gaia/homelab
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: inicial IaC - estrutura base + Docker Compose + Ansible

Browse Source 
- Estrutura Terraform para ER605/Omada
- Ansible inventory e role base para Dockerino
- Docker Compose files para todos os serviços do Dockerino
- Docker Compose para Media stack (Jellyfin, Sonarr, Radarr, etc)
- Documentação ARCHITECTURE.md e NEXT_STEPS.md (via Héstia)
This commit is contained in:
gaia 2026-04-09 01:06:05 -03:00
parent a8c2f09b42
commit 893e7dba7c
23 changed files with 1644 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
README.md
View File

@ -1,3 +1,132 @@
# homelab # Homelab — Infraestrutura como Código
Infraestrutura como Código do Homelab - Terraform, Ansible, Docker Compose > Guardiã: **Gaia** (Agente Hermes)
> Mantido por: João Paulo Ferreira (jp@iamferreirajp.com)
> Repositório Base: [gaia/homelab](https://gitea.hackerfortress.cc/gaia/homelab)
## Visão Geral
Este repositório contém toda a infraestrutura do homelab em formato de **Infraestrutura como Código (IaC)**. O objetivo é ter todo o ambiente versionado, documentado e reproduzível.
### Hardware do Homelab
| Máquina | IP | Função Principal |
|---------|-----|------------------|
| TrueNAS | 10.0.0.30 | NAS, n8n, Uptime Kuma |
| Proxmox | 10.0.0.20 | Hypervisor (VMs) |
| Dockerino | 10.0.0.50 | Docker Host (NPM, AdGuard, etc) |
| Media | 10.0.0.36 | Jellyfin, Sonarr, Radarr, etc |
| Home Assistant | 10.0.0.100 | Automação residencial |
| ER605 (Omada) | 10.0.0.1 | Router/Gateway |
### Topologia de Rede
- **VLAN1 (Infra):** 10.0.0.0/24 — Servidores
- **VLAN10 (Geral):** 10.0.10.0/24 — Computadores, celulares
- **VLAN20 (IOT):** 10.0.20.0/24 — Dispositivos IoT
- **VLAN30 (Guests):** 10.0.30.0/24 — Visitantes
## Estrutura do Repositório
```
homelab/
├── terraform/ # Terraform para recursos de nuvem/rede
│ ├── er605/ # Router TP-Link ER605 (Omada Controller)
│ ├── truenas/ # TrueNAS
│ ├── proxmox/ # Proxmox
│ └── adguard/ # AdGuard Home
├── ansible/ # Ansible para configuração de VMs
│ ├── roles/ # Roles reutilizáveis
│ └── playbooks/ # Playbooks principais
├── docker/ # Docker Compose files
│ ├── dockerino/ # Stack do Dockerino (10.0.0.50)
│ │ ├── nginx/ # Nginx Proxy Manager
│ │ ├── adguard/ # AdGuard Home
│ │ ├── outline/ # Outline Wiki
│ │ ├── bookstack/ # BookStack
│ │ └── ...
│ └── media/ # Stack de mídia (10.0.0.36)
│ └── docker-compose.yml
└── docs/ # Documentação adicional
├── ARCHITECTURE.md # Arquitetura detalhada
└── NEXT_STEPS.md # Próximos passos
```
## Quick Start
### Clonar o Repositório
```bash
git clone https://gitea.hackerfortress.cc/gaia/homelab.git
cd homelab
```
### Aplicar Terraform
```bash
cd terraform/er605
terraform init
terraform plan
terraform apply
```
### Aplicar Ansible
```bash
cd ansible
ansible-playbook playbooks/setup-dockerino.yml
```
### Subir Docker Stacks
```bash
cd docker/dockerino/nginx
docker compose up -d
```
## Serviços
### Dockerino (10.0.0.50)
| Serviço | Porta | Domínio |
|---------|-------|---------|
| Nginx Proxy Manager | 80, 443 | proxy.hackerfortress.cc |
| AdGuard Home | 3000 | adguard.hackerfortress.cc |
| Outline Wiki | 3001 | outline.hackerfortress.cc |
| BookStack | 8082 | bookstack.hackerfortress.cc |
| Homer | 8090 | (internal) |
| HomeBox | 3100 | homebox.hackerfortress.cc |
| FlatNotes | 8089 | flatnotes.hackerfortress.cc |
| Picsur | 8091 | picsur.hackerfortress.cc |
| Speedtest | 8765 | speedtest.hackerfortress.cc |
| Omada Controller | 8043 | omada.hackerfortress.cc |
| Twingate | - | VPN |
### Media (10.0.0.36)
| Serviço | Porta | Domínio |
|---------|-------|---------|
| Jellyfin | 8096 | jellyfin.hackerfortress.cc |
| Sonarr | 8989 | sonarr.hackerfortress.cc |
| Radarr | 7878 | radarr.hackerfortress.cc |
| Prowlarr | 9696 | prowlarr.hackerfortress.cc |
| Bazarr | 6767 | bazarr.hackerfortress.cc |
| qBittorrent | 5080 | qbittorrent.hackerfortress.cc |
### TrueNAS (10.0.0.30)
| Serviço | Porta |
|---------|-------|
| SSH | 22 |
| WebUI | 443 |
| n8n | 30109 |
| Uptime Kuma | 31050 |
## Mantenedores
- **Gaia** — Guardiã da IaC (este repositório)
- **Héstia** — Documentação e arquitetura original
## Licença
MIT

27
ansible/inventory.yml Normal file
View File

@ -0,0 +1,27 @@
# Ansible Inventory for Homelab
all:
children:
homelab:
children:
infrastructure:
hosts:
truenas:
ansible_host: 10.0.0.30
ansible_user: root
proxmox:
ansible_host: 10.0.0.20
ansible_user: root
dockerino:
ansible_host: 10.0.0.50
ansible_user: root
media:
ansible_host: 10.0.0.36
ansible_user: root
homeassistant:
ansible_host: 10.0.0.100
ansible_user: root
vars:
ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
ansible_python_interpreter: /usr/bin/python3

9
ansible/playbooks/setup-dockerino.yml Normal file
View File

@ -0,0 +1,9 @@
---
# Playbook para setup do Dockerino
- name: Setup Dockerino
hosts: dockerino
become: yes
roles:
- dockerino
vars:
dockerino_ip: 10.0.0.50

61
ansible/roles/dockerino/tasks/main.yml Normal file
View File

@ -0,0 +1,61 @@
---
# Ansible role for Dockerino setup
- name: Ensure Docker is installed
apt:
name:
- docker.io
- docker-compose
state: present
update_cache: yes
- name: Ensure Docker service is running
systemd:
name: docker
state: started
enabled: yes
- name: Create Docker network
community.docker.docker_network:
name: homelab-network
driver: bridge
driver_options:
com.docker.network.bridge.name: br-homelab
ipam_options:
- subnet: 172.20.0.0/16
- name: Create Dockerino directories
file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- /root/dockerino
- /root/dockerino/nginx
- /root/dockerino/nginx/data
- /root/dockerino/nginx/letsencrypt
- /root/dockerino/nginx/mysql
- /root/dockerino/adguard
- /root/dockerino/adguard/work
- /root/dockerino/adguard/conf
- /root/dockerino/outline
- /root/dockerino/outline/postgres-data
- /root/dockerino/outline/redis-data
- /root/dockerino/outline/minio-data
- /root/dockerino/bookstack
- /root/dockerino/bookstack/mysql-data
- /root/dockerino/flatnotes
- /root/dockerino/flatnotes/data
- /root/dockerino/flatnotes/notes
- /root/dockerino/homer
- /root/dockerino/homer/assets
- /root/dockerino/homebox
- /root/dockerino/homebox/data
- /root/dockerino/omada-controller
- /root/dockerino/omada-controller/data
- /root/dockerino/omada-controller/logs
- /root/dockerino/picsur
- /root/dockerino/picsur/data
- /root/dockerino/speedtest
- /root/dockerino/speedtest/data
- /root/dockerino/twingate

