Glossary
Definitive reference for hostnames, acronyms, product names, VLANs, and key concepts used throughout the AORXI homelab documentation.
A decoder ring for every term, hostname pattern, product, and acronym on this site. Entries are grouped by category; within each table rows are alphabetical.
Hostname Conventions
Every managed host follows the pattern <site>-<type>-<seq>, where sa = Site A and sb = Site B. The one exception is the demoted gw router, which carries no sequence number (sa-gw, sb-gw).
| Type code | Meaning | Examples |
|---|---|---|
| ap | Access point (UniFi Wi-Fi) | sa-ap-01 |
| cmp | Compute node (Proxmox worker) | sa-cmp-01, sb-cmp-03 |
| dns | DNS service VM (Technitium) | sa-dns-01, sb-dns-02 |
| edge | Edge appliance — hosts Proxmox + OPNsense VM | sa-edge-01, sb-edge-01 |
| fw | Firewall VM (OPNsense guest) | sa-fw-01, sb-fw-01 |
| gw | Demoted router kept for existing users | sa-gw, sb-gw |
| stor | Storage server (ZFS / PBS) | sa-stor-01 |
| sw | Managed switch | sa-sw-01, sb-sw-02 |
Proxmox cluster names follow the same site prefix: sa-pve (Site A cluster) and sb-pve (Site B cluster).
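An added example (not part of the AORXI docs) that turns the convention above into an inventory check: it parses `<site>-<type>-<seq>`, enforces the gw no-sequence exception, and rejects anything with an unknown site or type code. The type table is the one on this page, plus bao and uos because sa-bao-01 and sa-uos-01 appear elsewhere on the page; cluster names such as sa-pve are deliberately rejected because they are not hosts.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Type codes from the conventions table on this page. bao (OpenBao) and uos
# (UniFi OS Server) are not in that table, but sa-bao-01 / sa-uos-01 appear
# elsewhere on the page, so they are accepted here as well (an assumption).
HOST_TYPES = {
    "ap": "access point", "cmp": "compute node", "dns": "DNS service VM",
    "edge": "edge appliance", "fw": "firewall VM", "gw": "demoted router",
    "stor": "storage server", "sw": "managed switch",
    "bao": "OpenBao secrets manager", "uos": "UniFi OS Server",
}
SITES = {"sa": "Site A", "sb": "Site B"}
NO_SEQ_TYPES = {"gw"}  # sa-gw / sb-gw carry no sequence number
HOST_RE = re.compile(r"^(?P<site>[a-z]{2})-(?P<type>[a-z]+)(?:-(?P<seq>\d{2}))?$")


@dataclass(frozen=True)
class ManagedHost:
    site: str
    type: str
    seq: Optional[int]


def parse_hostname(name: str) -> ManagedHost:
    """Parse <site>-<type>-<seq>; raise ValueError for anything off-convention."""
    m = HOST_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} does not match <site>-<type>-<seq>")
    site, htype, seq = m.group("site"), m.group("type"), m.group("seq")
    if site not in SITES:
        raise ValueError(f"{name!r}: unknown site prefix {site!r}")
    if htype not in HOST_TYPES:
        raise ValueError(f"{name!r}: unknown type code {htype!r}")
    if htype in NO_SEQ_TYPES and seq is not None:
        raise ValueError(f"{name!r}: type {htype!r} takes no sequence number")
    if htype not in NO_SEQ_TYPES and seq is None:
        raise ValueError(f"{name!r}: type {htype!r} requires a two-digit sequence")
    return ManagedHost(site, htype, int(seq) if seq is not None else None)


def audit_inventory(names: Iterable[str]) -> Dict[str, str]:
    """Return {hostname: reason} for every name that breaks the convention."""
    problems: Dict[str, str] = {}
    for name in names:
        try:
            parse_hostname(name)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems
```

Feeding the Ansible inventory hostnames through audit_inventory before a run catches typos and off-convention names before they reach a host.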
Products & Software
| Term | What it is |
|---|---|
| Ansible | Configuration management; drives OS hardening (STIG-mapped) and baseline across all Proxmox hosts (baseline/), plus app-level config for UniFi, OPNsense, and OpenBao (unifi/config/, opnsense/config/, openbao/config/). |
| Ceph | Distributed storage cluster at Site B (20–30 OSDs across sb-cmp-01–sb-cmp-05). Not present at Site A. |
| Cilium | Preferred CNI for Kubernetes; runs in overlay mode with eBPF-based networking and policy enforcement. |
| Cloudflare | DNS registrar and CDN for the public aorxi.io zone; provides the DNS-01 challenge endpoint for Let's Encrypt. |
| Corosync | Cluster heartbeat and quorum daemon underpinning Proxmox HA. Runs on VLAN 25 (no gateway; never routed). |
| MetalLB | Bare-metal load balancer for Kubernetes; allocates VIPs from the VLAN 50 (K8s LB / VIPs) pool. |
| Netgear | Brand of the 10 Gb managed core switches: sa-sw-01 (XS716T, 16-port) at Site A and sb-sw-01 (XS748T, 48-port) at Site B. |
| OpenBao | Open-source secrets manager (Vault fork); one instance per site (sa-bao-01 at 10.10.30.40, sb-bao-01 at 10.20.30.40) on the edge E200s. Runtime secrets live here; consumers fall back to encrypted files if it is unreachable. |
| OPNsense | Open-source firewall and router; runs as a VM (sa-fw-01 / sb-fw-01) on each site's edge host. Acts as the infrastructure router upstream of all UniFi devices. |
| PBS | Proxmox Backup Server — backup appliance providing incremental, deduplicated backups of Proxmox VMs and containers. Abbreviated PBS after first use per page. |
| Proxmox | Proxmox Virtual Environment — the KVM/LXC hypervisor platform running on all bare-metal servers in this homelab. |
| Pulumi | Infrastructure-as-code tool used to provision Proxmox API objects (VMs, storage, networks). Projects: platform/ (host firewall + shared infra), unifi/provision/, opnsense/provision/, openbao/provision/; shared building blocks in core/. |
| Technitium | DNS server software powering the four internal DNS VMs (sa-dns-01, sa-dns-02, sb-dns-01, sb-dns-02). |
| UniFi | Ubiquiti network product line providing the access-layer switches (sb-sw-02) and demoted routers kept for existing Wi-Fi users. |
| UOS | UniFi OS Server — the self-hosted UniFi controller (sa-uos-01, 10.10.10.40 on VLAN 10). One controller for the whole lab; adopts standalone UniFi gear, never the Cloud Gateways. |
| WireGuard | Site-to-site VPN tunnel between sa-fw-01 and sb-fw-01 over the 10.255.0.0/24 transit network. |
| ZFS | Copy-on-write filesystem used on sa-stor-01 for VM storage, PBS data, and databases at Site A. |
VLANs at a Glance
Full subnet tables are on the VLAN Reference page. This table covers purpose only.
| VLAN | Name | Notes |
|---|---|---|
| 10 | Network Mgmt / IPMI | Switch management, IPMI BMC access; out-of-band |
| 20 | Proxmox Management | Proxmox web UI, SSH, cluster sync address |
| 25 | Corosync heartbeat | Dedicated cluster heartbeat; no GW — never routed |
| 30 | VM Services | Pinned service VMs: PBS, DNS appliances |
| 40 | Kubernetes Nodes | K8s machine network (/22 blocks per cluster) |
| 50 | K8s LB / VIPs | MetalLB address pool; API and ingress VIPs |
| 60 | Storage / Ceph public | Client-facing Ceph I/O; ZFS replication targets |
| 65 | Ceph cluster | Internal Ceph OSD replication; no GW — Site A reserved |
| 70 | DMZ | Internet-exposed services |
| 80 | Monitoring | Metrics collection and dashboards |
| 90 | Backup / Replication | PBS backup traffic and cross-site replication |
| 100 | Lab / Trusted Client | Lab endpoints and OpenShift machine networks |
| 110 | IoT | IoT devices; isolated from management networks |
| 120 | Guest WiFi | Guest wireless clients; no access to infrastructure |
| 253 | UniFi WAN transit | OPNsense-to-UniFi WAN link; .1 = OPNsense, .2 = UniFi WAN |
Key Concepts & Acronyms
| Term | Definition |
|---|---|
| /22 machine network | A /22 IP block (1022 usable addresses) allocated to a single Kubernetes or OpenShift cluster's node IPs. Multiple clusters each receive their own /22 carved from the VLAN 100 / Lab range. |
| aorxi.io | Public-facing domain registered on Cloudflare. Used for external DNS records and as the DNS-01 domain for Let's Encrypt certificates. |
| core.aorxi.io | Internal DNS zone served by Technitium DNS VMs; resolves all internal hostnames to private IPs without touching public DNS. |
| AXFR | DNS zone-transfer protocol. sa-dns-01 is the primary authoritative server; sa-dns-02, sb-dns-01, and sb-dns-02 receive zone updates via AXFR. |
| DNS-01 | ACME challenge type that proves domain ownership via a DNS TXT record rather than an HTTP endpoint. Used with the Cloudflare API for Let's Encrypt wildcard certificates — no public port 80/443 exposure required. |
| Double-NAT | Traffic from UniFi Wi-Fi clients is NATed by the UniFi router and again by OPNsense before reaching the internet. Intentional and accepted in this design. |
| IPMI | Intelligent Platform Management Interface — out-of-band management built into Supermicro BMCs. Provides console, power, and virtual media access independent of the host OS. |
| iKVM | IP-based KVM-over-IP console delivered through IPMI. Available as an HTML5 web client or a legacy Java applet; HTML5 does not support virtual ISO mount on older Supermicro boards. |
| Jumbo frames | Ethernet frames with MTU larger than 1500 bytes. Policy: default MTU of 1500 everywhere; 9000-byte jumbo frames only on storage VLANs 60, 65, and 90. Corosync (VLAN 25) is never jumbo. |
| LACP | Link Aggregation Control Protocol. Not used in this design — all inter-switch and host uplinks are single copper or SFP+ links (no bonding). |
| MTU | Maximum Transmission Unit — maximum Ethernet frame payload in bytes. See "Jumbo frames" above for the per-VLAN policy. |
| Stretched cluster | A single Proxmox or Ceph cluster whose nodes span two physical sites over WAN or VPN. Prohibited — one cluster per site only; PBS replication handles cross-site DR instead. |
| WireGuard transit | The 10.255.0.0/24 subnet used for the inter-site VPN tunnel. sa-fw-01 holds .1; sb-fw-01 holds .2. Neither site's L2 is extended across this link. |
Related Pages
- How It Fits Together — topology overview that puts these terms in context
- VLAN Reference — full VLAN table with subnets, gateways, and which switches carry each VLAN
- IP Tables — per-host and per-service address reference for both sites