giteaadmin
/
HomeLabDocs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

First Commit

This commit is contained in:
Christopher Darrigo 2025-07-11 16:45:09 -04:00
commit 46cb1fadb9
16 changed files with 1660 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
README.md Normal file
View File

@ -0,0 +1,40 @@
# Homelab Service Documentation Index
This repository contains Markdown-based documentation for each core service running in the homelab. Each document includes details such as IP address, container ID, ports, platform, backup and monitoring plans, and configuration paths.
## 📄 Service Docs
- [Overview Table](./homelab_services_overview.md)
- [Home Assistant (100)](./home_assistant_doc.md)
- [Pi-hole (103)](./pihole_doc.md)
- [Plex (102)](./plex_doc.md)
- [Sonarr (104)](./sonarr_doc.md)
- [Radarr (105)](./radarr_doc.md)
- [Jackett (106)](./jackett_doc.md)
- [FlareSolverr (107)](./flaresolverr_doc.md)
- [qBittorrent (108)](./qbittorrent_doc.md)
- [Immich (109)](./immich_doc.md)
- [Nextcloud (110)](./nextcloud_doc.md)
## 📦 Format Standard
Each file includes:
- Overview & purpose
- Container ID, IP, ports, domain
- Config paths & storage
- Authentication & credentials
- Backup & restore strategy
- Monitoring/logging details
- Setup method & Docker image
## 🔐 Credentials
All credentials are stored in Bitwarden under the `homelab` folder.
## 🔄 Backup Strategy
ZFS snapshots used for persistent volumes. Daily snapshot rotation is planned for critical services like Nextcloud and Plex.
## 📊 Monitoring
Monitoring stack planned using Uptime Kuma and Prometheus/Grafana.
---
> Managed and maintained by ChatGPT Homelab Project Documentation

82
cloudflare-full.md Normal file
View File

@ -0,0 +1,82 @@
# ☁️ Cloudflare & Tunnel Configuration - Home Lab
This document outlines the Cloudflare account, tunnel configurations, connector deployments, certificate handling, and service exposure details for secure external access to homelab services.
---
## 🌐 Cloudflare Account
| Field | Value |
|---------------------|---------------------------|
| **Email** | chris.darrigo@gmail.com |
| **Domains Managed** | `wtfsolutions.cc`, `whatsolutions.us` |
| **DNS Provider** | Cloudflare (nameservers: `aspen.ns.cloudflare.com`, `jeremy.ns.cloudflare.com`) |
| **Cloudflare Access** | Not in use currently |
---
## 🔒 TLS & Certificate Management
| Field | Value |
|----------------------------|--------------------------------------------|
| **TLS Termination** | Cloudflare Proxy (edge termination) |
| **TLS Mode (`wtfsolutions.cc`)** | Full or Full (Strict) (recommended) |
| **TLS Mode (`whatsolutions.us`)** | Flexible or Full |
| **Home Assistant Cert** | Issued by Google Trust Services (CN=WE1) |
| **Nextcloud Cert** | Issued by Cloudflare Origin CA |
| **Cert Expiry (HA)** | Sep 20, 2025 |
| **Cert Expiry (Nextcloud)**| Sep 19, 2025 |
| **Renewal** | Automatic (Cloudflare-managed) |
---
## 🔁 Tunnels & Service Routing
### Tunnel 1: `nextcloud-tunnel`
| Field | Value |
|---------------------|------------------------------------------------------|
| **Tunnel ID** | `18240cbb-71f2-4767-89e7-f6f18186da3b` |
| **Connector Location** | LXC 111 (Nextcloud container) |
| **Version** | cloudflared 2025.7.0 |
| **Binary Path** | `/usr/bin/cloudflared` |
| **Config File** | `/root/.cloudflared/config.yml` |
| **Tunnel Command** | `cloudflared tunnel --config /root/.cloudflared/config.yml run` |
| **Credentials File** | `/root/.cloudflared/18240cbb-71f2-4767-89e7-f6f18186da3b.json` |
**Ingress Rules**:
```yaml
ingress:
- hostname: drive.whatsolutions.us
service: http://localhost:11000
originRequest:
originServerName: drive.whatsolutions.us
noTLSVerify: true
http2Origin: true
disableChunkedEncoding: true
- service: http_status:404
```
---
### Tunnel 2: `homeassistant`
| Field | Value |
|---------------------|----------------------------------------------------|
| **Tunnel ID** | `8a3cb4ad-4538-4709-bf3c-aa52db05bfc4` |
| **Status** | Created, not actively running |
| **Expected Hostname**| `wtfsolutions.cc` |
| **Connector Location** | LXC 111 (same as Nextcloud + cloudflared) |
| **Config** | Not registered in `config.yml` |
| **Expected Routing** | Home Assistant (`192.168.1.36:8123`) via tunnel |
---
## 🔐 Notes
- `cloudflared` is installed and managed in LXC 111
- The config file `/root/.cloudflared/config.yml` currently runs `nextcloud-tunnel` only
- `homeassistant` tunnel credentials exist but the tunnel is not active (yet)
- No Cloudflare Access (SSO or 2FA policies) is enforced for either subdomain
- All service credentials stored in Bitwarden → folder `homelab`
- Tunnel routing is HTTP-only behind Cloudflare (TLS at edge)

85
flaresolverr_complete.md Normal file
View File

@ -0,0 +1,85 @@
# 🧠 FlareSolverr - Container 107
## Overview
FlareSolverr is a proxy server built around headless Chromium that solves Cloudflare and JavaScript challenges encountered by scrapers like Jackett. It is stateless and lightweight, serving as an essential tool in bypassing CAPTCHA or anti-bot protections for private torrent indexers.
## Service Details
- **Container ID**: 107
- **Hostname**: flaresolverr
- **IP Address**: 192.168.1.46
- **Port**: 8191
- **Access**: LAN-only or via Tailscale
- **Authentication**: None (no token or login required)
- **Exposed Domain**: ❌ Not exposed publicly
- **Dependencies**: Chromium headless, Node.js
## Hosting & Platform
- **Platform**: Native install in unprivileged Debian LXC container on Proxmox
- **Install Method**: [Community Scripts](https://community-scripts.github.io/ProxmoxVE/scripts?id=flaresolverr)
- **Features Enabled**: `keyctl=1`, `nesting=1`
- **Service Management**: systemd service (`flaresolverr.service`)
- **Runs As**: root
## Configuration
- **API URL**: `http://192.168.1.46:8191/`
- **FlareSolverr URL in Jackett**: `http://192.168.1.46:8191`
- **Protocol**: HTTP only (no SSL layer)
- **Configuration File**: None (stateless service)
- **Startup Behavior**: Starts via systemd on boot
## Integration
| Application | Integration Detail |
|-------------|-----------------------------------------------|
| Jackett | Uses FlareSolverr as CAPTCHA/DDOS bypass backend |
| Radarr/Sonarr | Indirect (via Jackett integration) |
## Backup & Recovery
- **Stateless**: No persistent configuration to back up
- **Restore Strategy**: Recreate the container or re-run the install script
- **Data**: No indexed or stored metadata
## Logs & Monitoring
- **Log Output**: Standard output via systemd journal
- **Optional**: Redirect output to `/var/log/flaresolverr.log` in service unit
- **Monitoring**: Not configured, but eligible for Prometheus exporter if extended
## Update Process
```bash
systemctl stop flaresolverr
curl -Lo /tmp/flaresolverr.tar.gz https://github.com/FlareSolverr/FlareSolverr/releases/latest/download/flaresolverr-linux-amd64.tar.gz
tar -xvzf /tmp/flaresolverr.tar.gz -C /opt/
chmod +x /opt/flaresolverr
systemctl start flaresolverr
```
## Systemd Service File
`/etc/systemd/system/flaresolverr.service`
```ini
[Unit]
Description=FlareSolverr Service
After=network.target
[Service]
ExecStart=/opt/flaresolverr
Restart=always
User=root
Environment=NODE_ENV=production
[Install]
WantedBy=multi-user.target
```
## Notes
- Do not expose to WAN — lacks authentication
- Restart occasionally to refresh Chromium instance
- Must be kept up-to-date to remain compatible with evolving Cloudflare and JavaScript protections

