OxyLab Status Board

System	Role	Services	Ansible Managed	Risk	Notes
ged	DMZ server	Apache (reverse proxy for some services) Mail (Postfix, Dovecot) BIND DNS (Primary) DHCP (Primary) Let's Encrypt cert issuance	Yes	High	Single point of failure for mail and primary DNS.
elrond	Bare metal Docker/KVM host	Docker KVM virtual machines BIND DNS (Secondary) DHCP (Secondary) Log aggregation	Yes	Low	Backup for DNS/DHCP; runs key VMs and containers.
oxy-dns1	Temporary DNS update VM	BIND updates during rebuild	Yes	Low	Will be decommissioned once DNS rebuild is complete.
oxypi	Lightweight Docker host	Pi-hole DNS filter Lightweight containers	Yes	Medium	Provides internal ad-blocking; risk if DNS filter goes down.
oxyvm1	Secure CA operations host	SSH Certificate Authority (planned)	Yes	Low	Intended for short-lived, secure signing sessions.
oxynas2	Synology NAS	File storage Backups (Restic target) Media storage	No	Medium	Central storage point; redundancy planning needed.
external-vps	Public-facing VPS	Web hosting (non-active) Uses SSL cert from lab	No	Medium	Relies on lab cert updates; external exposure.