HomelabDesignV5/current-software.md
sjat 7e74559d5b Add current hardware and software inventory reports
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-30 08:55:16 +02:00

Current Software — baobab.band Homelab

A snapshot of deployed software as of April 2026. Purpose: inform design decisions for V5 by documenting what has been proven in service.

All containerised services use Docker Compose. A shared Ansible role (baobab.container_base) handles Compose generation and Traefik wiring. Each app has its own role (baobab.container_<name>).


fisi — Main Application Server

Reverse Proxy & DNS

| Software | Notes |
|---|---|
| Traefik | HTTPS reverse proxy for all LAN services; DNS-01 via Cloudflare for *.baobab.band |
| Technitium DNS | Authoritative for baobab.band; wildcard *.nyumbani.baobab.band → 10.20.10.17; ad blocking |

Media

| Service | URL | Notes |
|---|---|---|
| Jellyfin | jellyfin.nyumbani.baobab.band | Video streaming; Intel Quick Sync (GPU passthrough) |
| Audiobookshelf | abs.nyumbani.baobab.band | Audiobooks and podcasts |
| Calibre Web | books.nyumbani.baobab.band | Ebook library |

Media Automation

| Service | URL | Notes |
|---|---|---|
| Sonarr | sonarr.nyumbani.baobab.band | TV series automation |
| Radarr | radarr.nyumbani.baobab.band | Movie automation |
| Lidarr | lidarr.nyumbani.baobab.band | Music automation |
| Prowlarr | prowlarr.nyumbani.baobab.band | Indexer manager |
| Lazylibrarian | lazylibrarian.nyumbani.baobab.band | Book and comic automation |
| qBittorrent | qbit.nyumbani.baobab.band | Torrent client; runs inside Gluetun VPN container (NL exit) |
| Gluetun | (internal) | VPN container wrapping qBittorrent; PIA, Netherlands |
| ytdl | ytdl.nyumbani.baobab.band | YouTube downloader; integrated with Jellyfin |
| FlareSolverr | port 8191 | Cloudflare bypass for indexers; no Traefik route |
| Recyclarr | (internal, no UI) | Sonarr/Radarr quality profile sync |

Files & Productivity

| Service | URL | Notes |
|---|---|---|
| Nextcloud | nextcloud.nyumbani.baobab.band / nextcloud.baobab.band | Files, calendar, contacts; MariaDB backend |
| Nextcloud Exporter | port 9205 | Metrics for Prometheus |
| Vaultwarden | vaultwarden.baobab.band | Bitwarden-compatible password manager |

Communication

| Service | URL | Notes |
|---|---|---|
| conduwuit | (Matrix server, no public web UI) | Matrix homeserver |
| Element Web | element.matrix.baobab.band | Matrix web client |
| ntfy | ntfy.baobab.band | Push notification broker |
| Poste.io | mail.baobab.band | SMTP/IMAP/webmail; DKIM managed post-deploy |

Development & Admin

| Service | URL | Notes |
|---|---|---|
| Forgejo | forgejo.nyumbani.baobab.band | Home Git forge; SSH on port 7577 |
| SnipeIT | snipeit.nyumbani.baobab.band | IT asset management; MariaDB backend |
| Homepage | homepage.nyumbani.baobab.band | Service dashboard |
| Laser course | laser.baobab.band | Static course website |
| Rullemenu | rullemenu.baobab.band | Menu display (shared facility context) |
| Minecraft | (port-forwarded) | Java+Bedrock via Geyser + Floodgate plugins |

Observability

| Software | Notes |
|---|---|
| Grafana Alloy | Docker log forwarding to Loki on tembo; also ships Technitium DNS logs as file source |
| Node Exporter | port 9100; system metrics scraped by Prometheus on tembo |
| rsyslog | Forwards syslog to tembo |

tembo — Monitoring Stack + Kiosk

Observability Stack

| Software | URL | Notes |
|---|---|---|
| Prometheus | prometheus.nyumbani.baobab.band (port 9090) | 15s scrape, 15-day retention; scrapes: node-exporter, traefik, nextcloud, backup-clients, snmp, loki, grafana, prometheus, alloy |
| Grafana | grafana.nyumbani.baobab.band | Dashboards; Matrix bot for alerts |
| Loki | port 3100 | Log aggregation for all hosts |
| Grafana Alloy | port 12345 | Syslog hub (UDP relay from EAP610 APs → Alloy TCP → Loki) |
| SNMP Exporter | port 9116 | WiFi APs (tai1/tai2) and Punda switch |
| Node Exporter | port 9100 | |