127
home-assistant-complete.md Normal file
View File

@ -0,0 +1,127 @@
# 🏠 Home Assistant - Proxmox VM 100 (Complete)
Home Assistant is the core of the homelab automation stack. This instance runs as a full virtual machine using Home Assistant OS (HAOS), providing Supervisor support, secure remote access, and local integrations.
---
## 📌 VM Overview
| Field | Value |
|---------------------|----------------------------------------|
| **VM ID** | 100 |
| **Hostname** | homeassistant |
| **IP Address** | 192.168.1.36 |
| **MAC Address** | BC:24:11:53:5B:9D |
| **Bridge Interface**| vmbr0 |
| **Memory** | 8192 MB (8GB) |
| **CPU** | 4 vCPUs (2 sockets × 2 cores) |
| **Disk** | 96GB (ZFS volume on `vm_data`) |
| **On Boot** | Enabled |
| **Cloudflare Tunnel**| Yes — `wtfsolutions.cc` |
| **TLS Termination** | At Cloudflare Edge |
---
## 🧠 System Information
| Field | Value |
|---------------------|----------------------------------------|
| **OS** | Home Assistant OS 16.0 |
| **Architecture** | amd64 |
| **Supervisor** | Installed (2025.07.1) |
| **Core Version** | 2025.7.1 |
| **Docker** | Used internally by HA OS |
| **Default Port** | 8123 |
| **Internal URL** | http://192.168.1.36:8123 |
| **External URL** | https://wtfsolutions.cc |
| **Credentials** | Bitwarden → `homelab/home_assistant` |
| **Admin User** | `cdarrigo` |
---
## 🧩 Integrations & Add-ons
- Zigbee2MQTT (Zigbee device integration)
- ESPHome (DIY microcontrollers)
- Tasmota (flashed IoT devices)
- File Editor
- Terminal & SSH
- HACS (Home Assistant Community Store)
- Cloudflare Tunnel (via external container)
- Add-on store enabled via Supervisor
---
## 🛠️ Configuration Files
| File Path | Purpose |
|-----------------------------|----------------------------------|
| `/config/configuration.yaml` | Core HA configuration |
| `/config/secrets.yaml` | Credentials and tokens |
| `/config/automations.yaml` | Custom automations (if split) |
| `/config/home-assistant.log`| Main log file |
| `/config/.storage/` | JSON-backed UI settings |
---
## 🔐 Remote Access
- **Tunnel Name**: `homeassistant`
- **Tunnel ID**: `8a3cb4ad-4538-4709-bf3c-aa52db05bfc4`
- **Public URL**: `https://wtfsolutions.cc`
- **TLS**: Handled by Cloudflare
- **Cert Issuer**: Google Trust Services - CN=WE1
- **Cert Expiry**: Sep 20, 2025
---
## 🔁 Backup & Recovery
| Method | Notes |
|---------------------|-----------------------------------------------|
| **HA Snapshots** | Create via Supervisor UI (full/partial) |
| **VM Backups** | Manually via vzdump or ZFS snapshot |
| **Restore Strategy**| Restore HA snapshot or Proxmox VM snapshot |
| **Cloud Backups** | Optional via Nabu Casa or rclone |
---
## 🔍 Monitoring & Logging
- **System Health**: Accessible from Web UI → Settings → System
- **HA Log File**: `/config/home-assistant.log`
- **Update Channel**: Stable
- **Telemetry**: Opt-in via UI
---
## 📦 Storage Configuration
| Mount/Volume | Description |
|---------------------|---------------------------------|
| `vm_data` pool | Backing ZFS for full VM disk |
| `/dev/sdX` internal | Managed by HA OS |
| External mounts | Not applicable |
---
## 🔒 Credentials & Access
- **Login User**: `cdarrigo`
- **Stored In**: Bitwarden → `homelab/home_assistant`
- **SSH/Terminal**: Managed via add-on
- **2FA**: Optional via UI settings
- **Mobile App**: Configured to use external domain
---
## 📝 Notes
- USB passthrough is enabled via Proxmox for Zigbee/Z-Wave
- Tunnel traffic is encrypted via Cloudflare (origin does not use TLS)
- No local SSL certs configured; all TLS handled at the edge
- Proxmox VM config:
- `onboot: 1`
- `bios: ovmf`
- `scsihw: virtio-scsi-single`
- `usb0: host=5-1.2`

BIN
homelab-graph.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 253 KiB

103
homelab-hardware-full.md Normal file
View File

@ -0,0 +1,103 @@
# 🖥️ Home Lab Hardware Inventory (Complete)
This document provides a comprehensive overview of all physical and supporting hardware components in the home lab, including power, networking, storage, compute, and accessories. The lab is housed in a compact 3D-printed 10" modular rack.
---
## 🗄️ Rack & Mounting
### Lab Rax 10" Modular Server Rack
- **Type**: Fully 3D printable modular 10" rack system
- **Printed From**: [MakerWorld - Lab Rax Collection](https://makerworld.com/en/collections/5813742-lab-rax)
- **Use**: Houses Proxmox host, switch, and other hardware
---
## 🔌 Power, Cables & Cooling
- **Power Supply Cables**:
- Menewstart 6-way SATA Power Splitter — [Amazon](https://www.amazon.com/dp/B0DY5VFZFJ)
- Cable Matters Molex to Dual SATA (3-pack) — [Amazon](https://www.amazon.com/dp/B00VJ9V8NY)
- **Mounting Hardware**:
- M6-1.0 Stainless Steel Hex Nuts (50pcs) — [Amazon](https://www.amazon.com/dp/B0BLBKSZXJ)
- **Cooling**:
- Internal cooling is passive and/or low-RPM fan-based — no rack-level fans documented
---
## 🔌 Networking
### Core Switch
- **Model**: TP-Link TL-SG108
- **Type**: 8-Port Gigabit Unmanaged
- **Features**: Fanless, metal chassis — [Amazon](https://www.amazon.com/dp/B00A121WN6)
- **Location**: Inside the 10" rack
### Network Topology
- **Router Gateway**: 192.168.1.1 (Upstream DHCP/DNS/firewall)
- **Proxmox Host**: Static IP 192.168.1.37 on bridge `vmbr0`
- **Switch Ports**: Proxmox + uplink + container services
- **Internal DNS**: Pi-hole (192.168.1.3)
---
## 🧠 Compute Node: Proxmox Host
| Component | Details |
|------------------|---------------------------------------------------|
| **Hostname** | proxmox04 |
| **Motherboard** | ASRock B550 Phantom Gaming-ITX/AX |
| **CPU** | AMD Ryzen 5 5600G (6 cores / 12 threads) |
| **RAM** | 62 GB DDR4 (non-ECC) |
| **Boot Drive** | Crucial 256GB SATA SSD (Crucial_CT256MX100SSD1) |
| **Case** | Custom 3D-printed mount inside 10" rack |
| **NIC** | `enp4s0` connected to `vmbr0` bridge |
---
## 💾 Storage Devices & ZFS Pools
### Boot Drive
- **Device**: `/dev/sdb`
- **Type**: 256GB SATA SSD
- **Usage**: Proxmox VE OS only
### NVMe SSD (VM Storage)
- **Device**: `/dev/nvme0n1`
- **Size**: 2TB
- **Model**: SPCC M.2 NVMe SSD
- **Usage**: ZFS pool `vm_data` (VMs, LXC containers)
### Torrent SSD
- **Device**: `/dev/sda`
- **Model**: Crucial_CT525MX300SSD1
- **Size**: 525GB SATA SSD
- **Filesystem**: ext4
- **Mount**: `/mnt/torrents`
- **Usage**: Download staging area for qBittorrent
### ZFS Pool: `zfs_pool`
- **RAID Level**: RAIDZ1 (single parity)
- **Usable Capacity**: ~21.7 TB
- **Drives**:
| Device | Model | Size | Serial |
|--------|---------------------------|------|------------------|
| sdc | WDC_WD60EFAX-68SHWN0 | 6TB | WD-WX31D49KSN9R |
| sdd | TOSHIBA_HDWE160 | 6TB | 26T8K0FWF56D |
| sde | WDC_WD60EZAZ-00SF3B0 | 6TB | WD-WX12D90E09ZN |
| sdf | WDC_WD60EFPX-68C5Z0N | 6TB | WD-WX52D940K29C |
| sdg | WDC_WD60EFPX-68C5Z0N | 6TB | WD-WX22D63M0XZZ |
- **Mounts**:
- `/zfs_pool/nc_data` (Nextcloud)
- `/zfs_pool/immich` (photos, videos)
---
## 🗂️ Virtualization Host Roles
- **Platform**: Proxmox VE 8.4.0
- **Kernel**: 6.8.12-9-pve
- **Storage Pools**: `vm_data`, `zfs_pool`
- **Backups**: ZFS snapshots; vzdump planned
- **Tunnels**: Cloudflare (with cloudflared in container 111)
- **Credentials**: Stored in Bitwarden under folder `homelab`

