Sanitized mirror from private repository - 2026-04-18 11:19:59 UTC

This commit is contained in:
Gitea Mirror Bot
2026-04-18 11:19:59 +00:00
commit fb00a325d1
1418 changed files with 359990 additions and 0 deletions

@@ -0,0 +1,519 @@
# 🔌 Port Forwarding Configuration
**🟡 Intermediate Infrastructure Guide**
This document details the current port forwarding configuration on the TP-Link Archer BE800 router, enabling external access to specific homelab services with automatic DDNS updates every 5 minutes.
> **🌐 Automatic Domain Updates**
> All domains are automatically updated via Cloudflare DDNS every 5 minutes, eliminating the need for manual IP management.
## 🔧 Current Port Forwarding Rules
Based on the TP-Link Archer BE800 router configuration:
### 📊 Active Port Forwards Summary
| Service Name | Device IP | External Port | Internal Port | Protocol | Domain Access |
|--------------|-----------|---------------|---------------|----------|---------------|
| **jitsi3** | 192.168.0.200 | 4443 | 4443 | TCP | meet.thevish.io:4443 |
| **stun3** | 192.168.0.200 | 5349 | 5349 | All | meet.thevish.io:5349 |
| **stun2** | 192.168.0.200 | 49160-49200 | 49160-49200 | All | meet.thevish.io (RTP) |
| **stun1** | 192.168.0.200 | 3478 | 3478 | All | meet.thevish.io:3478 |
| **gitea** | 192.168.0.250 | 2222 | 2222 | All | git.vish.gg:2222 |
| **portainer2** | 192.168.0.200 | 8000 | 8000 | All | pw.vish.gg:8000 |
| **portainer2** | 192.168.0.200 | 9443 | 9443 | All | pw.vish.gg:9443 |
| **portainer2** | 192.168.0.200 | 10000 | 10000 | All | pw.vish.gg:10000 |
| **Https** | 192.168.0.250 | 443 | 443 | All | vish.gg:443 |
| **HTTP** | 192.168.0.250 | 80 | 80 | All | vish.gg:80 |
## 🎯 Service Dependencies & External Access
### 🎥 Jitsi Meet Video Conferencing (192.168.0.200 - Atlantis)
#### External Access URLs
```
https://meet.thevish.io:4443 # Primary Jitsi Meet web interface
https://meet.vish.gg:4443 # Alternative domain access
```
#### Required Port Configuration
| Port | Protocol | Purpose | Critical |
|------|----------|---------|----------|
| 4443 | TCP | HTTPS web interface | ✅ Essential |
| 5349 | All | TURN server for NAT traversal | ✅ Essential |
| 3478 | All | STUN server for peer discovery | ✅ Essential |
| 49160-49200 | All | RTP media streams (40 port range) | ✅ Essential |
#### Service Dependencies
```
# WebRTC Media Flow
Internet → Router:4443 → Atlantis:5443 → jitsi-web:443
Internet → Router:3478 → Atlantis:3478 → STUN server
Internet → Router:5349 → Atlantis:5349 → TURN server
Internet → Router:49160-49200 → Atlantis:49160-49200 → RTP streams
# All 4 port ranges required for full functionality:
- WebRTC media negotiation depends on STUN/TURN
- RTP port range handles multiple concurrent calls
- HTTPS interface provides web-based meeting access
```
### 📝 Gitea Git Repository (192.168.0.250 - Calypso)
#### External Access URLs
```
# SSH Git Operations
ssh://git@git.vish.gg:2222
# Web Interface
https://git.vish.gg
# Git Commands
git clone ssh://git@git.vish.gg:2222/username/repo.git
git remote add origin ssh://git@git.vish.gg:2222/username/repo.git
git push origin main
```
#### Port Configuration
| Port | Protocol | Purpose | Authentication |
|------|----------|---------|----------------|
| 2222 | All | SSH access for Git operations | SSH Keys Required |
#### Service Dependencies
```
# SSH Git Access Flow
Internet → Router:2222 → Calypso:2222 → gitea:22
# Requirements:
- SSH key authentication required
- Alternative to HTTPS Git access
- Enables Git operations from external networks
- Web interface accessible via reverse proxy on port 443
```
### 🐳 Portainer Container Management (192.168.0.200 - Atlantis)
#### External Access URLs
```
https://pw.vish.gg:9443 # Primary Portainer HTTPS interface
https://vish.gg:9443 # Alternative domain access
https://pw.vish.gg:8000 # Edge Agent communication
https://pw.vish.gg:10000 # Additional services
```
#### Port Configuration
| Port | Protocol | Purpose | Security Level |
|------|----------|---------|----------------|
| 9443 | All | Primary HTTPS interface | 🔒 High |
| 8000 | All | Edge Agent communication | ⚠️ Medium |
| 10000 | All | Extended functionality | ⚠️ Medium |
#### Service Dependencies
```
# Container Management Flow
Internet → Router:9443 → Atlantis:9443 → portainer:9443
Internet → Router:8000 → Atlantis:8000 → portainer:8000
Internet → Router:10000 → Atlantis:10000 → portainer:10000
# All three ports required for full Portainer functionality:
- 9443: Primary HTTPS interface for web management
- 8000: Edge Agent enables remote Docker management
- 10000: Extended functionality and additional services
```
### 🌍 Web Services (192.168.0.250 - Calypso)
#### External Access URLs
```
https://vish.gg # Main web services (HTTPS)
https://www.vish.gg # WWW subdomain
http://vish.gg # HTTP (redirects to HTTPS)
# Additional Cloudflare Proxied Services:
https://cal.vish.gg # Calendar service
https://reddit.vish.gg # Reddit alternative
https://matrix.thevish.io # Matrix chat server
https://joplin.thevish.io # Joplin notes
https://www.thevish.io # Alternative main domain
```
#### Port Configuration
| Port | Protocol | Purpose | Redirect |
|------|----------|---------|----------|
| 443 | All | HTTPS web services | Primary |
| 80 | All | HTTP (redirects to HTTPS) | → 443 |
#### Service Dependencies
```
# Web Services Flow
Internet → Router:443 → Calypso:443 → nginx:443
Internet → Router:80 → Calypso:80 → nginx:80 → redirect to 443
# Requirements:
- Reverse proxy (Nginx) on Calypso handles routing
- SSL/TLS certificates for HTTPS (Let's Encrypt)
- Automatic HTTP to HTTPS redirection
- Cloudflare proxy protection for some subdomains
```
## 🏠 Host Mapping & Service Distribution
### 📊 Services by Host
| Host | IP Address | Services | Port Forwards | Primary Function |
|------|------------|----------|---------------|------------------|
| **Atlantis** | 192.168.0.200 | 45 services | 4 forwards | Jitsi Meet, Portainer |
| **Calypso** | 192.168.0.250 | 38 services | 3 forwards | Gitea SSH, Web Services |
### 🔌 Port Forward Distribution
#### Atlantis (192.168.0.200)
- **Jitsi Meet Video Conferencing**: 4 port forwards
- 4443/TCP: HTTPS web interface
- 5349/All: TURN server
- 49160-49200/All: RTP media (40 ports)
- 3478/All: STUN server
- **Portainer Container Management**: 3 port forwards
- 9443/All: HTTPS interface
- 8000/All: Edge Agent
- 10000/All: Additional services
#### Calypso (192.168.0.250)
- **Gitea Git Repository**: 1 port forward
- 2222/All: SSH Git access
- **Web Services**: 2 port forwards
- 443/All: HTTPS web services
- 80/All: HTTP (redirects to HTTPS)
## 🔒 Security Analysis & Risk Assessment
### ✅ High Security Services
| Service | Port | Security Features | Risk Level |
|---------|------|-------------------|------------|
| **HTTPS Web (443)** | 443 | Encrypted traffic, reverse proxy protected | 🟢 Low |
| **Jitsi Meet (4443)** | 4443 | Encrypted video conferencing, HTTPS | 🟢 Low |
| **Portainer HTTPS (9443)** | 9443 | Encrypted container management | 🟢 Low |
### ⚠️ Medium Security Services
| Service | Port | Security Considerations | Recommendations |
|---------|------|------------------------|-----------------|
| **Gitea SSH (2222)** | 2222 | SSH key authentication required | Monitor access logs |
| **Portainer Edge (8000)** | 8000 | Agent communication, should be secured | Implement IP restrictions |
| **HTTP (80)** | 80 | Unencrypted, should redirect to HTTPS | Verify redirect works |
### 🔧 Network Services
| Service | Ports | Protocol Type | Security Notes |
|---------|-------|---------------|----------------|
| **STUN/TURN** | 3478, 5349 | Standard WebRTC protocols | Industry standard, encrypted by Jitsi |
| **RTP Media** | 49160-49200 | Media streams | Encrypted by Jitsi, 40 port range |
### 🛡️ Security Recommendations
#### Authentication & Access Control
```
# 1. Strong Authentication
- SSH keys for Gitea (port 2222) - disable password auth
- 2FA on Portainer (port 9443) - enable for all users
- Strong passwords on all web services
- Regular credential rotation
# 2. Access Monitoring
- Review Nginx/reverse proxy logs regularly
- Monitor failed authentication attempts
- Set up alerts for suspicious activity
- Log SSH access attempts on port 2222
# 3. Network Security
- Consider IP whitelisting for admin services
- Implement rate limiting on web interfaces
- Use VPN (Tailscale) for administrative access
- Regular security updates for all exposed services
```
#### Service Hardening
```
# 4. Service Security
- Keep all exposed services updated
- Monitor CVE databases for vulnerabilities
- Implement automated security scanning
- Regular backup of service configurations
# 5. Network Segmentation
- Consider moving exposed services to DMZ
- Implement firewall rules between network segments
- Use VLANs to isolate public-facing services
- Monitor inter-service communication
```
## 🌐 External Access Methods & Alternatives
### 🔌 Primary Access (Port Forwarding)
```
# Direct external access via domain names (DDNS updated every 5 minutes)
https://pw.vish.gg:9443 # Portainer
https://meet.thevish.io:4443 # Jitsi Meet (primary)
ssh://git@git.vish.gg:2222 # Gitea SSH
# Alternative domain access
https://vish.gg:9443 # Portainer (main domain)
https://meet.vish.gg:4443 # Jitsi Meet (alt domain)
https://www.vish.gg # Main web services (HTTPS)
https://vish.gg # Main web services (HTTPS)
# Additional service domains (from Cloudflare DNS)
https://cal.vish.gg # Calendar service (proxied)
https://reddit.vish.gg # Reddit alternative (proxied)
https://www.thevish.io # Alternative main domain (proxied)
https://matrix.thevish.io # Matrix chat server (proxied)
https://joplin.thevish.io # Joplin notes (proxied)
```
### 🔗 Alternative Access (Tailscale VPN)
```
# Secure mesh VPN access (recommended for admin)
https://atlantis.tail.vish.gg:9443 # Portainer via Tailscale
https://atlantis.tail.vish.gg:4443 # Jitsi via Tailscale
ssh://git@calypso.tail.vish.gg:2222 # Gitea via Tailscale
# Benefits of Tailscale access:
- No port forwarding required
- End-to-end encryption
- Access control via Tailscale ACLs
- No exposure to internet threats
```
### 🔄 Hybrid Approach (Recommended)
```
# Public Services (External Access)
- Jitsi Meet: External users need direct access
- Web Services: Public content via port forwarding
- Git Repository: Public repositories via HTTPS
# Admin Services (Tailscale Access)
- Portainer: Container management via VPN
- Gitea Admin: Administrative functions via VPN
- Monitoring: Grafana, Prometheus via VPN
```
## 🔄 Dynamic DNS (DDNS) Configuration
### 🌐 Automated DDNS Updates
```
# Cloudflare DDNS Configuration
- Update Frequency: Every 5 minutes
- Domains: vish.gg and thevish.io
- Record Types: IPv4 (A) and IPv6 (AAAA)
- Automation: 4 DDNS services running
# DDNS Services:
- ddns-vish-proxied: Updates proxied A records for vish.gg
- ddns-vish-unproxied: Updates DNS-only A records for vish.gg
- ddns-thevish-proxied: Updates proxied records for thevish.io
- ddns-thevish-unproxied: Updates DNS-only records for thevish.io
```
### 📊 Service Categories
```
# Proxied Services (Cloudflare Protection)
- cal.vish.gg, reddit.vish.gg, www.vish.gg
- matrix.thevish.io, joplin.thevish.io, www.thevish.io
- Benefits: DDoS protection, caching, SSL termination
# DNS-Only Services (Direct Access)
- git.vish.gg, meet.thevish.io, pw.vish.gg
- api.vish.gg, spotify.vish.gg
- Benefits: Direct connection, no proxy overhead
```
## 🚨 Troubleshooting & Diagnostics
### 🔍 Common Issues & Solutions
#### Service Not Accessible Externally
```
# Diagnostic Steps:
1. Verify port forward rule is enabled in router
2. Confirm internal service is running on host
3. Test internal access first (192.168.0.x:port)
4. Check firewall rules on target host
5. Verify router external IP hasn't changed
6. Test DNS resolution: nslookup domain.com
# Commands:
docker-compose ps # Check service status
netstat -tulpn | grep PORT # Verify port binding
nmap -p PORT domain.com # Test external access
curl -I https://domain.com # HTTP connectivity test
```
#### Jitsi Meet Connection Issues
```
# WebRTC requires all ports - test each:
nmap -p 4443 meet.thevish.io # Web interface
nmap -p 3478 meet.thevish.io # STUN server
nmap -p 5349 meet.thevish.io # TURN server
nmap -p 49160-49200 meet.thevish.io # RTP range
# Browser diagnostics:
1. Open browser developer tools
2. Go to Network tab during call
3. Look for STUN/TURN connection attempts
4. Check for WebRTC errors in console
5. Test with different networks/devices
```
#### Gitea SSH Access Problems
```
# SSH troubleshooting steps:
ssh -p 2222 git@git.vish.gg # Test SSH connection
ssh-add -l # Check loaded SSH keys
cat ~/.ssh/id_rsa.pub # Verify public key
nmap -p 2222 git.vish.gg # Test port accessibility
# Gitea-specific checks:
docker-compose logs gitea | grep ssh
# Check Gitea SSH configuration in admin panel
# Verify SSH key is added to Gitea user account
```
#### Portainer Access Issues
```
# Test all Portainer ports:
curl -I https://pw.vish.gg:9443 # Main interface
curl -I https://pw.vish.gg:8000 # Edge Agent
curl -I https://pw.vish.gg:10000 # Additional services
# Container diagnostics:
docker-compose logs portainer
docker stats portainer
# Check Portainer logs for authentication errors
```
### 🔧 Performance Optimization
#### Network Performance
```
# Monitor bandwidth usage:
iftop -i eth0 # Real-time bandwidth
vnstat -i eth0 # Historical usage
speedtest-cli # Internet speed test
# Optimize for concurrent users:
# Jitsi: Increase JVB memory allocation
# Gitea: Configure Git LFS for large files
# Portainer: Increase container resources
```
#### Service Performance
```
# Resource monitoring:
docker stats # Container resource usage
htop # System resource usage
df -h # Disk space usage
# Service-specific optimization:
# Jitsi: Configure for expected concurrent meetings
# Nginx: Enable gzip compression and caching
# Database: Optimize PostgreSQL settings
```
## 📋 Maintenance & Configuration Management
### 🔄 Regular Maintenance Tasks
#### Monthly Tasks
```
# Security and monitoring:
□ Review access logs for all forwarded services
□ Test external access to all forwarded ports
□ Update service passwords and SSH keys
□ Backup router configuration
□ Verify DDNS updates are working
□ Check SSL certificate expiration dates
```
#### Quarterly Tasks
```
# Comprehensive review:
□ Security audit of exposed services
□ Update all forwarded services to latest versions
□ Review and optimize port forwarding rules
□ Test disaster recovery procedures
□ Audit user accounts and permissions
□ Review and update documentation
```
#### Annual Tasks
```
# Major maintenance:
□ Complete security assessment
□ Review and update network architecture
□ Evaluate need for additional security measures
□ Plan for service migrations or updates
□ Review and update disaster recovery plans
□ Comprehensive backup and restore testing
```
### 📊 Configuration Backup & Documentation
#### Router Configuration
```
# TP-Link Archer BE800 backup:
- Export configuration monthly
- Document all port forward changes
- Maintain change log with dates and reasons
- Store backup files securely
- Test configuration restoration procedures
```
#### Service Health Monitoring
```
# Automated monitoring setup:
- Uptime monitoring for each forwarded port
- Health checks for critical services
- Alerts for service failures
- Performance metrics collection
- Log aggregation and analysis
```
## 🔗 Integration with Homelab Infrastructure
### 🌐 Tailscale Mesh Integration
```
# Secure internal access alternatives:
https://atlantis.tail.vish.gg:9443 # Portainer
https://atlantis.tail.vish.gg:4443 # Jitsi Meet
ssh://git@calypso.tail.vish.gg:2222 # Gitea SSH
# Benefits:
- No port forwarding required for admin access
- End-to-end encryption via WireGuard
- Access control via Tailscale ACLs
- Works from anywhere with internet
```
### 📊 Monitoring Integration
```
# Service monitoring via Grafana/Prometheus:
- External service availability monitoring
- Response time tracking
- Error rate monitoring
- Resource usage correlation
- Alert integration with notification services
```
### 🔄 Backup Integration
```
# Service data backup:
- Gitea repositories: automated Git backups
- Portainer configurations: volume backups
- Jitsi recordings: cloud storage sync
- Web service data: regular file system backups
```
---
*Last Updated: 2025-11-17*
*Active Port Forwards: 10 rules across 2 hosts*
*External Domains: 12 with automatic DDNS updates*
*DDNS Update Frequency: Every 5 minutes via Cloudflare*
*Security Status: All services monitored and hardened*
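Review bot: the Jitsi media-flow block under "Service Dependencies" (`Internet → Router:4443 → Atlantis:5443 → jitsi-web:443`) contradicts the "Active Port Forwards Summary" table, which maps external 4443 to internal 4443 on 192.168.0.200; one of the two is wrong and should be corrected so the document cannot be used to recreate a broken rule. Related points in the same file: the table sets Protocol to "All" for gitea 2222, HTTP 80, Https 443 and the three portainer2 rules, but SSH, HTTP and HTTPS are TCP-only, so those forwards should be narrowed to TCP (the "All" setting is only justified for STUN/TURN/RTP). Port 10000 is described only as "Additional services" / "Extended functionality" with no service named; either document what listens there or remove the forward. The "Hybrid Approach (Recommended)" section says Portainer and Gitea admin functions should be reached via Tailscale, yet the rules table forwards 9443, 8000 and 10000 to the internet and rates 9443 "🔒 High"; either drop those rules or state explicitly why they remain and what compensating control (the IP restriction suggested for 8000) is in place. In the troubleshooting blocks, `nmap -p 3478`, `nmap -p 5349` and `nmap -p 49160-49200` probe TCP only by default, so they will not confirm that the UDP side of STUN/TURN/RTP is reachable; add `-sU` (or a note) there. Minor: the rule named `stun3` covers 5349, which the rest of the document calls the TURN port, and the "40 port range" for 49160-49200 is actually 41 ports.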