │
│ │ │VM │VM │VM │ │ │ │ │ │ │
│ │ └───┴───┴───┘ │ │ │ │ │ │
│ └─────────────────┘ │ │ │ │ │
│ │ │ │ │ │
└─────────────────────────────┼──────────────────┼──────────────┼──────────────┼───────────┘
│ │ │ │
┌─────────────────────────────▼──────────────────┼──────────────┼──────────────┼───────────┐
│ 🏠 CONCORD BACKUP ISP │ │ │ │
│ ════════════════════════ │ │ │ │
│ ┌─────────┐ ┌─────────┐ │ │ │ │
│ │ Concord │ │ RPi 5 │ │ │ │ │
│ │ NUC │ │ (Kevin) │ │ │ │ │
│ └─────────┘ └─────────┘ │ │ │ │
└────────────────────────────────────────────────┼──────────────┼──────────────┼───────────┘
│ │ │
┌────────────────────────────────────────────────▼──────────────┼──────────────┼───────────┐
│ 🌵 TUCSON, AZ │ │ │
│ ════════════════ │ │ │
│ ┌─────────────┐ │ │ │
│ │ Setillo │◄─ ─ ─ ─ ─ ─ ─ ─ ─Tailscale─ ─ ─ ─ ─ ─ ─ ─ ─ ┤ │ │
│ │ Synology NAS│ │ │ │
│ └─────────────┘ │ │ │
└───────────────────────────────────────────────────────────────┼──────────────┼───────────┘
│ │
┌───────────────────────────────────────────────────────────────▼──────────────┼───────────┐
│ 🌺 HONOLULU, HI │ │
│ ════════════════ │ │
│ ┌─────────────┐ ┌──────────────────────┐ │ │
│ │ GL.iNet │ │ bluecrownpassionflower│◄─ ─ ─ ─Tailscale─ ─ ─ ─ ─ ─ ─ ─ ┤ │
│ │ MT3000 │ │ │ │ │
│ └─────────────┘ └──────────────────────┘ │ │
└──────────────────────────────────────────────────────────────────────────────┼───────────┘
┌──────────────────────────────────────────────────────────────────────────────▼───────────┐
│ 🌲 SEATTLE, WA (CLOUD) │
│ ══════════════════════ │
│ ┌─────────────┐ │
│ │ Contabo VM │◄─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─Tailscale─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤
│ │ Cloud VPS │ │
│ └─────────────┘ │
└──────────────────────────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ LEGEND ║
║ ══════ ║
║ ATL = Atlantis (DS1823xs+) CAL = Calypso (DS723+) GUA = Guava ║
║ DSK = Desktop HLB = Homelab VM CHI = Chicago VM ║
║ BUL = Bulgaria VM ─── = Physical Connection ─ ─ = Tailscale VPN ║
║ ║
║ 10GbE connections: Atlantis, Calypso, Guava, Desktop ║
║ All other connections: 1GbE or WiFi ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 📊 Connection Summary
### Concord Primary (25Gbps Fiber)
| Device | Connection | Speed | Purpose |
|--------|------------|-------|---------|
| Atlantis | TL-SX1008 | 10GbE | Primary NAS, media, services |
| Calypso | TL-SX1008 | 10GbE | Secondary NAS, development |
| Guava | TL-SX1008 | 10GbE | Physical compute host |
| Desktop | TL-SX1008 | 10GbE | Workstation |
| Proxmox | TP-Link Router | 1GbE | VM host |
### Concord Backup (2Gbps/500Mbps)
| Device | Connection | Speed | Purpose |
|--------|------------|-------|---------|
| Concord NUC | Direct | 1GbE | Edge computing, failover |
| RPi 5 (Kevin) | Direct | 1GbE | Lightweight services |
### Remote Locations
| Location | Device | Connection | Purpose |
|----------|--------|------------|---------|
| Tucson | Setillo | Tailscale | Remote NAS, monitoring |
| Honolulu | GL.iNet MT3000 | Tailscale | Travel router, remote access |
| Honolulu | bluecrownpassionflower | Tailscale | TBD |
| Seattle | Contabo VM | Tailscale | Cloud services, external access |
---
## 🔗 Related Diagrams
- [Tailscale Mesh](tailscale-mesh.md) - VPN overlay network details
- [10GbE Backbone](10gbe-backbone.md) - High-speed internal network
- [Location Overview](location-overview.md) - Geographic distribution

790
docs/diagrams/service-architecture.md Normal file
View File

@@ -0,0 +1,790 @@
# 🏗️ Service Architecture
## Overview
This document shows how the 176+ Docker services interact, their dependencies, and the data flows between them.
---
## 🎬 Media Stack Architecture (Mermaid)
```mermaid
graph TB
subgraph Internet["☁️ Internet Sources"]
USENET["Usenet<br/>Providers"]
TORRENT["Torrent<br/>Trackers"]
INDEXERS["Indexers<br/>(NZB/Torrent)"]
end
subgraph Acquisition["📥 Content Acquisition (Atlantis)"]
PROWLARR["Prowlarr<br/>Indexer Manager"]
SONARR["Sonarr<br/>TV Shows"]
RADARR["Radarr<br/>Movies"]
LIDARR["Lidarr<br/>Music"]
READARR["Readarr<br/>Books"]
BAZARR["Bazarr<br/>Subtitles"]
SAB["SABnzbd<br/>Usenet Client"]
QBIT["qBittorrent<br/>Torrent Client"]
end
subgraph Storage["💾 Storage (Atlantis NAS)"]
MEDIA_TV["/volume1/media/tv"]
MEDIA_MOV["/volume1/media/movies"]
MEDIA_MUS["/volume1/media/music"]
MEDIA_BOOK["/volume1/media/books"]
end
subgraph Streaming["📺 Media Streaming"]
PLEX["Plex<br/>Media Server"]
JELLYFIN["Jellyfin<br/>Media Server"]
NAVIDROME["Navidrome<br/>Music Server"]
TAUTULLI["Tautulli<br/>Plex Analytics"]
end
subgraph Clients["📱 Client Devices"]
TV["Smart TVs"]
PHONE["Phones/Tablets"]
WEB["Web Browsers"]
APPS["Desktop Apps"]
end
%% Acquisition flow
INDEXERS --> PROWLARR
PROWLARR --> SONARR & RADARR & LIDARR & READARR
SONARR --> SAB & QBIT
RADARR --> SAB & QBIT
LIDARR --> SAB & QBIT
READARR --> SAB & QBIT
USENET --> SAB
TORRENT --> QBIT
%% Storage flow
SAB --> MEDIA_TV & MEDIA_MOV & MEDIA_MUS & MEDIA_BOOK
QBIT --> MEDIA_TV & MEDIA_MOV & MEDIA_MUS & MEDIA_BOOK
BAZARR --> MEDIA_TV & MEDIA_MOV
%% Streaming flow
MEDIA_TV & MEDIA_MOV --> PLEX & JELLYFIN
MEDIA_MUS --> NAVIDROME
PLEX --> TAUTULLI
%% Client access
PLEX & JELLYFIN & NAVIDROME --> TV & PHONE & WEB & APPS
classDef acquisition fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef storage fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef streaming fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef client fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
class PROWLARR,SONARR,RADARR,LIDARR,READARR,BAZARR,SAB,QBIT acquisition
class MEDIA_TV,MEDIA_MOV,MEDIA_MUS,MEDIA_BOOK storage
class PLEX,JELLYFIN,NAVIDROME,TAUTULLI streaming
class TV,PHONE,WEB,APPS client
```
---
## 📊 Monitoring Stack Architecture
```mermaid
graph TB
subgraph Targets["🎯 Monitored Targets"]
subgraph Synology["Synology NAS"]
ATL_SNMP["Atlantis<br/>SNMP"]
CAL_SNMP["Calypso<br/>SNMP"]
SET_SNMP["Setillo<br/>SNMP"]
end
subgraph Hosts["Linux Hosts"]