107
homelab-inventory-map.md Normal file
View File

@ -0,0 +1,107 @@
# 📋 Home Lab Inventory & Service Map
This document summarizes the complete inventory of hosts, containers, virtual machines, services, and tunnels across the home lab as documented in the project. It includes hardware layout, virtualization assignments, storage structure, and public access mappings.
---
## 🏠 Physical Infrastructure
| Component | Details |
|---------------------|-----------------------------------------------------------|
| **Rack** | 10" Modular Lab Rax (3D printed) |
| **Switch** | TP-Link TL-SG108 — 8-port Gigabit unmanaged |
| **Proxmox Host** | `proxmox04` (IP: 192.168.1.37) |
| **CPU** | AMD Ryzen 5 5600G (6c/12t) |
| **RAM** | 62GB DDR4 |
| **Boot Drive** | 256GB SATA SSD (Proxmox OS) |
| **Torrent SSD** | 525GB SATA SSD (ext4 — `/mnt/torrents`) |
| **VM SSD** | 2TB NVMe SSD (ZFS pool: `vm_data`) |
| **ZFS Pool** | 5× 6TB HDDs (RAIDZ1 → ~21.7TB usable, pool: `zfs_pool`) |
---
## 🖥️ Proxmox Host: `proxmox04`
- **OS**: Proxmox VE 8.4.0 (Kernel: 6.8.12-9-pve)
- **Storage Pools**: `vm_data` (NVMe), `zfs_pool` (RAIDZ1 HDDs)
- **Bridge Interface**: `vmbr0`
- **DNS**: 1.1.1.1, 8.8.8.8
- **Firewall**: Enabled
- **Backups**: Manual ZFS snapshots, vzdump planned
- **Credentials**: Bitwarden → `homelab/`
---
## 📦 Virtual Machines (VMs)
| ID | Name | Description | IP | Exposed |
|------|-----------------|---------------------------|----------------|---------|
| 100 | Home Assistant | Home automation (HAOS VM) | 192.168.1.36 | ✅ `wtfsolutions.cc` |
---
## 📦 LXC Containers
| ID | Hostname | Role | IP | Notes |
|------|--------------|-----------------------------------|----------------|----------------------------|
| 103 | pihole | DNS sinkhole & ad blocker | 192.168.1.3 | Docker inside LXC |
| 104 | sonarr | TV media automation | _(TBD)_ | Docker inside LXC |
| 105 | radarr | Movie automation | _(TBD)_ | Docker inside LXC |
| 106 | jackett | Indexer proxy for torrents | _(TBD)_ | Docker inside LXC |
| 107 | flaresolverr | Cloudflare challenge solver | _(TBD)_ | Docker inside LXC |
| 108 | qbittorrent | Torrent client | _(TBD)_ | Docker inside LXC |
| 109 | immich | Photo & video archive | _(TBD)_ | Docker inside LXC |
| 110 | nextcloud | Cloud storage (AIO stack) | localhost:11000| Uses Apache + Collabora |
| 111 | nextcloud | Shared: Nextcloud + cloudflared | localhost | Tunnels for external access|
---
## 🌍 Public Access Map
| Domain | Internal Target | Service | Tunnel Name |
|--------------------------|------------------------|------------------|--------------------|
| `wtfsolutions.cc` | HAOS @ 192.168.1.36:8123 | Home Assistant | `homeassistant` |
| `drive.whatsolutions.us`| LXC 111 → :11000 | Nextcloud AIO | `nextcloud-tunnel` |
---
## 🔐 Tunnel Overview (cloudflared)
| Tunnel Name | ID | Container | Services Routed |
|------------------|--------------------------------------|-----------|---------------------------------|
| `homeassistant` | `8a3cb4ad-...` | 111 | Home Assistant (`wtfsolutions.cc`) |
| `nextcloud-tunnel`| `18240cbb-...` | 111 | Nextcloud (`drive.whatsolutions.us`) |
- **Tunnel Config Path**: `/root/.cloudflared/config.yml`
- **Binary**: `/usr/bin/cloudflared`
- **Version**: 2025.7.0
---
## 🛠️ Service Credential Locations
| Service | Bitwarden Entry |
|------------------|---------------------------|
| Proxmox Host | `proxmox04 - root` |
| Home Assistant | `home_assistant` |
| Pi-hole | `pihole` |
| Cloudflare | `Cloudflare - chris.darrigo@gmail.com` |
---
## 🔄 Backup Summary
- **Proxmox**: Manual ZFS snapshots; vzdump planning in progress
- **Pi-hole**: Snapshots via ZFS + Teleporter UI backup
- **Home Assistant**: Supervisor snapshots + Proxmox backup
- **Nextcloud**: Native app-level backup + AIO config
- **Immich**: (TBD — to be documented)
---
## 📝 Notes & To-Do
- Immich, Sonarr, Radarr, Jackett container IPs still to be captured
- No Cloudflare Access (SSO) policies currently configured
- Consider bundling all markdown docs into a private Git repo or wiki
- DNS is handled by Pi-hole; upstream to Google/OpenDNS/Cloudflare

