# Current Software — baobab.band Homelab

A snapshot of deployed software as of April 2026. Purpose: inform design decisions for V5 by documenting what has been proven in service.

All containerised services use Docker Compose. A shared Ansible role (`baobab.container_base`) handles Compose generation and Traefik wiring. Each app has its own role (`baobab.container_`).

---

## fisi — Main Application Server

### Reverse Proxy & DNS

| Software | Notes |
|---|---|
| Traefik | HTTPS reverse proxy for all LAN services; DNS-01 via Cloudflare for `*.baobab.band` |
| Technitium DNS | Authoritative for `baobab.band`; wildcard `*.nyumbani.baobab.band → 10.20.10.17`; ad blocking |

### Media

| Service | URL | Notes |
|---|---|---|
| Jellyfin | `jellyfin.nyumbani.baobab.band` | Video streaming; Intel Quick Sync (GPU passthrough) |
| Audiobookshelf | `abs.nyumbani.baobab.band` | Audiobooks and podcasts |
| Calibre Web | `books.nyumbani.baobab.band` | Ebook library |

### Media Automation

| Service | URL | Notes |
|---|---|---|
| Sonarr | `sonarr.nyumbani.baobab.band` | TV series automation |
| Radarr | `radarr.nyumbani.baobab.band` | Movie automation |
| Lidarr | `lidarr.nyumbani.baobab.band` | Music automation |
| Prowlarr | `prowlarr.nyumbani.baobab.band` | Indexer manager |
| Lazylibrarian | `lazylibrarian.nyumbani.baobab.band` | Book and comic automation |
| qBittorrent | `qbit.nyumbani.baobab.band` | Torrent client; runs inside Gluetun VPN container (NL exit) |
| Gluetun | (internal) | VPN container wrapping qBittorrent; PIA, Netherlands |
| ytdl | `ytdl.nyumbani.baobab.band` | YouTube downloader; integrated with Jellyfin |
| FlareSolverr | port 8191 | Cloudflare bypass for indexers; no Traefik route |
| Recyclarr | (internal, no UI) | Sonarr/Radarr quality profile sync |

### Files & Productivity

| Service | URL | Notes |
|---|---|---|
| Nextcloud | `nextcloud.nyumbani.baobab.band` / `nextcloud.baobab.band` | Files, calendar, contacts; MariaDB backend |
| Nextcloud Exporter | port 9205 | Metrics for Prometheus |
| Vaultwarden | `vaultwarden.baobab.band` | Bitwarden-compatible password manager |

### Communication

| Service | URL | Notes |
|---|---|---|
| conduwuit | (Matrix server, no public web UI) | Matrix homeserver |
| Element Web | `element.matrix.baobab.band` | Matrix web client |
| ntfy | `ntfy.baobab.band` | Push notification broker |
| Poste.io | `mail.baobab.band` | SMTP/IMAP/webmail; DKIM managed post-deploy |

### Development & Admin

| Service | URL | Notes |
|---|---|---|
| Forgejo | `forgejo.nyumbani.baobab.band` | Home Git forge; SSH on port 7577 |
| SnipeIT | `snipeit.nyumbani.baobab.band` | IT asset management; MariaDB backend |
| Homepage | `homepage.nyumbani.baobab.band` | Service dashboard |
| Laser course | `laser.baobab.band` | Static course website |
| Rullemenu | `rullemenu.baobab.band` | Menu display (shared facility context) |
| Minecraft | (port-forwarded) | Java+Bedrock via Geyser + Floodgate plugins |

### Observability

| Software | Notes |
|---|---|
| Grafana Alloy | Docker log forwarding to Loki on tembo; also ships Technitium DNS logs as file source |
| Node Exporter | port 9100; system metrics scraped by Prometheus on tembo |
| rsyslog | Forwards syslog to tembo |

---

## tembo — Monitoring Stack + Kiosk

### Observability Stack

| Software | URL | Notes |
|---|---|---|
| Prometheus | `prometheus.nyumbani.baobab.band` (port 9090) | 15s scrape, 15-day retention; scrapes: node-exporter, traefik, nextcloud, backup-clients, snmp, loki, grafana, prometheus, alloy |
| Grafana | `grafana.nyumbani.baobab.band` | Dashboards; Matrix bot for alerts |
| Loki | port 3100 | Log aggregation for all hosts |
| Grafana Alloy | port 12345 | Syslog hub (UDP relay from EAP610 APs → Alloy TCP → Loki) |
| SNMP Exporter | port 9116 | WiFi APs (tai1/tai2) and Punda switch |
| Node Exporter | port 9100 | |

