# Diagram Overview

Status as of: 2026-05-26

The following diagrams describe the production state of the Lanstyle AI Suite after the VLAN70 canary. The old IPs remain active for rollback; the AI-relevant NPM backends use direct-IP upstreams in VLAN70.
## High-Level Architecture

```mermaid
flowchart TB
subgraph EXT["Externe und Benutzer-Frontends"]
OC["OpenCode\nlokal/extern"]
OWUI["Open WebUI\nhttps://ai.lanstyle.de"]
USER["Browser / Mitarbeiter"]
end
subgraph EDGE["Edge und Control Plane"]
NPM["Nginx Proxy Manager\n10.0.0.5"]
UDNS["UniFi DNS Authority\nUDM Pro"]
VW["Vaultwarden\nSecrets Source of Truth"]
end
subgraph VLAN70["VLAN70 LS_AI_Services\n10.222.70.0/24"]
OWUI70["Open WebUI\n10.222.70.10:8080"]
OLLAMA["Ollama / GB10\n10.222.70.11:11434"]
SEARX["SearXNG\n10.222.70.12:8888"]
OT["Open Terminal\n10.222.70.13:8001-8004"]
subgraph AR["Agent Runtime LXC 259\n10.222.70.20"]
LLM["LiteLLM\n:4000"]
MCPH["MCPHub\n:3000"]
TOOLS["Lanstyle Tools API\n:3010"]
QDRANT["Qdrant\n:6333"]
PG["PostgreSQL\ninternal"]
REDIS["Redis\ninternal"]
RAGD["RAG Collections\nlanstyle_docs\nlanstyle_inventory"]
end
end
subgraph INFRA["Interne Infrastrukturquellen"]
NB["NetBox\nIPAM/DCIM"]
GITEA["Gitea\nGit/Docs/Prompts"]
MKDOCS["MkDocs Wiki"]
end
USER --> NPM
OC --> NPM
NPM --> OWUI70
NPM --> LLM
NPM --> MCPH
NPM --> SEARX
NPM --> OLLAMA
OWUI --> NPM
OWUI70 --> LLM
OWUI70 --> MCPH
OWUI70 --> OT
OWUI70 --> SEARX
LLM --> OLLAMA
LLM --> PG
LLM --> REDIS
MCPH --> TOOLS
TOOLS --> NB
QDRANT --- RAGD
LLM --> QDRANT
TOOLS --> QDRANT
GITEA --> MKDOCS
UDNS -. "DNS Authority" .-> NPM
VW -. "Secrets nur aus Vaultwarden" .-> AR
```
## Runtime / Request Flow

```mermaid
flowchart LR
subgraph CLIENTS["Clients"]
OC["OpenCode"]
OW["Open WebUI"]
end
subgraph PROXY["Reverse Proxy"]
NPM["NPM\nDirect-IP Upstreams"]
end
subgraph RUNTIME["Agent Runtime"]
LIT["LiteLLM\nModel Router"]
MCP["MCPHub"]
API["Lanstyle Tools API\nOpenAPI facade"]
QD["Qdrant"]
PG["PostgreSQL"]
RS["Redis"]
end
subgraph TOOLS["Tooling"]
ROT["Read-only MCPs\nNetBox/NPM/Proxmox/Gitea"]
POT["Plan-only MCPs\nChange proposals"]
TERM["Open Terminal\nUser containers"]
SEARCH["SearXNG"]
end
subgraph INFER["Inference"]
OLL["Ollama / GB10"]
MODELS["gpt-oss:120b\nqwen3-coder-next\nqwen3.6:35b-a3b\nnomic-embed-text"]
end
OC -- "OpenAI API / streaming" --> NPM --> LIT
OW -- "OpenAI-compatible provider" --> NPM
OW -- "Toolserver / UI tools" --> MCP
OW -- "Terminal sessions" --> TERM
OW -- "Web search" --> SEARCH
LIT -- "chat completions / streaming" --> OLL --> MODELS
LIT -- "embeddings" --> OLL
LIT --> PG
LIT --> RS
MCP --> ROT
MCP --> POT
MCP --> API
API -- "inventory/docs context" --> QD
ROT -- "read-only discovery" --> QD
```
## Security / Trust Boundaries

```mermaid
flowchart TB
subgraph INTERNET["Internet / externe Clients"]
EXTUSER["OpenCode extern\nBrowser Clients"]
end
subgraph EDGE["Edge Trust Boundary"]
NPM["NPM\nTLS + Access Lists"]
end
subgraph INTERNAL["Interne Vertrauenszone"]
VW["Vaultwarden\nSecrets"]
UDNS["UniFi DNS\nAuthoritative"]
MGMT["Admin/Management\nSSH/API mit Freigabe"]
end
subgraph VLAN70["AI Services Boundary VLAN70"]
OW["Open WebUI"]
LIT["LiteLLM"]
MCP["MCPHub"]
API["Tools API"]
TERM["Open Terminal"]
QD["Qdrant"]
OLL["Ollama/GB10"]
end
subgraph CAP["Tool Capability Boundary"]
RO["Read-only MCPs\nDiscovery only"]
PO["Plan-only MCPs\nNo live writes"]
NEVER["No autonomous writes\nAD/Exchange/Intune/Proxmox/NetBox/NPM"]
end
EXTUSER --> NPM
NPM -- "nur freigegebene FQDNs" --> OW
NPM -- "API-Key / Access List" --> LIT
NPM -- "Access List / Auth" --> MCP
OW --> LIT
OW --> TERM
LIT --> OLL
MCP --> RO
MCP --> PO
PO -. "requires approval_id schema before live writes" .-> NEVER
API --> RO
VW -. "keine Secrets in Git/Wiki" .-> LIT
VW -.-> MCP
UDNS -. "DNS writes only here" .-> NPM
MGMT -. "Changeplan + Backup" .-> VLAN70
QD -. "interne RAG-Daten" .-> API
```
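The tool capability boundary in the diagram (read-only MCPs discover only, plan-only MCPs emit proposals only, no autonomous writes to AD/Exchange/Intune/Proxmox/NetBox/NPM, and an `approval_id` schema before any live write) is easiest to reason about as a default-deny gate in front of MCPHub. The following is an added illustrative example, not code from the Lanstyle project: the tool names, the tool-to-class registry, the `mode` field and the `APR-YYYY-NNNN` approval_id format are assumptions made for this example, not the project's real schema.

```python
"""Capability-boundary gate for MCP tool calls.

Added, illustrative policy check modelled on the 'Tool Capability Boundary'
diagram: read-only MCPs may only discover, plan-only MCPs may only emit
change proposals, and a live write is refused unless it carries a valid
approval identifier. Tool names, the registry, the 'mode' field and the
approval_id format are assumptions for this example, not the project's schema.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ToolClass(Enum):
    READ_ONLY = "read-only"   # discovery only
    PLAN_ONLY = "plan-only"   # change proposals, no live writes


# Systems for which the diagram forbids any autonomous write.
PROTECTED_SYSTEMS = frozenset({"ad", "exchange", "intune", "proxmox", "netbox", "npm"})

# Hypothetical tool registry: tool name -> (class, target system).
TOOL_REGISTRY = {
    "netbox.list_prefixes": (ToolClass.READ_ONLY, "netbox"),
    "npm.get_proxy_hosts": (ToolClass.READ_ONLY, "npm"),
    "netbox.propose_ip_change": (ToolClass.PLAN_ONLY, "netbox"),
    "proxmox.propose_vm_resize": (ToolClass.PLAN_ONLY, "proxmox"),
}

# Every registered target must be on the protected list, so that an
# unapproved write is exactly the "autonomous write" the diagram forbids.
assert all(system in PROTECTED_SYSTEMS for _, system in TOOL_REGISTRY.values())

# Assumed approval_id schema: a human-issued ticket such as "APR-2026-0042".
APPROVAL_ID_RE = re.compile(r"^APR-\d{4}-\d{4}$")


@dataclass
class ToolCall:
    tool: str
    mode: str                          # "read", "plan" or "write" (assumed field)
    approval_id: Optional[str] = None  # present only on approved live writes


@dataclass
class Decision:
    allowed: bool
    reason: str


def has_valid_approval(call: ToolCall) -> bool:
    """True only if approval_id is present and matches the assumed schema."""
    return bool(call.approval_id) and APPROVAL_ID_RE.match(call.approval_id) is not None


def evaluate(call: ToolCall) -> Decision:
    """Default-deny gate: anything not explicitly permitted below is refused."""
    entry = TOOL_REGISTRY.get(call.tool)
    if entry is None:
        return Decision(False, f"unknown tool {call.tool!r}")
    tool_class, system = entry

    if call.mode == "read":
        # Both classes may read; this is the discovery path in the diagram.
        return Decision(True, "read-only discovery")

    if call.mode == "plan":
        if tool_class is ToolClass.PLAN_ONLY:
            return Decision(True, "change proposal only, nothing is applied")
        return Decision(False, f"{call.tool} is read-only and cannot produce change plans")

    if call.mode == "write":
        if tool_class is not ToolClass.PLAN_ONLY:
            return Decision(False, f"{call.tool} has no write capability")
        if not has_valid_approval(call):
            # The "no autonomous writes" rule: no approval_id, no live write.
            return Decision(False, f"live write to {system} requires a valid approval_id")
        return Decision(True, f"live write to {system} under approval {call.approval_id}")

    return Decision(False, f"unknown mode {call.mode!r}")


if __name__ == "__main__":
    for c in (ToolCall("netbox.list_prefixes", "read"),
              ToolCall("netbox.propose_ip_change", "write"),
              ToolCall("netbox.propose_ip_change", "write", "APR-2026-0042")):
        print(c.tool, c.mode, evaluate(c))
```

The gate deliberately treats an unknown tool and an unknown mode the same way as a forbidden one; whether an approved write is then executed by the MCP or handed to the operator from the "Admin/Management" zone is outside this example.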
## VLAN70 Migration State

```mermaid
flowchart TB
subgraph OLD["Historische Altpfade / Rollback-Kontext"]
OWOLD["Open WebUI\n10.0.0.250:8080"]
OLLOLD["Ollama\n10.222.70.11:11434\n10.0.14.43:11434"]
SXOLD["SearXNG\n10.0.1.240:8888"]
OTOLD["Open Terminal historisch\n10.0.1.253:8001-8004"]
AROLD["Agent Runtime\n10.0.1.243"]
end
subgraph NEW["Aktive VLAN70-Ziele"]
OWNEW["Open WebUI\n10.222.70.10:8080"]
OLLNEW["Ollama/GB10\n10.222.70.11:11434"]
SXNEW["SearXNG\n10.222.70.12:8888"]
OTNEW["Open Terminal\n10.222.70.13:8001-8004"]
ARNEW["Agent Runtime\n10.222.70.20\n3000/3010/4000/6333"]
end
subgraph NPMUP["Aktive NPM Direct-IP-Upstreams"]
AI["ai.lanstyle.de\n-> 10.222.70.10:8080"]
OLLD["ollama.lanstyle.de\n-> 10.222.70.11:11434"]
SEARCH["search.lanstyle.de\n-> 10.222.70.12:8888"]
LLM["litellm.lanstyle.de\n-> 10.222.70.20:4000"]
HUB["mcphub.lanstyle.de\n-> 10.222.70.20:3000"]
end
AI --> OWNEW
OLLD --> OLLNEW
SEARCH --> SXNEW
LLM --> ARNEW
HUB --> ARNEW
OWNEW -. "dual-homed rollback" .-> OWOLD
OLLNEW -. "dual-homed rollback" .-> OLLOLD
SXNEW -. "dual-homed rollback" .-> SXOLD
OTNEW -. "dual-homed rollback" .-> OTOLD
ARNEW -. "dual-homed rollback" .-> AROLD
OBS["Beobachtungsphase\nkeine Alt-IP-Entfernung\nkeine Deny-Regeln"] --> NPMUP
```
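During the observation phase the legacy IPs stay reachable and no deny rules exist, so nothing stops a proxy host from silently being pointed back at an old address. The following added example (not part of the page or the project's tooling) audits an exported NPM upstream table against the mapping documented in the diagram: the expected FQDN-to-upstream table and the legacy IP list are taken from the diagram, while the `ip:port` export format, the function names and the sample "actual" table are constructed assumptions.

```python
"""Drift check for the NPM direct-IP upstreams of the AI hosts.

Added example: verifies that every documented proxy host still points into
VLAN70 (10.222.70.0/24) and not at a legacy address kept only for rollback.
Expected mapping and legacy IPs come from the migration diagram; the
'ip:port' export format and the sample table are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

VLAN70 = ipaddress.ip_network("10.222.70.0/24")

# Documented FQDN -> (upstream IP, port), from the active NPM direct-IP upstreams.
EXPECTED_UPSTREAMS: Dict[str, Tuple[str, int]] = {
    "ai.lanstyle.de": ("10.222.70.10", 8080),
    "ollama.lanstyle.de": ("10.222.70.11", 11434),
    "search.lanstyle.de": ("10.222.70.12", 8888),
    "litellm.lanstyle.de": ("10.222.70.20", 4000),
    "mcphub.lanstyle.de": ("10.222.70.20", 3000),
}

# Legacy addresses: still reachable for rollback, but no active proxy host may use them.
LEGACY_IPS = frozenset({"10.0.0.250", "10.0.14.43", "10.0.1.240", "10.0.1.253", "10.0.1.243"})


def parse_upstream(value: str) -> Tuple[str, int]:
    """Parse an 'ipv4:port' string (assumed export format) into (ip, port)."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"malformed upstream {value!r}")
    # ip_address() raises ValueError for hostnames, which a direct-IP upstream must not be.
    if ipaddress.ip_address(host).version != 4:
        raise ValueError(f"only IPv4 upstreams are expected, got {host!r}")
    return host, int(port)


def audit_upstreams(actual: Dict[str, str]) -> List[str]:
    """Return one finding per deviation; an empty list means NPM matches the documented state."""
    findings: List[str] = []
    for fqdn, (exp_ip, exp_port) in EXPECTED_UPSTREAMS.items():
        if fqdn not in actual:
            findings.append(f"{fqdn}: proxy host missing")
            continue
        try:
            ip, port = parse_upstream(actual[fqdn])
        except ValueError as exc:
            findings.append(f"{fqdn}: {exc}")
            continue
        if ip in LEGACY_IPS:
            findings.append(f"{fqdn}: still points at legacy IP {ip}")
        elif ipaddress.ip_address(ip) not in VLAN70:
            findings.append(f"{fqdn}: {ip} is outside VLAN70")
        elif (ip, port) != (exp_ip, exp_port):
            findings.append(f"{fqdn}: got {ip}:{port}, expected {exp_ip}:{exp_port}")
    # Proxy hosts the diagram does not know about deserve a look as well.
    for fqdn in sorted(actual.keys() - EXPECTED_UPSTREAMS.keys()):
        findings.append(f"{fqdn}: proxy host not in the documented upstream list")
    return findings


# Constructed sample export: one host drifted back to the old Open WebUI
# address and the MCPHub proxy host is missing entirely.
SAMPLE_ACTUAL = {
    "ai.lanstyle.de": "10.0.0.250:8080",
    "ollama.lanstyle.de": "10.222.70.11:11434",
    "search.lanstyle.de": "10.222.70.12:8888",
    "litellm.lanstyle.de": "10.222.70.20:4000",
}

if __name__ == "__main__":
    for line in audit_upstreams(SAMPLE_ACTUAL) or ["no drift detected"]:
        print(line)
```

Run against a real export it gives one line per deviation, which makes it a natural candidate for a scheduled check while the old IPs are still alive; once the legacy addresses are removed, the `LEGACY_IPS` branch becomes redundant and the VLAN70 membership check alone is enough.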
## LiteLLM / Model Routing

```mermaid
flowchart LR
subgraph FRONT["Frontends"]
OC["OpenCode"]
OW["Open WebUI"]
end
subgraph LIT["LiteLLM Aliase"]
STABLE["lanstyle/agent-stable\nProduktiv-Default"]
FAST["lanstyle/fast\nschnelle Aufgaben"]
ARCH["lanstyle/architect\nPlanung/Review"]
AGENT["lanstyle/agent\nexperimental"]
EMB["lanstyle/embed\nEmbeddings"]
end
subgraph OLL["Ollama / GB10 Modelle"]
QCN["qwen3-coder-next:latest"]
Q35["qwen3.5:latest"]
GPT["gpt-oss:120b"]
Q36["qwen3.6:35b-a3b"]
NOMIC["nomic-embed-text:latest"]
end
OC --> STABLE
OW --> STABLE
OC --> ARCH
OW --> FAST
STABLE --> QCN
FAST --> QCN
ARCH --> GPT
AGENT --> Q36
EMB --> NOMIC
NOTE["Empfehlung:\nagent-stable als Default\nagent experimentell wegen finish=length/Leercontent beobachten"] -.-> AGENT
```