
Service Dependency Map

Overview

This page shows the major runtime relationships and identifies the systems that can cause broad outages. The June 9, 2026 map was Docker/Traefik/pfSense-centered. The current recovery architecture is OPNsense, Technitium, Caddy, and CT 101 rootless Podman.

Architecture

flowchart TD
    Users --> DNS["Technitium 192.168.2.2"]
    Users --> FW["OPNsense VM 100"]
    FW --> Caddy["Caddy ingress 192.168.2.3"]
    Caddy --> Forgejo
    Caddy --> Vaultwarden
    Caddy --> Adminer
    Caddy --> Dozzle
    Forgejo --> Runner["Forgejo Runner"]
    Vaultwarden --> PostgreSQL
    Adminer --> PostgreSQL
    PVE["Proxmox pve"] --> FW
    PVE --> Podman["CT 101 rootless Podman"]
    PVE --> DNS
    PVE --> Caddy
    PVE --> NAS["Synology NAS"]
    Podman --> PostgreSQL
    Podman --> Forgejo
    Podman --> Vaultwarden
    Podman --> Adminer
    Podman --> Dozzle
    Podman --> Runner

Critical Dependency Table

| Dependency | Consumers | Failure effect |
|---|---|---|
| OPNsense | LAN, DMZ, WAN, VPN, DNS enforcement, Caddy port forwards | Broad loss of routing, internet access, and ingress |
| Proxmox VE | Firewall VM, CT 101, Caddy LXC, Technitium LXC | Broad infrastructure outage |
| Technitium 192.168.2.2 | LAN clients, internal names, CT 101 after migration | Name resolution failures |
| Caddy 192.168.2.3 | Published web applications | HTTPS applications unavailable |
| Rootless Podman CT 101 | Forgejo, Vaultwarden, Adminer, Dozzle, PostgreSQL, Forgejo runner | Restored application stack unavailable |
| PostgreSQL | Forgejo and Vaultwarden | Dependent applications fail or become read-only |
| Synology RS816 | Proxmox backups and media | Backup target and shares unavailable |

Network Flow

  1. Clients resolve names through Technitium at 192.168.2.2.
  2. Routed traffic crosses OPNsense.
  3. HTTPS reaches Caddy on the ingress LXC (suggested address 192.168.2.3).
  4. Caddy reverse proxies to CT 101 high ports on 192.168.2.20.
  5. Applications reach PostgreSQL on the rootless Podman kh3-backend network.
  6. Admin-only tools such as Adminer and Dozzle must remain blocked or protected until Caddy OIDC/admin policy is configured and validated.

Operational Procedures

During an incident, validate dependencies from the bottom of the diagram upward. Do not restart every layer at once; doing so destroys useful evidence and expands the outage.

Troubleshooting

  • Multiple web applications failing with working DNS: check Caddy first, then CT 101 high ports.
  • Multiple data-backed applications failing while static sites work: check the relevant database.
  • Forgejo Actions unavailable while Forgejo is reachable: check the runner user unit on CT 101; it was in a failed state during the June 26, 2026 check.
  • All DMZ services unreachable: check OPNsense, Proxmox, and LXC state.
  • LAN clients failing by name but working by IP: check Technitium and OPNsense DNS enforcement.
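
The following is an added example, not part of the original runbook: it encodes the Critical Dependency Table as a graph and derives the bottom-up validation order from Operational Procedures, the blast radius of a failed component, and the dependencies shared by a set of failing services (the Troubleshooting cases). Two assumptions: "bottom" is read as the hosting foundation (Proxmox first), and published applications are modelled as depending on Caddy for reachability.

```python
from graphlib import TopologicalSorter

# Constructed from the Critical Dependency Table: service -> what it needs.
# Assumption: published apps are modelled as needing Caddy (reachability).
DEPENDS_ON = {
    "Proxmox VE": set(),
    "OPNsense": {"Proxmox VE"},
    "Technitium": {"Proxmox VE"},
    "CT 101 Podman": {"Proxmox VE"},
    "Caddy": {"Proxmox VE", "OPNsense"},
    "PostgreSQL": {"CT 101 Podman"},
    "Forgejo": {"CT 101 Podman", "PostgreSQL", "Caddy"},
    "Vaultwarden": {"CT 101 Podman", "PostgreSQL", "Caddy"},
    "Adminer": {"CT 101 Podman", "Caddy"},
    "Dozzle": {"CT 101 Podman", "Caddy"},
    "Forgejo Runner": {"CT 101 Podman"},
}

def validation_layers(graph=DEPENDS_ON):
    """Return layers to validate in order, foundation first."""
    ts = TopologicalSorter(graph)
    ts.prepare()  # raises CycleError on a circular dependency
    layers = []
    while ts.is_active():
        ready = sorted(ts.get_ready())
        layers.append(ready)
        ts.done(*ready)
    return layers

def all_dependencies(service, graph=DEPENDS_ON):
    """Everything `service` needs, directly or transitively."""
    seen, stack = set(), list(graph[service])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph[dep])
    return seen

def blast_radius(failed, graph=DEPENDS_ON):
    """Services that stop working when `failed` is down."""
    return sorted(s for s in graph if failed in all_dependencies(s, graph))

def shared_suspects(failing, graph=DEPENDS_ON):
    """Dependencies common to every failing service, foundation first."""
    common = set.intersection(*(all_dependencies(s, graph) for s in failing))
    return [s for layer in validation_layers(graph) for s in layer if s in common]

if __name__ == "__main__":
    print(validation_layers(), shared_suspects(["Forgejo", "Vaultwarden"]))
```

Validate the entries returned by `shared_suspects` one at a time in the order given, rather than restarting them together.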

References

  • Docker network membership captured June 9, 2026
  • OPNsense, CT 101, Caddy, and Technitium target architecture updated June 22, 2026