# Networking Infrastructure - Technology Context

## Overview

Home lab networking infrastructure with a focus on reverse proxy configuration, SSL/TLS management, SSH key management, and network security. This context covers service discovery, load balancing, and performance optimization patterns.

## Architecture Patterns

### Reverse Proxy and Load Balancing

**Pattern**: Centralized traffic management with SSL termination

```nginx
# Nginx reverse proxy pattern
upstream backend {
    server 10.10.0.100:3000;
    server 10.10.0.101:3000;
    keepalive 32;                    # idle upstream connections kept per worker
}

server {
    listen 443 ssl http2;
    server_name myapp.homelab.local;

    ssl_certificate     /etc/ssl/certs/homelab.crt;
    ssl_certificate_key /etc/ssl/private/homelab.key;

    location / {
        proxy_pass http://backend;
        proxy_http_version 1.1;          # upstream keepalive needs HTTP/1.1 ...
        proxy_set_header Connection "";  # ... and no "Connection: close" header
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two things to check on the backend side. Traffic from the proxy to port 3000 is plaintext, so the backends must be reachable only from the proxy on the Services VLAN. And `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent rather than replacing it, so an application that logs or rate-limits by client address must take the last entry (the one this proxy added) or use `X-Real-IP`, and must ignore both headers on requests that did not arrive from the proxy.

### Network Segmentation Strategy

**Pattern**: VLAN-based isolation with controlled inter-VLAN routing

```
Management VLAN: 10.10.0.0/24    # VM management, SSH access
Services VLAN:   10.10.1.0/24    # Application services
Storage VLAN:    10.10.2.0/24    # NAS, backup traffic
DMZ VLAN:        10.10.10.0/24   # External-facing services
```

## SSH Key Management

### Centralized Key Distribution

**Pattern**: Automated SSH key deployment with emergency backup

```bash
# Primary access key (daily operations)
~/.ssh/homelab_rsa
# Emergency access key (backup recovery; keep the private key offline)
~/.ssh/emergency_homelab_rsa

# Automated deployment: hosts.txt holds one hostname per line.
# The list is read on fd 3 so that the ssh session started by
# ssh-copy-id cannot consume the remaining lines from stdin.
while read -r host <&3; do
    ssh-copy-id -i ~/.ssh/homelab_rsa.pub "user@$host"
    ssh-copy-id -i ~/.ssh/emergency_homelab_rsa.pub "user@$host"
done 3< hosts.txt
```

`ssh-copy-id` authenticates with whatever the host already accepts, so once password authentication is disabled (see SSH Security Hardening below) it must be run from a workstation that already holds a trusted key.

### Key Lifecycle Management

**Pattern**: Regular rotation with zero-downtime deployment

1. **Generation**: Create new key pairs annually
2. **Distribution**: Deploy to all managed systems
3. **Verification**: Test connectivity with new keys
4. **Rotation**: Remove old keys after verification
5. **Backup**: Store keys in secure, recoverable location

The order of steps 3 and 4 is what makes the rotation zero-downtime: an old key is removed from a host only after a login with the new key has succeeded on that host. The emergency key stays outside this loop so that a failed rotation never locks you out.

## Service Discovery and DNS

### Local DNS Resolution

**Pattern**: Internal DNS for service discovery

```bind
; Home lab DNS zone records (BIND zone files use ; for comments)
homelab.local.          IN  A   10.10.0.16   ; DNS server
proxmox.homelab.local.  IN  A   10.10.0.10   ; Hypervisor
nas.homelab.local.      IN  A   10.10.0.20   ; Storage
tdarr.homelab.local.    IN  A   10.10.0.43   ; Media server
```

`.local` is reserved for multicast DNS (RFC 6762). systemd-resolved, Avahi and macOS send `.local` lookups to mDNS instead of the unicast resolver, so clients on those systems may not resolve these names, and no public CA will issue certificates for them. An internal subdomain of a registered domain avoids both problems.

### Container Service Discovery

**Pattern**: Docker network-based service resolution

```yaml
# Docker Compose service discovery
version: "3.8"
services:
  web:
    networks:
      - frontend
      - backend
  api:
    networks:
      - backend
      - database
  db:
    networks:
      - database

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
  database:
    driver: bridge
    internal: true    # No external access
```

Containers resolve each other by service name only on networks they share, so `web` has no path to `db` at all; `internal: true` also blocks `db` from reaching the outside, which is the intended blast-radius limit for the database.

## Security Patterns

### SSH Security Hardening

**Configuration**: Secure SSH server setup

```sshd_config
# /etc/ssh/sshd_config.d/99-homelab-security.conf
# (Protocol 2 is the only protocol modern OpenSSH supports; the
#  directive was removed in 7.4 and now only logs a deprecation warning)
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers cal
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
X11Forwarding no
```

sshd keeps the first value it reads for each keyword. This drop-in therefore only takes effect if the `Include /etc/ssh/sshd_config.d/*.conf` line precedes any conflicting directive in `sshd_config` and no earlier-sorting drop-in sets the same keyword (Ubuntu cloud images ship `50-cloud-init.conf` with `PasswordAuthentication yes`, which wins over a `99-` file). Run `sshd -t` before reloading and `sshd -T` afterwards to confirm the effective values.

### Network Access Control

**Pattern**: Firewall-based service protection

```bash
# ufw firewall rules: deny by default, admit only from the Management VLAN
ufw default deny incoming
ufw default allow outgoing
ufw allow from 10.10.0.0/24 to any port 22 proto tcp
ufw allow from 10.10.0.0/24 to any port 80 proto tcp
ufw allow from 10.10.0.0/24 to any port 443 proto tcp
ufw enable
```

Do not add a bare `ufw allow ssh` alongside these rules: it admits port 22 from every source and makes the scoped rule meaningless. Hosts in the DMZ that must serve 80/443 to outside clients get a wider rule for those two ports only, never for 22.

### SSL/TLS Certificate Management

**Pattern**: Automated certificate lifecycle

```bash
# Let's Encrypt automation. Let's Encrypt issues only for names in public
# DNS (never for .local), and a wildcard needs the DNS-01 challenge, which
# the nginx (HTTP-01) authenticator cannot perform. homelab.example.com is
# a placeholder for a registered domain; the internal zone can still
# resolve names under it to private addresses.
certbot certonly --manual --preferred-challenges dns \
    --email admin@example.com \
    --agree-tos \
    --domains homelab.example.com,*.homelab.example.com

# Certificate renewal automation (crontab entry). A --manual certificate
# renews unattended only with a --manual-auth-hook that updates DNS; a
# provider plugin (certbot-dns-*) removes that step. Reload nginx only
# when a renewal actually happened.
0 2 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
```

If the lab must keep `.local` names, the alternative is a private CA whose root is distributed to every client; public issuance is not an option for those names.

## Performance Optimization

### Connection Management

**Pattern**: Optimized connection handling

```nginx
# Nginx performance tuning (directives shown in their required contexts)
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    keepalive_timeout 65;
    keepalive_requests 1000;

    gzip on;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/javascript;

    # Connection pooling: take a backend out after 3 failures for 30s
    upstream backend {
        server 10.10.0.100:3000 max_fails=3 fail_timeout=30s;
        keepalive 32;
    }
}
```

Compressing a response that contains both a secret (session or CSRF token) and attacker-influenced input exposes the secret through response sizes (BREACH). Keep gzip for static assets and public JSON; disable it for authenticated dynamic responses.

### Caching Strategies

**Pattern**: Multi-level caching architecture

```nginx
http {
    # Proxy cache storage belongs in the http context
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=app_cache:10m;

    server {
        # Static content caching: safe for versioned, immutable assets
        location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
            expires 1y;
            add_header Cache-Control "public, immutable";
        }

        # Proxy caching of upstream responses
        location / {
            proxy_pass http://backend;
            proxy_cache app_cache;
            proxy_cache_valid 200 302 10m;
        }
    }
}
```

The failure mode of a shared proxy cache is serving one user's authenticated response to another. nginx will not cache responses carrying `Set-Cookie` or `Cache-Control: private`/`no-store` unless `proxy_ignore_headers` is used to override that, so leave it off for authenticated paths, and make sure the default cache key (`$scheme$proxy_host$request_uri`) covers everything that varies the response.

## Network Storage Integration

### CIFS/SMB Mount Resilience

**Pattern**: Robust network filesystem mounting

```fstab
# /etc/fstab entry. fstab has no line continuation, so all options stay on one line.
//nas.homelab.local/media  /mnt/media  cifs  credentials=/etc/cifs/credentials,uid=1000,gid=1000,file_mode=0644,dir_mode=0755,iocharset=utf8,cache=strict,actimeo=30,_netdev,reconnect,soft,rsize=1048576,wsize=1048576  0  0
```

`/etc/cifs/credentials` holds the SMB password in clear text and must be root-owned with mode 0600. Pin the dialect with `vers=3.0` or higher so the mount can never negotiate down to SMB1. `soft` returns I/O errors to applications instead of hanging when the NAS is unreachable, which is right for media playback; a backup job writing to such a mount must check its exit status.

## Monitoring and Observability

### Network Health Monitoring

**Pattern**: Automated connectivity verification

```bash
#!/bin/bash
# network-health-check.sh
HOSTS="10.10.0.10 10.10.0.20 10.10.0.43"
DNS_SERVERS="10.10.0.16 8.8.8.8"

for host in $HOSTS; do
    if ping -c1 -W5 "$host" >/dev/null 2>&1; then
        echo "✅ $host: Reachable"
    else
        echo "❌ $host: Unreachable"
    fi
done

for dns in $DNS_SERVERS; do
    if nslookup google.com "$dns" >/dev/null 2>&1; then
        echo "✅ DNS $dns: Working"
    else
        echo "❌ DNS $dns: Failed"
    fi
done
```

Resolving `google.com` through 10.10.0.16 only proves recursion works; query an internal name as well, or a broken local zone goes unnoticed.

### Service Availability Monitoring

**Pattern**: HTTP/HTTPS endpoint monitoring

```bash
# Service health check. Proxmox serves its web UI over TLS only on 8006,
# so the URL must be https.
SERVICES="https://homelab.local https://proxmox.homelab.local:8006"

for service in $SERVICES; do
    if curl -sSf --max-time 10 "$service" >/dev/null 2>&1; then
        echo "✅ $service: Available"
    else
        echo "❌ $service: Unavailable"
    fi
done
```

If the lab certificates are not issued by a CA in the system trust store, pass the lab CA with `--cacert` rather than disabling verification with `-k`; otherwise the check reports the service down, or, with `-k`, stops noticing a bad certificate.

## Common Integration Patterns

### Reverse Proxy with Docker

**Pattern**: Container service exposure

```nginx
# Dynamic service discovery with Docker: container names resolve through
# Docker's embedded DNS when nginx shares a network with them
location /api/ {
    proxy_pass http://api-container:3000/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}

location /web/ {
    proxy_pass http://web-container:8080/;
    proxy_http_version 1.1;                    # the Upgrade handshake is HTTP/1.1
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";     # WebSocket support
}
```

nginx resolves a hostname in `proxy_pass` once at startup, so a recreated container with a new address is not picked up until reload. To re-resolve, set `resolver 127.0.0.11 valid=30s;` and put the target in a variable that `proxy_pass` references.

### VPN Integration

**Pattern**: Secure remote access

```openvpn
# OpenVPN server configuration
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.10.0.0 255.255.0.0"   # Home lab networks
keepalive 10 120
```

The pushed /16 covers every VLAN at once. Pushed routes only tell the client where to send packets; what a VPN client may reach has to be enforced by firewall rules on the 10.8.0.0/24 subnet. Adding `tls-crypt` with a shared key (not shown in this fragment) rejects unauthenticated handshake packets before the TLS stack sees them.

## Best Practices

### Security Implementation

1. **SSH Keys Only**: Disable password authentication everywhere
2. **Network Segmentation**: Use VLANs for isolation
3. **Certificate Management**: Automate SSL/TLS certificate lifecycle
4. **Access Control**: Implement least-privilege networking
5. **Monitoring**: Continuous network and service monitoring

### Performance Optimization

1. **Connection Pooling**: Reuse connections for efficiency
2. **Caching**: Implement multi-level caching strategies
3. **Compression**: Enable gzip for reduced bandwidth
4. **Keep-Alives**: Optimize connection persistence
5. **CDN Strategy**: Cache static content effectively

### Operational Excellence

1. **Documentation**: Maintain network topology documentation
2. **Automation**: Script routine network operations
3. **Backup**: Regular configuration backups
4. **Testing**: Regular connectivity and performance testing
5. **Change Management**: Controlled network configuration changes

This technology context provides guidance for implementing robust networking infrastructure in home lab environments.
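The five steps under Key Lifecycle Management, carried out as one script. This is an added example, not the page's own tooling or any project's code. It assumes `hosts.txt` holds one `user@host` per line, that the old key is the page's `~/.ssh/homelab_rsa`, that the new key is an ed25519 key generated as shown in the comment, and that the emergency key is never touched. The `authorized_keys` helpers are plain file operations so they can be exercised locally; `rotate_host` runs the same logic remotely, first with the old key and, after verification, with the new one. The two sample key lines are constructed for local testing and are not real keys.

```shell
#!/bin/sh
# ssh-key-rotate.sh: zero-downtime rotation of the daily-operations key.
# Added example; not the page's own tooling. Assumptions: hosts.txt lists one
# user@host per line, the old key is ~/.ssh/homelab_rsa, the new key is an
# ed25519 key generated here, and the emergency key is never touched.
#
# Step 1, generation (run once on the admin workstation):
#   ssh-keygen -t ed25519 -f ~/.ssh/homelab_2025 -C "homelab-ops-2025"

# ---- authorized_keys helpers (local file operations) ----------------------

# key_id PUBKEY_LINE -> "type base64": the identity of a key, ignoring its comment
key_id() {
    printf '%s\n' "$1" | awk '{ print $1 " " $2 }'
}

# has_key FILE PUBKEY_LINE
has_key() {
    [ -f "$1" ] && grep -qF -- "$(key_id "$2")" "$1"
}

# add_key FILE PUBKEY_LINE: append if absent; a changed comment is not a new key
add_key() {
    if has_key "$1" "$2"; then
        return 0
    fi
    ( umask 077; printf '%s\n' "$2" >> "$1" )   # a new file is created 0600
}

# remove_key FILE PUBKEY_LINE: drop every line carrying this key identity
remove_key() {
    tmp="$1.$$"
    grep -vF -- "$(key_id "$2")" "$1" > "$tmp" || true   # grep exits 1 when nothing remains
    chmod 600 "$tmp" && mv "$tmp" "$1"
}

# count_keys FILE
count_keys() {
    wc -l < "$1" | tr -d ' '
}

# ---- remote rotation ------------------------------------------------------

SSH_OPTS="-o BatchMode=yes -o IdentitiesOnly=yes -o ConnectTimeout=5"

# rotate_host USER@HOST OLD_KEY NEW_KEY
# Steps 2-4 of the lifecycle: distribute with the old key, verify with the new
# key, and remove the old key only after that verification succeeded.
rotate_host() {
    target="$1"; old="$2"; new="$3"
    newpub=$(cat "$new.pub")
    oldid=$(key_id "$(cat "$old.pub")")
    newid=$(key_id "$newpub")

    # 2. Distribution: append the new key using the old key (idempotent)
    ssh $SSH_OPTS -i "$old" "$target" "umask 077; mkdir -p ~/.ssh; \
        grep -qF -- '$newid' ~/.ssh/authorized_keys 2>/dev/null || \
        printf '%s\n' '$newpub' >> ~/.ssh/authorized_keys" || return 1

    # 3. Verification: a login with the new key must succeed before anything is removed
    if ! ssh $SSH_OPTS -i "$new" "$target" true; then
        echo "$target: new key rejected, old key left in place" >&2
        return 1
    fi

    # 4. Rotation: remove the old key, authenticating with the new one
    ssh $SSH_OPTS -i "$new" "$target" "grep -vF -- '$oldid' ~/.ssh/authorized_keys \
        > ~/.ssh/authorized_keys.new; mv ~/.ssh/authorized_keys.new ~/.ssh/authorized_keys"
}

# rotate_fleet HOSTS_FILE OLD_KEY NEW_KEY: the list is read on fd 3 so ssh
# cannot swallow the remaining hosts from stdin; one failure does not stop the run
rotate_fleet() {
    while read -r target <&3; do
        [ -n "$target" ] || continue
        if rotate_host "$target" "$2" "$3"; then
            echo "$target: rotated"
        else
            echo "$target: FAILED" >&2
        fi
    done 3< "$1"
}

# Constructed sample keys for local testing of the helpers (not real keys)
OLD_KEY_SAMPLE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOldKeyOldKeyOldKeyOldKeyOldKeyOldKeyOldKey homelab-ops-2024'
NEW_KEY_SAMPLE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewKeyNewKeyNewKeyNewKeyNewKeyNewKeyNewKey homelab-ops-2025'

# Usage: ./ssh-key-rotate.sh hosts.txt ~/.ssh/homelab_rsa ~/.ssh/homelab_2025
if [ $# -eq 3 ]; then
    rotate_fleet "$1" "$2" "$3"
fi
```

Matching keys on the type and base64 fields rather than the whole line is deliberate: the comment field is free text, and a rotation that compares whole lines can leave an old key behind just because someone edited its comment on one host. Step 5 (backup) is outside the script: the new private key goes into the same offline store as the emergency key before `rotate_fleet` runs.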
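A check for the SSH Security Hardening drop-in, as an added example that is not part of the page. Because sshd keeps the first value it reads, the only reliable way to know what `99-homelab-security.conf` achieved is to compare the effective configuration printed by `sshd -T` (lowercase `keyword value` lines) against the intended values. The script reads such a dump from a file; the sample dump below is constructed to show what a host looks like when an earlier-sorting drop-in has won, and was not captured from a real system.

```shell
#!/bin/sh
# sshd-audit.sh: check the values sshd will actually enforce.
# Added example, not from the page. sshd_config is first-value-wins: the
# 99-homelab-security.conf drop-in loses to any earlier-sorting drop-in
# (Ubuntu's 50-cloud-init.conf sets PasswordAuthentication yes) and to any
# directive placed before the Include line in sshd_config. `sshd -T` dumps
# the effective configuration as lowercase "keyword value" lines, which is
# what this script reads.

# Expected values for the hardening drop-in (keywords as sshd -T prints them)
EXPECTED='passwordauthentication no
pubkeyauthentication yes
permitrootlogin no
x11forwarding no
maxauthtries 3'

# audit_sshd DUMP_FILE
# Prints one line per deviation and returns 1 if any was found:
#   MISSING <keyword>
#   MISMATCH <keyword> expected=<want> actual=<got>
audit_sshd() {
    dump="$1"
    findings=$(
        printf '%s\n' "$EXPECTED" | while read -r key want; do
            got=$(awk -v k="$key" '$1 == k { print $2; exit }' "$dump")
            if [ -z "$got" ]; then
                printf 'MISSING %s\n' "$key"
            elif [ "$got" != "$want" ]; then
                printf 'MISMATCH %s expected=%s actual=%s\n' "$key" "$want" "$got"
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# audit_live: run against the local daemon. sshd -T needs root to read the
# host keys; add -C user=...,addr=... to evaluate a Match block.
audit_live() {
    tmp=$(mktemp) || return 1
    rc=0
    { sshd -T > "$tmp" && audit_sshd "$tmp"; } || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: what sshd -T shows when 50-cloud-init.conf wins over
# 99-homelab-security.conf (not captured from a real host)
SAMPLE_DUMP_BAD='port 22
passwordauthentication yes
pubkeyauthentication yes
permitrootlogin prohibit-password
x11forwarding no
maxauthtries 6'

# Usage: ./sshd-audit.sh --demo   (sample dump)   |   sudo ./sshd-audit.sh --live
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_DUMP_BAD" > "$tmp"
    audit_sshd "$tmp"
    rm -f "$tmp"
elif [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run `--live` on every host after deploying the drop-in and again after OS upgrades, which are when new drop-ins appear. The check reads the daemon's own view of the configuration, so it catches the ordering problem the file contents alone cannot reveal.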