Kiosk

| Software | Notes |
|---|---|
| GNOME kiosk | Chromium-based display cycling through: Deezer, Home Assistant, DSB departures, laundry booking, Jellyfin music, Rullebiler.dk car booking, Rullemenu |
| kiosk-control | kiosk.nyumbani.baobab.band — web UI to switch kiosk tabs |
| button handler | USB button device input; test mode enabled |

Photo Management (migrated from fisi)

| Service | Notes |
|---|---|
| PhotoPrism | photo.nyumbani.baobab.band; Intel Quick Sync GPU; MariaDB backend |
| MariaDB 11 | PhotoPrism database |

papa — NAS

| Software | Notes |
|---|---|
| NFS server | Exports /storage/baobab_media to fisi; subdirectory structure for movies, TV, music, books, audiobooks, downloads |
| Samba | SMB share on baobab_media; guest/public access; no auth required |
| Borg (server) | Receives Borg backups from: fisi, tembo, kuku, faru, baobab.band, rullebiler.dk, laptops |
| rclone | Syncs pCloud accounts for 4 family members (EU datacenter); stores clones under /storage/cloud-clones |
| ClamAV | Targeted antivirus scan of /storage/baobab_media/downloads; alert email via Fastmail SMTP |
| Node Exporter | port 9100 |
| rsyslog | Forwards syslog to tembo |
| HAOS config | Deploys automations to twiga (Home Assistant) |
| Simba/AP/Switch backup | Pull backups of OPNsense config.xml, EAP610 /etc, Punda system.cfg via SSH/SCP into Borg |

kuku — WireGuard VPN Gateway

| Software | Notes |
|---|---|
| WireGuard (server) | Native kernel WireGuard; port 51194/UDP; public hostname kuku.baobab.band; hub for laptops + VPS spokes |
| Node Exporter | --collector.wireguard enabled; requires NET_ADMIN cap |
| rsyslog | Forwards syslog to tembo |

Peers: paka, mamba, swala (managed laptops), sjat-phone, tais-work-laptop (non-managed), baobab.band, rullebiler.dk (VPS spokes), ash-linux, ash-phone, ash-windows.


simba — Firewall

| Software | Notes |
|---|---|
| OPNsense | Firewall, router, DHCP, NAT; native os-node_exporter plugin |

faru — Management Pi

| Software | Notes |
|---|---|
| Node Exporter | port 9100 |
| Borg client | Backs up to papa |
| rsyslog | Forwards syslog to tembo |

twiga — Home Automation

| Software | Notes |
|---|---|
| Home Assistant OS | Automation platform; Ansible manages automation config (not the OS) |

kobe — Backup Server

| Software | Notes |
|---|---|
| rsnapshot | Pull-mode backup server; pulls /home/* dirs and Docker volumes from mamba |
| ZFS | Backup pool on mirror; compression lz4 |

VPS: baobab.band

| Software | Notes |
|---|---|
| Traefik | HTTPS entry point |
| Uptime Kuma | External uptime monitoring; public at status.baobab.band |
| Grafana Alloy | Docker log forwarding to Loki on tembo (via WireGuard) |
| Node Exporter | port 9100 (publicly exposed; scraped from tembo) |
| WireGuard (client) | Spoke to kuku; tunnel IP 10.8.0.10 |

VPS: makerfloss

| Software | URL | Notes |
|---|---|---|
| Traefik | | Gandi DNS-01 for makerfloss.eu |
| Forgejo | forgejo.makerfloss.eu | MakerFLOSS community Git forge; SSH on port 7577 |
| SnipeIT | snipeit.makerfloss.eu | MakerFLOSS asset management; MariaDB backend |
| Poste.io | mail.makerfloss.eu | Mail server for makerfloss.eu |
| Node Exporter | | port 9100 (publicly exposed) |

Note: No WireGuard tunnel yet — isolated from homelab network. No Borg backup currently.


