From 7e74559d5b15e3d0f01d63c6ad7fce4b59768e45 Mon Sep 17 00:00:00 2001 From: sjat Date: Thu, 30 Apr 2026 08:55:16 +0200 Subject: [PATCH] Add current hardware and software inventory reports Co-Authored-By: Claude Sonnet 4.6 --- current-hardware.md | 117 ++++++++++++++++++++ current-software.md | 264 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 381 insertions(+) create mode 100644 current-hardware.md create mode 100644 current-software.md diff --git a/current-hardware.md b/current-hardware.md new file mode 100644 index 0000000..c9bb0c3 --- /dev/null +++ b/current-hardware.md 
@@ -0,0 +1,117 @@ +# Current Hardware — baobab.band Homelab + +A snapshot of physical and virtual hardware in operation as of April 2026. Purpose: inform design decisions for V5 by documenting what exists and has been proven in service. + +--- + +## Network Infrastructure + +| Device | Role | IP | Notes | +|---|---|---|---| +| simba | OPNsense firewall/router | 10.20.10.1 | SSH on port 7576 | +| punda | Managed switch | 10.20.1.2 | SNMP-monitored | +| tai1 | TP-Link EAP610 v3 AP | 10.20.1.4 | Floor 3, SNMP-monitored | +| tai2 | TP-Link EAP610 v2 AP | 10.20.1.5 | Floor 2, SNMP-monitored | + +**Subnets in use:** +- `10.20.10.0/24` — main LAN (servers + laptops) +- `10.20.1.0/24` — IoT / network equipment VLAN +- `10.20.2.0/24` — management VLAN +- `10.20.30.0/24` — home automation VLAN +- `10.8.0.0/24` — WireGuard VPN tunnel + +--- + +## Home Servers + +### fisi — 10.20.10.17 +Primary application server. Runs almost all containerised services. + +- **CPU/GPU:** Intel with integrated GPU (Quick Sync capable; render device `/dev/dri/renderD128`) +- **Storage:** + - OS NVMe: `/dev/nvme0n1` + - Data NVMe: `/dev/nvme1n1`, ext4 (label `nvme0n1-data`, 1% reserved, TRIM enabled), mounted at `/mnt/nvme0n1` +- **NFS client:** mounts `/storage/baobab_media` from papa at `/mnt/nfs/papa_media` +- **Public IP:** 91.226.145.80 (behind Cloudflare DNS) + +### tembo — 10.20.10.10 +Monitoring stack and family kiosk display. + +- **CPU/GPU:** Intel with UHD Graphics 630 (Quick Sync capable; render device `/dev/dri/renderD128`) +- **Storage:** + - Data drive: `/dev/sda1`, ext4 (label `sda1-data`, `noatime`), mounted at `/mnt/sda1` + +### papa — 10.20.10.11 +Pure NAS. No containers beyond monitoring agent. 
+ +- **Storage:** + - 2× Seagate 8TB HDD (ST8000DM004) in ZFS mirror + - `ata-ST8000DM004-2U9188_WSC2JY19` + - `ata-ST8000DM004-2U9188_ZR160G0K` + - Pool properties: `ashift=12` (4K sectors), `autoexpand=on`, `compression=lz4`, `atime=off` + - Mounted at `/storage` + - 1× WD 1TB HDD (WD10EARS, `WD-WCAZA9240348`), ext4, mounted at `/mnt/data` + +### kobe — 10.20.10.23 +Dedicated backup target. + +- **Storage:** + - 2× drives (`/dev/sdb`, `/dev/sdc`) in ZFS mirror + - Pool properties: `ashift=12`, `autoexpand=on`, `compression=lz4`, `atime=off` + - Mounted at `/backup` + +--- + +## Raspberry Pis + +| Host | IP | Role | +|---|---|---| +| kuku | 10.20.10.118 | WireGuard VPN gateway (also 10.8.0.1) | +| faru | 10.20.2.2 | Management VLAN node, monitoring agent | + +Both run Debian and are Ansible-managed. kuku requires `NET_ADMIN` cap for WireGuard metrics. + +--- + +## Home Automation + +### twiga — 10.20.30.2 +Home Assistant OS instance on the home automation VLAN. Accessed via SSH on port 7576. Ansible manages automation config (not the OS itself) via a dedicated `haos_hosts` play. + +--- + +## VPS Hosts + +| Host | Public IP | Provider | +|---|---|---| +| baobab.band | 135.181.111.135 | Hetzner | +| makerfloss | 88.99.32.236 | (unknown) | +| rullebiler.dk | 91.226.145.80 (same as fisi) | Reverse-proxied through fisi | + +All VPS hosts connect back to the homelab via WireGuard (kuku as hub). baobab.band and rullebiler.dk have Borg backup to papa over the tunnel. makerfloss is isolated — no WireGuard tunnel, no backup currently. + +--- + +## Laptops + +All run Debian + XFCE. All have Borg backup clients and WireGuard VPN clients (except mbuzi which has no WireGuard config). 
+ +| Host | IP | Primary users | Notes | +|---|---|---|---| +| paka | 10.20.10.20 | sjat, kine | HiDPI display (144 DPI), Chinese input (fcitx5 Pinyin) | +| mamba | 10.20.10.50 | sjat, sarah, kine, ash | Shared family machine | +| swala | 10.20.10.108 | ash | | +| mbuzi | — | sarah | No WireGuard config in Ansible | + +--- + +## Summary: Storage Approach + +| Location | Type | Capacity | Purpose | +|---|---|---|---| +| fisi NVMe data | ext4 | — | Container data (config, databases, PhotoPrism, Nextcloud, Forgejo) | +| papa ZFS mirror | ZFS | 8 TB | Media library, NFS export to fisi, Borg backup target | +| papa WD 1TB | ext4 | 1 TB | General data, cloud-sync staging | +| tembo sda1 | ext4 | — | Container data on tembo (PhotoPrism copy) | +| kobe ZFS mirror | ZFS | — | rsnapshot backup target | +| pCloud | Cloud | — | Off-site sync for 4 family members (via rclone on papa) | diff --git a/current-software.md b/current-software.md new file mode 100644 index 0000000..86a6da6 --- /dev/null +++ b/current-software.md 
@@ -0,0 +1,264 @@ +# Current Software — baobab.band Homelab + +A snapshot of deployed software as of April 2026. Purpose: inform design decisions for V5 by documenting what has been proven in service. + +All containerised services use Docker Compose. A shared Ansible role (`baobab.container_base`) handles Compose generation and Traefik wiring. Each app has its own role (`baobab.container_`). + +--- + +## fisi — Main Application Server + +### Reverse Proxy & DNS +| Software | Notes | +|---|---| +| Traefik | HTTPS reverse proxy for all LAN services; DNS-01 via Cloudflare for `*.baobab.band` | +| Technitium DNS | Authoritative for `baobab.band`; wildcard `*.nyumbani.baobab.band → 10.20.10.17`; ad blocking | + +### Media +| Service | URL | Notes | +|---|---|---| +| Jellyfin | `jellyfin.nyumbani.baobab.band` | Video streaming; Intel Quick Sync (GPU passthrough) | +| Audiobookshelf | `abs.nyumbani.baobab.band` | Audiobooks and podcasts | +| Calibre Web | `books.nyumbani.baobab.band` | Ebook library | + +### Media Automation +| Service | URL | Notes | +|---|---|---| +| Sonarr | `sonarr.nyumbani.baobab.band` | TV series automation | +| Radarr | `radarr.nyumbani.baobab.band` | Movie automation | +| Lidarr | `lidarr.nyumbani.baobab.band` | Music automation | +| Prowlarr | `prowlarr.nyumbani.baobab.band` | Indexer manager | +| Lazylibrarian | `lazylibrarian.nyumbani.baobab.band` | Book and comic automation | +| qBittorrent | `qbit.nyumbani.baobab.band` | Torrent client; runs inside Gluetun VPN container (NL exit) | +| Gluetun | (internal) | VPN container wrapping qBittorrent; PIA, Netherlands | +| ytdl | `ytdl.nyumbani.baobab.band` | YouTube downloader; integrated with Jellyfin | +| FlareSolverr | port 8191 | Cloudflare bypass for indexers; no Traefik route | +| Recyclarr | (internal, no UI) | Sonarr/Radarr quality profile sync | + +### Files & Productivity +| Service | URL | Notes | +|---|---|---| +| Nextcloud | `nextcloud.nyumbani.baobab.band` / `nextcloud.baobab.band` | 
Files, calendar, contacts; MariaDB backend | +| Nextcloud Exporter | port 9205 | Metrics for Prometheus | +| Vaultwarden | `vaultwarden.baobab.band` | Bitwarden-compatible password manager | + +### Communication +| Service | URL | Notes | +|---|---|---| +| conduwuit | (Matrix server, no public web UI) | Matrix homeserver | +| Element Web | `element.matrix.baobab.band` | Matrix web client | +| ntfy | `ntfy.baobab.band` | Push notification broker | +| Poste.io | `mail.baobab.band` | SMTP/IMAP/webmail; DKIM managed post-deploy | + +### Development & Admin +| Service | URL | Notes | +|---|---|---| +| Forgejo | `forgejo.nyumbani.baobab.band` | Home Git forge; SSH on port 7577 | +| SnipeIT | `snipeit.nyumbani.baobab.band` | IT asset management; MariaDB backend | +| Homepage | `homepage.nyumbani.baobab.band` | Service dashboard | +| Laser course | `laser.baobab.band` | Static course website | +| Rullemenu | `rullemenu.baobab.band` | Menu display (shared facility context) | +| Minecraft | (port-forwarded) | Java+Bedrock via Geyser + Floodgate plugins | + +### Observability +| Software | Notes | +|---|---| +| Grafana Alloy | Docker log forwarding to Loki on tembo; also ships Technitium DNS logs as file source | +| Node Exporter | port 9100; system metrics scraped by Prometheus on tembo | +| rsyslog | Forwards syslog to tembo | + +--- + +## tembo — Monitoring Stack + Kiosk + +### Observability Stack +| Software | URL | Notes | +|---|---|---| +| Prometheus | `prometheus.nyumbani.baobab.band` (port 9090) | 15s scrape, 15-day retention; scrapes: node-exporter, traefik, nextcloud, backup-clients, snmp, loki, grafana, prometheus, alloy | +| Grafana | `grafana.nyumbani.baobab.band` | Dashboards; Matrix bot for alerts | +| Loki | port 3100 | Log aggregation for all hosts | +| Grafana Alloy | port 12345 | Syslog hub (UDP relay from EAP610 APs → Alloy TCP → Loki) | +| SNMP Exporter | port 9116 | WiFi APs (tai1/tai2) and Punda switch | +| Node Exporter | port 9100 | | + +### Kiosk +| 
Software | Notes | +|---|---| +| GNOME kiosk | Chromium-based display cycling through: Deezer, Home Assistant, DSB departures, laundry booking, Jellyfin music, Rullebiler.dk car booking, Rullemenu | +| kiosk-control | `kiosk.nyumbani.baobab.band` — web UI to switch kiosk tabs | +| button handler | USB button device input; test mode enabled | + +### Photo Management (migrated from fisi) +| Service | Notes | +|---|---| +| PhotoPrism | `photo.nyumbani.baobab.band`; Intel Quick Sync GPU; MariaDB backend | +| MariaDB 11 | PhotoPrism database | + +--- + +## papa — NAS + +| Software | Notes | +|---|---| +| NFS server | Exports `/storage/baobab_media` to fisi; subdirectory structure for movies, TV, music, books, audiobooks, downloads | +| Samba | SMB share on `baobab_media`; guest/public access; no auth required | +| Borg (server) | Receives Borg backups from: fisi, tembo, kuku, faru, baobab.band, rullebiler.dk, laptops | +| rclone | Syncs pCloud accounts for 4 family members (EU datacenter); stores clones under `/storage/cloud-clones` | +| ClamAV | Targeted antivirus scan of `/storage/baobab_media/downloads`; alert email via Fastmail SMTP | +| Node Exporter | port 9100 | +| rsyslog | Forwards syslog to tembo | +| HAOS config | Deploys automations to twiga (Home Assistant) | +| Simba/AP/Switch backup | Pull backups of OPNsense `config.xml`, EAP610 `/etc`, Punda `system.cfg` via SSH/SCP into Borg | + +--- + +## kuku — WireGuard VPN Gateway + +| Software | Notes | +|---|---| +| WireGuard (server) | Native kernel WireGuard; port 51194/UDP; public hostname `kuku.baobab.band`; hub for laptops + VPS spokes | +| Node Exporter | `--collector.wireguard` enabled; requires `NET_ADMIN` cap | +| rsyslog | Forwards syslog to tembo | + +**Peers:** paka, mamba, swala (managed laptops), sjat-phone, tais-work-laptop (non-managed), baobab.band, rullebiler.dk (VPS spokes), ash-linux, ash-phone, ash-windows. 
+ +--- + +## simba — Firewall + +| Software | Notes | +|---|---| +| OPNsense | Firewall, router, DHCP, NAT; native os-node_exporter plugin | + +--- + +## faru — Management Pi + +| Software | Notes | +|---|---| +| Node Exporter | port 9100 | +| Borg client | Backs up to papa | +| rsyslog | Forwards syslog to tembo | + +--- + +## twiga — Home Automation + +| Software | Notes | +|---|---| +| Home Assistant OS | Automation platform; Ansible manages automation config (not the OS) | + +--- + +## kobe — Backup Server + +| Software | Notes | +|---|---| +| rsnapshot | Pull-mode backup server; pulls `/home/*` dirs and Docker volumes from mamba | +| ZFS | Backup pool on mirror; compression lz4 | + +--- + +## VPS: baobab.band + +| Software | Notes | +|---|---| +| Traefik | HTTPS entry point | +| Uptime Kuma | External uptime monitoring; public at `status.baobab.band` | +| Grafana Alloy | Docker log forwarding to Loki on tembo (via WireGuard) | +| Node Exporter | port 9100 (publicly exposed; scraped from tembo) | +| WireGuard (client) | Spoke to kuku; tunnel IP 10.8.0.10 | + +--- + +## VPS: makerfloss + +| Software | URL | Notes | +|---|---|---| +| Traefik | — | Gandi DNS-01 for `makerfloss.eu` | +| Forgejo | `forgejo.makerfloss.eu` | MakerFLOSS community Git forge; SSH on port 7577 | +| SnipeIT | `snipeit.makerfloss.eu` | MakerFLOSS asset management; MariaDB backend | +| Poste.io | `mail.makerfloss.eu` | Mail server for `makerfloss.eu` | +| Node Exporter | port 9100 (publicly exposed) | | + +Note: No WireGuard tunnel yet — isolated from homelab network. No Borg backup currently. 
+ +--- + +## VPS: rullebiler.dk + +| Software | URL | Notes | +|---|---|---| +| Traefik | — | Cloudflare DNS-01 for `rullebiler.dk` | +| Rullebiler.dk site | `rullebiler.dk` | Static website | +| MRBS | `booking.rullebiler.dk` | Room/resource booking; MariaDB backend; billing enabled | +| Poste.io | `mail.rullebiler.dk` | Mail server for `rullebiler.dk` | +| Uptime Kuma | `status.rullebiler.dk` | Uptime monitoring | +| Grafana Alloy | — | Docker log forwarding to Loki on tembo (via WireGuard) | +| Node Exporter | port 9100 | | +| WireGuard (client) | — | Spoke to kuku; tunnel IP 10.8.0.11 | + +--- + +## Laptops (paka, mamba, swala, mbuzi) + +All four run **Debian + XFCE**. Per-user multi-user configuration managed by Ansible. + +### Common to all laptops +| Software | Notes | +|---|---| +| XFCE desktop | Ansible-managed config (xfconf, panel, autostart); dark theme (Adwaita-dark) | +| Node Exporter | port 9100 | +| WireGuard client | Automatic endpoint switching (LAN vs. remote) via VPN toggle script; mbuzi excluded | +| Borg backup client | Backs up `/home`, `/etc`, `/srv` to papa; excludes pCloud, caches, Downloads | +| Nextcloud desktop client | Per-user (kine on paka, ash on swala, sarah on mbuzi, sjat on mamba) | +| pCloud | AppImage; auto-started for all 4 family users | +| Thunderbird | Pre-seeded profiles for all family `baobab.band` accounts; CalDAV calendars via Fastmail | +| LibreOffice | Managed by Ansible role | +| VirtualBox | Installed for sjat and kine | +| PIA VPN | Private Internet Access GUI client; sjat install user | +| Claude Code | Latest version | +| Gemini CLI | Via npm | +| Neovim | Config managed via Ansible (lazy.nvim; LSP, treesitter, telescope, git plugins) | +| rsyslog | Forwards syslog to tembo | +| fcitx5 + Pinyin | paka only, for kine | + +### Per-user Flatpaks +| App | Users | +|---|---| +| SpeedCrunch | all | +| Joplin Desktop | all | +| Signal | all | +| FreeCAD | all | +| VS Code | sjat only | +| Lunar Client (Minecraft) | 
mamba (sjat+ash), swala (ash) | +| Riot/Element | mamba | + +--- + +## Cross-cutting: Infrastructure Patterns + +### Observability +- **Metrics:** Prometheus on tembo scrapes all hosts via node_exporter, plus Traefik, Nextcloud, Loki, Grafana, Prometheus, Alloy self-metrics, and SNMP for APs/switch. +- **Logs:** rsyslog on all hosts → tembo; Docker logs forwarded via Grafana Alloy → Loki; EAP610 AP syslog → tembo rsyslog UDP relay → Alloy. +- **Dashboards:** Grafana on tembo. Grafana Alloy bot posts alerts to Matrix. +- **External uptime:** Uptime Kuma on baobab.band VPS (public) and rullebiler.dk VPS. + +### Backup +- **Borg** (primary, push): all servers and laptops push to papa over SSH. Pre-dump: MariaDB databases (PhotoPrism, Nextcloud) dumped to `/var/backups/borg-prep` before Borg runs. Status reported via node_exporter textfile collector → Prometheus. +- **rsnapshot** (secondary, pull): kobe pulls `/home` dirs + Docker volumes from mamba. +- **Cloud sync:** pCloud (EU) for 4 family members via rclone on papa. +- **Network device configs:** papa pulls OPNsense `config.xml`, EAP610 `/etc`, Punda `system.cfg` into Borg. + +### DNS +- Technitium on fisi is authoritative for `baobab.band` (LAN-internal split-horizon). +- Wildcard `*.nyumbani.baobab.band → 10.20.10.17` (fisi) with explicit overrides for tembo services. +- Public DNS (`*.baobab.band`) via Cloudflare; managed declaratively via Ansible Cloudflare role. +- `makerfloss.eu` via Gandi DNS, managed by Ansible Gandi role. +- `rullebiler.dk` via Cloudflare, managed by Ansible. + +### IaC +- Ansible (AnsibleBaobabV4); all config in `host_vars/.yml`. +- `baobab.container_base` role: Compose template generation + Traefik label wiring. +- Secrets in Ansible Vault (`group_vars/all/90-secrets.vault.yml`). +- Two inventory environments: `prod` and `lab`.
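Review bot: In the `current-hardware.md` hunk, the "VPS Hosts" row `| rullebiler.dk | 91.226.145.80 (same as fisi) | Reverse-proxied through fisi |` contradicts the software file in the same patch, which describes rullebiler.dk as its own VPS with Traefik doing Cloudflare DNS-01, Poste.io at `mail.rullebiler.dk`, and a WireGuard spoke at 10.8.0.11; either the row is stale or the domain is split between a VPS and fisi, and the table should say which host serves what (a mail server behind a home reverse proxy is a very different exposure than one on a VPS). Same hunk, "Summary: Storage Approach": three of the six rows have capacity `—` even though the file's stated purpose is to inform V5 sizing, so fill in the NVMe, tembo and kobe sizes. Finally, this file puts public IPs, the non-default SSH port 7576 for simba and twiga, and the ZFS member disk serials into the same repo as the playbooks; decide deliberately whether an inventory that may later be shared should carry that detail or reference the vaulted host_vars instead.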
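Review bot: In the `current-software.md` hunk, Node Exporter is recorded as "port 9100 (publicly exposed; scraped from tembo)" on the baobab.band VPS and "port 9100 (publicly exposed)" on makerfloss; baobab.band already has a WireGuard spoke (tunnel IP 10.8.0.10) and tembo reaches Loki over that tunnel for log shipping, so the scrape can use the tunnel address and the public listener can be closed, and makerfloss, which has no tunnel, should at minimum have 9100 restricted to the scraper's source address in the same table note. Two more items in this hunk deserve a line of their own: the papa Samba entry `| Samba | SMB share on baobab_media; guest/public access; no auth required |` should state whether the share is read-only and which VLANs can reach it, since the same tree contains the qBittorrent downloads directory that ClamAV is scanning; and the makerfloss note "No Borg backup currently" sits under a host running Forgejo, SnipeIT and Poste.io, which makes it a data-loss risk rather than a footnote. Minor: the tembo table credits alerts to a Grafana "Matrix bot" while "Cross-cutting: Observability" says "Grafana Alloy bot posts alerts to Matrix"; pick one, as Alloy is the log forwarder, not the alerting component.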