Documentation
Test Documentation.
Status: Active / In Development
Primary Hypervisor: Proxmox
Primary Network Gateway: Netgate Router
Core Switch: Cisco Managed Switch
1. Core Services & Deployment
| Service | Environment | Function | Status / Notes |
|---|---|---|---|
| ARR Stack | Docker | Media Management | [FILL IN LATER: IP/Port] |
| Jellyfin | Baremetal / Docker | Media Streaming | Open port configuration |
| Webserver | Docker | Blog hosting (Supabase backend) | Proxied via Caddy |
| Pterodactyl | Docker / LXC | Game Server Management | Open port configuration |
| Caddy | Docker | Reverse Proxy & SSL | Primary ingress router |
| Authentik | Docker | Authentication | [FILL IN LATER: Auth URLs/Details] |
2. Network Topology & VLANs
The network is segmented to isolate personal devices, management interfaces, and publicly accessible servers.
| VLAN ID | Name | Subnet / Gateway | Description |
|---|---|---|---|
| 10 | Personal | [FILL IN LATER] | Trusted personal devices. |
| 20 | Servers | 192.168.20.0/24 | Lab servers and exposed services. |
| 30 | Management | [FILL IN LATER] | Infrastructure management interfaces. |
| 999 | Hole (Native) | N/A | Blackhole VLAN to prevent VLAN hopping. |
3. Switch Port Allocation
Device: Cisco Switch
Configuration Note: Access ports are configured with spanning-tree portfast.
| Port Range | Assignment | Mode | Status |
|---|---|---|---|
| G1/0/23 | Router Uplink | Trunk (Allowed: 10, 20, 30) | Active |
| G1/0/24 | Switch Downlink | Trunk (Allowed: 10, 20, 30) | Active |
| G1/0/1 - G1/0/12 | VLAN 10 (Personal) | Access | Active |
| G1/0/13 - G1/0/20 | VLAN 20 (Servers) | Access | Active |
| G1/0/21 - G1/0/22 | VLAN 30 (Management) | Access | Active |
| f0, Tel1/0/1-2, G1/0/25-26 | Parking | Shutdown | Disabled |
4. External Access (WireGuard VPS)
A Virtual Private Server (VPS) is used to expose internal services securely. The Proxmox server routes traffic through this tunnel.
| Configuration Item | Value |
|---|---|
| VPS Interface | vtunwg0 |
| Listen Port | 51820 |
| MTU | 1500 (Ensure consistency across peers) |
| VPS Tunnel IP | 10.10.0.1/24 |
| Allowed Internal IPs | 10.10.0.2/32, 192.168.20.0/24 |
5. Caddy Configuration Parameters
Caddy handles internal and external routing and is configured to run on an external Docker network named proxy.
| Parameter | Configuration |
|---|---|
| Exposed Ports | 80 (HTTP), 443 (HTTPS) |
| Network | proxy (External) |
| Config File | [FILL IN LATER: Path to Caddyfile] |
| Data Volumes | [FILL IN LATER: Paths for caddy_data and caddy_config] |
| Cloudflare SSL | [FILL IN LATER: Caddy Cloudflare DNS module / API Token config] |
6. Operational Notes & Environment “Gotchas”
- Spanning Tree (STP) / BPDU Guard: When the Netgate router reboots, its internal switch briefly acts unmanaged and passes Cisco BPDU packets from the LAN switch out to the WAN. This triggers BPDU Guard and shuts down the port.
  - Fix: The trunk port connected to the router requires `spanning-tree bpdufilter enable` to prevent sending STP packets during this window.
- VPS Hardening: Unnecessary services (`ModemManager`, `upower`, `multipathd`) have been disabled to harden the public-facing VPS. Automatic unattended upgrades are enabled.
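The following is an added example, not the lab's actual running-config: a Cisco IOS configuration that puts the VLAN plan (section 2), the port allocation (section 3) and the BPDU gotcha (section 6) together on one switch. It assumes the trunks carry VLAN 999 as native, that access ports also run BPDU Guard, and that parked ports sit in VLAN 999; none of these three points is stated on the page.

```cisco
! Added example, not the lab's running-config: Cisco IOS configuration that
! ties sections 2, 3 and 6 together. Assumed, not stated on the page: the
! trunks use VLAN 999 as native, access ports also run BPDU Guard, and
! parked ports sit in VLAN 999.
!
! G1/0/23 router uplink: allowed list limited to 10/20/30, untagged frames
! land in the blackhole VLAN, and bpdufilter keeps STP frames off the link
! while the Netgate's internal switch is unmanaged during a reboot.
! (The encapsulation line is needed on platforms that also support ISL.)
interface GigabitEthernet1/0/23
 description Router Uplink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 spanning-tree bpdufilter enable
!
! G1/0/24 downlink: same trunk profile, STP left running (no bpdufilter).
interface GigabitEthernet1/0/24
 description Switch Downlink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! Access ports: portfast per the configuration note; bpduguard (assumed)
! err-disables a port the moment another switch is plugged into it.
interface range GigabitEthernet1/0/1 - 12
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range GigabitEthernet1/0/13 - 20
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
interface range GigabitEthernet1/0/21 - 22
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Parking: unused ports shut down in the blackhole VLAN (assumed).
interface range GigabitEthernet1/0/25 - 26, TenGigabitEthernet1/0/1 - 2
 switchport access vlan 999
 shutdown
```

Interface-level `spanning-tree bpdufilter enable` also discards received BPDUs, so STP cannot detect a loop through that port; the restricted allowed-VLAN list and the blackhole native VLAN are the controls that remain on the router uplink.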