docs: update homelab documentation, CLAUDE.md, and TODOs

- Add updates helper script docs and version checking guidance to CLAUDE.md
- Update container IPs from DHCP to static, add new containers (lisotex, debate-builder)
- Add DragonflyDB stack, NPM proxy entries, DNS records
- Add incident log (Hetzner MAC warning, BSI portmapper)
- Add new TODOs (RustDesk, dns-services helper, mh.datalos.dk)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Mikkel Georgsen 2026-02-04 22:10:23 +00:00
parent 2d0d4da992
commit aa5eacf9ce
3 changed files with 139 additions and 14 deletions


@ -13,7 +13,7 @@ This is the management container (VMID 102) for Mikkel's homelab infrastructure.
- **SSH Keys:** Pre-installed for accessing other containers/VMs
- **User:** mikkel (UID 1000, group georgsen GID 1000)
- **Python venv:** ~/venv (activate with `source ~/venv/bin/activate`)
- **Helper scripts:** ~/bin (pve, npm-api, dns, pbs, beszel, kuma, telegram)
- **Helper scripts:** ~/bin (pve, npm-api, dns, pbs, beszel, kuma, telegram, updates)
- **Git repos:** ~/repos
- **Shared storage:** ~/stuff (ZFS bind mount, shared across containers, SMB accessible)
@ -118,6 +118,18 @@ The `~/bin/kuma` script manages Uptime Kuma monitors:
~/bin/kuma resume <id> # Resume monitor
```
## Service Updates
The `~/bin/updates` script checks for and applies updates across all homelab services:
```bash
~/bin/updates check # Check all services for available updates
~/bin/updates update <name|all> [-y] # Update one or more services
```
**Tracked services:** dragonfly, beszel, uptime-kuma, snappymail, dockge, npm, forgejo, dns, pbs
Checks Docker image versions (Dockge + NPM), LXC service binaries (Forgejo, Technitium DNS), and apt packages (PBS) against GitHub/Codeberg releases.
## Telegram Bot
Two-way interactive bot for homelab management and communication with Claude.
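Review bot: `~/bin/updates update all -y` is documented as an unattended run across every tracked service, but the section does not say what happens when one service fails (continue or abort) or what is preserved before an LXC binary (Forgejo, Technitium DNS) is replaced or apt runs on PBS. Suggest one sentence on failure behaviour and rollback, e.g. that the previous binary is kept or a snapshot is taken first, so that a `-y` run over `all` is recoverable.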
@ -212,6 +224,19 @@ ssh root@10.5.0.254 'pct exec <vmid> -- setcap cap_net_raw+ep /bin/ping'
Note: Must be re-applied after `iputils-ping` package upgrades.
## CRITICAL: Software Versions
**NEVER use version numbers from training data.** Always fetch the latest version dynamically:
```bash
# GitHub releases - get latest tag
curl -s https://api.github.com/repos/OWNER/REPO/releases/latest | jq -r .tag_name
# Or check the project's download page/API
```
Training data is outdated the moment it's created. Hardcoding versions like `v1.27.1` when the latest is `v1.30.0` is unacceptable. Always query the source.
## User Preferences
- Python and Batch for scripting
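Review bot: the `curl -s ... | jq -r .tag_name` one-liner has no error handling: unauthenticated calls to api.github.com are rate-limited, and on a 403 or 404 the pipeline prints `null` instead of failing, so a script that interpolates the result would build a download URL containing `null`. Suggest `curl -fsS` so HTTP errors fail the pipeline, plus a guard such as `[ "$tag" != null ] || exit 1` before the value is used. Worth adding that `releases/latest` excludes pre-releases and tags that were never published as a release, which matters for projects that only tag.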


@ -22,6 +22,12 @@
- [ ] **Build Hoodik Android app** - Hoodik is web-only, create a native Android app for it. Rust backend + Vue frontend, E2E encrypted.
- [ ] **Deploy self-hosted RustDesk server** - Run hbbs+hbbr on core.georgsen.dk for reliable NAT traversal and private relay when connecting from outside LAN. Eliminates dependency on public RustDesk relay servers.
- [ ] **Create dns.services helper script** - API works (credentials in ~/homelab/dns-services/credentials), need to create ~/bin/dns-services helper. Endpoint: `POST /service/{service_id}/dns/{zone_id}/records`. service_id=1389, datalos.dk zone_id=15365.
- [ ] **Add mh.datalos.dk DNS record** - CNAME to core.georgsen.dk (for generic-beregner app on general:3002). NPM proxy already configured (ID 18).
- [ ] **Fix ping on all unprivileged containers** - Run `setcap cap_net_raw+ep /bin/ping` on each container (requires restart or at least root access inside container)
- Containers to fix: 100 (npm), 101 (dockge), 102 (mgmt), 103 (postgresql01), 104 (redis01), 105 (sentry), 107 (pve-scripts-local), 108 (jukebox), 110 (sense), 111 (dev), 112 (dataloes), 114 (forgejo), 115 (dns), 1000 (tailscale)
- Skip: 106 (pbs) - privileged container, 113 (general) - already done
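Review bot: the RustDesk TODO should record which inbound ports hbbs and hbbr need on core.georgsen.dk, so the vmbr0 firewall rules (the file referenced in the incident log) get updated in the same change rather than the service being exposed or silently unreachable. For the dns.services item, the credentials path `~/homelab/dns-services/credentials` follows the existing convention; the planned `~/bin/dns-services` helper should read it the same way `~/bin/npm-api` does rather than taking the key on the command line.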


@ -141,19 +141,21 @@ Saved with: `netfilter-persistent save`
| 100 | npm | 10.5.0.1 | Nginx Proxy Manager | Running |
| 101 | dockge | 10.5.0.10 | Docker Compose Manager | Running |
| 102 | mgmt | 10.5.0.108 | Management/Automation (Claude Code) | Running |
| 103 | postgresql01 | DHCP | PostgreSQL (community) | Running |
| 104 | redis01 | DHCP | Redis (community) | Running |
| 105 | sentry | DHCP | Defense Intelligence System | Running |
| 103 | postgresql01 | 10.5.0.109 | PostgreSQL (community) | Running |
| 104 | redis01 | 10.5.0.111 | Redis (community) | Running |
| 105 | sentry | 10.5.0.168 | Defense Intelligence System | Running |
| 106 | pbs | 10.5.0.6 | Proxmox Backup Server | Running |
| 107 | pve-scripts-local | DHCP | Community Scripts Web UI | Running |
| 108 | jukebox | DHCP (→10.5.0.184) | Music Player (custom project) | Running |
| 107 | pve-scripts-local | 10.5.0.110 | Community Scripts Web UI | Running |
| 108 | jukebox | 10.5.0.184 | Music Player (custom project) | Running |
| 110 | sense.microsux.dk | DHCP | CBD Vendor Locator | Stopped |
| 111 | dev | DHCP | Development container | Running |
| 112 | dataloes | 10.5.0.112 | dataloes.dk website | Stopped |
| 113 | general | 10.5.0.113 | Decomissioned | Stopped |
| 111 | dev | 10.5.0.153 | Development container | Running |
| 112 | dataloes | 10.5.0.112 | dataloes.dk website | Running |
| 113 | general | 10.5.0.113 | General purpose container | Running |
| 114 | forgejo | 10.5.0.14 | Git server (Forgejo) | Running |
| 115 | dns | 10.5.0.2 | DNS server (Technitium) | Running |
| 1000 | tailscale | 10.5.0.x + 10.9.1.10 | Tailscale relay | Running |
| 116 | lisotex | 10.5.0.116 | lisotex.dk website | Running |
| 120 | debate-builder | 10.5.0.171 | Debate builder app (KVM) | Running |
| 1000 | tailscale | 10.5.0.134 + 10.9.1.10 | Tailscale relay | Running |
### Container Details
@ -180,6 +182,9 @@ cd /opt/npm && docker compose pull && docker compose up -d
| dockge.georgsen.dk | http://10.5.0.10:5001 | Let's Encrypt |
| git.georgsen.dk | http://10.5.0.14:3000 | Let's Encrypt |
| jukebox.georgsen.dk | http://10.5.0.184:4000 | Let's Encrypt |
| lisotex.dk, *.lisotex.dk | http://10.5.0.116:3000 | Pending |
| lisoflex.lisotex.dk | http://10.5.0.116:4000 | Pending |
| lisotex.datalos.dk | http://10.5.0.116:3000 | Pending |
| pbs.georgsen.dk | https://10.5.0.6:8007 | Let's Encrypt |
| status.georgsen.dk | http://10.5.0.10:3001 | Let's Encrypt |
| webmail.georgsen.dk | http://10.5.0.10:8888 | Let's Encrypt |
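Review bot: the three new hosts are marked `Pending` for the certificate, but `lisotex.dk, *.lisotex.dk` is a wildcard, which Let's Encrypt only issues via a DNS-01 challenge (NPM needs a DNS provider configured for that), whereas `lisoflex.lisotex.dk` and `lisotex.datalos.dk` can use HTTP-01 like the existing entries. Suggest noting the intended validation method per entry so `Pending` is actionable.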
@ -190,6 +195,8 @@ cd /opt/npm && docker compose pull && docker compose up -d
- **Purpose:** Docker Compose stack management
- **IP:** 10.5.0.10
- **Port:** 5001
- **LXC extras:** `lxc.prlimit.memlock: unlimited` (required for DragonflyDB ulimits in unprivileged container)
- **SSH:** root key installed for mgmt (102) access
**Running Stacks:**
```yaml
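Review bot: `lxc.prlimit.memlock: unlimited` lifts the lock limit for every process in the dockge container, not only DragonflyDB; it pairs with the `ulimits: memlock: -1` in the DragonflyDB stack in this commit, and the two should be documented as a pair so a future cleanup does not drop one and leave the other failing at start.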
@ -225,6 +232,22 @@ services:
- 8090:8090
volumes:
- ./data:/beszel_data
# DragonflyDB (in-memory datastore, Redis-compatible)
services:
dragonfly:
image: docker.dragonflydb.io/dragonflydb/dragonfly:latest
container_name: dragonfly
restart: unless-stopped
ports:
- 6379:6379
volumes:
- ./data:/data
ulimits:
memlock: -1
command: ["--requirepass", "nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI"]
# Password: nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI
# Connect: redis-cli -h 10.5.0.10 -p 6379 -a 'nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI'
```
#### 105: Sentry (Defense Intelligence)
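Review bot: the DragonflyDB password appears in clear text three times in this hunk (`--requirepass`, the `# Password:` comment and the `# Connect:` line) and is now in git history; treat it as disclosed, rotate it, and keep the value out of the docs, e.g. `command: ["--requirepass", "${DRAGONFLY_PASSWORD}"]` with the value in the stack's `.env` file or a `~/homelab/...` credentials file as the NPM and DNS sections already do. Also `- 6379:6379` publishes the datastore on every interface of the dockge host; if only mgmt consumes it, bind to a specific address (`10.5.0.10:6379:6379`). The `:latest` tag means the running version is not recorded anywhere, which makes the `updates check` comparison for `dragonfly` hard to reason about.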
@ -435,6 +458,15 @@ Requires=mnt-synology.mount
| forgejo | 10.5.0.14 |
| git | 10.5.0.14 |
| mgmt | 10.5.0.108 |
| postgresql01 | 10.5.0.109 |
| pve-scripts | 10.5.0.110 |
| redis01 | 10.5.0.111 |
| lisotex | 10.5.0.116 |
| tailscale | 10.5.0.134 |
| dev | 10.5.0.153 |
| sentry | 10.5.0.168 |
| debate-builder | 10.5.0.171 |
| jukebox | 10.5.0.184 |
---
@ -560,9 +592,7 @@ Personal company website
```
2. **Containers to evaluate:**
- 110 (sense.microsux.dk) - Consider consolidating
- 112 (dataloes) - Stopped
- 113 (general) - Decomissioned, can remove
- 110 (sense.microsux.dk) - Stopped, consider consolidating
3. **DHCP vs Static IPs:**
- Containers .112 and .113 have static IPs inside DHCP range (100-200)
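Review bot: the remaining item `Containers .112 and .113 have static IPs inside DHCP range (100-200)` is now incomplete: this commit converts .109, .110, .111, .116, .134, .153, .168, .171 and .184 to static as well, all inside that range. Either extend the list or record that these addresses are reserved in the DHCP server (Technitium on 10.5.0.2) so the cleanup item stays accurate and a DHCP lease cannot collide with them.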
@ -598,6 +628,13 @@ Personal company website
| PBS | 10.5.0.6 |
| Dockge | 10.5.0.10 |
| Forgejo | 10.5.0.14 |
| mgmt | 10.5.0.108 |
| PostgreSQL | 10.5.0.109 |
| redis01 | 10.5.0.111 |
| lisotex | 10.5.0.116 |
| dev | 10.5.0.153 |
| sentry | 10.5.0.168 |
| jukebox | 10.5.0.184 |
| Synology (Tailscale) | 100.105.26.130 |
| PBS (Tailscale) | 100.115.85.120 |
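Review bot: this quick-reference list omits pve-scripts (10.5.0.110) and debate-builder (10.5.0.171), which the container table and the DNS records table in this same commit both include; add them so the three lists agree.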
@ -636,6 +673,13 @@ Personal company website
- **Config:** ~/homelab/npm/npm-api.conf (symlinked)
- **Helper:** ~/bin/npm-api (--host-list, --host-create, --host-delete, --cert-list)
### DragonflyDB (from mgmt container)
- **Host:** 10.5.0.10:6379 (Docker in Dockge)
- **Protocol:** Redis-compatible (use redis-cli or any Redis client library)
- **Password:** `nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI`
- **Connect:** `redis-cli -h 10.5.0.10 -p 6379 -a 'nUq/IfoIQJf/kouckKHRQOk7vV0NwCuI'`
### DNS API (from mgmt container)
- **Config:** ~/homelab/dns/credentials (symlinked to ~/.config/dns)
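Review bot: the password is duplicated here from the stack definition; since this section, like the NPM and DNS ones around it, documents access from mgmt, point at a credentials file (e.g. `~/homelab/dragonfly/credentials`, a suggested path that does not exist yet) instead of embedding the secret a second time, so a rotation has one place to update and the docs stop carrying the value.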
@ -649,4 +693,54 @@ Personal company website
---
*Last updated: 2026-01-14*
## Incident Log
### 2026-01-12: Hetzner MAC Address Warning (Incident)
**Ticket:** #2760303
**Received:** 2026-01-12
**Investigated:** 2026-01-22
**Issue:** Hetzner detected unallowed MAC addresses on the WAN interface (vmbr0).
**Unallowed MACs:**
- `bc:24:11:0f:6b:7c`
- `bc:24:11:74:1c:72`
**Allowed MACs:**
- `a8:a1:59:8e:72:c3` (physical NIC enp9s0)
- `00:50:56:00:04:21` (VM 200 mail server)
**Investigation:**
- All current LXC containers are on vmbr1 (internal), not vmbr0
- The flagged MACs follow Proxmox LXC naming convention (`bc:24:11`) but don't match any current container
- No `bc:24:11` MACs visible on enp9s0 in live packet capture
- Mail VM (200) has correct MAC, no Docker installed
- DNAT/MASQUERADE properly isolates internal traffic
**Root cause:** Unknown. Likely from deleted containers during infrastructure rebuild, or brief misconfiguration during setup.
**Resolution:** Current configuration verified correct. Response sent to Hetzner explaining setup and that flagged MACs are not recognized.
---
### 2026-01-13: BSI Portmapper Warning (Incident)
**Source:** German Federal Office for Information Security (BSI) via Hetzner
**Issue:** Port 111 (portmapper/rpcbind) was accessible from the internet, potentially usable for DDoS reflection attacks.
**Scan timestamp:** 2026-01-13 01:37:40 UTC
**Timeline:**
- 2026-01-11: Firewall rules file created
- 2026-01-13 01:37:40: BSI scan detected open port 111
- 2026-01-14 14:58:07: Firewall rules properly configured and saved
**Resolution:** Port 111 is now blocked on vmbr0 (home IP whitelisted). The scan occurred before the fix was applied. No further action needed - future scans should show port as closed.
**Current status:** Verified blocked via iptables rules (76 UDP, 462 TCP packets dropped as of 2026-01-22).
---
*Last updated: 2026-01-28*
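Review bot: the BSI entry closes with `future scans should show port as closed`, but an iptables drop produces a filtered (no response) result rather than a closed port, and the entry does not say whether `rpcbind` is still listening on the host; if portmapper is not needed on the PVE host, disabling the service removes the exposure independently of firewall state and is worth recording as a follow-up. For the Hetzner entry, with the root cause unknown, consider documenting a source-MAC restriction on vmbr0 egress limited to the two allowed addresses, so a repeat is blocked rather than only noticed by Hetzner. Also the footer `*Last updated: 2026-01-28*` predates this commit (2026-02-04) and should be bumped.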