# HESTIA — Homelab Infrastructure Documentation

> Guardian of the homelab. Living, evolving documentation.
> Last updated: 2026-04-08 19:50
> Maintainer: Héstia (Claude Code via MiniMax-M2.7)

---

## 1. NETWORK TOPOLOGY

### 1.1 VLAN Segments

| VLAN | Name | IP Range | Gateway | Function |
|------|------|----------|---------|----------|
| 1 (default) | INFRAESTRUTURA | 10.0.0.1/24 | 10.0.0.1 | Servers, Proxmox, TrueNAS |
| 10 | GERAL | 10.0.10.1/24 | 10.0.10.1 | Computers, phones |
| 20 | IOT | 10.0.20.1/24 | 10.0.20.1 | IoT devices |
| 30 | GUESTS | 10.0.30.1/24 | 10.0.30.1 | Guests |

### 1.2 Gateway/Router

- **Device:** TP-Link ER605 (managed via Omada Controller)
- **WAN:** Dual-ISP load balancing (OI + Starlink)
- **LAN:** 10.0.0.1 (VLAN1), 10.0.10.1 (VLAN10), 10.0.20.1 (VLAN20), 10.0.30.1 (VLAN30)
- **DHCP:** Static per-MAC assignments in Omada Controller

### 1.3 DNS/Proxy

- **Adguard Home:** Routes `*.hackerfortress.cc` internally to services with SSL
- **Nginx Proxy Manager:** SSL termination for internal services
- **Domain:** hackerfortress.cc

### 1.4 External Access

- **Twingate:** VPN for remote access to the infrastructure (TrueNAS, Proxmox)
- **Tailscale:** Mesh VPN for external VPSes (not used in the homelab)
- **NordVPN:** Expired — needs to be migrated to WireGuard (TODO)

---

## 2. MACHINES AND HARDWARE

### 2.1 TrueNAS (NAS + Apps)

| Attribute | Value |
|-----------|-------|
| **Hostname** | truenas |
| **IP** | 10.0.0.30 |
| **System** | TrueNAS SCALE (Debian 12 Bookworm) |
| **Kernel** | 6.12.15-production+truenas |
| **Uptime** | 3h 54min |
| **CPU** | Intel Xeon E5-2650 v4 @ 2.20GHz (24 cores, 48 threads) |
| **RAM** | 31 GiB total (5.3 GiB used, 25 GiB available) |
| **SSH** | Enabled (port 22, user root) |

**Storage Pools:**

| Pool | Size | Used | Free | Health | Mountpoint |
|------|------|------|------|--------|------------|
| Ikky | 2.72T | 1.32T (48%) | 1.40T | ONLINE | /mnt/Ikky |
| Hyoga | 1.81T | 1.09T (60%) | 741G | ONLINE | /mnt/mnt/Hyoga |
| boot-pool | 236G | 5.91G (2%) | 230G | ONLINE | - |

**Main datasets:**

- `Ikky/data` — 199G used (SMB share)
- `Ikky/.system` — TrueNAS system configuration
- `Ikky/ix-apps` — apps catalog (contains the n8n and uptime-kuma datasets)
- `Hyoga/media` — 923G of media (final backup 2025-12-05)
- `Hyoga/raidfortress` — 192G

**Open ports:**

| Port | Service |
|------|---------|
| 22 | SSH |
| 80/443 | Nginx (TrueNAS WebUI + reverse proxy) |
| 445/139 | Samba |
| 3260 | iSCSI |
| 5357 | wsdd (Web Services Discovery) |
| 6000 | TrueNAS API (middleware) |
| 6999 | netdata |

**App services (ix-apps):**

- **n8n** — datasets in `/mnt/.ix-apps/app_mounts/n8n/` (multiple snapshot versions)
- **uptime-kuma** — dataset in `/mnt/.ix-apps/app_mounts/uptime-kuma/`
- ✅ **FIXED (2026-04-08):** ix-apps datasets now mount automatically with canmount=on

### 2.2 Proxmox (Hypervisor)

| Attribute | Value |
|-----------|-------|
| **Hostname** | pve |
| **IP** | 10.0.0.20 |
| **System** | Proxmox VE 8.4.17 |
| **Kernel** | 6.8.12-9-pve |
| **Uptime** | 3h 54min |
| **CPU** | AMD Ryzen 7 2700 Eight-Core (8 cores, 16 threads) |
| **RAM** | 32 GiB total (26 GiB used, 5.0 GiB available) |
| **Swap** | 8 GiB |
| **SSH** | Enabled (port 22, user root) |
| **Web Interface** | Port 8006 |

**Disk:**

- `/dev/sda` — 223.6G
  - sda1: 1M (BIOS boot)
  - sda2: 1G (/boot/efi)
  - sda3: 222.6G (LVM)
    - pve-swap: 8G
    - pve-root: 65.6G (/)
    - pve-data: 130.3G (LVM-thin)

**Storages:**

| Storage | Type | Size | Used | Available |
|---------|------|------|------|-----------|
| local | dir | 31.2G | - | 64.1G |
| local-lvm | lvmthin | 130.3G | 102.8G | 26.7G |

**VMs:**

| VMID | Name | Status | vCPUs | RAM | Disk | Uptime |
|------|------|--------|-------|-----|------|--------|
| 100 | homeassistant | running | 4 | 4 GB | 32 GB | 3h 38min |
| 102 | dockerino | running | 8 | 10 GB | 74 GB | 3h 38min |
| 103 | media | running | 8 | 16 GB | 64 GB | 3h 37min |

### 2.3 Dockerino (Proxmox VM)

| Attribute | Value |
|-----------|-------|
| **Hostname** | dockerino |
| **IP** | 10.0.0.50 |
| **System** | Debian (5.10.0-23-amd64) |
| **Uptime** | 3h 54min |
| **CPU** | 8 vCPUs (Common KVM processor) |
| **RAM** | 9.7 GiB (4.5 GiB used, 4.8 GiB available) |
| **Disk** | 31G (/dev/sda1) — 90% used |
| **Docker** | Docker version 28.5.0 |
| **Compose** | Multi-stack in `/root/dockerino/` |

**Docker stacks in `/root/dockerino/`:**

- `nginx/` — Nginx Proxy Manager
- `adguard/` — Adguard Home
- `bookstack/` — BookStack (with MySQL)
- `outline/` — Outline Wiki (PostgreSQL + Redis + MinIO)
- `flatnotes/` — FlatNotes
- `homer/` — Homer (dashboard)
- `homebox/` — HomeBox (inventory)
- `omada-controller/` — TP-Link Omada Controller
- `picsur/` — Picsur (image hosting)
- `speedtest/` — Speedtest Tracker
- `twingate/` — Twingate Connector

**Active containers:**

| Container | Status | Ports | Image |
|-----------|--------|-------|-------|
| outline | healthy | 3001 | outlinewiki/outline:latest |
| outline-minio | healthy | 9000-9001 | quay.io/minio/minio |
| outline-postgres | healthy | 5432 | postgres:15-alpine |
| outline-redis | healthy | 6379 | redis:7-alpine |
| bookstack | healthy | 8082→80 | solidnerd/bookstack:latest |
| picsur | healthy | 8091→8080 | ghcr.io/caramelfur/picsur:latest |
| homer | healthy | 8090→8080 | b4bz/homer:latest |
| twingate | healthy | - | twingate/connector:latest |
| mysql | healthy | 3306 | mysql:8.3 |
| speedtest | healthy | 8765→80 | henrywhitaker3/speedtest-tracker:latest |
| nginx | healthy | 80-81, 443 | jc21/nginx-proxy-manager:latest |
| omada-controller | healthy | network_mode=host | mbentley/omada-controller:latest |
| homebox | healthy | 3100→7745 | ghcr.io/hay-kot/homebox:latest |
| flatnotes | healthy | 8089→8080 | dullage/flatnotes:latest |
| postgres | healthy | 5432 | postgres:14-alpine |
| adguardhome | healthy | network_mode=host | adguard/adguardhome:latest |

**⚠️ Alerts:**

- `twingate` unhealthy — healthcheck not configured correctly (Twingate has no HTTP endpoint to check)

### 2.4 Media (Proxmox VM)

| Attribute | Value |
|-----------|-------|
| **Hostname** | media |
| **IP** | 10.0.0.36 |
| **System** | Debian (5.10.0-26-amd64) |
| **Uptime** | 3h 54min |
| **CPU** | 8 vCPUs (Common KVM processor) |
| **RAM** | 15 GiB (1.1 GiB used, 13 GiB available) |
| **Disk** | 62G (/dev/sda2) — 83% used |
| **Docker** | Docker version 28.4.0 |
| **Compose** | `/root/homefortress-media/docker-compose.yml` |

**Docker Stack:** Custom network `mynetwork` (172.19.0.0/16)

| Container | Status | Ports | Image |
|-----------|--------|-------|-------|
| ~~ollama~~ | ~~removed~~ | ~~11434~~ | ~~ollama/ollama:latest~~ |
| bazarr | healthy | 6767 | linuxserver/bazarr:latest |
| jellyfin | healthy | 8096, 8920, 7359/udp | linuxserver/jellyfin:latest |
| prowlarr | healthy | 9696 | linuxserver/prowlarr:latest |
| sonarr | healthy | 8989 | linuxserver/sonarr:latest |
| radarr | healthy | 7878 | linuxserver/radarr:latest |
| qbittorrent | healthy | 5080, 6881 | lscr.io/linuxserver/qbittorrent:latest |

**⚠️ Alerts:**

- None — Ollama was removed (2026-04-08)

**Note on Jellyfin:** GPU passthrough (NVIDIA) was attempted but did not work.
There is no physical GPU in this VM — inference runs on CPU only.

### 2.5 Home Assistant (Proxmox VM)

| Attribute | Value |
|-----------|-------|
| **VMID** | 100 |
| **Hostname** | homeassistant |
| **IP** | 10.0.0.100 |
| **Status** | running |
| **System** | Linux (EFI boot, machine q35) |
| **vCPUs** | 4 (x86-64-v2-AES) |
| **RAM** | 4 GB |
| **Disk** | 32 GB (local-lvm) |
| **Network** | virtio, bridge vmbr0 |
| **Boot** | EFI, startup order=1 |
| **Uptime** | 3h 38min |

**Access:** Via Proxmox (`qm guest exec 100`)

---

## 3. SERVICE MAPPING

### 3.1 By Machine

**TrueNAS (10.0.0.30):**

| Service | Port | Status | Notes |
|---------|------|--------|-------|
| SSH | 22 | ✅ | Root access |
| TrueNAS WebUI | 443 | ✅ | SSL default |
| Samba | 445, 139 | ✅ | Ikky/data share |
| iSCSI | 3260 | ✅ | SCST target |
| netdata | 6999 | ✅ | Monitoring |
| n8n | 30109 | ✅ | Working (2026-04-08) |
| Uptime Kuma | 31050 | ✅ | Working (2026-04-08) |

**Dockerino (10.0.0.50):**

| Service | Port | URL | Status |
|---------|------|-----|--------|
| Nginx Proxy Manager | 80, 443 | - | ✅ |
| Outline Wiki | 3001 | - | ✅ |
| BookStack | 8082 | bookstack.hackerfortress.cc | ✅ |
| Omada Controller | host | - | ✅ |
| Adguard Home | host | - | ✅ |
| HomeBox | 3100 | homebox.hackerfortress.cc | ✅ |
| FlatNotes | 8089 | flatnotes.hackerfortress.cc | ✅ |
| Homer | 8090 | - | ✅ |
| Picsur | 8091 | - | ✅ |
| Speedtest | 8765 | - | ✅ |
| MySQL | 3306 | - | ✅ |
| PostgreSQL | 5432 | - | ✅ |
| MinIO | 9000, 9001 | - | ✅ |
| Twingate | - | - | ✅ healthy |

**Media (10.0.0.36):**

| Service | Port | URL | Status |
|---------|------|-----|--------|
| Jellyfin | 8096, 8920 | media.hackerfortress.cc | ✅ |
| Sonarr | 8989 | - | ✅ |
| Radarr | 7878 | - | ✅ |
| Prowlarr | 9696 | - | ✅ |
| Bazarr | 6767 | - | ✅ |
| qBittorrent | 5080 | - | ✅ |
| Ollama | 11434 | - | ⚠️ unhealthy (remove) |

**Home Assistant (10.0.0.100):**

| Service | Port | URL | Status |
|---------|------|-----|--------|
| Home Assistant | 8123 | homeassistant.hackerfortress.cc | ✅ |

### 3.2 By Domain (hackerfortress.cc)

**SSL:** Let's Encrypt via Nginx Proxy Manager (cert ID 75: `*.hackerfortress.cc`, expires 2026-05-27)

| Subdomain | NPM Destination | Notes |
|-----------|-----------------|-------|
| proxmox.* | 10.0.0.20:8006 | HTTPS, Proxmox WebUI |
| proxy.* | nginx:81 | NPM Admin Interface |
| speedtest.* | speedtest:80 | Speedtest Tracker |
| homeassistant.* | 10.0.0.100:8123 | Home Assistant |
| qbittorrent.* | 10.0.0.36:5080 | qBittorrent |
| prowlarr.* | 10.0.0.36:9696 | Prowlarr |
| radarr.* | 10.0.0.36:7878 | Radarr |
| sonarr.* | 10.0.0.36:8989 | Sonarr |
| jellyfin.* | 10.0.0.36:8096 | Jellyfin |
| homebox.* | homebox:7745 | HomeBox Inventory |
| picsur.* | 10.0.0.50:8091 | Picsur |
| omada.* | 10.0.0.50:8043 | HTTPS, Omada Controller |
| n8n.* | 10.0.0.30:30109 | n8n Workflow |
| adguard.* | 10.0.0.50:3000 | AdGuard Home |
| flatnotes.* | flatnotes:8080 | FlatNotes |
| truenas.* | 10.0.0.30:80 | TrueNAS WebUI |
| uptime.* | 10.0.0.30:31050 | Uptime Kuma |
| bookstack.* | bookstack:8080 | BookStack Wiki |
| bazarr.* | 10.0.0.36:6767 | Bazarr |
| outline.* | 10.0.0.50:3001 | Outline Wiki |
| mcp-outline.* | 10.0.0.50:8080 | MCP Outline |
| ollama.* | 10.0.0.36:11434 | Ollama |
| openclaw.* | 10.0.10.100:18789 | OpenClaw |
| (root) | homer:8080 | Homer Dashboard |

**DNS:** AdGuard Home resolves all `*.hackerfortress.cc` → 10.0.0.50 (dockerino), except `openclaw.*` → 10.0.10.100. NPM performs the final internal routing.
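
**Added example (not part of the original documentation):** a consistency check of the proxy-host table against the service inventory, flagging upstreams that point at a port with no documented listener or at a host outside the infrastructure VLAN. The route list is a constructed subset of the table above; `audit_routes` and the finding labels are illustrative names, and the listener sets are taken from section 3.1 with Ollama left out because section 2.4 records it as removed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the NPM proxy-host table (subdomain, upstream).
PROXY_ROUTES = [
    ("jellyfin", "10.0.0.36:8096"),
    ("n8n", "10.0.0.30:30109"),
    ("outline", "10.0.0.50:3001"),
    ("ollama", "10.0.0.36:11434"),
    ("openclaw", "10.0.10.100:18789"),
    ("homebox", "homebox:7745"),
]

# Documented listeners per host (section 3.1). Ollama's 11434 is omitted
# because section 2.4 records the container as removed on 2026-04-08.
ACTIVE = {
    "10.0.0.30": {22, 443, 445, 139, 3260, 6999, 30109, 31050},
    "10.0.0.36": {8096, 8920, 8989, 7878, 9696, 6767, 5080},
    "10.0.0.50": {80, 443, 3001, 8082, 3100, 8089, 8090, 8091, 8765},
}
INFRA_VLAN = ip_network("10.0.0.0/24")  # VLAN 1 (section 1.1)


def audit_routes(routes, active=ACTIVE, infra=INFRA_VLAN):
    """Return (subdomain, finding) pairs for routes that need review."""
    findings = []
    for sub, upstream in routes:
        host, _, port = upstream.rpartition(":")
        try:
            addr = ip_address(host)
        except ValueError:
            # Docker service name: resolved on the NPM container network,
            # so it cannot be checked against the IP inventory here.
            findings.append((sub, "unverified-docker-name"))
            continue
        if addr not in infra:
            # Proxy reaches into another VLAN; confirm this is intended.
            findings.append((sub, "outside-infra-vlan"))
        elif int(port) not in active.get(host, set()):
            # No documented listener: the proxy entry is likely stale.
            findings.append((sub, "stale-upstream"))
    return findings


if __name__ == "__main__":
    for sub, finding in audit_routes(PROXY_ROUTES):
        print(f"{sub}.hackerfortress.cc: {finding}")
```
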

### 3.3 Infrastructure Diagram

```mermaid
graph TB
    subgraph INTERNET["🌐 INTERNET"]
        OI["ISP OI"]
        STARLINK["Starlink"]
    end

    subgraph ROUTER["📡 ER605 Omada"]
        GW["Gateway / Load Balance\n10.0.0.1"]
    end

    subgraph HESTIA["hestia · 10.0.10.100"]
        HERMES["🤖 Hermes Agent\n(Telegram)"]
        NPM["🔀 Nginx Proxy Manager\n:81"]
        ADGUARD["🛡️ AdGuard Home\n:3053"]
    end

    subgraph TRUENAS["TrueNAS · 10.0.0.30"]
        N8N["⚙️ n8n\n:30109"]
        KUMA["📊 Uptime Kuma\n:31050"]
        TN_UI["TrueNAS UI\n:443"]
    end

    subgraph DOCKERINO["dockerino · 10.0.0.50"]
        GITEA["📝 Gitea\n:3080/2222"]
        POSTGRES["🗄️ PostgreSQL\n:5432"]
        OUTLINE["📚 Outline Wiki\n:3001"]
        BOOKSTACK["📖 BookStack\n:8082"]
        ADGHOME["🛡️ AdGuard\n(network_mode)"]
        HOMEBOX["📦 HomeBox\n:3100"]
        FLATNOTES["📝 FlatNotes\n:8089"]
        HOMER["🏠 Homer\n:8090"]
        PICSUR["🖼️ Picsur\n:8091"]
        SPEEDTEST["📡 Speedtest\n:8765"]
        OMADA["📶 Omada Controller\n:8043"]
    end

    subgraph MEDIA["media · 10.0.0.36"]
        JELLYFIN["🎬 Jellyfin\n:8096/8920"]
        SONARR["📺 Sonarr\n:8989"]
        RADARR["🎥 Radarr\n:7878"]
        PROWLARR["🔍 Prowlarr\n:9696"]
        BAZARR["📄 Bazarr\n:6767"]
        QBITTORRENT["⬇️ qBittorrent\n:5080"]
    end

    subgraph HA["homeassistant · 10.0.0.100"]
        HOMEASSISTANT["🏠 Home Assistant\n:8123"]
    end

    OI & STARLINK --> GW
    GW --> HESTIA & TRUENAS & DOCKERINO & MEDIA & HA

    %% NPM routing
    NPM -->|SSL Termination| KUMA
    NPM -->|SSL Termination| N8N
    NPM -->|SSL Termination| GITEA
    NPM -->|SSL Termination| JELLYFIN
    NPM -->|SSL Termination| HOMEASSISTANT
    NPM -->|SSL Termination| OUTLINE
    NPM -->|SSL Termination| BOOKSTACK
    NPM -->|SSL Termination| HOMEBOX
    NPM -->|SSL Termination| FLATNOTES
    NPM -->|SSL Termination| PICSUR
    NPM -->|SSL Termination| SPEEDTEST
    NPM -->|SSL Termination| OMADA
    NPM -->|SSL Termination| ADGHOME
    NPM -->|SSL Termination| BAZARR
    NPM -->|SSL Termination| QBITTORRENT
    NPM -->|SSL Termination| SONARR
    NPM -->|SSL Termination| RADARR
    NPM -->|SSL Termination| PROWLARR
    NPM -->|SSL Termination| TN_UI

    %% AdGuard DNS
    ADGUARD -.->|DNS *.hackerfortress.cc| NPM

    %% Internal data flows
    GITEA --> POSTGRES
    OUTLINE --> POSTGRES
    JELLYFIN -.->|media files| QBITTORRENT

    %% Hermes interaction
    HERMES --> NPM
```

**Flow summary:**

1. **User** accesses `servico.hackerfortress.cc`
2. **AdGuard** (10.0.10.100:3053) resolves DNS → 10.0.0.50 (dockerino)
3. **Nginx Proxy Manager** (dockerino:81) receives the request and terminates SSL
4. **NPM** reverse-proxies internally to the correct service on the corresponding port
5. **Hermes Agent** (Telegram) also communicates via NPM to monitor status

---

## 4. SSH ACCESS

### 4.1 Héstia's SSH Key

- **Created:** 2026-04-08
- **Type:** ED25519
- **Fingerprint:** SHA256:ieM8FlrvI0ByxVinRa3zfKzP6BYMO2aVGd/IMshTmYU
- **Key file:** `~/.ssh/id_ed25519`
- **Public key:**
  ```
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINEbnDYVvjbDrGuA4SfM8Ex/H/9RVHmkyu7qzCEt27eh hestia-homlelab-20260408
  ```

### 4.2 SSH Config (~/.ssh/config)

```
Host truenas
    HostName 10.0.0.30
    User root
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host proxmox
    HostName 10.0.0.20
    User root
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host dockerino
    HostName 10.0.0.50
    User root
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host media
    HostName 10.0.0.36
    User root
    Port 22
    IdentityFile ~/.ssh/id_ed25519

Host homeassistant
    HostName 10.0.0.100
    User root
    Port 22
    IdentityFile ~/.ssh/id_ed25519
```

### 4.3 Key Distribution Status

| Machine | Status |
|---------|--------|
| TrueNAS | ✅ Distributed |
| Proxmox | ✅ Distributed |
| Dockerino | ✅ Distributed |
| Media | ✅ Distributed |
| Home Assistant | ❌ Pending (via Proxmox) |

---

## 5. DOCKER COMPOSE STACKS

### 5.1 Dockerino Stacks

Location: `/root/dockerino/`

| Stack | Path | Services |
|-------|------|----------|
| Nginx Proxy Manager | `/root/dockerino/nginx/` | nginx (jpw/nginx-proxy-manager) |
| Adguard Home | `/root/dockerino/adguard/` | adguardhome |
| BookStack | `/root/dockerino/bookstack/` | mysql, bookstack |
| Outline | `/root/dockerino/outline/` | outline-postgres, outline-redis, outline-minio, outline-minio-init, outline |
| FlatNotes | `/root/dockerino/flatnotes/` | flatnotes |
| Homer | `/root/dockerino/homer/` | homer |
| HomeBox | `/root/dockerino/homebox/` | homebox |
| Omada Controller | `/root/dockerino/omada-controller/` | omada-controller |
| Picsur | `/root/dockerino/picsur/` | picsur |
| Speedtest | `/root/dockerino/speedtest/` | speedtest |
| Twingate | `/root/dockerino/twingate/` | twingate |

### 5.2 Media Stack

Location: `/root/homefortress-media/docker-compose.yml`

Network: `mynetwork` (172.19.0.0/16)

| Service | IP | Ports |
|---------|-----|-------|
| qbittorrent | 172.19.0.2 | 5080, 6881 |
| sonarr | 172.19.0.3 | 8989 |
| prowlarr | 172.19.0.4 | 9696 |
| radarr | 172.19.0.5 | 7878 |
| ollama | 172.19.0.10 | 11434 |

Volumes:

- `/mnt/share-media` — media data (bind mount)

---

## 6. STORAGE AND BACKUPS

### 6.1 TrueNAS Pools

**Ikky (2.72T):**

- `Ikky/data` — 199G used, main SMB share
- `Ikky/.system` — TrueNAS configuration
- `Ikky/ix-apps` — apps catalog (n8n, uptime-kuma)

**Hyoga (1.81T):**

- `Hyoga/media` — 923G (final backup 2025-12-05)
- `Hyoga/raidfortress` — 192G

### 6.2 Media Mount

`/mnt/share-media` is the main mount point for media data, shared between the Media VM and TrueNAS.

---

## 7. MONITORING AND ALERTS

### 7.1 Active Alerts

| Severity | Machine | Alert | Recommended Action |
|----------|---------|-------|--------------------|
| ~~⚠️ High~~ | ~~TrueNAS~~ | ~~n8n/uptime-kuma do not come up after reboot~~ | ~~Investigate ix-apps pool bug~~ ✅ Resolved |
| ~~⚠️ Medium~~ | ~~Dockerino~~ | ~~Twingate unhealthy~~ | ~~Configure a custom healthcheck or accept the state~~ ✅ Resolved |
| ~~⚠️ Medium~~ | ~~Media~~ | ~~Ollama unhealthy~~ | ~~Remove container and models~~ ✅ Resolved |
| ~~ℹ️ Info~~ | ~~TrueNAS~~ | ~~ix-apps directory partially populated~~ | ~~Monitor after the bug fix~~ ✅ Resolved |

### 7.2 Monitoring Services

- **Uptime Kuma:** Active on TrueNAS (10.0.0.30:31050) ✅
- **netdata:** Active on TrueNAS (port 6999)
- **Speedtest Tracker:** Active on Dockerino (port 8765)

---

## 8. KNOWN ISSUES AND TODOS

### 8.1 Bugs

- [x] **BUG-TRUENAS-01:** TrueNAS ix-apps pool does not mount automatically after reboot ✅ (2026-04-08 - canmount=on applied to the datasets)
- [x] **BUG-TWINGATE-01:** Twingate connector unhealthy — healthcheck not configured (no HTTP endpoint) ✅ (2026-04-08 - healthcheck disabled)

### 8.2 Tasks

- [x] **TASK-OLLAMA-01:** Remove Ollama and downloaded models from Media ✅ (2026-04-08)
- [ ] **TASK-VPN-01:** Evaluate WireGuard as a replacement for NordVPN
- [ ] **TASK-HA-01:** Configure SSH access to Home Assistant via the Proxmox guest agent
- [ ] **TASK-BACKUP-01:** Set up a backup routine for VM configurations
- [ ] **TASK-DOCS-01:** Document service credentials (use Vault/Pass)

---

## 9. NEXT STEPS

1. ~~Fix the TrueNAS pool bug (ix-apps)~~ ✅ (2026-04-08)
2. ~~Remove Ollama from Media~~ ✅ (2026-04-08)
3. ~~Configure Twingate healthcheck~~ ✅ (2026-04-08)
4. ~~Map all subdomains and SSL certificates~~ ✅ (2026-04-08)
5. ~~Configure Uptime Kuma to monitor all services~~ ✅ (2026-04-08)
6. Implement a backup solution (TrueNAS → ?)
7. Evaluate secrets management (Vault/Pass)

---

*Document maintained by Héstia — Guardian of the Homelab*
*Updated: 2026-04-08 14:55 UTC-3*