Add home-security-agent with PostgreSQL persistence for dashboard.

The autonomous agent writes all observations to agent.* tables consumed by Homelab Command on port 8765.

Co-authored-by: Cursor <cursoragent@cursor.com>

apps/home-security-agent/config/policies.yaml

@@ -0,0 +1,20 @@
+# Agent-gedrag
+interval_seconds: 300
+quiet_hours:
+  start: "23:00"
+  end: "07:00"
+  timezone: Europe/Brussels
+  allow_severity: critical
+
+dedupe_minutes: 30
+
+severity_telegram:
+  - critical
+  - high
+
+# Zonder LLM: regels
+rules:
+  any_service_down: high
+  proxmox_unreachable: critical
+  nas_unreachable: critical
+  unknown_lan_device: medium

apps/home-security-agent/config/targets.yaml

@@ -0,0 +1,44 @@
+# Doelen die de agent zelf monitort (geen Wazuh/Uptime Kuma/n8n)
+nas:
+  host: 192.168.1.211
+  checks:
+    - name: NAS SSH
+      type: tcp
+      port: 22
+    - name: Gitea
+      type: http
+      url: http://192.168.1.211:3000
+    - name: AdGuard
+      type: http
+      url: http://192.168.1.211:3001
+
+proxmox_hosts:
+  - name: pve
+    host: 192.168.1.216
+    port: 8006
+    tls: true
+  - name: dell-proxmox
+    host: 192.168.1.56
+    port: 8006
+    tls: true
+
+services:
+  - name: Homepage
+    url: http://192.168.1.192:3000
+  - name: Home Assistant
+    url: http://192.168.1.235:8123
+  - name: UniFi
+    url: https://192.168.1.24
+    insecure_tls: true
+  - name: Frigate
+    url: https://192.168.1.185:30058
+    insecure_tls: true
+  - name: Homelab Command
+    url: http://192.168.1.211:8765
+
+# Optioneel: bekende apparaten op LAN (ARP/ping — geen externe SIEM)
+lan_watch:
+  enabled: true
+  subnet: 192.168.1.0/24
+  # Bekende MACs → negeer of label (vul aan na eerste scan)
+  known_hosts: []