NODE1["Homelab VM<br/>node_exporter"]
NODE2["Guava<br/>node_exporter"]
NODE3["Anubis<br/>node_exporter"]
end
subgraph Containers["Containers"]
CADV["cAdvisor<br/>Container Metrics"]
end
subgraph Network["Network"]
BLACK["Blackbox Exporter<br/>HTTP/ICMP Probes"]
end
end
subgraph Collection["📥 Metric Collection (Homelab VM)"]
PROM["Prometheus<br/>Time Series DB"]
SNMP_EXP["SNMP Exporter"]
end
subgraph Visualization["📈 Visualization"]
GRAFANA["Grafana<br/>Dashboards"]
end
subgraph Alerting["🚨 Alerting"]
ALERTMGR["Alertmanager"]
NTFY["ntfy<br/>Push Notifications"]
UPTIME["Uptime Kuma<br/>Status Page"]
end
%% Collection
ATL_SNMP & CAL_SNMP & SET_SNMP --> SNMP_EXP
SNMP_EXP --> PROM
NODE1 & NODE2 & NODE3 --> PROM
CADV --> PROM
BLACK --> PROM
%% Visualization
PROM --> GRAFANA
PROM --> ALERTMGR
ALERTMGR --> NTFY
%% Uptime Kuma separate
BLACK -.-> UPTIME
classDef target fill:#e67e22,stroke:#333,stroke-width:2px,color:#fff
classDef collection fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef viz fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef alert fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
class ATL_SNMP,CAL_SNMP,SET_SNMP,NODE1,NODE2,NODE3,CADV,BLACK target
class PROM,SNMP_EXP collection
class GRAFANA viz
class ALERTMGR,NTFY,UPTIME alert
```
---
## 🔐 Authentication & Security Stack
### Complete Authentication Architecture
```mermaid
graph TB
subgraph External["🌐 External Access"]
USERS["👤 Users"]
CLOUDFLARE["☁️ Cloudflare<br/>DNS/WAF/DDoS"]
end
subgraph Gateway["🚪 Gateway Layer (Atlantis)"]
NPM["🔀 Nginx Proxy Manager<br/>:81/:443<br/>Reverse Proxy + SSL"]
CFT["🚇 Cloudflare Tunnel<br/>Zero Trust Access"]
end
subgraph AuthLayer["🔐 Authentication Layer (Calypso)"]
AUTH_SRV["🔐 Authentik Server<br/>:9000"]
AUTH_PROXY["🛡️ Authentik Outpost<br/>:9444<br/>Forward Auth Proxy"]
AUTH_WRK["⚙️ Authentik Worker"]
AUTH_DB["🐘 PostgreSQL"]
AUTH_RED["🔴 Redis"]
end
subgraph VPN["🔒 VPN Layer"]
WIREGUARD["🔒 Wireguard<br/>Atlantis :51820"]
TAILSCALE["🔷 Tailscale<br/>100.x.x.x"]
HEADSCALE["🌐 Headscale<br/>Calypso :8080"]
end
subgraph DNS["🌐 DNS & Ad Blocking"]
PIHOLE["🕳️ Pi-hole<br/>Atlantis :53"]
ADGUARD1["🛡️ AdGuard<br/>Calypso :53"]
ADGUARD2["🛡️ AdGuard<br/>Setillo :53"]
end
subgraph SecVault["🔑 Secrets Management"]
VAULT["🔑 Vaultwarden<br/>vault.vish.gg"]
end
subgraph ProtectedServices["🛡️ Protected Services"]
GRAFANA["📊 Grafana"]
PAPERLESS["📄 Paperless"]
IMMICH["📸 Immich"]
FIREFLY["🔥 Firefly III"]
ACTUAL["💰 Actual Budget"]
GITEA["🔧 Gitea"]
end
subgraph PublicServices["🌍 Public/Self-Auth Services"]
PLEX["📺 Plex"]
SEAFILE["☁️ Seafile"]
OST["🚀 OpenSpeedTest"]
NTFY["📣 ntfy"]
end
%% External flow
USERS --> CLOUDFLARE
CLOUDFLARE --> NPM
CLOUDFLARE --> CFT
USERS --> TAILSCALE
%% NPM to Auth
NPM -->|"Forward Auth<br/>Header Check"| AUTH_PROXY
AUTH_PROXY -->|"Validate Session"| AUTH_SRV
%% Auth internal
AUTH_SRV --> AUTH_DB
AUTH_SRV --> AUTH_RED
AUTH_WRK --> AUTH_DB
AUTH_WRK --> AUTH_RED
%% Protected services via NPM + Auth
NPM -->|"✓ Authenticated"| ProtectedServices
%% Public services direct
NPM --> PublicServices
%% VPN access
TAILSCALE --> HEADSCALE
WIREGUARD --> ProtectedServices
TAILSCALE --> ProtectedServices
%% DNS
ADGUARD1 -.-> ProtectedServices
PIHOLE -.-> PublicServices
classDef external fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef gateway fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
classDef auth fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef dns fill:#1abc9c,stroke:#333,stroke-width:2px,color:#fff
classDef protected fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef public fill:#27ae60,stroke:#333,stroke-width:2px,color:#fff
class USERS,CLOUDFLARE external
class NPM,CFT gateway
class AUTH_SRV,AUTH_PROXY,AUTH_WRK,AUTH_DB,AUTH_RED,VAULT auth
class PIHOLE,ADGUARD1,ADGUARD2 dns
class GRAFANA,PAPERLESS,IMMICH,FIREFLY,ACTUAL,GITEA protected
class PLEX,SEAFILE,OST,NTFY public
```
---
### Authentik SSO Flow (Detailed)
```mermaid
sequenceDiagram
autonumber
participant U as 👤 User
participant CF as ☁️ Cloudflare
participant NPM as 🔀 NPM (Atlantis)
participant OUT as 🛡️ Outpost (Calypso)
participant AUTH as 🔐 Authentik (Calypso)
participant APP as 📱 Application
U->>CF: Request app.vish.gg
CF->>NPM: Forward (HTTPS)
NPM->>OUT: Forward Auth Request<br/>(/outpost.goauthentik.io/auth/nginx)
alt No Valid Session
OUT->>AUTH: Check Session
AUTH-->>OUT: No Session
OUT-->>NPM: 401 Unauthorized
NPM-->>U: Redirect to sso.vish.gg/flows/default-authentication/
U->>AUTH: Login Page
U->>AUTH: Submit Credentials + 2FA
AUTH->>AUTH: Validate
AUTH-->>U: Set Cookie + Redirect to app
U->>NPM: Retry with Session Cookie
NPM->>OUT: Forward Auth (with cookie)
end
OUT->>AUTH: Validate Session
AUTH-->>OUT: Valid ✓
OUT-->>NPM: 200 OK + Headers<br/>(X-authentik-username, X-authentik-email)
NPM->>APP: Proxy Request (with auth headers)
APP-->>U: Response
```
---
### NPM Proxy Host Configuration
```mermaid
graph TB
subgraph NPM["🔀 Nginx Proxy Manager (Atlantis :81)"]
subgraph ProxyHosts["Proxy Hosts"]
PH1["sso.vish.gg → Calypso:9000"]
PH2["git.vish.gg → Calypso:3000"]
PH3["docs.vish.gg → Atlantis:8088"]
PH4["photos.vish.gg → Calypso:2283"]
PH5["gf.vish.gg → Atlantis:3000"]
PH6["actual.vish.gg → Calypso:5006"]
PH7["ff.vish.gg → Calypso:8888"]
PH8["plex.vish.gg → Atlantis:32400"]
PH9["sf.vish.gg → Calypso:8092"]
PH10["ntfy.vish.gg → Homelab:7080"]
PH11["rackula.vish.gg → Calypso:4999"]
end
subgraph SSL["SSL Certificates"]
WILD["*.vish.gg<br/>Cloudflare DNS Challenge"]
end
subgraph AccessControl["Access Control"]
AUTH_LOC["Authentik Forward Auth<br/>Location: /outpost.goauthentik.io"]
end
end
subgraph Services["Backend Services"]
direction LR
S1["Authentik"]
S2["Gitea"]
S3["Paperless"]
S4["Immich"]
S5["Grafana"]
S6["Actual"]
S7["Firefly"]
S8["Plex"]
S9["Seafile"]
S10["ntfy"]
S11["Rackula"]
end
PH1 --> S1
PH2 --> S2
PH3 --> S3
PH4 --> S4
PH5 --> S5
PH6 --> S6
PH7 --> S7
PH8 --> S8
PH9 --> S9
PH10 --> S10
PH11 --> S11
```
---