232
immich_complete.md Normal file
View File

@ -0,0 +1,232 @@
# Immich - Container 109
## 📸 Overview
Immich is a self-hosted photo and video backup and management system, designed as a privacy-friendly and high-performance replacement for Google Photos.
- **Purpose**: Central photo archive and backup system
- **Migration**: In progress from Google Photos
- **Source of Truth**: Yes — Immich will become the authoritative media repository
---
## 🧾 Service Details
- **Container ID**: 109
- **Proxmox Host**: proxmox04
- **IP Address**: 192.168.1.48
- **Exposed Domain**: `photos.wtfsolutions.cc` (planned via Cloudflare Tunnel)
- **Authentication**:
- Immich internal login
- Cloudflare Access (planned)
- **Credentials**:
- Stored in Bitwarden under `homelab/immich` (planned)
---
## 🖥️ Hosting & Deployment
- **Environment**: LXC container on Proxmox
- **Provisioning Script**: [community-scripts/immich](https://github.com/community-scripts/ProxmoxVE/blob/main/ct/immich.sh)
- **Deployment Method**: Installed via Git and built from source
- **Service Manager**: systemd
### Systemd Services
- `immich-web.service` Web frontend
- `immich-ml.service` Machine learning (faces, labels)
- PostgreSQL and Redis run inside container
---
## 📂 Storage & Volumes
| Container Path | Host Mount Path | Purpose |
|---------------------------|------------------------------------------|----------------------|
| `/mnt/immich/library` | `/zfs_pool/immich/immich_library` | Photos and videos |
| `/mnt/immich/database` | `/zfs_pool/immich/immich_database` | PostgreSQL DB data |
---
## ⚙️ Configuration
### Environment File
Path: `/opt/immich/.env`
```env
TZ=America/New_York
IMMICH_VERSION=release
NODE_ENV=production
DB_HOSTNAME=127.0.0.1
DB_USERNAME=immich
DB_PASSWORD=REDACTED
DB_DATABASE_NAME=immich
DB_VECTOR_EXTENSION=vectorchord
REDIS_HOSTNAME=127.0.0.1
IMMICH_MACHINE_LEARNING_URL=http://127.0.0.1:3003
MACHINE_LEARNING_CACHE_FOLDER=/opt/immich/cache
IMMICH_MEDIA_LOCATION=/mnt/immich/library
```
Only the `immich` user has read access to this file. DB credentials are vaulted in Bitwarden.
---
## 🔄 Update Procedure
Immich is built from GitHub source. Updates require manual pulls and rebuilds:
```bash
# Inside the container
systemctl stop immich-web.service
systemctl stop immich-ml.service
cd /opt/immich
git pull
npm install --force
npm run build
systemctl start immich-ml.service
systemctl start immich-web.service
```
Optional: snapshot the container before updates (`pct snapshot 109`)
---
## 🔐 Security
- **Public Exposure**: Not yet live — planned behind Cloudflare Tunnel (LXC 111)
- **Access Control**: Will enforce Cloudflare Access for external logins
---
## 🔁 Backup & Recovery
| Data Location | Method | Frequency |
|--------------------------|------------------------|---------------|
| `/mnt/immich/library` | ZFS snapshot or rsync | 🔄 Planned |
| `/mnt/immich/database` | ZFS snapshot or `pg_dump` | 🔄 Planned |
Restore plan: rollback snapshot or import Postgres SQL dump.
---
## 📊 Logs & Monitoring
| Service | Log Path |
|---------------------|------------------------------|
| Web Frontend | `/var/log/immich/web.log` |
| Machine Learning | `/var/log/immich/ml.log` |
| Systemd | `journalctl -u immich-web.service` |
---
## 📝 Notes & To-Do
- [ ] Complete Google Photos migration
- [ ] Expose Immich at `photos.wtfsolutions.cc`
- [ ] Enforce Cloudflare Access
- [ ] Configure off-site backup or replication
- [ ] Enable monitoring (e.g., Healthchecks or Prometheus)
---
## 🌐 Network & Integration
- Immich runs in **LXC container 109** on `proxmox04`, with local IP `192.168.1.48`.
- Public access is planned through **Cloudflare Tunnel** using LXC 111 (`cloudflared`).
- Tunnel domain: `photos.wtfsolutions.cc` (not yet live)
- DNS and access control will be managed via **Cloudflare Zero Trust**.
- Immich will follow a pattern similar to existing services (Nextcloud, Collabora).
---
## 🔐 Security Practices
- **Credentials** (DB password, Immich admin login) are stored in **Bitwarden** under `homelab/immich`.
- Once public, Immich will be protected via:
- Cloudflare Access (email/domain-restricted auth)
- Immich internal login (admin account)
- `.env` and secrets are only readable by the `immich` system user.
---
## 📱 Mobile Sync Strategy
- Mobile apps (iOS and Android) will be configured to auto-upload once public access is enabled.
- Sync will occur through `photos.wtfsolutions.cc` without needing a VPN.
- Immich will fully replace Google Photos for ongoing uploads.
---
## 🗂️ Media Management
- All media is stored in `/mnt/immich/library`, backed by ZFS.
- Immich ML service provides face and object recognition.
- Map view and clustering will be enabled to support timeline and geo search.
- Immich is the **single source of truth** for all photo and video content going forward.
---
## 🛠️ Roadmap / To-Dos
- [ ] Finalize migration from Google Photos
- [ ] Set up Cloudflare DNS for `photos.wtfsolutions.cc`
- [ ] Enable Cloudflare Access policies
- [ ] Configure mobile app auto-uploads
- [ ] Enable map-based search and facial clustering
- [ ] Add ZFS snapshot + `pg_dump` automation
- [ ] Evaluate long-term off-site backup (e.g., S3, B2)
- [ ] Consider exposing read-only album for family/guests
---
## ⚙️ Container Configuration
Immich runs in LXC container `109` with the following Proxmox configuration:
| Setting | Value |
|------------------|------------------------------------------|
| Cores | 4 |
| Memory | 8192 MB |
| Swap | 512 MB |
| Arch | amd64 |
| Root Filesystem | `vm_data:subvol-109-disk-0` (64GB) |
| On Boot | ✅ Yes (`onboot: 1`) |
| Nesting Enabled | ✅ Yes (`nesting=1`) |
| Keyctl Enabled | ✅ Yes (`keyctl=1`) |
| Unprivileged | ✅ Yes |
| Hostname | `immich` |
| Bridge | `vmbr0` |
| IP Address | `192.168.1.48/24` |
| Gateway | `192.168.1.1` |
| Tags | `community-script;photos` |
---
## 🧠 Machine Learning & GPU Access
Immich ML service uses GPU acceleration inside the container:
- GPU Devices passed through:
- `/dev/dri/card1` (group ID 44)
- `/dev/dri/renderD128` (group ID 104)
- Facial recognition and object detection performance are enhanced by this setup
- ML service runs under `immich-ml.service` with logs at `/var/log/immich/ml.log`
---
## ⚙️ PostgreSQL Status
Although the container includes PostgreSQL as a dependency:
- `postgresql.service` is loaded but **inactive** (`ExecStart=/bin/true`)
- Immich may use a direct embedded instance, or external service
- DB volume is mounted at `/mnt/immich/database` — contains live data
---
## 👤 User Account Management
- Admin account created at setup; account recovery is **local only**
- No external auth (OIDC, SAML) is currently configured
- Self-registration is likely **disabled**; users must be manually added by admin
- Mobile apps will authenticate using internal credentials

98
jackett_complete.md Normal file
View File

@ -0,0 +1,98 @@
# 🔎 Jackett - Container 106
## Overview
Jackett is a Torznab-compatible indexer proxy that converts Sonarr and Radarr queries into site-specific tracker requests. It supports hundreds of public and private torrent trackers and integrates seamlessly with tools like FlareSolverr to bypass protection mechanisms such as Cloudflare and CAPTCHAs.
## Service Details
- **Container ID**: 106
- **Hostname**: jackett
- **IP Address**: 192.168.1.45
- **Port**: 9117 (Web UI)
- **Exposed Domain**: ❌ Not exposed publicly
- **Authentication**: Optional (disabled by default)
- **API Key**: `jsq2m2fgp0ocbfvc5i2xyoefo98g6cc4`
- **Credentials Storage**: Stored in Bitwarden under `homelab > Jackett`
## Hosting & Platform
- **Platform**: Native install in Debian-based LXC container
- **Install Method**: ProxmoxVE community script
- **Privileged**: No
- **Features Enabled**: `keyctl=1`, `nesting=1`
- **Service Management**: systemd (`jackett.service`)
- **Runs As**: `root` (inside unprivileged LXC)
## Storage & Mounts
| Path | Purpose |
|------------------------------|-----------------------------|
| `/root/.config/Jackett/` | Main config, indexers, logs |
| `/opt/Jackett/` | Jackett binary location |
## Configuration
- **Web UI URL**: `http://192.168.1.45:9117/`
- **Torznab URL Template**:
`http://192.168.1.45:9117/api/v2.0/indexers/<indexer-name>/results/torznab/`
- **Authentication**: Disabled, accessible only on LAN/Tailscale
- **Indexer Management**: Done via Web UI
- **Config File**: `/root/.config/Jackett/ServerConfig.json`
## FlareSolverr Integration
| Setting | Value |
|---------------|--------------------------|
| **Enabled** | ✅ Yes |
| **URL** | `http://192.168.1.46:8191` |
| **Purpose** | Bypass Cloudflare and CAPTCHA |
| **Status** | Confirmed working with key indexers |
## Backup & Recovery
- **Backup Target**: `/root/.config/Jackett/`
- **Strategy**: Include in LXC container snapshots or use cron + tarball
- **Restore Method**: Copy config folder and restart service
## Logs & Monitoring
- **Log File**: `/root/.config/Jackett/log.txt`
- **Monitoring**: Not currently configured
- **Optional**: Can integrate with external logging agents
## Updates
```bash
systemctl stop jackett
curl -Lo /tmp/jackett.tar.gz https://github.com/Jackett/Jackett/releases/latest/download/Jackett.Binaries.LinuxAMDx64.tar.gz
mkdir /tmp/jackett-update
tar -xvzf /tmp/jackett.tar.gz -C /tmp/jackett-update
cp -r /tmp/jackett-update/* /opt/Jackett/
systemctl start jackett
```
## Systemd Service File
`/etc/systemd/system/jackett.service`
```ini
[Unit]
Description=Jackett Daemon
After=network.target
[Service]
ExecStart=/opt/Jackett/jackett --NoUpdates
Restart=on-failure
User=root
[Install]
WantedBy=multi-user.target
```
## Notes
- Do not expose publicly — lacks proper auth and SSL
- Configuration and API key managed via Web UI
- Used as primary indexer source for Sonarr and Radarr
- FlareSolverr required for sites protected by Cloudflare
- Statistically mapped to `192.168.1.45` in the homelab LAN

