Add more on network

.gitea/workflows/release.yaml

@@ -32,7 +32,7 @@ jobs:
           password: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Build docker image
+      - name: Build Docker image
         uses: docker/build-push-action@v6
         with:
           context: .

docs/homelab/index.md

@@ -1,9 +1,29 @@
 ---
 sidebar_position: 1
+title: Homelab
 ---
 
-# What is it?
+## What is it?
 
-This is my project of publicly available documentation of my home servers and services.
+This is my project of publicly available documentation of my home servers and self-hosted services.
 
-Working on it...
+## Network
+
+The gate to my HomeLab is a **UniFi Cloud Gateway Ultra**. It is connected to a **1 Gbps** fiber optic from my ISP and manages **3 static WAN IP** addresses.
+
+The local network is separated into **four VLANs**.
+
+The gateway is also a DNS server for all local network and VPN clients.
+
+WiFi network is delivered by **two UniFi U6+** access points powered with the **Switch Lite 8 PoE**.
+
+[More on network](network.md)
+
+## Servers
+My family home cloud is provided by the **Synology DS423+**. It is for photos and documents hosting and sharing.
+
+I also have a **DIY NAS with TrueNAS Community Edition** on it that hosts most of the services for personal and family use, that are not from Synology.
+
+The third one is the **Asus PN42** min PC with an Intel N100 CPU with the **Proxomox VE** on it. It hosts public services, like this website, my Gitea instance, and others.
+
+I also have a mighty **Home Assistant Blue** with... well **Home Assistant** on it. It does not depend on other servers and has a separate Cloudflare tunnel to it from the outside to be available even when all other servers fail.

docs/homelab/network.md

@@ -0,0 +1,111 @@
+---
+sidebar_position: 2
+title: Network
+---
+The gate to my HomeLab is a **UniFi Cloud Gateway Ultra**. It is connected to a **1 Gbps** fiber optic from my ISP and manages **3 static WAN IP** addresses.
+
+## Hardware
+
+```mermaid
+---
+config:
+  look: handDrawn
+  theme: forest
+---
+flowchart TB
+  gateway(UniFi Cloud Gateway Ultra)
+  poe(UniFi Switch Light 8 PoE)
+  wifi1((UniFi U6+))
+  wifi2((UniFi U6+))
+  ISP <--> gateway
+  gateway <--> lan1[LAN] 
+  gateway <--> poe
+  poe <--> lan2[LAN]
+  poe <-->|PoE| wifi1
+  poe <-->|PoE| wifi2
+```
+
+## WAN
+
+### Port forwarding
+
+```mermaid
+---
+config:
+  look: handDrawn
+  theme: neutral
+---
+flowchart LR
+    W8[WAN IP *8]
+    W9[WAN IP *9]
+    W0[WAN IP *0]
+    montgomery("`Synology NAS
+    _DSM Web UI, Hyper Backup Vault, Drive Server_`")
+    plex(Plex external access)
+    ingress50("`ingress-50
+    _Zoraxy_`")
+    ingress1("`ingress-1
+    _Zoraxy_`")
+    WAN1 --> W8
+    WAN1 --> W9
+    WAN1 --> W0
+    W8 --> montgomery
+    W8 --> plex
+    W8 --> qbt(qBittorrent)
+    W9 --> gitssh(Gitea SSH)
+    W9 --> ingress50 --> pub(Public services)
+    W0 --> ingress1 --> per(Personal services)
+```
+
+### Firewall rules
+In addition to default rules.
+
+| Name                      | Action | Source Zone   | Destination Zone |
+|-------------------------- | ------ | ------------- | ---------------- |
+| Allow UniFi remote access | Allow  | External      | Gateway          |
+
+## Local network
+### VLANs
+| Name        | Subnet            | Description                                                   | Isolate network |
+|------------ | ----------------- | ------------------------------------------------------------- | --------------- |
+| **Default** | _192.168.1.0/24_  | Default local network for laptops, family phones and tablets  | No              |
+| **Pub**     | _192.168.50.0/24_ | An isolated VLAN for public services                          | No              |
+| **Guest**   | _192.168.5.0/24_  | An isolated VLAN for guest WiFi access                        | No              |
+| **IoT**     | _192.168.6.0/24_  | An isolated VLAN for connected home appliance                 | No              |
+
+- Device Isolation is disabled for all networks
+
+### Firewall zones
+| Name            | Built in | Networks / Interfaces                       |
+|---------------- | -------- | ------------------------------------------- |
+| Internal        | ✅       | [`Default`](#vlans)                         |
+| External        | ✅       | [`Primary (WAN1)`](#wan) `Secondary (WAN2)` |
+| Gateway         | ✅       | -                                           |
+| VPN             | ✅       | [`Hearthstone`](#vpn) [`VPS`](#vpn)         |
+| Hotspot         | ✅       | [`Guest`](#vlans)                           |
+| DMZ             | ✅       | -                                           |
+| VLAN 50         | ❌       | [`Pub`](#vlans)                             |
+| VLAN 6          | ❌       | [`IoT`](#vlans)                             |
+
+### Zones access rules
+Additional Firewall rules allowing or blocking zone-to-zone or subnet-to-subnet communications.
+
+| Source Zone   | Destination Zone | Source                | Destination                 | Action             | Description                                                                        | 
+|-------------- | ---------------- | --------------------- | --------------------------- | ------------------ | ---------------------------------------------------------------------------------- |
+| Internal      | VLAN 50          | All                   | All                         | Allow with return  | Allow all traffic from [`Default`](#vlans) network to [`Pub`](#vlans)              |
+| Internal      | VLAN 6           | All                   | All                         | Allow with return  | Allow all traffic from [`Default`](#vlans) network to [`IoT`](#vlans)              |
+| VPN           | Internal         | [VPS subnet](#vpn)    | All                         | Allow only return  | Allow return traffic from [`VPS`](#vpn) subnet to [`Default`](#vlans)              |
+| VPN           | Internal         | [VPS subnet](#vpn)    | All                         | Block              | Block [`VPS`](#vpn) VPN clients from accessing the [`Default`](#vlans) network     |
+| VPN           | Hotspot          | [VPS subnet](#vpn)    | All                         | Block              | Block [`VPS`](#vpn) VPN clients from accessing the [`Guest`](#vlans) network       |
+| VPN           | DMZ              | [VPS subnet](#vpn)    | All                         | Block              | Block [`VPS`](#vpn) VPN clients from accessing the [`DMZ`](#firewall-zones) zone   |
+| VPN           | VLAN 50          | All                   | [Hearthstone](#vpn)         | Allow all          | Allow [`Hearthstone`](#vpn) VPN clients access to [`Pub`](#vlans) network          |
+| VPN           | VLAN 6 (IoT)     | All                   | [Hearthstone](#vpn)         | Allow all          | Block [`Hearthstone`](#vpn) VPN clients access to [`IoT`](#vlans) network          |
+| VLAN 50       | VLAN 50          | All                   | All                         | Allow all          | Allow [`Pub`](#vlans) network clients accessing each other                         |
+
+## VPN
+There are two Wireguard servers configured:
+1. **Hearthstone**. Subnet _192.168.3.0/24_. For external access to all local networks.
+1. **VPS**. Subnet _192.168.4.0/24_. For accessing VPS servers as local network devices.
+
+## DNS Server
+I use my gateway as a local DNS server with additional records for internal services, allowing them to be accessed using domain names like `beszel.int.example.com`, but only from the LAN or VPN. Almost all internal domains are pointing to the `ingress1` (Zoraxy reverse proxy), that also manages SSL termination.