### Kiosk

| Software | Notes |
|---|---|
| GNOME kiosk | Chromium-based display cycling through: Deezer, Home Assistant, DSB departures, laundry booking, Jellyfin music, Rullebiler.dk car booking, Rullemenu |
| kiosk-control | `kiosk.nyumbani.baobab.band` — web UI to switch kiosk tabs |
| button handler | USB button device input; test mode enabled |

### Photo Management (migrated from fisi)

| Service | Notes |
|---|---|
| PhotoPrism | `photo.nyumbani.baobab.band`; Intel Quick Sync GPU; MariaDB backend |
| MariaDB 11 | PhotoPrism database |

---

## papa — NAS

| Software | Notes |
|---|---|
| NFS server | Exports `/storage/baobab_media` to fisi; subdirectory structure for movies, TV, music, books, audiobooks, downloads |
| Samba | SMB share on `baobab_media`; guest/public access; no auth required |
| Borg (server) | Receives Borg backups from: fisi, tembo, kuku, faru, baobab.band, rullebiler.dk, laptops |
| rclone | Syncs pCloud accounts for 4 family members (EU datacenter); stores clones under `/storage/cloud-clones` |
| ClamAV | Targeted antivirus scan of `/storage/baobab_media/downloads`; alert email via Fastmail SMTP |
| Node Exporter | port 9100 |
| rsyslog | Forwards syslog to tembo |
| HAOS config | Deploys automations to twiga (Home Assistant) |
| Simba/AP/Switch backup | Pull backups of OPNsense `config.xml`, EAP610 `/etc`, Punda `system.cfg` via SSH/SCP into Borg |

---

## kuku — WireGuard VPN Gateway

| Software | Notes |
|---|---|
| WireGuard (server) | Native kernel WireGuard; port 51194/UDP; public hostname `kuku.baobab.band`; hub for laptops + VPS spokes |
| Node Exporter | `--collector.wireguard` enabled; requires `NET_ADMIN` cap |
| rsyslog | Forwards syslog to tembo |

**Peers:** paka, mamba, swala (managed laptops), sjat-phone, tais-work-laptop (non-managed), baobab.band, rullebiler.dk (VPS spokes), ash-linux, ash-phone, ash-windows.
---

## simba — Firewall

| Software | Notes |
|---|---|
| OPNsense | Firewall, router, DHCP, NAT; native os-node_exporter plugin |

---

## faru — Management Pi

| Software | Notes |
|---|---|
| Node Exporter | port 9100 |
| Borg client | Backs up to papa |
| rsyslog | Forwards syslog to tembo |

---

## twiga — Home Automation

| Software | Notes |
|---|---|
| Home Assistant OS | Automation platform; Ansible manages automation config (not the OS) |

---

## kobe — Backup Server

| Software | Notes |
|---|---|
| rsnapshot | Pull-mode backup server; pulls `/home/*` dirs and Docker volumes from mamba |
| ZFS | Backup pool on mirror; compression lz4 |

---

## VPS: baobab.band

| Software | Notes |
|---|---|
| Traefik | HTTPS entry point |
| Uptime Kuma | External uptime monitoring; public at `status.baobab.band` |
| Grafana Alloy | Docker log forwarding to Loki on tembo (via WireGuard) |
| Node Exporter | port 9100 (publicly exposed; scraped from tembo) |
| WireGuard (client) | Spoke to kuku; tunnel IP 10.8.0.10 |

---

## VPS: makerfloss

| Software | URL | Notes |
|---|---|---|
| Traefik | — | Gandi DNS-01 for `makerfloss.eu` |
| Forgejo | `forgejo.makerfloss.eu` | MakerFLOSS community Git forge; SSH on port 7577 |
| SnipeIT | `snipeit.makerfloss.eu` | MakerFLOSS asset management; MariaDB backend |
| Poste.io | `mail.makerfloss.eu` | Mail server for `makerfloss.eu` |
| Node Exporter | port 9100 (publicly exposed) | |

Note: No WireGuard tunnel yet — isolated from homelab network. No Borg backup currently.
---