### Services Protected by Authentik
| Domain | Service | Host | Auth Type | Notes |
|--------|---------|------|-----------|-------|
| `sso.vish.gg` | Authentik | Calypso | - | Identity Provider |
| `git.vish.gg` | Gitea | Calypso | OAuth2/OIDC | Source Control |
| `gf.vish.gg` | Grafana | Atlantis | OAuth2/OIDC | Monitoring |
| `docs.vish.gg` | Paperless-NGX | Atlantis | Forward Auth | Documents |
| `photos.vish.gg` | Immich | Calypso | Forward Auth | Photos |
| `actual.vish.gg` | Actual Budget | Calypso | Forward Auth | Finance |
| `ff.vish.gg` | Firefly III | Calypso | Forward Auth | Finance |
| `rackula.vish.gg` | Rackula | Calypso | Forward Auth | Rack Diagram |
### Services NOT Protected (Public/Self-Auth)
| Domain | Service | Host | Reason |
|--------|---------|------|--------|
| `plex.vish.gg` | Plex | Atlantis | Has Plex Auth |
| `sf.vish.gg` | Seafile | Calypso | Has built-in auth + share links |
| `ntfy.vish.gg` | ntfy | Homelab | Has built-in auth + public topics |
| `ost.vish.gg` | OpenSpeedTest | Calypso | Public utility |
---
### Authentik Forward Auth Setup (NPM)
To protect a service with Authentik Forward Auth in NPM:
1. **Create Provider in Authentik**:
- Type: Proxy Provider
- External Host: `https://app.vish.gg`
- Mode: Forward auth (single application)
2. **Create Application in Authentik**:
- Link to the provider
- Set policies for access control
3. **Create Outpost in Authentik**:
- Type: Proxy
- Include the application
4. **Configure NPM Proxy Host**:
```nginx
# Custom Nginx Configuration (Advanced tab)
# Authentik Forward Auth
location /outpost.goauthentik.io {
proxy_pass http://calypso.vish.local:9444/outpost.goauthentik.io;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location / {
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# Forward auth headers to application
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-email $authentik_email;
proxy_pass http://backend;
}
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
```
---
## 📝 ASCII Service Distribution by Host
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ SERVICE DISTRIBUTION BY HOST ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏛️ ATLANTIS (55 Services) - Primary Hub │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 📺 Media 📊 Monitoring 🔐 Security 🛠️ Infrastructure │
│ ───────────── ───────────── ───────────── ───────────────── │
│ • Plex • Grafana • Vaultwarden • Portainer │
│ • Jellyfin • Prometheus • Wireguard • Nginx Proxy Mgr │
│ • Immich • Uptime Kuma • Pi-hole • DokuWiki │
│ • Tautulli • SNMP Exporter • Dozzle │
│ • Arr Suite (7) • Blackbox Exp • Watchtower │
│ • Navidrome │
│ │
│ 💬 Communication 📝 Productivity 🎮 Other │
│ ───────────── ───────────── ───────────── │
│ • Matrix Synapse • Paperless-NGX • IT-Tools │
│ • Mastodon • Firefly III • Stirling PDF │
│ • Joplin Server • Documenso • YouTube DL │
│ • Netbox │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏢 CALYPSO (17 Services) - Development & Backup │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 💻 Development 💰 Finance 📦 Infrastructure 📸 Media │
│ ───────────── ───────────── ───────────── ───────────── │
│ • Gitea • Firefly III • APT-Cacher-NG • Immich (backup) │
│ • Reactive Resume • Actual Budget • Prometheus • Seafile │
│ • Rustdesk • Wireguard │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 💻 HOMELAB VM (36 Services) - Experimentation │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 🔗 URL Services 🎮 Gaming 📊 Monitoring 🔧 Utilities │
│ ───────────── ───────────── ───────────── ───────────── │
│ • Shlink • Satisfactory • Prometheus Hub • Archivebox │
│ • ntfy • Minecraft • node_exporter • WebCheck │
│ • Hoarder • L4D2 • Redlib │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🌐 CONCORD NUC (9 Services) - Edge/IoT │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 🏠 Home Automation 📺 Media 🎵 Music 🔧 Network │
│ ───────────── ───────────── ───────────── ───────────── │
│ • Home Assistant • Plex • YourSpotify • AdGuard Home │
│ • Matter Server • Invidious • Piped • Wireguard │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🤖 ANUBIS (8 Services) - AI/HPC (Mac Mini Ubuntu) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 🧠 AI/ML 📸 Photo 🔧 Development │
│ ───────────── ───────────── ───────────── │
│ • Ollama • PhotoPrism • Draw.io │
│ • ChatGPT UI • Archivebox • Element Web │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🌵 SETILLO (4 Services) - Tucson Remote │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ 📊 Monitoring 🌐 DNS │
│ ───────────── ───────────── │
│ • Prometheus • AdGuard Home │
│ • SNMP Exporter • Syncthing │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ SERVICE COUNT SUMMARY ║
║ ═════════════════════ ║
║ Atlantis: 55 services │ Calypso: 17 services ║
║ Homelab VM: 36 services │ Chicago VM: 8 services ║
║ Bulgaria VM: 12 services │ Concord NUC: 9 services ║
║ Anubis: 8 services │ Guava: 6 services ║
║ Setillo: 4 services │ RPi nodes: 2 services ║
║ Contabo: 1 service │ ║
║ ──────────────────────────────────────────────────────────────────────────────────────║
║ TOTAL: 176+ services across 13 hosts ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - How hosts connect
- [Storage Topology](storage-topology.md) - Where data lives
- [Tailscale Mesh](tailscale-mesh.md) - Cross-location access
---
## 💬 Communication Stack Architecture
```mermaid
graph TB
subgraph Internet["☁️ Internet / Federation"]
FEDI["Fediverse<br/>(ActivityPub)"]
MATRIX_FED["Matrix<br/>Federation"]
WEBRTC["WebRTC<br/>Voice/Video"]
end
subgraph Cloudflare["🛡️ Cloudflare"]
CF_PROXY["Cloudflare<br/>Proxy/WAF"]
CF_TUNNEL["Cloudflare<br/>Tunnel"]
end
subgraph MatrixUbuntuVM["🐧 Matrix-Ubuntu VM (Atlantis)"]
subgraph Mastodon["🐘 Mastodon Stack"]
MASTO_WEB["Mastodon Web<br/>:3000"]
MASTO_STREAM["Mastodon Streaming<br/>:4000"]
MASTO_SIDEKIQ["Sidekiq<br/>Background Jobs"]
end
subgraph Matrix["🔐 Matrix Stack"]
SYNAPSE["Synapse<br/>:8008 / :8018"]
