diff --git a/10-systems/networks/pfsense-router.md b/10-systems/networks/pfsense-router.md index 9ee1429..02d4bf2 100644 --- a/10-systems/networks/pfsense-router.md +++ b/10-systems/networks/pfsense-router.md 
@@ -22,4 +22,52 @@ - Firewall and routing point for internal infrastructure. - Part of the path between local infrastructure and services reachable through trusted network paths. -Further details still need to be documented: interfaces, VLANs, firewall rules, port forwards, VPN routes, and DNS behavior. +## Local Network Topology + +The home network currently consists of two local networks implemented through one custom router with multiple network interfaces. + +Each local network goes from the router into a switch and then is distributed through the home. The access layer includes wired TVs, PCs, servers, and Wi-Fi access points. + +### Home LAN + +- Inventory id: `home-lan`. +- CIDR: `192.168.1.0/24`. +- Gateway: `192.168.1.1`. +- Main Wi-Fi SSID: `home`. +- Wi-Fi mode: access points, not a separate routed Wi-Fi network. +- Access points: 2 nodes. +- Mesh mode: enabled for the main Wi-Fi nodes. + +### Home IoT LAN + +- Inventory id: `home-iot-lan`. +- CIDR: `192.168.2.0/24`. +- Gateway: `192.168.2.1`. +- Purpose: service network for smart-home and IoT devices. +- Wi-Fi mode: access points. +- Mesh mode: intentionally disabled. +- IoT Wi-Fi nodes: + - `home_iot_0` + - `home_iot_1` + - `home_iot_2` + +### Current And Planned Policy + +Current policy: + +- full access between `home-lan` and `home-iot-lan`; +- IoT internet access is currently allowed. + +Possible future policy: + +- isolate the two networks from each other; +- cut off the IoT network from the internet. + +## Dual-Homed Smart Home Server + +The smart-home server is present in both networks: + +- `192.168.1.101` on `home-lan`; +- `192.168.2.101` on `home-iot-lan`. + +Further details still need to be documented: exact router OS/configuration, interface names, firewall rules, port forwards, VPN routes, and DNS behavior. diff --git a/10-systems/servers/smart-home-server.md b/10-systems/servers/smart-home-server.md new file mode 100644 index 0000000..a4a299f --- /dev/null 
+++ b/10-systems/servers/smart-home-server.md @@ -0,0 +1,37 @@ +--- +owner: gmikcon +status: active +last_reviewed: 2026-05-10 +review_interval: 90d +confidence: medium +source_of_truth: owner-confirmed-and-nmap-observed +--- + +# Smart Home Server + +The smart-home server is present in both local networks. + +## Addresses + +- Home LAN: `192.168.1.101`. +- Home IoT LAN: `192.168.2.101`. + +## Observed Services + +Observed on `192.168.1.101` during local network discovery: + +- SSH on TCP `22`, OpenSSH 9.6p1 Ubuntu. +- HTTP on TCP `80`, nginx 1.24.0 on Ubuntu. +- HTTPS on TCP `443`, nginx 1.24.0 on Ubuntu. +- rpcbind on TCP `111`. + +## Network Role + +This host bridges the operational smart-home context across: + +- `home-lan` (`192.168.1.0/24`); +- `home-iot-lan` (`192.168.2.0/24`). + +The current policy allows full access between the two local networks. A future policy may isolate the IoT LAN from the home LAN and possibly deny IoT internet access. + +No raw credentials are documented here. diff --git a/40-inventory/endpoints.yml b/40-inventory/endpoints.yml index 8618621..8adcc77 100644 --- a/40-inventory/endpoints.yml +++ b/40-inventory/endpoints.yml 
@@ -77,3 +77,35 @@ docs: ../10-systems/servers/internal-proxy-vps.md last_reviewed: 2026-05-09 source_of_truth: ssh-host + +- id: smart-home-panel-http + name: Smart Home Panel HTTP + type: smart-home-ui + status: active + exposure: local + url: http://192.168.1.101/ + protocol: http + host: 192.168.1.101 + port: 80 + owner_host: smart-home-server + purpose: Smart-home server web endpoint on the home LAN. + auth: required + docs: ../10-systems/servers/smart-home-server.md + last_reviewed: 2026-05-10 + source_of_truth: nmap-observed-and-owner-confirmed + +- id: smart-home-panel-https + name: Smart Home Panel HTTPS + type: smart-home-ui + status: active + exposure: local + url: https://192.168.1.101/ + protocol: https + host: 192.168.1.101 + port: 443 + owner_host: smart-home-server + purpose: Smart-home server HTTPS endpoint on the home LAN. + auth: required + docs: ../10-systems/servers/smart-home-server.md + last_reviewed: 2026-05-10 + source_of_truth: nmap-observed-and-owner-confirmed diff --git a/40-inventory/hosts.yml b/40-inventory/hosts.yml index 4c5fdf8..6272d66 100644 --- a/40-inventory/hosts.yml +++ b/40-inventory/hosts.yml @@ -58,3 +58,23 @@ docs: ../10-systems/servers/internal-proxy-vps.md last_reviewed: 2026-05-09 source_of_truth: ssh-host-and-owner-confirmed + +- id: smart-home-server + name: Smart Home Server + type: server + status: active + environment: production + provider: local + location: home + os: Ubuntu + addresses: + home-lan: + - 192.168.1.101 + home-iot-lan: + - 192.168.2.101 + roles: + - smart-home + - dual-homed-host + docs: ../10-systems/servers/smart-home-server.md + last_reviewed: 2026-05-10 + source_of_truth: owner-confirmed-and-nmap-observed diff --git a/40-inventory/networks.yml b/40-inventory/networks.yml index af9a6dc..02a1ae4 100644 --- a/40-inventory/networks.yml +++ b/40-inventory/networks.yml 
@@ -8,6 +8,56 @@ last_reviewed: 2026-05-09 source_of_truth: documentation-convention +- id: home-lan + name: Home LAN + type: physical-lan + status: active + cidr: 192.168.1.0/24 + gateway: 192.168.1.1 + owner_host: pfsense-router + access_layer: + switches: true + wired_devices: + - TVs + - PCs + - servers + - Wi-Fi access points + wifi: + ssid: home + mode: access-points + mesh: true + node_count: 2 + docs: ../10-systems/networks/pfsense-router.md + last_reviewed: 2026-05-10 + source_of_truth: owner-confirmed + +- id: home-iot-lan + name: Home IoT LAN + type: physical-lan + status: active + cidr: 192.168.2.0/24 + gateway: 192.168.2.1 + owner_host: pfsense-router + purpose: Service network for smart-home and other IoT devices. + access_layer: + switches: true + wifi: + mode: access-points + mesh: false + nodes: + - home_iot_0 + - home_iot_1 + - home_iot_2 + current_policy: + inter_lan_access: full + internet_access: allowed + planned_policy: + inter_lan_access: restricted + internet_access: likely-denied + docs: ../10-systems/networks/pfsense-router.md + last_reviewed: 2026-05-10 + source_of_truth: owner-confirmed + - id: libvirt-default name: default type: libvirt-network diff --git a/90-maintenance/discovery-observations/local-network-scan-2026-05-10.md b/90-maintenance/discovery-observations/local-network-scan-2026-05-10.md new file mode 100644 index 0000000..decffbf --- /dev/null +++ b/90-maintenance/discovery-observations/local-network-scan-2026-05-10.md 
@@ -0,0 +1,67 @@ +--- +owner: gmikcon +status: active +last_reviewed: 2026-05-10 +review_interval: 30d +confidence: medium +source_of_truth: nmap-observed +--- + +# Local Network Scan 2026-05-10 + +This document records observed local network facts. These observations are not automatically canonical inventory records. + +Scan scope: + +- `192.168.1.0/24` + +Scan mode: + +- Host discovery: `nmap -sn 192.168.1.0/24` +- Service sample: `nmap -sV --version-light -T3 --top-ports 50 ...` + +## Active Hosts + +| Address | Name | Notes | +| --- | --- | --- | +| `192.168.1.1` | `pfSense.home.arpa` | Router/firewall. | +| `192.168.1.2` | unknown | Web UI on `80` and `8443`; likely network device or access point. | +| `192.168.1.3` | unknown | Web UI on `80` and `8443`; likely network device or access point. | +| `192.168.1.75` | local workstation | SSH, nginx, MariaDB. | +| `192.168.1.101` | `panel.smarthome.arp` | Smart-home server, SSH/nginx/rpcbind. | +| `192.168.1.130` | known server | HP/libvirt host. | +| `192.168.1.131` | unknown Ubuntu host | SSH/nginx/rpcbind. | +| `192.168.1.150` | unknown Ubuntu host | SSH/nginx/HTTPS. | +| `192.168.1.151` | unknown Ubuntu host | SSH/Apache. Upstream for `gnexus.space`. | +| `192.168.1.152` | unknown Ubuntu host | SSH/Apache/rpcbind. Upstream for `cloud.gnexus.space`. | +| `192.168.1.153` | unknown Ubuntu host | SSH/rpcbind. Upstream for `jellyfin.gnexus.space:8096`. | +| `192.168.1.154` | unknown Ubuntu host | SSH/rpcbind. Upstream for `transmission.gnexus.space:3000`. | +| `192.168.1.155` | unknown Ubuntu host | SSH/Apache. Available upstream for `anicusi.gnexus.space`. | +| `192.168.1.156` | unknown Ubuntu host | SSH/Jetty. Upstream for `git.gnexus.space`. | +| `192.168.1.157` | unknown Ubuntu host | SSH/Apache/rpcbind. Upstream for `files.gnexus.space`. | +| `192.168.1.159` | unknown Ubuntu host | SSH/nginx. | +| `192.168.1.167` | unknown Ubuntu host | SSH/nginx. 
Upstream for `auth.gnexus.space` and available `lytvak.gnexus.space`. | +| `192.168.1.168` | unknown Ubuntu host | SSH/nginx/Uvicorn/Gunicorn. Upstream for `navi.gnexus.space:8000`. | +| `192.168.1.169` | unknown Ubuntu host | SSH/rpcbind. | +| `192.168.1.174` | unknown Ubuntu host | SSH/nginx/Uvicorn/Gunicorn. | +| `192.168.1.191` | unknown Ubuntu host | SSH only in sampled ports. | +| `192.168.1.226` | internal proxy VPS | SSH/nginx. | +| `192.168.1.245` | likely dynamic/IoT | `49152/tcp` tcpwrapped. | +| `192.168.1.251` | likely dynamic/IoT | No open top-50 TCP ports in sample. | + +## Notes + +- TVs, phones, and other household devices should not be promoted to canonical inventory unless they become infrastructure-relevant. +- Addresses on dynamic household devices may change and should be treated as observations only. +- Unknown Ubuntu hosts are good candidates for SSH-based identification before being added to `hosts.yml`. + +## Candidates For Follow-Up + +- `192.168.1.131` +- `192.168.1.150` +- `192.168.1.159` +- `192.168.1.169` +- `192.168.1.174` +- `192.168.1.191` + +No raw credentials are documented here. diff --git a/90-maintenance/documentation-rules.md b/90-maintenance/documentation-rules.md index c66884e..231408c 100644 --- a/90-maintenance/documentation-rules.md +++ b/90-maintenance/documentation-rules.md @@ -61,6 +61,8 @@ Do not create a narrowly specialized inventory type until the same shape appears repeatedly and cannot be represented cleanly by existing broad types. +Discovery scans should first be recorded under `90-maintenance/discovery-observations/` unless the entity is already confirmed as infrastructure-relevant. Household, mobile, TV, and other dynamic devices should normally remain observations instead of canonical inventory records. + Run `GET /validate` before applying or committing documentation changes. A clean report means: - inventory files pass JSON Schema validation;
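Review bot: in the pfsense-router.md hunk, the new "Current And Planned Policy" section plans to isolate `home-lan` from `home-iot-lan`, but the "Dual-Homed Smart Home Server" section two headings later documents a host with a leg in each network (`192.168.1.101` / `192.168.2.101`) and nothing states what that host may relay between them. A firewall rule between the two router interfaces does not govern traffic that enters the server on one leg and leaves on the other, so the planned policy should name the dual-homed host as an explicit exception and record that IP forwarding is disabled on it (for example the value of `sysctl net.ipv4.ip_forward`, which is not captured anywhere in this change); otherwise the isolation is only nominal.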
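Review bot: in the smart-home-server.md hunk, "Observed Services" lists rpcbind on TCP `111` with no stated purpose, and every observation comes from `192.168.1.101` only; the `192.168.2.101` leg was never scanned (the scan scope in local-network-scan-2026-05-10.md is `192.168.1.0/24`). Add a line saying what rpcbind is for on this host or list it as a candidate for removal/filtering, and mark the IoT-side service list as unobserved so readers do not assume both legs expose the same ports.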
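Review bot: in the endpoints.yml hunk, both new endpoints carry `auth: required` with `source_of_truth: nmap-observed-and-owner-confirmed`, but `nmap -sV` cannot observe authentication, so that field rests on owner confirmation alone and should say so. The `smart-home-panel-http` entry also needs a note on whether port 80 redirects to 443 or serves the panel login in cleartext; a required login over `http://192.168.1.101/` means credentials cross the home LAN unencrypted. Finally, `exposure: local` with `host: 192.168.1.101` leaves open whether nginx also listens on `192.168.2.101`; if it does, the panel is reachable from the IoT LAN and deserves its own record, and if not, a note that it was confirmed not listening there.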
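Review bot: in the hosts.yml hunk, `roles: - dual-homed-host` is a role value not used elsewhere in the visible inventory, and documentation-rules.md requires inventory files to pass JSON Schema validation via `GET /validate`; confirm the schema accepts it before merging, or document the allowed role values. The record also gives `os: Ubuntu` with no release even though SSH-based identification is the stated follow-up method for the other Ubuntu hosts in this change; add the release once confirmed over SSH, since patch-level facts are what an inventory is consulted for during an incident.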
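Review bot: in the networks.yml hunk, the two new records are asymmetric in ways that will mislead readers: `home-lan` has `ssid: home` but no `nodes`, `home-iot-lan` has `nodes` but no `ssid`; `current_policy` and `planned_policy` appear only on `home-iot-lan`, so the `home-lan` record says nothing about its own inter-LAN access; and `planned_policy.inter_lan_access: restricted` does not match "isolate the two networks from each other" in pfsense-router.md, while `internet_access: likely-denied` mixes a confidence level into a value field. Suggest the same keys on both records, a fixed value set for policy fields (`full` / `restricted` / `denied`) and a separate note or confidence field for hedges.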
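Review bot: in the local-network-scan-2026-05-10.md hunk, `panel.smarthome.arp` for `192.168.1.101` in the "Active Hosts" table looks truncated next to `pfSense.home.arpa` one row above; verify the recorded name against the scan output. The "Candidates For Follow-Up" list also omits `192.168.1.2` and `192.168.1.3`, which expose management UIs on `80` and `8443` and are described as likely access points: pfsense-router.md in this same change documents exactly two home Wi-Fi nodes, so these two hosts should either be identified and mapped to those nodes or added to the follow-up list, since unattributed management interfaces are a larger inventory gap than the SSH-only Ubuntu hosts that are listed. Two smaller points: rpcbind on `111` appears on seven hosts and deserves a single follow-up item to confirm whether RPC/NFS is actually in use, and the scan scope should state that `192.168.2.0/24`, documented in the same change, has not been scanned at all.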
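Review bot: in the documentation-rules.md hunk, the added sentence reads as if the scan itself is skipped when the entity is already infrastructure-relevant ("Discovery scans should first be recorded under ... unless the entity is already confirmed"). The intended rule appears to concern the entities a scan finds, not the scan; suggest: "Results of discovery scans are recorded under `90-maintenance/discovery-observations/`. An observed entity is promoted to canonical inventory only once it is confirmed as infrastructure-relevant; household, mobile, TV and other dynamic devices normally remain observations." It would also help to state that observation files carry a short `review_interval` (the new scan file uses `30d`) so stale addresses are pruned rather than promoted.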