claude-home/networking/CONTEXT.md
Cal Corum 4b7eca8a46
docs: add YAML frontmatter to all 151 markdown files
Adds title, description, type, domain, and tags frontmatter to every
doc for improved KB semantic search. The description field is prepended
to every search chunk, and domain/type/tags enable filtered queries.

Type values: context, guide, runbook, reference, troubleshooting
Domain values match directory structure (networking, docker, etc.)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 09:00:44 -05:00


---
title: "Networking Infrastructure Context"
description: "Architecture patterns and best practices for homelab networking including reverse proxy, SSH key management, DNS, SSL/TLS, network segmentation, and CIFS mounts."
type: context
domain: networking
tags: [nginx, ssh, dns, ssl, vlan, cifs, reverse-proxy, firewall]
---
# Networking Infrastructure - Technology Context
## Overview
Home lab networking infrastructure with focus on reverse proxy configuration, SSL/TLS management, SSH key management, and network security. This context covers service discovery, load balancing, and performance optimization patterns.
## Architecture Patterns
### Reverse Proxy and Load Balancing
**Pattern**: Centralized traffic management with SSL termination
```nginx
# Nginx reverse proxy pattern
upstream backend {
    server 10.10.0.100:3000;
    server 10.10.0.101:3000;
    keepalive 32;                 # idle upstream connections kept per worker
}

server {
    listen 443 ssl http2;
    server_name myapp.homelab.local;

    ssl_certificate     /etc/ssl/certs/homelab.crt;
    ssl_certificate_key /etc/ssl/private/homelab.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # no TLS 1.0/1.1

    location / {
        proxy_pass http://backend;

        # Without these two lines the upstream keepalive pool is never used:
        # nginx speaks HTTP/1.0 to upstreams by default and forwards the
        # client's Connection header.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # $proxy_add_x_forwarded_for APPENDS to any X-Forwarded-For the
        # client sent; backends must only trust the entry this proxy added.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
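Because `$proxy_add_x_forwarded_for` appends to whatever the client already sent, the application behind the proxy must not take the first entry in `X-Forwarded-For`. The Python below is an added example, not code from this page or the homelab repo: it shows how a backend such as the one on 10.10.0.100:3000 should derive the client address, trusting only hops that are its own proxies (the proxy address 10.10.0.5 is an assumption made for the example) and walking the header from the right.

```python
"""Derive the client address behind the reverse proxy pattern above.

Added example for this page; not code from the page or the homelab repo.
Assumption: the application is reached only through the nginx proxy, whose
address 10.10.0.5 is made up for this example.
"""
import ipaddress
from typing import Optional

# Assumed: the only hops allowed to append to X-Forwarded-For. Everything
# else in the header was written by someone we do not control.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.5/32")]


def is_trusted_hop(addr: str) -> bool:
    """True if addr is one of our own proxies (malformed input is untrusted)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address to log, rate-limit or ACL on.

    $proxy_add_x_forwarded_for yields "<whatever the client sent>, <peer the
    proxy saw>". Only the entries appended by trusted hops are believable, so
    walk from the right, skip our proxies, and stop at the first untrusted
    address. Taking the leftmost entry would let any client choose its own
    identity simply by sending the header.
    """
    if not is_trusted_hop(remote_addr):
        # Direct connection that bypassed the proxy: ignore the header entirely.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_hop(hop):
            continue  # another of our proxies in a chain
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # garbage appended upstream of us: trust nothing
    return remote_addr


if __name__ == "__main__":
    # Spoofed leftmost entry, genuine rightmost entry appended by the proxy.
    print(client_ip("10.10.0.5", "203.0.113.9, 192.168.1.50"))   # 192.168.1.50
    # Same spoofed header, but the peer is not our proxy: header is ignored.
    print(client_ip("192.168.1.50", "203.0.113.9"))              # 192.168.1.50
```

The same rule applies to `X-Real-IP`: it is trustworthy only when the TCP peer is the proxy that set it, which is why the firewall rules later on this page matter as much as the header configuration.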
### Network Segmentation Strategy
**Pattern**: VLAN-based isolation with controlled inter-VLAN routing
```
Management VLAN: 10.10.0.0/24    # VM management, SSH access
Services VLAN:   10.10.1.0/24    # Application services
Storage VLAN:    10.10.2.0/24    # NAS, backup traffic
DMZ VLAN:        10.10.10.0/24   # External-facing services
```
## SSH Key Management
### Centralized Key Distribution
**Pattern**: Automated SSH key deployment with emergency backup
```bash
# Primary access key (daily operations)
#   ~/.ssh/homelab_rsa
# Emergency access key (backup recovery; kept offline, used only if the
# primary key is lost or compromised)
#   ~/.ssh/emergency_homelab_rsa
# (ed25519 is the preferred type for new key pairs; the file names above are
# this repo's existing ones)

# Automated deployment: hosts.txt holds one hostname per line.
# ssh-copy-id skips keys already present, so re-running is safe, but it
# needs a working login path: run it before password authentication is
# disabled on the host, or with the current key loaded in ssh-agent.
while IFS= read -r host; do
    [ -z "$host" ] && continue
    ssh-copy-id -i ~/.ssh/homelab_rsa.pub "user@$host"
    ssh-copy-id -i ~/.ssh/emergency_homelab_rsa.pub "user@$host"
done < hosts.txt
```
### Key Lifecycle Management
**Pattern**: Regular rotation with zero-downtime deployment
1. **Generation**: Create new key pairs annually
2. **Distribution**: Deploy to all managed systems
3. **Verification**: Test connectivity with new keys
4. **Rotation**: Remove old keys after verification
5. **Backup**: Store keys in secure, recoverable location
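Steps 2 to 4 of this lifecycle come down to editing `authorized_keys` on every host so that the new key is present before the old one disappears. The Python below is an added example (not tooling from this page or the homelab repo) that performs that edit on the file's text: keys are matched by type and blob rather than by the trailing comment, adding is idempotent, and removal refuses to leave the file empty so the emergency key always remains. The key lines are constructed placeholders, not real key material.

```python
"""Rotate an SSH key in an authorized_keys file without a lockout window.

Added example; not tooling from the page or the homelab repo. It edits the
text of an authorized_keys file in memory (in practice write it back via a
temp file and rename). The key lines below are constructed placeholders.
"""
from typing import List, Optional

# Constructed sample keys (placeholder blobs, not real keys).
OLD_KEY = "ssh-rsa AAAAB3OLDKEYBLOB cal@homelab_rsa"
NEW_KEY = "ssh-ed25519 AAAAC3NEWKEYBLOB cal@homelab_ed25519"
EMERGENCY_KEY = "ssh-rsa AAAAB3EMERGENCYBLOB cal@emergency_homelab_rsa"

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def key_id(line: str) -> Optional[str]:
    """Return "type blob" for an authorized_keys line, or None for non-key lines.

    Lines may carry a leading options field (from="10.10.0.0/24",no-pty ...).
    Assumption: option values contain no whitespace, so splitting on
    whitespace is enough to locate the key-type token.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = stripped.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return f"{tok} {tokens[i + 1]}"
    return None


def _ids(lines: List[str]) -> List[str]:
    return [k for k in (key_id(l) for l in lines) if k]


def _join(lines: List[str]) -> str:
    return "\n".join(lines) + ("\n" if lines else "")


def add_key(content: str, pubkey: str) -> str:
    """Append pubkey unless an entry with the same blob already exists."""
    kid = key_id(pubkey)
    if kid is None:
        raise ValueError("not a public key line")
    lines = content.splitlines()
    if kid not in _ids(lines):
        lines.append(pubkey.strip())
    return _join(lines)


def remove_key(content: str, pubkey: str) -> str:
    """Drop every entry whose blob matches pubkey; refuse to empty the file."""
    kid = key_id(pubkey)
    kept = [l for l in content.splitlines() if key_id(l) != kid]
    if not _ids(kept):
        raise RuntimeError("refusing to remove the last authorized key")
    return _join(kept)


def rotate(content: str, old: str, new: str, verified: bool) -> str:
    """Distribute the new key; retire the old one only after a login with
    the new key has been verified (step 3, done out of band)."""
    content = add_key(content, new)
    return remove_key(content, old) if verified else content


if __name__ == "__main__":
    start = f'from="10.10.0.0/24" {OLD_KEY}\n{EMERGENCY_KEY}\n'
    print(rotate(start, OLD_KEY, NEW_KEY, verified=False))  # both keys present
    print(rotate(start, OLD_KEY, NEW_KEY, verified=True))   # old key gone
```

Run the `verified=False` pass across all hosts first, confirm `ssh -i ~/.ssh/<newkey>` works on each, and only then run the `verified=True` pass; a host that fails verification keeps both keys rather than none.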
## Service Discovery and DNS
### Local DNS Resolution
**Pattern**: Internal DNS for service discovery
```bind
; Home lab DNS zone (BIND zone-file syntax: comments start with ";")
; Caveat: ".local" is reserved for mDNS (RFC 6762). Resolvers such as
; systemd-resolved and Avahi may answer these names via multicast instead of
; asking this server; a registered domain or a non-reserved internal suffix
; avoids that ambiguity.
homelab.local.           IN A  10.10.0.16   ; DNS server
proxmox.homelab.local.   IN A  10.10.0.10   ; Hypervisor
nas.homelab.local.       IN A  10.10.0.20   ; Storage
tdarr.homelab.local.     IN A  10.10.0.43   ; Media server
```
### Container Service Discovery
**Pattern**: Docker network-based service resolution
```yaml
# Docker Compose service discovery: containers reach each other by service
# name over the networks they share, and only over those.
# (The top-level "version" key is ignored by Compose v2 and omitted here.)
services:
  web:
    networks:
      - frontend
      - backend
  api:
    networks:
      - backend
      - database
  db:
    networks:
      - database        # only api shares a network with db

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
  database:
    driver: bridge
    internal: true      # No external access: no default route out, no published ports in
```
## Security Patterns
### SSH Security Hardening
**Configuration**: Secure SSH server setup
```sshd_config
# /etc/ssh/sshd_config.d/99-homelab-security.conf
#
# sshd keeps the FIRST value it reads for a keyword, and drop-ins are read
# in lexical order at the point of the "Include" line. A 99-* file therefore
# loses to anything set earlier (e.g. a distro's 50-cloud-init.conf setting
# PasswordAuthentication yes). Either name this file so it sorts first or
# confirm the effective values with:  sshd -T | grep -i -e passwordauth -e permitroot
PasswordAuthentication no
# Password prompts can also arrive through PAM keyboard-interactive auth;
# disable that path too (ChallengeResponseAuthentication is the pre-8.7 name).
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitRootLogin no
AllowUsers cal
# "Protocol 2" dropped: SSH-1 was removed in OpenSSH 7.6 and the keyword is ignored.
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
X11Forwarding no
```
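The first-value-wins rule above is easy to get wrong silently, because sshd neither errors nor warns when a later drop-in repeats a keyword. The following Python is an added example, not tooling from this page or the homelab repo: it walks a constructed `sshd_config` plus two drop-ins in the order sshd would read them and reports, for every keyword, which file won and which settings were ignored. The file contents are constructed inputs (`50-cloud-init.conf` mirrors what Ubuntu cloud images ship); `Match` blocks and the `Keyword=value` spelling are not modelled. On a real host, `sshd -T` is the authoritative check.

```python
"""Resolve the effective sshd configuration across Include'd drop-ins.

Added example; not tooling from the page or the homelab repo. sshd keeps the
FIRST value it reads for each keyword, and "Include <glob>" is expanded in
lexical order where it appears, so a 99-*.conf drop-in loses any keyword that
an earlier drop-in already set. The files below are constructed inputs.
"""
from typing import Dict, List, Tuple

MAIN = "/etc/ssh/sshd_config"

# Constructed file contents. 50-cloud-init.conf mirrors what Ubuntu cloud
# images ship; 99-homelab-security.conf is the drop-in from this page.
CONFIGS: Dict[str, str] = {
    MAIN: (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication yes\n"
        "X11Forwarding yes\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/99-homelab-security.conf": (
        "PasswordAuthentication no\n"
        "PubkeyAuthentication yes\n"
        "PermitRootLogin no\n"
        "AllowUsers cal\n"
        "MaxAuthTries 3\n"
        "X11Forwarding no\n"
    ),
}

Winner = Tuple[str, str]               # (value, file it came from)
Shadowed = Tuple[str, str, str, str]   # (keyword, file, ignored value, winning file)


def expand_include(pattern: str) -> List[str]:
    """Minimal '<dir>/*.conf' glob over CONFIGS, in the lexical order sshd uses."""
    prefix, suffix = pattern.split("*", 1)
    return sorted(p for p in CONFIGS
                  if p != MAIN and p.startswith(prefix) and p.endswith(suffix))


def effective(path: str = MAIN) -> Tuple[Dict[str, Winner], List[Shadowed]]:
    """Return the winning value per keyword plus every setting that was ignored."""
    winners: Dict[str, Winner] = {}
    shadowed: List[Shadowed] = []

    def walk(p: str) -> None:
        for raw in CONFIGS[p].splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            keyword, _, value = line.partition(" ")
            key = keyword.lower()          # sshd keywords are case-insensitive
            value = value.strip()
            if key == "include":
                for inc in expand_include(value):
                    walk(inc)              # expanded here, before later lines
                continue
            if key in winners:
                shadowed.append((keyword, p, value, winners[key][1]))
            else:
                winners[key] = (value, p)

    walk(path)
    return winners, shadowed


if __name__ == "__main__":
    winners, ignored = effective()
    print("PasswordAuthentication =", winners["passwordauthentication"])
    for keyword, path, value, winner in ignored:
        print(f"IGNORED {keyword} {value} in {path} (already set in {winner})")
```

With these inputs the 99- drop-in does win `X11Forwarding no` (the `Include` sits above the main file's own `X11Forwarding yes`), but loses `PasswordAuthentication`, which stays `yes` from `50-cloud-init.conf`: exactly the situation the comment in the hardening drop-in warns about.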
### Network Access Control
**Pattern**: Firewall-based service protection
```bash
# ufw firewall rules
# Rules are evaluated in order and the first match wins, so a bare
# "ufw allow ssh" (port 22 from anywhere) placed before the source-restricted
# rule would make that restriction meaningless. Only the Management VLAN
# (see the segmentation plan above) gets in.
ufw default deny incoming
ufw default allow outgoing
ufw allow from 10.10.0.0/24 to any port 22 proto tcp
ufw allow from 10.10.0.0/24 to any port 80 proto tcp
ufw allow from 10.10.0.0/24 to any port 443 proto tcp
ufw enable              # enable last, after the SSH rule exists
ufw status numbered     # verify order and that no wider rule survived
```
### SSL/TLS Certificate Management
**Pattern**: Automated certificate lifecycle
```bash
# Let's Encrypt automation
# Two caveats: Let's Encrypt only issues for publicly resolvable names, so
# the homelab.local names used in this doc are placeholders here (use a
# registered domain you control, or an internal CA for .local). A wildcard
# name requires the DNS-01 challenge, which the --nginx authenticator cannot
# perform; use a DNS plugin for your provider, or --manual as shown
# (unattended --manual renewals additionally need --manual-auth-hook).
certbot certonly --manual --preferred-challenges dns \
  --email admin@homelab.local \
  --agree-tos \
  --domains homelab.local,*.homelab.local

# Certificate renewal automation (root crontab). --deploy-hook runs only
# when a certificate was actually renewed, unlike an unconditional reload.
0 2 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx"
```
## Performance Optimization
### Connection Management
**Pattern**: Optimized connection handling
```nginx
# Nginx performance tuning (/etc/nginx/nginx.conf). Each directive belongs
# to a specific context; placed elsewhere, nginx refuses to start.
worker_processes auto;              # main context

events {
    worker_connections 1024;
}

http {
    keepalive_timeout  65;
    keepalive_requests 1000;

    # Compression. Caveat: gzip over TLS exposes responses that reflect
    # attacker-controlled input next to secrets (CSRF tokens etc.) to
    # BREACH-style compression side channels; keep it to static types or
    # disable it for such endpoints.
    gzip on;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/javascript;

    # Connection pooling: a server is skipped for 30s after 3 failures
    upstream backend {
        server 10.10.0.100:3000 max_fails=3 fail_timeout=30s;
        keepalive 32;   # used only with proxy_http_version 1.1 and an empty Connection header
    }
}
```
### Caching Strategies
**Pattern**: Multi-level caching architecture
```nginx
# Static content caching (server/location context). "immutable" with a
# one-year lifetime is only safe for fingerprinted filenames (app.3f2a9c.js);
# an unversioned app.js would never be refreshed by returning clients.
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 1y;
    add_header Cache-Control "public, immutable";
}

# Proxy caching. proxy_cache_path is valid only in the http context;
# proxy_cache and proxy_cache_valid go in a server or location block.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=app_cache:10m;   # http context

location / {                                                             # location context
    proxy_cache app_cache;
    proxy_cache_valid 200 302 10m;
    # Never hand one user's response to another: skip the cache for requests
    # that carry credentials. (nginx already declines to cache responses with
    # Set-Cookie or Cache-Control: private unless told to ignore those headers.)
    proxy_cache_bypass $http_authorization $http_cookie;
    proxy_no_cache     $http_authorization $http_cookie;
}
```
## Network Storage Integration
### CIFS/SMB Mount Resilience
**Pattern**: Robust network filesystem mounting
```fstab
# /etc/fstab: one entry per line. fstab has no backslash line continuation,
# so the option list must stay on a single line however long it gets.
# The credentials file (username=/password= lines) must be root-owned, mode
# 0600; fstab itself is world-readable, so never put password= in it.
# soft: return I/O errors after a timeout instead of hanging; acceptable for
# read-mostly media, risky for a backup target. Add vers=3.1.1 to pin the
# SMB dialect rather than relying on the kernel default.
//nas.homelab.local/media /mnt/media cifs credentials=/etc/cifs/credentials,uid=1000,gid=1000,file_mode=0644,dir_mode=0755,iocharset=utf8,cache=strict,actimeo=30,_netdev,reconnect,soft,rsize=1048576,wsize=1048576 0 0
```
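The fstab entry above fails in three quiet ways: split across continuation lines it is not one entry at all, a credentials file that is readable by other users leaks the NAS password, and options such as `soft` or a missing `vers=` change behaviour without any error. The Python below is an added example (not tooling from this page or the homelab repo) that lints a CIFS fstab line for those conditions. `SAMPLE_FSTAB` is the page's entry on one line, `BROKEN_FSTAB` is a constructed continuation-line version, and the credentials file is created in a temporary directory purely so the permission check can run offline; the finding codes are the example's own.

```python
"""Lint a CIFS /etc/fstab entry for mistakes that bite at boot or leak creds.

Added example; not tooling from the page or the homelab repo. Finding codes
(FIELDS, CRED-PERMS, ...) are this example's own naming.
"""
import os
import tempfile
from typing import Dict, List, Optional, Set

SAMPLE_FSTAB = (
    "//nas.homelab.local/media /mnt/media cifs "
    "credentials=/etc/cifs/credentials,uid=1000,gid=1000,file_mode=0644,"
    "dir_mode=0755,iocharset=utf8,cache=strict,actimeo=30,_netdev,reconnect,"
    "soft,rsize=1048576,wsize=1048576 0 0"
)

# Constructed: what a continuation-line layout looks like to a line parser.
BROKEN_FSTAB = (
    "//nas.homelab.local/media /mnt/media cifs \\\n"
    "credentials=/etc/cifs/credentials,\\\n"
    "_netdev 0 0"
)


def parse_options(field: str) -> Dict[str, str]:
    """Turn 'a=1,b,c=3' into {'a': '1', 'b': '', 'c': '3'}."""
    opts: Dict[str, str] = {}
    for item in field.split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def lint_cifs_entry(line: str, cred_path: Optional[str] = None) -> List[str]:
    """Return findings (empty list = clean). cred_path overrides credentials=
    so the permission check can be pointed at a test file."""
    fields = line.split()
    if len(fields) != 6:
        return [f"FIELDS: expected 6 whitespace-separated fields, got {len(fields)}; "
                "fstab is line-oriented and a trailing backslash does not join lines"]
    _source, _mount, fstype, optfield, _dump, _pass = fields
    if fstype != "cifs":
        return [f"FSTYPE: not a cifs entry ({fstype})"]
    opts = parse_options(optfield)
    findings: List[str] = []

    if "password" in opts or "pass" in opts:
        findings.append("INLINE-PASSWORD: fstab is world-readable; move the secret to credentials=")
    if "credentials" not in opts:
        findings.append("NO-CREDENTIALS: mount will prompt or fall back to guest access")
    if "_netdev" not in opts:
        findings.append("NO-NETDEV: mount is attempted before the network is up")
    if "vers" not in opts:
        findings.append("NO-VERS: dialect left to the kernel default; pin vers=3.1.1 "
                        "(kernels before 4.13 defaulted to SMB1)")
    if "soft" in opts:
        findings.append("SOFT: I/O errors after timeouts, buffered writes can be lost; "
                        "fine for read-mostly media, not for a backup target")

    path = cred_path or opts.get("credentials")
    if path:
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            findings.append(f"CRED-MISSING: {path} does not exist")
        else:
            if mode & 0o077:
                findings.append(f"CRED-PERMS: {path} is readable by group/other "
                                f"(mode {oct(mode & 0o777)}); chmod 0600 it")
    return findings


def finding_codes(findings: List[str]) -> Set[str]:
    """Just the code before the colon, for compact reporting."""
    return {f.split(":", 1)[0] for f in findings}


def demo() -> Dict[str, List[str]]:
    """Lint the sample entry against a 0644 and then a 0600 credentials file."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        cred = os.path.join(tmp, "credentials")
        with open(cred, "w") as fh:
            fh.write("username=media\npassword=constructed-not-a-real-secret\n")
        os.chmod(cred, 0o644)
        results["loose"] = lint_cifs_entry(SAMPLE_FSTAB, cred_path=cred)
        os.chmod(cred, 0o600)
        results["tight"] = lint_cifs_entry(SAMPLE_FSTAB, cred_path=cred)
    results["broken"] = lint_cifs_entry(BROKEN_FSTAB)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, sorted(finding_codes(findings)))
```

Against the page's own entry with a properly protected credentials file the only findings are `NO-VERS` and `SOFT`, both deliberate choices worth recording next to the mount rather than errors.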
## Monitoring and Observability
### Network Health Monitoring
**Pattern**: Automated connectivity verification
```bash
#!/bin/bash
# network-health-check.sh
HOSTS="10.10.0.10 10.10.0.20 10.10.0.43"
DNS_SERVERS="10.10.0.16 8.8.8.8"

for host in $HOSTS; do
    if ping -c1 -W5 "$host" >/dev/null 2>&1; then
        echo "✅ $host: Reachable"
    else
        echo "❌ $host: Unreachable"
    fi
done

for dns in $DNS_SERVERS; do
    # Query each server directly rather than through /etc/resolv.conf
    if nslookup google.com "$dns" >/dev/null 2>&1; then
        echo "✅ DNS $dns: Working"
    else
        echo "❌ DNS $dns: Failed"
    fi
done
```
### Service Availability Monitoring
**Pattern**: HTTP/HTTPS endpoint monitoring
```bash
# Service health check
# The Proxmox web UI on 8006 is HTTPS only, and its default certificate is
# self-signed: give curl the node's CA with --cacert rather than disabling
# verification with -k, otherwise the check no longer proves it reached
# your node rather than something answering on that address.
SERVICES="https://homelab.local https://proxmox.homelab.local:8006"

for service in $SERVICES; do
    if curl -sSf --max-time 10 "$service" >/dev/null 2>&1; then
        echo "✅ $service: Available"
    else
        echo "❌ $service: Unavailable"
    fi
done
```
## Common Integration Patterns
### Reverse Proxy with Docker
**Pattern**: Container service exposure
```nginx
# Container service exposure. api-container / web-container resolve through
# Docker's embedded DNS, so nginx must share a Docker network with them.
# A literal hostname in proxy_pass is resolved once, at startup: after a
# container is recreated with a new address, reload nginx (or use a variable
# in proxy_pass together with "resolver 127.0.0.11").
location /api/ {
    proxy_pass http://api-container:3000/;
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
}

location /web/ {
    proxy_pass http://web-container:8080/;
    proxy_set_header Host $host;
    # WebSocket support: the Upgrade handshake needs HTTP/1.1 and a
    # per-request Connection header. $connection_upgrade comes from a map
    # in the http context: map $http_upgrade $connection_upgrade { default upgrade; '' close; }
    proxy_http_version 1.1;
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}
```
### VPN Integration
**Pattern**: Secure remote access
```openvpn
# OpenVPN server configuration
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key          # encrypt+authenticate the control channel; unauthenticated packets are dropped before the TLS handshake
cipher AES-256-GCM        # the legacy default (BF-CBC) is weak
auth SHA256
server 10.8.0.0 255.255.255.0
# Home lab networks. A /16 route hands VPN clients every VLAN, including
# management; narrow the pushed routes or filter on the tun interface.
push "route 10.10.0.0 255.255.0.0"
keepalive 10 120
user nobody               # drop privileges after startup
group nogroup
persist-key
persist-tun
```
## Best Practices
### Security Implementation
1. **SSH Keys Only**: Disable password authentication everywhere
2. **Network Segmentation**: Use VLANs for isolation
3. **Certificate Management**: Automate SSL/TLS certificate lifecycle
4. **Access Control**: Implement least-privilege networking
5. **Monitoring**: Continuous network and service monitoring
### Performance Optimization
1. **Connection Pooling**: Reuse connections for efficiency
2. **Caching**: Implement multi-level caching strategies
3. **Compression**: Enable gzip for reduced bandwidth
4. **Keep-Alives**: Optimize connection persistence
5. **Static Assets**: Serve fingerprinted static content with long cache lifetimes
### Operational Excellence
1. **Documentation**: Maintain network topology documentation
2. **Automation**: Script routine network operations
3. **Backup**: Regular configuration backups
4. **Testing**: Regular connectivity and performance testing
5. **Change Management**: Controlled network configuration changes
This technology context provides comprehensive guidance for implementing robust networking infrastructure in home lab environments.