ELEMENT["Element Web<br/>Client"]
COTURN["Coturn<br/>TURN Server<br/>:3478"]
end
subgraph Mattermost["💬 Mattermost"]
MM_APP["Mattermost<br/>:8065"]
end
subgraph SharedDB["🗄️ Shared Services"]
POSTGRES["PostgreSQL<br/>:5432"]
REDIS["Redis<br/>:6379"]
end
NGINX_VM["Nginx<br/>Reverse Proxy"]
end
subgraph Atlantis["🏛️ Atlantis NAS"]
subgraph JitsiStack["📹 Jitsi Meet"]
JITSI_WEB["Jitsi Web"]
JITSI_JVB["Jitsi Video Bridge"]
JITSI_PROSODY["Prosody XMPP"]
end
subgraph Vaultwarden["🔑 Vaultwarden"]
VW["Vaultwarden<br/>Password Manager"]
end
subgraph Joplin["📝 Joplin"]
JOPLIN_SRV["Joplin Server"]
end
end
subgraph Clients["📱 Clients"]
BROWSER["Web Browsers"]
MOBILE["Mobile Apps"]
DESKTOP["Desktop Apps"]
end
%% External connections
FEDI <--> CF_PROXY
MATRIX_FED <--> CF_PROXY
WEBRTC <--> COTURN
%% Cloudflare to services
CF_PROXY --> NGINX_VM
CF_TUNNEL --> NGINX_VM
%% Nginx routing
NGINX_VM --> MASTO_WEB & MASTO_STREAM
NGINX_VM --> SYNAPSE & ELEMENT
NGINX_VM --> MM_APP
%% Database connections
MASTO_WEB & MASTO_SIDEKIQ --> POSTGRES & REDIS
SYNAPSE --> POSTGRES
MM_APP --> POSTGRES
%% Client access
BROWSER & MOBILE & DESKTOP --> CF_PROXY
BROWSER & MOBILE & DESKTOP --> JITSI_WEB
BROWSER & MOBILE & DESKTOP --> VW
BROWSER & MOBILE & DESKTOP --> JOPLIN_SRV
classDef mastodon fill:#6364FF,stroke:#333,stroke-width:2px,color:#fff
classDef matrix fill:#0DBD8B,stroke:#333,stroke-width:2px,color:#fff
classDef mattermost fill:#0058CC,stroke:#333,stroke-width:2px,color:#fff
classDef infra fill:#e67e22,stroke:#333,stroke-width:2px,color:#fff
class MASTO_WEB,MASTO_STREAM,MASTO_SIDEKIQ mastodon
class SYNAPSE,ELEMENT,COTURN matrix
class MM_APP mattermost
class POSTGRES,REDIS,NGINX_VM infra
```
### Communication Services Summary
| Service | Domain | Protocol | Purpose |
|---------|--------|----------|---------|
| **Mastodon** | mastodon.vish.gg | ActivityPub | Fediverse microblogging |
| **Matrix (Primary)** | mx.vish.gg | Matrix | Federated chat |
| **Matrix (Legacy)** | matrix.thevish.io | Matrix | Legacy homeserver |
| **Mattermost** | mm.crista.love | Proprietary | Team collaboration |
| **Jitsi Meet** | meet.vish.gg | WebRTC | Video conferencing |
| **Joplin** | joplin.vish.gg | Joplin Sync | Note synchronization |
| **Vaultwarden** | vault.vish.gg | Bitwarden | Password management |
### Deployment Scripts
| Script | Location | Description |
|--------|----------|-------------|
| Mastodon Install | [mastodon-production/](../mastodon-production/) | Bare metal & Docker deployment |
| Matrix Install | [matrix-element/](../matrix-element/) | Synapse + Element + TURN |
| Mattermost Install | [mattermost-production/](../mattermost-production/) | Docker deployment |
| VM Config | [matrix-ubuntu-vm/](../matrix-ubuntu-vm/) | Complete VM configuration |
---
## 🔄 CI/CD Pipeline Architecture
### Git Repository Mirroring
The homelab repository uses Gitea Actions for automated CI/CD, including sanitized public mirroring.
```mermaid
graph LR
subgraph Development["💻 Development"]
DEV["Developer<br/>Pushes Code"]
end
subgraph Gitea["🔧 Gitea (Calypso)"]
PRIVATE["🔒 Private Repo<br/>homelab"]
PUBLIC["🌐 Public Repo<br/>homelab-optimized"]
RUNNER["🏃 Gitea Runner<br/>(Calypso)"]
end
subgraph Workflow["⚙️ CI/CD Workflow"]
CHECKOUT["📥 Checkout Code"]
SANITIZE["🧹 Sanitize<br/>Remove Secrets"]
PUSH["📤 Force Push<br/>Fresh History"]
end
subgraph Deployment["🚀 Deployment"]
ANSIBLE["📋 Ansible<br/>164 Services"]
PORTAINER["🐳 Portainer<br/>5 Endpoints"]
end
DEV -->|"git push"| PRIVATE
PRIVATE -->|"Triggers"| RUNNER
RUNNER --> CHECKOUT
CHECKOUT --> SANITIZE
SANITIZE --> PUSH
PUSH --> PUBLIC
PRIVATE --> ANSIBLE
ANSIBLE --> PORTAINER
```
### Sanitization Process
The sanitization script removes sensitive data before public mirroring:
| Removed | Pattern | Example |
|---------|---------|---------|
| Passwords | `password:`, `PASS=` | `password: "REDACTED_PASSWORD" |
| API Keys | `api_key:`, `API_KEY=` | `api_key: REDACTED_API_KEY` |
| Tokens | `token:`, `TOKEN=` | `token: REDACTED_TOKEN` |
| Secrets | `secret:`, `SECRET=` | `secret: REDACTED_SECRET` |
| Private Keys | `-----BEGIN.*KEY-----` | File removed |
| SSH Keys | `id_rsa`, `id_ed25519` | File removed |
| Personal Emails | `*@gmail.com`, `*@*.com` | `REDACTED_EMAIL@example.com` |
| JWT Secrets | `JWT_SECRET=` | `JWT_SECRET=REDACTED` |
### Gitea Runner Setup
```mermaid
graph TB
subgraph Calypso["🌊 Calypso (DS920+)"]
GITEA["🔧 Gitea Server<br/>:3000"]
RUNNER["🏃 Gitea Runner<br/>act_runner:latest"]
DOCKER["🐳 Docker Socket"]
end
GITEA -->|"Workflow Dispatch"| RUNNER
RUNNER -->|"docker.sock"| DOCKER
DOCKER -->|"Spawn Containers"| RUNNER
```
**Runner Configuration:**
- Image: `gitea/act_runner:latest`
- Labels: `ubuntu-latest`, `ubuntu-22.04`, `python`
- Location: Portainer stack on Calypso
- Trigger: Push to main branch
### Ansible Automation
```mermaid
graph TB
subgraph Control["📋 Ansible Control"]
SITE["site.yml<br/>Master Playbook"]
INV["inventory.yml<br/>13 Hosts"]
ROLES["Roles<br/>docker_stack, directory_setup"]
end
subgraph Hosts["🖥️ Target Hosts"]
SYN["Synology<br/>Atlantis, Calypso, Setillo"]
VMS["VMs<br/>Homelab, Chicago, Bulgaria"]
PHYS["Physical<br/>Guava, NUC, Anubis"]
EDGE["Edge<br/>RPi5"]
end
SITE --> INV
INV --> SYN
INV --> VMS
INV --> PHYS
INV --> EDGE
```
**Ansible Commands:**
```bash
# Deploy everything
ansible-playbook site.yml
# Deploy to specific host
ansible-playbook site.yml --limit atlantis
# Deploy by category
ansible-playbook site.yml --tags synology
# Check status
ansible-playbook playbooks/common/status.yml
```
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - How hosts connect
- [Storage Topology](storage-topology.md) - Where data lives
- [Tailscale Mesh](tailscale-mesh.md) - Cross-location access

302
docs/diagrams/storage-topology.md Normal file
View File

@@ -0,0 +1,302 @@
# 💾 Storage Topology
## Overview
This document details the storage architecture across the NAS cluster, including capacity, RAID configurations, and backup flows.
