scandora.net Infrastructure

Welcome to the private documentation for the scandora.net network infrastructure.

Quick Links

Section	Description
Web Access	All web UIs, dashboards & admin consoles
Network Overview	High-level topology and site connectivity
Hosts Reference	All hosts with IPs and access methods
Emergency Access	SSM/IAP backdoor procedures
Troubleshooting	Common issues and solutions

Network at a Glance

graph TB
    subgraph "Iowa - Owl"
        OWL[Owl Gateway<br/>10.7.0.1]
        OWL_LAN[10.7.0.0/16]
    end

    subgraph "Colorado - Blue"
        BLUE[Blue Gateway<br/>10.15.0.1]
        BLUE_LAN[10.15.0.0/16]
    end

    subgraph "Cloud"
        PLUTO[Pluto<br/>AWS - 10.0.0.10]
        DUMBO[Dumbo<br/>GCE - 10.1.0.110]
        BOGART[Bogart<br/>GCE - 10.10.10.10]
    end

    ZT((ZeroTier<br/>192.168.194.0/24))

    OWL --- ZT
    BLUE --- ZT
    PLUTO --- ZT
    DUMBO --- ZT
    BOGART --- ZT

    OWL --- OWL_LAN
    BLUE --- BLUE_LAN

Sites

Site	Location	Gateway	Subnet	ISP
Owl	Iowa	10.7.0.1	10.7.0.0/16	Metronet (static IP)
Blue	Colorado	10.15.0.1	10.15.0.0/16	Starlink (DHCP)

Cloud Instances

Instance	Provider	Internal IP	Purpose
pluto	AWS	10.0.0.10	Production workloads
dumbo	GCE	10.1.0.110	General workloads
bogart	GCE	10.10.10.10	PowerDNS server
mickey	AWS	10.0.0.20	Dev/IaC (ephemeral)

Getting Started

View Documentation Locally

# Install dependencies (one-time)
pip install -r requirements-docs.txt

# Start local server with hot-reload
mkdocs serve

# Open http://localhost:8000

Common Tasks

• SSH to a host: See SSH Access
• Deploy changes: See Deployment Guide
• Manage secrets: See Secrets Management
• DNS changes: See DNS Architecture

Repository Structure

scandora.net/
├── gateways/           # OPNsense gateway configs
│   ├── owl/            # Iowa gateway
│   └── blue/           # Colorado gateway
├── zerotier/           # Overlay network config
├── cloud/              # Cloud infrastructure
│   ├── terraform/      # Provisioning
│   └── ansible/        # Configuration
├── dns/                # DNS architecture
├── docs/               # This documentation
└── scripts/            # Shared tooling

Key Policies

Static IP Protection

All static/elastic IPs use lifecycle { prevent_destroy = true } in Terraform. These IPs are managed separately and must never be destroyed. See Terraform Patterns for details.

Security

• Never SSH as root - use joe with sudo
• All credentials in 1Password - never commit secrets
• fail2ban enabled on all internet-exposed hosts