16
docker/dockerino/adguard/docker-compose.yml Normal file
View File

@ -0,0 +1,16 @@
version: '3.8'
services:
adguardhome:
image: adguard/adguardhome:latest
container_name: adguardhome
restart: unless-stopped
network_mode: host
volumes:
- ./work:/opt/adguardhome/work
- ./conf:/opt/adguardhome/conf
environment:
- TZ=America/Sao_Paulo
# NOTA: AdGuard usa network_mode=host para绑定的 porta 53 e 3000
# Não funciona em networks convenientes

47
docker/dockerino/bookstack/docker-compose.yml Normal file
View File

@ -0,0 +1,47 @@
version: '3.8'
services:
bookstack-mysql:
image: mysql:8.3
container_name: bookstack-mysql
restart: unless-stopped
environment:
MYSQL_ROOT_PASSWORD: ${BOOKSTACK_DB_ROOT:-rootpassword}
MYSQL_DATABASE: bookstack
MYSQL_USER: bookstack
MYSQL_PASSWORD: ${BOOKSTACK_DB_PASSWORD:-bookstack123}
volumes:
- ./mysql-data:/var/lib/mysql
healthcheck:
test: ["CMD-SHELL", "mysqladmin ping -h localhost"]
interval: 10s
timeout: 5s
retries: 5
bookstack:
image: solidnerd/bookstack:latest
container_name: bookstack
restart: unless-stopped
ports:
- "8082:8080"
depends_on:
bookstack-mysql:
condition: service_healthy
environment:
DB_HOST: bookstack-mysql
DB_DATABASE: bookstack
DB_USERNAME: bookstack
DB_PASSWORD: ${BOOKSTACK_DB_PASSWORD:-bookstack123}
APP_KEY: ${BOOKSTACK_APP_KEY:-base64:CHANGE_ME}
APP_URL: https://bookstack.hackerfortress.cc
TZ: America/Sao_Paulo
healthcheck:
test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:8080 || exit 1"]
interval: 30s
timeout: 10s
retries: 3
networks:
default:
name: homelab-network
external: true

23
docker/dockerino/flatnotes/docker-compose.yml Normal file
View File

@ -0,0 +1,23 @@
version: '3.8'
services:
flatnotes:
image: dullage/flatnotes:latest
container_name: flatnotes
restart: unless-stopped
ports:
- "8089:8080"
volumes:
- ./data:/data
- ./notes:/notes
environment:
FLATNOTES_AUTH_TYPE: ${FLATNOTES_AUTH_TYPE:-password}
FLATNOTES_PASSWORD: ${FLATNOTES_PASSWORD:-changeme}
FLATNOTES_PORT: 8080
FLATNOTES_HOST: 0.0.0.0
TZ: America/Sao_Paulo
networks:
default:
name: homelab-network
external: true

19
docker/dockerino/homebox/docker-compose.yml Normal file
View File

@ -0,0 +1,19 @@
version: '3.8'
services:
homebox:
image: ghcr.io/hay-kot/homebox:latest
container_name: homebox
restart: unless-stopped
ports:
- "3100:7745"
volumes:
- ./data:/data
environment:
HBOX_CONFIG: /data/config.yml
TZ: America/Sao_Paulo
networks:
default:
name: homelab-network
external: true

112
docker/dockerino/homer/config.yml Normal file
View File

@ -0,0 +1,112 @@
# Homer Dashboard Configuration
# Access: http://homer.hackerfortress.cc (via NPM)
subtitle: "Homelab Dashboard"
title: "Hacker Fortress"
logo: "https://raw.githubusercontent.com/bastienwirtz/homer/master/public/img/logo.svg"
# Optional theme
# theme: default (default), dark, light, mono
theme: dark
# Header decoration
header: true
footer: '<p>Hacker Fortress Homelab · Powered by <a href="https://github.com/bastienwirtz/homer">Homer</a></p>'
# Columns
columns: 3
# Services
services:
- name: "Media"
icon: "fas fa-play"
items:
- name: "Jellyfin"
type: "Ping"
logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/images/jellyfin-icon.png"
url: "http://10.0.0.36:8096"
subtitle: "Media Server"
- name: "Sonarr"
type: "Ping"
url: "http://10.0.0.36:8989"
subtitle: "TV Series"
- name: "Radarr"
type: "Ping"
url: "http://10.0.0.36:7878"
subtitle: "Movies"
- name: "Prowlarr"
type: "Ping"
url: "http://10.0.0.36:9696"
subtitle: "Indexer"
- name: "qBittorrent"
type: "Ping"
url: "http://10.0.0.36:5080"
subtitle: "Downloads"
- name: "Infrastructure"
icon: "fas fa-server"
items:
- name: "TrueNAS"
type: "Ping"
url: "https://truenas.hackerfortress.cc"
subtitle: "NAS & Apps"
- name: "Proxmox"
type: "Ping"
url: "https://proxmox.hackerfortress.cc:8006"
subtitle: "Hypervisor"
- name: "Omada Controller"
type: "Ping"
url: "https://omada.hackerfortress.cc"
subtitle: "Router"
- name: "Productivity"
icon: "fas fa-briefcase"
items:
- name: "Outline Wiki"
type: "Ping"
url: "https://outline.hackerfortress.cc"
subtitle: "Documentation"
- name: "BookStack"
type: "Ping"
url: "https://bookstack.hackerfortress.cc"
subtitle: "Wiki"
- name: "n8n"
type: "Ping"
url: "https://n8n.hackerfortress.cc"
subtitle: "Workflows"
- name: "Home Automation"
icon: "fas fa-home"
items:
- name: "Home Assistant"
type: "Ping"
url: "https://homeassistant.hackerfortress.cc"
subtitle: "HA Core"
- name: "Monitoring"
icon: "fas fa-chart-line"
items:
- name: "Uptime Kuma"
type: "Ping"
url: "https://uptime.hackerfortress.cc"
subtitle: "Status"
- name: "Speedtest"
type: "Ping"
url: "https://speedtest.hackerfortress.cc"
subtitle: "Speed"
- name: "Tools"
icon: "fas fa-tools"
items:
- name: "AdGuard"
type: "Ping"
url: "https://adguard.hackerfortress.cc"
subtitle: "DNS"
- name: "HomeBox"
type: "Ping"
url: "https://homebox.hackerfortress.cc"
subtitle: "Inventory"
- name: "Picsur"
type: "Ping"
url: "https://picsur.hackerfortress.cc"
subtitle: "Images"

19
docker/dockerino/homer/docker-compose.yml Normal file
View File

@ -0,0 +1,19 @@
version: '3.8'
services:
homer:
image: b4bz/homer:latest
container_name: homer
restart: unless-stopped
ports:
- "8090:8080"
volumes:
- ./assets:/assets
- ./config.yml:/assets/config.yml:ro
environment:
TZ: America/Sao_Paulo
networks:
default:
name: homelab-network
external: true

