
graph TD
    %% External side: clients that reach the setup from outside the home network.
    subgraph "Externe Welt"
        %% Anonymous visitor; in this diagram its only edge goes to the VPS firewall (HTTPS to the auth hostname).
        Internet_User["Internet-Nutzer"]
        %% The owner's workstation on a foreign network (café); it connects to the WireGuard server as a road-warrior peer.
        Workstation_Remote["Ihr Arbeitsrechner <br><i>(im Café)</i>"]
    end

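    %% Public VPS: the internet-facing part of the setup.
    subgraph "Cloud-Infrastruktur (IONOS VPS)"
        direction LR
        subgraph "Docker auf VPS"
            %% network_mode: host places the container in the host's network namespace, so Docker's
            %% network isolation and port publishing do not apply; the host and provider firewalls limit exposure.
            WG_Server["WireGuard Server <br><i>Container (network_mode: host)</i>"]
            %% Public reverse proxy; the only upstream drawn for it in this diagram is Authentik, reached through the tunnel.
            Traefik_External["Traefik Proxy (Extern) <br><i>Container</i>"]
        end
        %% Inbound allow-list as labelled: UDP 51820 (WireGuard) and TCP 80/443 (HTTP/HTTPS).
        %% NOTE(review): confirm that nothing else (e.g. SSH or other container ports) is reachable from the internet.
        VPS_Firewall["IONOS Firewall <br><i>Offen: UDP 51820, TCP 80/443</i>"]
        %% Plain URL as the edge label: Markdown link syntax is not interpreted in a normal quoted label and would be drawn literally.
        %% NOTE(review): this edge sits inside the cloud subgraph although Internet_User is declared under "Externe Welt";
        %% check that the node renders in the intended subgraph.
        Internet_User --"https://auth.ihredomain.de"--> VPS_Firewall --> Traefik_External
    end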

    %% Homelab on a Proxmox host. No edge in this diagram leads from the internet to these nodes directly;
    %% the external path arrives through the WireGuard tunnel that ends on LXC 105.
    subgraph "Homelab-Infrastruktur (Proxmox)"
        direction LR
        subgraph PVE ["Proxmox Host (pve)"]
            %% Main Docker VM: internal reverse proxy, DNS, identity stack and management UI.
            subgraph "VM 100: docker-host"
                %% Entry point for LAN clients (see the internal access path in the connections section).
                Traefik_Internal["Traefik Proxy (Intern)"]
                %% Answers LAN DNS queries and rewrites *.int.domain.de (split DNS).
                AdGuard["AdGuard Home <br><i>DNS-Rewrites für *.int.domain.de</i>"]
                %% Identity stack; the only homelab service the external Traefik forwards to in this diagram.
                Authentik["Authentik & OpenLDAP Stack"]
                %% Only reachable via the internal proxy in this diagram.
                %% NOTE(review): Portainer typically manages the Docker daemon of its host, so keep it off the external route and behind authentication.
                Portainer["Portainer"]
                %% Planned documentation site (label: "zukünftig" = future).
                Docs["Doku-Website (zukünftig)"]
            end
            %% No edges are drawn for Wings or Home Assistant, so their exposure cannot be read from this diagram.
            subgraph "VM 101: pelican-node"
                Wings["Pelican Wings Daemon"]
            end
            subgraph "VM 103: home-assistant"
                HA["Home Assistant OS"]
            end
            %% File server container; its storage comes from the host (see the storage edge in the connections section).
            subgraph LXC_Samba ["LXC 104: fileserver"]
                Samba["Samba-Dienst"]
            end
            %% Homelab end of the site-to-site tunnel to the VPS.
            %% NOTE(review): as a gateway this container presumably forwards between tunnel and LAN. Limiting that forwarding
            %% (firewall rules here, AllowedIPs on the peers) to the services the VPS must reach bounds what a compromised VPS could access.
            subgraph "LXC 105: gateway"
                WG_Client["WireGuard Client <br><i>(Site-to-Site Gateway)</i><br>IP: 192.168.10.2"]
            end
        end
    end

    %% Devices on the home LAN; they use the internal access path (AdGuard DNS, then the internal Traefik).
    subgraph "Lokale Netzwerk-Geräte (LAN)"
        Workstation_Local["Ihr Arbeitsrechner <br><i>(zu Hause)</i>"]
    end

    %% === Connections ===

    %% WireGuard tunnel
    %% Bidirectional site-to-site link between the VPS and the homelab gateway (LXC 105).
    WG_Server <== "WireGuard Tunnel\n(UDP 51820)" ==> WG_Client
    %% The remote workstation terminates its VPN on the VPS, not on the homelab directly.
    %% NOTE(review): traffic from it to the homelab presumably continues over the site-to-site tunnel; confirm the routing and the allowed ranges per peer.
    Workstation_Remote --"Road Warrior VPN"--> WG_Server

    %% External access path
    %% Label: "forwards through the tunnel". Authentik is the only target drawn for the public proxy.
    %% NOTE(review): the diagram does not show where TLS terminates or which routes the external Traefik is allowed to serve.
    Traefik_External --"leitet weiter durch Tunnel"--> Authentik

    %% Internal access path (split DNS)
    %% Steps 1-3: the LAN client asks AdGuard, receives the answer, then connects to the internal Traefik.
    Workstation_Local --"1. DNS-Anfrage"--> AdGuard
    AdGuard --"2. Antwort"--> Workstation_Local
    Workstation_Local --"3. Zugriff"--> Traefik_Internal
    %% Label: "forwards to". Portainer and the docs site are only published through the internal proxy here.
    Traefik_Internal --"leitet weiter an"--> Portainer
    Traefik_Internal --"leitet weiter an"--> Docs

    %% Storage connection - corrected version
    %% The edge joins the two subgraphs (LXC 104 and the Proxmox host), not individual nodes.
    %% NOTE(review): a bind mount gives the container direct access to a host path; confirm it is limited to the share data and that the container runs unprivileged.
    LXC_Samba -- "Bind-Mount zu ZFS-Pool" --> PVE

    %% Styling
    %% Two colour classes separate the trust zones: "vps" for nodes on the public VPS, "homelab" for nodes on the Proxmox host.
    classDef vps fill:#cffafe,stroke:#0891b2,stroke-width:2px;
    classDef homelab fill:#e0e7ff,stroke:#4338ca,stroke-width:2px;
    %% Internet_User and both workstation nodes are not assigned a class and keep the default style.
    class WG_Server,Traefik_External,VPS_Firewall vps;
    class Traefik_Internal,AdGuard,Authentik,Portainer,Docs,Wings,HA,Samba,WG_Client homelab;