Infrastructure Overview
The live environment was last broadly reconciled against the legacy Docker estate on June 9, 2026. The active recovery architecture moved to OPNsense, Technitium and Caddy, and rootless Podman during the June 2026 restore work. Live Proxmox CT state was rechecked on June 26, 2026.
Purpose
This section describes the current physical, virtual, network, storage, and cloud architecture. It is the source of truth for day-to-day operations; historical systems are listed separately in Retired Systems.
Architecture
```mermaid
flowchart LR
    Internet --> Edge["Starlink / ISP edge"]
    Edge --> FW["OPNsense VM 100 router"]
    FW --> LAN["Client/admin LAN - CIDR to recapture"]
    FW --> DMZ["DMZ 192.168.2.0/24"]
    DMZ --> PVE["Proxmox pve"]
    PVE --> DNS["CT 102: Technitium DNS 192.168.2.2"]
    PVE --> Caddy["CT 103: Caddy ingress 192.168.2.3"]
    PVE --> Apps["CT 101: Rootless Podman apps 192.168.2.20"]
    PVE --> Site["CT 104: khysite 192.168.2.5"]
    PVE --> TSRouter["CT 105: Tailscale subnet router 192.168.2.120"]
    Caddy --> Apps
    Apps --> Data["PostgreSQL / Forgejo / Vaultwarden / Adminer / Dozzle"]
    PVE --> NAS["Synology storage - address to recapture"]
```
/// caption
Existing office network diagram. Validate labels against the current segment table before using it for a change; old 192.168.100.0/24 labels are deprecated.
///
Verified Core
| Component | Role | Operational page |
|---|---|---|
| pve | Standalone virtualization host | Proxmox VE |
| VM 100 router | OPNsense firewall, router, VPN, and WAN failover | OPNsense |
| CT 101 podman-lxc | Rootless Podman application and data host | Podman Ecosystem Standards |
| CT 102 technitium-dns | Internal DNS resolver at 192.168.2.2 | Caddy and Technitium Migration |
| CT 103 caddy-ingress | HTTP/HTTPS ingress, Cloudflare DNS-01, and Google Workspace OIDC target | Caddy and Technitium Migration |
| CT 104 khysite | Running site workload needing a current service page | LXC Containers |
| CT 105 ts-router | Dedicated Headscale/Tailscale subnet router for 192.168.2.0/24 | Tailscale and Headscale Client Onboarding |
| Synology NAS | VM backup and shared media target | Synology RS816 |
Configuration
- Proxmox network: `/etc/network/interfaces`
- Proxmox storage: `/etc/pve/storage.cfg`
- Rootless Podman service data: `/opt/podman/volumes/<service>/`
- Rootless Podman env files: `/opt/podman/env/<service>.env`
- Rootless Podman Quadlets: `/home/podsvc/.config/containers/systemd/`
- Caddy config: `/opt/caddy/config/Caddyfile` on CT 103
- Technitium backups: `/root/technitium-backups` on CT 102
Operational Procedures
Use the operations runbooks before changing routing, storage, guests, DNS, or container stacks. Back up the relevant configuration and validate the smallest affected scope after every change.
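As an added example, not part of this page or the site's runbooks: a POSIX shell script that snapshots the paths listed under Configuration from the pve host before a change and writes a SHA-256 manifest beside the archive so the copy can be verified later. The backup directory, the use of `pct pull` and a `pct exec` tar pipe to read files out of CT 101, 102 and 103, and the archive naming are assumptions; the paths and CT ids are the page's own.

```shell
#!/bin/sh
# Pre-change configuration snapshot for the paths listed under "Configuration".
# Added example, not part of this page or the site's runbooks. The backup
# directory and the use of "pct pull"/"pct exec" to read files out of the CTs
# are assumptions; the paths and CT ids themselves come from the page.

umask 077                                            # env files hold secrets: owner-only output
BACKUP_ROOT="${BACKUP_ROOT:-/root/config-backups}"   # assumption: where snapshots are kept

# Copy a file or directory on this host into the staging tree, keeping its path.
# $1 = staging dir, $2 = absolute source path. Missing paths are reported and skipped.
stage_local() {
  [ -e "$2" ] || { echo "skip (missing): $2" >&2; return 0; }
  mkdir -p "$1$(dirname "$2")"
  cp -a "$2" "$1$(dirname "$2")/"
}

# Copy one file out of a CT to <stage>/ct<id><path> (pct pull handles single files).
stage_file_from_ct() {   # $1 = staging dir, $2 = CT id, $3 = file path inside the CT
  mkdir -p "$1/ct$2$(dirname "$3")"
  pct pull "$2" "$3" "$1/ct$2$3"
}

# Copy a whole directory out of a CT to <stage>/ct<id><path> through a tar pipe.
stage_dir_from_ct() {    # $1 = staging dir, $2 = CT id, $3 = directory inside the CT
  mkdir -p "$1/ct$2$3"
  pct exec "$2" -- tar -C "$3" -cf - . | tar -C "$1/ct$2$3" -xf -
}

# Pack the staging tree into <out>/config-<label>.tar.gz and write a SHA-256
# manifest (sorted, relative paths) next to it. Prints the archive path.
pack_snapshot() {        # $1 = staging dir, $2 = output dir, $3 = label
  mkdir -p "$2"
  archive="$2/config-$3.tar.gz"
  tar -C "$1" -czf "$archive" .
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2/config-$3.sha256"
  echo "$archive"
}

# Check a manifest against the files under a directory; 0 when every hash matches.
verify_snapshot() {      # $1 = directory holding the files, $2 = absolute manifest path
  (cd "$1" && sha256sum -c --quiet "$2" >/dev/null 2>&1)
}

# Everything the Configuration list names, gathered from the pve host.
snapshot_all() {
  stamp=$(date +%Y%m%dT%H%M%S)
  stage=$(mktemp -d)
  stage_local "$stage" /etc/network/interfaces
  stage_local "$stage" /etc/pve/storage.cfg
  stage_file_from_ct "$stage" 103 /opt/caddy/config/Caddyfile
  stage_dir_from_ct  "$stage" 102 /root/technitium-backups
  stage_dir_from_ct  "$stage" 101 /opt/podman/env
  stage_dir_from_ct  "$stage" 101 /home/podsvc/.config/containers/systemd
  pack_snapshot "$stage" "$BACKUP_ROOT" "$stamp"
  rm -rf "$stage"
}

case "${1:-}" in
  --run) snapshot_all ;;
  *) echo "usage: $0 --run   (snapshot the configuration listed on this page)" ;;
esac
```

Run it as root on pve with `--run` before touching routing, storage or the container stacks. The `umask 077` matters because `/opt/podman/env/*.env` carries service secrets, so the archive must not be group- or world-readable; `verify_snapshot` against the unpacked tree confirms the copy is intact before a restore relies on it.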
Troubleshooting
Start at the lowest failed layer:
- Check physical and upstream connectivity.
- Check OPNsense interfaces and gateways from the OPNsense UI or a verified SSH path; do not assume a local `ssh router` alias exists.
- Check Technitium DNS resolution at `192.168.2.2`.
- Check the Proxmox VE guest state.
- Check Caddy ingress and the CT 101 rootless Podman service logs.
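As an added example, not part of this page or the site's runbooks: a POSIX shell script that walks the ladder above from the pve host, bottom-up, and names the lowest layer that failed so the investigation starts there. The CT ids and `192.168.2.2` are from the page; the public probe address, the DNS probe name, discovering the router as this host's default gateway (instead of an assumed `ssh router` alias), and a systemd unit named `caddy` inside CT 103 are assumptions.

```shell
#!/bin/sh
# Bottom-up health walk for the 192.168.2.0/24 DMZ, run from the pve host.
# Added example, not part of this page or the site's runbooks. The public probe
# address, the DNS probe name, gateway discovery from the default route and the
# "caddy" unit name inside CT 103 are assumptions; CT ids and 192.168.2.2 are from the page.

DNS_IP="192.168.2.2"                              # CT 102 Technitium (from the page)
APPS_CT="101"                                     # CT 101 rootless Podman host (from the page)
DNS_CT="102"                                      # CT 102 Technitium (from the page)
CADDY_CT="103"                                    # CT 103 Caddy ingress (from the page)
UPSTREAM_PROBE="${UPSTREAM_PROBE:-1.1.1.1}"       # assumption: any stable public address
PROBE_NAME="${PROBE_NAME:-pve.lan.example}"       # assumption: a name Technitium must resolve

# Layer 1: physical/upstream path. Each check returns 0 (ok) or non-zero (failed).
check_upstream() { ping -c 1 -W 2 "$UPSTREAM_PROBE" >/dev/null 2>&1; }

# Layer 2: the OPNsense router, reached as this host's default gateway.
check_firewall() {
  gw=$(ip -4 route show default 2>/dev/null | awk '{ print $3; exit }')
  [ -n "$gw" ] && ping -c 1 -W 2 "$gw" >/dev/null 2>&1
}

# Layer 3: Technitium must answer for an internal name.
check_dns() {
  [ -n "$(dig +short +time=2 +tries=1 "@$DNS_IP" "$PROBE_NAME" 2>/dev/null)" ]
}

# Layer 4: the core CTs must be running according to Proxmox.
check_guests() {
  for ct in "$APPS_CT" "$DNS_CT" "$CADDY_CT"; do
    pct status "$ct" 2>/dev/null | grep -q running || return 1
  done
}

# Layer 5: Caddy active inside CT 103 (assumes a systemd unit named "caddy").
check_ingress() { pct exec "$CADDY_CT" -- systemctl is-active --quiet caddy; }

# Recent journal lines written by the rootless podsvc user inside CT 101.
podman_logs() {
  uid=$(pct exec "$APPS_CT" -- id -u podsvc)
  pct exec "$APPS_CT" -- journalctl -n 50 --no-pager "_UID=$uid"
}

# Pure helper: five 0/1 results in layer order -> name of the lowest failed layer.
lowest_failed_layer() {
  for name in upstream firewall dns guests ingress; do
    [ "${1:-0}" = "1" ] || { echo "$name"; return 0; }
    shift
  done
  echo "all-ok"
}

# Run every check, then report the first failure from the bottom up.
run_checks() {
  r1=0; r2=0; r3=0; r4=0; r5=0
  check_upstream && r1=1
  check_firewall && r2=1
  check_dns      && r3=1
  check_guests   && r4=1
  check_ingress  && r5=1
  lowest_failed_layer "$r1" "$r2" "$r3" "$r4" "$r5"
}

case "${1:-}" in
  --run)
    layer=$(run_checks)
    echo "lowest failed layer: $layer"
    if [ "$layer" = "ingress" ]; then podman_logs; fi
    ;;
  *) echo "usage: $0 --run   (execute the live checks from the pve host)" ;;
esac
```

All five checks always run so the output shows the full picture, but only the lowest failure is reported as the starting point; a DNS failure with healthy upstream and firewall layers points at CT 102 rather than at the edge, which is the order the runbook asks for.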
Related Systems
References
- Runtime inventory captured June 9, 2026
- OPNsense, CT 101, CT 102, CT 103, and CT 104 state verified June 2026
- `192.168.100.0/24` removed from the current internal architecture on July 1, 2026 after `192.168.100.1` was identified as Starlink from `pve`; user confirmed Starlink bridge mode caused a conflict with the old internal `.100` subnet