Service Dependency Map
Overview
This page shows the major runtime relationships and identifies the systems that
can cause broad outages. The June 9, 2026 map was
Docker/Traefik/pfSense-centered. The current recovery architecture is
OPNsense, Technitium, Caddy, and CT 101 rootless Podman.
Architecture
flowchart TD
Users --> DNS["Technitium 192.168.2.2"]
Users --> FW["OPNsense VM 100"]
FW --> Caddy["Caddy ingress 192.168.2.3"]
Caddy --> Forgejo
Caddy --> Vaultwarden
Caddy --> Adminer
Caddy --> Dozzle
Forgejo --> Runner["Forgejo Runner"]
Vaultwarden --> PostgreSQL
Adminer --> PostgreSQL
PVE["Proxmox pve"] --> FW
PVE --> Podman["CT 101 rootless Podman"]
PVE --> DNS
PVE --> Caddy
PVE --> NAS["Synology NAS"]
Podman --> PostgreSQL
Podman --> Forgejo
Podman --> Vaultwarden
Podman --> Adminer
Podman --> Dozzle
Podman --> Runner
Critical Dependency Table
| Dependency | Consumers | Failure effect |
|---|---|---|
| OPNsense | LAN, DMZ, WAN, VPN, DNS enforcement, Caddy port forwards | Broad loss of routing, internet access, and ingress |
| Proxmox VE | Firewall VM, CT 101, Caddy LXC, Technitium LXC | Broad infrastructure outage |
| Technitium 192.168.2.2 | LAN clients, internal names, CT 101 after migration | Name resolution failures |
| Caddy 192.168.2.3 | Published web applications | HTTPS applications unavailable |
| Rootless Podman CT 101 | Forgejo, Vaultwarden, Adminer, Dozzle, PostgreSQL, Forgejo runner | Restored application stack unavailable |
| PostgreSQL | Forgejo and Vaultwarden | Dependent applications fail or become read-only |
| Synology RS816 | Proxmox backups and media | Backup target and shares unavailable |
Network Flow
- Clients resolve names through Technitium at 192.168.2.2.
- Routed traffic crosses OPNsense.
- HTTPS reaches Caddy on the ingress LXC, suggested 192.168.2.3.
- Caddy reverse proxies to CT 101 high ports on 192.168.2.20.
- Applications reach PostgreSQL on the rootless Podman kh3-backend network.
- Admin-only tools such as Adminer and Dozzle must remain blocked or protected until Caddy OIDC/admin policy is configured and validated.
Operational Procedures
During an incident, validate dependencies from the bottom of the diagram upward. Do not restart every layer at once; doing so destroys useful evidence and expands the outage.
Troubleshooting
- Multiple web applications failing with working DNS: check Caddy first, then CT 101 high ports.
- Multiple data-backed applications failing while static sites work: check the relevant database.
- Forgejo Actions unavailable while Forgejo is reachable: check the runner user unit on CT 101; it was in a failed state during the June 26, 2026 check.
- All DMZ services unreachable: check OPNsense, Proxmox, and LXC state.
- LAN clients failing by name but working by IP: check Technitium and OPNsense DNS enforcement.
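The triage rules above can be derived from the Critical Dependency Table instead of memorized. The following is an added example, not part of the original runbook: it encodes the table's service rows (non-service consumers such as LAN clients and backups are left out), assumes Caddy's "published web applications" are the four apps Caddy points to in the flowchart, and lists the shared dependencies that explain every observed failure without contradicting a healthy observation.

```python
# Added example, not part of the original runbook. Direct "if this fails,
# these fail" edges for services only, from the Critical Dependency Table.
# Assumption: Caddy's "published web applications" are the four apps that
# Caddy points to in the flowchart.
IMPACTS = {
    "Proxmox VE": {"OPNsense", "Rootless Podman CT 101", "Caddy", "Technitium"},
    "OPNsense": {"Caddy"},
    "Technitium": set(),
    "Caddy": {"Forgejo", "Vaultwarden", "Adminer", "Dozzle"},
    "Rootless Podman CT 101": {"Forgejo", "Vaultwarden", "Adminer", "Dozzle",
                               "PostgreSQL", "Forgejo runner"},
    "PostgreSQL": {"Forgejo", "Vaultwarden"},
}


def blast_radius(component, impacts=IMPACTS):
    """Everything that fails, directly or transitively, if `component` fails."""
    seen, stack = set(), [component]
    while stack:
        for consumer in impacts.get(stack.pop(), ()):
            if consumer not in seen:
                seen.add(consumer)
                stack.append(consumer)
    return seen


def suspects(failing, healthy, impacts=IMPACTS):
    """Shared dependencies that explain every failure and are not ruled out
    by a healthy observation, narrowest blast radius first."""
    failing, healthy = set(failing), set(healthy)
    found = []
    for component in impacts:
        radius = blast_radius(component, impacts)
        explains_all = bool(failing) and failing <= radius
        # A dependency is ruled out if it, or anything it would take down,
        # has been observed working.
        contradicted = component in healthy or bool(radius & healthy)
        if explains_all and not contradicted:
            found.append((len(radius), component))
    return [name for _, name in sorted(found)]


if __name__ == "__main__":
    web = {"Forgejo", "Vaultwarden", "Adminer", "Dozzle"}
    print(suspects(web, healthy={"Technitium"}))
    print(suspects({"Forgejo", "Vaultwarden"}, healthy={"Adminer", "Dozzle"}))
    print(suspects({"Forgejo runner"}, healthy={"Forgejo"}))
```

An empty result means no shared dependency explains the symptom, so the failing component itself is the place to look, as with the runner user unit case above.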
Related Systems
References
- Docker network membership captured June 9, 2026
- OPNsense, CT 101, Caddy, and Technitium target architecture updated June 22, 2026