---
## 📊 Storage Overview (Mermaid)
```mermaid
graph TB
subgraph Concord["🏠 Concord, CA - Primary Storage"]
subgraph Atlantis["🏛️ Atlantis (DS1823xs+)"]
ATL_VOL1["Volume 1 (Encrypted)<br/>128TB Raw / 84TB Usable<br/>8x 16TB IronWolf Pro<br/>RAID 6 - 31TB Used (37%)"]
ATL_VOL2["Volume 2 (NVMe)<br/>885GB - 176GB Used<br/>RAID 1"]
ATL_CACHE["NVMe Cache<br/>4x NVMe SSDs"]
ATL_DOCKER["/volume1/docker<br/>Container Data"]
ATL_MEDIA["/volume1/media<br/>Movies, TV, Music"]
ATL_PHOTOS["/volume2/photo<br/>Synology Photos"]
ATL_DOCS["/volume1/documents<br/>Paperless-NGX"]
ATL_BACKUP["/volume1/backups<br/>System Backups"]
end
subgraph Calypso["🏢 Calypso (DS723+)"]
CAL_VOL1["Volume 1 (Encrypted)<br/>24TB Raw / 11TB Usable<br/>2x 12TB IronWolf Pro<br/>RAID 1 - 4.5TB Used (43%)"]
CAL_CACHE["NVMe Cache<br/>2x 500GB Crucial P3 Plus<br/>RAID 1"]
CAL_DOCKER["/volume1/docker<br/>Container Data"]
CAL_DATA["/volume1/data<br/>Dev Files"]
CAL_BACKUP["/volume1/backups<br/>Atlantis Backups"]
end
subgraph Guava["💻 Guava (TrueNAS Scale)"]
GUA_BOOT["boot-pool<br/>500GB NVMe<br/>447GB Avail"]
GUA_DATA["data (ZFS Mirror)<br/>2x 4TB WD Blue SSD<br/>3.62TB - 1.59TB Avail<br/>1.71x Dedup"]
GUA_JELLY["/mnt/data/jellyfin<br/>145GB Media"]
GUA_PHOTOS["/mnt/data/photos<br/>158GB Photos"]
GUA_LLAMA["/mnt/data/llama<br/>58.7GB LLM Models"]
end
end
subgraph Tucson["🌵 Tucson, AZ - Remote Storage"]
subgraph Setillo["🏛️ Setillo (DS223j)"]
SET_VOL1["Volume 1<br/>20TB Raw / 8.9TB Usable<br/>2x 10TB WD Gold<br/>SHR-1 - 4.0TB Used (46%)"]
SET_DOCKER["/volume1/docker<br/>Container Data"]
SET_SYNC["/volume1/syncthing<br/>Syncthing Data"]
SET_BACKUP["/volume1/backups<br/>Remote Backups"]
SET_PLEX["/volume1/PlexMediaServer<br/>Plex Data"]
end
end
%% Backup flows
ATL_MEDIA -->|"Hyper Backup<br/>(Weekly)"| CAL_BACKUP
ATL_PHOTOS -->|"Hyper Backup<br/>(Daily)"| CAL_BACKUP
ATL_DOCS -->|"Hyper Backup<br/>(Daily)"| CAL_BACKUP
ATL_DOCKER -->|"Syncthing<br/>(Real-time)"| SET_SYNC
CAL_DOCKER -->|"Syncthing<br/>(Real-time)"| SET_SYNC
%% Cache acceleration
ATL_CACHE -.->|"Accelerates"| ATL_VOL1
CAL_CACHE -.->|"Accelerates"| CAL_VOL1
classDef primary fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef secondary fill:#2ecc71,stroke:#333,stroke-width:2px,color:#fff
classDef remote fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef cache fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
classDef folder fill:#ecf0f1,stroke:#333,stroke-width:1px,color:#333
class ATL_VOL1 primary
class CAL_VOL1 secondary
class SET_VOL1 remote
class ATL_CACHE,CAL_CACHE cache
class ATL_DOCKER,ATL_MEDIA,ATL_PHOTOS,ATL_DOCS,ATL_BACKUP,CAL_DOCKER,CAL_APT,CAL_BACKUP,SET_SYNC folder
```
---
## 📝 ASCII Storage Layout
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ STORAGE TOPOLOGY ║
║ 3 NAS Units • 152TB Raw • Cross-Location Backup ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏛️ ATLANTIS - Primary Storage (Concord, CA) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ Model: Synology DS1823xs+ (8-Bay Enterprise) │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ STORAGE POOL 1 │ │
│ │ ═══════════════ │ │
│ │ │ │
│ │ Drive Configuration: │ │
│ │ ┌──────┬──────┬──────┬──────┬──────┬──────┬──────┬──────┐ │ │
│ │ │ Bay1 │ Bay2 │ Bay3 │ Bay4 │ Bay5 │ Bay6 │ Bay7 │ Bay8 │ │ │
│ │ │ 16TB │ 16TB │ 16TB │ 16TB │ 16TB │ 16TB │ 16TB │ 16TB │ │ │
│ │ │IronWf│IronWf│IronWf│IronWf│IronWf│IronWf│IronWf│IronWf│ │ │
│ │ │ Pro │ Pro │ Pro │ Pro │ Pro │ Pro │ Pro │ Pro │ │ │
│ │ └──────┴──────┴──────┴──────┴──────┴──────┴──────┴──────┘ │ │
│ │ │ │
│ │ Raw Capacity: 128 TB │ │
│ │ RAID Type: SHR-2 (2-drive fault tolerance) │ │
│ │ Usable: ~96 TB │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ NVMe CACHE (M.2 Slots) │ │
│ │ ═══════════════════════ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ M.2 Slot 1 │ │ M.2 Slot 2 │ │ │
│ │ │ WD Black SN750 │ │ WD Black SN750 │ │ │
│ │ │ 480GB NVMe │ │ 480GB NVMe │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ Cache Type: Read-Write Cache Hit: ~99% │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ FOLDER STRUCTURE │ │
│ │ ════════════════ │ │
│ │ │ │
│ │ /volume1/ │ │
│ │ ├── docker/ (~2 TB) Container persistent data │ │
│ │ │ ├── plex/ Plex metadata & transcodes │ │
│ │ │ ├── immich/ Photo library database │ │
│ │ │ ├── paperless/ Document database │ │
│ │ │ ├── grafana/ Dashboards & config │ │
│ │ │ ├── prometheus/ Metrics database │ │
│ │ │ └── ... (50+ services) │ │
│ │ │ │ │
│ │ ├── media/ (~60 TB) Media library │ │
│ │ │ ├── movies/ 4K & HD movies │ │
│ │ │ ├── tv/ TV series │ │
│ │ │ ├── music/ Music library │ │
│ │ │ └── books/ eBooks & audiobooks │ │
│ │ │ │ │
│ │ ├── photos/ (~5 TB) Immich photo library │ │
│ │ │ ├── library/ Original photos │ │
│ │ │ ├── thumbs/ Thumbnails │ │
│ │ │ └── encoded/ Transcoded videos │ │
│ │ │ │ │
│ │ ├── documents/ (~500 GB) Paperless-NGX documents │ │
│ │ │ ├── consume/ Incoming documents │ │
│ │ │ ├── archive/ Processed documents │ │
│ │ │ └── export/ Exported documents │ │
│ │ │ │ │
│ │ ├── backups/ (~10 TB) Local backup storage │ │
│ │ │ ├── hyper-backup/ Synology backups │ │
