claude-home/networking/CONTEXT.md
Cal Corum 4b7eca8a46
docs: add YAML frontmatter to all 151 markdown files
Adds title, description, type, domain, and tags frontmatter to every
doc for improved KB semantic search. The description field is prepended
to every search chunk, and domain/type/tags enable filtered queries.

Type values: context, guide, runbook, reference, troubleshooting
Domain values match directory structure (networking, docker, etc.)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 09:00:44 -05:00


---
title: Networking Infrastructure Context
description: Architecture patterns and best practices for homelab networking including reverse proxy, SSH key management, DNS, SSL/TLS, network segmentation, and CIFS mounts.
type: context
domain: networking
tags: [nginx, ssh, dns, ssl, vlan, cifs, reverse-proxy, firewall]
---

Networking Infrastructure - Technology Context

Overview

Home lab networking infrastructure with focus on reverse proxy configuration, SSL/TLS management, SSH key management, and network security. This context covers service discovery, load balancing, and performance optimization patterns.

Architecture Patterns

Reverse Proxy and Load Balancing

Pattern: Centralized traffic management with SSL termination

# Nginx reverse proxy pattern
upstream backend {
    server 10.10.0.100:3000;
    server 10.10.0.101:3000;
    keepalive 32;              # idle upstream connections kept open per worker
}

server {
    listen 443 ssl;
    http2 on;                  # nginx >= 1.25.1; older releases use "listen 443 ssl http2;"
    server_name myapp.homelab.local;

    ssl_certificate /etc/ssl/certs/homelab.crt;
    ssl_certificate_key /etc/ssl/private/homelab.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://backend;
        # Upstream keepalive only takes effect over HTTP/1.1 with the
        # Connection header cleared; without these two lines "keepalive 32" is inert.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Network Segmentation Strategy

Pattern: VLAN-based isolation with controlled inter-VLAN routing

Management VLAN: 10.10.0.x/24   # VM management, SSH access
Services VLAN:   10.10.1.x/24   # Application services
Storage VLAN:    10.10.2.x/24   # NAS, backup traffic
DMZ VLAN:        10.10.10.x/24  # External-facing services

SSH Key Management

Centralized Key Distribution

Pattern: Automated SSH key deployment with emergency backup

# Primary access key (daily operations)
~/.ssh/homelab_rsa

# Emergency access key (kept offline; used only when the primary is lost or compromised)
~/.ssh/emergency_homelab_rsa

# Automated deployment: one host per line in hosts.txt.
# ssh-copy-id needs a working login first (password or an already-trusted key),
# so run it before PasswordAuthentication is switched off on the target.
while read -r host; do
    ssh-copy-id -i ~/.ssh/homelab_rsa.pub "user@$host"
    ssh-copy-id -i ~/.ssh/emergency_homelab_rsa.pub "user@$host"
done < hosts.txt

Key Lifecycle Management

Pattern: Regular rotation with zero-downtime deployment

  1. Generation: Create new key pairs annually
  2. Distribution: Deploy to all managed systems
  3. Verification: Test connectivity with new keys
  4. Rotation: Remove old keys after verification
  5. Backup: Store keys in secure, recoverable location
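The rotation steps above are easy to get wrong on a fleet: the old key must not be removed until the new one has been proven to work, and the removal has to be idempotent so a re-run does not corrupt `authorized_keys`. The helpers below are an added example, not code from this repository; they operate on an `authorized_keys` file and match keys on the base64 key blob rather than on the free-text comment. The two key strings are constructed placeholders, and the `VERIFY_CMD` argument stands in for the real `ssh -i new_key host true` probe.

```bash
#!/bin/bash
# Added example (not from the page): idempotent authorized_keys rotation helpers.
# Keys are matched on the base64 key blob (field 2) rather than on the comment,
# because comments are free text and can be edited or duplicated. Lines with
# option prefixes (from="...", command="...") are out of scope here.
set -u

# Constructed placeholder keys for the demo; not real key material.
OLD_KEY='ssh-rsa AAAAB3NzaC1yc2E_OLD_PLACEHOLDER cal@homelab-2025'
NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_NEW_PLACEHOLDER cal@homelab-2026'

# key_blob KEY -> the base64 blob that uniquely identifies a public key
key_blob() { printf '%s\n' "$1" | awk '{print $2}'; }

# has_key FILE KEY -> exit 0 if FILE contains a line with the same key blob
has_key() {
    local blob
    blob=$(key_blob "$2")
    [ -f "$1" ] && awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$1"
}

# authorize_key FILE KEY: append the key unless already present (safe to re-run)
authorize_key() {
    has_key "$1" "$2" && return 0
    printf '%s\n' "$2" >> "$1"
}

# revoke_key FILE KEY: drop every line carrying that blob; rewrite atomically
revoke_key() {
    local blob tmp
    blob=$(key_blob "$2")
    tmp=$(mktemp "$1.XXXXXX") || return 1
    awk -v b="$blob" '$2 != b' "$1" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$1"
}

# rotate_key FILE OLD NEW VERIFY_CMD: distribute NEW, verify, only then revoke OLD.
# VERIFY_CMD is a shell command string standing in for
# "ssh -o BatchMode=yes -o PasswordAuthentication=no -i ~/.ssh/new_key user@host true".
rotate_key() {
    local file="$1" old="$2" new="$3" verify="$4"
    authorize_key "$file" "$new" || return 1
    if ! eval "$verify"; then
        echo "verification with new key failed; keeping old key in $file" >&2
        return 1
    fi
    revoke_key "$file" "$old"
}

# Stand-alone demo on a temporary file standing in for a host's authorized_keys
demo_rotation() {
    local f rc
    f=$(mktemp) || return 1
    printf '%s\n' "$OLD_KEY" > "$f"
    rotate_key "$f" "$OLD_KEY" "$NEW_KEY" "true"
    has_key "$f" "$NEW_KEY" && ! has_key "$f" "$OLD_KEY"
    rc=$?
    rm -f "$f"
    return "$rc"
}

demo_rotation && echo "rotation OK: new key authorized, old key revoked"
```

When the verification probe fails, the new key stays staged and the old key stays valid, so a broken rollout never locks you out; re-running the same script later is harmless because both `authorize_key` and `revoke_key` are idempotent.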

Service Discovery and DNS

Local DNS Resolution

Pattern: Internal DNS for service discovery

# Home lab DNS zones (illustrative records; a real zone file also needs $TTL, SOA and NS records)
# Caveat: ".local" is reserved for mDNS (RFC 6762). Hosts running Avahi or macOS
# resolve it by multicast and may never query this server. A subdomain of a
# registered domain, or home.arpa (RFC 8375), avoids that conflict.
homelab.local.          IN  A   10.10.0.16   # DNS server
proxmox.homelab.local.  IN  A   10.10.0.10   # Hypervisor
nas.homelab.local.      IN  A   10.10.0.20   # Storage
tdarr.homelab.local.    IN  A   10.10.0.43   # Media server

Container Service Discovery

Pattern: Docker network-based service resolution

# Docker Compose service discovery
# (the top-level "version" key is obsolete and ignored by Compose v2)
services:
  web:
    networks:
      - frontend
      - backend
  api:
    networks:
      - backend
      - database
  db:
    networks:
      - database   # only api shares this network; web cannot reach db by name

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
  database:
    driver: bridge
    internal: true  # No external access: no default route out of the network

Security Patterns

SSH Security Hardening

Configuration: Secure SSH server setup

# /etc/ssh/sshd_config.d/99-homelab-security.conf
# Loaded through "Include /etc/ssh/sshd_config.d/*.conf" in sshd_config; sshd
# keeps the first value it sees for a keyword, so the Include must come before
# any conflicting directive in the main file.
PasswordAuthentication no
KbdInteractiveAuthentication no   # closes the PAM keyboard-interactive password path too
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers cal
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
X11Forwarding no
# "Protocol 2" is dropped: protocol 1 was removed in OpenSSH 7.4 and the keyword
# now only triggers a deprecation warning.
# Validate before applying: sshd -t && systemctl reload ssh   (service is "sshd" on RHEL-family)

Network Access Control

Pattern: Firewall-based service protection

# ufw firewall rules: default deny, then allow only from the management VLAN.
# "ufw allow ssh" is deliberately absent: it would open 22/tcp from Anywhere and
# make the source-restricted rule below meaningless.
ufw default deny incoming
ufw default allow outgoing
ufw allow from 10.10.0.0/24 to any port 22 proto tcp
ufw allow from 10.10.0.0/24 to any port 80 proto tcp
ufw allow from 10.10.0.0/24 to any port 443 proto tcp
ufw enable
ufw status verbose   # confirm no ALLOW rule lists "Anywhere" as its source
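The two hardening blocks above (SSH and firewall) are easy to believe and hard to verify from the files alone: a later `Match` block or a stray `Include` can override a sshd directive, and a single `ufw allow ssh` silently reopens port 22 to the world. The script below is an added example, not part of this repository, that audits the effective state instead: the output of `sshd -T` (the resolved configuration) and of `ufw status`. Both samples are constructed to reproduce exactly those two mistakes; on a real host, replace the samples with `sshd -T | audit_sshd` and `ufw status | audit_ufw "443/tcp"`.

```bash
#!/bin/bash
# Added example (not from the page): audit a host's effective SSH and firewall
# settings from `sshd -T` and `ufw status` output rather than trusting the
# files on disk. Samples below are constructed, not captured from a real host.
set -u

# Constructed `sshd -T` excerpt: sshd prints lowercase keywords and values.
# Password auth is off, but keyboard-interactive is still on and root can log in with a key.
SAMPLE_SSHD_T='port 22
passwordauthentication no
kbdinteractiveauthentication yes
pubkeyauthentication yes
permitrootlogin prohibit-password
maxauthtries 3
x11forwarding no'

# Constructed `ufw status` output after "ufw allow ssh" plus the VLAN-scoped rules.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22                         ALLOW       10.10.0.0/24
80                         ALLOW       10.10.0.0/24
443                        ALLOW       10.10.0.0/24
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Settings every homelab host must expose; one "keyword value" per line.
REQUIRED_SSHD='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no
x11forwarding no'

# audit_sshd < sshd-T-output -> exit 1 and report every setting that deviates
audit_sshd() {
    local cfg bad=0 key want got
    cfg=$(cat)
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$got" != "$want" ]; then
            printf 'sshd: %s is "%s", expected "%s"\n' "$key" "${got:-unset}" "$want" >&2
            bad=1
        fi
    done <<EOF
$REQUIRED_SSHD
EOF
    return "$bad"
}

# exposed_allows < ufw-status -> "<port> <v4|v6>" for each ALLOW rule whose source is Anywhere
exposed_allows() {
    awk '/ALLOW( IN)? +Anywhere/ { print $1, (($0 ~ /\(v6\)/) ? "v6" : "v4") }'
}

# audit_ufw "PORTS" < ufw-status -> exit 1 if anything outside PORTS is open to Anywhere
audit_ufw() {
    local allowed="$1" bad=0 input port fam
    input=$(exposed_allows)
    while read -r port fam; do
        [ -n "$port" ] || continue
        case " $allowed " in
            *" $port "*) ;;
            *) printf 'ufw: %s open to Anywhere (%s)\n' "$port" "$fam" >&2; bad=1 ;;
        esac
    done <<EOF
$input
EOF
    return "$bad"
}

# Stand-alone run against the constructed samples (both audits are expected to fail)
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd || echo "sshd audit: FAIL"
printf '%s\n' "$SAMPLE_UFW_STATUS" | audit_ufw "443/tcp" || echo "ufw audit: FAIL"
```

The allowlist passed to `audit_ufw` is the set of ports that are meant to be reachable from anywhere (for a host behind the reverse proxy, usually nothing; for the proxy itself, `443/tcp`). Anything else that shows up with `Anywhere` as its source is a finding.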

SSL/TLS Certificate Management

Pattern: Automated certificate lifecycle

# Let's Encrypt automation
# Caveats: Let's Encrypt only issues for names in public DNS, so a ".local" name
# cannot be certified publicly (an internal CA is the alternative for purely
# internal names). A wildcard requires the DNS-01 challenge, which the --nginx
# plugin does not support. The command keeps the page's domain as a placeholder
# and uses the manual DNS-01 flow; a certbot DNS plugin for your DNS provider
# (or --manual-auth-hook) is what makes renewal unattended.
certbot certonly --manual --preferred-challenges dns \
    --email admin@homelab.local \
    --agree-tos \
    --domains homelab.local,*.homelab.local

# Certificate renewal automation: reload nginx only when a certificate was actually renewed
0 2 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"

Performance Optimization

Connection Management

Pattern: Optimized connection handling

# Nginx performance tuning (directives shown in the contexts nginx requires)
worker_processes auto;          # main context

events {
    worker_connections 1024;    # only valid inside events {}
}

http {
    keepalive_timeout 65;
    keepalive_requests 1000;

    gzip on;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/javascript;

    # Connection pooling; the location using this upstream must also set
    # proxy_http_version 1.1 and clear the Connection header
    upstream backend {
        server 10.10.0.100:3000 max_fails=3 fail_timeout=30s;
        keepalive 32;
    }
}

Caching Strategies

Pattern: Multi-level caching architecture

# Proxy cache storage: proxy_cache_path belongs in the http {} context
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=app_cache:10m max_size=1g inactive=60m;

# Static content caching (inside a server {} block). "immutable" with a one-year
# lifetime is only safe for content-hashed filenames; otherwise browsers keep
# stale assets for a year after a deploy.
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 1y;
    add_header Cache-Control "public, immutable";
}

# Proxy caching for a location; never serve cached responses across authenticated requests
location / {
    proxy_cache app_cache;
    proxy_cache_valid 200 302 10m;
    proxy_cache_bypass $http_authorization;
    proxy_no_cache $http_authorization;
}

Network Storage Integration

CIFS/SMB Mount Resilience

Pattern: Robust network filesystem mounting

# /etc/fstab: one entry per line (fstab has no backslash line continuation).
# vers=3.1.1 pins the SMB dialect so the client never negotiates down
# (assumption: the NAS supports SMB 3.1.1; add "seal" to force SMB3 encryption).
# /etc/cifs/credentials holds the password in clear text: owner root, mode 0600.
# "soft" returns I/O errors instead of hanging when the NAS is gone; fine for
# media, not for anything that must never see a failed write.
//nas.homelab.local/media  /mnt/media  cifs  credentials=/etc/cifs/credentials,uid=1000,gid=1000,file_mode=0644,dir_mode=0755,iocharset=utf8,vers=3.1.1,cache=strict,actimeo=30,_netdev,reconnect,soft,rsize=1048576,wsize=1048576  0  0
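Two things the kernel will not check before mounting the entry above: whether the credentials file is readable by other users, and whether the option string pins the SMB dialect and carries the resilience flags. The script below is an added example, not part of this repository; it lints an fstab line and the credentials file's permission bits. The fstab line is a constructed copy of the entry as originally written (without `vers=`), so the first check fails by design, and the hardened variant passes. Ownership by root is not checked because that would need root to demonstrate.

```bash
#!/bin/bash
# Added example (not from the page): pre-mount checks for a CIFS fstab entry.
set -u

# Constructed fstab line mirroring the page's entry, on one line as fstab requires.
SAMPLE_FSTAB_LINE='//nas.homelab.local/media /mnt/media cifs credentials=/etc/cifs/credentials,uid=1000,gid=1000,file_mode=0644,dir_mode=0755,iocharset=utf8,cache=strict,actimeo=30,_netdev,reconnect,soft,rsize=1048576,wsize=1048576 0 0'

# file_mode FILE -> octal permission bits (GNU stat, falling back to BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_cred_perms FILE -> exit 0 only if no group/other bits are set (600, 400, ...)
check_cred_perms() {
    local mode
    [ -f "$1" ] || { echo "credentials file $1 missing" >&2; return 1; }
    mode=$(file_mode "$1")
    case "$mode" in
        *00) return 0 ;;
        *) echo "credentials file $1 is mode $mode; chmod 600 and chown root:root it" >&2; return 1 ;;
    esac
}

# fstab_opts LINE -> the comma-separated mount options (4th field)
fstab_opts() { printf '%s\n' "$1" | awk '{print $4}'; }

# opt_value OPTS NAME -> prints the value of NAME=...; exit 1 if NAME is absent
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v n="$2" '$1 == n { print $2; found = 1; exit } END { exit !found }'
}

# has_opt OPTS NAME -> exit 0 if the bare flag NAME is present
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# check_fstab_line LINE -> exit 1 with one reason per finding
check_fstab_line() {
    local opts bad=0 vers cred
    opts=$(fstab_opts "$1")
    if ! vers=$(opt_value "$opts" vers); then
        echo "no vers= option: add vers=3.1.1 so the dialect is pinned" >&2; bad=1
    elif [ "$vers" = "1.0" ]; then
        echo "vers=1.0 selects SMB1, which is deprecated and has no SMB3 encryption" >&2; bad=1
    fi
    has_opt "$opts" _netdev   || { echo "missing _netdev: mount may run before the network is up" >&2; bad=1; }
    has_opt "$opts" reconnect || { echo "missing reconnect: a NAS reboot leaves the mount dead" >&2; bad=1; }
    if cred=$(opt_value "$opts" credentials); then
        case "$cred" in /*) ;; *) echo "credentials path must be absolute" >&2; bad=1 ;; esac
    else
        echo "no credentials= option: a password on the fstab line is world-readable" >&2; bad=1
    fi
    return "$bad"
}

# Stand-alone run: the line as written (no vers=) versus a hardened variant
HARDENED_LINE=$(printf '%s\n' "$SAMPLE_FSTAB_LINE" | sed 's/iocharset=utf8,/iocharset=utf8,vers=3.1.1,/')
check_fstab_line "$SAMPLE_FSTAB_LINE" || echo "sample line: needs fixing"
check_fstab_line "$HARDENED_LINE" && echo "hardened line: OK"
```

On a real host, run `check_cred_perms /etc/cifs/credentials` and `check_fstab_line "$(grep ' cifs ' /etc/fstab)"` before `mount -a`; both exit non-zero with a reason, which makes them usable as a pre-flight step in a provisioning script.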

Monitoring and Observability

Network Health Monitoring

Pattern: Automated connectivity verification

#!/bin/bash
# network-health-check.sh
HOSTS="10.10.0.10 10.10.0.20 10.10.0.43"
DNS_SERVERS="10.10.0.16 8.8.8.8"

for host in $HOSTS; do
    if ping -c1 -W5 $host >/dev/null 2>&1; then
        echo "✅ $host: Reachable"
    else
        echo "❌ $host: Unreachable"
    fi
done

for dns in $DNS_SERVERS; do
    if nslookup google.com $dns >/dev/null 2>&1; then
        echo "✅ DNS $dns: Working"
    else
        echo "❌ DNS $dns: Failed"
    fi
done

Service Availability Monitoring

Pattern: HTTP/HTTPS endpoint monitoring

# Service health check
# Proxmox's web UI on 8006 speaks HTTPS only, so it must be probed with https://.
# If it still presents its self-signed certificate, add the signing CA to the
# system trust store (update-ca-certificates) rather than passing -k to curl,
# which would accept any certificate and turn the check into a TLS-stripping blind spot.
SERVICES="https://homelab.local https://proxmox.homelab.local:8006"

for service in $SERVICES; do
    if curl -sSf --max-time 10 "$service" >/dev/null 2>&1; then
        echo "✅ $service: Available"
    else
        echo "❌ $service: Unavailable"
    fi
done

Common Integration Patterns

Reverse Proxy with Docker

Pattern: Container service exposure

# Dynamic service discovery with Docker: nginx must share a Docker network with
# the containers so their service names resolve through Docker's embedded DNS
location /api/ {
    proxy_pass http://api-container:3000/;   # trailing slash strips the /api/ prefix
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

location /web/ {
    proxy_pass http://web-container:8080/;
    proxy_http_version 1.1;                  # required: the WebSocket upgrade only works over HTTP/1.1
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";  # WebSocket support
    proxy_set_header Host $host;
}

VPN Integration

Pattern: Secure remote access

# OpenVPN server configuration
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key                    # encrypts and authenticates the control channel; unauthenticated packets are dropped before TLS (ta.key from "openvpn --genkey")
server 10.8.0.0 255.255.255.0
push "route 10.10.0.0 255.255.0.0"  # Home lab networks
keepalive 10 120
persist-key
persist-tun
user nobody                         # drop privileges after the tunnel is up
group nogroup

Best Practices

Security Implementation

  1. SSH Keys Only: Disable password authentication everywhere
  2. Network Segmentation: Use VLANs for isolation
  3. Certificate Management: Automate SSL/TLS certificate lifecycle
  4. Access Control: Implement least-privilege networking
  5. Monitoring: Continuous network and service monitoring

Performance Optimization

  1. Connection Pooling: Reuse connections for efficiency
  2. Caching: Implement multi-level caching strategies
  3. Compression: Enable gzip for reduced bandwidth
  4. Keep-Alives: Optimize connection persistence
  5. CDN Strategy: Cache static content effectively

Operational Excellence

  1. Documentation: Maintain network topology documentation
  2. Automation: Script routine network operations
  3. Backup: Regular configuration backups
  4. Testing: Regular connectivity and performance testing
  5. Change Management: Controlled network configuration changes

This technology context provides comprehensive guidance for implementing robust networking infrastructure in home lab environments.