homefoam/homelab.md
2025-07-19 15:36:08 -06:00

# homelab
* OPNsense firewall: https://opnsense.hh.lan:8443
* Proxmox virtualization cluster: https://proxmox1.hh.lan
## services
* HomeAssistant home automation
  * http://homeassistant.local:8123/
  * https://ha.hh.lan
* Frigate NVR (security cameras): https://frigate.local:8971
* Paperless document repository
  * https://paperless.hobbithole.org
  * https://paperless.hh.lan
### Gitea
* https://git.hobbithole.org
* http://gitea.hh.lan:3000
* SSH key stored in bitwarden
* used `docker-compose-template` VM template
* Moved the host `sshd` to `tcp:2222` so the Gitea container can publish `tcp:22` for git-over-SSH
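As an added check (not part of this note or of Gitea), a small POSIX shell script that parses `ss -Hltnp` output and confirms the split described above: the host `sshd` on tcp/2222, and tcp/22 held by the container side rather than by `sshd`. The sample `ss` lines and the `docker-proxy` process name for the published port are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the homelab note: verify the sshd/Gitea port split.
# Host sshd should own tcp/2222; tcp/22 should be held by the container side
# (assumed to show up as docker-proxy when the Gitea service publishes "22:22"),
# never by sshd. SAMPLE is constructed `ss -Hltnp` output for a host where the
# move was already done.

SAMPLE='LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("docker-proxy",pid=2231,fd=4))
LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:* users:(("docker-proxy",pid=2219,fd=4))'

# port_owner PORT [SS_OUTPUT]
# Prints the first process name listening on tcp/PORT, or nothing if unbound.
# Without SS_OUTPUT it runs `ss -Hltnp` on the current host (root is needed
# to see process names for other users' sockets).
port_owner() {
  port=$1
  out=${2:-$(ss -Hltnp 2>/dev/null)}
  printf '%s\n' "$out" | awk -v p=":$port" '
    # field 4 is the local address; anchor on ":PORT" so :22 does not match :2222
    $4 ~ p"$" {
      if (match($0, /users:\(\("[^"]+"/)) {
        # strip the leading users:((" and the trailing quote
        print substr($0, RSTART + 9, RLENGTH - 10)
        exit
      }
    }'
}

# check_ssh_split [SS_OUTPUT]
# Returns 0 only if sshd is on tcp/2222 and tcp/22 is bound by something else.
check_ssh_split() {
  out=${1:-$(ss -Hltnp 2>/dev/null)}
  host_ssh=$(port_owner 2222 "$out")
  gitea_ssh=$(port_owner 22 "$out")
  if [ "$host_ssh" != "sshd" ]; then
    echo "FAIL: host sshd not listening on tcp/2222 (found: ${host_ssh:-nothing})"
    return 1
  fi
  if [ -z "$gitea_ssh" ] || [ "$gitea_ssh" = "sshd" ]; then
    echo "FAIL: tcp/22 is held by ${gitea_ssh:-nothing}; expected the Gitea container"
    return 1
  fi
  echo "OK: sshd on tcp/2222, tcp/22 -> $gitea_ssh"
}

check_ssh_split "$SAMPLE"
```

On the real host, call `check_ssh_split` with no argument after reloading `sshd` with the new `Port`. Open the new port in the host and OPNsense firewall rules before the reload, and keep the existing SSH session open until a fresh login on 2222 succeeds; otherwise a bad `sshd_config` locks you out of the VM.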
## things to set up
* Network UPS Tools (NUT)?
* Caddy
* Authentik
* Proxmox backup
* CrashPlan (or other backup service)
  * [Proxmox Crashplan](https://nguvu.org/proxmox/proxmox-crashplan-install/)
* https://github.com/nix-community/terraform-nixos/blob/master/examples/hermetic_config/default.tf
* https://spacelift.io/blog/terraform-proxmox-provider#5-run-terraform-to-create-the-vm
* Home auth
  * Windows auth
  * SSO access to services
* Bitwarden self-hosted org
  * [Self-host an Organization](https://bitwarden.com/help/self-host-an-organization/)
* OpenBao (Vault fork) - https://openbao.org/docs/install/
## things to research
* Pangolin
* Suricata
* [Wiki.js](https://js.wiki/)
* Komodo
  * https://github.com/moghtech/komodo
  * 🦎 a tool to build and deploy software on many servers 🦎
* headscale / tailscale
  * [GitHub - juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server](https://github.com/juanfont/headscale)
  * [Tailscale · Best VPN Service for Secure Networks](https://tailscale.com/)
### Home auth
## Hardware
* unnamed switch (TODO)
  * [Mikrotik CSS318-16G-2S+IN](https://mikrotik.com/product/css318_16g_2s_in#fndtn-downloads)
    * SwOS management interface: http://192.168.86.54
    * [manual](https://help.mikrotik.com/docs/spaces/SWOS/pages/76415036/CRS3xx+and+CSS326-24G-2S+series+Manual#CRS3xxandCSS32624G2S+seriesManual-LAG)
* proxmox1
  * Beelink Mini PC EQi12: Intel Core 1220P (max 4.4GHz, 10C/12T), 16GB DDR4, 500GB PCIe 4.0 SSD, dual LAN, WiFi 6, BT 5.2, dual 4K display, built-in power supply
* proxmox2
  * Beelink Mini PC EQi12: Intel Core 1220P (max 4.4GHz, 10C/12T), 16GB DDR4, 500GB PCIe 4.0 SSD, dual LAN, WiFi 6, BT 5.2, dual 4K display, built-in power supply
* proxmox3
  * Beelink Mini PC EQi12: Intel Core 1220P (max 4.4GHz, 10C/12T), 16GB DDR4, 500GB PCIe 4.0 SSD, dual LAN, WiFi 6, BT 5.2, dual 4K display, built-in power supply
* frigate
  * Beelink EQ14 Mini PC: Intel Twin Lake N150 (up to 3.6GHz), 16GB DDR4, 500GB NVMe SSD, dual 2.5G LAN, WiFi 6, BT 5.2, USB 3.2, dual HDMI 4K@60Hz
## Network
```mermaid
graph TD;
internet((Internet))<-->nest_wifi_pro(Nest Wifi Pro);
nest_wifi_pro<-->mikrotik;
mikrotik<==>LACP(LACP/VLAN trunk);
vlan42("vlan42 (home)");
vlan86("vlan86 (wifi)");
vlan60("vlan60 (work)");
vlan200("vlan200 (services)");
LACP<-->vlan42;
LACP<-->vlan60;
LACP<-->vlan86;
LACP<-->vlan200;
vlan42<-->proxmox_eth0[eth0]<-->proxmox;
vlan42<-->proxmox_eth1[eth1]<-->proxmox;
vlan60<-->proxmox_eth0[eth0]<-->proxmox;
vlan60<-->proxmox_eth1[eth1]<-->proxmox;
vlan86<-->proxmox_eth0[eth0]<-->proxmox;
vlan86<-->proxmox_eth1[eth1]<-->proxmox;
vlan200<-->proxmox_eth0[eth0]<-->proxmox;
vlan200<-->proxmox_eth1[eth1]<-->proxmox;
proxmox<-->bond0<-->vmbr0<-->VMs;
vlan200<-->vault_eth3[eth3]<-->vault;
vlan200<-->vault_eth4[eth4]<-->vault;
```
### DNS
```mermaid
graph LR;
internet((Internet))<-->porkbun;
porkbun<-->hobbithole_org(hobbithole.org);
hobbithole_org<-->opnsense;
opnsense<-->caddy;
caddy<-->vault;
caddy<-->proxmox;
opnsense<-->hh_lan(hh.lan)<-->bind<-->unbound;
unbound<-->vault;
unbound<-->proxmox;
proxmox[proxmox + VMs];
```
* External domain: `hobbithole.org`
  * Hosted on Squarespace, about to move over to Porkbun
    * Transfer requested [[2025-06-15]]
  * Email forwarding
    * gandalf@hobbithole.org --> gibsta@gmail.com
    * treasury@hobbithole.org --> hobbitholetreasury@googlegroups.com
  * Records
| Host | Type | Priority | TTL | Data |
| --- | --- | --- | --- | --- |
| @ | A | N/A | 4 hrs | 66.186.208.83 |
| backup | CNAME | N/A | 4 hrs | hobbithole.org |
| frigate | CNAME | N/A | 4 hrs | hobbithole.org |
| home | CNAME | N/A | 4 hrs | hobbithole.org |
| nestmtx | CNAME | N/A | 4 hrs | hobbithole.org |
| radarr | CNAME | N/A | 4 hrs | hobbithole.org |
| sab | CNAME | N/A | 4 hrs | hobbithole.org |
| sonarr | CNAME | N/A | 4 hrs | hobbithole.org |
| tv | CNAME | N/A | 4 hrs | hobbithole.org |
| vault | CNAME | N/A | 4 hrs | hobbithole.org |
| y3t4fz4ttvom | CNAME | N/A | 4 hrs | gv-3ccjjbudvp5ki7.dv.googlehosted.com |
| @ | MX | N/A | 4 hrs | mxa.mailgun.org |
| @ | MX | N/A | 4 hrs | mxb.mailgun.org |
| @ | TXT | N/A | 4 hrs | v=spf1 include:mailgun.org ~all |
| krs._domainkey | TXT | N/A | 4 hrs | k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDjzUREnJNjiTg2oKAUdaFixMkblPmbiQTW2kinGFIFji16qN50L02DyBxanRz9Z2IK/uhLJ0I4angMTuSr338/ZE6xfjuJIqNMIOw0kgPnxo4qj5HxDiygUSbLHuxMnWzlOddzGgHpytPgpk9gYlw3b2Tt0K5Ym20ie7GaAXv+QIDAQAB |
* Internal domain: `hh.lan`
  * Unbound transparent domain --> BIND authoritative domain
  * Hosted on OPNsense
* hobby domains
  * Transferring to Porkbun
    * b3n.ooo
    * benmiller.xyz
    * beepmill.com
### IPAM
* wifi: `192.168.86.0/24`
* home: `192.168.42.0/24`
* services: `192.168.200.0/24`
* work: `172.16.60.0/24`
## Proxmox
### Hosts
* `proxmox1.hh.lan`
  * 192.168.200.101
* `proxmox2.hh.lan`
  * 192.168.200.102
* `proxmox3.hh.lan`
  * 192.168.200.103
[//begin]: # "Autogenerated link references for markdown compatibility"
[2025-06-15]: 2025-06-15.md "2025-06-15"
[//end]: # "Autogenerated link references"