HomelabDesignV5/current-software.md


# Current Software — baobab.band Homelab
A snapshot of deployed software as of April 2026. Purpose: inform design decisions for V5 by documenting what has been proven in service.
All containerised services use Docker Compose. A shared Ansible role (`baobab.container_base`) handles Compose generation and Traefik wiring. Each app has its own role (`baobab.container_<name>`).

---
## fisi — Main Application Server
### Reverse Proxy & DNS
| Software | Notes |
|---|---|
| Traefik | HTTPS reverse proxy for all LAN services; DNS-01 via Cloudflare for `*.baobab.band` |
| Technitium DNS | Authoritative for `baobab.band`; wildcard `*.nyumbani.baobab.band → 10.20.10.17`; ad blocking |
### Media
| Service | URL | Notes |
|---|---|---|
| Jellyfin | `jellyfin.nyumbani.baobab.band` | Video streaming; Intel Quick Sync (GPU passthrough) |
| Audiobookshelf | `abs.nyumbani.baobab.band` | Audiobooks and podcasts |
| Calibre Web | `books.nyumbani.baobab.band` | Ebook library |
### Media Automation
| Service | URL | Notes |
|---|---|---|
| Sonarr | `sonarr.nyumbani.baobab.band` | TV series automation |
| Radarr | `radarr.nyumbani.baobab.band` | Movie automation |
| Lidarr | `lidarr.nyumbani.baobab.band` | Music automation |
| Prowlarr | `prowlarr.nyumbani.baobab.band` | Indexer manager |
| Lazylibrarian | `lazylibrarian.nyumbani.baobab.band` | Book and comic automation |
| qBittorrent | `qbit.nyumbani.baobab.band` | Torrent client; runs inside Gluetun VPN container (NL exit) |
| Gluetun | (internal) | VPN container wrapping qBittorrent; PIA, Netherlands |
| ytdl | `ytdl.nyumbani.baobab.band` | YouTube downloader; integrated with Jellyfin |
| FlareSolverr | port 8191 | Cloudflare bypass for indexers; no Traefik route |
| Recyclarr | (internal, no UI) | Sonarr/Radarr quality profile sync |
### Files & Productivity
| Service | URL | Notes |
|---|---|---|
| Nextcloud | `nextcloud.nyumbani.baobab.band` / `nextcloud.baobab.band` | Files, calendar, contacts; MariaDB backend |
| Nextcloud Exporter | port 9205 | Metrics for Prometheus |
| Vaultwarden | `vaultwarden.baobab.band` | Bitwarden-compatible password manager |
### Communication
| Service | URL | Notes |
|---|---|---|
| conduwuit | (Matrix server, no public web UI) | Matrix homeserver |
| Element Web | `element.matrix.baobab.band` | Matrix web client |
| ntfy | `ntfy.baobab.band` | Push notification broker |
| Poste.io | `mail.baobab.band` | SMTP/IMAP/webmail; DKIM managed post-deploy |
### Development & Admin
| Service | URL | Notes |
|---|---|---|
| Forgejo | `forgejo.nyumbani.baobab.band` | Home Git forge; SSH on port 7577 |
| SnipeIT | `snipeit.nyumbani.baobab.band` | IT asset management; MariaDB backend |
| Homepage | `homepage.nyumbani.baobab.band` | Service dashboard |
| Laser course | `laser.baobab.band` | Static course website |
| Rullemenu | `rullemenu.baobab.band` | Menu display (shared facility context) |
| Minecraft | (port-forwarded) | Java+Bedrock via Geyser + Floodgate plugins |
### Observability
| Software | Notes |
|---|---|
| Grafana Alloy | Docker log forwarding to Loki on tembo; also ships Technitium DNS logs as file source |
| Node Exporter | port 9100; system metrics scraped by Prometheus on tembo |
| rsyslog | Forwards syslog to tembo |
---
## tembo — Monitoring Stack + Kiosk
### Observability Stack
| Software | URL | Notes |
|---|---|---|
| Prometheus | `prometheus.nyumbani.baobab.band` (port 9090) | 15s scrape, 15-day retention; scrapes: node-exporter, traefik, nextcloud, backup-clients, snmp, loki, grafana, prometheus, alloy |
| Grafana | `grafana.nyumbani.baobab.band` | Dashboards; Matrix bot for alerts |
| Loki | port 3100 | Log aggregation for all hosts |
| Grafana Alloy | port 12345 | Syslog hub (UDP relay from EAP610 APs → Alloy TCP → Loki) |
| SNMP Exporter | port 9116 | WiFi APs (tai1/tai2) and Punda switch |
| Node Exporter | port 9100 | |
### Kiosk
| Software | Notes |
|---|---|
| GNOME kiosk | Chromium-based display cycling through: Deezer, Home Assistant, DSB departures, laundry booking, Jellyfin music, Rullebiler.dk car booking, Rullemenu |
| kiosk-control | `kiosk.nyumbani.baobab.band` — web UI to switch kiosk tabs |
| button handler | USB button device input; test mode enabled |
### Photo Management (migrated from fisi)
| Service | Notes |
|---|---|
| PhotoPrism | `photo.nyumbani.baobab.band`; Intel Quick Sync GPU; MariaDB backend |
| MariaDB 11 | PhotoPrism database |
---
## papa — NAS
| Software | Notes |
|---|---|
| NFS server | Exports `/storage/baobab_media` to fisi; subdirectory structure for movies, TV, music, books, audiobooks, downloads |
| Samba | SMB share on `baobab_media`; guest/public access; no auth required |
| Borg (server) | Receives Borg backups from: fisi, tembo, kuku, faru, baobab.band, rullebiler.dk, laptops |
| rclone | Syncs pCloud accounts for 4 family members (EU datacenter); stores clones under `/storage/cloud-clones` |
| ClamAV | Targeted antivirus scan of `/storage/baobab_media/downloads`; alert email via Fastmail SMTP |
| Node Exporter | port 9100 |
| rsyslog | Forwards syslog to tembo |
| HAOS config | Deploys automations to twiga (Home Assistant) |
| Simba/AP/Switch backup | Pull backups of OPNsense `config.xml`, EAP610 `/etc`, Punda `system.cfg` via SSH/SCP into Borg |
---
## kuku — WireGuard VPN Gateway
| Software | Notes |
|---|---|
| WireGuard (server) | Native kernel WireGuard; port 51194/UDP; public hostname `kuku.baobab.band`; hub for laptops + VPS spokes |
| Node Exporter | `--collector.wireguard` enabled; requires `NET_ADMIN` cap |
| rsyslog | Forwards syslog to tembo |

**Peers:** paka, mamba, swala (managed laptops), sjat-phone, tais-work-laptop (non-managed), baobab.band, rullebiler.dk (VPS spokes), ash-linux, ash-phone, ash-windows.

---
## simba — Firewall
| Software | Notes |
|---|---|
| OPNsense | Firewall, router, DHCP, NAT; native os-node_exporter plugin |
---
## faru — Management Pi
| Software | Notes |
|---|---|
| Node Exporter | port 9100 |
| Borg client | Backs up to papa |
| rsyslog | Forwards syslog to tembo |
---
## twiga — Home Automation
| Software | Notes |
|---|---|
| Home Assistant OS | Automation platform; Ansible manages automation config (not the OS) |
---
## kobe — Backup Server
| Software | Notes |
|---|---|
| rsnapshot | Pull-mode backup server; pulls `/home/*` dirs and Docker volumes from mamba |
| ZFS | Backup pool on mirror; compression lz4 |
---
## VPS: baobab.band
| Software | Notes |
|---|---|
| Traefik | HTTPS entry point |
| Uptime Kuma | External uptime monitoring; public at `status.baobab.band` |
| Grafana Alloy | Docker log forwarding to Loki on tembo (via WireGuard) |
| Node Exporter | port 9100 (publicly exposed; scraped from tembo) |
| WireGuard (client) | Spoke to kuku; tunnel IP 10.8.0.10 |
---
## VPS: makerfloss
| Software | URL | Notes |
|---|---|---|
| Traefik | — | Gandi DNS-01 for `makerfloss.eu` |
| Forgejo | `forgejo.makerfloss.eu` | MakerFLOSS community Git forge; SSH on port 7577 |
| SnipeIT | `snipeit.makerfloss.eu` | MakerFLOSS asset management; MariaDB backend |
| Poste.io | `mail.makerfloss.eu` | Mail server for `makerfloss.eu` |
| Node Exporter | port 9100 (publicly exposed) | |

Note: No WireGuard tunnel yet — isolated from homelab network. No Borg backup currently.

---
## VPS: rullebiler.dk
| Software | URL | Notes |
|---|---|---|
| Traefik | — | Cloudflare DNS-01 for `rullebiler.dk` |
| Rullebiler.dk site | `rullebiler.dk` | Static website |
| MRBS | `booking.rullebiler.dk` | Room/resource booking; MariaDB backend; billing enabled |
| Poste.io | `mail.rullebiler.dk` | Mail server for `rullebiler.dk` |
| Uptime Kuma | `status.rullebiler.dk` | Uptime monitoring |
| Grafana Alloy | — | Docker log forwarding to Loki on tembo (via WireGuard) |
| Node Exporter | port 9100 | |
| WireGuard (client) | — | Spoke to kuku; tunnel IP 10.8.0.11 |
---
## Laptops (paka, mamba, swala, mbuzi)
All four run **Debian + XFCE**. Per-user multi-user configuration managed by Ansible.
### Common to all laptops
| Software | Notes |
|---|---|
| XFCE desktop | Ansible-managed config (xfconf, panel, autostart); dark theme (Adwaita-dark) |
| Node Exporter | port 9100 |
| WireGuard client | Automatic endpoint switching (LAN vs. remote) via VPN toggle script; mbuzi excluded |
| Borg backup client | Backs up `/home`, `/etc`, `/srv` to papa; excludes pCloud, caches, Downloads |
| Nextcloud desktop client | Per-user (kine on paka, ash on swala, sarah on mbuzi, sjat on mamba) |
| pCloud | AppImage; auto-started for all 4 family users |
| Thunderbird | Pre-seeded profiles for all family `baobab.band` accounts; CalDAV calendars via Fastmail |
| LibreOffice | Managed by Ansible role |
| VirtualBox | Installed for sjat and kine |
| PIA VPN | Private Internet Access GUI client; sjat install user |
| Claude Code | Latest version |
| Gemini CLI | Via npm |
| Neovim | Config managed via Ansible (lazy.nvim; LSP, treesitter, telescope, git plugins) |
| rsyslog | Forwards syslog to tembo |
| fcitx5 + Pinyin | paka only, for kine |
### Per-user Flatpaks
| App | Users |
|---|---|
| SpeedCrunch | all |
| Joplin Desktop | all |
| Signal | all |
| FreeCAD | all |
| VS Code | sjat only |
| Lunar Client (Minecraft) | mamba (sjat+ash), swala (ash) |
| Riot/Element | mamba |
---
## Cross-cutting: Infrastructure Patterns
### Observability
- **Metrics:** Prometheus on tembo scrapes all hosts via node_exporter, plus Traefik, Nextcloud, Loki, Grafana, Prometheus, Alloy self-metrics, and SNMP for APs/switch.
- **Logs:** rsyslog on all hosts → tembo; Docker logs forwarded via Grafana Alloy → Loki; EAP610 AP syslog → tembo rsyslog UDP relay → Alloy.
- **Dashboards:** Grafana on tembo. Grafana Alloy bot posts alerts to Matrix.
- **External uptime:** Uptime Kuma on baobab.band VPS (public) and rullebiler.dk VPS.
### Backup
- **Borg** (primary, push): all servers and laptops push to papa over SSH. Pre-dump: MariaDB databases (PhotoPrism, Nextcloud) dumped to `/var/backups/borg-prep` before Borg runs. Status reported via node_exporter textfile collector → Prometheus.
- **rsnapshot** (secondary, pull): kobe pulls `/home` dirs + Docker volumes from mamba.
- **Cloud sync:** pCloud (EU) for 4 family members via rclone on papa.
- **Network device configs:** papa pulls OPNsense `config.xml`, EAP610 `/etc`, Punda `system.cfg` into Borg.
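As an added example (not taken from the AnsibleBaobabV4 roles), a POSIX shell job for the Borg pattern above: MariaDB pre-dump into `/var/backups/borg-prep`, the Borg run, then status written for the node_exporter textfile collector. The textfile directory, the metric names and the repo URL are assumptions, not values from this page.

```shell
#!/bin/sh
# Added example, not the repo's own role code: a Borg client job that pre-dumps
# MariaDB, runs Borg, and reports status through node_exporter's textfile
# collector. Assumed (not from the page): node_exporter runs with
# --collector.textfile.directory="$TEXTFILE_DIR"; metric names are illustrative.
set -u
TEXTFILE_DIR=${TEXTFILE_DIR:-/var/lib/node_exporter/textfile_collector}
PREP_DIR=${PREP_DIR:-/var/backups/borg-prep}
BORG_REPO=${BORG_REPO:-ssh://borg@papa/./$(uname -n)}   # placeholder repo URL
REPO_NAME=$(uname -n)

# write_borg_metrics DIR REPO EXIT_CODE START_EPOCH END_EPOCH
# node_exporter may read the .prom file at any instant, so write to a temp file
# in the same directory and rename it over the target (atomic replace).
# The last-success timestamp is carried over on failure, so an alert on
# "time since last successful backup" keeps working.
write_borg_metrics() {
    dir=$1 repo=$2 rc=$3 start=$4 end=$5
    target="$dir/borg_backup.prom"
    mkdir -p "$dir"
    prev=$(grep -s '^borg_backup_last_success_timestamp_seconds' "$target" | awk '{print $2}')
    if [ "$rc" -eq 0 ]; then success=$end; else success=${prev:-0}; fi
    tmp="$target.$$.tmp"
    {
        printf '# HELP borg_backup_last_exit_code Borg exit code (0 ok, 1 warning, 2 error).\n'
        printf '# TYPE borg_backup_last_exit_code gauge\n'
        printf 'borg_backup_last_exit_code{repo="%s"} %s\n' "$repo" "$rc"
        printf '# TYPE borg_backup_last_success_timestamp_seconds gauge\n'
        printf 'borg_backup_last_success_timestamp_seconds{repo="%s"} %s\n' "$repo" "$success"
        printf '# TYPE borg_backup_duration_seconds gauge\n'
        printf 'borg_backup_duration_seconds{repo="%s"} %s\n' "$repo" "$((end - start))"
    } > "$tmp" && mv -f "$tmp" "$target"
}

# Full job: dump databases first (a consistent SQL dump backs up cleanly, live
# InnoDB files do not), run Borg, then record the outcome either way.
run_backup() {
    start=$(date +%s)
    mkdir -p "$PREP_DIR"
    if ! mariadb-dump --single-transaction --all-databases > "$PREP_DIR/mariadb.sql"; then
        write_borg_metrics "$TEXTFILE_DIR" "$REPO_NAME" 2 "$start" "$(date +%s)"
        return 2
    fi
    borg create --stats "$BORG_REPO::{hostname}-{now}" /etc /home /srv "$PREP_DIR"
    rc=$?
    write_borg_metrics "$TEXTFILE_DIR" "$REPO_NAME" "$rc" "$start" "$(date +%s)"
    return "$rc"
}
if [ "${1:-}" = "--run" ]; then run_backup; fi   # real job only when invoked with --run
```

A Prometheus rule on `time() - borg_backup_last_success_timestamp_seconds` then alerts on stale backups even when a failed run has just rewritten the file.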
### DNS
- Technitium on fisi is authoritative for `baobab.band` (LAN-internal split-horizon).
- Wildcard `*.nyumbani.baobab.band → 10.20.10.17` (fisi) with explicit overrides for tembo services.
- Public DNS (`*.baobab.band`) via Cloudflare; managed declaratively via Ansible Cloudflare role.
- `makerfloss.eu` via Gandi DNS, managed by Ansible Gandi role.
- `rullebiler.dk` via Cloudflare, managed by Ansible.
### IaC
- Ansible (AnsibleBaobabV4); all config in `host_vars/<host>.yml`.
- `baobab.container_base` role: Compose template generation + Traefik label wiring.
- Secrets in Ansible Vault (`group_vars/all/90-secrets.vault.yml`).
- Two inventory environments: `prod` and `lab`.