docusaurus.config.js

@@ -36,6 +36,12 @@ const config = {
     locales: ['en'],
   },
 
+  markdown: {
+    mermaid: true,
+  },
+
+  themes: ['@docusaurus/theme-mermaid'],
+
   scripts: [
     {
       src: 'https://plausible.nicelycomposed.codes/js/script.outbound-links.js',
@@ -94,9 +100,9 @@ const config = {
         items: [
           {
             type: 'docSidebar',
-            sidebarId: 'homelabSidebar',
+            sidebarId: 'docsSidebar',
             position: 'left',
-            label: 'HomeLab',
+            label: 'Homelab',
           },
           { to: '/blog', label: 'Blog', position: 'left' },
         ],
@@ -117,11 +123,11 @@ const config = {
               },
               {
                 label: 'Blog RSS feed',
-                to: '/blog/rss.xml',
+                to: 'pathname:///blog/rss.xml',
               },
               {
                 label: 'Blog Atom feed',
-                to: '/blog/atom.xml',
+                to: 'pathname:///blog/atom.xml',
               },
             ],
           },

package.json

@@ -1,6 +1,6 @@
 {
   "name": "yevi-org",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "private": true,
   "scripts": {
     "docusaurus": "docusaurus",
@@ -16,6 +16,7 @@
   "dependencies": {
     "@docusaurus/core": "3.7.0",
     "@docusaurus/preset-classic": "3.7.0",
+    "@docusaurus/theme-mermaid": "^3.7.0",
     "@mdx-js/react": "^3.0.0",
     "clsx": "^2.0.0",
     "prism-react-renderer": "^2.3.0",

sidebars.js

@@ -16,10 +16,9 @@
  */
 const sidebars = {
 
-  homelabSidebar: [{
+  docsSidebar: [{
-    type: 'doc',
+    type: 'autogenerated',
-    id: 'homelab/index',
+    dirName: '.',
-    label: 'HomeLab',
   },],
 
 

src/components/HomepageFeatures/index.js

@@ -14,12 +14,12 @@ const FeatureList = [
     ),
   },
   {
-    title: 'HomeLab Documented',
+    title: 'Homelab Documented',
     link: 'docs/homelab',
     Svg: require('@site/static/img/homelab.svg').default,
     description: (
       <>
-        Here I'm trying my best in documenting my home servers and services.
+        Here I'm trying my best in documenting my home servers and self-hosted services.
       </>
     ),
   },