│ │ │ ├── time-machine/ Mac backups │ │
│ │ │ └── manual/ Manual backups │ │
│ │ │ │ │
│ │ └── archive/ (~15 TB) Long-term cold storage │ │
│ │ ├── old-projects/ │ │
│ │ └── raw-footage/ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏢 CALYPSO - Secondary Storage (Concord, CA) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ Model: Synology DS723+ (2-Bay Plus) │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ STORAGE POOL 1 │ │
│ │ ═══════════════ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ Bay 1 │ │ Bay 2 │ │ │
│ │ │ Seagate 12TB │ │ Seagate 12TB │ │ │
│ │ │ IronWolf Pro │ │ IronWolf Pro │ │ │
│ │ │ ST12000VN0008 │ │ ST12000VN0008 │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ │ │
│ │ Raw Capacity: 24 TB │ │
│ │ RAID Type: SHR-1 (1-drive fault tolerance) │ │
│ │ Usable: ~10.9 TB │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ NVMe CACHE │ │
│ │ ═══════════ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ Micron P3 │ │ Micron P3 │ │ │
│ │ │ 500GB NVMe │ │ 500GB NVMe │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ Cache: 465GB allocated (RAID 1) Hit Rate: 99% │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ FOLDER STRUCTURE │ │
│ │ ════════════════ │ │
│ │ /volume1/ │ │
│ │ ├── docker/ (~500 GB) Container data (17 services) │ │
│ │ ├── apt-cache/ (~50 GB) Debian package cache │ │
│ │ ├── backups/ (~8 TB) Atlantis backup destination │ │
│ │ │ ├── hyper-backup/ Encrypted backups from Atlantis │ │
│ │ │ └── active-backup/ PC/Server backups │ │
│ │ └── dev/ (~200 GB) Development files │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────────────────────────────┐
│ 🌵 SETILLO - Remote Storage (Tucson, AZ) │
│ ═══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ Model: Synology DS223j (2-Bay Value) │
│ CPU: ARM Cortex-A55 Quad-Core (Realtek RTD1619B) │
│ RAM: 1GB DDR4 │
│ DSM: 7.3.2-86009 Update 1 │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ STORAGE POOL 1 │ │
│ │ ═══════════════ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ │ │
│ │ │ Bay 1 │ │ Bay 2 │ │ │
│ │ │ WD Gold 10TB │ │ WD Gold 10TB │ │ │
│ │ │ WD102KRYZ │ │ WD102KRYZ │ │ │
│ │ │ Temp: 38-40°C │ │ Temp: 42-45°C │ │ │
│ │ └──────────────────┘ └──────────────────┘ │ │
│ │ │ │
│ │ Raw Capacity: 20 TB │ │
│ │ RAID Type: SHR-1 (1-drive fault tolerance) │ │
│ │ Usable: ~8.9 TB │ │
│ │ Used: ~4.0 TB (46%) │ │
│ │ Available: ~4.8 TB │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ FOLDER STRUCTURE │ │
│ │ ════════════════ │ │
│ │ /volume1/ │ │
│ │ ├── docker/ Container data │ │
│ │ ├── syncthing/ Syncthing real-time replication │ │
│ │ ├── backups/ Remote backup destination │ │
│ │ ├── PlexMediaServer/ Plex media data │ │
│ │ ├── NetBackup/ Network backup storage │ │
│ │ ├── surveillance/ Surveillance Station recordings │ │
│ │ └── homes/ User home directories │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ Installed Packages: REDACTED_APP_PASSWORD, Syncthing, Tailscale, PlexMediaServer, │
│ HyperBackup, SurveillanceStation, Git, WebDAVServer │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ BACKUP STRATEGY ║
║ ═══════════════ ║
║ ║
║ ┌─────────────────┐ Weekly ┌─────────────────┐ ║
║ │ ATLANTIS │ ───────────────► │ CALYPSO │ (Hyper Backup, encrypted) ║
║ │ (Primary Data) │ │ (Local Backup) │ ║
║ └─────────────────┘ └─────────────────┘ ║
║ │ │ ║
║ │ Real-time (Syncthing) │ ║
║ ▼ ▼ ║
║ ┌─────────────────────────────────────────────────────────────────────────┐ ║
║ │ SETILLO (Tucson - Off-site) │ ║
║ │ Geographic redundancy, 1000+ miles away │ ║
║ └─────────────────────────────────────────────────────────────────────────┘ ║
║ ║
║ 3-2-1 Backup Rule: ║
║ • 3 copies of data (Atlantis + Calypso + Setillo) ║
║ • 2 different storage types (NAS + NAS w/different RAID) ║
║ • 1 off-site location (Tucson) ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 📊 Storage Capacity Summary (Verified Feb 2025)
| System | Raw Capacity | Usable | Used | RAID | Drives | Location |
|--------|--------------|--------|------|------|--------|----------|
| Atlantis Vol1 | 128 TB | ~84 TB | 31TB (37%) | RAID 6 | 8x 16TB IronWolf Pro | Concord |
| Atlantis Vol2 | 0.9 TB | 0.9 TB | 176GB (20%) | RAID 1 | 2x NVMe | Concord |
| Calypso | 24 TB | ~11 TB | 4.5TB (43%) | RAID 1 | 2x 12TB IronWolf Pro | Concord |
| Guava | 8 TB | 3.6 TB | 2.0TB (56%) | ZFS Mirror | 2x 4TB WD Blue SSD | Concord |
| Setillo | 20 TB | ~8.9 TB | 4.0TB (46%) | SHR-1 | 2x 10TB WD Gold | Tucson |
| **Total** | **~181 TB** | **~108 TB** | **~42TB** | - | **16 drives** | - |
---
## 🔗 Related Diagrams
- [10GbE Backbone](10gbe-backbone.md) - High-speed network for storage
- [Service Architecture](service-architecture.md) - What uses this storage
- [Network Topology](network-topology.md) - How storage is accessed

311
docs/diagrams/tailscale-mesh.md Normal file
View File

@@ -0,0 +1,311 @@
# 🔗 Tailscale Mesh Network
## Overview
All homelab locations are connected via Tailscale, creating a secure mesh VPN that allows seamless access between sites regardless of NAT or firewall configurations.