7
docker/dockerino/nginx/.env.example Normal file
View File

@ -0,0 +1,7 @@
# Nginx Proxy Manager
NGINX_DB_PASSWORD=npmpassword
NGINX_ROOT_PASSWORD=rootpassword
# Rede
COMPOSE_PROJECT_NAME=homelab
NETWORK_NAME=homelab-network

39
docker/dockerino/nginx/docker-compose.yml Normal file
View File

@ -0,0 +1,39 @@
version: '3.8'
services:
nginx:
image: 'jc21/nginx-proxy-manager:latest'
container_name: nginx
restart: unless-stopped
ports:
- '80:80'
- '81:81'
- '443:443'
environment:
DB_MYSQL_HOST: nginx-db
DB_MYSQL_PORT: 3306
DB_MYSQL_USER: npm
DB_MYSQL_PASSWORD: ${NGINX_DB_PASSWORD:-npmpassword}
DB_MYSQL_NAME: npm
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
depends_on:
- nginx-db
nginx-db:
image: 'jc21/mariadb:latest'
container_name: nginx-db
restart: unless-stopped
environment:
MYSQL_ROOT_PASSWORD: ${NGINX_ROOT_PASSWORD:-rootpassword}
MYSQL_DATABASE: npm
MYSQL_USER: npm
MYSQL_PASSWORD: ${NGINX_DB_PASSWORD:-npmpassword}
volumes:
- ./mysql:/var/lib/mysql
networks:
default:
name: homelab-network
external: true

16
docker/dockerino/omada-controller/docker-compose.yml Normal file
View File

@ -0,0 +1,16 @@
version: '3.8'
services:
omada-controller:
image: mbentley/omada-controller:latest
container_name: omada-controller
restart: unless-stopped
network_mode: host
volumes:
- ./data:/opt/tplink/OMADA/data
- ./logs:/opt/tplink/OMADA/logs
environment:
TZ: America/Sao_Paulo
# NOTA: Usa network_mode=host para acessar portas específicas do Omada Controller
# Porta principal: 8043 (HTTPS), 8088 (HTTP), 29810 (UDP)

95
docker/dockerino/outline/docker-compose.yml Normal file
View File

@ -0,0 +1,95 @@
version: '3.8'
services:
outline-postgres:
image: postgres:15-alpine
container_name: outline-postgres
restart: unless-stopped
environment:
POSTGRES_USER: outline
POSTGRES_PASSWORD: ${OUTLINE_DB_PASSWORD:-outline123}
POSTGRES_DB: outline
volumes:
- ./postgres-data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U outline"]
interval: 10s
timeout: 5s
retries: 5
outline-redis:
image: redis:7-alpine
container_name: outline-redis
restart: unless-stopped
volumes:
- ./redis-data:/data
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
timeout: 5s
retries: 5
outline-minio:
image: quay.io/minio/minio:latest
container_name: outline-minio
restart: unless-stopped
command: server /data --console-address ":9001"
environment:
MINIO_ROOT_USER: ${MINIO_ROOT_USER:-outline}
MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-outline123}
volumes:
- ./minio-data:/data
healthcheck:
test: ["CMD", "mc", "ready", "local"]
interval: 10s
timeout: 5s
retries: 5
outline-minio-init:
image: quay.io/minio/mc:latest
container_name: outline-minio-init
depends_on:
outline-minio:
condition: service_healthy
entrypoint: |
/bin/sh -c "
sleep 5;
mc alias set myminio http://outline-minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD};
mc mb myminio/outline --ignore-existing;
mc anonymous set download myminio/outline;
exit 0;
"
outline:
image: outlinewiki/outline:latest
container_name: outline
restart: unless-stopped
ports:
- "3001:3000"
depends_on:
outline-postgres:
condition: service_healthy
outline-redis:
condition: service_healthy
outline-minio:
condition: service_healthy
environment:
DATABASE_URL: postgres://outline:${OUTLINE_DB_PASSWORD:-outline123}@outline-postgres:5432/outline
REDIS_URL: redis://outline-redis:6379
MINIO_SERVER: http://outline-minio:9000
MINIO_ACCESS_KEY: ${MINIO_ROOT_USER:-outline}
MINIO_SECRET_KEY: ${MINIO_ROOT_PASSWORD:-outline123}
SECRET_KEY: ${OUTLINE_SECRET_KEY:-change-me-in-production}
URL: https://outline.hackerfortress.cc
PORT: 3000
TZ: America/Sao_Paulo
healthcheck:
test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:3000 || exit 1"]
interval: 30s
timeout: 10s
retries: 3
networks:
default:
name: homelab-network
external: true

18
docker/dockerino/picsur/docker-compose.yml Normal file
View File

@ -0,0 +1,18 @@
version: '3.8'
services:
picsur:
image: ghcr.io/caramelfur/picsur:latest
container_name: picsur
restart: unless-stopped
ports:
- "8091:8080"
volumes:
- ./data:/data
environment:
TZ: America/Sao_Paulo
networks:
default:
name: homelab-network
external: true

23
docker/dockerino/speedtest/docker-compose.yml Normal file
View File

@ -0,0 +1,23 @@
version: '3.8'
services:
speedtest:
image: henrywhitaker3/speedtest-tracker:latest
container_name: speedtest
restart: unless-stopped
ports:
- "8765:80"
volumes:
- ./data:/data
environment:
TZ: America/Sao_Paulo
healthcheck:
test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost || exit 1"]
interval: 30s
timeout: 10s
retries: 3
networks:
default:
name: homelab-network
external: true

16
docker/dockerino/twingate/docker-compose.yml Normal file
View File

@ -0,0 +1,16 @@
version: '3.8'
services:
twingate:
image: twingate/connector:latest
container_name: twingate
restart: unless-stopped
network_mode: host
environment:
TWINGATE_NETWORK: ${TWINGATE_NETWORK:-}
TWINGATE_ACCESS_TOKEN: ${TWINGATE_ACCESS_TOKEN:-}
TWINGATE_REFRESH_TOKEN: ${TWINGATE_REFRESH_TOKEN:-}
# NOTA: healthcheck desabilitado pois Twingate não expõe endpoint HTTP
# O container é considered healthy mesmo sem resposta HTTP
healthcheck:
disable: true

