cal/claude-home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5bd5e31798
claude-home/networking/CONTEXT.md
Cal Corum 10c9e0d854 CLAUDE: Migrate to technology-first documentation architecture 
Complete restructure from patterns/examples/reference to technology-focused directories:

• Created technology-specific directories with comprehensive documentation:
  - /tdarr/ - Transcoding automation with gaming-aware scheduling
  - /docker/ - Container management with GPU acceleration patterns
  - /vm-management/ - Virtual machine automation and cloud-init
  - /networking/ - SSH infrastructure, reverse proxy, and security
  - /monitoring/ - System health checks and Discord notifications
  - /databases/ - Database patterns and troubleshooting
  - /development/ - Programming language patterns (bash, nodejs, python, vuejs)

• Enhanced CLAUDE.md with intelligent context loading:
  - Technology-first loading rules for automatic context provision
  - Troubleshooting keyword triggers for emergency scenarios
  - Documentation maintenance protocols with automated reminders
  - Context window management for optimal documentation updates

• Preserved valuable content from .claude/tmp/:
  - SSH security improvements and server inventory
  - Tdarr CIFS troubleshooting and Docker iptables solutions
  - Operational scripts with proper technology classification

• Benefits achieved:
  - Self-contained technology directories with complete context
  - Automatic loading of relevant documentation based on keywords
  - Emergency-ready troubleshooting with comprehensive guides
  - Scalable structure for future technology additions
  - Eliminated context bloat through targeted loading