**Total Devices: 31 Tailscale nodes** across 4 physical locations + cloud + mobile devices.
---
## 📊 Complete Device Inventory
### 🟢 Active / Exit Nodes
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **atlantis** | 100.83.230.112 | Synology NAS | Concord | ⚡ Exit node, Primary NAS |
| **calypso** | 100.103.48.78 | Synology NAS | Concord | ⚡ Exit node |
| **setillo** | 100.125.0.20 | Synology NAS | Tucson | ⚡ Exit node, Off-site backup |
| **seattle** | 100.82.197.124 | Cloud VPS | Seattle | ⚡ Exit node, Contabo |
| **vish-concord-nuc** | 100.72.55.21 | Intel NUC | Concord (Backup ISP) | ⚡ Exit node |
| **homeassistant** | 100.112.186.90 | HA Device | Concord | ⚡ Exit node |
### 🖥️ Servers & VMs
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **homelab** | 100.67.40.126 | Proxmox VM | Concord | Main experimentation VM |
| **matrix-ubuntu** | 100.85.21.51 | Atlantis VM | Concord | Mastodon, Matrix, Mattermost |
| **pve** | 100.87.12.28 | Proxmox Host | Concord | VM hypervisor |
| **guava** | 100.75.252.64 | Physical | Concord | 10GbE host |
| **jellyfish** | 100.69.121.120 | Linux | Concord | Server |
| **shinku-ryuu** | 100.98.93.15 | Windows | Concord | Desktop workstation |
### 📡 Network Devices
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **gl-mt3000** | 100.126.243.15 | GL.iNet Router | Honolulu | Travel router |
| **gl-be3600** | 100.105.59.123 | GL.iNet Router | Honolulu | Backup router |
### 🥧 Raspberry Pi
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **pi-5** | 100.77.151.40 | RPi 5 | Concord | Edge device |
| **pi-5-kevin** | 100.123.246.75 | RPi 5 | Concord (Backup ISP) | Edge device |
### 📱 Mobile Devices
| Device | Tailscale IP | Type | Status |
|--------|--------------|------|--------|
| **iphone16** | 100.79.252.108 | iOS | Personal phone |
| **google-pixel-10-pro** | 100.122.119.40 | Android | Pixel phone |
| **ipad-pro-12-9-6th-gen** | 100.68.71.48 | iOS | iPad Pro |
| **samsung-sm-x510** | 100.72.118.117 | Android | Samsung tablet |
### 💻 Laptops & PCs
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **bluecrownpassionflower** | 100.110.25.127 | Linux | Honolulu | Partner's PC |
| **mah-pc** | 100.121.22.51 | Windows | Honolulu | Partner's PC |
| **kevinlaptop** | 100.89.160.65 | Windows | Mobile | Kevin's laptop |
| **uqiyoe** | 100.124.91.52 | Windows | Mobile | Laptop |
### 💤 Offline / Legacy
| Device | Tailscale IP | Type | Last Seen | Notes |
|--------|--------------|------|-----------|-------|
| **mastodon-rocky** | 100.111.200.21 | Linux | 2d ago | Legacy Mastodon |
| **vish-mint** | 100.115.169.43 | Linux | 49d ago | Linux Mint |
| **vishdebian** | 100.86.60.62 | Linux | 55d ago | Debian VM |
| **rocky9-playground** | 100.105.250.128 | Linux | 59d ago | Test VM |
| **nvidia-shield-android-tv** | 100.89.79.99 | Android | 127d ago | Shield TV |
| **sd** | 100.83.141.1 | Linux | 16d ago | Unknown |
| **glkvm** | 100.64.137.1 | Linux | 85d ago | KVM device |
---
## 🕸️ Mesh Topology (Mermaid)
```mermaid
graph TB
subgraph Tailscale["🔐 Tailscale Mesh Network (31 Devices)"]
subgraph Concord_Primary["🏠 Concord Primary - 25Gbps Fiber"]
subgraph NAS_Cluster["📦 NAS + VMs"]
A_ATL["🗄️ atlantis<br/>100.83.230.112<br/>⚡ EXIT NODE"]
A_MATRIX["🐧 matrix-ubuntu<br/>100.85.21.51<br/>VM on Atlantis"]
end
A_CAL["🗄️ calypso<br/>100.103.48.78<br/>⚡ EXIT NODE"]
A_GUAVA["💻 guava<br/>100.75.252.64"]
A_DESKTOP["🖥️ shinku-ryuu<br/>100.98.93.15"]
A_PVE["🖥️ pve<br/>100.87.12.28"]
A_JELLY["🐟 jellyfish<br/>100.69.121.120"]
A_HA["🏠 homeassistant<br/>100.112.186.90<br/>⚡ EXIT NODE"]
A_PI["🥧 pi-5<br/>100.77.151.40"]
subgraph Proxmox_VMs["Proxmox VMs"]
A_HLB["homelab<br/>100.67.40.126"]
end
end
subgraph Concord_Backup["🏠 Concord Backup - 2Gbps"]
B_NUC["🖥️ vish-concord-nuc<br/>100.72.55.21<br/>⚡ EXIT NODE"]
B_PI_K["🥧 pi-5-kevin<br/>100.123.246.75"]
end
subgraph Tucson["🌵 Tucson, AZ"]
T_SET["🗄️ setillo<br/>100.125.0.20<br/>⚡ EXIT NODE"]
end
subgraph Honolulu["🌺 Honolulu, HI"]
H_GL["📡 gl-mt3000<br/>100.126.243.15"]
H_GL2["📡 gl-be3600<br/>100.105.59.123"]
H_BCPF["💻 bluecrownpassionflower<br/>100.110.25.127"]
H_MAH["💻 mah-pc<br/>100.121.22.51"]
end
subgraph Seattle["🌲 Seattle (Cloud)"]
S_SEA["☁️ seattle<br/>100.82.197.124<br/>⚡ EXIT NODE"]
end
subgraph Mobile["📱 Mobile Devices"]
M_IPHONE["📱 iphone16"]
M_PIXEL["📱 pixel-10-pro"]
M_IPAD["📱 ipad-pro"]
M_TAB["📱 samsung-tablet"]
M_KLAP["💻 kevinlaptop"]
end
end
%% VM relationships
A_ATL -->|"Hosts VM"| A_MATRIX
A_PVE -->|"Hosts VM"| A_HLB
%% Primary mesh connections
A_ATL <-->|"10GbE LAN"| A_CAL
A_ATL <-->|"10GbE LAN"| A_GUAVA
A_ATL <-->|"10GbE LAN"| A_DESKTOP
%% Cross-location Tailscale
A_ATL <-.->|"Tailscale"| T_SET
A_ATL <-.->|"Tailscale"| S_SEA
A_ATL <-.->|"Tailscale"| H_GL
A_ATL <-.->|"Tailscale"| B_NUC
%% Honolulu local
H_GL <-->|"LAN"| H_BCPF
H_GL <-->|"LAN"| H_MAH
classDef nas fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
classDef exit fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
classDef compute fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
classDef mobile fill:#1abc9c,stroke:#333,stroke-width:2px,color:#fff
classDef network fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
class A_ATL,A_CAL,T_SET nas
class S_SEA,B_NUC,A_HA exit
class A_GUAVA,A_DESKTOP,A_PVE,A_HLB,A_MATRIX,A_JELLY compute
class M_IPHONE,M_PIXEL,M_IPAD,M_TAB,M_KLAP mobile
class H_GL,H_GL2 network
```
---
## 📝 ASCII Tailscale Network Map
```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║ TAILSCALE MESH NETWORK - 31 DEVICES ║
║ 6 Exit Nodes • 4 Locations • Full Mesh Connectivity ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝
