NETWORK SERVICES

> systemctl list-units --type=service --state=running

DNS RESOLUTION CHAIN
graph LR
    CLIENT["Any Device\nAll VLANs"] -->|"DNS query"| PIHOLE["Pi-hole\nFilter + Cache"]
    PIHOLE -->|"Allowed"| UNBOUND["Unbound\nRecursive Resolver"]
    UNBOUND -->|"Direct query"| ROOT["Authoritative\nNameservers"]
    PIHOLE -.->|"Blocked"| SINK["Sinkhole\n0.0.0.0"]

    style CLIENT fill:#0B0014,stroke:#E8E8E8,color:#E8E8E8
    style PIHOLE fill:#0B0014,stroke:#39FF14,color:#39FF14
    style UNBOUND fill:#0B0014,stroke:#00FFFF,color:#00FFFF
    style ROOT fill:#0B0014,stroke:#7B2FBE,color:#7B2FBE
    style SINK fill:#0B0014,stroke:#FF0000,color:#FF0000

DNS SOVEREIGNTY

Every DNS query on the network passes through two layers before reaching the internet. Pi-hole handles filtering — ads, trackers, malware domains, and age-inappropriate content are blocked before they ever resolve. Queries that pass the filter go to Unbound, a recursive resolver that talks directly to authoritative nameservers.

The result: no third-party DNS provider ever sees a query. Not Google, not Cloudflare, not the ISP. DNSSEC validation is enforced. Alternate DNS paths (DoH, DoT, direct resolver queries from devices) are blocked at the firewall — there's no way around Pi-hole.

FILTERING

Multiple curated blocklists. Age-appropriate filtering for children's zone.

PRIVACY

Recursive resolution direct to root. No forwarding to public resolvers.

ENFORCEMENT

Firewall blocks alternate DNS. No device can bypass Pi-hole.

SERVICE DEPENDENCY MAP
graph TD
    PI["Infrastructure Node\nAlways On"] --> PIHOLE["Pi-hole\nDNS Filtering"]
    PI --> UNBOUND["Unbound\nRecursive DNS"]
    PI --> VPN["WireGuard\nVPN Server"]
    PI --> ETL["Network ETL\nPython + systemd"]
    PI --> WOL["Wake-on-LAN\nPower Management"]
    PI --> HMI["HMI Dashboard\nStatus Display"]

    PIHOLE --> UNBOUND
    ETL --> DB[("PostgreSQL\nTelemetry Store")]
    ETL --> ALERTS["Email Alerts\nOffline / New Device"]
    WOL -->|"Magic packet"| SRV["Compute Server"]
    SRV --> PLEX["Media Server"]
    SRV --> AUTO["Media Automation"]
    VPN -.->|"Remote access"| PI

    style PI fill:#0B0014,stroke:#39FF14,color:#39FF14
    style PIHOLE fill:#0B0014,stroke:#39FF14,color:#39FF14
    style UNBOUND fill:#0B0014,stroke:#00FFFF,color:#00FFFF
    style VPN fill:#0B0014,stroke:#7B2FBE,color:#7B2FBE
    style ETL fill:#0B0014,stroke:#FF00FF,color:#FF00FF
    style WOL fill:#0B0014,stroke:#FF6B35,color:#FF6B35
    style HMI fill:#0B0014,stroke:#FF6B35,color:#FF6B35
    style DB fill:#0B0014,stroke:#FF00FF,color:#FF00FF
    style ALERTS fill:#0B0014,stroke:#FF00FF,color:#FF00FF
    style SRV fill:#0B0014,stroke:#7B2FBE,color:#7B2FBE
    style PLEX fill:#0B0014,stroke:#7B2FBE,color:#7B2FBE
    style AUTO fill:#0B0014,stroke:#7B2FBE,color:#7B2FBE

VPN — SECURE REMOTE ACCESS

WireGuard provides remote access with VLAN-aware routing. VPN clients are routed into the trusted zone with access to infrastructure, media, and surveillance. DNS queries from VPN clients go through Pi-hole — same filtering and privacy protections as being on the local network.

> Protocol: WireGuard (ChaCha20, Curve25519)

> Access: Trusted zone + infrastructure + media + surveillance

> DNS: Forced through Pi-hole

> Use cases: Remote camera viewing, network management, secure browsing

NETWORK ETL PIPELINE

A Python ETL pipeline runs on a systemd timer every 15 minutes. It pulls data from the network controller API — device state, client connections, traffic statistics, network events — and loads it into a local PostgreSQL instance.

This isn't just monitoring for monitoring's sake. The stored data enables:

ALERTING

Email notifications for offline devices and new client detection.

HISTORICAL ANALYSIS

Traffic trends, device uptime history, daily aggregate statistics.

ANOMALY DETECTION

Identify unexpected devices, unusual traffic patterns, firmware drift.

AUDIT TRAIL

Who connected, when, to which VLAN, and how much bandwidth they used.
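One way the alerting, anomaly-detection and audit steps above can fall out of a single 15-minute poll, as an added example and not the site's own pipeline code: it assumes the controller API yields client records with `mac`, `hostname`, `vlan` and `online` fields (a constructed shape, not a specific vendor's schema) and compares them with the state the previous poll left in PostgreSQL.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class ClientState:  # what the telemetry store remembers about one client between polls
    hostname: str
    vlan: int
    online: bool

def diff_poll(known: dict[str, ClientState], poll: list[dict]):
    """Compare one poll with stored state; return (new_state, alerts), alert = (kind, mac, detail).
    new_client: MAC never recorded before. vlan_change: known MAC now on a different VLAN.
    offline: was online last poll, now absent from the poll or reported not online."""
    alerts: list[tuple[str, str, str]] = []
    state: dict[str, ClientState] = {}
    for c in poll:
        mac = c["mac"].lower()  # normalise case so a known device is never re-flagged as new
        cur = ClientState(c.get("hostname", "?"), int(c["vlan"]), bool(c.get("online", False)))
        prev = known.get(mac)
        if prev is None:
            alerts.append(("new_client", mac, f"{cur.hostname} on VLAN {cur.vlan}"))
        else:
            if prev.vlan != cur.vlan:
                alerts.append(("vlan_change", mac, f"VLAN {prev.vlan} -> {cur.vlan}"))
            if prev.online and not cur.online:
                alerts.append(("offline", mac, f"{cur.hostname} reported offline"))
        state[mac] = cur
    for mac, prev in known.items():  # devices that vanished from the poll entirely
        if mac not in state:
            if prev.online:
                alerts.append(("offline", mac, f"{prev.hostname} missing from poll"))
            state[mac] = ClientState(prev.hostname, prev.vlan, False)
    return state, alerts

# Constructed sample data (not real controller output): stored state plus one fresh poll
KNOWN = {
    "aa:bb:cc:00:00:01": ClientState("pihole", 10, True),
    "aa:bb:cc:00:00:02": ClientState("cam-front", 30, True),
    "aa:bb:cc:00:00:03": ClientState("kid-tablet", 40, False),
}
POLL = [
    {"mac": "AA:BB:CC:00:00:01", "hostname": "pihole", "vlan": 10, "online": True},
    {"mac": "aa:bb:cc:00:00:03", "hostname": "kid-tablet", "vlan": 10, "online": True},  # left VLAN 40
    {"mac": "aa:bb:cc:00:00:09", "hostname": "unknown", "vlan": 20, "online": True},  # never seen before
]

def run_sample():
    return diff_poll(KNOWN, POLL)  # expect: vlan_change, new_client, offline (cam-front missing)
```

The returned state is what the next tick persists, so a device flapping between polls produces one `offline` alert per transition rather than one per poll.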

POWER MANAGEMENT — WAKE-ON-LAN

The compute server is normally powered off. It draws significant wattage at idle, and media services are used episodically. The infrastructure node manages its power lifecycle:

> Manual trigger via HMI touchscreen dashboard

> Scheduled power-on (e.g., weekday evenings)

> API webhook trigger (future: media request auto-power)

> Remote trigger via VPN

The HMI dashboard — a 10" touchscreen mounted on the infrastructure node — provides at-a-glance status for all services: DNS query stats, active VPN connections, VLAN utilization, and the big red power button for the compute server.