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-12 23:20:15 -05:00

309 lines
7.8 KiB
Markdown
Raw Blame History

# Networking Infrastructure - Technology Context
## Overview
Home lab networking infrastructure with focus on reverse proxy configuration, SSL/TLS management, SSH key management, and network security. This context covers service discovery, load balancing, and performance optimization patterns.
## Architecture Patterns
### Reverse Proxy and Load Balancing
**Pattern**: Centralized traffic management with SSL termination
```nginx
# Nginx reverse proxy pattern
upstream backend {
server 10.10.0.100:3000;
server 10.10.0.101:3000;
keepalive 32;
}
server {
listen 443 ssl http2;
server_name myapp.homelab.local;
ssl_certificate /etc/ssl/certs/homelab.crt;
ssl_certificate_key /etc/ssl/private/homelab.key;
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```
### Network Segmentation Strategy
**Pattern**: VLAN-based isolation with controlled inter-VLAN routing
```
Management VLAN: 10.10.0.x/24 # VM management, SSH access
Services VLAN: 10.10.1.x/24 # Application services
Storage VLAN: 10.10.2.x/24 # NAS, backup traffic
DMZ VLAN: 10.10.10.x/24 # External-facing services
```
## SSH Key Management
### Centralized Key Distribution
**Pattern**: Automated SSH key deployment with emergency backup
```bash
# Primary access key
~/.ssh/homelab_rsa # Daily operations key
# Emergency access key
~/.ssh/emergency_homelab_rsa # Backup recovery key
# Automated deployment
for host in $(cat hosts.txt); do
ssh-copy-id -i ~/.ssh/homelab_rsa.pub user@$host
ssh-copy-id -i ~/.ssh/emergency_homelab_rsa.pub user@$host
done
```
### Key Lifecycle Management
**Pattern**: Regular rotation with zero-downtime deployment
1. **Generation**: Create new key pairs annually
2. **Distribution**: Deploy to all managed systems
3. **Verification**: Test connectivity with new keys
4. **Rotation**: Remove old keys after verification
5. **Backup**: Store keys in secure, recoverable location
## Service Discovery and DNS
### Local DNS Resolution
**Pattern**: Internal DNS for service discovery
```bind
# Home lab DNS zones
homelab.local. IN A 10.10.0.16 # DNS server
proxmox.homelab.local. IN A 10.10.0.10 # Hypervisor
nas.homelab.local. IN A 10.10.0.20 # Storage
tdarr.homelab.local. IN A 10.10.0.43 # Media server
```
### Container Service Discovery
**Pattern**: Docker network-based service resolution
```yaml
# Docker Compose service discovery
version: "3.8"
services:
web:
networks:
- frontend
- backend
api:
networks:
- backend
- database
db:
networks:
- database
networks:
frontend:
driver: bridge
backend:
driver: bridge
database:
driver: bridge
internal: true # No external access
```
## Security Patterns
### SSH Security Hardening
**Configuration**: Secure SSH server setup
```sshd_config
# /etc/ssh/sshd_config.d/99-homelab-security.conf
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers cal
Protocol 2
ClientAliveInterval 300
ClientAliveCountMax 2
MaxAuthTries 3
X11Forwarding no
```
### Network Access Control
**Pattern**: Firewall-based service protection
```bash
# ufw firewall rules
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow from 10.10.0.0/24 to any port 22
ufw allow from 10.10.0.0/24 to any port 80
ufw allow from 10.10.0.0/24 to any port 443
```
### SSL/TLS Certificate Management
**Pattern**: Automated certificate lifecycle
```bash
# Let's Encrypt automation
certbot certonly --nginx \
--email admin@homelab.local \
--agree-tos \
--domains homelab.local,*.homelab.local
# Certificate renewal automation
0 2 * * * certbot renew --quiet && systemctl reload nginx
```
## Performance Optimization
### Connection Management
**Pattern**: Optimized connection handling
```nginx
# Nginx performance tuning
worker_processes auto;
worker_connections 1024;
keepalive_timeout 65;
keepalive_requests 1000;
gzip on;
gzip_vary on;
gzip_types text/plain text/css application/json application/javascript;
# Connection pooling
upstream backend {
server 10.10.0.100:3000 max_fails=3 fail_timeout=30s;
keepalive 32;
}
```
### Caching Strategies
**Pattern**: Multi-level caching architecture
```nginx
# Static content caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
# Proxy caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=app_cache:10m;
proxy_cache app_cache;
proxy_cache_valid 200 302 10m;
```
## Network Storage Integration
### CIFS/SMB Mount Resilience
**Pattern**: Robust network filesystem mounting
```fstab
//nas.homelab.local/media /mnt/media cifs \
credentials=/etc/cifs/credentials,\
uid=1000,gid=1000,\
file_mode=0644,dir_mode=0755,\
iocharset=utf8,\
cache=strict,\
actimeo=30,\
_netdev,\
reconnect,\
soft,\
rsize=1048576,\
wsize=1048576 0 0
```
## Monitoring and Observability
### Network Health Monitoring
**Pattern**: Automated connectivity verification
```bash
#!/bin/bash
# network-health-check.sh
HOSTS="10.10.0.10 10.10.0.20 10.10.0.43"
DNS_SERVERS="10.10.0.16 8.8.8.8"
for host in $HOSTS; do
if ping -c1 -W5 $host >/dev/null 2>&1; then
echo "✅ $host: Reachable"
else
echo "❌ $host: Unreachable"
fi
done
for dns in $DNS_SERVERS; do
if nslookup google.com $dns >/dev/null 2>&1; then
echo "✅ DNS $dns: Working"
else
echo "❌ DNS $dns: Failed"
fi
done
```
### Service Availability Monitoring
**Pattern**: HTTP/HTTPS endpoint monitoring
```bash
# Service health check
SERVICES="https://homelab.local http://proxmox.homelab.local:8006"
for service in $SERVICES; do
if curl -sSf --max-time 10 "$service" >/dev/null 2>&1; then
echo "✅ $service: Available"
else
echo "❌ $service: Unavailable"
fi
done
```
## Common Integration Patterns
### Reverse Proxy with Docker
**Pattern**: Container service exposure
```nginx
# Dynamic service discovery with Docker
location /api/ {
proxy_pass http://api-container:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
location /web/ {
proxy_pass http://web-container:8080/;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; # WebSocket support
}
```
### VPN Integration
**Pattern**: Secure remote access
```openvpn
# OpenVPN server configuration
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.10.0.0 255.255.0.0" # Home lab networks
keepalive 10 120
```
## Best Practices
### Security Implementation
1. **SSH Keys Only**: Disable password authentication everywhere
2. **Network Segmentation**: Use VLANs for isolation
3. **Certificate Management**: Automate SSL/TLS certificate lifecycle
4. **Access Control**: Implement least-privilege networking
5. **Monitoring**: Continuous network and service monitoring
### Performance Optimization
1. **Connection Pooling**: Reuse connections for efficiency
2. **Caching**: Implement multi-level caching strategies
3. **Compression**: Enable gzip for reduced bandwidth
4. **Keep-Alives**: Optimize connection persistence
5. **CDN Strategy**: Cache static content effectively
### Operational Excellence
1. **Documentation**: Maintain network topology documentation
2. **Automation**: Script routine network operations
3. **Backup**: Regular configuration backups
4. **Testing**: Regular connectivity and performance testing
5. **Change Management**: Controlled network configuration changes
This technology context provides comprehensive guidance for implementing robust networking infrastructure in home lab environments.
Reference in New Issue View Git Blame Copy Permalink