docs...

Signed-off-by: Alex A. Naanou <alex.nanou@gmail.com>

README.md

@@ -28,7 +28,8 @@ Ansible version will be implemented next as a direct comparison._
 
 ## Architecture
 
-Goals:
+### Goals
+
 - Separate concerns  
   Preferably one service/role per CT
 - Keep things as light as possible  
@@ -77,12 +78,35 @@ Goals:
   +---------------------------------------------------------------+  
 ```
 
-XXX
+The system defines two networks:
+- LAN  
+  Hosts all the service CT's (`*.srv`)
+- ADMIN  
+  Used for administration (`*.adm`)
 
+The ADMIN network is connected to the admin port.
 
-### Services
+Both networks are provided DNS and DHCP services by the `ns` CT.
 
-XXX
+Services on both networks are connected to the outside world (WAN) via 
+a NAT router implemented by the `gate` CT (`iptables`).
+
+The `gate` CT also implements a reverse proxy ([`traefik`](https://traefik.io/traefik/)), 
+routing requests from the WAN (`$WAN_IP`) to appropriate service CT's on 
+the LAN.
+
+Services expose their administration interfaces only on the ADMIN network
+when possible.
+
+The host Proxmox (`pve.adm`) is only accessible through the ADMIN network.
+
+The `gate` and `ns` CT's are only accessible for administration from the 
+host (i.e. via `lxc-attach ..`).
+
+Three ways of access to the ADMIN network are provided:
+- `ssh` service (CT) via the `gate` reverse proxy
+- `wireguard` VPN (CT) via `gate` reverse proxy
+- `ssh` service (CT) via the direct `$WAN_SSH_IP` (fail-safe)
 
 
 
@@ -92,11 +116,13 @@ XXX
 
 Install Proxmox and connect it to your device/network.
 
+
+#### Notes
+
 This setup will use three IP addresses:
-1. IP address used for setup only, this is the static (usually) IP 
+1. The static (usually) IP initially assigned to Proxmox on install. This 
-  initially assigned to Proxmox on install and it will not be used after 
+  will not be used after setup is done,
-  setup is done,
+2. WAN IP address to be used for the main set of applications, this is 
-2. WAN IP adress to be used for the main set of applications, this is 
   the address that all the requests will be routed from to various 
   services internally,
 3. Fail-safe ssh IP address, this is the connection used for recovery 

config.global.example

@@ -23,8 +23,6 @@
 # Usually this is the default bridge created in Proxmox, so there is no 
 # need to touch this.
 BOOTSTRAP_BRIDGE=0
-# XXX
-#BOOTSTRAP_PORT=none
 
 
 # CT interface bridge configuration.
@@ -43,7 +41,6 @@ BOOTSTRAP_BRIDGE=0
 #	ADMIN_BRIDGE=3
 #	LAN_BRIDGE=10
 #
-# XXX revise numbering...
 ADMIN_BRIDGE=_admin
 WAN_BRIDGE=_wan
 LAN_BRIDGE=_lan

host/make.sh

@@ -38,7 +38,9 @@ SOFTWARE=(
 
 INTERFACES=/etc/network/interfaces
 
-BRIDGES_TPL=bridges.tpl
+BOOTSTRAP_PORT=${BOOTSTRAP_PORT:-none}
+
+BRIDGES_TPL=${BRIDGES_TPL:-bridges.tpl}
 
 # XXX
 #readVars