πŸ—οΈ Infrastructure Lab: The Urithiru Project

📜 Executive Summary

The Urithiru Homelab is a virtualized, software-defined data center (SDDC) built on Proxmox VE. This environment is designed to test enterprise-level concepts including Reverse Proxying, ZFS Storage, and Network Security.

By utilizing Nginx Proxy Manager, I have implemented a centralized entry point for all internal services, allowing for secure, domain-based access across the 10.0.0.x subnet.


πŸ› οΈ Compute Resources (The Nodes)

[Physical Host] Urithiru

Role: Type-1 Hypervisor (Proxmox VE)

  • IP: 10.0.0.175
  • Purpose: The hardware foundation. Manages the lifecycle of all virtual machines and Linux Containers (LXC).

[Entry Point] Nginx Proxy Manager (NPM)

Role: The Oathgate (Reverse Proxy)

  • IP: 10.0.0.155
  • Purpose: Manages SSL termination and traffic routing. It translates user-friendly domains (e.g., nas.wardeck.net) into backend service IPs and ports.

[VM] Windrunner

Role: Primary Web/Dev Node (Debian 12)

  • IP: 10.0.0.38
  • Purpose: Host for wardeck.net development. Accessed internally via NPM to simulate a production web-header environment.

[VM] Stoneward (TrueNAS Scale)

Role: Data Integrity & Application Hosting

  • IP: 10.0.0.229
  • Storage Logic: ZFS Raid-Z1 (or your specific setup) for bit-rot protection and snapshots.

Hosted Services (Apps/Datasets):

  • πŸ›‘οΈ VaultWarden: Self-hosted Bitwarden instance for encrypted credential management across the lab. vault.wardeck.net
  • πŸ“Έ Immich: High-performance photo and video backup solution, serving as a self-hosted alternative to Google Photos. photos.wardeck.net
  • πŸ”„ Syncthing: Continuous file synchronization service to bridge data between Windrunner (Dev) and local workstations.
  • 🌐 Tailscale: Mesh-VPN node allowing secure, “Zero-Config” remote access to the Urithiru network from anywhere in the world.

[VM/LXC] Truthwatcher

Role: DNS & Network Privacy (AdGuard Home)

  • IP: 10.0.0.23
  • Purpose: Resolves local DNS queries and provides the primary “DNS Rewrite” logic that points *.wardeck.net traffic toward the NPM “Oathgate.”

[VM] Bondsmith

Role: IoT Orchestration (Home Assistant)

  • IP: 10.0.0.18
  • Purpose: Centralized automation hub for localized hardware integration.

[External] Pattern

Role: Out-of-Band Monitoring (Raspberry Pi)

  • IP: DHCP Reserved
  • Purpose: External health-check node running Uptime Kuma.

🌐 The Traffic Flow (The Oathgate Logic)

Instead of accessing services via raw IPs, the lab utilizes a Reverse Proxy Pipeline:

  1. Request: User navigates to hugo.wardeck.net.
  2. DNS: Truthwatcher (AdGuard) rewrites the request to the NPM IP.
  3. Proxy: NPM receives the request and forwards it to 10.0.0.38:1313.
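  4. Security: NPM handles the SSL handshake, so traffic between the client and the proxy is encrypted. The forwarded hop from NPM to the backend is encrypted only if that backend is itself served over HTTPS.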
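
The pipeline above can be audited offline by tracing each hostname through the DNS rewrite and the proxy table and flagging hops that are unencrypted or unrouted. This is an added example, not the lab's own tooling: the rewrite and proxy tables are constructed, and only the NPM IP, the wildcard rule and the hugo upstream come from this page (the vault port and the URL schemes are assumptions).

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

NPM_IP = "10.0.0.155"  # the proxy address given on the page

# Constructed AdGuard-style rewrite table; the wildcard rule is the one the page describes.
DNS_REWRITES = {"*.wardeck.net": NPM_IP}

# Constructed NPM proxy-host table. Only the hugo upstream is from the page;
# the vault port and both URL schemes are assumptions for illustration.
PROXY_HOSTS = {
    "hugo.wardeck.net": "http://10.0.0.38:1313",
    "vault.wardeck.net": "https://10.0.0.229:8443",
}


def resolve(host):
    """Return the rewrite answer for host, preferring an exact rule over a wildcard."""
    if host in DNS_REWRITES:
        return DNS_REWRITES[host]
    for pattern, answer in DNS_REWRITES.items():
        if fnmatch(host, pattern):
            return answer
    return None


def trace(host):
    """Follow request -> DNS rewrite -> proxy host -> backend and record findings."""
    result = {"host": host, "resolves_to": resolve(host), "upstream": None, "findings": []}
    if result["resolves_to"] is None:
        result["findings"].append("no DNS rewrite: query goes to the upstream resolver")
    elif result["resolves_to"] != NPM_IP:
        result["findings"].append(f"bypasses proxy: resolves to {result['resolves_to']}")
    elif host not in PROXY_HOSTS:
        result["findings"].append("no proxy host configured for this name")
    else:
        result["upstream"] = PROXY_HOSTS[host]
        target = urlsplit(result["upstream"])
        if target.scheme != "https":
            result["findings"].append(f"plaintext hop from NPM to {target.netloc}")
    return result


if __name__ == "__main__":
    for name in ("hugo.wardeck.net", "vault.wardeck.net", "photos.wardeck.net"):
        print(trace(name))
```

With these tables, hugo.wardeck.net is flagged for a plaintext proxy-to-backend hop, and photos.wardeck.net for matching the wildcard rewrite without a proxy host behind it.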

🚀 Current Roadmap

  • Proxmox Host Configuration
  • Nginx Proxy Manager (SSL/Domain Setup)
  • Integration of Uptime Kuma for real-time latency monitoring.
  • Automated Backup off-site via TrueNAS.