
Infrastructure Overview

The live environment was last broadly reconciled against the legacy Docker estate on June 9, 2026. The active recovery architecture moved to OPNsense, Technitium and Caddy, and rootless Podman during the June 2026 restore work. Live Proxmox CT state was rechecked on June 26, 2026.

Purpose

This section describes the current physical, virtual, network, storage, and cloud architecture. It is the source of truth for day-to-day operations; historical systems are listed separately in Retired Systems.

Architecture

```mermaid
flowchart LR
    Internet --> Edge["Starlink / ISP edge"]
    Edge --> FW["OPNsense VM 100 router"]
    FW --> LAN["Client/admin LAN - CIDR to recapture"]
    FW --> DMZ["DMZ 192.168.2.0/24"]
    DMZ --> PVE["Proxmox pve"]
    PVE --> DNS["CT 102: Technitium DNS 192.168.2.2"]
    PVE --> Caddy["CT 103: Caddy ingress 192.168.2.3"]
    PVE --> Apps["CT 101: Rootless Podman apps 192.168.2.20"]
    PVE --> Site["CT 104: khysite 192.168.2.5"]
    PVE --> TSRouter["CT 105: Tailscale subnet router 192.168.2.120"]
    Caddy --> Apps
    Apps --> Data["PostgreSQL / Forgejo / Vaultwarden / Adminer / Dozzle"]
    PVE --> NAS["Synology storage - address to recapture"]
```

Figure: current office network topology (existing office network diagram). Validate its labels against the current segment table before using it for a change; the old 192.168.100.0/24 labels are deprecated.

Verified Core

| Component | Role | Operational page |
|---|---|---|
| pve | Standalone virtualization host | Proxmox VE |
| VM 100 router | OPNsense firewall, router, VPN, and WAN failover | OPNsense |
| CT 101 podman-lxc | Rootless Podman application and data host | Podman Ecosystem Standards |
| CT 102 technitium-dns | Internal DNS resolver at 192.168.2.2 | Caddy and Technitium Migration |
| CT 103 caddy-ingress | HTTP/HTTPS ingress, Cloudflare DNS-01, and Google Workspace OIDC target | Caddy and Technitium Migration |
| CT 104 khysite | Running site workload needing a current service page | LXC Containers |
| CT 105 ts-router | Dedicated Headscale/Tailscale subnet router for 192.168.2.0/24 | Tailscale and Headscale Client Onboarding |
| Synology NAS | VM backup and shared media target | Synology RS816 |

Configuration

  • Proxmox network: /etc/network/interfaces
  • Proxmox storage: /etc/pve/storage.cfg
  • Rootless Podman service data: /opt/podman/volumes/<service>/
  • Rootless Podman env files: /opt/podman/env/<service>.env
  • Rootless Podman Quadlets: /home/podsvc/.config/containers/systemd/
  • Caddy config: /opt/caddy/config/Caddyfile on CT 103
  • Technitium backups: /root/technitium-backups on CT 102
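The rootless Podman paths above only make sense together: the Quadlet unit under the podsvc home directory is what ties an env file in /opt/podman/env/ and a data directory under /opt/podman/volumes/ to a running container. The script below is an added example, not a file from this page's repository or from the Podman project, that renders a `<service>.container` Quadlet following exactly those conventions. It assumes the rootless user is `podsvc` (taken from the Quadlet path), that CT 101 owns 192.168.2.20 as shown in the diagram, and that the caller supplies the service name, image reference and the one TCP port the app listens on; the capability and privilege settings are hardening defaults to relax per application, not values recorded on the page.

```bash
#!/usr/bin/env bash
# Quadlet renderer for the rootless Podman layout documented on this page.
# Added example; assumptions: rootless user podsvc, CT 101 address 192.168.2.20,
# one published TCP port per service. Nothing here is copied from the page's repo.
PODMAN_ENV_DIR="/opt/podman/env"
PODMAN_VOL_DIR="/opt/podman/volumes"
QUADLET_DIR="/home/podsvc/.config/containers/systemd"
APP_HOST_IP="192.168.2.20"   # CT 101 per the architecture diagram

# Path where systemd's Quadlet generator expects the unit for a given service.
quadlet_path() { echo "$QUADLET_DIR/$1.container"; }

# Print a <service>.container unit to stdout.
#   $1 service name   $2 image reference   $3 container port to publish
# The port is bound to the CT's DMZ address only, so it is reachable by Caddy on CT 103
# but not on whatever other interfaces the CT may have.
render_quadlet() {
  [ $# -eq 3 ] || { echo "usage: render_quadlet <service> <image> <port>" >&2; return 1; }
  svc=$1; image=$2; port=$3
  cat <<EOF
[Unit]
Description=$svc (rootless Podman via Quadlet)
After=network-online.target
Wants=network-online.target

[Container]
Image=$image
ContainerName=$svc
EnvironmentFile=$PODMAN_ENV_DIR/$svc.env
Volume=$PODMAN_VOL_DIR/$svc/data:/data:Z
PublishPort=$APP_HOST_IP:$port:$port
# Hardening defaults: add back only what the image needs with AddCapability=.
NoNewPrivileges=true
DropCapability=ALL
AutoUpdate=registry

[Service]
Restart=always
TimeoutStartSec=900

[Install]
WantedBy=default.target
EOF
}

# Create the directories the page lists, write the unit, and start it as a user service.
# Must run as podsvc; the env file is checked for restrictive permissions because it is
# where the service's secrets live.
install_quadlet() {
  svc=$1; image=$2; port=$3
  mkdir -p "$PODMAN_VOL_DIR/$svc/data" "$QUADLET_DIR"
  envfile="$PODMAN_ENV_DIR/$svc.env"
  [ -f "$envfile" ] || { echo "missing $envfile; create it before enabling $svc" >&2; return 1; }
  [ "$(stat -c %a "$envfile")" = "600" ] || { echo "$envfile must be mode 600" >&2; return 1; }
  render_quadlet "$svc" "$image" "$port" > "$(quadlet_path "$svc")"
  systemctl --user daemon-reload
  systemctl --user start "$svc.service"
  systemctl --user --no-pager status "$svc.service"
}

# Usage (as podsvc): bash quadlet.sh install <service> <image> <port>
#        preview:    bash quadlet.sh render  <service> <image> <port>
case "${1:-}" in
  render)  shift; render_quadlet "$@" ;;
  install) shift; install_quadlet "$@" ;;
esac
```

Quadlet derives the unit name from the file name, so `demo.container` becomes `demo.service` under `systemctl --user`; the user session must be lingering (`loginctl enable-linger podsvc`) for the unit to start without an interactive login.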

Operational Procedures

Use the operations runbooks before changing routing, storage, guests, DNS, or container stacks. Back up the relevant configuration and validate the smallest affected scope after every change.

Troubleshooting

Start at the lowest failed layer:

  1. Check physical and upstream connectivity.
  2. Check OPNsense interfaces and gateways from the OPNsense UI or a verified SSH path; do not assume a local ssh router alias exists.
  3. Check Technitium DNS resolution at 192.168.2.2.
  4. Check the Proxmox VE guest state.
  5. Check Caddy ingress and the CT 101 rootless Podman service logs.
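The five steps above form one ladder, and the point of walking it bottom-up is to stop at the first layer that fails rather than chasing symptoms at the top. The script below is an added example (not the page's own runbook) that encodes that ladder as one check per layer and reports the lowest failure. Addresses for CT 102 and CT 103 come from the diagram; everything else is an assumption: it runs from an admin host with ping, dig, ssh and curl-style tooling, `root@pve` accepts key authentication, `FW_IP` must be set explicitly to the OPNsense address confirmed in its UI (the page warns against assuming an `ssh router` alias), `DNS_PROBE_NAME` is an internal record Technitium serves, and Caddy on CT 103 runs as the `caddy` systemd unit.

```bash
#!/usr/bin/env bash
# Layered triage ladder for the architecture on this page. Added example, not the
# page's own runbook. Assumed (not recorded on the page): admin host with ping/dig/ssh,
# root@pve reachable with key auth, FW_IP set by the operator, DNS_PROBE_NAME served
# internally, Caddy running as the "caddy" unit inside CT 103.
DNS_IP="${DNS_IP:-192.168.2.2}"            # CT 102 Technitium (from the diagram)
CADDY_IP="${CADDY_IP:-192.168.2.3}"        # CT 103 Caddy ingress (from the diagram)
PVE_SSH="${PVE_SSH:-root@pve}"             # assumed admin path to the Proxmox host
DNS_PROBE_NAME="${DNS_PROBE_NAME:-pve}"    # assumed internal name to resolve
UPSTREAM_PROBE="${UPSTREAM_PROBE:-1.1.1.1}"

# Layer 1: physical/upstream. A public address answering means the Starlink/ISP edge is up.
check_upstream() { ping -c 1 -W 2 "$UPSTREAM_PROBE" >/dev/null 2>&1; }

# Layer 2: OPNsense. FW_IP is deliberately not defaulted: confirm it in the OPNsense UI.
check_firewall() {
  [ -n "${FW_IP:-}" ] || { echo "FW_IP not set; confirm the OPNsense address first" >&2; return 1; }
  ping -c 1 -W 2 "$FW_IP" >/dev/null 2>&1
}

# Layer 3: Technitium must answer an internal query, not merely accept packets.
check_dns() {
  dig +short +time=2 +tries=1 @"$DNS_IP" "$DNS_PROBE_NAME" A 2>/dev/null | grep -q .
}

# Layer 4: guests. VM 100 and CTs 101-105 from the verified-core table must be running.
check_guests() {
  out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$PVE_SSH" \
        'qm status 100; for id in 101 102 103 104 105; do pct status "$id"; done') || return 1
  [ -n "$out" ] && ! printf '%s\n' "$out" | grep -vq 'status: running'
}

# Layer 5: ingress. Caddy must at least accept a TCP connection on 443; certificate
# and SNI problems show up in the logs pulled below, not in this probe.
check_ingress() { timeout 3 bash -c "exec 3<>/dev/tcp/$CADDY_IP/443" 2>/dev/null; }

# Walk the ladder in order; print the first failing layer, or "ok" when every layer passes.
lowest_failed_layer() {
  for layer in upstream firewall dns guests ingress; do
    if ! "check_$layer"; then
      echo "$layer"
      return 0
    fi
  done
  echo "ok"
}

# Logs for layer 5: Caddy on CT 103 and the rootless Podman user units on CT 101.
# journald records user-unit output under the owning UID, so filtering by podsvc's
# UID avoids needing a podsvc login session.
show_ingress_logs() {
  ssh -o BatchMode=yes "$PVE_SSH" 'pct exec 103 -- journalctl -u caddy -n 50 --no-pager'
  ssh -o BatchMode=yes "$PVE_SSH" \
    'pct exec 101 -- sh -c "journalctl _UID=\$(id -u podsvc) -n 50 --no-pager"'
}

# Usage: bash triage.sh run   (without "run" the file only defines the functions)
case "${1:-}" in
  run)
    layer=$(lowest_failed_layer)
    echo "lowest failed layer: $layer"
    [ "$layer" = ingress ] && show_ingress_logs
    ;;
esac
```

Each check function can be replaced for a different host (for example, a `check_firewall` that queries the OPNsense API instead of pinging) without touching `lowest_failed_layer`, which is what keeps the ladder order the single place the triage sequence is defined.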

References

  • Runtime inventory captured June 9, 2026
  • OPNsense, CT 101, CT 102, CT 103, and CT 104 state verified June 2026
  • 192.168.100.0/24 removed from the current internal architecture on July 1, 2026 after 192.168.100.1 was identified from pve as the Starlink device; the user confirmed that Starlink bridge mode conflicted with the old internal .100 subnet