Architecture Overview
| Property | Value |
|---|---|
| Operating System | Red Hat Enterprise Linux 9.7 (Plow) |
| Container Runtime | Podman 5.6.0 |
| Container Orchestration | Quadlet (systemd integration) |
| Reverse Proxy | nginx |
| Remote Access | Cloudflare Tunnel |
| Monitoring | Zabbix + Prometheus + Grafana |
| DNS | AdGuard Home + dnsmasq (local caching) |
Network Topology
```mermaid
graph TD
    Internet --> Cloudflare[Cloudflare CDN]
    Cloudflare --> cloudflared[cloudflared<br/>tunnel agent]
    cloudflared --> nginx[nginx :80<br/>reverse proxy]
    nginx --> AdGuard[AdGuard Home<br/>:53, :3000]
    nginx --> qBit[qBittorrent<br/>:8080]
    nginx --> AgentDVR[AgentDVR<br/>:8090]
    nginx --> Prometheus[Prometheus<br/>:9090]
    Prometheus --> Grafana[Grafana<br/>:3000]
    Prometheus --> nodeExporter[node-exporter<br/>:9100]
```
DNS Resolution Flow
```mermaid
graph TD
    Client[Client Request] --> AdGuard[AdGuard Home :53]
    AdGuard -->|Ad domain| NXDOMAIN[NXDOMAIN blocked]
    AdGuard -->|Known domain| Cache[Cache hit → Response]
    AdGuard -->|Unknown domain| Upstream[Upstream DNS → Cache → Response]
    AdGuard --> dnsmasq[dnsmasq :lo<br/>Local caching only]
```
Container Networking
Bridge Networks
- monitoring — Prometheus, Grafana, node-exporter, podman-exporter
- Internal communication only; only the Prometheus and Grafana ports are exposed to the host
Host Networking
- AdGuard Home — direct port binding (port 53 requires host networking)
- AgentDVR — GPU passthrough + UDP streams
- qBittorrent — BitTorrent peer connections
Monitoring Architecture
Layer 1: Zabbix (Infrastructure)
- Zabbix Server — central monitoring engine
- Zabbix Agent — host metrics collection
- PostgreSQL — time-series database
- Web UI — nginx reverse proxy on port 9080
Layer 2: Prometheus + Grafana (Containers)
- Prometheus — scrapes metrics from exporters
- node-exporter — host-level metrics (CPU, memory, disk, network)
- podman-exporter — container-level metrics
- Grafana — visualization dashboards (port 3000)
- All on a dedicated monitoring bridge network
Layer 3: Uptime Kuma (Availability)
- HTTP/TCP/DNS/keyword uptime checks
- Status page generation
- Notification integrations (email, webhooks)
Storage Architecture
Tier 1: OS (20G)
- RHEL 9.7 system files
- Package manager cache
- System logs
Tier 2: Container Cache (199G)
- Podman image store
- Container configuration
- Prometheus TSDB
- Grafana database
- Uptime Kuma database
Tier 3: Bulk Storage (932G)
- Security camera recordings
- Torrent downloads
- Obsidian vaults
- Backup images
Security Architecture
Perimeter
- Cloudflare Tunnel — no inbound ports on firewall
- Cloudflare CDN — DDoS protection, WAF rules
- firewalld — host firewall (defense in depth)
Network
- AdGuard Home — DNS-level ad/tracker blocking
- dnsmasq — local DNS caching (reduces external queries)
- Container isolation — each service in its own container
Host
- SELinux — permissive mode (denials are logged but not enforced)
- systemd — service isolation and resource limits
- Podman — rootless-capable, no Docker daemon
Data
- Volume mounts — read-only where possible
- Socket mounts — read-only (/run/podman/podman.sock:ro)
- PostgreSQL — local access only
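The host-networking list and the read-only socket mount above are policy statements; the following is an added audit script (not part of the original page or of any project it names) that checks `podman inspect` output against that policy. The container names in the allow list and the sample JSON are assumptions constructed for the example.

```python
import json

# Containers the page documents as intentionally using host networking
# (names are assumed; adjust to the real container names on the host).
ALLOWED_HOST_NET = {"adguard", "agentdvr", "qbittorrent"}
PODMAN_SOCK = "/run/podman/podman.sock"


def audit(inspect_json: str) -> list[str]:
    """Return findings for `podman inspect <ctr...>` output (a JSON list):
    - host networking on a container that is not on the allow list
    - the Podman API socket bind-mounted read-write instead of :ro
    - privileged containers, which would undo the other controls"""
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        hc = c.get("HostConfig", {})
        if hc.get("NetworkMode") == "host" and name not in ALLOWED_HOST_NET:
            findings.append(f"{name}: host networking not in allow list")
        if hc.get("Privileged"):
            findings.append(f"{name}: privileged container")
        for m in c.get("Mounts", []):
            # Podman reports bind mounts with Source/Destination and RW=true/false.
            if m.get("Source") == PODMAN_SOCK and m.get("RW", True):
                findings.append(
                    f"{name}: {PODMAN_SOCK} mounted read-write (expected :ro)")
    return findings


# Constructed sample: shape mirrors `podman inspect`, values are made up.
SAMPLE = json.dumps([
    {"Name": "podman-exporter",
     "HostConfig": {"NetworkMode": "monitoring", "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": PODMAN_SOCK,
                 "Destination": "/var/run/podman/podman.sock", "RW": True}]},
    {"Name": "adguard",
     "HostConfig": {"NetworkMode": "host", "Privileged": False}, "Mounts": []},
    {"Name": "grafana",
     "HostConfig": {"NetworkMode": "host", "Privileged": False}, "Mounts": []},
])

if __name__ == "__main__":
    # On the real host: podman inspect $(podman ps -q) | python3 audit.py
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

Run it with real output (`podman inspect $(podman ps -q)`) to confirm the socket is mounted `:ro` and that only the three documented services sit on the host network.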