VPS: rullebiler.dk

| Software | URL | Notes |
|---|---|---|
| Traefik | | Cloudflare DNS-01 for rullebiler.dk |
| Rullebiler.dk site | rullebiler.dk | Static website |
| MRBS | booking.rullebiler.dk | Room/resource booking; MariaDB backend; billing enabled |
| Poste.io | mail.rullebiler.dk | Mail server for rullebiler.dk |
| Uptime Kuma | status.rullebiler.dk | Uptime monitoring |
| Grafana Alloy | | Docker log forwarding to Loki on tembo (via WireGuard) |
| Node Exporter | | port 9100 |
| WireGuard (client) | | Spoke to kuku; tunnel IP 10.8.0.11 |

Laptops (paka, mamba, swala, mbuzi)

All four run Debian + XFCE. Per-user multi-user configuration managed by Ansible.

Common to all laptops

| Software | Notes |
|---|---|
| XFCE desktop | Ansible-managed config (xfconf, panel, autostart); dark theme (Adwaita-dark) |
| Node Exporter | port 9100 |
| WireGuard client | Automatic endpoint switching (LAN vs. remote) via VPN toggle script; mbuzi excluded |
| Borg backup client | Backs up /home, /etc, /srv to papa; excludes pCloud, caches, Downloads |
| Nextcloud desktop client | Per-user (kine on paka, ash on swala, sarah on mbuzi, sjat on mamba) |
| pCloud | AppImage; auto-started for all 4 family users |
| Thunderbird | Pre-seeded profiles for all family baobab.band accounts; CalDAV calendars via Fastmail |
| LibreOffice | Managed by Ansible role |
| VirtualBox | Installed for sjat and kine |
| PIA VPN | Private Internet Access GUI client; sjat install user |
| Claude Code | Latest version |
| Gemini CLI | Via npm |
| Neovim | Config managed via Ansible (lazy.nvim; LSP, treesitter, telescope, git plugins) |
| rsyslog | Forwards syslog to tembo |
| fcitx5 + Pinyin | paka only, for kine |

Per-user Flatpaks

| App | Users |
|---|---|
| SpeedCrunch | all |
| Joplin Desktop | all |
| Signal | all |
| FreeCAD | all |
| VS Code | sjat only |
| Lunar Client (Minecraft) | mamba (sjat+ash), swala (ash) |
| Riot/Element | mamba |

Cross-cutting: Infrastructure Patterns

Observability

  • Metrics: Prometheus on tembo scrapes all hosts via node_exporter, plus Traefik, Nextcloud, Loki, Grafana, Prometheus, Alloy self-metrics, and SNMP for APs/switch.
  • Logs: rsyslog on all hosts → tembo; Docker logs forwarded via Grafana Alloy → Loki; EAP610 AP syslog → tembo rsyslog UDP relay → Alloy.
  • Dashboards: Grafana on tembo. Grafana Alloy bot posts alerts to Matrix.
  • External uptime: Uptime Kuma on baobab.band VPS (public) and rullebiler.dk VPS.

Backup

  • Borg (primary, push): all servers and laptops push to papa over SSH. Pre-dump: MariaDB databases (PhotoPrism, Nextcloud) dumped to /var/backups/borg-prep before Borg runs. Status reported via node_exporter textfile collector → Prometheus.
  • rsnapshot (secondary, pull): kobe pulls /home dirs + Docker volumes from mamba.
  • Cloud sync: pCloud (EU) for 4 family members via rclone on papa.
  • Network device configs: papa pulls OPNsense config.xml, EAP610 /etc, Punda system.cfg into Borg.

DNS

  • Technitium on fisi is authoritative for baobab.band (LAN-internal split-horizon).
  • Wildcard *.nyumbani.baobab.band → 10.20.10.17 (fisi) with explicit overrides for tembo services.
  • Public DNS (*.baobab.band) via Cloudflare; managed declaratively via Ansible Cloudflare role.
  • makerfloss.eu via Gandi DNS, managed by Ansible Gandi role.
  • rullebiler.dk via Cloudflare, managed by Ansible.

IaC

  • Ansible (AnsibleBaobabV4); all config in host_vars/<host>.yml.
  • baobab.container_base role: Compose template generation + Traefik label wiring.
  • Secrets in Ansible Vault (group_vars/all/90-secrets.vault.yml).
  • Two inventory environments: prod and lab.