claude-home/networking/CONTEXT.md
Cal Corum 10c9e0d854 CLAUDE: Migrate to technology-first documentation architecture
Complete restructure from patterns/examples/reference to technology-focused directories:

• Created technology-specific directories with comprehensive documentation:
  - /tdarr/ - Transcoding automation with gaming-aware scheduling
  - /docker/ - Container management with GPU acceleration patterns
  - /vm-management/ - Virtual machine automation and cloud-init
  - /networking/ - SSH infrastructure, reverse proxy, and security
  - /monitoring/ - System health checks and Discord notifications
  - /databases/ - Database patterns and troubleshooting
  - /development/ - Programming language patterns (bash, nodejs, python, vuejs)

• Enhanced CLAUDE.md with intelligent context loading:
  - Technology-first loading rules for automatic context provision
  - Troubleshooting keyword triggers for emergency scenarios
  - Documentation maintenance protocols with automated reminders
  - Context window management for optimal documentation updates

• Preserved valuable content from .claude/tmp/:
  - SSH security improvements and server inventory
  - Tdarr CIFS troubleshooting and Docker iptables solutions
  - Operational scripts with proper technology classification

• Benefits achieved:
  - Self-contained technology directories with complete context
  - Automatic loading of relevant documentation based on keywords
  - Emergency-ready troubleshooting with comprehensive guides
  - Scalable structure for future technology additions
  - Eliminated context bloat through targeted loading

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-12 23:20:15 -05:00


Networking Infrastructure - Technology Context

Overview

Home lab networking infrastructure with a focus on reverse proxy configuration, SSL/TLS management, SSH key management, and network security. This context also covers service discovery, load balancing, and performance optimization patterns.

Architecture Patterns

Reverse Proxy and Load Balancing

Pattern: Centralized traffic management with SSL termination

# Nginx reverse proxy pattern
upstream backend {
    server 10.10.0.100:3000;
    server 10.10.0.101:3000;
    keepalive 32;
}

server {
    listen 443 ssl http2;
    server_name myapp.homelab.local;
    
    ssl_certificate /etc/ssl/certs/homelab.crt;
    ssl_certificate_key /etc/ssl/private/homelab.key;
    
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Network Segmentation Strategy

Pattern: VLAN-based isolation with controlled inter-VLAN routing

Management VLAN: 10.10.0.x/24   # VM management, SSH access
Services VLAN:   10.10.1.x/24   # Application services
Storage VLAN:    10.10.2.x/24   # NAS, backup traffic
DMZ VLAN:        10.10.10.x/24  # External-facing services

SSH Key Management

Centralized Key Distribution

Pattern: Automated SSH key deployment with emergency backup

# Primary access key
~/.ssh/homelab_rsa         # Daily operations key

# Emergency access key
~/.ssh/emergency_homelab_rsa  # Backup recovery key

# Automated deployment
for host in $(cat hosts.txt); do
    ssh-copy-id -i ~/.ssh/homelab_rsa.pub user@$host
    ssh-copy-id -i ~/.ssh/emergency_homelab_rsa.pub user@$host
done

Key Lifecycle Management

Pattern: Regular rotation with zero-downtime deployment

  1. Generation: Create new key pairs annually
  2. Distribution: Deploy to all managed systems
  3. Verification: Test connectivity with new keys
  4. Rotation: Remove old keys after verification
  5. Backup: Store keys in secure, recoverable location
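The five steps above as one script, an added example that is not part of this page; hosts.txt, the key paths and the function names (key_blob, has_key, retire_key, rotate_all) are assumptions. Step 4 never removes the old key from a host until the new one is verifiably present in that host's authorized_keys.

```shell
#!/bin/bash
# Added example, not from the original page: the five lifecycle steps as a script.
# retire_key edits an authorized_keys file and refuses to drop the old key unless
# the new one is already present, so a failed distribution cannot lock you out.
# Key paths, hosts.txt and all function names are this example's own assumptions.
set -eu

YEAR=$(date +%Y)
NEW_KEY="${NEW_KEY:-${HOME:-$PWD}/.ssh/homelab_ed25519_$YEAR}"   # new annual key pair
OLD_PUB="${OLD_PUB:-${HOME:-$PWD}/.ssh/homelab_rsa.pub}"         # key being retired

# key_blob LINE -> "type base64" with the comment field dropped, so a key is
# matched regardless of the comment each host's authorized_keys carries
key_blob() { printf '%s\n' "$1" | awk '{print $1 " " $2}'; }

# has_key FILE PUBKEY_LINE -> success if FILE already authorises that key
has_key() { grep -qF -- "$(key_blob "$2")" "$1"; }

# retire_key FILE NEW_PUB OLD_PUB -> remove OLD_PUB, but only once NEW_PUB is in FILE
retire_key() {
    local file="$1" new="$2" old="$3"
    if ! has_key "$file" "$new"; then
        echo "new key not present in $file; keeping old key" >&2
        return 1
    fi
    grep -vF -- "$(key_blob "$old")" "$file" > "$file.tmp" || true   # grep -v exits 1 on empty output
    mv "$file.tmp" "$file" && chmod 600 "$file"
}

rotate_all() {
    local host tmp
    tmp=$(mktemp)
    [ -f "$NEW_KEY" ] || ssh-keygen -t ed25519 -f "$NEW_KEY" -C "homelab-$YEAR"   # 1. generate (prompts for passphrase)
    for host in $(cat hosts.txt); do                                              # one user@host per line
        ssh-copy-id -i "$NEW_KEY.pub" "$host" || { echo "$host: distribution failed" >&2; continue; }   # 2. distribute
        # 3. verify with IdentitiesOnly so the agent cannot quietly succeed with the old key
        if ! ssh -i "$NEW_KEY" -o BatchMode=yes -o IdentitiesOnly=yes "$host" true; then
            echo "$host: new key does not work, old key left in place" >&2
            continue
        fi
        scp -q "$host:.ssh/authorized_keys" "$tmp"                                # 4. rotate
        retire_key "$tmp" "$(cat "$NEW_KEY.pub")" "$(cat "$OLD_PUB")" &&
            scp -q "$tmp" "$host:.ssh/authorized_keys"
    done
    rm -f "$tmp"
    echo "5. copy $NEW_KEY into the offline key backup before removing $OLD_PUB locally"
}

if [ "${1:-}" = "--run" ]; then rotate_all; fi
```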

Service Discovery and DNS

Local DNS Resolution

Pattern: Internal DNS for service discovery

; Home lab DNS zone records (zone-file comments start with ";", not "#").
; Note that .local is reserved for mDNS (RFC 6762), so hosts running
; Avahi/Bonjour may resolve these names without asking this server.
homelab.local.          IN  A   10.10.0.16   ; DNS server
proxmox.homelab.local.  IN  A   10.10.0.10   ; Hypervisor
nas.homelab.local.      IN  A   10.10.0.20   ; Storage
tdarr.homelab.local.    IN  A   10.10.0.43   ; Media server

Container Service Discovery

Pattern: Docker network-based service resolution

# Docker Compose service discovery
version: "3.8"
services:
  web:
    networks:
      - frontend
      - backend
  api:
    networks:
      - backend
      - database
  db:
    networks:
      - database

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
  database:
    driver: bridge
    internal: true  # No external access

Security Patterns

SSH Security Hardening

Configuration: Secure SSH server setup

# /etc/ssh/sshd_config.d/99-homelab-security.conf
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers cal
Protocol 2
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
X11Forwarding no
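Checking that the drop-in actually took effect, as an added example that is not from the page: `sshd -T` prints the effective configuration after all includes and Match blocks, and the function below compares it with the baseline above. The function name and the constructed sample output are this example's own.

```shell
#!/bin/bash
# Added example, not from the original page: audit the effective sshd settings
# against the hardening baseline. `sshd -T` prints every setting as a lowercase
# "keyword value" line; deviations from EXPECTED are reported one per line.
set -eu

# Baseline from 99-homelab-security.conf, keywords lowercased as sshd -T prints them
EXPECTED="passwordauthentication no
pubkeyauthentication yes
permitrootlogin no
allowusers cal
maxauthtries 3
x11forwarding no
clientaliveinterval 300
clientalivecountmax 2"

# audit_sshd_output: reads sshd -T output on stdin, prints one line per
# deviation and returns 1 if there is any, 0 if the host matches the baseline
audit_sshd_output() {
    local effective report
    effective=$(cat)
    report=$(printf '%s\n' "$EXPECTED" | while read -r key want; do
        got=$(printf '%s\n' "$effective" | awk -v k="$key" '$1==k {print $2; exit}')
        if [ -z "$got" ]; then
            echo "$key: not reported by sshd -T"
        elif [ "$got" != "$want" ]; then
            echo "$key: expected=$want actual=$got"
        fi
    done)
    [ -z "$report" ] || { printf '%s\n' "$report"; return 1; }
}

# Constructed sample of sshd -T output from a host where the drop-in was not
# applied (password auth still on, root login allowed, default MaxAuthTries)
SAMPLE_OUTPUT="port 22
passwordauthentication yes
pubkeyauthentication yes
permitrootlogin prohibit-password
allowusers cal
maxauthtries 6
x11forwarding no
clientaliveinterval 300
clientalivecountmax 2"

# Real use: sudo sshd -T | audit_sshd_output
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | audit_sshd_output
fi
```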

Network Access Control

Pattern: Firewall-based service protection

# ufw firewall rules: default deny, then expose admin ports only to the
# management VLAN. A bare "ufw allow ssh" would open port 22 to every source
# and make the VLAN restriction below meaningless, so it is deliberately absent.
ufw default deny incoming
ufw default allow outgoing
ufw allow from 10.10.0.0/24 to any port 22 proto tcp
ufw allow from 10.10.0.0/24 to any port 80 proto tcp
ufw allow from 10.10.0.0/24 to any port 443 proto tcp

SSL/TLS Certificate Management

Pattern: Automated certificate lifecycle

# Let's Encrypt automation. Wildcard names are only validated through the
# DNS-01 challenge, so the nginx (HTTP-01) plugin cannot issue *.homelab.local:
# use the DNS plugin for your provider (--dns-<provider>) or the manual DNS
# challenge shown here. The zone must also be publicly delegated; Let's Encrypt
# will not issue for a private suffix such as .local, so a registered domain
# has to stand in for homelab.local in practice.
certbot certonly --manual --preferred-challenges dns \
    --email admin@homelab.local \
    --agree-tos \
    --domains homelab.local,*.homelab.local

# Certificate renewal automation (cron). The deploy hook runs only when a
# certificate was actually renewed; a manual DNS challenge additionally needs
# --manual-auth-hook to renew unattended, which a provider plugin handles itself.
0 2 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"

Performance Optimization

Connection Management

Pattern: Optimized connection handling

# Nginx performance tuning (directives shown in the context they belong to)
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    keepalive_timeout 65;
    keepalive_requests 1000;

    gzip on;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/javascript;

    # Connection pooling: the proxying location must also set
    # proxy_http_version 1.1 and proxy_set_header Connection "" or the
    # upstream keepalive pool is never used
    upstream backend {
        server 10.10.0.100:3000 max_fails=3 fail_timeout=30s;
        keepalive 32;
    }
}

Caching Strategies

Pattern: Multi-level caching architecture

# Static content caching (inside the server block)
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 1y;
    add_header Cache-Control "public, immutable";
}

# Proxy caching: proxy_cache_path belongs in the http context, the two
# directives after it in the location being proxied
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=app_cache:10m;
proxy_cache app_cache;
proxy_cache_valid 200 302 10m;

Network Storage Integration

CIFS/SMB Mount Resilience

Pattern: Robust network filesystem mounting

# /etc/fstab entry. fstab has no line continuation, so the record must stay on
# one line; the credentials file should be root-owned with mode 0600.
//nas.homelab.local/media /mnt/media cifs credentials=/etc/cifs/credentials,uid=1000,gid=1000,file_mode=0644,dir_mode=0755,iocharset=utf8,cache=strict,actimeo=30,_netdev,reconnect,soft,rsize=1048576,wsize=1048576 0 0

Monitoring and Observability

Network Health Monitoring

Pattern: Automated connectivity verification

#!/bin/bash
# network-health-check.sh
HOSTS="10.10.0.10 10.10.0.20 10.10.0.43"
DNS_SERVERS="10.10.0.16 8.8.8.8"

for host in $HOSTS; do
    if ping -c1 -W5 $host >/dev/null 2>&1; then
        echo "✅ $host: Reachable"
    else
        echo "❌ $host: Unreachable"
    fi
done

for dns in $DNS_SERVERS; do
    if nslookup google.com $dns >/dev/null 2>&1; then
        echo "✅ DNS $dns: Working"
    else
        echo "❌ DNS $dns: Failed"
    fi
done

Service Availability Monitoring

Pattern: HTTP/HTTPS endpoint monitoring

# Service health check (add --cacert /etc/ssl/certs/homelab.crt to curl when
# the home lab CA is not in the system trust store, otherwise every HTTPS
# check fails on certificate verification rather than on the service itself)
SERVICES="https://homelab.local http://proxmox.homelab.local:8006"

for service in $SERVICES; do
    if curl -sSf --max-time 10 "$service" >/dev/null 2>&1; then
        echo "✅ $service: Available"
    else
        echo "❌ $service: Unavailable"
    fi
done

Common Integration Patterns

Reverse Proxy with Docker

Pattern: Container service exposure

# Dynamic service discovery with Docker: the upstream names resolve through
# the Docker network's embedded DNS, so nginx must run on the same network
location /api/ {
    proxy_pass http://api-container:3000/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}

location /web/ {
    proxy_pass http://web-container:8080/;
    proxy_http_version 1.1;                  # required for the Upgrade handshake
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";  # WebSocket support
}

VPN Integration

Pattern: Secure remote access

# OpenVPN server configuration
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.10.0.0 255.255.0.0"  # Home lab networks
keepalive 10 120

Best Practices

Security Implementation

  1. SSH Keys Only: Disable password authentication everywhere
  2. Network Segmentation: Use VLANs for isolation
  3. Certificate Management: Automate SSL/TLS certificate lifecycle
  4. Access Control: Implement least-privilege networking
  5. Monitoring: Continuous network and service monitoring

Performance Optimization

  1. Connection Pooling: Reuse connections for efficiency
  2. Caching: Implement multi-level caching strategies
  3. Compression: Enable gzip for reduced bandwidth
  4. Keep-Alives: Optimize connection persistence
  5. CDN Strategy: Cache static content effectively

Operational Excellence

  1. Documentation: Maintain network topology documentation
  2. Automation: Script routine network operations
  3. Backup: Regular configuration backups
  4. Testing: Regular connectivity and performance testing
  5. Change Management: Controlled network configuration changes

This technology context provides comprehensive guidance for implementing robust networking infrastructure in home lab environments.