Add current hardware and software inventory reports

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
sjat 2026-04-30 08:55:16 +02:00
parent 6634a307b1
commit 7e74559d5b
2 changed files with 381 additions and 0 deletions

117
current-hardware.md Normal file

@ -0,0 +1,117 @@
# Current Hardware — baobab.band Homelab
A snapshot of physical and virtual hardware in operation as of April 2026. Purpose: inform design decisions for V5 by documenting what exists and has been proven in service.
---
## Network Infrastructure
| Device | Role | IP | Notes |
|---|---|---|---|
| simba | OPNsense firewall/router | 10.20.10.1 | SSH on port 7576 |
| punda | Managed switch | 10.20.1.2 | SNMP-monitored |
| tai1 | TP-Link EAP610 v3 AP | 10.20.1.4 | Floor 3, SNMP-monitored |
| tai2 | TP-Link EAP610 v2 AP | 10.20.1.5 | Floor 2, SNMP-monitored |
**Subnets in use:**
- `10.20.10.0/24` — main LAN (servers + laptops)
- `10.20.1.0/24` — IoT / network equipment VLAN
- `10.20.2.0/24` — management VLAN
- `10.20.30.0/24` — home automation VLAN
- `10.8.0.0/24` — WireGuard VPN tunnel
---
## Home Servers
### fisi — 10.20.10.17
Primary application server. Runs almost all containerised services.
- **CPU/GPU:** Intel with integrated GPU (Quick Sync capable; render device `/dev/dri/renderD128`)
- **Storage:**
- OS NVMe: `/dev/nvme0n1`
- Data NVMe: `/dev/nvme1n1`, ext4 (label `nvme0n1-data`, 1% reserved, TRIM enabled), mounted at `/mnt/nvme0n1`
- **NFS client:** mounts `/storage/baobab_media` from papa at `/mnt/nfs/papa_media`
- **Public IP:** 91.226.145.80 (behind Cloudflare DNS)
### tembo — 10.20.10.10
Monitoring stack and family kiosk display.
- **CPU/GPU:** Intel with UHD Graphics 630 (Quick Sync capable; render device `/dev/dri/renderD128`)
- **Storage:**
- Data drive: `/dev/sda1`, ext4 (label `sda1-data`, `noatime`), mounted at `/mnt/sda1`
### papa — 10.20.10.11
Pure NAS. No containers beyond monitoring agent.
- **Storage:**
- 2× Seagate 8TB HDD (ST8000DM004) in ZFS mirror
- `ata-ST8000DM004-2U9188_WSC2JY19`
- `ata-ST8000DM004-2U9188_ZR160G0K`
- Pool properties: `ashift=12` (4K sectors), `autoexpand=on`, `compression=lz4`, `atime=off`
- Mounted at `/storage`
- 1× WD 1TB HDD (WD10EARS, `WD-WCAZA9240348`), ext4, mounted at `/mnt/data`
### kobe — 10.20.10.23
Dedicated backup target.
- **Storage:**
- 2× drives (`/dev/sdb`, `/dev/sdc`) in ZFS mirror
- Pool properties: `ashift=12`, `autoexpand=on`, `compression=lz4`, `atime=off`
- Mounted at `/backup`
---
## Raspberry Pis
| Host | IP | Role |
|---|---|---|
| kuku | 10.20.10.118 | WireGuard VPN gateway (also 10.8.0.1) |
| faru | 10.20.2.2 | Management VLAN node, monitoring agent |
Both run Debian and are Ansible-managed. kuku requires `NET_ADMIN` cap for WireGuard metrics.
---
## Home Automation
### twiga — 10.20.30.2
Home Assistant OS instance on the home automation VLAN. Accessed via SSH on port 7576. Ansible manages automation config (not the OS itself) via a dedicated `haos_hosts` play.
---
## VPS Hosts
| Host | Public IP | Provider |
|---|---|---|
| baobab.band | 135.181.111.135 | Hetzner |
| makerfloss | 88.99.32.236 | (unknown) |
| rullebiler.dk | 91.226.145.80 (same as fisi) | Reverse-proxied through fisi |
All VPS hosts connect back to the homelab via WireGuard (kuku as hub). baobab.band and rullebiler.dk have Borg backup to papa over the tunnel. makerfloss is isolated — no WireGuard tunnel, no backup currently.
---
## Laptops
All run Debian + XFCE. All have Borg backup clients and WireGuard VPN clients (except mbuzi which has no WireGuard config).
| Host | IP | Primary users | Notes |
|---|---|---|---|
| paka | 10.20.10.20 | sjat, kine | HiDPI display (144 DPI), Chinese input (fcitx5 Pinyin) |
| mamba | 10.20.10.50 | sjat, sarah, kine, ash | Shared family machine |
| swala | 10.20.10.108 | ash | |
| mbuzi | — | sarah | No WireGuard config in Ansible |
---
## Summary: Storage Approach
| Location | Type | Capacity | Purpose |
|---|---|---|---|
| fisi NVMe data | ext4 | — | Container data (config, databases, PhotoPrism, Nextcloud, Forgejo) |
| papa ZFS mirror | ZFS | 8 TB | Media library, NFS export to fisi, Borg backup target |
| papa WD 1TB | ext4 | 1 TB | General data, cloud-sync staging |
| tembo sda1 | ext4 | — | Container data on tembo (PhotoPrism copy) |
| kobe ZFS mirror | ZFS | — | rsnapshot backup target |
| pCloud | Cloud | — | Off-site sync for 4 family members (via rclone on papa) |
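Review bot: the rullebiler.dk row in the VPS table conflicts with the second file in this commit. Here it is listed with fisi's public IP 91.226.145.80 and "Reverse-proxied through fisi", but current-software.md describes rullebiler.dk as a separate VPS with its own Traefik (Cloudflare DNS-01), a Poste.io mail server at `mail.rullebiler.dk` and a WireGuard spoke at 10.8.0.11, and the paragraph under this table says it has a Borg backup to papa over the tunnel. One of the two is stale: if the site really is proxied through fisi, the row should say that `mail.rullebiler.dk` is served from the home connection; otherwise the IP and provider columns need the VPS's own values. Two smaller points on the network section: punda, tai1 and tai2 sit on `10.20.1.0/24`, which the subnet list labels "IoT / network equipment VLAN", even though a dedicated management VLAN `10.20.2.0/24` exists (faru is on it); note whether SNMP and SSH to the switch and APs are reachable from IoT devices on that VLAN, or plan to move them for V5. And since this snapshot records the firewall's SSH port (7576), drive serials and a public IP, state at the top of the file whether the repository holding it is private.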

264
current-software.md Normal file

@ -0,0 +1,264 @@
# Current Software — baobab.band Homelab
A snapshot of deployed software as of April 2026. Purpose: inform design decisions for V5 by documenting what has been proven in service.
All containerised services use Docker Compose. A shared Ansible role (`baobab.container_base`) handles Compose generation and Traefik wiring. Each app has its own role (`baobab.container_<name>`).
---
## fisi — Main Application Server
### Reverse Proxy & DNS
| Software | Notes |
|---|---|
| Traefik | HTTPS reverse proxy for all LAN services; DNS-01 via Cloudflare for `*.baobab.band` |
| Technitium DNS | Authoritative for `baobab.band`; wildcard `*.nyumbani.baobab.band → 10.20.10.17`; ad blocking |
### Media
| Service | URL | Notes |
|---|---|---|
| Jellyfin | `jellyfin.nyumbani.baobab.band` | Video streaming; Intel Quick Sync (GPU passthrough) |
| Audiobookshelf | `abs.nyumbani.baobab.band` | Audiobooks and podcasts |
| Calibre Web | `books.nyumbani.baobab.band` | Ebook library |
### Media Automation
| Service | URL | Notes |
|---|---|---|
| Sonarr | `sonarr.nyumbani.baobab.band` | TV series automation |
| Radarr | `radarr.nyumbani.baobab.band` | Movie automation |
| Lidarr | `lidarr.nyumbani.baobab.band` | Music automation |
| Prowlarr | `prowlarr.nyumbani.baobab.band` | Indexer manager |
| Lazylibrarian | `lazylibrarian.nyumbani.baobab.band` | Book and comic automation |
| qBittorrent | `qbit.nyumbani.baobab.band` | Torrent client; runs inside Gluetun VPN container (NL exit) |
| Gluetun | (internal) | VPN container wrapping qBittorrent; PIA, Netherlands |
| ytdl | `ytdl.nyumbani.baobab.band` | YouTube downloader; integrated with Jellyfin |
| FlareSolverr | port 8191 | Cloudflare bypass for indexers; no Traefik route |
| Recyclarr | (internal, no UI) | Sonarr/Radarr quality profile sync |
### Files & Productivity
| Service | URL | Notes |
|---|---|---|
| Nextcloud | `nextcloud.nyumbani.baobab.band` / `nextcloud.baobab.band` | Files, calendar, contacts; MariaDB backend |
| Nextcloud Exporter | port 9205 | Metrics for Prometheus |
| Vaultwarden | `vaultwarden.baobab.band` | Bitwarden-compatible password manager |
### Communication
| Service | URL | Notes |
|---|---|---|
| conduwuit | (Matrix server, no public web UI) | Matrix homeserver |
| Element Web | `element.matrix.baobab.band` | Matrix web client |
| ntfy | `ntfy.baobab.band` | Push notification broker |
| Poste.io | `mail.baobab.band` | SMTP/IMAP/webmail; DKIM managed post-deploy |
### Development & Admin
| Service | URL | Notes |
|---|---|---|
| Forgejo | `forgejo.nyumbani.baobab.band` | Home Git forge; SSH on port 7577 |
| SnipeIT | `snipeit.nyumbani.baobab.band` | IT asset management; MariaDB backend |
| Homepage | `homepage.nyumbani.baobab.band` | Service dashboard |
| Laser course | `laser.baobab.band` | Static course website |
| Rullemenu | `rullemenu.baobab.band` | Menu display (shared facility context) |
| Minecraft | (port-forwarded) | Java+Bedrock via Geyser + Floodgate plugins |
### Observability
| Software | Notes |
|---|---|
| Grafana Alloy | Docker log forwarding to Loki on tembo; also ships Technitium DNS logs as file source |
| Node Exporter | port 9100; system metrics scraped by Prometheus on tembo |
| rsyslog | Forwards syslog to tembo |
---
## tembo — Monitoring Stack + Kiosk
### Observability Stack
| Software | URL | Notes |
|---|---|---|
| Prometheus | `prometheus.nyumbani.baobab.band` (port 9090) | 15s scrape, 15-day retention; scrapes: node-exporter, traefik, nextcloud, backup-clients, snmp, loki, grafana, prometheus, alloy |
| Grafana | `grafana.nyumbani.baobab.band` | Dashboards; Matrix bot for alerts |
| Loki | port 3100 | Log aggregation for all hosts |
| Grafana Alloy | port 12345 | Syslog hub (UDP relay from EAP610 APs → Alloy TCP → Loki) |
| SNMP Exporter | port 9116 | WiFi APs (tai1/tai2) and Punda switch |
| Node Exporter | port 9100 | |
### Kiosk
| Software | Notes |
|---|---|
| GNOME kiosk | Chromium-based display cycling through: Deezer, Home Assistant, DSB departures, laundry booking, Jellyfin music, Rullebiler.dk car booking, Rullemenu |
| kiosk-control | `kiosk.nyumbani.baobab.band` — web UI to switch kiosk tabs |
| button handler | USB button device input; test mode enabled |
### Photo Management (migrated from fisi)
| Service | Notes |
|---|---|
| PhotoPrism | `photo.nyumbani.baobab.band`; Intel Quick Sync GPU; MariaDB backend |
| MariaDB 11 | PhotoPrism database |
---
## papa — NAS
| Software | Notes |
|---|---|
| NFS server | Exports `/storage/baobab_media` to fisi; subdirectory structure for movies, TV, music, books, audiobooks, downloads |
| Samba | SMB share on `baobab_media`; guest/public access; no auth required |
| Borg (server) | Receives Borg backups from: fisi, tembo, kuku, faru, baobab.band, rullebiler.dk, laptops |
| rclone | Syncs pCloud accounts for 4 family members (EU datacenter); stores clones under `/storage/cloud-clones` |
| ClamAV | Targeted antivirus scan of `/storage/baobab_media/downloads`; alert email via Fastmail SMTP |
| Node Exporter | port 9100 |
| rsyslog | Forwards syslog to tembo |
| HAOS config | Deploys automations to twiga (Home Assistant) |
| Simba/AP/Switch backup | Pull backups of OPNsense `config.xml`, EAP610 `/etc`, Punda `system.cfg` via SSH/SCP into Borg |
---
## kuku — WireGuard VPN Gateway
| Software | Notes |
|---|---|
| WireGuard (server) | Native kernel WireGuard; port 51194/UDP; public hostname `kuku.baobab.band`; hub for laptops + VPS spokes |
| Node Exporter | `--collector.wireguard` enabled; requires `NET_ADMIN` cap |
| rsyslog | Forwards syslog to tembo |
**Peers:** paka, mamba, swala (managed laptops), sjat-phone, tais-work-laptop (non-managed), baobab.band, rullebiler.dk (VPS spokes), ash-linux, ash-phone, ash-windows.
---
## simba — Firewall
| Software | Notes |
|---|---|
| OPNsense | Firewall, router, DHCP, NAT; native os-node_exporter plugin |
---
## faru — Management Pi
| Software | Notes |
|---|---|
| Node Exporter | port 9100 |
| Borg client | Backs up to papa |
| rsyslog | Forwards syslog to tembo |
---
## twiga — Home Automation
| Software | Notes |
|---|---|
| Home Assistant OS | Automation platform; Ansible manages automation config (not the OS) |
---
## kobe — Backup Server
| Software | Notes |
|---|---|
| rsnapshot | Pull-mode backup server; pulls `/home/*` dirs and Docker volumes from mamba |
| ZFS | Backup pool on mirror; compression lz4 |
---
## VPS: baobab.band
| Software | Notes |
|---|---|
| Traefik | HTTPS entry point |
| Uptime Kuma | External uptime monitoring; public at `status.baobab.band` |
| Grafana Alloy | Docker log forwarding to Loki on tembo (via WireGuard) |
| Node Exporter | port 9100 (publicly exposed; scraped from tembo) |
| WireGuard (client) | Spoke to kuku; tunnel IP 10.8.0.10 |
---
## VPS: makerfloss
| Software | URL | Notes |
|---|---|---|
| Traefik | — | Gandi DNS-01 for `makerfloss.eu` |
| Forgejo | `forgejo.makerfloss.eu` | MakerFLOSS community Git forge; SSH on port 7577 |
| SnipeIT | `snipeit.makerfloss.eu` | MakerFLOSS asset management; MariaDB backend |
| Poste.io | `mail.makerfloss.eu` | Mail server for `makerfloss.eu` |
| Node Exporter | port 9100 (publicly exposed) | |
Note: No WireGuard tunnel yet — isolated from homelab network. No Borg backup currently.
---
## VPS: rullebiler.dk
| Software | URL | Notes |
|---|---|---|
| Traefik | — | Cloudflare DNS-01 for `rullebiler.dk` |
| Rullebiler.dk site | `rullebiler.dk` | Static website |
| MRBS | `booking.rullebiler.dk` | Room/resource booking; MariaDB backend; billing enabled |
| Poste.io | `mail.rullebiler.dk` | Mail server for `rullebiler.dk` |
| Uptime Kuma | `status.rullebiler.dk` | Uptime monitoring |
| Grafana Alloy | — | Docker log forwarding to Loki on tembo (via WireGuard) |
| Node Exporter | port 9100 | |
| WireGuard (client) | — | Spoke to kuku; tunnel IP 10.8.0.11 |
---
## Laptops (paka, mamba, swala, mbuzi)
All four run **Debian + XFCE**. Per-user multi-user configuration managed by Ansible.
### Common to all laptops
| Software | Notes |
|---|---|
| XFCE desktop | Ansible-managed config (xfconf, panel, autostart); dark theme (Adwaita-dark) |
| Node Exporter | port 9100 |
| WireGuard client | Automatic endpoint switching (LAN vs. remote) via VPN toggle script; mbuzi excluded |
| Borg backup client | Backs up `/home`, `/etc`, `/srv` to papa; excludes pCloud, caches, Downloads |
| Nextcloud desktop client | Per-user (kine on paka, ash on swala, sarah on mbuzi, sjat on mamba) |
| pCloud | AppImage; auto-started for all 4 family users |
| Thunderbird | Pre-seeded profiles for all family `baobab.band` accounts; CalDAV calendars via Fastmail |
| LibreOffice | Managed by Ansible role |
| VirtualBox | Installed for sjat and kine |
| PIA VPN | Private Internet Access GUI client; sjat install user |
| Claude Code | Latest version |
| Gemini CLI | Via npm |
| Neovim | Config managed via Ansible (lazy.nvim; LSP, treesitter, telescope, git plugins) |
| rsyslog | Forwards syslog to tembo |
| fcitx5 + Pinyin | paka only, for kine |
### Per-user Flatpaks
| App | Users |
|---|---|
| SpeedCrunch | all |
| Joplin Desktop | all |
| Signal | all |
| FreeCAD | all |
| VS Code | sjat only |
| Lunar Client (Minecraft) | mamba (sjat+ash), swala (ash) |
| Riot/Element | mamba |
---
## Cross-cutting: Infrastructure Patterns
### Observability
- **Metrics:** Prometheus on tembo scrapes all hosts via node_exporter, plus Traefik, Nextcloud, Loki, Grafana, Prometheus, Alloy self-metrics, and SNMP for APs/switch.
- **Logs:** rsyslog on all hosts → tembo; Docker logs forwarded via Grafana Alloy → Loki; EAP610 AP syslog → tembo rsyslog UDP relay → Alloy.
- **Dashboards:** Grafana on tembo. Grafana Alloy bot posts alerts to Matrix.
- **External uptime:** Uptime Kuma on baobab.band VPS (public) and rullebiler.dk VPS.
### Backup
- **Borg** (primary, push): all servers and laptops push to papa over SSH. Pre-dump: MariaDB databases (PhotoPrism, Nextcloud) dumped to `/var/backups/borg-prep` before Borg runs. Status reported via node_exporter textfile collector → Prometheus.
- **rsnapshot** (secondary, pull): kobe pulls `/home` dirs + Docker volumes from mamba.
- **Cloud sync:** pCloud (EU) for 4 family members via rclone on papa.
- **Network device configs:** papa pulls OPNsense `config.xml`, EAP610 `/etc`, Punda `system.cfg` into Borg.
### DNS
- Technitium on fisi is authoritative for `baobab.band` (LAN-internal split-horizon).
- Wildcard `*.nyumbani.baobab.band → 10.20.10.17` (fisi) with explicit overrides for tembo services.
- Public DNS (`*.baobab.band`) via Cloudflare; managed declaratively via Ansible Cloudflare role.
- `makerfloss.eu` via Gandi DNS, managed by Ansible Gandi role.
- `rullebiler.dk` via Cloudflare, managed by Ansible.
### IaC
- Ansible (AnsibleBaobabV4); all config in `host_vars/<host>.yml`.
- `baobab.container_base` role: Compose template generation + Traefik label wiring.
- Secrets in Ansible Vault (`group_vars/all/90-secrets.vault.yml`).
- Two inventory environments: `prod` and `lab`.
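Review bot: Node Exporter on port 9100 is marked "publicly exposed" on both baobab.band and makerfloss, with no authentication or source restriction documented. node_exporter has no auth of its own and, with the default collectors, reveals kernel version, mounted filesystems, network interfaces and process counts to anyone who can reach it. On baobab.band the WireGuard tunnel already exists (10.8.0.10) and tembo scrapes over it, so the listener can be bound to the tunnel address (`--web.listen-address=10.8.0.10:9100`) or the port firewalled to that source; on makerfloss there is no tunnel yet, so at minimum restrict 9100 to tembo's egress address in the host firewall until one is added. Same hunk, papa: the Samba row says `baobab_media` has "guest/public access; no auth required" and does not say read-only, while the same tree holds the qBittorrent `downloads` directory that ClamAV scans and that NFS exports to fisi; record whether the guest share is read-only and which VLANs (IoT, home automation) can reach it. Backup section: Borg is push-only from every host to papa and rsnapshot on kobe covers only mamba, so papa holds the sole copy for most hosts, and a compromised client can prune or delete its own repository with the same key it pushes with unless `borg serve` is restricted in papa's `authorized_keys` with `--append-only --restrict-to-repository <path>`. Worth recording whether that is in place, alongside the already-noted gap that makerfloss (Forgejo, SnipeIT, Poste.io) has no backup at all.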