116
docker/media/docker-compose.yml Normal file
View File

@ -0,0 +1,116 @@
version: '3.8'
services:
qbittorrent:
image: lscr.io/linuxserver/qbittorrent:latest
container_name: qbittorrent
restart: unless-stopped
ports:
- "5080:8080"
- "6881:6881"
- "6881:6881/udp"
volumes:
- ./config/qbittorrent:/config
- /mnt/share-media/downloads:/downloads
environment:
PUID: 1000
PGID: 1000
TZ: America/Sao_Paulo
networks:
mynetwork:
ipv4_address: 172.19.0.2
sonarr:
image: linuxserver/sonarr:latest
container_name: sonarr
restart: unless-stopped
ports:
- "8989:8989"
volumes:
- ./config/sonarr:/config
- /mnt/share-media:/media
- /mnt/share-media/downloads:/downloads
environment:
PUID: 1000
PGID: 1000
TZ: America/Sao_Paulo
networks:
mynetwork:
ipv4_address: 172.19.0.3
prowlarr:
image: linuxserver/prowlarr:latest
container_name: prowlarr
restart: unless-stopped
ports:
- "9696:9696"
volumes:
- ./config/prowlarr:/config
environment:
PUID: 1000
PGID: 1000
TZ: America/Sao_Paulo
networks:
mynetwork:
ipv4_address: 172.19.0.4
radarr:
image: linuxserver/radarr:latest
container_name: radarr
restart: unless-stopped
ports:
- "7878:7878"
volumes:
- ./config/radarr:/config
- /mnt/share-media:/media
- /mnt/share-media/downloads:/downloads
environment:
PUID: 1000
PGID: 1000
TZ: America/Sao_Paulo
networks:
mynetwork:
ipv4_address: 172.19.0.5
bazarr:
image: linuxserver/bazarr:latest
container_name: bazarr
restart: unless-stopped
ports:
- "6767:6767"
volumes:
- ./config/bazarr:/config
- /mnt/share-media:/media
environment:
PUID: 1000
PGID: 1000
TZ: America/Sao_Paulo
networks:
mynetwork:
ipv4_address: 172.19.0.6
jellyfin:
image: linuxserver/jellyfin:latest
container_name: jellyfin
restart: unless-stopped
ports:
- "8096:8096"
- "8920:8920"
- "7359:7359/udp"
volumes:
- ./config/jellyfin:/config
- /mnt/share-media:/media
environment:
PUID: 1000
PGID: 1000
TZ: America/Sao_Paulo
networks:
mynetwork:
ipv4_address: 172.19.0.7
networks:
mynetwork:
driver: bridge
ipam:
config:
- subnet: 172.19.0.0/16

