From aa5eacf9ce8fc4df7e16cd396ca73ffffba4b174 Mon Sep 17 00:00:00 2001 From: Mikkel Georgsen Date: Wed, 4 Feb 2026 22:10:23 +0000 Subject: [PATCH] docs: update homelab documentation, CLAUDE.md, and TODOs - Add updates helper script docs and version checking guidance to CLAUDE.md - Update container IPs from DHCP to static, add new containers (lisotex, debate-builder) - Add DragonflyDB stack, NPM proxy entries, DNS records - Add incident log (Hetzner MAC warning, BSI portmapper) - Add new TODOs (RustDesk, dns-services helper, mh.datalos.dk) Co-Authored-By: Claude Opus 4.5 --- CLAUDE.md | 27 ++++++++- TODO.md | 6 ++ homelab-documentation.md | 120 ++++++++++++++++++++++++++++++++++----- 3 files changed, 139 insertions(+), 14 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 8a35667..f9dc0de 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -13,7 +13,7 @@ This is the management container (VMID 102) for Mikkel's homelab infrastructure. - **SSH Keys:** Pre-installed for accessing other containers/VMs - **User:** mikkel (UID 1000, group georgsen GID 1000) - **Python venv:** ~/venv (activate with `source ~/venv/bin/activate`) -- **Helper scripts:** ~/bin (pve, npm-api, dns, pbs, beszel, kuma, telegram) +- **Helper scripts:** ~/bin (pve, npm-api, dns, pbs, beszel, kuma, telegram, updates) - **Git repos:** ~/repos - **Shared storage:** ~/stuff (ZFS bind mount, shared across containers, SMB accessible) 
@@ -118,6 +118,18 @@ The `~/bin/kuma` script manages Uptime Kuma monitors: ~/bin/kuma resume # Resume monitor ``` +## Service Updates + +The `~/bin/updates` script checks for and applies updates across all homelab services: +```bash +~/bin/updates check # Check all services for available updates +~/bin/updates update [-y] # Update one or more services +``` + +**Tracked services:** dragonfly, beszel, uptime-kuma, snappymail, dockge, npm, forgejo, dns, pbs + +Checks Docker image versions (Dockge + NPM), LXC service binaries (Forgejo, Technitium DNS), and apt packages (PBS) against GitHub/Codeberg releases. + ## Telegram Bot Two-way interactive bot for homelab management and communication with Claude. @@ -212,6 +224,19 @@ ssh root@10.5.0.254 'pct exec -- setcap cap_net_raw+ep /bin/ping' Note: Must be re-applied after `iputils-ping` package upgrades. +## CRITICAL: Software Versions + +**NEVER use version numbers from training data.** Always fetch the latest version dynamically: + +```bash +# GitHub releases - get latest tag +curl -s https://api.github.com/repos/OWNER/REPO/releases/latest | jq -r .tag_name + +# Or check the project's download page/API +``` + +Training data is outdated the moment it's created. Hardcoding versions like `v1.27.1` when the latest is `v1.30.0` is unacceptable. Always query the source. + ## User Preferences - Python and Batch for scripting diff --git a/TODO.md b/TODO.md index 8ea8f8a..fe39da9 100644 --- a/TODO.md +++ b/TODO.md 
@@ -22,6 +22,12 @@ - [ ] **Build Hoodik Android app** - Hoodik is web-only, create a native Android app for it. Rust backend + Vue frontend, E2E encrypted. +- [ ] **Deploy self-hosted RustDesk server** - Run hbbs+hbbr on core.georgsen.dk for reliable NAT traversal and private relay when connecting from outside LAN. Eliminates dependency on public RustDesk relay servers. + +- [ ] **Create dns.services helper script** - API works (credentials in ~/homelab/dns-services/credentials), need to create ~/bin/dns-services helper. Endpoint: `POST /service/{service_id}/dns/{zone_id}/records`. service_id=1389, datalos.dk zone_id=15365. + +- [ ] **Add mh.datalos.dk DNS record** - CNAME to core.georgsen.dk (for generic-beregner app on general:3002). NPM proxy already configured (ID 18). + - [ ] **Fix ping on all unprivileged containers** - Run `setcap cap_net_raw+ep /bin/ping` on each container (requires restart or at least root access inside container) - Containers to fix: 100 (npm), 101 (dockge), 102 (mgmt), 103 (postgresql01), 104 (redis01), 105 (sentry), 107 (pve-scripts-local), 108 (jukebox), 110 (sense), 111 (dev), 112 (dataloes), 114 (forgejo), 115 (dns), 1000 (tailscale) - Skip: 106 (pbs) - privileged container, 113 (general) - already done diff --git a/homelab-documentation.md b/homelab-documentation.md index 48887d2..45bf38c 100644 --- a/homelab-documentation.md +++ b/homelab-documentation.md 
@@ -141,19 +141,21 @@ Saved with: `netfilter-persistent save` | 100 | npm | 10.5.0.1 | Nginx Proxy Manager | Running | | 101 | dockge | 10.5.0.10 | Docker Compose Manager | Running | | 102 | mgmt | 10.5.0.108 | Management/Automation (Claude Code) | Running | -| 103 | postgresql01 | DHCP | PostgreSQL (community) | Running | -| 104 | redis01 | DHCP | Redis (community) | Running | -| 105 | sentry | DHCP | Defense Intelligence System | Running | +| 103 | postgresql01 | 10.5.0.109 | PostgreSQL (community) | Running | +| 104 | redis01 | 10.5.0.111 | Redis (community) | Running | +| 105 | sentry | 10.5.0.168 | Defense Intelligence System | Running | | 106 | pbs | 10.5.0.6 | Proxmox Backup Server | Running | -| 107 | pve-scripts-local | DHCP | Community Scripts Web UI | Running | -| 108 | jukebox | DHCP (→10.5.0.184) | Music Player (custom project) | Running | +| 107 | pve-scripts-local | 10.5.0.110 | Community Scripts Web UI | Running | +| 108 | jukebox | 10.5.0.184 | Music Player (custom project) | Running | | 110 | sense.microsux.dk | DHCP | CBD Vendor Locator | Stopped | -| 111 | dev | DHCP | Development container | Running | -| 112 | dataloes | 10.5.0.112 | dataloes.dk website | Stopped | -| 113 | general | 10.5.0.113 | Decomissioned | Stopped | +| 111 | dev | 10.5.0.153 | Development container | Running | +| 112 | dataloes | 10.5.0.112 | dataloes.dk website | Running | +| 113 | general | 10.5.0.113 | General purpose container | Running | | 114 | forgejo | 10.5.0.14 | Git server (Forgejo) | Running | | 115 | dns | 10.5.0.2 | DNS server (Technitium) | Running | -| 1000 | tailscale | 10.5.0.x + 10.9.1.10 | Tailscale relay | Running | +| 116 | lisotex | 10.5.0.116 | lisotex.dk website | Running | +| 120 | debate-builder | 10.5.0.171 | Debate builder app (KVM) | Running | +| 1000 | tailscale | 10.5.0.134 + 10.9.1.10 | Tailscale relay | Running | ### Container Details 
@@ -180,6 +182,9 @@ cd /opt/npm && docker compose pull && docker compose up -d | dockge.georgsen.dk | http://10.5.0.10:5001 | Let's Encrypt | | git.georgsen.dk | http://10.5.0.14:3000 | Let's Encrypt | | jukebox.georgsen.dk | http://10.5.0.184:4000 | Let's Encrypt | +| lisotex.dk, *.lisotex.dk | http://10.5.0.116:3000 | Pending | +| lisoflex.lisotex.dk | http://10.5.0.116:4000 | Pending | +| lisotex.datalos.dk | http://10.5.0.116:3000 | Pending | | pbs.georgsen.dk | https://10.5.0.6:8007 | Let's Encrypt | | status.georgsen.dk | http://10.5.0.10:3001 | Let's Encrypt | | webmail.georgsen.dk | http://10.5.0.10:8888 | Let's Encrypt | @@ -190,6 +195,8 @@ cd /opt/npm && docker compose pull && docker compose up -d - **Purpose:** Docker Compose stack management - **IP:** 10.5.0.10 - **Port:** 5001 +- **LXC extras:** `lxc.prlimit.memlock: unlimited` (required for DragonflyDB ulimits in unprivileged container) +- **SSH:** root key installed for mgmt (102) access **Running Stacks:** ```yaml @@ -225,6 +232,22 @@ services: - 8090:8090 volumes: - ./data:/beszel_data + +# DragonflyDB (in-memory datastore, Redis-compatible) +services: + dragonfly: + image: docker.dragonflydb.io/dragonflydb/dragonfly:latest + container_name: dragonfly + restart: unless-stopped + ports: + - 6379:6379 + volumes: + - ./data:/data + ulimits: + memlock: -1 + command: ["--requirepass", "nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI"] +# Password: nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI +# Connect: redis-cli -h 10.5.0.10 -p 6379 -a 'nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI' ``` #### 105: Sentry (Defense Intelligence) @@ -435,6 +458,15 @@ Requires=mnt-synology.mount | forgejo | 10.5.0.14 | | git | 10.5.0.14 | | mgmt | 10.5.0.108 | +| postgresql01 | 10.5.0.109 | +| pve-scripts | 10.5.0.110 | +| redis01 | 10.5.0.111 | +| lisotex | 10.5.0.116 | +| tailscale | 10.5.0.134 | +| dev | 10.5.0.153 | +| sentry | 10.5.0.168 | +| debate-builder | 10.5.0.171 | +| jukebox | 10.5.0.184 | --- 
@@ -560,9 +592,7 @@ Personal company website ``` 2. **Containers to evaluate:** - - 110 (sense.microsux.dk) - Consider consolidating - - 112 (dataloes) - Stopped - - 113 (general) - Decomissioned, can remove + - 110 (sense.microsux.dk) - Stopped, consider consolidating 3. **DHCP vs Static IPs:** - Containers .112 and .113 have static IPs inside DHCP range (100-200) @@ -598,6 +628,13 @@ Personal company website | PBS | 10.5.0.6 | | Dockge | 10.5.0.10 | | Forgejo | 10.5.0.14 | +| mgmt | 10.5.0.108 | +| PostgreSQL | 10.5.0.109 | +| redis01 | 10.5.0.111 | +| lisotex | 10.5.0.116 | +| dev | 10.5.0.153 | +| sentry | 10.5.0.168 | +| jukebox | 10.5.0.184 | | Synology (Tailscale) | 100.105.26.130 | | PBS (Tailscale) | 100.115.85.120 | @@ -636,6 +673,13 @@ Personal company website - **Config:** ~/homelab/npm/npm-api.conf (symlinked) - **Helper:** ~/bin/npm-api (--host-list, --host-create, --host-delete, --cert-list) +### DragonflyDB (from mgmt container) + +- **Host:** 10.5.0.10:6379 (Docker in Dockge) +- **Protocol:** Redis-compatible (use redis-cli or any Redis client library) +- **Password:** `nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI` +- **Connect:** `redis-cli -h 10.5.0.10 -p 6379 -a 'nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI'` + ### DNS API (from mgmt container) - **Config:** ~/homelab/dns/credentials (symlinked to ~/.config/dns) 
@@ -649,4 +693,54 @@ Personal company website --- -*Last updated: 2026-01-14* +## Incident Log + +### 2026-01-12: Hetzner MAC Address Warning (Incident) + +**Ticket:** #2760303 +**Received:** 2026-01-12 +**Investigated:** 2026-01-22 + +**Issue:** Hetzner detected unallowed MAC addresses on the WAN interface (vmbr0). + +**Unallowed MACs:** +- `bc:24:11:0f:6b:7c` +- `bc:24:11:74:1c:72` + +**Allowed MACs:** +- `a8:a1:59:8e:72:c3` (physical NIC enp9s0) +- `00:50:56:00:04:21` (VM 200 mail server) + +**Investigation:** +- All current LXC containers are on vmbr1 (internal), not vmbr0 +- The flagged MACs follow Proxmox LXC naming convention (`bc:24:11`) but don't match any current container +- No `bc:24:11` MACs visible on enp9s0 in live packet capture +- Mail VM (200) has correct MAC, no Docker installed +- DNAT/MASQUERADE properly isolates internal traffic + +**Root cause:** Unknown. Likely from deleted containers during infrastructure rebuild, or brief misconfiguration during setup. + +**Resolution:** Current configuration verified correct. Response sent to Hetzner explaining setup and that flagged MACs are not recognized. + +--- + +### 2026-01-13: BSI Portmapper Warning (Incident) + +**Source:** German Federal Office for Information Security (BSI) via Hetzner + +**Issue:** Port 111 (portmapper/rpcbind) was accessible from the internet, potentially usable for DDoS reflection attacks. + +**Scan timestamp:** 2026-01-13 01:37:40 UTC + +**Timeline:** +- 2026-01-11: Firewall rules file created +- 2026-01-13 01:37:40: BSI scan detected open port 111 +- 2026-01-14 14:58:07: Firewall rules properly configured and saved + +**Resolution:** Port 111 is now blocked on vmbr0 (home IP whitelisted). The scan occurred before the fix was applied. No further action needed - future scans should show port as closed. + +**Current status:** Verified blocked via iptables rules (76 UDP, 462 TCP packets dropped as of 2026-01-22). + +--- + +*Last updated: 2026-01-28*
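Review bot: the `~/bin/updates update [-y]` description in the CLAUDE.md hunk at @@ -118,6 +118,18 @@ says what is tracked but not what is trusted. The script applies Docker image updates (Dockge, NPM), LXC binaries (Forgejo, Technitium DNS) and PBS apt packages non-interactively with `-y`, yet the doc does not say whether image pulls are pinned to a release tag or digest rather than a moving tag, or how the binaries fetched from GitHub/Codeberg releases are verified (checksum file or signature) before install. Suggest one sentence per source naming its verification step, and stating that `-y` is only honoured for sources that have one.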
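Review bot: in the CLAUDE.md hunk at @@ -212,6 +224,19 @@, the snippet `curl -s https://api.github.com/repos/OWNER/REPO/releases/latest | jq -r .tag_name` silently prints `null` when the request fails, for example when the unauthenticated GitHub API rate limit is hit and a JSON error body comes back instead of a release object, and since the whole point of this section is that a wrong version must never be used, that failure should be loud. Suggest `curl -fsS` so an HTTP error status makes the pipeline fail, plus a check that the result is non-empty and not `null` before it is used; also worth noting in the text that `.tag_name` usually carries a `v` prefix that callers need to strip or expect.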
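Review bot: the new RustDesk item in the TODO.md hunk at @@ -22,6 +22,12 @@ will open listening ports on core.georgsen.dk, the same host where the incident log added by this patch records BSI flagging an exposed port 111. The item should include updating and saving the vmbr0 firewall rules (`netfilter-persistent save`, as the documentation already describes) so only the ports hbbs/hbbr actually need are reachable, and pinning the server's public key in the clients so they refuse any other relay. In the dns.services item, `service_id=1389` and `datalos.dk zone_id=15365` are fine to keep, but when the helper is written it should read only the credentials path (`~/homelab/dns-services/credentials`) and not carry any secret inline.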
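Review bot: in the homelab-documentation.md hunk at @@ -141,19 +141,21 @@ the addresses now listed as static for containers 103, 104, 107, 108, 111, 116, 120 and 1000 (.109, .111, .110, .184, .153, .116, .171, .134) all fall inside the DHCP pool that the `DHCP vs Static IPs` section describes as 100-200, and that section (context line in the hunk at @@ -560,9 +592,7 @@) still mentions only .112 and .113. Either these are DHCP reservations on the DNS/DHCP server, in which case the table should say so, or they are true static addresses, in which case the pool should be shrunk or the reservations documented so the DHCP server cannot hand one of them to a new guest. Suggest updating the `DHCP vs Static IPs` list in the same commit.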
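Review bot: in the homelab-documentation.md hunk at @@ -190,6 +195,8 @@, `- **SSH:** root key installed for mgmt (102) access` gives the management container, which this patch itself describes as running Claude Code automation, unrestricted root on the host that runs every Docker stack (NPM, Dockge, Beszel, Uptime Kuma, DragonflyDB), so a single mistaken or prompted command from the agent can alter or take down all of them. Suggest a dedicated non-root user in the `docker` group, or a `command=`-restricted `authorized_keys` entry limited to the compose operations the helper scripts need, and recording in the doc which key and which restrictions apply so it can be audited later alongside the `lxc.prlimit.memlock` note.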
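Review bot: in the homelab-documentation.md hunk at @@ -225,6 +232,22 @@ the DragonflyDB `--requirepass` value appears three times in plaintext (the `command:` line, the `# Password:` comment and the `# Connect:` comment) in a Markdown file that this commit pushes into git history, so the credential has to be treated as exposed from now on regardless of later edits. Suggest replacing it in the doc with a reference to a credentials file, following the pattern the doc already uses for DNS (`~/homelab/dns/credentials`), passing it to the container through an env file rather than the command line (command lines are visible in process listings on the host), and rotating the password. Two smaller points: `ports: - 6379:6379` publishes on all host interfaces, so binding it explicitly as `10.5.0.10:6379:6379` keeps it off any other interface Dockge acquires, and `image: ...:latest` leaves `~/bin/updates check` with no concrete version to compare against, so pin a release tag.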
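Review bot: the `### DragonflyDB (from mgmt container)` hunk at @@ -636,6 +673,13 @@ repeats the same password in both the `**Password:**` and `**Connect:**` lines; give it the same treatment as the `### DNS API` section right below it, a `**Config:**` line pointing at a credentials file and a helper invocation, with no literal secret in the doc.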
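Review bot: in the incident log hunk at @@ -649,4 +693,54 @@, the BSI portmapper entry records the firewall fix but not whether rpcbind is still running on the host; unless the Synology mount (`mnt-synology.mount`) is NFS and needs it, disabling and masking the service removes the exposure entirely instead of relying on the vmbr0 rule, and the log should state which was done. The `Current status` counters (76 UDP, 462 TCP dropped) are more useful with the exact rule quoted (the `iptables -S` line) so a future reader can confirm it survived a `netfilter-persistent` reload. For the Hetzner MAC entry, root cause is left as `Unknown` with no preventive control recorded; suggest adding a bridge-level filter on vmbr0 that drops frames whose source MAC is not `a8:a1:59:8e:72:c3` or `00:50:56:00:04:21`, and noting the check that confirmed the cleanup, so a recurrence is caught locally before the next ticket arrives.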