homefoam/homelab.md

homelab

• OPNsense firewall: https://opnsense.hh.lan:8443
• Proxmox virtualization cluster: https://proxmox1.hh.lan

services

• HomeAssistant home automation
  • http://homeassistant.local:8123/
  • https://ha.hh.lan
• Frigate NVR (security cameras): https://frigate.local:8971
• Paperless document repository
  • https://paperless.hobbithole.org
  • https://paperless.hh.lan

Gitea

• https://git.hobbithole.org
• http://gitea.hh.lan:3000
• SSH key stored in bitwarden
• used docker-compose-template VM template
• Moved host sshd to tcp:2222 so gitea container can use tcp:22

things to set up

• Network UPS Tool? (NUT)
• Caddy
• Authentik
• Proxmox backup
• CrashPlan (or other backup service)
• Home auth
  • Windows auth
  • SSO access to services
• Bitwarden self-hosted org
  • Self-host an Organization
• OpenBao (Vault fork) - https://openbao.org/docs/install/

things to research

• Pangolin
• Suricata
• Wiki.js
• Komodo
  • https://github.com/moghtech/komodo
  • 🦎 a tool to build and deploy software on many servers 🦎
• headscale / tailscale
  • GitHub - juanfont/headscale: An open source, self-hosted implementation of the Tailscale control server
  • Tailscale · Best VPN Service for Secure Networks

Home auth

Hardware

• unnamed switch (TODO)
  • Mikrotik CSS318-16G-2S+IN
  • SwOS management interface: http://192.168.86.54
  • manual
• proxmox1
  • Beelink Mini PC EQi12, Intel Core 1220P(Max 4.4GHz 10C/12T), 16GB DDR4 500GB PCle4.0 SSD Mini Computers,Dual LAN/Wifi6/BT5.2,Dual 4K Display,Built-in Power Supply Office PC
• proxmox2
  • Beelink Mini PC EQi12, Intel Core 1220P(Max 4.4GHz 10C/12T), 16GB DDR4 500GB PCle4.0 SSD Mini Computers,Dual LAN/Wifi6/BT5.2,Dual 4K Display,Built-in Power Supply Office PC
• proxmox3
  • Beelink Mini PC EQi12, Intel Core 1220P(Max 4.4GHz 10C/12T), 16GB DDR4 500GB PCle4.0 SSD Mini Computers,Dual LAN/Wifi6/BT5.2,Dual 4K Display,Built-in Power Supply Office PC
• frigate
  • Beelink EQ14 Mini PC, Intel Twin Lake N150(Up to 3.6GHz) 16GB DDR4 500GB NVMe SSD, 2.5G Dual LAN Mini Computer Supports WiFi6, BT5.2, USB3.2, 4K@60Hz Dual HDMI Display, Home-Server/Network Firewall

Network

graph TD;
  internet((Internet))<-->nest_wifi_pro(Nest Wifi Pro);
  nest_wifi_pro<-->mikrotik;
  mikrotik<==>LACP(LACP/VLAN trunk);
  vlan42("vlan42 (home)");
  vlan86("vlan86 (wifi)");
  vlan60("vlan60 (work)");
  vlan200("vlan200 (services)");
  LACP<-->vlan42;
  LACP<-->vlan60;
  LACP<-->vlan86;
  LACP<-->vlan200;
  vlan42<-->proxmox_eth0[eth0]<-->proxmox;
  vlan42<-->proxmox_eth1[eth1]<-->proxmox;
  vlan60<-->proxmox_eth0[eth0]<-->proxmox;
  vlan60<-->proxmox_eth1[eth1]<-->proxmox;
  vlan86<-->proxmox_eth0[eth0]<-->proxmox;
  vlan86<-->proxmox_eth1[eth1]<-->proxmox;
  vlan200<-->proxmox_eth0[eth0]<-->proxmox;
  vlan200<-->proxmox_eth1[eth1]<-->proxmox;
  proxmox<-->bond0<-->vmbr0<-->VMs;
  vlan200<-->vault_eth3[eth3]<-->vault;
  vlan200<-->vault_eth4[eth4]<-->vault;

DNS

graph LR;
  internet((Internet))<-->porkbun;
  porkbun<-->hobbithole_org(hobbithole.org);
  hobbithole_org<-->opnsense;
  opnsense<-->caddy;
  caddy<-->vault;
  caddy<-->proxmox;
  opnsense<-->hh_lan(hh.lan)<-->bind<-->unbound;
  unbound<-->vault;
  unbound<-->proxmox;
  proxmox[proxmox + VMs];

• External domain: hobbithole.org
  • Hosted on SquareSpace, about to move over to PorkBun
    • Transfer requested [2025-06-15]
  • Email forwarding
    • gandalf@hobbithole.org --> gibsta@gmail.com
    • treasury@hobbithole.org --> hobbitholetreasury@googlegroups.com
  • Records

Host	Type	Priority	TTL	Data
@	A	N/A	4 hrs	66.186.208.83
backup	CNAME	N/A	4 hrs	hobbithole.org
frigate	CNAME	N/A	4 hrs	hobbithole.org
home	CNAME	N/A	4 hrs	hobbithole.org
nestmtx	CNAME	N/A	4 hrs	hobbithole.org
radarr	CNAME	N/A	4 hrs	hobbithole.org
sab	CNAME	N/A	4 hrs	hobbithole.org
sonarr	CNAME	N/A	4 hrs	hobbithole.org
tv	CNAME	N/A	4 hrs	hobbithole.org
vault	CNAME	N/A	4 hrs	hobbithole.org
y3t4fz4ttvom	CNAME	N/A	4 hrs	gv-3ccjjbudvp5ki7.dv.googlehosted.com
@	MX	N/A	4 hrs	mxa.mailgun.org
@	MX	N/A	4 hrs	mxb.mailgun.org
@	TXT	N/A	4 hrs	v=spf1 include:mailgun.org ~all
krs._domainkey	TXT	N/A	4 hrs	k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDjzUREnJNjiTg2oKAUdaFixMkblPmbiQTW2kinGFIFji16qN50L02DyBxanRz9Z2IK/uhLJ0I4angMTuSr338/ZE6xfjuJIqNMIOw0kgPnxo4qj5HxDiygUSbLHuxMnWzlOddzGgHpytPgpk9gYlw3b2Tt0K5Ym20ie7GaAXv+QIDAQAB

• Internal domain: hh.lan
  • Unbound transparent domain --> BIND authoritative domain
    • Hosted on OPNsense

IPAM

• wifi: 192.168.86.0/24
• home: 192.168.42.0/24
• services: 192.168.200.0/24
• work: 172.16.60.0/24

Proxmox

Hosts

• proxmox1.hh.lan
  • 192.168.200.101
• proxmox2.hh.lan
  • 192.168.200.102
• proxmox3.hh.lan
  • 192.168.200.103