┌─────────────────┐
│ TAILSCALE │
│ COORDINATION │
│ (DERP Relays) │
└────────┬────────┘
┌───────────────────────────────────────┼───────────────────────────────────────┐
│ │ │
▼ ▼ ▼
┌────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏠 CONCORD, CA - PRIMARY (25Gbps Fiber) │
│ ══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 10GbE BACKBONE (TP-Link TL-SX1008) │ │
│ │ ────────────────────────────────────────────────────────────────────────────── │ │
│ │ │ │
│ │ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │ │
│ │ │ ⚡ ATLANTIS │ │ ⚡ CALYPSO │ │ GUAVA │ │ │
│ │ │ 100.83.230.112 │ │ 100.103.48.78 │ │ 100.75.252.64 │ │ │
│ │ │ DS1823xs+ │ │ DS723+ │ │ Physical Host │ │ │
│ │ │ EXIT NODE │ │ EXIT NODE │ │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ │ ┌─────────────┐ │ │ │ │ │ │ │
│ │ │ │matrix-ubuntu│ │ │ │ │ │ │ │
│ │ │ │100.85.21.51 │ │ │ │ │ │ │ │
│ │ │ │Mastodon/ │ │ │ │ │ │ │ │
│ │ │ │Matrix/MM │ │ │ │ │ │ │ │
│ │ │ └─────────────┘ │ │ │ │ │ │ │
│ │ └─────────────────┘ └─────────────────┘ └─────────────────┘ │ │
│ │ │ │
│ │ ┌─────────────────┐ │ │
│ │ │ SHINKU-RYUU │ Desktop Workstation │ │
│ │ │ 100.98.93.15 │ │ │
│ │ └─────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 2.5GbE / 1GbE DEVICES │ │
│ │ ────────────────────────────────────────────────────────────────────────────── │ │
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌────────────┐ │ │
│ │ │ PVE │ │ JELLYFISH │ │⚡HOMEASSIST │ │ PI-5 │ │ HOMELAB VM │ │ │
│ │ │100.87.12.28 │ │100.69.121.120│ │100.112.186.90│ │100.77.151.40│ │100.67.40.126│ │ │
│ │ │ Proxmox │ │ Server │ │ EXIT NODE │ │ RPi 5 │ │ (on PVE) │ │ │
│ │ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ └────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────────┐
│ 🏠 CONCORD BACKUP ISP (2Gbps/500Mbps) │
│ ══════════════════════════════════════════════════════════════════════════════════════│
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ ⚡ VISH-CONCORD-NUC │ │ PI-5-KEVIN │ │
│ │ 100.72.55.21 │ │ 100.123.246.75 │ │
│ │ Intel NUC │ │ RPi 5 │ │
│ │ EXIT NODE │ │ │ │
│ └─────────────────────┘ └─────────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────────────┘
◄─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ TAILSCALE MESH ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─►
┌───────────────────────────┐ ┌───────────────────────────┐ ┌───────────────────────────┐
│ 🌵 TUCSON, AZ │ │ 🌺 HONOLULU, HI │ │ 🌲 SEATTLE (CLOUD) │
│ ═════════════════════════│ │ ═════════════════════════│ │ ═════════════════════════│
│ │ │ │ │ │
│ ┌─────────────────────┐ │ │ ┌─────────────────────┐ │ │ ┌─────────────────────┐ │
│ │ ⚡ SETILLO │ │ │ │ GL-MT3000 │ │ │ │ ⚡ SEATTLE │ │
│ │ 100.125.0.20 │ │ │ │ 100.126.243.15 │ │ │ │ 100.82.197.124 │ │
│ │ Synology NAS │ │ │ │ Travel Router │ │ │ │ Contabo VPS │ │
│ │ EXIT NODE │ │ │ └─────────────────────┘ │ │ │ EXIT NODE │ │
│ │ Off-site Backup │ │ │ ┌─────────────────────┐ │ │ └─────────────────────┘ │
│ └─────────────────────┘ │ │ │ GL-BE3600 │ │ │ │
│ │ │ │ 100.105.59.123 │ │ └───────────────────────────┘
│ │ │ └─────────────────────┘ │
│ │ │ ┌─────────────────────┐ │
│ │ │ │ bluecrownpassion... │ │
│ │ │ │ 100.110.25.127 │ │
│ │ │ │ Partner's PC │ │
│ │ │ └─────────────────────┘ │
│ │ │ ┌─────────────────────┐ │
│ │ │ │ mah-pc │ │
│ │ │ │ 100.121.22.51 │ │
│ │ │ └─────────────────────┘ │
└───────────────────────────┘ └───────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────────┐
│ 📱 MOBILE DEVICES │
│ ══════════════════════════════════════════════════════════════════════════════════════│
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ 📱 iphone16 │ │ 📱 pixel-10 │ │ 📱 ipad-pro │ │ 📱 samsung │ │ 💻 kevinlap │ │
│ │100.79.252.108│ │100.122.119.40│ │100.68.71.48 │ │100.72.118.117│ │100.89.160.65 │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
└────────────────────────────────────────────────────────────────────────────────────────┘
╔════════════════════════════════════════════════════════════════════════════════════════╗
║ EXIT NODE SUMMARY (6 Total) ║
║ ══════════════════════════ ║
║ • atlantis (100.83.230.112) - Primary exit, Concord 25Gbps ║
║ • calypso (100.103.48.78) - Secondary exit, Concord 25Gbps ║
║ • setillo (100.125.0.20) - Tucson exit, Off-site ║
║ • seattle (100.82.197.124) - Cloud exit, Contabo Seattle ║
║ • vish-concord-nuc (100.72.55.21)- Backup ISP exit, Concord 2Gbps ║
║ • homeassistant (100.112.186.90) - Home automation exit ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```
---
## 🖥️ Matrix-Ubuntu VM Details
This VM runs on **Atlantis** (Synology DS1823xs+ via Virtual Machine Manager):
| Specification | Value |
|---------------|-------|
| **Hostname** | matrix-ubuntu |
| **Tailscale IP** | 100.85.21.51 |
| **LAN IP** | 192.168.0.154 |
| **OS** | Ubuntu 24.04.3 LTS |
| **CPU** | 4 cores (AMD Ryzen Embedded V1780B) |
| **RAM** | 8GB (7.7GB usable) |
| **Storage** | 100GB (87GB available) |
| **SSH Port** | 65533 |
### Services Running
| Service | Domain | Status |
|---------|--------|--------|
| Mastodon | mastodon.vish.gg | ✅ Running |
| Mattermost | mm.crista.love | ✅ Running |
| Matrix (Synapse) | mx.vish.gg | ✅ Running |
| PostgreSQL | - | ✅ Running |
| Redis | - | ✅ Running |
| TURN (coturn) | mx.vish.gg:3479 | ✅ Running |
---
## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - Physical network layout
- [Service Architecture](service-architecture.md) - How services connect
- [Location Overview](location-overview.md) - Geographic distribution