
Current Services Inventory

Source: Marc Mercer (SRE Lead) — sre-iac repository, Rev 1.0, 2026-02-24

This document captures services currently running on Proxmox with K3s — the state being migrated to the OpenStack platform. All services listed are operational in the current environment.

Core Infrastructure Services

FreeIPA Domain Controllers (dc-01, dc-02)

Attribute    Value
OS           AlmaLinux 9 (custom template)
Resources    2 vCPU / 2 GB RAM / 32 GB storage each
Hosted On    pmx-01 (dc-02), pmx-02 (dc-01)

Services: DNS (authoritative for anshinhealth.net internal), LDAP, Kerberos (realm: ANSHINHEALTH.NET), FreeIPA CA, NTP.

Redundancy: Active-active replication. Either controller can serve all authentication, DNS, and directory requests independently.

Migration note: FreeIPA remains the identity provider in the OpenStack environment. Keystone authenticates users against FreeIPA through its LDAP identity backend.


Reverse Proxy (rp-01)

Attribute     Value
Service       Caddy v2.6.4+ (EPEL)
Resources     2 vCPU / 2 GB RAM / 24 GB storage
IP Address    10.10.96.22
Hosted On     pmx-02

Wildcard TLS certificates from ZeroSSL (ECDSA). HTTP→HTTPS redirect (301). Per-service logging and monitoring.

External FQDN               Backend
gitlab.anshinhealth.net     gitlab-01.anshinhealth.net
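Added example of a Caddyfile for rp-01 that matches the behaviour listed above; it is not the configuration from the sre-iac repository. It assumes the ZeroSSL wildcard certificate and key are on disk under /etc/caddy/certs/ and that gitlab-01 accepts plain HTTP on port 80 from the proxy (switch the backend to https:// if GitLab's own TLS is in front). One detail matters for the "301" line above: Caddy's automatic HTTP to HTTPS redirect answers 308, so a 301 has to be declared explicitly.

```caddyfile
# rp-01 Caddyfile (added example, not the sre-iac repository's own config).
# Assumptions: certificate paths under /etc/caddy/certs/, backend on plain HTTP :80.

# Caddy's automatic HTTP->HTTPS redirect uses 308; the inventory states 301,
# so the plain-HTTP site is declared explicitly (this also disables the auto redirect).
http://gitlab.anshinhealth.net {
	redir https://{host}{uri} 301
}

gitlab.anshinhealth.net {
	# Wildcard certificate issued by ZeroSSL (ECDSA); a static cert disables ACME for this host.
	tls /etc/caddy/certs/wildcard.anshinhealth.net.pem /etc/caddy/certs/wildcard.anshinhealth.net.key

	# Per-service access log (structured JSON by default in Caddy v2).
	log {
		output file /var/log/caddy/gitlab.access.log {
			roll_size 100MiB
			roll_keep 10
		}
	}

	# Caddy sets X-Forwarded-For / X-Forwarded-Proto / X-Forwarded-Host itself.
	reverse_proxy http://gitlab-01.anshinhealth.net:80 {
		transport http {
			# Fail fast on an unreachable backend rather than holding client connections open.
			dial_timeout 5s
			response_header_timeout 60s
		}
	}
}
```

Check it before reloading: `caddy validate --config /etc/caddy/Caddyfile` catches syntax errors, and `curl -sI http://gitlab.anshinhealth.net/` should return `HTTP/1.1 301` with a `Location:` header pointing at the https URL.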

Migration note: In OpenStack, replaced by an OPNsense HA pair in the DMZ zone, which handles TLS termination, WAF, and reverse proxying via HAProxy.


VPN Gateway (nb-01)

Attribute     Value
Service       NetBird VPN
Resources     2 vCPU / 2 GB RAM / 24 GB storage
IP Address    10.10.96.21
Hosted On     pmx-02

Secure remote access to internal network. All management interfaces (Proxmox, Grafana, AlertManager, Karma) are VPN-only.


Database Server (db-01)

Attribute       Value
Service         PostgreSQL 17
Resources       8 vCPU / 96 GB RAM / 6 TB+ storage
IP Address      10.10.98.51
Hosted On       pmx-01
Storage Mount   /var/lib/pgsql/17/ on hpserver-storage

Centralized relational database serving GitLab, ERPNext, and Infisical.

Migration note: Migrates to OpenStack with Ceph-backed block storage, providing replication and snapshot capabilities.


Kubernetes Cluster (K3s on Proxmox LXC)

Control Plane

Node         IP            Hosted On   Resources
control-01   10.10.97.1    pmx-02      2 vCPU / 2 GB RAM
control-02   10.10.98.1    pmx-01      2 vCPU / 2 GB RAM

Worker Nodes

Node        IP             Hosted On   Resources
worker-01   10.10.97.11    pmx-02      12 vCPU / 96 GB RAM / 2 TB
worker-02   10.10.97.12    pmx-02      12 vCPU / 96 GB RAM / 2 TB
worker-03   10.10.98.11    pmx-01      12 vCPU / 96 GB RAM / 2 TB
worker-04   10.10.98.12    pmx-01      12 vCPU / 96 GB RAM / 2 TB

Worker total (control plane excluded): 48 vCPU / 384 GB RAM / 8 TB storage. MetalLB VIP: 10.10.98.40.

Platform Services

Service            Namespace        Purpose
external-dns       kube-system      Automatic DNS record creation in FreeIPA via RFC 2136 dynamic updates
MetalLB            metallb-system   LoadBalancer IP allocation for bare-metal K3s
Docker Hub cache   kube-system      Pull-through registry cache to avoid Docker Hub rate limits

Application Services (in-cluster)

Service                      Namespace    Purpose
kube-prometheus-stack        monitoring   Prometheus, Grafana, AlertManager, node-exporter, kube-state-metrics
Blackbox Exporter            monitoring   HTTP/HTTPS/TCP endpoint monitoring
Karma                        monitoring   AlertManager dashboard and alert aggregation
Cliq Translator              monitoring   AlertManager webhook → Zoho Cliq (currently paused; registry path fix needed)
Infisical                    infisical    Self-hosted secrets management platform
Infisical Secrets Operator   infisical    CRD-based secrets injection into K8s workloads

Application Services

GitLab CE (gitlab-01)

Attribute     Value
Resources     2 vCPU / 16 GB RAM / 24 GB root + 2 TB data
IP Address    10.10.96.41
Hosted On     pmx-02

  • Internal: gitlab-01.anshinhealth.net
  • External: gitlab.anshinhealth.net (via reverse proxy)
  • Registry: registry.anshinhealth.net (CNAME to GitLab)
  • Auth: LDAP via FreeIPA (gitlab-binder service account)

MongoDB (mongo-01)

Attribute     Value
Resources     4 vCPU / 24 GB RAM / 256 GB storage
IP Address    10.10.97.82
Hosted On     pmx-02

Shared MongoDB server (SecureDocs, future services). Internal only — no reverse proxy. Formerly erpnext-01.


Synthea Medical Records (synthea-01)

Attribute     Value
Resources     8 vCPU / 32 GB RAM / 2 TB storage
IP Address    10.10.96.81
Hosted On     pmx-02

Synthetic medical record generation (Synthea patient generator). Produces FHIR-compliant fictional patient data for testing healthcare workflows. No real PHI exists in this environment.


DeepSeek AI (deepseek-01)

Attribute     Value
Type          VM (not LXC); required for GPU passthrough
Resources     16 vCPU / 24 GB RAM / 128 GB storage
GPU           NVIDIA RTX 3090 (PCI passthrough)
IP Address    10.10.96.80
Hosted On     pmx-01

ML/AI model execution. GPU passthrough requires full VM rather than LXC container.


Monitoring Stack

Access: mon.anshinhealth.net (VPN-only, not exposed externally)

Component            Purpose                           Config
Prometheus           Metrics collection and storage    50 GB storage, 30-day retention
Grafana              Dashboards and visualization      LDAP auth via FreeIPA (dc-01:636, LDAPS)
AlertManager         Alert routing and notification    Webhook to Cliq Translator
node-exporter        Host-level metrics                DaemonSet on all nodes
kube-state-metrics   Kubernetes object metrics         Cluster-wide
Blackbox Exporter    Endpoint probe monitoring         HTTP/HTTPS/TCP probes
Karma                Alert dashboard                   karma.mon.anshinhealth.net (VPN-only)
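Added example of kube-prometheus-stack Helm values expressing the Prometheus and AlertManager settings in the table above; this is not the values file from the sre-iac repository. The storage class name and the Cliq Translator Service name, port and path are assumptions. Two settings a practitioner wants here that the table does not state: a size-based retention cap kept below the 50 GB volume, and a null route for the chart's always-firing Watchdog alert so it never reaches the webhook.

```yaml
# kube-prometheus-stack values (added example; not the sre-iac repository's own file).
# Assumed: storageClassName, and the Cliq Translator Service name/port/path.
prometheus:
  prometheusSpec:
    retention: 30d
    # Keep retentionSize below the PVC size: Prometheus drops the oldest blocks when
    # either limit is hit, but the WAL and in-progress compactions still need headroom
    # on the same volume, so a cap equal to the volume size still fills the disk.
    retentionSize: 45GB
    storageSpec:
      volumeClaimTemplate:
        spec:
          storageClassName: local-path   # assumed; K3s's default provisioner
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 50Gi

alertmanager:
  config:
    route:
      receiver: cliq
      group_by: ["alertname", "namespace"]
      group_wait: 30s
      group_interval: 5m
      repeat_interval: 4h
      routes:
        # Watchdog fires permanently as a liveness signal; route it nowhere.
        - receiver: "null"
          matchers:
            - alertname = Watchdog
    receivers:
      - name: "null"
      - name: cliq
        webhook_configs:
          # In-cluster Service of the Cliq Translator (name, port and path assumed).
          - url: http://cliq-translator.monitoring.svc.cluster.local:8080/alert
            send_resolved: true

grafana:
  ldap:
    enabled: true
    # Secret whose key "ldap-toml" holds ldap.toml; a natural target for the Infisical
    # Secrets Operator so the LDAP bind password never lands in the values file.
    existingSecret: grafana-ldap-toml
```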

Grafana auth: LDAP via FreeIPA. Currently binds with the gitlab-binder service account; a dedicated grafana-binder account is planned.
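Added example of the Grafana LDAP configuration (ldap.toml) for the setup described above; it is not the file from the sre-iac repository. The DNs under cn=accounts,dc=anshinhealth,dc=net follow FreeIPA's layout for the realm ANSHINHEALTH.NET; the binder DN under cn=sysaccounts, the CA path, the environment variable holding the bind password, and the two Grafana groups are assumptions. Two points the inventory implies but does not spell out: either controller can serve LDAP, so listing both hosts gives failover instead of pinning dc-01; and once group mappings are defined, LDAP users outside the mapped groups are refused rather than admitted as viewers.

```toml
# Grafana ldap.toml (added example; not the sre-iac repository's own file).
# Assumed: binder DN, CA path, ${GRAFANA_LDAP_BIND_PASSWORD}, group names.
[[servers]]
# Both controllers are active-active; Grafana tries space-separated hosts in order.
host = "dc-01.anshinhealth.net dc-02.anshinhealth.net"
port = 636
use_ssl = true
start_tls = false
# Never set ssl_skip_verify = true against the domain controllers; trust the FreeIPA CA instead.
ssl_skip_verify = false
root_ca_cert = "/etc/ipa/ca.crt"

# Read-only bind account (gitlab-binder today; a dedicated grafana-binder is planned).
bind_dn = "uid=gitlab-binder,cn=sysaccounts,cn=etc,dc=anshinhealth,dc=net"
# Kept out of the file; Grafana expands ${VAR} in ldap.toml (assumed to be provided by the pod env).
bind_password = "${GRAFANA_LDAP_BIND_PASSWORD}"

# Match on uid only; %s is escaped by Grafana, so the filter is not injectable.
search_filter = "(uid=%s)"
search_base_dns = ["cn=users,cn=accounts,dc=anshinhealth,dc=net"]

[servers.attributes]
name      = "givenName"
surname   = "sn"
username  = "uid"
# FreeIPA maintains memberOf on user entries, so group membership needs no second search.
member_of = "memberOf"
email     = "mail"

# Role mapping by FreeIPA group. Users matching none of these are denied login;
# do not add a group_dn = "*" catch-all unless every FreeIPA user should see dashboards.
[[servers.group_mappings]]
group_dn = "cn=grafana-admins,cn=groups,cn=accounts,dc=anshinhealth,dc=net"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=grafana-viewers,cn=groups,cn=accounts,dc=anshinhealth,dc=net"
org_role = "Viewer"
```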


Network Storage

QNAP NAS (qnap-01)

Attribute     Value
IP Address    10.10.96.31
Access        1G link to network switch

Centralized file storage and backup target. Available to all network services.


LXC Container Template

Custom AlmaLinux 9: hpserver-storage:vztmpl/almalinux-9-default_20240911_amd64.tar.xz

Pre-installed: vim, nano, curl, wget, unzip, htop, tmux, openssh-server, firewalld, freeipa-client, sssd, chrony. Domain-ready with FreeIPA client tools. Automated enrollment immediately after provisioning.


Document Control

Rev   Date         Author        Description
1.0   2026-02-24   Marc Mercer   Initial release