114
nextcloud-aio.md Normal file
View File

@ -0,0 +1,114 @@
---
## 🧰 Container Overview and Internal Ports
| Container | Role | Internal Ports | Notes |
|----------|------|----------------|-------|
| `nextcloud-aio-nextcloud` | Main web application | `9000` | Responds to Apache proxy |
| `nextcloud-aio-apache` | Internal reverse proxy | `80`, `11000`, `8000` | Proxies all incoming requests |
| `nextcloud-aio-database` | PostgreSQL 17.5 | `5432` | Secured with password, stored in env |
| `nextcloud-aio-redis` | Redis caching | `6379` | Password-protected |
| `nextcloud-aio-collabora` | WOPI doc editor | `9980` | Connected via `richdocuments` app |
| `nextcloud-aio-whiteboard` | Real-time whiteboard | `3002` | Enabled |
| `nextcloud-aio-imaginary` | Image processor | `9005`, internal only | Speeds up thumbnails/previews |
| `nextcloud-aio-notify-push` | WebSocket push server | `7867` (internal) | Push for mobile and browser |
| `nextcloud-aio-mastercontainer` | Orchestrator | `8080`, `80`, `8443`, `9876` | Admin UI and internal mgmt |
| `cloudflared` | Tunnel client | N/A | Provides secure remote access |
---
## 🧠 Useful OCC Commands for Admins
```bash
# List installed apps
docker exec -u www-data nextcloud-aio-nextcloud php occ app:list
# Enable maintenance mode
docker exec -u www-data nextcloud-aio-nextcloud php occ maintenance:mode --on
# Disable maintenance mode
docker exec -u www-data nextcloud-aio-nextcloud php occ maintenance:mode --off
# Check system status
docker exec -u www-data nextcloud-aio-nextcloud php occ status
# Clear all file cache entries
docker exec -u www-data nextcloud-aio-nextcloud php occ files:cleanup
# Update Nextcloud (should be done via AIO normally)
docker exec -u www-data nextcloud-aio-nextcloud php occ upgrade
```
---
## 🔧 Apache Proxy Configuration (internal)
Apache container proxies internal ports:
| Proxy Route | Target |
|-------------|--------|
| `/``127.0.0.1:9000` | Nextcloud app |
| `/loleaflet`, `/hosting/discovery`, etc. → `127.0.0.1:9980` | Collabora |
| WebSocket and push → notify-push container |
| Optional: `rewrite` rules enabled for overwritehost/protocol logic |
---
## 📡 Collabora Integration Details
- **Container**: `nextcloud-aio-collabora`
- **Hostname**: `nextcloud-aio-collabora`
- **Secrets Used**:
- `COLLABORA_ENABLED=yes`
- `COLLABORA_HOST=nextcloud-aio-collabora`
- `ONLYOFFICE_SECRET`, `SIGNALING_SECRET` present but unused unless OnlyOffice/Talk is enabled
- **SSL Termination**: Handled upstream (SSL disabled in Collabora)
- **Font sync**: Uses remote fonts config JSON:
- `https://drive.whatsolutions.us/apps/richdocuments/settings/fonts.json`
---
## 📋 Additional AIO Environment Variables (Internal Use)
| Variable | Purpose |
|----------|---------|
| `THIS_IS_AIO=true` | Confirms this is a full AIO setup |
| `REMOVE_DISABLED_APPS=yes` | Prunes unused built-in apps |
| `IMAGINARY_SECRET` | Secures internal image requests |
| `WHITEBOARD_SECRET` | Secures whiteboard sessions |
| `STARTUP_APPS=deck ...` | First-time auto-install apps |
| `FULLTEXTSEARCH_*` | Present, but currently unused |
| `AIO_URL=192.168.1.50:8080` | Admin Panel endpoint |
| `PHP_UPLOAD_LIMIT`, `PHP_MEMORY_LIMIT`, etc. | Performance tuning |
| `ADDITIONAL_APKS=imagemagick` | Installed at build time |
| `ADDITIONAL_PHP_EXTENSIONS=imagick` | Enabled at runtime |
---
## 🧪 Debugging Tips
- **Restart a specific container**:
```bash
docker restart nextcloud-aio-nextcloud
```
- **Get container logs**:
```bash
docker logs nextcloud-aio-nextcloud --tail 50
```
- **Check AIO health**:
```bash
docker exec -it nextcloud-aio-mastercontainer /healthcheck.sh
```
---
## ✅ Additional Recommendations
| Area | Suggestion |
|------|------------|
| DNS | Use short TTL for CF-hosted subdomains |
| Backups | Regularly copy `/mnt/nc_data`, PostgreSQL dump volume, and `/mnt/docker-aio-config` |
| Monitoring | Run Uptime Kuma or add healthchecks for cron and ZFS snapshot |
| Updates | Always use AIO Admin UI or `docker restart nextcloud-aio-mastercontainer` after `docker pull` |

