Platform overview¶
OT sensor pipeline live. All nodes on flat LAN. No DMZ yet.
```mermaid
graph LR
subgraph OT["OT zone 1 — basement"]
ESP32["caneast-c1-ot1-esp1\nESP32 :229"]
MQTT["caneast-c1-mqtt1\nMosquitto :1883"]
end
subgraph NODE2["caneast-c1-node2"]
TEL["Telegraf"]
INFL["InfluxDB\n:8086"]
GRAF["Grafana\n:3002"]
BOT["SentinelBot\nTelegram"]
end
ESP32 -->|"caneast/ot1/esp1/+"| MQTT
MQTT -->|subscribe| TEL
TEL -->|write| INFL
INFL -->|datasource| GRAF
GRAF -->|alert| BOT
```
DMZ introduced. Infisical live. Ansible managing nodes. OPNsense rules pending.
```mermaid
graph TB
BELL["ISP gateway\n192.168.2.1"]
subgraph FW["caneast-c1-fw1 — OPNsense KVM on caneast-c1-node3"]
WAN["WAN\n.224"]
LAN["LAN\ncaneast-c1-fw1"]
MGT["MGT\ncaneast-c1-fw1"]
ICT["ICT\ncaneast-c1-fw1"]
end
subgraph DMZ["DMZ zone"]
JMP["caneast-c1-jmp1\nJump box"]
end
subgraph IT["IT layer — LAN"]
NODE2["caneast-c1-node2\n.149\nDocker/Portainer"]
NODE3["caneast-c1-node3\n.237\nKVM/Infisical"]
AW["CanEast AI Node\n.10\nOllama/Qwen3:4b"]
INF["Infisical\n:8443"]
end
subgraph OT["OT zone 1"]
ESP32["caneast-c1-ot1-esp1\n.229"]
MQTT1["caneast-c1-mqtt1\n.228"]
end
BELL --> WAN
WAN --> LAN
WAN --> MGT
LAN --> JMP
MGT --> NODE2
MGT --> NODE3
NODE3 --> INF
NODE2 --> INF
ESP32 -->|MQTT| MQTT1
```
k3s cluster, Terraform, AWX, ArgoCD, full CI/CD pipelines, Conpot honeypot, Wazuh SIEM.
```mermaid
graph TB
ADO["Azure DevOps\nCI/CD pipelines"]
INF["Infisical\ncaneast-c1-node3:8443"]
TF["Terraform\nAzure + DNS"]
PERIES["peries.ca\nCloudflare"]
ARGO["ArgoCD\nGitOps controller"]
subgraph K3S["k3s cluster"]
SERVER["caneast-c1-node3\ncontrol plane"]
AGENT["caneast-c1-node2\nworker"]
AWX["AWX\narchon-platform ns"]
WAZUH["Wazuh\nSIEM workload"]
end
subgraph DMZ["DMZ zone"]
JMP["caneast-c1-jmp1\nJump box"]
CONPOT["Conpot\nICS/OT honeypot\nModbus/S7 PLC sim"]
end
subgraph NODES["Bare metal nodes"]
NODE2["caneast-c1-node2\n.149"]
NODE3["caneast-c1-node3\n.237"]
NODE1["caneast-c1-node1\nRPi4"]
end
ADO -->|"IT: lint → plan → scan → trigger"| AWX
ADO -->|run| TF
AWX -->|provision| K3S
INF -->|inject secrets| K3S
TF -->|manage DNS| PERIES
ARGO -->|watch repos| ADO
ARGO -->|sync manifests| K3S
NODE2 -->|logs| WAZUH
NODE3 -->|logs| WAZUH
NODE1 -->|logs| WAZUH
CONPOT -->|attack patterns| WAZUH
```
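The three phases above draw the data flows (phase 1 on a flat LAN, phase 2 and 3 behind OPNsense), but the page leaves the OPNsense rule set pending. The check a practitioner wants at this point is the diagrams' arrows written down as an explicit default-deny flow list, with helpers that report which connections cross a zone boundary (the list the firewall rules have to cover) and whether a proposed zone-to-zone rule admits more host pairs than the architecture needs. This is an added example, not the platform's own code or rule set. The hostnames and the ports 1883, 8086 and 8443 are the page's; `caneast-ai`, `wazuh`, `argocd`, `conpot` and `internet` are placeholder names, node1's zone and the ports 443 (Telegram, Azure DevOps) and 1514 (Wazuh agent) are assumptions, and the Telegraf, InfluxDB and Grafana hops stay on node2 so they are left out.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # host that opens the TCP connection
    dst: str        # host that listens
    port: int
    note: str = ""


# Zone of each host, from the subgraphs in the diagrams above.
# Placeholder names (assumed, not on the page): caneast-ai, wazuh, argocd, conpot, internet.
ZONE = {
    "caneast-c1-ot1-esp1": "OT",
    "caneast-c1-mqtt1": "OT",
    "caneast-c1-node2": "IT",
    "caneast-c1-node3": "IT",
    "caneast-c1-node1": "IT",   # RPi4; its zone is not drawn, assumed IT
    "caneast-ai": "IT",         # "CanEast AI Node .10"
    "wazuh": "IT",              # k3s workload on node2/node3
    "argocd": "IT",             # k3s workload on node2/node3
    "caneast-c1-jmp1": "DMZ",
    "conpot": "DMZ",
    "internet": "WAN",
}

# Every arrow in the diagrams that is a network connection, written client -> server.
# Ports 1883 and 8443 are from the page; 443 and 1514 are assumed defaults.
ALLOW = (
    Flow("caneast-c1-ot1-esp1", "caneast-c1-mqtt1", 1883, "ESP32 publishes caneast/ot1/esp1/+"),
    Flow("caneast-c1-node2", "caneast-c1-mqtt1", 1883, "Telegraf subscribes: IT opens a socket into OT"),
    Flow("caneast-c1-node2", "caneast-c1-node3", 8443, "Infisical secrets"),
    Flow("caneast-c1-node2", "internet", 443, "Grafana alert -> Telegram"),
    Flow("argocd", "internet", 443, "ArgoCD watches Azure DevOps repos"),
    Flow("caneast-c1-node1", "wazuh", 1514, "Wazuh agent logs"),
    Flow("caneast-c1-node2", "wazuh", 1514, "Wazuh agent logs"),
    Flow("caneast-c1-node3", "wazuh", 1514, "Wazuh agent logs"),
    Flow("conpot", "wazuh", 1514, "honeypot events: DMZ opens a socket into IT"),
)
# Telegraf -> InfluxDB -> Grafana stay on node2 and never cross the firewall;
# the ADO -> AWX trigger path is not given on the page, so it is not modelled.


def decide(src: str, dst: str, port: int) -> tuple[bool, str]:
    """Default deny: allowed only if a diagrammed flow matches client, server and port."""
    for f in ALLOW:
        if (f.src, f.dst, f.port) == (src, dst, port):
            return True, f.note
    return False, f"no flow {src} -> {dst}:{port} in the diagrams"


def cross_zone() -> list[tuple[str, str, Flow]]:
    """Flows whose client and server sit in different zones: the firewall's allow list."""
    return [(ZONE[f.src], ZONE[f.dst], f) for f in ALLOW if ZONE[f.src] != ZONE[f.dst]]


def inbound_to(zone: str) -> list[Flow]:
    """Connections another zone opens into `zone`; each one is a hole in that zone."""
    return [f for _, dz, f in cross_zone() if dz == zone]


def over_broad(src_zone: str, dst_zone: str, port: int | None = None) -> list[tuple[str, str]]:
    """Host pairs a zone-to-zone rule would admit that no diagrammed flow needs.

    Review a proposed OPNsense rule with this before it lands: an empty list means
    the rule is as tight as the architecture; anything else is excess reach.
    port=None models a rule that allows any port.
    """
    needed = {(f.src, f.dst) for f in ALLOW if port in (None, f.port)}
    return [(s, d) for s in ZONE for d in ZONE
            if s != d and ZONE[s] == src_zone and ZONE[d] == dst_zone and (s, d) not in needed]


if __name__ == "__main__":
    # What the flat LAN of phase 1 permitted and the diagrams never needed.
    print(decide("caneast-c1-ot1-esp1", "caneast-c1-node2", 8086))
    for sz, dz, f in cross_zone():
        print(f"{sz:>3} -> {dz:<3} {f.src} -> {f.dst}:{f.port}  # {f.note}")
    print("holes into OT:", [(f.src, f.port) for f in inbound_to("OT")])
    print("holes into IT:", [(f.src, f.port) for f in inbound_to("IT")])
    print("excess pairs from 'allow IT -> OT tcp/1883':", len(over_broad("IT", "OT", 1883)))
```

Two things the report makes visible. Because Telegraf on node2 subscribes to the broker inside OT zone 1, the only hole into OT is an IT-initiated connection to mqtt1:1883; that rule has to be pinned to node2 as the source, since a zone-level "IT to OT tcp/1883" rule admits eleven other host pairs under this model. And Conpot reporting into Wazuh is the only DMZ-initiated connection into IT, which is exactly the path a compromised honeypot would try to use, so it should be scoped to that one host and port and its payloads handled as untrusted input on the SIEM side.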