From 893e7dba7ccaca83e0f7119c50d63cc4853e6dd5 Mon Sep 17 00:00:00 2001 
From: gaia Date: Thu, 9 Apr 2026 01:06:05 -0300 Subject: [PATCH] feat: inicial IaC - estrutura base + Docker Compose + Ansible MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Estrutura Terraform para ER605/Omada - Ansible inventory e role base para Dockerino - Docker Compose files para todos os serviços do Dockerino - Docker Compose para Media stack (Jellyfin, Sonarr, Radarr, etc) - Documentação ARCHITECTURE.md e NEXT_STEPS.md (via Héstia) --- README.md | 133 +++- ansible/inventory.yml | 27 + ansible/playbooks/setup-dockerino.yml | 9 + ansible/roles/dockerino/tasks/main.yml | 61 ++ docker/dockerino/adguard/docker-compose.yml | 16 + docker/dockerino/bookstack/docker-compose.yml | 47 ++ docker/dockerino/flatnotes/docker-compose.yml | 23 + docker/dockerino/homebox/docker-compose.yml | 19 + docker/dockerino/homer/config.yml | 112 ++++ docker/dockerino/homer/docker-compose.yml | 19 + docker/dockerino/nginx/.env.example | 7 + docker/dockerino/nginx/docker-compose.yml | 39 ++ .../omada-controller/docker-compose.yml | 16 + docker/dockerino/outline/docker-compose.yml | 95 +++ docker/dockerino/picsur/docker-compose.yml | 18 + docker/dockerino/speedtest/docker-compose.yml | 23 + docker/dockerino/twingate/docker-compose.yml | 16 + docker/media/docker-compose.yml | 116 ++++ docs/ARCHITECTURE.md | 570 ++++++++++++++++++ docs/NEXT_STEPS.md | 64 ++ terraform/er605/main.tf | 118 ++++ terraform/er605/outputs.tf | 36 ++ terraform/er605/variables.tf | 62 ++ 23 files changed, 1644 insertions(+), 2 deletions(-) create mode 100644 ansible/inventory.yml create mode 100644 ansible/playbooks/setup-dockerino.yml create mode 100644 ansible/roles/dockerino/tasks/main.yml create mode 100644 docker/dockerino/adguard/docker-compose.yml create mode 100644 docker/dockerino/bookstack/docker-compose.yml create mode 100644 docker/dockerino/flatnotes/docker-compose.yml create mode 100644 docker/dockerino/homebox/docker-compose.yml create mode 100644 
docker/dockerino/homer/config.yml create mode 100644 docker/dockerino/homer/docker-compose.yml create mode 100644 docker/dockerino/nginx/.env.example create mode 100644 docker/dockerino/nginx/docker-compose.yml create mode 100644 docker/dockerino/omada-controller/docker-compose.yml create mode 100644 docker/dockerino/outline/docker-compose.yml create mode 100644 docker/dockerino/picsur/docker-compose.yml create mode 100644 docker/dockerino/speedtest/docker-compose.yml create mode 100644 docker/dockerino/twingate/docker-compose.yml create mode 100644 docker/media/docker-compose.yml create mode 100644 docs/ARCHITECTURE.md create mode 100644 docs/NEXT_STEPS.md create mode 100644 terraform/er605/main.tf create mode 100644 terraform/er605/outputs.tf create mode 100644 terraform/er605/variables.tf diff --git a/README.md b/README.md index 4e14d82..6cec430 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,132 @@ -# homelab +# Homelab — Infraestrutura como Código -Infraestrutura como Código do Homelab - Terraform, Ansible, Docker Compose \ No newline at end of file +> Guardiã: **Gaia** (Agente Hermes) +> Mantido por: João Paulo Ferreira (jp@iamferreirajp.com) +> Repositório Base: [gaia/homelab](https://gitea.hackerfortress.cc/gaia/homelab) + +## Visão Geral + +Este repositório contém toda a infraestrutura do homelab em formato de **Infraestrutura como Código (IaC)**. O objetivo é ter todo o ambiente versionado, documentado e reproduzível. + +### Hardware do Homelab + +| Máquina | IP | Função Principal | +|---------|-----|------------------| +| TrueNAS | 10.0.0.30 | NAS, n8n, Uptime Kuma | +| Proxmox | 10.0.0.20 | Hypervisor (VMs) | +| Dockerino | 10.0.0.50 | Docker Host (NPM, AdGuard, etc) | +| Media | 10.0.0.36 | Jellyfin, Sonarr, Radarr, etc | +| Home Assistant | 10.0.0.100 | Automação residencial | +| ER605 (Omada) | 10.0.0.1 | Router/Gateway | + +### Topologia de Rede + +- **VLAN1 (Infra):** 10.0.0.0/24 — Servidores +- **VLAN10 (Geral):** 10.0.10.0/24 — Computadores, celulares +- **VLAN20 (IOT):** 10.0.20.0/24 — Dispositivos IoT +- **VLAN30 (Guests):** 10.0.30.0/24 — Visitantes + +## Estrutura do Repositório + +``` +homelab/ +├── terraform/ # Terraform para recursos de nuvem/rede +│ ├── er605/ # Router TP-Link ER605 (Omada Controller) +│ ├── truenas/ # TrueNAS +│ ├── proxmox/ # Proxmox +│ └── adguard/ # AdGuard Home +├── ansible/ # Ansible para configuração de VMs +│ ├── roles/ # Roles reutilizáveis +│ └── playbooks/ # Playbooks principais +├── docker/ # Docker Compose files +│ ├── dockerino/ # Stack do Dockerino (10.0.0.50) +│ │ ├── nginx/ # Nginx Proxy Manager +│ │ ├── adguard/ # AdGuard Home +│ │ ├── outline/ # Outline Wiki +│ │ ├── bookstack/ # BookStack +│ │ └── ... 
+│ └── media/ # Stack de mídia (10.0.0.36) +│ └── docker-compose.yml +└── docs/ # Documentação adicional + ├── ARCHITECTURE.md # Arquitetura detalhada + └── NEXT_STEPS.md # Próximos passos +``` + +## Quick Start + +### Clonar o Repositório + +```bash +git clone https://gitea.hackerfortress.cc/gaia/homelab.git +cd homelab +``` + +### Aplicar Terraform + +```bash +cd terraform/er605 +terraform init +terraform plan +terraform apply +``` + +### Aplicar Ansible + +```bash +cd ansible +ansible-playbook playbooks/setup-dockerino.yml +``` + +### Subir Docker Stacks + +```bash +cd docker/dockerino/nginx +docker compose up -d +``` + +## Serviços + +### Dockerino (10.0.0.50) + +| Serviço | Porta | Domínio | +|---------|-------|---------| +| Nginx Proxy Manager | 80, 443 | proxy.hackerfortress.cc | +| AdGuard Home | 3000 | adguard.hackerfortress.cc | +| Outline Wiki | 3001 | outline.hackerfortress.cc | +| BookStack | 8082 | bookstack.hackerfortress.cc | +| Homer | 8090 | (internal) | +| HomeBox | 3100 | homebox.hackerfortress.cc | +| FlatNotes | 8089 | flatnotes.hackerfortress.cc | +| Picsur | 8091 | picsur.hackerfortress.cc | +| Speedtest | 8765 | speedtest.hackerfortress.cc | +| Omada Controller | 8043 | omada.hackerfortress.cc | +| Twingate | - | VPN | + +### Media (10.0.0.36) + +| Serviço | Porta | Domínio | +|---------|-------|---------| +| Jellyfin | 8096 | jellyfin.hackerfortress.cc | +| Sonarr | 8989 | sonarr.hackerfortress.cc | +| Radarr | 7878 | radarr.hackerfortress.cc | +| Prowlarr | 9696 | prowlarr.hackerfortress.cc | +| Bazarr | 6767 | bazarr.hackerfortress.cc | +| qBittorrent | 5080 | qbittorrent.hackerfortress.cc | + +### TrueNAS (10.0.0.30) + +| Serviço | Porta | +|---------|-------| +| SSH | 22 | +| WebUI | 443 | +| n8n | 30109 | +| Uptime Kuma | 31050 | + +## Mantenedores + +- **Gaia** — Guardiã da IaC (este repositório) +- **Héstia** — Documentação e arquitetura original + +## Licença + +MIT 
diff --git a/ansible/inventory.yml b/ansible/inventory.yml
new file mode 100644
index 0000000..a8a6402
--- /dev/null
+++ b/ansible/inventory.yml
@@ -0,0 +1,27 @@
+# Ansible Inventory for Homelab
+
+all:
+ children:
+ homelab:
+ children:
+ infrastructure:
+ hosts:
+ truenas:
+ ansible_host: 10.0.0.30
+ ansible_user: root
+ proxmox:
+ ansible_host: 10.0.0.20
+ ansible_user: root
+ dockerino:
+ ansible_host: 10.0.0.50
+ ansible_user: root
+ media:
+ ansible_host: 10.0.0.36
+ ansible_user: root
+ homeassistant:
+ ansible_host: 10.0.0.100
+ ansible_user: root
+
+ vars:
+ ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
+ ansible_python_interpreter: /usr/bin/python3
diff --git a/ansible/playbooks/setup-dockerino.yml b/ansible/playbooks/setup-dockerino.yml
new file mode 100644
index 0000000..e685631
--- /dev/null
+++ b/ansible/playbooks/setup-dockerino.yml
@@ -0,0 +1,9 @@
+---
+# Playbook para setup do Dockerino
+- name: Setup Dockerino
+ hosts: dockerino
+ become: yes
+ roles:
+ - dockerino
+ vars:
+ dockerino_ip: 10.0.0.50
diff --git a/ansible/roles/dockerino/tasks/main.yml b/ansible/roles/dockerino/tasks/main.yml
new file mode 100644
index 0000000..1a942ee
--- /dev/null
+++ b/ansible/roles/dockerino/tasks/main.yml
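Review bot: `ansible_ssh_common_args: '-o StrictHostKeyChecking=no'` in the shared `vars` block disables SSH host-key verification for every host in the inventory, so any machine answering on one of these fixed 10.0.0.x addresses is accepted and receives root-level commands and credentials. Since the addresses are static, pin the keys instead (a committed `known_hosts` file or the `ansible.builtin.known_hosts` module) and drop the option; if it is only wanted for first contact, pass it for that run with `-e` rather than baking it into the inventory. `ansible_user: root` on all five hosts together with `become: yes` in the playbook is also redundant and widens the blast radius of a leaked key; a dedicated user with sudo would serve the same role.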
@@ -0,0 +1,61 @@ +--- +# Ansible role for Dockerino setup + +- name: Ensure Docker is installed + apt: + name: + - docker.io + - docker-compose + state: present + update_cache: yes + +- name: Ensure Docker service is running + systemd: + name: docker + state: started + enabled: yes + +- name: Create Docker network + community.docker.docker_network: + name: homelab-network + driver: bridge + driver_options: + com.docker.network.bridge.name: br-homelab + ipam_options: + - subnet: 172.20.0.0/16 + +- name: Create Dockerino directories + file: + path: "{{ item }}" + state: directory + mode: '0755' + loop: + - /root/dockerino + - /root/dockerino/nginx + - /root/dockerino/nginx/data + - /root/dockerino/nginx/letsencrypt + - /root/dockerino/nginx/mysql + - /root/dockerino/adguard + - /root/dockerino/adguard/work + - /root/dockerino/adguard/conf + - /root/dockerino/outline + - /root/dockerino/outline/postgres-data + - /root/dockerino/outline/redis-data + - /root/dockerino/outline/minio-data + - /root/dockerino/bookstack + - /root/dockerino/bookstack/mysql-data + - /root/dockerino/flatnotes + - /root/dockerino/flatnotes/data + - /root/dockerino/flatnotes/notes + - /root/dockerino/homer + - /root/dockerino/homer/assets + - /root/dockerino/homebox + - /root/dockerino/homebox/data + - /root/dockerino/omada-controller + - /root/dockerino/omada-controller/data + - /root/dockerino/omada-controller/logs + - /root/dockerino/picsur + - /root/dockerino/picsur/data + - /root/dockerino/speedtest + - /root/dockerino/speedtest/data + - /root/dockerino/twingate diff --git a/docker/dockerino/adguard/docker-compose.yml b/docker/dockerino/adguard/docker-compose.yml new file mode 100644 index 0000000..dc16e68 --- /dev/null +++ b/docker/dockerino/adguard/docker-compose.yml 
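Review bot: In the `Create Docker network` task the subnet is placed under `ipam_options`, but for `community.docker.docker_network` the subnet list belongs under `ipam_config` (`ipam_config:` / `- subnet: 172.20.0.0/16`); as far as I recall `ipam_options` was removed from the module, so this task will likely fail or create the network without the intended subnet — verify against the installed collection version. The task also depends on the `community.docker` collection and the Python docker SDK being present on the target, and nothing in the role installs them; a `requirements.yml` plus a `pip`/`apt` task would make the playbook self-contained. The `apt` task installs the legacy `docker-compose` v1 package while the README documents `docker compose` (the v2 plugin, packaged as `docker-compose-v2` or `docker-compose-plugin` depending on the distro), so pick one so the documented commands work. Consider also a short header comment stating that the directory list mirrors the bind-mount paths used by the compose files under `docker/dockerino/`, since the two must be kept in sync by hand.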
@@ -0,0 +1,16 @@ +version: '3.8' + +services: + adguardhome: + image: adguard/adguardhome:latest + container_name: adguardhome + restart: unless-stopped + network_mode: host + volumes: + - ./work:/opt/adguardhome/work + - ./conf:/opt/adguardhome/conf + environment: + - TZ=America/Sao_Paulo + +# NOTA: AdGuard usa network_mode=host para绑定的 porta 53 e 3000 +# Não funciona em networks convenientes diff --git a/docker/dockerino/bookstack/docker-compose.yml b/docker/dockerino/bookstack/docker-compose.yml new file mode 100644 index 0000000..86ba535 --- /dev/null +++ b/docker/dockerino/bookstack/docker-compose.yml @@ -0,0 +1,47 @@ +version: '3.8' + +services: + bookstack-mysql: + image: mysql:8.3 + container_name: bookstack-mysql + restart: unless-stopped + environment: + MYSQL_ROOT_PASSWORD: ${BOOKSTACK_DB_ROOT:-rootpassword} + MYSQL_DATABASE: bookstack + MYSQL_USER: bookstack + MYSQL_PASSWORD: ${BOOKSTACK_DB_PASSWORD:-bookstack123} + volumes: + - ./mysql-data:/var/lib/mysql + healthcheck: + test: ["CMD-SHELL", "mysqladmin ping -h localhost"] + interval: 10s + timeout: 5s + retries: 5 + + bookstack: + image: solidnerd/bookstack:latest + container_name: bookstack + restart: unless-stopped + ports: + - "8082:8080" + depends_on: + bookstack-mysql: + condition: service_healthy + environment: + DB_HOST: bookstack-mysql + DB_DATABASE: bookstack + DB_USERNAME: bookstack + DB_PASSWORD: ${BOOKSTACK_DB_PASSWORD:-bookstack123} + APP_KEY: ${BOOKSTACK_APP_KEY:-base64:CHANGE_ME} + APP_URL: https://bookstack.hackerfortress.cc + TZ: America/Sao_Paulo + healthcheck: + test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:8080 || exit 1"] + interval: 30s + timeout: 10s + retries: 3 + +networks: + default: + name: homelab-network + external: true diff --git a/docker/dockerino/flatnotes/docker-compose.yml b/docker/dockerino/flatnotes/docker-compose.yml new file mode 100644 index 0000000..d0a2f7b --- /dev/null +++ b/docker/dockerino/flatnotes/docker-compose.yml 
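Review bot: The trailing comment `# NOTA: AdGuard usa network_mode=host para绑定的 porta 53 e 3000` contains stray non-Latin characters where a word should be, and the second line `# Não funciona em networks convenientes` does not say what was meant; suggest `# NOTA: AdGuard usa network_mode=host para fazer bind nas portas 53 e 3000` and `# Não funciona em redes bridge (porta 53 precisa do namespace do host)`. With host networking the container shares the host's network namespace, so whatever ports AdGuard's own `conf` opens (its web UI in particular) bind directly on 10.0.0.50 and can collide with the `80`/`443` that the nginx stack publishes on the same host; a comment naming the ports the mounted `./conf` is expected to use would make that visible. `adguard/adguardhome:latest` is a floating tag, so pin a version if the repository's reproducibility goal is to hold.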
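Review bot: Every secret in the bookstack stack carries a hard-coded fallback (`MYSQL_ROOT_PASSWORD: ${BOOKSTACK_DB_ROOT:-rootpassword}`, `bookstack123`, `APP_KEY: ${BOOKSTACK_APP_KEY:-base64:CHANGE_ME}`), so `docker compose up` without a `.env` silently brings BookStack up with credentials that are now published in this repository and an invalid app key. Compose's required-variable form fails loudly instead, e.g. `MYSQL_PASSWORD: ${BOOKSTACK_DB_PASSWORD:?set in .env}` and `APP_KEY: ${BOOKSTACK_APP_KEY:?generate a real key}`. The same pattern appears in the flatnotes (`changeme`), nginx (`npmpassword`/`rootpassword`) and outline (`outline123`) compose files in this commit, and `docker/dockerino/nginx/.env.example` ships those exact values, so copying the example verbatim keeps the defaults; the example should hold placeholders, not working values. `solidnerd/bookstack:latest` and `mysql:8.3` mix a floating tag with a pinned one — pin both.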
@@ -0,0 +1,23 @@ +version: '3.8' + +services: + flatnotes: + image: dullage/flatnotes:latest + container_name: flatnotes + restart: unless-stopped + ports: + - "8089:8080" + volumes: + - ./data:/data + - ./notes:/notes + environment: + FLATNOTES_AUTH_TYPE: ${FLATNOTES_AUTH_TYPE:-password} + FLATNOTES_PASSWORD: ${FLATNOTES_PASSWORD:-changeme} + FLATNOTES_PORT: 8080 + FLATNOTES_HOST: 0.0.0.0 + TZ: America/Sao_Paulo + +networks: + default: + name: homelab-network + external: true diff --git a/docker/dockerino/homebox/docker-compose.yml b/docker/dockerino/homebox/docker-compose.yml new file mode 100644 index 0000000..0582194 --- /dev/null +++ b/docker/dockerino/homebox/docker-compose.yml @@ -0,0 +1,19 @@ +version: '3.8' + +services: + homebox: + image: ghcr.io/hay-kot/homebox:latest + container_name: homebox + restart: unless-stopped + ports: + - "3100:7745" + volumes: + - ./data:/data + environment: + HBOX_CONFIG: /data/config.yml + TZ: America/Sao_Paulo + +networks: + default: + name: homelab-network + external: true diff --git a/docker/dockerino/homer/config.yml b/docker/dockerino/homer/config.yml new file mode 100644 index 0000000..3b4de72 --- /dev/null +++ b/docker/dockerino/homer/config.yml @@ -0,0 +1,112 @@ +# Homer Dashboard Configuration +# Access: http://homer.hackerfortress.cc (via NPM) + +subtitle: "Homelab Dashboard" +title: "Hacker Fortress" +logo: "https://raw.githubusercontent.com/bastienwirtz/homer/master/public/img/logo.svg" + +# Optional theme +# theme: default (default), dark, light, mono +theme: dark + +# Header decoration +header: true +footer: '

Hacker Fortress Homelab · Powered by Homer

' + +# Columns +columns: 3 + +# Services +services: + - name: "Media" + icon: "fas fa-play" + items: + - name: "Jellyfin" + type: "Ping" + logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/images/jellyfin-icon.png" + url: "http://10.0.0.36:8096" + subtitle: "Media Server" + - name: "Sonarr" + type: "Ping" + url: "http://10.0.0.36:8989" + subtitle: "TV Series" + - name: "Radarr" + type: "Ping" + url: "http://10.0.0.36:7878" + subtitle: "Movies" + - name: "Prowlarr" + type: "Ping" + url: "http://10.0.0.36:9696" + subtitle: "Indexer" + - name: "qBittorrent" + type: "Ping" + url: "http://10.0.0.36:5080" + subtitle: "Downloads" + + - name: "Infrastructure" + icon: "fas fa-server" + items: + - name: "TrueNAS" + type: "Ping" + url: "https://truenas.hackerfortress.cc" + subtitle: "NAS & Apps" + - name: "Proxmox" + type: "Ping" + url: "https://proxmox.hackerfortress.cc:8006" + subtitle: "Hypervisor" + - name: "Omada Controller" + type: "Ping" + url: "https://omada.hackerfortress.cc" + subtitle: "Router" + + - name: "Productivity" + icon: "fas fa-briefcase" + items: + - name: "Outline Wiki" + type: "Ping" + url: "https://outline.hackerfortress.cc" + subtitle: "Documentation" + - name: "BookStack" + type: "Ping" + url: "https://bookstack.hackerfortress.cc" + subtitle: "Wiki" + - name: "n8n" + type: "Ping" + url: "https://n8n.hackerfortress.cc" + subtitle: "Workflows" + + - name: "Home Automation" + icon: "fas fa-home" + items: + - name: "Home Assistant" + type: "Ping" + url: "https://homeassistant.hackerfortress.cc" + subtitle: "HA Core" + + - name: "Monitoring" + icon: "fas fa-chart-line" + items: + - name: "Uptime Kuma" + type: "Ping" + url: "https://uptime.hackerfortress.cc" + subtitle: "Status" + - name: "Speedtest" + type: "Ping" + url: "https://speedtest.hackerfortress.cc" + subtitle: "Speed" + + - name: "Tools" + icon: "fas fa-tools" + items: + - name: "AdGuard" + type: "Ping" + url: "https://adguard.hackerfortress.cc" + 
subtitle: "DNS" + - name: "HomeBox" + type: "Ping" + url: "https://homebox.hackerfortress.cc" + subtitle: "Inventory" + - name: "Picsur" + type: "Ping" + url: "https://picsur.hackerfortress.cc" + subtitle: "Images" diff --git a/docker/dockerino/homer/docker-compose.yml b/docker/dockerino/homer/docker-compose.yml new file mode 100644 index 0000000..0320e06 --- /dev/null +++ b/docker/dockerino/homer/docker-compose.yml @@ -0,0 +1,19 @@ +version: '3.8' + +services: + homer: + image: b4bz/homer:latest + container_name: homer + restart: unless-stopped + ports: + - "8090:8080" + volumes: + - ./assets:/assets + - ./config.yml:/assets/config.yml:ro + environment: + TZ: America/Sao_Paulo + +networks: + default: + name: homelab-network + external: true diff --git a/docker/dockerino/nginx/.env.example b/docker/dockerino/nginx/.env.example new file mode 100644 index 0000000..356a66e --- /dev/null +++ b/docker/dockerino/nginx/.env.example @@ -0,0 +1,7 @@ +# Nginx Proxy Manager +NGINX_DB_PASSWORD=npmpassword +NGINX_ROOT_PASSWORD=rootpassword + +# Rede +COMPOSE_PROJECT_NAME=homelab +NETWORK_NAME=homelab-network diff --git a/docker/dockerino/nginx/docker-compose.yml b/docker/dockerino/nginx/docker-compose.yml new file mode 100644 index 0000000..941db4e --- /dev/null +++ b/docker/dockerino/nginx/docker-compose.yml 
@@ -0,0 +1,39 @@ +version: '3.8' + +services: + nginx: + image: 'jc21/nginx-proxy-manager:latest' + container_name: nginx + restart: unless-stopped + ports: + - '80:80' + - '81:81' + - '443:443' + environment: + DB_MYSQL_HOST: nginx-db + DB_MYSQL_PORT: 3306 + DB_MYSQL_USER: npm + DB_MYSQL_PASSWORD: ${NGINX_DB_PASSWORD:-npmpassword} + DB_MYSQL_NAME: npm + volumes: + - ./data:/data + - ./letsencrypt:/etc/letsencrypt + depends_on: + - nginx-db + + nginx-db: + image: 'jc21/mariadb:latest' + container_name: nginx-db + restart: unless-stopped + environment: + MYSQL_ROOT_PASSWORD: ${NGINX_ROOT_PASSWORD:-rootpassword} + MYSQL_DATABASE: npm + MYSQL_USER: npm + MYSQL_PASSWORD: ${NGINX_DB_PASSWORD:-npmpassword} + volumes: + - ./mysql:/var/lib/mysql + +networks: + default: + name: homelab-network + external: true diff --git a/docker/dockerino/omada-controller/docker-compose.yml b/docker/dockerino/omada-controller/docker-compose.yml new file mode 100644 index 0000000..c85f92d --- /dev/null +++ b/docker/dockerino/omada-controller/docker-compose.yml @@ -0,0 +1,16 @@ +version: '3.8' + +services: + omada-controller: + image: mbentley/omada-controller:latest + container_name: omada-controller + restart: unless-stopped + network_mode: host + volumes: + - ./data:/opt/tplink/OMADA/data + - ./logs:/opt/tplink/OMADA/logs + environment: + TZ: America/Sao_Paulo + +# NOTA: Usa network_mode=host para acessar portas específicas do Omada Controller +# Porta principal: 8043 (HTTPS), 8088 (HTTP), 29810 (UDP) diff --git a/docker/dockerino/outline/docker-compose.yml b/docker/dockerino/outline/docker-compose.yml new file mode 100644 index 0000000..d81491c --- /dev/null +++ b/docker/dockerino/outline/docker-compose.yml 
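Review bot: `- '81:81'` publishes the Nginx Proxy Manager admin UI on every interface of 10.0.0.50, and NPM starts with a well-known default admin login until it is changed, so the UI that controls TLS termination for every `*.hackerfortress.cc` name is reachable from any VLAN that can route to the host. Bind it to the infra address, `- '10.0.0.50:81:81'`, or do not publish it at all and reach it through NPM itself behind an access list. `depends_on: - nginx-db` is the only `depends_on` in this commit without `condition: service_healthy`; on first boot NPM will try MariaDB before it accepts connections, which `restart: unless-stopped` hides as a restart loop — add a `mysqladmin ping` healthcheck to `nginx-db` as the bookstack file does. Both images use `:latest`; pin them.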
@@ -0,0 +1,95 @@ +version: '3.8' + +services: + outline-postgres: + image: postgres:15-alpine + container_name: outline-postgres + restart: unless-stopped + environment: + POSTGRES_USER: outline + POSTGRES_PASSWORD: ${OUTLINE_DB_PASSWORD:-outline123} + POSTGRES_DB: outline + volumes: + - ./postgres-data:/var/lib/postgresql/data + healthcheck: + test: ["CMD-SHELL", "pg_isready -U outline"] + interval: 10s + timeout: 5s + retries: 5 + + outline-redis: + image: redis:7-alpine + container_name: outline-redis + restart: unless-stopped + volumes: + - ./redis-data:/data + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 10s + timeout: 5s + retries: 5 + + outline-minio: + image: quay.io/minio/minio:latest + container_name: outline-minio + restart: unless-stopped + command: server /data --console-address ":9001" + environment: + MINIO_ROOT_USER: ${MINIO_ROOT_USER:-outline} + MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-outline123} + volumes: + - ./minio-data:/data + healthcheck: + test: ["CMD", "mc", "ready", "local"] + interval: 10s + timeout: 5s + retries: 5 + + outline-minio-init: + image: quay.io/minio/mc:latest + container_name: outline-minio-init + depends_on: + outline-minio: + condition: service_healthy + entrypoint: | + /bin/sh -c " + sleep 5; + mc alias set myminio http://outline-minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD}; + mc mb myminio/outline --ignore-existing; + mc anonymous set download myminio/outline; + exit 0; + " + + outline: + image: outlinewiki/outline:latest + container_name: outline + restart: unless-stopped + ports: + - "3001:3000" + depends_on: + outline-postgres: + condition: service_healthy + outline-redis: + condition: service_healthy + outline-minio: + condition: service_healthy + environment: + DATABASE_URL: postgres://outline:${OUTLINE_DB_PASSWORD:-outline123}@outline-postgres:5432/outline + REDIS_URL: redis://outline-redis:6379 + MINIO_SERVER: http://outline-minio:9000 + MINIO_ACCESS_KEY: ${MINIO_ROOT_USER:-outline} + 
MINIO_SECRET_KEY: ${MINIO_ROOT_PASSWORD:-outline123} + SECRET_KEY: ${OUTLINE_SECRET_KEY:-change-me-in-production} + URL: https://outline.hackerfortress.cc + PORT: 3000 + TZ: America/Sao_Paulo + healthcheck: + test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:3000 || exit 1"] + interval: 30s + timeout: 10s + retries: 3 + +networks: + default: + name: homelab-network + external: true diff --git a/docker/dockerino/picsur/docker-compose.yml b/docker/dockerino/picsur/docker-compose.yml new file mode 100644 index 0000000..e2cf853 --- /dev/null +++ b/docker/dockerino/picsur/docker-compose.yml @@ -0,0 +1,18 @@ +version: '3.8' + +services: + picsur: + image: ghcr.io/caramelfur/picsur:latest + container_name: picsur + restart: unless-stopped + ports: + - "8091:8080" + volumes: + - ./data:/data + environment: + TZ: America/Sao_Paulo + +networks: + default: + name: homelab-network + external: true diff --git a/docker/dockerino/speedtest/docker-compose.yml b/docker/dockerino/speedtest/docker-compose.yml new file mode 100644 index 0000000..3a02580 --- /dev/null +++ b/docker/dockerino/speedtest/docker-compose.yml @@ -0,0 +1,23 @@ +version: '3.8' + +services: + speedtest: + image: henrywhitaker3/speedtest-tracker:latest + container_name: speedtest + restart: unless-stopped + ports: + - "8765:80" + volumes: + - ./data:/data + environment: + TZ: America/Sao_Paulo + healthcheck: + test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost || exit 1"] + interval: 30s + timeout: 10s + retries: 3 + +networks: + default: + name: homelab-network + external: true diff --git a/docker/dockerino/twingate/docker-compose.yml b/docker/dockerino/twingate/docker-compose.yml new file mode 100644 index 0000000..a1600d6 --- /dev/null +++ b/docker/dockerino/twingate/docker-compose.yml 
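Review bot: `outline-minio-init` has no `environment:` block, so the `$${MINIO_ROOT_USER}` and `$${MINIO_ROOT_PASSWORD}` that its entrypoint expands at runtime inside the `mc` container are empty, `mc alias set` fails, and the `outline` bucket is never created — pass them through with `environment: { MINIO_ROOT_USER: ${MINIO_ROOT_USER:-outline}, MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-outline123} }` (or, better, the `:?` required form). `SECRET_KEY: ${OUTLINE_SECRET_KEY:-change-me-in-production}` is a weak fallback for the value that signs Outline's sessions; Outline expects a 32-byte hex string (`openssl rand -hex 32`), so make it `${OUTLINE_SECRET_KEY:?required}`. Unless `outlinewiki/outline` honours `MINIO_SERVER`/`MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY`, Outline's documented storage settings are `FILE_STORAGE=s3`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_S3_UPLOAD_BUCKET_URL` and `AWS_S3_UPLOAD_BUCKET_NAME` — worth confirming before relying on attachments. `mc anonymous set download myminio/outline` makes the bucket world-readable to anything on `homelab-network`; a comment stating that this is intended (public attachment URLs) would stop the next reader from "fixing" it.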
@@ -0,0 +1,16 @@
+version: '3.8'
+
+services:
+ twingate:
+ image: twingate/connector:latest
+ container_name: twingate
+ restart: unless-stopped
+ network_mode: host
+ environment:
+ TWINGATE_NETWORK: ${TWINGATE_NETWORK:-}
+ TWINGATE_ACCESS_TOKEN: ${TWINGATE_ACCESS_TOKEN:-}
+ TWINGATE_REFRESH_TOKEN: ${TWINGATE_REFRESH_TOKEN:-}
+ # NOTA: healthcheck desabilitado pois Twingate não expõe endpoint HTTP
+ # O container é considered healthy mesmo sem resposta HTTP
+ healthcheck:
+ disable: true
diff --git a/docker/media/docker-compose.yml b/docker/media/docker-compose.yml
new file mode 100644
index 0000000..f1b2039
--- /dev/null
+++ b/docker/media/docker-compose.yml
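Review bot: All three connector settings fall back to empty (`TWINGATE_ACCESS_TOKEN: ${TWINGATE_ACCESS_TOKEN:-}` and the two siblings), so a missing `.env` starts a connector with no network and no tokens that `restart: unless-stopped` cycles indefinitely while `healthcheck: disable: true` keeps it from ever being reported unhealthy. Use `${TWINGATE_ACCESS_TOKEN:?missing}` (likewise for the network and refresh token) so compose refuses to start instead. Because the connector runs with `network_mode: host`, the refresh token is effectively a credential for remote entry into the whole 10.0.0.0/24; keep the real `.env` out of git and add an `.env.example` with placeholders, as the nginx directory does. The comment `# O container é considered healthy mesmo sem resposta HTTP` mixes languages; `# O container é considerado saudável mesmo sem resposta HTTP` reads cleanly.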
@@ -0,0 +1,116 @@ +version: '3.8' + +services: + qbittorrent: + image: lscr.io/linuxserver/qbittorrent:latest + container_name: qbittorrent + restart: unless-stopped + ports: + - "5080:8080" + - "6881:6881" + - "6881:6881/udp" + volumes: + - ./config/qbittorrent:/config + - /mnt/share-media/downloads:/downloads + environment: + PUID: 1000 + PGID: 1000 + TZ: America/Sao_Paulo + networks: + mynetwork: + ipv4_address: 172.19.0.2 + + sonarr: + image: linuxserver/sonarr:latest + container_name: sonarr + restart: unless-stopped + ports: + - "8989:8989" + volumes: + - ./config/sonarr:/config + - /mnt/share-media:/media + - /mnt/share-media/downloads:/downloads + environment: + PUID: 1000 + PGID: 1000 + TZ: America/Sao_Paulo + networks: + mynetwork: + ipv4_address: 172.19.0.3 + + prowlarr: + image: linuxserver/prowlarr:latest + container_name: prowlarr + restart: unless-stopped + ports: + - "9696:9696" + volumes: + - ./config/prowlarr:/config + environment: + PUID: 1000 + PGID: 1000 + TZ: America/Sao_Paulo + networks: + mynetwork: + ipv4_address: 172.19.0.4 + + radarr: + image: linuxserver/radarr:latest + container_name: radarr + restart: unless-stopped + ports: + - "7878:7878" + volumes: + - ./config/radarr:/config + - /mnt/share-media:/media + - /mnt/share-media/downloads:/downloads + environment: + PUID: 1000 + PGID: 1000 + TZ: America/Sao_Paulo + networks: + mynetwork: + ipv4_address: 172.19.0.5 + + bazarr: + image: linuxserver/bazarr:latest + container_name: bazarr + restart: unless-stopped + ports: + - "6767:6767" + volumes: + - ./config/bazarr:/config + - /mnt/share-media:/media + environment: + PUID: 1000 + PGID: 1000 + TZ: America/Sao_Paulo + networks: + mynetwork: + ipv4_address: 172.19.0.6 + + jellyfin: + image: linuxserver/jellyfin:latest + container_name: jellyfin + restart: unless-stopped + ports: + - "8096:8096" + - "8920:8920" + - "7359:7359/udp" + volumes: + - ./config/jellyfin:/config + - /mnt/share-media:/media + environment: + PUID: 1000 + PGID: 1000 + 
TZ: America/Sao_Paulo + networks: + mynetwork: + ipv4_address: 172.19.0.7 + +networks: + mynetwork: + driver: bridge + ipam: + config: + - subnet: 172.19.0.0/16 diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md new file mode 100644 index 0000000..6b9ff56 --- /dev/null +++ b/docs/ARCHITECTURE.md 
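Review bot: `image: linuxserver/sonarr:latest` and the other four services use the Docker Hub path while `qbittorrent` uses `lscr.io/linuxserver/qbittorrent:latest`; LinuxServer publishes to `lscr.io`, and the mixed registries plus floating `:latest` tags make the stack non-reproducible — use one prefix and pin tags. Every web UI here is published on all interfaces (`"5080:8080"`, `"8989:8989"`, …), so the plain-HTTP ports remain reachable beside the NPM-fronted `*.hackerfortress.cc` names the README lists and bypass its TLS termination; NPM on 10.0.0.50 still needs to reach them, so binding to the infra address (`"10.0.0.36:8989:8989"`) or a host firewall rule keeps them on VLAN1. Depending on the image version, qBittorrent's first start prints a temporary WebUI password to the container log, so note in a comment that the `5080` login must be changed before the port is considered safe. `version: '3.8'` is obsolete under Compose v2 and only produces a warning; this applies to every compose file in the commit.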
@@ -0,0 +1,570 @@ +# HESTIA — Homelab Infrastructure Documentation + +> Guardiã do homelab. Documentação viva e evolutiva. +> Última atualização: 2026-04-08 19:50 +> Responsável: Héstia (Claude Code via MiniMax-M2.7) + +--- + +## 1. TOPOLOGIA DE REDE + +### 1.1 Segmentos VLAN + +| VLAN | Nome | Range IP | Gateway | Função | +|------|------|----------|---------|--------| +| 1 (default) | INFRAESTRUTURA | 10.0.0.1/24 | 10.0.0.1 | Servidores, Proxmox, TrueNAS | +| 10 | GERAL | 10.0.10.1/24 | 10.0.10.1 | Computadores, celulares | +| 20 | IOT | 10.0.20.1/24 | 10.0.20.1 | Dispositivos IoT | +| 30 | GUESTS | 10.0.30.1/24 | 10.0.30.1 | Visitantes | + +### 1.2 Gateway/Router + +- **Device:** TP-Link ER605 (controlado via Omada Controller) +- **WAN:** Loadbalancer dual ISP (OI + Starlink) +- **LAN:** 10.0.0.1 (VLAN1), 10.0.10.1 (VLAN10), 10.0.20.1 (VLAN20), 10.0.30.1 (VLAN30) +- **DHCP:** Estático por MAC no Omada Controller + +### 1.3 DNS/Proxy + +- **Adguard Home:** Roteia `*.hackerfortress.cc` internamente para serviços com SSL +- **Nginx Proxy Manager:** Terminção SSL dos serviços internos +- **Domínio:** hackerfortress.cc + +### 1.4 Acesso Externo + +- **Twingate:** VPN para acessar infraestrutura remotamente (TrueNAS, Proxmox) +- **Tailscale:** VPN mesh para VPS externas (não usado no homelab) +- **NordVPN:** Expirou — necessidade de migrar para WireGuard (TODO) + +--- + +## 2. 
MÁQUINAS E HARDWARE + +### 2.1 TrueNAS (NAS + Apps) + +| Atributo | Valor | +|----------|-------| +| **Hostname** | truenas | +| **IP** | 10.0.0.30 | +| **Sistema** | TrueNAS SCALE (Debian 12 Bookworm) | +| **Kernel** | 6.12.15-production+truenas | +| **Uptime** | 3h 54min | +| **CPU** | Intel Xeon E5-2650 v4 @ 2.20GHz (24 cores, 48 threads) | +| **RAM** | 31 GiB total (5.3 GiB usado, 25 GiB disponível) | +| **SSH** | Habilitado (porta 22, usuário root) | + +**Storage Pools:** +| Pool | Size | Used | Free | Health | Mountpoint | +|------|------|------|------|--------|------------| +| Ikky | 2.72T | 1.32T (48%) | 1.40T | ONLINE | /mnt/Ikky | +| Hyoga | 1.81T | 1.09T (60%) | 741G | ONLINE | /mnt/mnt/Hyoga | +| boot-pool | 236G | 5.91G (2%) | 230G | ONLINE | - | + +**Datasets principais:** +- `Ikky/data` — 199G usado (compartilhamento SMB) +- `Ikky/.system` — configurações do sistema TrueNAS +- `Ikky/ix-apps` — apps catalog (contém n8n e uptime-kuma datasets) +- `Hyoga/media` — 923G de mídia (backup final 2025-12-05) +- `Hyoga/raidfortress` — 192G + +**Portas abertas:** +| Porta | Serviço | +|-------|---------| +| 22 | SSH | +| 80/443 | Nginx (TrueNAS WebUI + reverse proxy) | +| 445/139 | Samba | +| 3260 | iSCSI | +| 5357 | wsdd (Web Services Discovery) | +| 6000 | TrueNAS API (middleware) | +| 6999 | netdata | + +**Serviços de App (ix-apps):** +- **n8n** — datasets em `/mnt/.ix-apps/app_mounts/n8n/` (múltiplas versões snapshots) +- **uptime-kuma** — dataset em `/mnt/.ix-apps/app_mounts/uptime-kuma/` +- ✅ **FIXED (2026-04-08):** ix-apps datasets agora montam automaticamente com canmount=on + +### 2.2 Proxmox (Hypervisor) + +| Atributo | Valor | +|----------|-------| +| **Hostname** | pve | +| **IP** | 10.0.0.20 | +| **Sistema** | Proxmox VE 8.4.17 | +| **Kernel** | 6.8.12-9-pve | +| **Uptime** | 3h 54min | +| **CPU** | AMD Ryzen 7 2700 Eight-Core (8 cores, 16 threads) | +| **RAM** | 32 GiB total (26 GiB usado, 5.0 GiB disponível) | +| **Swap** | 8 GiB | +| **SSH** | 
Habilitado (porta 22, usuário root) | +| **Interface Web** | Porta 8006 | + +**Disco:** +- `/dev/sda` — 223.6G + - sda1: 1M (BIOS boot) + - sda2: 1G (/boot/efi) + - sda3: 222.6G (LVM) + - pve-swap: 8G + - pve-root: 65.6G (/) + - pve-data: 130.3G (LVM-thin) + +**Storages:** +| Storage | Type | Size | Used | Available | +|---------|------|------|------|-----------| +| local | dir | 31.2G | - | 64.1G | +| local-lvm | lvmthin | 130.3G | 102.8G | 26.7G | + +**VMs:** +| VMID | Nome | Status | vCPUs | RAM | Disk | Uptime | +|------|------|--------|-------|-----|------|--------| +| 100 | homeassistant | running | 4 | 4 GB | 32 GB | 3h 38min | +| 102 | dockerino | running | 8 | 10 GB | 74 GB | 3h 38min | +| 103 | media | running | 8 | 16 GB | 64 GB | 3h 37min | + +### 2.3 Dockerino (VM Proxmox) + +| Atributo | Valor | +|----------|-------| +| **Hostname** | dockerino | +| **IP** | 10.0.0.50 | +| **Sistema** | Debian (5.10.0-23-amd64) | +| **Uptime** | 3h 54min | +| **CPU** | 8 vCPUs (Common KVM processor) | +| **RAM** | 9.7 GiB (4.5 GiB usado, 4.8 GiB disponível) | +| **Disk** | 31G (/dev/sda1) — 90% usado | +| **Docker** | Docker version 28.5.0 | +| **Compose** | Multi-stack em `/root/dockerino/` | + +**Docker Stacks em `/root/dockerino/`:** +- `nginx/` — Nginx Proxy Manager +- `adguard/` — Adguard Home +- `bookstack/` — BookStack (com MySQL) +- `outline/` — Outline Wiki (PostgreSQL + Redis + MinIO) +- `flatnotes/` — FlatNotes +- `homer/` — Homer (dashboard) +- `homebox/` — HomeBox (inventory) +- `omada-controller/` — TP-Link Omada Controller +- `picsur/` — Picsur (image hosting) +- `speedtest/` — Speedtest Tracker +- `twingate/` — Twingate Connector + +**Containers ativos:** +| Container | Status | Ports | Imagem | +|-----------|--------|-------|--------| +| outline | healthy | 3001 | outlinewiki/outline:latest | +| outline-minio | healthy | 9000-9001 | quay.io/minio/minio | +| outline-postgres | healthy | 5432 | postgres:15-alpine | +| outline-redis | healthy | 6379 | 
redis:7-alpine | +| bookstack | healthy | 8082→80 | solidnerd/bookstack:latest | +| picsur | healthy | 8091→8080 | ghcr.io/caramelfur/picsur:latest | +| homer | healthy | 8090→8080 | b4bz/homer:latest | +| twingate | healthy | - | twingate/connector:latest | +| mysql | healthy | 3306 | mysql:8.3 | +| speedtest | healthy | 8765→80 | henrywhitaker3/speedtest-tracker:latest | +| nginx | healthy | 80-81, 443 | jc21/nginx-proxy-manager:latest | +| omada-controller | healthy | network_mode=host | mbentley/omada-controller:latest | +| homebox | healthy | 3100→7745 | ghcr.io/hay-kot/homebox:latest | +| flatnotes | healthy | 8089→8080 | dullage/flatnotes:latest | +| postgres | healthy | 5432 | postgres:14-alpine | +| adguardhome | healthy | network_mode=host | adguard/adguardhome:latest | + +**⚠️ Alertas:** +- `twingate` unhealthy — healthcheck não configurado corretamente (o Twingate não tem endpoint HTTP para verificar) + +### 2.4 Media (VM Proxmox) + +| Atributo | Valor | +|----------|-------| +| **Hostname** | media | +| **IP** | 10.0.0.36 | +| **Sistema** | Debian (5.10.0-26-amd64) | +| **Uptime** | 3h 54min | +| **CPU** | 8 vCPUs (Common KVM processor) | +| **RAM** | 15 GiB (1.1 GiB usado, 13 GiB disponível) | +| **Disk** | 62G (/dev/sda2) — 83% usado | +| **Docker** | Docker version 28.4.0 | +| **Compose** | `/root/homefortress-media/docker-compose.yml` | + +**Docker Stack:** +Rede customizada `mynetwork` (172.19.0.0/16) + +| Container | Status | Ports | Imagem | +|-----------|--------|-------|--------| +| ~~ollama~~ | ~~removed~~ | ~~11434~~ | ~~ollama/ollama:latest~~ | +| bazarr | healthy | 6767 | linuxserver/bazarr:latest | +| jellyfin | healthy | 8096, 8920, 7359/udp | linuxserver/jellyfin:latest | +| prowlarr | healthy | 9696 | linuxserver/prowlarr:latest | +| sonarr | healthy | 8989 | linuxserver/sonarr:latest | +| radarr | healthy | 7878 | linuxserver/radarr:latest | +| qbittorrent | healthy | 5080, 6881 | lscr.io/linuxserver/qbittorrent:latest | + +**⚠️ 
Alertas:** +- Nenhum — Ollama foi removido (2026-04-08) + +**Nota sobre Jellyfin:** Tentou usar GPU passthrough (NVIDIA) mas não funcionou. Não há GPU física nesta VM — inference via CPU apenas. + +### 2.5 Home Assistant (VM Proxmox) + +| Atributo | Valor | +|----------|-------| +| **VMID** | 100 | +| **Hostname** | homeassistant | +| **IP** | 10.0.0.100 | +| **Status** | running | +| **Sistema** | Linux (EFI boot, machine q35) | +| **vCPUs** | 4 (x86-64-v2-AES) | +| **RAM** | 4 GB | +| **Disk** | 32 GB (local-lvm) | +| **Network** | virtio, bridge vmbr0 | +| **Boot** | EFI, startup order=1 | +| **Uptime** | 3h 38min | + +**Acesso:** Via Proxmox (`qm guest exec 100`) + +--- + +## 3. MAPEAMENTO DE SERVIÇOS + +### 3.1 Por Máquina + +**TrueNAS (10.0.0.30):** +| Serviço | Porta | Status | Notas | +|---------|-------|--------|-------| +| SSH | 22 | ✅ | Acesso root | +| TrueNAS WebUI | 443 | ✅ | SSL default | +| Samba | 445, 139 | ✅ | Compartilhamento Ikky/data | +| iSCSI | 3260 | ✅ | SCST target | +| netdata | 6999 | ✅ | Monitoramento | +| n8n | 30109 | ✅ | Working (2026-04-08) | +| Uptime Kuma | 31050 | ✅ | Working (2026-04-08) | + +**Dockerino (10.0.0.50):** +| Serviço | Porta | URL | Status | +|---------|-------|-----|--------| +| Nginx Proxy Manager | 80, 443 | - | ✅ | +| Outline Wiki | 3001 | - | ✅ | +| BookStack | 8082 | bookstack.hackerfortress.cc | ✅ | +| Omada Controller | host | - | ✅ | +| Adguard Home | host | - | ✅ | +| HomeBox | 3100 | homebox.hackerfortress.cc | ✅ | +| FlatNotes | 8089 | flatnotes.hackerfortress.cc | ✅ | +| Homer | 8090 | - | ✅ | +| Picsur | 8091 | - | ✅ | +| Speedtest | 8765 | - | ✅ | +| MySQL | 3306 | - | ✅ | +| PostgreSQL | 5432 | - | ✅ | +| MinIO | 9000, 9001 | - | ✅ | +| Twingate | - | - | ✅ healthy | + +**Media (10.0.0.36):** +| Serviço | Porta | URL | Status | +|---------|-------|-----|--------| +| Jellyfin | 8096, 8920 | media.hackerfortress.cc | ✅ | +| Sonarr | 8989 | - | ✅ | +| Radarr | 7878 | - | ✅ | +| Prowlarr | 9696 | - | ✅ | 
+| Bazarr | 6767 | - | ✅ | +| qBittorrent | 5080 | - | ✅ | +| Ollama | 11434 | - | ⚠️ unhealthy (remover) | + +**Home Assistant (10.0.0.100):** +| Serviço | Porta | URL | Status | +|---------|-------|-----|--------| +| Home Assistant | 8123 | homeassistant.hackerfortress.cc | ✅ | + +### 3.2 Por Domínio (hackerfortress.cc) + +**SSL:** Let's Encrypt via Nginx Proxy Manager (cert ID 75: `*.hackerfortress.cc`, expira 2026-05-27) + +| Subdomínio | Destino NPM | Observação | +|------------|-------------|------------| +| proxmox.* | 10.0.0.20:8006 | HTTPS, WebUI Proxmox | +| proxy.* | nginx:81 | NPM Admin Interface | +| speedtest.* | speedtest:80 | Speedtest Tracker | +| homeassistant.* | 10.0.0.100:8123 | Home Assistant | +| qbittorrent.* | 10.0.0.36:5080 | qBittorrent | +| prowlarr.* | 10.0.0.36:9696 | Prowlarr | +| radarr.* | 10.0.0.36:7878 | Radarr | +| sonarr.* | 10.0.0.36:8989 | Sonarr | +| jellyfin.* | 10.0.0.36:8096 | Jellyfin | +| homebox.* | homebox:7745 | HomeBox Inventory | +| picsur.* | 10.0.0.50:8091 | Picsur | +| omada.* | 10.0.0.50:8043 | HTTPS, Omada Controller | +| n8n.* | 10.0.0.30:30109 | n8n Workflow | +| adguard.* | 10.0.0.50:3000 | AdGuard Home | +| flatnotes.* | flatnotes:8080 | FlatNotes | +| truenas.* | 10.0.0.30:80 | TrueNAS WebUI | +| uptime.* | 10.0.0.30:31050 | Uptime Kuma | +| bookstack.* | bookstack:8080 | BookStack Wiki | +| bazarr.* | 10.0.0.36:6767 | Bazarr | +| outline.* | 10.0.0.50:3001 | Outline Wiki | +| mcp-outline.* | 10.0.0.50:8080 | MCP Outline | +| ollama.* | 10.0.0.36:11434 | Ollama | +| openclaw.* | 10.0.10.100:18789 | OpenClaw | +| (root) | homer:8080 | Homer Dashboard | + +**DNS:** AdGuard Home resolve todos `*.hackerfortress.cc` → 10.0.0.50 (dockerino), exceto `openclaw.*` → 10.0.10.100. O NPM faz o roteamento interno final. 
+ +### 3.3 Diagrama de Infraestrutura + +```mermaid +graph TB + subgraph INTERNET["🌐 INTERNET"] + OI["ISP OI"] + STARLINK["Starlink"] + end + + subgraph ROUTER["📡 ER605 Omada"] + GW["Gateway / Load Balance\n10.0.0.1"] + end + + subgraph HESTIA["hestia · 10.0.10.100"] + HERMES["🤖 Hermes Agent\n(Telegram)"] + NPM["🔀 Nginx Proxy Manager\n:81"] + ADGUARD["🛡️ AdGuard Home\n:3053"] + end + + subgraph TRUENAS["TrueNAS · 10.0.0.30"] + N8N["⚙️ n8n\n:30109"] + KUMA["📊 Uptime Kuma\n:31050"] + TN_UI["TrueNAS UI\n:443"] + end + + subgraph DOCKERINO["dockerino · 10.0.0.50"] + GITEA["📝 Gitea\n:3080/2222"] + POSTGRES["🗄️ PostgreSQL\n:5432"] + OUTLINE["📚 Outline Wiki\n:3001"] + BOOKSTACK["📖 BookStack\n:8082"] + ADGHOME["🛡️ AdGuard\n(network_mode)"] + HOMEBOX["📦 HomeBox\n:3100"] + FLATNOTES["📝 FlatNotes\n:8089"] + HOMER["🏠 Homer\n:8090"] + PICSUR["🖼️ Picsur\n:8091"] + SPEEDTEST["📡 Speedtest\n:8765"] + OMADA["📶 Omada Controller\n:8043"] + end + + subgraph MEDIA["media · 10.0.0.36"] + JELLYFIN["🎬 Jellyfin\n:8096/8920"] + SONARR["📺 Sonarr\n:8989"] + RADARR["🎥 Radarr\n:7878"] + PROWLARR["🔍 Prowlarr\n:9696"] + BAZARR["📄 Bazarr\n:6767"] + QBITTORRENT["⬇️ qBittorrent\n:5080"] + end + + subgraph HA["homeassistant · 10.0.0.100"] + HOMEASSISTANT["🏠 Home Assistant\n:8123"] + end + + OI & STARLINK --> GW + GW --> HESTIA & TRUENAS & DOCKERINO & MEDIA & HA + + %% NPM routing + NPM -->|SSL Termination| KUMA + NPM -->|SSL Termination| N8N + NPM -->|SSL Termination| GITEA + NPM -->|SSL Termination| JELLYFIN + NPM -->|SSL Termination| HOMEASSISTANT + NPM -->|SSL Termination| OUTLINE + NPM -->|SSL Termination| BOOKSTACK + NPM -->|SSL Termination| HOMEBOX + NPM -->|SSL Termination| FLATNOTES + NPM -->|SSL Termination| PICSUR + NPM -->|SSL Termination| SPEEDTEST + NPM -->|SSL Termination| OMADA + NPM -->|SSL Termination| ADGHOME + NPM -->|SSL Termination| BAZARR + NPM -->|SSL Termination| QBITTORRENT + NPM -->|SSL Termination| SONARR + NPM -->|SSL Termination| RADARR + NPM -->|SSL Termination| PROWLARR 
+ NPM -->|SSL Termination| TN_UI + + %% AdGuard DNS + ADGUARD -.->|DNS *.hackerfortress.cc| NPM + + %% Internal data flows + GITEA --> POSTGRES + OUTLINE --> POSTGRES + JELLYFIN -.->|media files| QBITTORRENT + + %% Hermes interaction + HERMES --> NPM +``` + +**Resumo do fluxo:** +1. **Usuário** acessa `servico.hackerfortress.cc` +2. **AdGuard** (10.0.10.100:3053) resolve DNS → 10.0.0.50 (dockerino) +3. **Nginx Proxy Manager** (dockerino:81) recebe a requisição, termina SSL +4. **NPM** faz proxy reverso interno para o serviço correto na porta对应 +5. **Hermes Agent** (Telegram) também se comunica via NPM para monitorar status + +--- + +## 4. ACESSO SSH + +### 4.1 Chave SSH da Héstia + +- **Created:** 2026-04-08 +- **Type:** ED25519 +- **Fingerprint:** SHA256:ieM8FlrvI0ByxVinRa3zfKzP6BYMO2aVGd/IMshTmYU +- **Key file:** `~/.ssh/id_ed25519` +- **Public key:** + ``` + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEbnDYVvjbDrGuA4SfM8Ex/H/9RVHmkyu7qzCEt27eh hestia-homlelab-20260408 + ``` + +### 4.2 SSH Config ( ~/.ssh/config) + +``` +Host truenas + HostName 10.0.0.30 + User root + Port 22 + IdentityFile ~/.ssh/id_ed25519 + +Host proxmox + HostName 10.0.0.20 + User root + Port 22 + IdentityFile ~/.ssh/id_ed25519 + +Host dockerino + HostName 10.0.0.50 + User root + Port 22 + IdentityFile ~/.ssh/id_ed25519 + +Host media + HostName 10.0.0.36 + User root + Port 22 + IdentityFile ~/.ssh/id_ed25519 + +Host homeassistant + HostName 10.0.0.100 + User root + Port 22 + IdentityFile ~/.ssh/id_ed25519 +``` + +### 4.3 Status Distribuição de Chaves + +| Máquina | Status | +|---------|--------| +| TrueNAS | ✅ Distribuída | +| Proxmox | ✅ Distribuída | +| Dockerino | ✅ Distribuída | +| Media | ✅ Distribuída | +| Home Assistant | ❌ Pendente (via Proxmox) | + +--- + +## 5. 
DOCKER COMPOSE STACKS + +### 5.1 Dockerino Stacks + +Localização: `/root/dockerino/` + +| Stack | Path | Services | +|-------|------|----------| +| Nginx Proxy Manager | `/root/dockerino/nginx/` | nginx (jpw/nginx-proxy-manager) | +| Adguard Home | `/root/dockerino/adguard/` | adguardhome | +| BookStack | `/root/dockerino/bookstack/` | mysql, bookstack | +| Outline | `/root/dockerino/outline/` | outline-postgres, outline-redis, outline-minio, outline-minio-init, outline | +| FlatNotes | `/root/dockerino/flatnotes/` | flatnotes | +| Homer | `/root/dockerino/homer/` | homer | +| HomeBox | `/root/dockerino/homebox/` | homebox | +| Omada Controller | `/root/dockerino/omada-controller/` | omada-controller | +| Picsur | `/root/dockerino/picsur/` | picsur | +| Speedtest | `/root/dockerino/speedtest/` | speedtest | +| Twingate | `/root/dockerino/twingate/` | twingate | + +### 5.2 Media Stack + +Localização: `/root/homefortress-media/docker-compose.yml` + +Network: `mynetwork` (172.19.0.0/16) + +| Service | IP | Ports | +|---------|-----|-------| +| qbittorrent | 172.19.0.2 | 5080, 6881 | +| sonarr | 172.19.0.3 | 8989 | +| prowlarr | 172.19.0.4 | 9696 | +| radarr | 172.19.0.5 | 7878 | +| ollama | 172.19.0.10 | 11434 | + +Volumes: +- `/mnt/share-media` — dados de mídia (bind mount) + +--- + +## 6. STORAGE E BACKUPS + +### 6.1 TrueNAS Pools + +**Ikky (2.72T):** +- `Ikky/data` — 199G usado, compartilhamento SMB principal +- `Ikky/.system` — configurações TrueNAS +- `Ikky/ix-apps` — apps catalog (n8n, uptime-kuma) + +**Hyoga (1.81T):** +- `Hyoga/media` — 923G (backup final 2025-12-05) +- `Hyoga/raidfortress` — 192G + +### 6.2 Media Mount + +`/mnt/share-media` é o mount point principal para dados de mídia, compartilhado entre Media VM e TrueNAS. + +--- + +## 7. 
MONITORAMENTO E ALERTAS + +### 7.1 Alertas Ativos + +| Severidade | Máquina | Alerta | Ação Recomendada | +|------------|---------|--------|------------------| +| ~~⚠️ Alta~~ | ~~TrueNAS~~ | ~~n8n/uptime-kuma não sobem após reboot~~ | ~~Investigar bug de pool ix-apps~~ ✅ Resolvido | +| ~~⚠️ Média~~ | ~~Dockerino~~ | ~~Twingate unhealthy~~ | ~~Configurar healthcheck customizado ou aceitar estado~~ ✅ Resolvido | +| ~~⚠️ Média~~ | ~~Media~~ | ~~Ollama unhealthy~~ | ~~Remover container e modelos~~ ✅ Resolvido | +| ~~ℹ️ Info~~ | ~~TrueNAS~~ | ~~ix-apps directory parcialmente populado~~ | ~~Monitorar após fix do bug~~ ✅ Resolvido | + +### 7.2 Serviços de Monitoramento + +- **Uptime Kuma:** Ativo no TrueNAS (10.0.0.30:31050) ✅ +- **netdata:** Ativo no TrueNAS (porta 6999) +- **Speedtest Tracker:** Ativo no Dockerino (porta 8765) + +--- + +## 8. PROBLEMAS CONHECIDOS E TODOS + +### 8.1 Bugs + +- [x] **BUG-TRUENAS-01:** TrueNAS ix-apps pool não monta automaticamente após reboot ✅ (2026-04-08 - aplicado canmount=on nos datasets) +- [x] **BUG-TWINGATE-01:** Twingate connector unhealthy — healthcheck não configurado (sem endpoint HTTP) ✅ (2026-04-08 - healthcheck desabilitado) + +### 8.2 Tasks + +- [x] **TASK-OLLAMA-01:** Remover Ollama e modelos baixados do Media ✅ (2026-04-08) +- [ ] **TASK-VPN-01:** Avaliar WireGuard como替代 NordVPN +- [ ] **TASK-HA-01:** Configurar acesso SSH ao Home Assistant via Proxmox guest agent +- [ ] **TASK-BACKUP-01:** Configurar rotina de backup para configurações das VMs +- [ ] **TASK-DOCS-01:** Documentar credenciais de serviços (usar Vault/Pass) + +--- + +## 9. PRÓXIMOS PASSOS + +1. ~~Corrigir bug da pool do TrueNAS (ix-apps)~~ ✅ (2026-04-08) +2. ~~Remover Ollama do Media~~ ✅ (2026-04-08) +3. ~~Configurar Twingate healthcheck~~ ✅ (2026-04-08) +4. ~~Mapear todos os subdomínios e SSL certificates~~ ✅ (2026-04-08) +5. ~~Configurar Uptime Kuma para monitorar todos os serviços~~ ✅ (2026-04-08) +6. Implementar solução de backup (TrueNAS → ?) +7. 
Avaliar secrets management (Vault/Pass) + +--- + +*Documento mantido por Héstia — Guardiã do Homelab* +*Atualizado: 2026-04-08 14:55 UTC-3* \ No newline at end of file diff --git a/docs/NEXT_STEPS.md b/docs/NEXT_STEPS.md new file mode 100644 index 0000000..757c1c9 --- /dev/null +++ b/docs/NEXT_STEPS.md 
@@ -0,0 +1,64 @@ +# Homelab - Próximos Passos (2026-04-08) + +## Contexto Resumido + +**Rede:** 10.0.0.0/24 (VLAN1 infra), 10.0.10.0/24 (VLAN10 geral). Router ER605 Omada. Dual ISP (OI + Starlink). Domain: hackerfortress.cc + +**Máquinas principais:** +- TrueNAS (10.0.0.30): n8n, Uptime Kuma, TrueNAS Core +- Proxmox (10.0.0.20): hosts dockerino, media, homeassistant +- Hestia (10.0.10.100): management node (esta máquina) +- Dockerino (10.0.0.50): Docker host com NPM, AdGuard, e mais + +**Arquitetura docs:** ~/homelab/docs/ARCHITECTURE.md + +--- + +## Tarefas Pendentes + +### 5. Configurar Uptime Kuma para monitorar todos os serviços ✅ +- Todos os 18 serviços monitorados: NPM (10.0.0.50:81), AdGuard (10.0.0.50:3000), Jellyfin (10.0.0.36:8096), Sonarr (10.0.0.36:8989), Radarr (10.0.0.36:7878), Prowlarr (10.0.0.36:9696), Bazarr (10.0.0.36:6767), qBittorrent (10.0.0.36:5080), HomeAssistant (10.0.0.100:8123), Proxmox (10.0.0.20:8006), TrueNAS (10.0.0.30:443), n8n (10.0.0.30:30109), BookStack (10.0.0.50:8082), FlatNotes (10.0.0.50:8089), HomeBox (10.0.0.50:3100), Picsur (10.0.0.50:8091), Outline (10.0.0.50:3001), Omada (10.0.0.50:8043) +- Status atual: 16 UP, 0 DOWN (TrueNAS e AdGuard com uptime parcial em recuperação) +- Credenciais salvas na memória: admin / UptimeKuma@2026#Hestia! + +### 6. Implementar solução de backup (TrueNAS → ?) +- Avaliar opções: rsync para offsite,borgbackup, restic, ou靠在 TrueNAS built-in +- Considerar Restic ou borg para backup incremental offsite +- Avaliar custos de storage + +### 7. WireGuard como alternativa ao NordVPN +- NordVPN ainda não implementou split-tunnel no Linux +- WireGuard seria para conexão externa (road warrior) +- Avaliar configuração no ER605 ou em um container + +### 8. NordVPN split-tunnel no Linux +- NordVPN CLI suporta `--allowlist` ou `exclude` para split-tunnel +- Testar com containers que precisam de VPN (qBittorrent, etc.) +- Exemplo: `nordvpn set allowlist add Subnet:192.168.1.0/24` + +### 9. 
Documentar credenciais +- Todas as senhas/documentação do homelab em: ~/homelab/docs/ +- Avaliar Password Store (pass) ou Vault para secrets management + +--- + +## Investigações Recentes (2026-04-08) + +### TrueNAS ix-apps (n8n, Uptime Kuma) +- Apps existem nos datasets mas middleware não os reconhece (`midclt call app.query` retorna []) +- Causa: datasets com `canmount=noauto` não montados automaticamente +- Fix testado: `zfs mount Ikky/ix-apps/app_configs` +- Próximo passo: WebUI para stop/rollback/start dos apps + +### Nginx Proxy Manager - SSL Certificates +- Cert wildcard `*.hackerfortress.cc` expira 2026-05-27 (cert ID 75) +- 23 subdomínios configurados no NPM, todos usando o mesmo cert +- Revisão do ARCHITECTURE.md feita: atualizações no item 4 + +--- + +## Notas de Configuração + +- Lid switch: `HandleLidSwitch=ignore` + suspend targets masked +- NVIDIA GT 730M: nouveau (driver open-source) +- SSH key: ED25519, fingerprint SHA256:ieM8FlrvI0ByxVinRa3zfKzP6BYMO2aVGd/IMshTmYU \ No newline at end of file diff --git a/terraform/er605/main.tf b/terraform/er605/main.tf new file mode 100644 index 0000000..ee092f7 --- /dev/null +++ b/terraform/er605/main.tf 
@@ -0,0 +1,118 @@
+# Terraform configuration for TP-Link ER605 Router via Omada Controller
+# Router: TP-Link ER605 (Omada Controller on dockerino:8043)
+
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ omada = {
+ source = "jkbo/RF-omada"
+ version = "~> 1.0"
+ }
+ }
+}
+
+provider "omada" {
+ omada_url = var.omada_url
+ omada_username = var.omada_username
+ omada_password = var.omada_password
+ ssl_verify = var.ssl_verify
+}
+
+# Data sources to get existing network info
+data "omada_networks" "homelab" {
+ site_name = var.site_name
+}
+
+# VLAN 1 - Infraestrutura (10.0.0.0/24)
+resource "omada_network" "vlan1_infra" {
+ site_name = var.site_name
+ name = "VLAN1-INFRA"
+ purpose = "Management"
+ type = "L3"
+ subnet = "10.0.0.0/24"
+ gateway_ip = "10.0.0.1"
+ vlan_id = 1
+ dhcp_relay_enabled = false
+}
+
+# VLAN 10 - Geral (10.0.10.0/24)
+resource "omada_network" "vlan10_geral" {
+ site_name = var.site_name
+ name = "VLAN10-GERAL"
+ purpose = "Corporate"
+ type = "L3"
+ subnet = "10.0.10.0/24"
+ gateway_ip = "10.0.10.1"
+ vlan_id = 10
+ dhcp_relay_enabled = false
+}
+
+# VLAN 20 - IOT (10.0.20.0/24)
+resource "omada_network" "vlan20_iot" {
+ site_name = var.site_name
+ name = "VLAN20-IOT"
+ purpose = "Corporate"
+ type = "L3"
+ subnet = "10.0.20.0/24"
+ gateway_ip = "10.0.20.1"
+ vlan_id = 20
+ dhcp_relay_enabled = false
+}
+
+# VLAN 30 - Guests (10.0.30.0/24)
+resource "omada_network" "vlan30_guests" {
+ site_name = var.site_name
+ name = "VLAN30-GUESTS"
+ purpose = "Guest"
+ type = "L3"
+ subnet = "10.0.30.0/24"
+ gateway_ip = "10.0.30.1"
+ vlan_id = 30
+ dhcp_relay_enabled = false
+}
+
+# DHCP Static Leases (examples)
+# Add static DHCP entries for known devices
+resource "omada_dhcp_static" "truenas" {
+ site_name = var.site_name
+ network_id = omada_network.vlan1_infra.id
+ mac_address = var.truenas_mac
+ ip_address = "10.0.0.30"
+ hostname = "truenas"
+}
+
+resource "omada_dhcp_static" "proxmox" {
+ site_name = var.site_name
+ network_id = omada_network.vlan1_infra.id
+ mac_address = var.proxmox_mac
+ ip_address = "10.0.0.20"
+ hostname = "proxmox"
+}
+
+resource "omada_dhcp_static" "dockerino" {
+ site_name = var.site_name
+ network_id = omada_network.vlan1_infra.id
+ mac_address = var.dockerino_mac
+ ip_address = "10.0.0.50"
+ hostname = "dockerino"
+}
+
+resource "omada_dhcp_static" "media" {
+ site_name = var.site_name
+ network_id = omada_network.vlan1_infra.id
+ mac_address = var.media_mac
+ ip_address = "10.0.0.36"
+ hostname = "media"
+}
+
+resource "omada_dhcp_static" "homeassistant" {
+ site_name = var.site_name
+ network_id = omada_network.vlan1_infra.id
+ mac_address = var.homeassistant_mac
+ ip_address = "10.0.0.100"
+ hostname = "homeassistant"
+}
+
+# DNS routes for internal resolution
+# *.hackerfortress.cc -> 10.0.0.50 (dockerino/NPM)
diff --git a/terraform/er605/outputs.tf b/terraform/er605/outputs.tf
new file mode 100644
index 0000000..fdfff27
--- /dev/null
+++ b/terraform/er605/outputs.tf
@@ -0,0 +1,36 @@
+# Outputs for ER605/Omada Terraform
+
+output "vlan1_infra_id" {
+ description = "VLAN1 Infrastructure ID"
+ value = omada_network.vlan1_infra.id
+}
+
+output "vlan1_infra_subnet" {
+ description = "VLAN1 Infrastructure Subnet"
+ value = omada_network.vlan1_infra.subnet
+}
+
+output "vlan10_geral_id" {
+ description = "VLAN10 General ID"
+ value = omada_network.vlan10_geral.id
+}
+
+output "vlan10_geral_subnet" {
+ description = "VLAN10 General Subnet"
+ value = omada_network.vlan10_geral.subnet
+}
+
+output "vlan20_iot_id" {
+ description = "VLAN20 IOT ID"
+ value = omada_network.vlan20_iot.id
+}
+
+output "vlan30_guests_id" {
+ description = "VLAN30 Guests ID"
+ value = omada_network.vlan30_guests.id
+}
+
+output "omada_url" {
+ description = "Omada Controller URL"
+ value = var.omada_url
+}
diff --git a/terraform/er605/variables.tf b/terraform/er605/variables.tf
new file mode 100644
index 0000000..71108fb
--- /dev/null
+++ b/terraform/er605/variables.tf
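Review bot: `resource "omada_network" "vlan1_infra"` and the three sibling VLAN resources declare networks that, per the ARCHITECTURE.md hunk, already exist on the controller (VLAN 1 is the device's default network), so a first `terraform apply` is likely to fail on a duplicate or create a parallel definition rather than adopt the live one; import the existing networks into state first (`terraform import omada_network.vlan1_infra <EXISTING_NETWORK_ID>`, same for the others) and say so in a comment at the top of the file. The `data "omada_networks" "homelab"` block is declared but never referenced in the visible file; either use it to look up the existing network ids or delete it. The closing comment `# DNS routes for internal resolution` announces configuration the file does not contain, so mark it `# TODO: not yet managed here` or remove it, otherwise a reader will assume the `*.hackerfortress.cc` override is under Terraform control.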
@@ -0,0 +1,62 @@
+# Variables for ER605/Omada Terraform
+
+variable "omada_url" {
+ description = "Omada Controller URL"
+ type = string
+ default = "https://10.0.0.50:8043"
+}
+
+variable "omada_username" {
+ description = "Omada Controller username"
+ type = string
+ default = "admin"
+}
+
+variable "omada_password" {
+ description = "Omada Controller password"
+ type = string
+ sensitive = true
+}
+
+variable "site_name" {
+ description = "Omada site name"
+ type = string
+ default = "Default"
+}
+
+variable "ssl_verify" {
+ description = "Verify SSL certificates"
+ type = bool
+ default = false
+}
+
+# MAC addresses for static DHCP
+variable "truenas_mac" {
+ description = "TrueNAS MAC address"
+ type = string
+ default = "" # TODO: Add actual MAC
+}
+
+variable "proxmox_mac" {
+ description = "Proxmox MAC address"
+ type = string
+ default = "" # TODO: Add actual MAC
+}
+
+variable "dockerino_mac" {
+ description = "Dockerino MAC address"
+ type = string
+ default = "" # TODO: Add actual MAC
+}
+
+variable "media_mac" {
+ description = "Media VM MAC address"
+ type = string
+ default = "" # TODO: Add actual MAC
+}
+
+variable "homeassistant_mac" {
+ description = "Home Assistant VM MAC address"
+ type = string
+ default = "" # TODO: Add actual MAC
+}
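Review bot: `ssl_verify` defaults to `false`, so the provider accepts any certificate presented at `https://10.0.0.50:8043` and will hand `omada_password` to whatever answers there; change it to `default = true` so disabling verification is an explicit per-run choice, or better, point the provider at the controller's certificate instead of turning verification off. The five `*_mac` variables default to `""`, which lets `terraform apply` proceed and try to create the `omada_dhcp_static` leases in the main.tf hunk with empty MAC addresses; drop the defaults so Terraform prompts for them, or add a `validation` block to each with `condition = can(regex("^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$", var.truenas_mac))` and a matching `error_message`. The same secret-hygiene concern applies to the docs/NEXT_STEPS.md hunk, which commits a plaintext admin password for Uptime Kuma; that credential should be rotated and the line removed from the file and from history, consistent with the repository's own TASK-DOCS-01 to move secrets into Vault/pass.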