570
docs/ARCHITECTURE.md Normal file
View File

@ -0,0 +1,570 @@
# HESTIA — Homelab Infrastructure Documentation
> Guardiã do homelab. Documentação viva e evolutiva.
> Última atualização: 2026-04-08 19:50
> Responsável: Héstia (Claude Code via MiniMax-M2.7)
---
## 1. TOPOLOGIA DE REDE
### 1.1 Segmentos VLAN
| VLAN | Nome | Range IP | Gateway | Função |
|------|------|----------|---------|--------|
| 1 (default) | INFRAESTRUTURA | 10.0.0.1/24 | 10.0.0.1 | Servidores, Proxmox, TrueNAS |
| 10 | GERAL | 10.0.10.1/24 | 10.0.10.1 | Computadores, celulares |
| 20 | IOT | 10.0.20.1/24 | 10.0.20.1 | Dispositivos IoT |
| 30 | GUESTS | 10.0.30.1/24 | 10.0.30.1 | Visitantes |
### 1.2 Gateway/Router
- **Device:** TP-Link ER605 (controlado via Omada Controller)
- **WAN:** Loadbalancer dual ISP (OI + Starlink)
- **LAN:** 10.0.0.1 (VLAN1), 10.0.10.1 (VLAN10), 10.0.20.1 (VLAN20), 10.0.30.1 (VLAN30)
- **DHCP:** Estático por MAC no Omada Controller
### 1.3 DNS/Proxy
- **Adguard Home:** Roteia `*.hackerfortress.cc` internamente para serviços com SSL
- **Nginx Proxy Manager:** Terminção SSL dos serviços internos
- **Domínio:** hackerfortress.cc
### 1.4 Acesso Externo
- **Twingate:** VPN para acessar infraestrutura remotamente (TrueNAS, Proxmox)
- **Tailscale:** VPN mesh para VPS externas (não usado no homelab)
- **NordVPN:** Expirou — necessidade de migrar para WireGuard (TODO)
---
## 2. MÁQUINAS E HARDWARE
### 2.1 TrueNAS (NAS + Apps)
| Atributo | Valor |
|----------|-------|
| **Hostname** | truenas |
| **IP** | 10.0.0.30 |
| **Sistema** | TrueNAS SCALE (Debian 12 Bookworm) |
| **Kernel** | 6.12.15-production+truenas |
| **Uptime** | 3h 54min |
| **CPU** | Intel Xeon E5-2650 v4 @ 2.20GHz (24 cores, 48 threads) |
| **RAM** | 31 GiB total (5.3 GiB usado, 25 GiB disponível) |
| **SSH** | Habilitado (porta 22, usuário root) |
**Storage Pools:**
| Pool | Size | Used | Free | Health | Mountpoint |
|------|------|------|------|--------|------------|
| Ikky | 2.72T | 1.32T (48%) | 1.40T | ONLINE | /mnt/Ikky |
| Hyoga | 1.81T | 1.09T (60%) | 741G | ONLINE | /mnt/mnt/Hyoga |
| boot-pool | 236G | 5.91G (2%) | 230G | ONLINE | - |
**Datasets principais:**
- `Ikky/data` — 199G usado (compartilhamento SMB)
- `Ikky/.system` — configurações do sistema TrueNAS
- `Ikky/ix-apps` — apps catalog (contém n8n e uptime-kuma datasets)
- `Hyoga/media` — 923G de mídia (backup final 2025-12-05)
- `Hyoga/raidfortress` — 192G
**Portas abertas:**
| Porta | Serviço |
|-------|---------|
| 22 | SSH |
| 80/443 | Nginx (TrueNAS WebUI + reverse proxy) |
| 445/139 | Samba |
| 3260 | iSCSI |
| 5357 | wsdd (Web Services Discovery) |
| 6000 | TrueNAS API (middleware) |
| 6999 | netdata |
**Serviços de App (ix-apps):**
- **n8n** — datasets em `/mnt/.ix-apps/app_mounts/n8n/` (múltiplas versões snapshots)
- **uptime-kuma** — dataset em `/mnt/.ix-apps/app_mounts/uptime-kuma/`
- ✅ **FIXED (2026-04-08):** ix-apps datasets agora montam automaticamente com canmount=on
### 2.2 Proxmox (Hypervisor)
| Atributo | Valor |
|----------|-------|
| **Hostname** | pve |
| **IP** | 10.0.0.20 |
| **Sistema** | Proxmox VE 8.4.17 |
| **Kernel** | 6.8.12-9-pve |
| **Uptime** | 3h 54min |
| **CPU** | AMD Ryzen 7 2700 Eight-Core (8 cores, 16 threads) |
| **RAM** | 32 GiB total (26 GiB usado, 5.0 GiB disponível) |
| **Swap** | 8 GiB |
| **SSH** | Habilitado (porta 22, usuário root) |
| **Interface Web** | Porta 8006 |
**Disco:**
- `/dev/sda` — 223.6G
- sda1: 1M (BIOS boot)
- sda2: 1G (/boot/efi)
- sda3: 222.6G (LVM)
- pve-swap: 8G
- pve-root: 65.6G (/)
- pve-data: 130.3G (LVM-thin)
**Storages:**
| Storage | Type | Size | Used | Available |
|---------|------|------|------|-----------|
| local | dir | 31.2G | - | 64.1G |
| local-lvm | lvmthin | 130.3G | 102.8G | 26.7G |
**VMs:**
| VMID | Nome | Status | vCPUs | RAM | Disk | Uptime |
|------|------|--------|-------|-----|------|--------|
| 100 | homeassistant | running | 4 | 4 GB | 32 GB | 3h 38min |
| 102 | dockerino | running | 8 | 10 GB | 74 GB | 3h 38min |
| 103 | media | running | 8 | 16 GB | 64 GB | 3h 37min |
### 2.3 Dockerino (VM Proxmox)
| Atributo | Valor |
|----------|-------|
| **Hostname** | dockerino |
| **IP** | 10.0.0.50 |
| **Sistema** | Debian (5.10.0-23-amd64) |
| **Uptime** | 3h 54min |
| **CPU** | 8 vCPUs (Common KVM processor) |
| **RAM** | 9.7 GiB (4.5 GiB usado, 4.8 GiB disponível) |
| **Disk** | 31G (/dev/sda1) — 90% usado |
| **Docker** | Docker version 28.5.0 |
| **Compose** | Multi-stack em `/root/dockerino/` |
**Docker Stacks em `/root/dockerino/`:**
- `nginx/` — Nginx Proxy Manager
- `adguard/` — Adguard Home
- `bookstack/` — BookStack (com MySQL)
- `outline/` — Outline Wiki (PostgreSQL + Redis + MinIO)
- `flatnotes/` — FlatNotes
- `homer/` — Homer (dashboard)
- `homebox/` — HomeBox (inventory)
- `omada-controller/` — TP-Link Omada Controller
- `picsur/` — Picsur (image hosting)
- `speedtest/` — Speedtest Tracker
- `twingate/` — Twingate Connector
**Containers ativos:**
| Container | Status | Ports | Imagem |
|-----------|--------|-------|--------|
| outline | healthy | 3001 | outlinewiki/outline:latest |
| outline-minio | healthy | 9000-9001 | quay.io/minio/minio |
| outline-postgres | healthy | 5432 | postgres:15-alpine |
| outline-redis | healthy | 6379 | redis:7-alpine |
| bookstack | healthy | 8082→80 | solidnerd/bookstack:latest |
| picsur | healthy | 8091→8080 | ghcr.io/caramelfur/picsur:latest |
| homer | healthy | 8090→8080 | b4bz/homer:latest |
| twingate | healthy | - | twingate/connector:latest |
| mysql | healthy | 3306 | mysql:8.3 |
| speedtest | healthy | 8765→80 | henrywhitaker3/speedtest-tracker:latest |
| nginx | healthy | 80-81, 443 | jc21/nginx-proxy-manager:latest |
| omada-controller | healthy | network_mode=host | mbentley/omada-controller:latest |
| homebox | healthy | 3100→7745 | ghcr.io/hay-kot/homebox:latest |
| flatnotes | healthy | 8089→8080 | dullage/flatnotes:latest |
| postgres | healthy | 5432 | postgres:14-alpine |
| adguardhome | healthy | network_mode=host | adguard/adguardhome:latest |
**⚠️ Alertas:**
- `twingate` unhealthy — healthcheck não configurado corretamente (o Twingate não tem endpoint HTTP para verificar)
### 2.4 Media (VM Proxmox)
| Atributo | Valor |
|----------|-------|
| **Hostname** | media |
| **IP** | 10.0.0.36 |
| **Sistema** | Debian (5.10.0-26-amd64) |
| **Uptime** | 3h 54min |
| **CPU** | 8 vCPUs (Common KVM processor) |
| **RAM** | 15 GiB (1.1 GiB usado, 13 GiB disponível) |
| **Disk** | 62G (/dev/sda2) — 83% usado |
| **Docker** | Docker version 28.4.0 |
| **Compose** | `/root/homefortress-media/docker-compose.yml` |
**Docker Stack:**
Rede customizada `mynetwork` (172.19.0.0/16)
| Container | Status | Ports | Imagem |
|-----------|--------|-------|--------|
| ~~ollama~~ | ~~removed~~ | ~~11434~~ | ~~ollama/ollama:latest~~ |
| bazarr | healthy | 6767 | linuxserver/bazarr:latest |
| jellyfin | healthy | 8096, 8920, 7359/udp | linuxserver/jellyfin:latest |
| prowlarr | healthy | 9696 | linuxserver/prowlarr:latest |
| sonarr | healthy | 8989 | linuxserver/sonarr:latest |
| radarr | healthy | 7878 | linuxserver/radarr:latest |
| qbittorrent | healthy | 5080, 6881 | lscr.io/linuxserver/qbittorrent:latest |
**⚠️ Alertas:**
- Nenhum — Ollama foi removido (2026-04-08)
**Nota sobre Jellyfin:** Tentou usar GPU passthrough (NVIDIA) mas não funcionou. Não há GPU física nesta VM — inference via CPU apenas.
### 2.5 Home Assistant (VM Proxmox)
| Atributo | Valor |
|----------|-------|
| **VMID** | 100 |
| **Hostname** | homeassistant |
| **IP** | 10.0.0.100 |
| **Status** | running |
| **Sistema** | Linux (EFI boot, machine q35) |
| **vCPUs** | 4 (x86-64-v2-AES) |
| **RAM** | 4 GB |
| **Disk** | 32 GB (local-lvm) |
| **Network** | virtio, bridge vmbr0 |
| **Boot** | EFI, startup order=1 |
| **Uptime** | 3h 38min |
**Acesso:** Via Proxmox (`qm guest exec 100`)
---
## 3. MAPEAMENTO DE SERVIÇOS
### 3.1 Por Máquina
**TrueNAS (10.0.0.30):**
| Serviço | Porta | Status | Notas |
|---------|-------|--------|-------|
| SSH | 22 | ✅ | Acesso root |
| TrueNAS WebUI | 443 | ✅ | SSL default |
| Samba | 445, 139 | ✅ | Compartilhamento Ikky/data |
| iSCSI | 3260 | ✅ | SCST target |
| netdata | 6999 | ✅ | Monitoramento |
| n8n | 30109 | ✅ | Working (2026-04-08) |
| Uptime Kuma | 31050 | ✅ | Working (2026-04-08) |
**Dockerino (10.0.0.50):**
| Serviço | Porta | URL | Status |
|---------|-------|-----|--------|
| Nginx Proxy Manager | 80, 443 | - | ✅ |
| Outline Wiki | 3001 | - | ✅ |
| BookStack | 8082 | bookstack.hackerfortress.cc | ✅ |
| Omada Controller | host | - | ✅ |
| Adguard Home | host | - | ✅ |
| HomeBox | 3100 | homebox.hackerfortress.cc | ✅ |
| FlatNotes | 8089 | flatnotes.hackerfortress.cc | ✅ |
| Homer | 8090 | - | ✅ |
| Picsur | 8091 | - | ✅ |
| Speedtest | 8765 | - | ✅ |
| MySQL | 3306 | - | ✅ |
| PostgreSQL | 5432 | - | ✅ |
| MinIO | 9000, 9001 | - | ✅ |
| Twingate | - | - | ✅ healthy |
**Media (10.0.0.36):**
| Serviço | Porta | URL | Status |
|---------|-------|-----|--------|
| Jellyfin | 8096, 8920 | media.hackerfortress.cc | ✅ |
| Sonarr | 8989 | - | ✅ |