## VPS: rullebiler.dk

| Software | URL | Notes |
|---|---|---|
| Traefik | — | Cloudflare DNS-01 for `rullebiler.dk` |
| Rullebiler.dk site | `rullebiler.dk` | Static website |
| MRBS | `booking.rullebiler.dk` | Room/resource booking; MariaDB backend; billing enabled |
| Poste.io | `mail.rullebiler.dk` | Mail server for `rullebiler.dk` |
| Uptime Kuma | `status.rullebiler.dk` | Uptime monitoring |
| Grafana Alloy | — | Docker log forwarding to Loki on tembo (via WireGuard) |
| Node Exporter | port 9100 | |
| WireGuard (client) | — | Spoke to kuku; tunnel IP 10.8.0.11 |

---

## Laptops (paka, mamba, swala, mbuzi)

All four run **Debian + XFCE**. Per-user multi-user configuration managed by Ansible.

### Common to all laptops

| Software | Notes |
|---|---|
| XFCE desktop | Ansible-managed config (xfconf, panel, autostart); dark theme (Adwaita-dark) |
| Node Exporter | port 9100 |
| WireGuard client | Automatic endpoint switching (LAN vs. remote) via VPN toggle script; mbuzi excluded |
| Borg backup client | Backs up `/home`, `/etc`, `/srv` to papa; excludes pCloud, caches, Downloads |
| Nextcloud desktop client | Per-user (kine on paka, ash on swala, sarah on mbuzi, sjat on mamba) |
| pCloud | AppImage; auto-started for all 4 family users |
| Thunderbird | Pre-seeded profiles for all family `baobab.band` accounts; CalDAV calendars via Fastmail |
| LibreOffice | Managed by Ansible role |
| VirtualBox | Installed for sjat and kine |
| PIA VPN | Private Internet Access GUI client; sjat install user |
| Claude Code | Latest version |
| Gemini CLI | Via npm |
| Neovim | Config managed via Ansible (lazy.nvim; LSP, treesitter, telescope, git plugins) |
| rsyslog | Forwards syslog to tembo |
| fcitx5 + Pinyin | paka only, for kine |

### Per-user Flatpaks

| App | Users |
|---|---|
| SpeedCrunch | all |
| Joplin Desktop | all |
| Signal | all |
| FreeCAD | all |
| VS Code | sjat only |
| Lunar Client (Minecraft) | mamba (sjat+ash), swala (ash) |
| Riot/Element | mamba |

---
## Cross-cutting: Infrastructure Patterns

### Observability

- **Metrics:** Prometheus on tembo scrapes all hosts via node_exporter, plus Traefik, Nextcloud, Loki, Grafana, Prometheus, Alloy self-metrics, and SNMP for APs/switch.
- **Logs:** rsyslog on all hosts → tembo; Docker logs forwarded via Grafana Alloy → Loki; EAP610 AP syslog → tembo rsyslog UDP relay → Alloy.
- **Dashboards:** Grafana on tembo. Grafana Alloy bot posts alerts to Matrix.
- **External uptime:** Uptime Kuma on baobab.band VPS (public) and rullebiler.dk VPS.

### Backup

- **Borg** (primary, push): all servers and laptops push to papa over SSH. Pre-dump: MariaDB databases (PhotoPrism, Nextcloud) dumped to `/var/backups/borg-prep` before Borg runs. Status reported via node_exporter textfile collector → Prometheus.
- **rsnapshot** (secondary, pull): kobe pulls `/home` dirs + Docker volumes from mamba.
- **Cloud sync:** pCloud (EU) for 4 family members via rclone on papa.
- **Network device configs:** papa pulls OPNsense `config.xml`, EAP610 `/etc`, Punda `system.cfg` into Borg.

### DNS

- Technitium on fisi is authoritative for `baobab.band` (LAN-internal split-horizon).
- Wildcard `*.nyumbani.baobab.band → 10.20.10.17` (fisi) with explicit overrides for tembo services.
- Public DNS (`*.baobab.band`) via Cloudflare; managed declaratively via Ansible Cloudflare role.
- `makerfloss.eu` via Gandi DNS, managed by Ansible Gandi role.
- `rullebiler.dk` via Cloudflare, managed by Ansible.

### IaC

- Ansible (AnsibleBaobabV4); all config in `host_vars/.yml`.
- `baobab.container_base` role: Compose template generation + Traefik label wiring.
- Secrets in Ansible Vault (`group_vars/all/90-secrets.vault.yml`).
- Two inventory environments: `prod` and `lab`.