diff --git a/docs/monitoring.md b/docs/monitoring.md
index b58c657..e296a50 100644
--- a/docs/monitoring.md
+++ b/docs/monitoring.md
@@ -2,27 +2,15 @@
## Stack Overview
-```
- ┌─────────────────────────────────────────────────┐
- │ london-a │
- │ (FreeBSD) │
- │ │
- │ ┌────────────┐ ┌──────────┐ │
- │ │ Prometheus │────────►│ Grafana │ │
- │ │ :9090 │ query │ :3000 │ │
- │ └─────┬──────┘ └──────────┘ │
- │ │ scrape │
- └────────┼────────────────────────────────────────┘
- │
- │ Tailscale
- │
- ┌─────┼──────────────────────────────────┐
- │ │ │
- │ ▼ ▼ ▼ │
- │ node_exporter smartctl plex │
- │ (all hosts) exporter exporter │
- │ (london-b) (london-b) │
- └────────────────────────────────────────┘
+```mermaid
+graph TD
+ subgraph "london-a (FreeBSD)"
+ Prometheus[":9090 Prometheus"] -->|query| Grafana[":3000 Grafana"]
+ end
+
+ Prometheus -->|scrape over Tailscale| NE["node_exporter
(all hosts) :9100"]
+ Prometheus -->|scrape over Tailscale| SE["smartctl_exporter
(london-b) :9633"]
+ Prometheus -->|scrape over Tailscale| PE["plex_exporter
(london-b)"]
```
Both Prometheus and Grafana are accessible via:
diff --git a/docs/networking.md b/docs/networking.md
index 1565726..ad8139d 100644
--- a/docs/networking.md
+++ b/docs/networking.md
@@ -25,20 +25,29 @@ All inter-server communication uses Tailscale IPs:
### Mesh Diagram
-```
- helsinki-a ◄──────────────────────────► london-b
- ▲ ▲ ▲ ▲
- │ │ │ │
- │ └──────────► london-a ◄──────────┘ │
- │ ▲ │
- │ │ │
- ▼ │ ▼
- nuremberg-a copenhagen-a ◄────► copenhagen-c
+```mermaid
+graph TD
+ HEL["helsinki-a"] <--> LB["london-b"]
+ HEL <--> LA["london-a"]
+ HEL <--> NA["nuremberg-a"]
+ LB <--> LA
+ LB <--> CA["copenhagen-a"]
+ LA <--> CA
+ CA <--> CC["copenhagen-c"]
+ NA <--> CA
+ HEL <--> CA
+ HEL <--> CC
+ LB <--> CC
+ NA <--> LB
+ NA <--> CC
+ NA <--> LA
+ LA <--> CC
- Every node can reach every other node directly.
- Connections shown are illustrative — the mesh is fully connected.
+ style CC stroke-dasharray: 5 5
```
+> Every node can reach every other node directly. The mesh is fully connected.
+
## Physical Networking
### London
@@ -75,28 +84,20 @@ The domain is registered on Hover.com with nameservers pointed to Cloudflare.
### How a request reaches a service
-```
-1. Browser requests radarr.pez.sh
- │
-2. Cloudflare resolves DNS (proxied record → Cloudflare IP)
- │
-3. Cloudflare terminates external TLS, forwards to helsinki-a
- │
-4. Caddy on helsinki-a receives the request
- │
-5. Caddy checks: does this subdomain require auth?
- │
- ├── YES: forward_auth to Authelia (localhost:9091)
- │ │
- │ ├── Authenticated → proceed to step 6
- │ └── Not authenticated → redirect to auth.pez.sh
- │
- └── NO: proceed to step 6
- │
-6. Caddy reverse-proxies to the backend over Tailscale
- (e.g., london-b:7878 for Radarr)
- │
-7. Response flows back: backend → Caddy → Cloudflare → browser
+```mermaid
+graph TD
+ Browser["1. Browser requests radarr.pez.sh"] --> CF
+ CF["2. Cloudflare resolves DNS
(proxied record)"] --> TLS
+ TLS["3. Cloudflare terminates TLS,
forwards to helsinki-a"] --> Caddy
+ Caddy["4. Caddy receives request"] --> AuthCheck{"5. Requires auth?"}
+
+ AuthCheck -->|YES| Authelia["forward_auth → Authelia
(localhost:9091)"]
+ AuthCheck -->|NO| Proxy
+
+ Authelia -->|Authenticated| Proxy["6. Reverse-proxy to backend
over Tailscale
(e.g. london-b:7878)"]
+ Authelia -->|Not authenticated| Redirect["Redirect to auth.pez.sh"]
+
+ Proxy --> Response["7. Response flows back:
backend → Caddy → Cloudflare → browser"]
```
### Public Subdomains