124
pihole-complete.md Normal file
View File

@ -0,0 +1,124 @@
# 🛡️ Pi-hole - LXC Container 103 (Complete)
Pi-hole is a DNS sinkhole and network-wide ad blocker that improves privacy, performance, and security by filtering known ad, tracker, and malicious domains. This instance is running inside an unprivileged LXC container on Proxmox with Docker installed.
---
## 🧾 Container Overview
| Field | Value |
|---------------------|----------------------------------|
| **Container ID** | 103 |
| **Hostname** | pihole |
| **IP Address** | 192.168.1.3 |
| **MAC Address** | BC:24:11:7F:B8:80 |
| **Bridge** | vmbr0 |
| **Gateway** | 192.168.1.1 |
| **Memory** | 512 MB |
| **Swap** | 512 MB |
| **CPU Cores** | 1 |
| **OS** | Debian 12 (Bookworm) |
| **Privileges** | Unprivileged |
| **Features** | nesting=1, keyctl=1 |
| **On Boot** | Enabled |
---
## 🧱 Hosting & Platform
| Component | Value |
|------------------|--------------------------------------|
| **Proxmox Host** | proxmox04 |
| **ZFS Dataset** | `vm_data/subvol-103-disk-0` |
| **Storage Pool** | `vm_data` (2TB NVMe) |
| **Container Engine** | Docker (inside LXC) |
| **Install Method** | Community-script or custom build |
---
## 🌐 Network & DNS
| Setting | Value |
|--------------------------|---------------------------------------------------|
| **Web UI URL** | `http://192.168.1.3/admin` |
| **DNS Ports** | 53 (TCP/UDP), 4711 (API) |
| **Web UI Ports** | 80 (HTTP), 443 (not used), 4711 (admin API) |
| **Exposed Domain** | Not exposed externally |
| **Reverse Proxy** | None |
| **DHCP Server** | Disabled |
| **Conditional Forwarding** | Disabled |
| **Local DNS Records** | None configured |
| **Query Logging** | Enabled |
---
## 🔒 Authentication
- **Web UI Login**: Single admin password
- **Username**: `root` (inside container)
- **Password Storage**: Bitwarden → `homelab/pihole`
- **Password Location**: Not available in `setupVars.conf`; configured via UI or reset via `pihole -a -p`
---
## 🧩 DNS Upstreams & Blocklists
| Category | Value / Source |
|------------------|------------------------------------------------------------|
| **Upstreams** | Google DNS, OpenDNS (ECS), Cloudflare (DNSSEC) |
| **Blocklist Sources** | StevenBlack Unified, Firebog, EasyList, Adaway, etc. |
| **Adlist Count** | > 20 blocklists active |
| **Gravity DB** | `/etc/pihole/gravity.db` |
---
## 🛠️ Configuration Files
| Path | Description |
|-----------------------------|----------------------------------------|
| `/etc/pihole/` | Main Pi-hole config directory |
| `/etc/pihole/gravity.db` | SQLite DB with adlists and domains |
| `/etc/dnsmasq.d/` | Custom DNS rules |
| `/var/log/pihole.log` | Live DNS query log |
| `/etc/pihole/setupVars.conf`| ❌ Not found |
---
## 🔁 Backup & Recovery
| Method | Details |
|--------------------|------------------------------------------|
| **ZFS Snapshots** | Enabled on dataset via Proxmox host |
| **Manual Export** | Available via Web UI → Settings → Teleporter |
| **Restore** | ZFS rollback or reimport via Teleporter |
---
## 🧪 Monitoring & Logs
- **Log File**: `/var/log/pihole.log`
- **Dashboard**: Available at `/admin` on port 80
- **Health Check**: Web UI + Docker container logs
- **External Monitoring**: Uptime Kuma planned
- **Syslog Export**: Not yet configured
---
## 🐳 Container Image & Version
| Field | Value |
|---------------------|----------------------------|
| **Image** | `pihole/pihole:latest` |
| **Container Engine**| Docker in LXC |
| **Management** | CLI + Web UI |
| **Installed Via** | Community-script installer |
---
## 📝 Notes
- Container is static-IP (`192.168.1.3`) and referenced by other services
- DNS services are LAN-only and not exposed to WAN
- Blocklist effectiveness and uptime are critical for local browsing
- No VPN or external access tunnels configured
- Log retention and upstream filtering could be extended in future

93
plex_complete.md Normal file
View File

@ -0,0 +1,93 @@
# 🎥 Plex Media Server - Media02 (Windows)
## Overview
Plex is a self-hosted media server used to organize and stream movies, TV shows, music, and photos across devices. In this homelab, Plex runs natively on a dedicated Windows 10 Pro workstation separate from the Proxmox/LXC infrastructure.
## System Details
- **Machine Name**: Media02
- **Operating System**: Windows 10 Pro (64-bit)
- **Static IP Address**: 192.168.1.32
- **Startup**: ✅ Auto-starts on boot
- **Installation Method**: Standalone installer from plex.tv
- **Version**: Plex Media Server 1.40.2.8395 (Build 4.146.0)
- **Claimed**: ✅ Linked to Plex.tv account
- **Web UI**: http://192.168.1.32:32400/web
## Hardware
| Component | Specification |
|----------------|--------------------------------------------|
| **Motherboard**| Gigabyte Z170X-Gaming 7 |
| **CPU** | Intel Core i7-6700K (4C/8T @ 4.00GHz) |
| **RAM** | 32 GB DDR4 (4x8GB @ 2133 MHz) |
| **GPU** | NVIDIA GeForce RTX 2060 (HW transcode) |
## Transcoding Configuration
| Setting | Value |
|-----------------------------|------------------------------------------|
| Hardware Acceleration | ✅ Enabled (NVENC on RTX 2060) |
| Transcoder Temp Directory | `Z:\` (RAM Disk) |
| Transcoder Quality | Automatic |
| Background x264 Preset | Medium |
| Max Simultaneous Transcodes | Unlimited (default) |
| Audio Transcoding | ✅ Enabled |
## Drive Layout
| Drive | Label | Size (TB) | Model | Purpose |
|-------|-------------------|-----------|-------------------------------|----------------------------------|
| C:\ | — | 0.93 | Intel SSDPEKNW010T8 | Windows OS + Plex binaries |
| E:\ | PlexMetadata | 0.47 | SPCC Solid State Disk | Plex metadata, settings, logs |
| F:\ | FDriveWDRed6TB | 5.46 | WDC WD60EFAX-68SHWN0 | Media storage |
| G:\ | GDrive | 12.73 | WDC WD140EFGX-68B0GN0 | TV media (Sonarr-managed) |
| H:\ | HDriveWDRed | 12.73 | WDC WD142KFGX-68AFPN0 | Media storage |
| I:\ | IDriveWDRed14TB | 12.73 | WDC WD140EFGX-68B0GN0 | Media storage |
| J:\ | JDriveWDRed10TB | 9.1 | WDC WD101EFBX-68B0AN0 | Media storage |
| K:\ | New Volume | 14.55 | ST16000NM000J-2TW103 | Movies (Radarr-managed) |
| Z:\ | — (RAM Disk) | ~7 GB | RAM Disk | Transcode cache |
## Library Configuration
| Library | Path | Managed By | Notes |
|---------|--------------|------------|----------------------------|
| Movies | K:\Movies | ✅ Radarr | Auto-import via webhook |
| TV | G:\TV | ✅ Sonarr | Auto-import via webhook |
| Extras | Mixed | Manual | Pulls from F:/H:/I: drives |
## Integration
| Tool | Method |
|----------|-------------------------------------|
| Sonarr | Webhook to Plex refresh endpoint |
| Radarr | Webhook to Plex refresh endpoint |
| URL | http://192.168.1.32:32400/library/sections/{id}/refresh |
| Auth | ❌ None (LAN only; token optional) |
## Access Control
| Method | Enabled | Notes |
|--------------|---------|------------------------------|
| LAN Access | ✅ Yes | Full access on LAN |
| Remote Access| ❌ No | Not exposed externally |
| Tailscale | 🚧 Not yet configured |
## Maintenance
| Task | Frequency | Notes |
|-------------------------|-----------|----------------------------------------|
| Update Plex | Monthly | Check in Web UI |
| Restart Service | As needed | via Task Manager or services.msc |
| Library Scans | Triggered | Sonarr/Radarr webhooks |
| Metadata Cleanup | Monthly | Clear cache/thumbnails |
| Transcode Temp Cleanup | Automatic | RAM disk wipes on reboot |
| Config Backup | Optional | Backup `E:\PlexMetadata` manually |
## Notes
- Sonarr and Radarr drop completed media directly into Plex-accessible folders
- All drives use consistent paths — no remapping needed
- RAM disk improves transcode speed and reduces SSD wear
- Future: add Tailscale routing or Cloudflare Access for secure remote media access

