🏗️ Infrastructure Lab: The Urithiru Project

📜 Executive Summary

The Urithiru Homelab is a virtualized, software-defined data center (SDDC) built on Proxmox VE. This environment is designed to test enterprise-level concepts including Reverse Proxying, ZFS Storage, and Network Security.

By utilizing Nginx Proxy Manager, I have implemented a centralized entry point for all internal services, allowing for secure, domain-based access across the 10.0.0.x subnet.


🛠️ Compute Resources (The Nodes)

🏰 Urithiru (Proxmox VE)

Role: Type-1 Hypervisor

  • IP: 10.0.0.254
  • Port: 8006
  • Purpose: The hardware foundation. Manages the lifecycle of all virtual machines and Linux Containers (LXC).

🌀 The Oathgate (Nginx Proxy Manager)

Role: The Oathgate (Reverse Proxy)

  • IP: 10.0.0.240
  • Port: 81
  • Purpose: Manages SSL termination and traffic routing. It translates user-friendly domains (e.g., nas.wardeck.net) into backend service IPs and ports.
  • STATUS: REMOVED & REPLACED WITH CADDY

🪶 Windrunner (Terminal Workstation)

  • Role: Static Site Development (Hugo)
  • IP: 10.0.0.220
  • Port: 1313
  • Deployment: GitHub -> Cloudflare Pages (CI/CD)
  • Cleaning: Automated via Cloudflare’s ephemeral build environment.
  • Alias: hugodev (mapped to hugo server -D -p 1313 --bind 0.0.0.0)
  • Purpose: Host for wardeck.net development. Accessed internally through NPM so that development traffic traverses the reverse proxy the way production traffic does.

🧱 Stoneward (TrueNAS Scale)

Role: Data Integrity & Application Hosting

  • IP: 10.0.0.250
  • Port: 8080
  • Storage Logic: ZFS RAID-Z1 for bit-rot protection and snapshots. Two 1 TB HDDs are passed through from Proxmox to TrueNAS for the ZFS pool.

Hosted Services (Apps/Datasets):

  • 🛡️ Vaultwarden: Self-hosted, Bitwarden-compatible server for encrypted credential management across the lab (vault.wardeck.net).
  • 📸 Immich: High-performance photo and video backup, serving as a self-hosted alternative to Google Photos (photos.wardeck.net).
  • 🔄 Syncthing: Continuous file synchronization bridging data between Windrunner (Dev) and local workstations.
  • 🌐 Tailscale: Mesh-VPN node providing secure, "zero-config" remote access to the Urithiru network from anywhere.

👁️‍🗨️ Truthwatcher (AdGuard Home)

Role: DNS & Network Privacy

  • IP: 10.0.0.230
  • Secondary AdGuard Server: 10.0.0.235
  • Virtual IP Address: 10.0.0.231
  • Purpose: Resolves local DNS queries and holds the "DNS Rewrite" rules that point *.wardeck.net at the NPM "Oathgate." Keepalived floats the 10.0.0.231 VIP between the two AdGuard servers; if the Proxmox host dies, the secondary takes over the address.

🤝 Bondsmith (Home Assistant)

Role: IoT Orchestration

  • IP: 10.0.0.210
  • Purpose: Centralized automation hub for localized hardware integration.

👤 TRUTHLESS | Raspberry Pi Edge Node

  • Hardware: Raspberry Pi 4 (Docker Host)
  • IP Address: 10.0.0.200
  • Role: External health-check node running Uptime Kuma. Hosting IT-Tools.
  • 📊 Uptime Kuma | uptime.wardeck.net
    • Role: Monitoring the heartbeat of the Shattered Plains (Home Lab).
  • 🛠️ IT-Tools | tools.wardeck.net
    • Role: Swiss Army Knife for Docker/A+ Study (Subnet calcs, hashing, etc.).
  • STATUS: REMOVED

+++
date = '2026-03-22T13:45:00-05:00'
draft = false
title = 'Homelab Master Documentation'
+++

🏗️ Infrastructure Lab: The Urithiru Project (v2.0)

📜 Executive Summary

The Urithiru Homelab is a virtualized, software-defined data center (SDDC) built on Proxmox VE. This environment focuses on Reverse Proxying, Internal CA/SSL, and High-Availability DNS.

The core network utilizes Caddy for internal encryption and Cloudflare Tunneling for secure remote access. DNS is managed by a redundant AdGuard Home cluster to eliminate single points of failure.


🛠️ Compute Resources (The Nodes)

[Physical Host] Urithiru

Role: Type-1 Hypervisor (Proxmox VE)

  • IP: 10.0.0.254
  • Access: Managed via https://10.0.0.254:8006.

[Entry Point] Caddy LXC

Role: The Oathgate (Proxy & Tunnel)

  • IP: 10.0.0.241
  • Purpose: Manages Internal TLS for local domains and hosts the Cloudflare Tunnel connector.

[VM] Stoneward (TrueNAS Scale)

Role: Data Integrity & Storage

  • IP: 10.0.0.250
  • Hosted Services:
    • 📸 Immich: Photo/video backup (photos.wardeck.net) -> 10.0.0.250:2283
    • 📚 Audiobookshelf: Media server (books.wardeck.net) -> 10.0.0.250:30067
    • 🛡️ Vaultwarden: Credential management -> https://10.0.0.250:30033

[LXC] Truthwatcher (Primary DNS)

Role: Primary DNS Resolver

  • IP: 10.0.0.230
  • Virtual IP (VIP): 10.0.0.231

[Physical] Pattern (Backup DNS)

Role: Failover DNS Node (Raspberry Pi 2B)

  • IP: 10.0.0.235
  • Logic: Standby mode; assumes the VIP (10.0.0.231) only if .230 becomes unreachable.

[Physical] Spare Node (Planned)

Role: Meshtastic BBS / LoRa Gateway (Raspberry Pi 4)

  • Status: Evaluating deployment of Meshtastic BBS.

🔄 Network Logic & Traffic Flow

1. The DNS Failover Pipeline

The lab utilizes Keepalived (VRRP) to maintain a “Floating IP” for DNS.

  • Primary: Truthwatcher (10.0.0.230)
  • Backup: Pattern (10.0.0.235)
  • Floating VIP: 10.0.0.231
  • Failover: If .230 fails, .235 claims the .231 address, ensuring zero loss of connectivity.
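The two keepalived.conf files differ only in VRRP state, priority and peer address, so the script below renders either one from the addresses listed above. It is an added example for this write-up, not a file from the lab: the instance name VI_DNS, virtual_router_id 51, the /24 prefix, the eth0 interface, the CHANGEME secret and the /usr/local/bin/chk_adguard.sh path are all assumptions. It also adds a tracked check that lowers the node's priority when the local AdGuard stops answering, so the VIP follows the DNS service itself rather than only the host being up.

```shell
#!/bin/sh
# render_keepalived.sh: emit keepalived.conf for one of the two AdGuard nodes.
# Added example for this write-up, not a file from the lab. Addresses come from
# the page; VI_DNS, virtual_router_id 51, the /24 prefix, the interface name,
# the CHANGEME secret and the chk_adguard.sh path are assumptions.

VIP="10.0.0.231"
PRIMARY="10.0.0.230"   # Truthwatcher (LXC on Proxmox)
BACKUP="10.0.0.235"    # Pattern (Raspberry Pi 2B)

# render_keepalived_conf <MASTER|BACKUP> <priority> [interface]
# Both files share virtual_router_id, secret and VIP; only state, priority and
# the peer address differ. The higher priority wins the VRRP election.
render_keepalived_conf() {
    role="$1"; priority="$2"; iface="${3:-eth0}"
    case "$role" in
        MASTER) me="$PRIMARY"; peer="$BACKUP" ;;
        BACKUP) me="$BACKUP";  peer="$PRIMARY" ;;
        *) echo "role must be MASTER or BACKUP" >&2; return 1 ;;
    esac
    cat <<EOF
global_defs {
    router_id $(printf '%s' "$role" | tr 'A-Z' 'a-z')-dns
    # Refuse to run check scripts that a non-root user could edit.
    enable_script_security
    script_user root
}

# Hold the VIP only while AdGuard answers, not merely while the host is up.
# Three consecutive failures subtract 60 from priority: MASTER 150 -> 90,
# which is below BACKUP 100, so the VIP moves to Pattern.
vrrp_script chk_adguard {
    script "/usr/local/bin/chk_adguard.sh"
    interval 2
    fall 3
    rise 2
    weight -60
}

vrrp_instance VI_DNS {
    state $role
    interface $iface
    virtual_router_id 51
    priority $priority
    advert_int 1
    # Unicast VRRP: advertisements go straight to the peer, so the LAN
    # does not need to carry multicast for failover to work.
    unicast_src_ip $me
    unicast_peer {
        $peer
    }
    authentication {
        auth_type PASS
        auth_pass CHANGEME
    }
    virtual_ipaddress {
        $VIP/24 dev $iface
    }
    track_script {
        chk_adguard
    }
}
EOF
}

# chk_adguard_script: body for /usr/local/bin/chk_adguard.sh (install mode 0700).
# Exits 0 only if the local AdGuard answers a lab rewrite with Caddy's address.
chk_adguard_script() {
    cat <<'EOF'
#!/bin/sh
dig +short +time=1 +tries=1 @127.0.0.1 books.wardeck.net | grep -qx '10.0.0.241'
EOF
}

# Usage: sh render_keepalived.sh MASTER 150 eth0 > /etc/keepalived/keepalived.conf
#        sh render_keepalived.sh BACKUP 100 eth0 > /etc/keepalived/keepalived.conf
case "${1:-}" in
    MASTER|BACKUP) render_keepalived_conf "$@" ;;
esac
```

The weight is chosen so that a failed check on Truthwatcher drops it below Pattern's static priority; without the track_script, keepalived would keep the VIP on a host whose AdGuard process has crashed while the kernel still answers VRRP, and every client on the LAN would lose resolution.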

2. Internal Traffic (The “Secure” Lane)

  1. Request: User hits books.wardeck.net.
  2. DNS: AdGuard (via .231) rewrites the request to Caddy (10.0.0.241).
  3. TLS: Caddy terminates the TLS handshake with a certificate issued by its internal CA (the tls internal directive).
  4. Proxy: Traffic is forwarded to 10.0.0.250:30067.
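On the Caddy side, the "Secure Lane" is one site block per hostname: tls internal plus a reverse_proxy to the backend from the Stoneward service list. The renderer below is an added example, not the lab's own Caddyfile; the hostnames and backend ports are taken from this page, while /etc/caddy/stoneward-ca.pem is an assumed path for the CA that signed Vaultwarden's own certificate.

```shell
#!/bin/sh
# render_caddyfile.sh: build the Oathgate Caddyfile from a hostname=upstream list.
# Added example, not the lab's own Caddyfile. Hostnames and ports are from this
# page; /etc/caddy/stoneward-ca.pem is an assumed path for the CA that signed
# Vaultwarden's certificate.

# Constructed from the Stoneward service list: one "<hostname>=<upstream>" per line.
SITES='books.wardeck.net=10.0.0.250:30067
photos.wardeck.net=10.0.0.250:2283
vault.wardeck.net=https://10.0.0.250:30033'

# render_site <hostname> <upstream>
# "tls internal" issues the leaf from Caddy's own local CA, so no public
# certificate authority is involved for names that only resolve inside the lab.
render_site() {
    host="$1"; upstream="$2"
    printf '%s {\n' "$host"
    printf '\ttls internal\n'
    case "$upstream" in
        https://*)
            # The backend already speaks TLS with its own certificate. Verify it
            # against the CA that issued it instead of tls_insecure_skip_verify.
            printf '\treverse_proxy %s {\n' "$upstream"
            printf '\t\ttransport http {\n'
            printf '\t\t\ttls_trusted_ca_certs /etc/caddy/stoneward-ca.pem\n'
            printf '\t\t}\n\t}\n'
            ;;
        *)
            # Plain HTTP to the backend stays on the lab LAN behind Caddy.
            printf '\treverse_proxy %s\n' "$upstream"
            ;;
    esac
    printf '}\n\n'
}

# render_caddyfile: emit every site block; the output is a complete Caddyfile.
render_caddyfile() {
    printf '%s\n' "$SITES" | while IFS='=' read -r host upstream; do
        if [ -n "$host" ]; then
            render_site "$host" "$upstream"
        fi
    done
}

# Usage: sh render_caddyfile.sh --emit > /etc/caddy/Caddyfile
#        caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile
#        systemctl reload caddy
if [ "${1:-}" = "--emit" ]; then
    render_caddyfile
fi
```

Clients still have to trust Caddy's local root (on a systemd install it typically lives under /var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt); if that root is not distributed to the LAN's browsers, every visit produces a certificate warning and users learn to click through, which defeats the point of terminating TLS internally.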

🛡️ System Hardening & Maintenance

  • Firewall (UFW): Strict rules allowing only SSH (22), HTTP/S (80/443), and Hugo (1313).
  • Health Checks: Custom dns-health.sh script monitors VIP status and AdGuard rule counts.
  • Sync: adguardhome-sync mirrors configurations from the Primary VM to the Pi every 5 minutes.
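A health check of the kind dns-health.sh performs, written here as an added example rather than the lab's own script: it reports whether the node currently holds the VIP, whether the local AdGuard still rewrites a lab name to Caddy, and how many filtering rules are loaded. The parsing lives in functions that take text as input so it can be exercised offline. The AdGuard admin port 3000 and the ADGUARD_AUTH user:password variable are assumptions about this deployment; /control/filtering/status is AdGuard Home's documented API endpoint.

```shell
#!/bin/sh
# dns-health.sh (added example, not the lab's own script): report whether this
# node holds the DNS VIP, whether the local AdGuard still rewrites a lab name to
# Caddy, and how many filtering rules are loaded. Addresses are from the page;
# the AdGuard admin port 3000 and the ADGUARD_AUTH user:password variable are
# assumptions. /control/filtering/status is AdGuard Home's documented endpoint.

VIP="10.0.0.231"
PROBE_NAME="books.wardeck.net"
EXPECT_IP="10.0.0.241"
ADGUARD_API="${ADGUARD_API:-http://127.0.0.1:3000}"

# vip_held <output of `ip -4 addr show`>: true if the VIP is bound locally.
# Fixed-string match so the dots in the address are not regex wildcards.
vip_held() {
    printf '%s\n' "$1" | grep -Fq "inet $VIP/"
}

# rewrite_ok <output of `dig +short`>: true if the first answer is Caddy's address.
# An empty string (timeout, AdGuard down) and a public address (rewrite lost,
# upstream answered instead) both count as failure.
rewrite_ok() {
    [ "$(printf '%s\n' "$1" | head -n 1)" = "$EXPECT_IP" ]
}

# rule_count <JSON from /control/filtering/status>: sum of rules_count over all
# filter lists. Uses grep/awk so it runs on a stock Pi image without jq.
rule_count() {
    printf '%s' "$1" \
        | grep -Eo '"rules_count":[[:space:]]*[0-9]+' \
        | grep -Eo '[0-9]+$' \
        | awk '{ s += $1 } END { print s + 0 }'
}

# fetch_filter_status: GET the filtering status, with Basic auth if configured.
fetch_filter_status() {
    if [ -n "${ADGUARD_AUTH:-}" ]; then
        curl -fsS -u "$ADGUARD_AUTH" "$ADGUARD_API/control/filtering/status"
    else
        curl -fsS "$ADGUARD_API/control/filtering/status"
    fi
}

# check_all: run the live probes, print one line each, exit 1 if DNS is unhealthy.
# Not holding the VIP is informational only: it is normal on the standby node.
check_all() {
    rc=0
    if vip_held "$(ip -4 addr show)"; then
        echo "VIP $VIP: held by this node"
    else
        echo "VIP $VIP: not held (standby, or failed over)"
    fi
    if rewrite_ok "$(dig +short +time=2 +tries=1 @127.0.0.1 "$PROBE_NAME")"; then
        echo "rewrite $PROBE_NAME -> $EXPECT_IP: ok"
    else
        echo "rewrite $PROBE_NAME: WRONG OR NO ANSWER"; rc=1
    fi
    n=$(rule_count "$(fetch_filter_status 2>/dev/null)")
    if [ "$n" -gt 0 ]; then
        echo "AdGuard rules loaded: $n"
    else
        echo "AdGuard rules loaded: 0 (API unreachable or no filters)"; rc=1
    fi
    return $rc
}

# Usage: ADGUARD_AUTH='admin:secret' sh dns-health.sh --run   (e.g. from cron)
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

A rule count that suddenly drops to zero on the Pi while the primary still reports tens of thousands is the signature of a broken adguardhome-sync run, and the rewrite probe catches the failure mode where AdGuard is up but the *.wardeck.net rewrite has been lost and queries are leaking to the upstream resolver.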

🚀 Current Roadmap

  • Migration from NPM to Caddy
  • Cloudflare Tunnel consolidation on Caddy LXC
  • Maintain DNS Failover logic (Truthwatcher <-> Pattern)
  • Deploy Meshtastic BBS on Raspberry Pi 4
  • Implement automated ZFS snapshot replication to off-site storage