| Radarr | 7878 | - | ✅ |
| Prowlarr | 9696 | - | ✅ |
| Bazarr | 6767 | - | ✅ |
| qBittorrent | 5080 | - | ✅ |
| Ollama | 11434 | - | ⚠️ unhealthy (remover) |
**Home Assistant (10.0.0.100):**
| Serviço | Porta | URL | Status |
|---------|-------|-----|--------|
| Home Assistant | 8123 | homeassistant.hackerfortress.cc | ✅ |
### 3.2 Por Domínio (hackerfortress.cc)
**SSL:** Let's Encrypt via Nginx Proxy Manager (cert ID 75: `*.hackerfortress.cc`, expira 2026-05-27)
| Subdomínio | Destino NPM | Observação |
|------------|-------------|------------|
| proxmox.* | 10.0.0.20:8006 | HTTPS, WebUI Proxmox |
| proxy.* | nginx:81 | NPM Admin Interface |
| speedtest.* | speedtest:80 | Speedtest Tracker |
| homeassistant.* | 10.0.0.100:8123 | Home Assistant |
| qbittorrent.* | 10.0.0.36:5080 | qBittorrent |
| prowlarr.* | 10.0.0.36:9696 | Prowlarr |
| radarr.* | 10.0.0.36:7878 | Radarr |
| sonarr.* | 10.0.0.36:8989 | Sonarr |
| jellyfin.* | 10.0.0.36:8096 | Jellyfin |
| homebox.* | homebox:7745 | HomeBox Inventory |
| picsur.* | 10.0.0.50:8091 | Picsur |
| omada.* | 10.0.0.50:8043 | HTTPS, Omada Controller |
| n8n.* | 10.0.0.30:30109 | n8n Workflow |
| adguard.* | 10.0.0.50:3000 | AdGuard Home |
| flatnotes.* | flatnotes:8080 | FlatNotes |
| truenas.* | 10.0.0.30:80 | TrueNAS WebUI |
| uptime.* | 10.0.0.30:31050 | Uptime Kuma |
| bookstack.* | bookstack:8080 | BookStack Wiki |
| bazarr.* | 10.0.0.36:6767 | Bazarr |
| outline.* | 10.0.0.50:3001 | Outline Wiki |
| mcp-outline.* | 10.0.0.50:8080 | MCP Outline |
| ollama.* | 10.0.0.36:11434 | Ollama |
| openclaw.* | 10.0.10.100:18789 | OpenClaw |
| (root) | homer:8080 | Homer Dashboard |
**DNS:** AdGuard Home resolve todos `*.hackerfortress.cc` → 10.0.0.50 (dockerino), exceto `openclaw.*` → 10.0.10.100. O NPM faz o roteamento interno final.
### 3.3 Diagrama de Infraestrutura
```mermaid
graph TB
subgraph INTERNET["🌐 INTERNET"]
OI["ISP OI"]
STARLINK["Starlink"]
end
subgraph ROUTER["📡 ER605 Omada"]
GW["Gateway / Load Balance\n10.0.0.1"]
end
subgraph HESTIA["hestia · 10.0.10.100"]
HERMES["🤖 Hermes Agent\n(Telegram)"]
NPM["🔀 Nginx Proxy Manager\n:81"]
ADGUARD["🛡️ AdGuard Home\n:3053"]
end
subgraph TRUENAS["TrueNAS · 10.0.0.30"]
N8N["⚙️ n8n\n:30109"]
KUMA["📊 Uptime Kuma\n:31050"]
TN_UI["TrueNAS UI\n:443"]
end
subgraph DOCKERINO["dockerino · 10.0.0.50"]
GITEA["📝 Gitea\n:3080/2222"]
POSTGRES["🗄️ PostgreSQL\n:5432"]
OUTLINE["📚 Outline Wiki\n:3001"]
BOOKSTACK["📖 BookStack\n:8082"]
ADGHOME["🛡️ AdGuard\n(network_mode)"]
HOMEBOX["📦 HomeBox\n:3100"]
FLATNOTES["📝 FlatNotes\n:8089"]
HOMER["🏠 Homer\n:8090"]
PICSUR["🖼️ Picsur\n:8091"]
SPEEDTEST["📡 Speedtest\n:8765"]
OMADA["📶 Omada Controller\n:8043"]
end
subgraph MEDIA["media · 10.0.0.36"]
JELLYFIN["🎬 Jellyfin\n:8096/8920"]
SONARR["📺 Sonarr\n:8989"]
RADARR["🎥 Radarr\n:7878"]
PROWLARR["🔍 Prowlarr\n:9696"]
BAZARR["📄 Bazarr\n:6767"]
QBITTORRENT["⬇️ qBittorrent\n:5080"]
end
subgraph HA["homeassistant · 10.0.0.100"]
HOMEASSISTANT["🏠 Home Assistant\n:8123"]
end
OI & STARLINK --> GW
GW --> HESTIA & TRUENAS & DOCKERINO & MEDIA & HA
%% NPM routing
NPM -->|SSL Termination| KUMA
NPM -->|SSL Termination| N8N
NPM -->|SSL Termination| GITEA
NPM -->|SSL Termination| JELLYFIN
NPM -->|SSL Termination| HOMEASSISTANT
NPM -->|SSL Termination| OUTLINE
NPM -->|SSL Termination| BOOKSTACK
NPM -->|SSL Termination| HOMEBOX
NPM -->|SSL Termination| FLATNOTES
NPM -->|SSL Termination| PICSUR
NPM -->|SSL Termination| SPEEDTEST
NPM -->|SSL Termination| OMADA
NPM -->|SSL Termination| ADGHOME
NPM -->|SSL Termination| BAZARR
NPM -->|SSL Termination| QBITTORRENT
NPM -->|SSL Termination| SONARR
NPM -->|SSL Termination| RADARR
NPM -->|SSL Termination| PROWLARR
NPM -->|SSL Termination| TN_UI
%% AdGuard DNS
ADGUARD -.->|DNS *.hackerfortress.cc| NPM
%% Internal data flows
GITEA --> POSTGRES
OUTLINE --> POSTGRES
JELLYFIN -.->|media files| QBITTORRENT
%% Hermes interaction
HERMES --> NPM
```
**Resumo do fluxo:**
1. **Usuário** acessa `servico.hackerfortress.cc`
2. **AdGuard** (10.0.10.100:3053) resolve DNS → 10.0.0.50 (dockerino)
3. **Nginx Proxy Manager** (dockerino:81) recebe a requisição, termina SSL
4. **NPM** faz proxy reverso interno para o serviço correto na porta对应
5. **Hermes Agent** (Telegram) também se comunica via NPM para monitorar status
---
## 4. ACESSO SSH
### 4.1 Chave SSH da Héstia
- **Created:** 2026-04-08
- **Type:** ED25519
- **Fingerprint:** SHA256:ieM8FlrvI0ByxVinRa3zfKzP6BYMO2aVGd/IMshTmYU
- **Key file:** `~/.ssh/id_ed25519`
- **Public key:**
```
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEbnDYVvjbDrGuA4SfM8Ex/H/9RVHmkyu7qzCEt27eh hestia-homlelab-20260408
```
### 4.2 SSH Config ( ~/.ssh/config)
```
Host truenas
HostName 10.0.0.30
User root
Port 22
IdentityFile ~/.ssh/id_ed25519
Host proxmox
HostName 10.0.0.20
User root
Port 22
IdentityFile ~/.ssh/id_ed25519
Host dockerino
HostName 10.0.0.50
User root
Port 22
IdentityFile ~/.ssh/id_ed25519
Host media
HostName 10.0.0.36
User root
Port 22
IdentityFile ~/.ssh/id_ed25519
Host homeassistant
HostName 10.0.0.100
User root
Port 22
IdentityFile ~/.ssh/id_ed25519
```
### 4.3 Status Distribuição de Chaves
| Máquina | Status |
|---------|--------|
| TrueNAS | ✅ Distribuída |
| Proxmox | ✅ Distribuída |
| Dockerino | ✅ Distribuída |
| Media | ✅ Distribuída |
| Home Assistant | ❌ Pendente (via Proxmox) |
---
## 5. DOCKER COMPOSE STACKS
### 5.1 Dockerino Stacks
Localização: `/root/dockerino/`
| Stack | Path | Services |
|-------|------|----------|
| Nginx Proxy Manager | `/root/dockerino/nginx/` | nginx (jpw/nginx-proxy-manager) |
| Adguard Home | `/root/dockerino/adguard/` | adguardhome |
| BookStack | `/root/dockerino/bookstack/` | mysql, bookstack |
| Outline | `/root/dockerino/outline/` | outline-postgres, outline-redis, outline-minio, outline-minio-init, outline |
| FlatNotes | `/root/dockerino/flatnotes/` | flatnotes |
| Homer | `/root/dockerino/homer/` | homer |
| HomeBox | `/root/dockerino/homebox/` | homebox |
| Omada Controller | `/root/dockerino/omada-controller/` | omada-controller |
| Picsur | `/root/dockerino/picsur/` | picsur |
| Speedtest | `/root/dockerino/speedtest/` | speedtest |
| Twingate | `/root/dockerino/twingate/` | twingate |
### 5.2 Media Stack
Localização: `/root/homefortress-media/docker-compose.yml`
Network: `mynetwork` (172.19.0.0/16)
| Service | IP | Ports |
|---------|-----|-------|
| qbittorrent | 172.19.0.2 | 5080, 6881 |
| sonarr | 172.19.0.3 | 8989 |
| prowlarr | 172.19.0.4 | 9696 |
| radarr | 172.19.0.5 | 7878 |
| ollama | 172.19.0.10 | 11434 |
Volumes:
- `/mnt/share-media` — dados de mídia (bind mount)
---
## 6. STORAGE E BACKUPS
### 6.1 TrueNAS Pools
**Ikky (2.72T):**
- `Ikky/data` — 199G usado, compartilhamento SMB principal
- `Ikky/.system` — configurações TrueNAS
- `Ikky/ix-apps` — apps catalog (n8n, uptime-kuma)
**Hyoga (1.81T):**
- `Hyoga/media` — 923G (backup final 2025-12-05)
- `Hyoga/raidfortress` — 192G
### 6.2 Media Mount
`/mnt/share-media` é o mount point principal para dados de mídia, compartilhado entre Media VM e TrueNAS.
---
## 7. MONITORAMENTO E ALERTAS
### 7.1 Alertas Ativos
| Severidade | Máquina | Alerta | Ação Recomendada |
|------------|---------|--------|------------------|
| ~~⚠️ Alta~~ | ~~TrueNAS~~ | ~~n8n/uptime-kuma não sobem após reboot~~ | ~~Investigar bug de pool ix-apps~~ ✅ Resolvido |
| ~~⚠️ Média~~ | ~~Dockerino~~ | ~~Twingate unhealthy~~ | ~~Configurar healthcheck customizado ou aceitar estado~~ ✅ Resolvido |
| ~~⚠️ Média~~ | ~~Media~~ | ~~Ollama unhealthy~~ | ~~Remover container e modelos~~ ✅ Resolvido |
| ~~ Info~~ | ~~TrueNAS~~ | ~~ix-apps directory parcialmente populado~~ | ~~Monitorar após fix do bug~~ ✅ Resolvido |
### 7.2 Serviços de Monitoramento
- **Uptime Kuma:** Ativo no TrueNAS (10.0.0.30:31050) ✅
- **netdata:** Ativo no TrueNAS (porta 6999)
- **Speedtest Tracker:** Ativo no Dockerino (porta 8765)
---
## 8. PROBLEMAS CONHECIDOS E TODOS
### 8.1 Bugs
- [x] **BUG-TRUENAS-01:** TrueNAS ix-apps pool não monta automaticamente após reboot ✅ (2026-04-08 - aplicado canmount=on nos datasets)
- [x] **BUG-TWINGATE-01:** Twingate connector unhealthy — healthcheck não configurado (sem endpoint HTTP) ✅ (2026-04-08 - healthcheck desabilitado)
### 8.2 Tasks
- [x] **TASK-OLLAMA-01:** Remover Ollama e modelos baixados do Media ✅ (2026-04-08)
- [ ] **TASK-VPN-01:** Avaliar WireGuard como替代 NordVPN
- [ ] **TASK-HA-01:** Configurar acesso SSH ao Home Assistant via Proxmox guest agent
- [ ] **TASK-BACKUP-01:** Configurar rotina de backup para configurações das VMs
- [ ] **TASK-DOCS-01:** Documentar credenciais de serviços (usar Vault/Pass)
---
## 9. PRÓXIMOS PASSOS
1. ~~Corrigir bug da pool do TrueNAS (ix-apps)~~ ✅ (2026-04-08)
2. ~~Remover Ollama do Media~~ ✅ (2026-04-08)
3. ~~Configurar Twingate healthcheck~~ ✅ (2026-04-08)
4. ~~Mapear todos os subdomínios e SSL certificates~~ ✅ (2026-04-08)
5. ~~Configurar Uptime Kuma para monitorar todos os serviços~~ ✅ (2026-04-08)
6. Implementar solução de backup (TrueNAS → ?)
7. Avaliar secrets management (Vault/Pass)
---
*Documento mantido por Héstia — Guardiã do Homelab*
*Atualizado: 2026-04-08 14:55 UTC-3*