127
proxmox04-complete.md Normal file
View File

@ -0,0 +1,127 @@
# 🖥️ Proxmox Host - proxmox04 (Complete)
This document provides a comprehensive overview of the Proxmox virtualization host, its hardware, storage, network configuration, VM/container roles, backup strategy, and system-level settings.
---
## 🧾 Overview
| Field | Value |
|------------------|-------------------------------------|
| **Hostname** | proxmox04 |
| **IP Address** | 192.168.1.37 |
| **Physical Location** | 10" Lab Rax 3D-printed rack |
| **Proxmox Version** | 8.4.0 |
| **Kernel Version** | 6.8.12-9-pve |
| **Timezone** | America/New_York (EDT, UTC-4) |
| **NTP Sync** | Enabled (timedatectl confirmed) |
| **Subscription** | Community (no commercial key) |
---
## 🧠 Hardware Summary
| Component | Details |
|------------------|--------------------------------------------------------|
| **Motherboard** | ASRock B550 Phantom Gaming-ITX/AX |
| **CPU** | AMD Ryzen 5 5600G — 6 cores / 12 threads |
| **RAM** | 62 GiB DDR4 (non-ECC) |
| **Swap** | 8 GiB |
| **Boot Drive** | Crucial 256GB SATA SSD (CT256MX100SSD1) |
| **Case** | Mounted in modular 3D-printed 10" rack |
---
## 💾 Storage Configuration
### ZFS Pool: `vm_data` (NVMe)
- **Device**: `/dev/nvme0n1`
- **Size**: 2TB
- **Usage**: All VM/LXC disk volumes
- **ZFS Dataset Mounts**:
- `/vm_data/subvol-###-disk-0`
- `/vm_data/vm-100-disk-1`
### ZFS Pool: `zfs_pool` (RAIDZ1 HDDs)
- **Devices**: 5× 6TB HDDs (RAIDZ1)
- **Usable Space**: ~21.7TB
- **Usage**:
- `/zfs_pool/nc_data` (Nextcloud)
- `/zfs_pool/immich` (Media archive)
### Additional SSD (ext4)
- **Device**: `/dev/sda` — 525GB Crucial SSD
- **Mount Point**: `/mnt/torrents`
- **Use**: qBittorrent download staging
---
## 🌐 Networking
| Field | Value |
|------------------|---------------------------|
| **Primary NIC** | `enp4s0` |
| **Bridge** | `vmbr0` |
| **Gateway** | `192.168.1.1` |
| **DNS** | `1.1.1.1`, `8.8.8.8` |
| **Firewall** | Enabled at Proxmox level |
| **DHCP** | Disabled (Static IP) |
---
## 🗂️ VM & Container Roles
| ID | Hostname | Type | Description |
|------|----------------|---------|----------------------------------------|
| 100 | homeassistant | VM | Home Assistant OS + Cloudflare Tunnel |
| 103 | pihole | LXC | DNS + Ad-blocker |
| 104 | sonarr | LXC | TV Automation |
| 105 | radarr | LXC | Movie Automation |
| 106 | jackett | LXC | Indexer Proxy |
| 107 | flaresolverr | LXC | Cloudflare Bypass Tool |
| 108 | qbittorrent | LXC | Torrent Client |
| 109 | immich | LXC | Personal Photo Archive |
| 110 | nextcloud | LXC | All-in-One Cloud Storage Suite |
| 111 | nextcloud | LXC | Shared with `cloudflared`, Apache |
---
## 🔒 Credentials & Security
- **Stored In**: Bitwarden (folder: `homelab`)
- **Root Login**: Enabled on proxmox04 (`root@pam`)
- **2FA**: Not enabled at host level
- **SSH Access**: Enabled, static IP (`192.168.1.37`)
- **Web UI Access**: `https://192.168.1.37:8006`
---
## 🔁 Backup & Snapshot Strategy
| Method | Status |
|--------------------|-------------------------------------|
| **ZFS Snapshots** | Manual (daily/weekly planned) |
| **vzdump** | Not yet automated |
| **External Backup**| Not configured |
| **Restore** | GUI or CLI via snapshot rollback |
---
## 🧩 Services Running On Host
| Service | Status | Notes |
|---------------|--------|------------------------------|
| Proxmox GUI | ✅ | Accessible via `:8006` |
| smartd | ✅ | Disk health monitoring |
| ZFS utilities | ✅ | Native to Proxmox |
| Cron | ✅ | Used for task automation |
---
## 📝 Additional Notes
- Cloudflare tunnels are configured in container 111 using `cloudflared`
- All service domains are routed securely through Cloudflare (Nextcloud, Home Assistant)
- All important system and config files are documented in their respective markdown files
- Default container storage: `vm_data`
- All container root volumes use ZFS subvolumes

82
qbittorrent_complete.md Normal file
View File

@ -0,0 +1,82 @@
# 🧲 qBittorrent - Container 108
## Overview
qBittorrent is a lightweight and powerful BitTorrent client with a modern Web UI. It is used in this homelab setup as the primary download client for Sonarr and Radarr.
## Service Details
- **Container ID**: 108
- **Hostname**: qbittorrent
- **IP Address**: 192.168.1.47
- **Port**: 8080 (Web UI)
- **Access**: LAN-only or via Tailscale
- **Authentication**: Web UI login enabled
- **Username / Password**: `admin` / `pcideas` (stored in Bitwarden under `homelab > qBittorrent`)
## Hosting & Platform
- **Platform**: Native install in unprivileged Debian-based LXC container
- **Install Method**: Community script or manual binary install
- **Privileged**: No
- **Features Enabled**: `keyctl=1`, `nesting=1`
- **Service Management**: Runs as systemd service or default user session
- **Runs As**: root
## Storage & Mounts
| Host Path | Container Path | Purpose |
|----------------------|----------------|-----------------------------|
| `/mnt/ssd_downloads` | `/downloads` | Download storage volume |
## Configuration
- **Web UI URL**: `http://192.168.1.47:8080/`
- **Username / Password**: `admin` / `pcideas`
- **Download Categories**: Optional (`tv`, `movies`)
- **Save Path**: `/downloads/completed`
- **Temp Path**: `/downloads/incomplete`
- **ShareLimitAction**: `Pause` (allows Radarr/Sonarr import + cleanup)
- **Remote Path Mapping**:
- Host: `/mnt/ssd_downloads`
- Sonarr/Radarr Container: `/downloads`
## Backup & Recovery
- **Config File**: `~/.config/qBittorrent/qBittorrent.conf`
- **Log Directory**: `~/.config/qBittorrent/logs/`
- **Backup Strategy**: LXC snapshot or `tar` archive of config directory
- **Manual Backup**:
```bash
tar -czvf /root/qbittorrent-config-$(date +%F).tar.gz ~/.config/qBittorrent
```
- **Restore**: Drop files back in place and restart the service
## Logs & Monitoring
- **Log Path**: `~/.config/qBittorrent/logs/qbittorrent.log`
- **Monitoring**: Not configured (can be added via custom agent or `journalctl`)
- **Health Check**: Optional; port check on 8080 via Prometheus or watchdog
## Updates
To update manually:
1. Stop qBittorrent
2. Download latest binary or package
3. Replace executable (if not using apt-managed version)
4. Restart service or container
## System Behavior
- **ShareLimitAction = Pause** ensures completed torrents can be removed or cleaned up by Radarr/Sonarr without conflict.
- **No Hardlinking** used (due to SMB-backed storage).
- **Resource Footprint**: Very lightweight — runs well with 2 vCPU / 2 GB RAM.
- **Firewall**: LAN/Tailscale access only; not exposed externally.
## Notes
- Acts as the central downloader for all automated media.
- Runs as `root` (inside LXC), allowing clean access to mount paths.
- Categories can help organize media intake (`tv`, `movies`, etc.)
- Paused torrents enable smooth post-processing.
- Web UI can be accessed only internally, secured via basic auth.