64
docs/NEXT_STEPS.md Normal file
View File

@ -0,0 +1,64 @@
# Homelab - Próximos Passos (2026-04-08)
## Contexto Resumido
**Rede:** 10.0.0.0/24 (VLAN1 infra), 10.0.10.0/24 (VLAN10 geral). Router ER605 Omada. Dual ISP (OI + Starlink). Domain: hackerfortress.cc
**Máquinas principais:**
- TrueNAS (10.0.0.30): n8n, Uptime Kuma, TrueNAS Core
- Proxmox (10.0.0.20): hosts dockerino, media, homeassistant
- Hestia (10.0.10.100): management node (esta máquina)
- Dockerino (10.0.0.50): Docker host com NPM, AdGuard, e mais
**Arquitetura docs:** ~/homelab/docs/ARCHITECTURE.md
---
## Tarefas Pendentes
### 5. Configurar Uptime Kuma para monitorar todos os serviços ✅
- Todos os 18 serviços monitorados: NPM (10.0.0.50:81), AdGuard (10.0.0.50:3000), Jellyfin (10.0.0.36:8096), Sonarr (10.0.0.36:8989), Radarr (10.0.0.36:7878), Prowlarr (10.0.0.36:9696), Bazarr (10.0.0.36:6767), qBittorrent (10.0.0.36:5080), HomeAssistant (10.0.0.100:8123), Proxmox (10.0.0.20:8006), TrueNAS (10.0.0.30:443), n8n (10.0.0.30:30109), BookStack (10.0.0.50:8082), FlatNotes (10.0.0.50:8089), HomeBox (10.0.0.50:3100), Picsur (10.0.0.50:8091), Outline (10.0.0.50:3001), Omada (10.0.0.50:8043)
- Status atual: 16 UP, 0 DOWN (TrueNAS e AdGuard com uptime parcial em recuperação)
- Credenciais salvas na memória: admin / UptimeKuma@2026#Hestia!
### 6. Implementar solução de backup (TrueNAS → ?)
- Avaliar opções: rsync para offsite,borgbackup, restic, ou靠在 TrueNAS built-in
- Considerar Restic ou borg para backup incremental offsite
- Avaliar custos de storage
### 7. WireGuard como alternativa ao NordVPN
- NordVPN ainda não implementou split-tunnel no Linux
- WireGuard seria para conexão externa (road warrior)
- Avaliar configuração no ER605 ou em um container
### 8. NordVPN split-tunnel no Linux
- NordVPN CLI suporta `--allowlist` ou `exclude` para split-tunnel
- Testar com containers que precisam de VPN (qBittorrent, etc.)
- Exemplo: `nordvpn set allowlist add Subnet:192.168.1.0/24`
### 9. Documentar credenciais
- Todas as senhas/documentação do homelab em: ~/homelab/docs/
- Avaliar Password Store (pass) ou Vault para secrets management
---
## Investigações Recentes (2026-04-08)
### TrueNAS ix-apps (n8n, Uptime Kuma)
- Apps existem nos datasets mas middleware não os reconhece (`midclt call app.query` retorna [])
- Causa: datasets com `canmount=noauto` não montados automaticamente
- Fix testado: `zfs mount Ikky/ix-apps/app_configs`
- Próximo passo: WebUI para stop/rollback/start dos apps
### Nginx Proxy Manager - SSL Certificates
- Cert wildcard `*.hackerfortress.cc` expira 2026-05-27 (cert ID 75)
- 23 subdomínios configurados no NPM, todos usando o mesmo cert
- Revisão do ARCHITECTURE.md feita: atualizações no item 4
---
## Notas de Configuração
- Lid switch: `HandleLidSwitch=ignore` + suspend targets masked
- NVIDIA GT 730M: nouveau (driver open-source)
- SSH key: ED25519, fingerprint SHA256:ieM8FlrvI0ByxVinRa3zfKzP6BYMO2aVGd/IMshTmYU

118
terraform/er605/main.tf Normal file
View File

@ -0,0 +1,118 @@
# Terraform configuration for TP-Link ER605 Router via Omada Controller
# Router: TP-Link ER605 (Omada Controller on dockerino:8043)
terraform {
required_version = ">= 1.0"
required_providers {
omada = {
source = "jkbo/RF-omada"
version = "~> 1.0"
}
}
}
provider "omada" {
omada_url = var.omada_url
omada_username = var.omada_username
omada_password = var.omada_password
ssl_verify = var.ssl_verify
}
# Data sources to get existing network info
data "omada_networks" "homelab" {
site_name = var.site_name
}
# VLAN 1 - Infraestrutura (10.0.0.0/24)
resource "omada_network" "vlan1_infra" {
site_name = var.site_name
name = "VLAN1-INFRA"
purpose = "Management"
type = "L3"
subnet = "10.0.0.0/24"
gateway_ip = "10.0.0.1"
vlan_id = 1
dhcp_relay_enabled = false
}
# VLAN 10 - Geral (10.0.10.0/24)
resource "omada_network" "vlan10_geral" {
site_name = var.site_name
name = "VLAN10-GERAL"
purpose = "Corporate"
type = "L3"
subnet = "10.0.10.0/24"
gateway_ip = "10.0.10.1"
vlan_id = 10
dhcp_relay_enabled = false
}
# VLAN 20 - IOT (10.0.20.0/24)
resource "omada_network" "vlan20_iot" {
site_name = var.site_name
name = "VLAN20-IOT"
purpose = "Corporate"
type = "L3"
subnet = "10.0.20.0/24"
gateway_ip = "10.0.20.1"
vlan_id = 20
dhcp_relay_enabled = false
}
# VLAN 30 - Guests (10.0.30.0/24)
resource "omada_network" "vlan30_guests" {
site_name = var.site_name
name = "VLAN30-GUESTS"
purpose = "Guest"
type = "L3"
subnet = "10.0.30.0/24"
gateway_ip = "10.0.30.1"
vlan_id = 30
dhcp_relay_enabled = false
}
# DHCP Static Leases (examples)
# Add static DHCP entries for known devices
resource "omada_dhcp_static" "truenas" {
site_name = var.site_name
network_id = omada_network.vlan1_infra.id
mac_address = var.truenas_mac
ip_address = "10.0.0.30"
hostname = "truenas"
}
resource "omada_dhcp_static" "proxmox" {
site_name = var.site_name
network_id = omada_network.vlan1_infra.id
mac_address = var.proxmox_mac
ip_address = "10.0.0.20"
hostname = "proxmox"
}
resource "omada_dhcp_static" "dockerino" {
site_name = var.site_name
network_id = omada_network.vlan1_infra.id
mac_address = var.dockerino_mac
ip_address = "10.0.0.50"
hostname = "dockerino"
}
resource "omada_dhcp_static" "media" {
site_name = var.site_name
network_id = omada_network.vlan1_infra.id
mac_address = var.media_mac
ip_address = "10.0.0.36"
hostname = "media"
}
resource "omada_dhcp_static" "homeassistant" {
site_name = var.site_name
network_id = omada_network.vlan1_infra.id
mac_address = var.homeassistant_mac
ip_address = "10.0.0.100"
hostname = "homeassistant"
}
# DNS routes for internal resolution
# *.hackerfortress.cc -> 10.0.0.50 (dockerino/NPM)

36
terraform/er605/outputs.tf Normal file
View File

@ -0,0 +1,36 @@
# Outputs for ER605/Omada Terraform
output "vlan1_infra_id" {
description = "VLAN1 Infrastructure ID"
value = omada_network.vlan1_infra.id
}
output "vlan1_infra_subnet" {
description = "VLAN1 Infrastructure Subnet"
value = omada_network.vlan1_infra.subnet
}
output "vlan10_geral_id" {
description = "VLAN10 General ID"
value = omada_network.vlan10_geral.id
}
output "vlan10_geral_subnet" {
description = "VLAN10 General Subnet"
value = omada_network.vlan10_geral.subnet
}
output "vlan20_iot_id" {
description = "VLAN20 IOT ID"
value = omada_network.vlan20_iot.id
}
output "vlan30_guests_id" {
description = "VLAN30 Guests ID"
value = omada_network.vlan30_guests.id
}
output "omada_url" {
description = "Omada Controller URL"
value = var.omada_url
}

62
terraform/er605/variables.tf Normal file
View File

@ -0,0 +1,62 @@
# Variables for ER605/Omada Terraform
variable "omada_url" {
description = "Omada Controller URL"
type = string
default = "https://10.0.0.50:8043"
}
variable "omada_username" {
description = "Omada Controller username"
type = string
default = "admin"
}
variable "omada_password" {
description = "Omada Controller password"
type = string
sensitive = true
}
variable "site_name" {
description = "Omada site name"
type = string
default = "Default"
}
variable "ssl_verify" {
description = "Verify SSL certificates"
type = bool
default = false
}
# MAC addresses for static DHCP
variable "truenas_mac" {
description = "TrueNAS MAC address"
type = string
default = "" # TODO: Add actual MAC
}
variable "proxmox_mac" {
description = "Proxmox MAC address"
type = string
default = "" # TODO: Add actual MAC
}
variable "dockerino_mac" {
description = "Dockerino MAC address"
type = string
default = "" # TODO: Add actual MAC
}
variable "media_mac" {
description = "Media VM MAC address"
type = string
default = "" # TODO: Add actual MAC
}
variable "homeassistant_mac" {
description = "Home Assistant VM MAC address"
type = string
default = "" # TODO: Add actual MAC
}