123
radarr_complete.md Normal file
View File

@ -0,0 +1,123 @@
# 🎬 Radarr - Container 105
## Overview
Radarr automates the discovery, downloading, renaming, and management of movie files. In this homelab, Radarr runs **natively inside an unprivileged LXC container** on Proxmox (not Docker), and integrates with qBittorrent and Jackett. Plex is notified via webhook after successful imports.
## Service Details
- **Container ID**: 105
- **Hostname**: radarr
- **IP Address**: 192.168.1.43
- **Port**: 7878 (Web UI)
- **Access**: LAN-only via Tailscale (not publicly exposed)
- **Authentication**: Enabled (`Forms` login)
- **Username / Password**: `admin` / `pcideas` (stored in Bitwarden under `homelab > Radarr`)
## Hosting & Platform
- **Platform**: Native install in Debian-based LXC
- **Privileged**: No
- **Features**: `keyctl=1`, `nesting=1`
- **Service**: systemd-managed (`radarr.service`)
- **Binary Path**: `/opt/Radarr/Radarr`
- **Config Directory**: `/var/lib/radarr`
- **Runs As**: `root` (inside unprivileged LXC)
## Storage & Mounts
| Host Path | Container Path | Purpose |
| ------------------------- | -------------- | ----------------------------- |
| `/mnt/ssd_downloads` | `/downloads` | Source of completed downloads |
| `/mnt/smb_shares/g_media` | `/mnt/g_media` | Movie media root folder |
| `/mnt/smb_shares/h_media` | `/mnt/h_media` | Movie media root folder |
| `/mnt/smb_shares/i_media` | `/mnt/i_media` | Movie media root folder |
| `/mnt/smb_shares/j_media` | `/mnt/j_media` | Movie media root folder |
| `/mnt/smb_shares/k_media` | `/mnt/k_media` | Movie media root folder |
| `/mnt/smb_shares/f_media` | `/mnt/f_media` | Movie media root folder |
## Configuration
- **Indexer**: Jackett (Torznab URL)
- **Download Client**: qBittorrent at `192.168.1.47:8080`
- **Username / Password**: `admin` / `pcideas`
- **Remote Path Mapping**: `/mnt/ssd_downloads` (host) → `/downloads` (Radarr)
- **Share Limit Action**: `Pause` (ensures import + cleanup works)
## Import Behavior
- **Completed Download Handling**: ✅ Enabled
- **Import Method**: Move + Rename
- **Category Use**: Optional (`movies`) in qBittorrent
- **Hardlinking**: ❌ Disabled
- Radarr auto-selects the correct root folder based on configured libraries
## Config Files
- **Primary Config**: `/var/lib/radarr/config.xml`
- Stores:
- Web UI port (7878)
- Bind address (`*`)
- SSL settings (disabled)
- Authentication method (Forms)
- API key
- **Web UI Behavior**:
- `LaunchBrowser`: false
- `UrlBase`: empty
- `Branch`: master
## Backup & Recovery
- **Backup Target**: `/var/lib/radarr`
- **Strategy**: Scheduled LXC container snapshots + optional tarball or rsync
- **Manual Backup Command**:
```bash
tar -czvf /root/radarr-config-backup-$(date +%F).tar.gz /var/lib/radarr
```
- **Restore**: Extract and restart the Radarr service
## Logs & Monitoring
- **Log Path**: `/var/lib/radarr/logs/`
- **Monitoring**: Not currently configured
## Updates
To update manually:
```bash
systemctl stop radarr
curl -Lo /tmp/radarr.tar.gz https://services.radarr.video/v1/download/main/latest?os=linux&arch=x64
tar -xvzf /tmp/radarr.tar.gz -C /tmp/radarr-update
cp -r /tmp/radarr-update/* /opt/Radarr/
chown -R root:root /opt/Radarr
systemctl start radarr
```
## Systemd Service File
`/etc/systemd/system/radarr.service`
```ini
[Unit]
Description=Radarr Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/opt/Radarr/Radarr -nobrowser -data=/var/lib/radarr/
TimeoutStopSec=20
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
```
## Notes
- Hardlinking is disabled
- All media mounts are SMB-backed ZFS datasets
- Remote path mapping is required due to separate qBittorrent container
- Integration with Plex is via webhook
- Config and logs are stored in `/var/lib/radarr`
- Radarr runs as `root` which simplifies file access across mounts

123
sonarr_complete.md Normal file
View File

@ -0,0 +1,123 @@
# 📺 Sonarr - Container 104
## Overview
Sonarr is a TV series management and downloader tool. It automates the discovery, downloading, and organization of TV content through indexers and torrent clients. In this homelab, Sonarr runs **natively inside an unprivileged LXC container** on Proxmox (not Docker).
## Service Details
- **Container ID**: 104
- **Hostname**: sonarr
- **IP Address**: 192.168.1.39
- **Port**: 8989 (Web UI)
- **Access**: LAN-only via Tailscale (not publicly exposed)
- **Authentication**: Enabled (`Forms` login)
- **Username / Password**: `admin` / `pcideas` (stored in Bitwarden under `homelab > Sonarr`)
## Hosting & Platform
- **Platform**: Native install in Debian-based LXC
- **Privileged**: No
- **Features**: `keyctl=1`, `nesting=1`
- **Service**: systemd-managed (`sonarr.service`)
- **Binary Path**: `/opt/Sonarr/Sonarr`
- **Config Directory**: `/var/lib/sonarr`
- **Runs As**: `root` (inside unprivileged LXC)
## Storage & Mounts
| Host Path | Container Path | Purpose |
| ------------------------- | -------------- | ----------------------------- |
| `/mnt/ssd_downloads` | `/downloads` | Source of completed downloads |
| `/mnt/smb_shares/g_media` | `/mnt/g_media` | TV media root folder |
| `/mnt/smb_shares/h_media` | `/mnt/h_media` | TV media root folder |
| `/mnt/smb_shares/i_media` | `/mnt/i_media` | TV media root folder |
| `/mnt/smb_shares/j_media` | `/mnt/j_media` | TV media root folder |
| `/mnt/smb_shares/k_media` | `/mnt/k_media` | TV media root folder |
| `/mnt/smb_shares/f_media` | `/mnt/f_media` | TV media root folder |
## Configuration
- **Indexer**: Jackett (Torznab URL)
- **Download Client**: qBittorrent at `192.168.1.47:8080`
- **Username / Password**: `admin` / `pcideas`
- **Remote Path Mapping**: `/mnt/ssd_downloads` (host) → `/downloads` (Sonarr)
- **Share Limit Action**: `Pause` (prevents interference with file import)
## Import Behavior
- **Completed Download Handling**: ✅ Enabled
- **Import Method**: Move + Rename
- **Category Use**: Optional (`tv`) in qBittorrent
- **Hardlinking**: ❌ Disabled
- Sonarr auto-detects the correct root folder based on existing library paths.
## Config Files
- **Primary Config**: `/var/lib/sonarr/config.xml`
- Stores:
- Web UI port (8989)
- Bind address (`*`)
- SSL settings (disabled)
- Authentication method (Forms)
- API key
- **Web UI Behavior**:
- `LaunchBrowser`: false
- `UrlBase`: empty
- `Branch`: master
## Backup & Recovery
- **Backup Target**: `/var/lib/sonarr`
- **Strategy**: Scheduled LXC container backups + optional rsync or tarball
- **Manual Backup Command**:
```bash
tar -czvf /root/sonarr-config-backup-$(date +%F).tar.gz /var/lib/sonarr
```
- **Restore**: Extract and restart the service
## Logs & Monitoring
- **Log Path**: `/var/lib/sonarr/logs/`
- **Monitoring**: Not currently configured
## Updates
To update manually:
```bash
systemctl stop sonarr
curl -Lo /tmp/sonarr.tar.gz https://services.sonarr.tv/v1/download/main/latest?version=3&os=linux&arch=x64
tar -xvzf /tmp/sonarr.tar.gz -C /tmp/sonarr-update
cp -r /tmp/sonarr-update/* /opt/Sonarr/
chown -R root:root /opt/Sonarr
systemctl start sonarr
```
## Systemd Service File
`/etc/systemd/system/sonarr.service`
```ini
[Unit]
Description=Sonarr Daemon
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/opt/Sonarr/Sonarr -nobrowser -data=/var/lib/sonarr/
TimeoutStopSec=20
KillMode=process
Restart=on-failure
[Install]
WantedBy=multi-user.target
```
## Notes
- Hardlinking is disabled
- All media mounts are SMB-backed ZFS datasets
- Remote path mapping is required due to separate qBittorrent container
- Integration with Plex is via webhook
- Config and logs are stored in `/var/lib/sonarr`
- Sonarr runs as `root` which simplifies file access across mounts