diff --git a/.env.example b/.env.example index d2a453c..f04b718 100644 --- a/.env.example +++ b/.env.example @@ -1,7 +1,10 @@ # Private homelab — echte credentials (repo is privé op Gitea) NAS_IP=192.168.1.211 +# Proxmox VM 102 — Postgres, Neo4j, Homelab Command, syslog, NATS, security agent +VM102_IP=192.168.1.105 POSTGRES_USER=mo +PG_HOST=192.168.1.105 POSTGRES_PASSWORD=WaQTUw2t POSTGRES_DB=homelab PG_HOST_PORT=5433 diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md new file mode 100644 index 0000000..fa56511 --- /dev/null +++ b/ARCHITECTURE.md 
@@ -0,0 +1,150 @@ +# Homelab architectuur + +Overzicht van hoe de diensten bij elkaar hangen na de verplaatsing van de **security stack** naar Proxmox VM 102. Vaste IP-referentie: [HOMELAB_IPS.md](HOMELAB_IPS.md). + +## Fysieke hosts + +```mermaid +flowchart TB + subgraph lan [LAN 192.168.1.0/24] + NAS["Synology NAS\n192.168.1.211"] + VM102["Proxmox VM 102 Postgress\n192.168.1.105"] + VM105["Proxmox VM 105 docker\n192.168.1.227"] + PVE216["Proxmox pve\n192.168.1.216"] + PVE56["Proxmox dell\n192.168.1.56"] + UDM["UniFi / gateway\n192.168.1.24"] + HA["Home Assistant\n192.168.1.235"] + end + User["Browser / Git client"] --> NAS + User --> VM102 +``` + +## Security stack (productie op VM 102) + +Het hart van monitoring, syslog, graph en agent-draait op **één VM**. De NAS toont nog dashboards in Homarr/Homepage en beheert Git + metrics. + +```mermaid +flowchart LR + subgraph sources [Data-bronnen LAN] + UniFi[UniFi controller .24] + SyslogDev[Routers / switches / APs] + Zeek[Zeek / Suricata] + end + + subgraph vm102 [VM 102 — 192.168.1.105] + UI[homelab-command :8765] + SyslogUDP[Syslog UDP :5514] + PG[(postgres-homelab :5433)] + Neo[(Neo4j :49153 / UI :49154)] + NATS[NATS :4222] + Mesh[mesh-normalizer] + Agent[el-kadi-security-agent] + end + + subgraph nas [NAS — 192.168.1.211] + Gitea[Gitea :3000] + PgAdmin[pgAdmin :5434] + Graf[Grafana :3002] + Prom[Prometheus :9090] + PGexp[postgres-exporter :9187] + AdGuard[AdGuard :3001] + PGBkp[(postgres-homelab backup :5433)] + end + + User2[Gebruiker] --> UI + User2 --> PgAdmin + PgAdmin --> PG + Graf --> PG + Prom --> PGexp + PGexp --> PG + + SyslogDev -->|UDP 5514| SyslogUDP + UniFi -->|API| UI + Zeek -->|NATS publish| NATS + NATS --> Mesh + SyslogUDP --> PG + UI --> PG + UI --> Neo + Mesh --> PG + Agent --> PG + AdGuard -->|DNS stats API| UI + + PG -.->|rollback kopie| PGBkp +``` + +## Datastromen + +| Stroom | Van | Naar | Poort / protocol | +|--------|-----|------|------------------| +| Dashboard UI | Browser | VM 102 | 
HTTP 8765 | +| SQL (homelab DB) | homelab-command, agent, mesh | Postgres VM 102 | 5433 | +| Syslog ingest | Netwerkapparaten | homelab-command | UDP 5514 → `mesh.syslog_entries` | +| Zeek/Suricata events | Sensors | NATS → mesh-normalizer | 4222 → Postgres | +| Netwerk-topologie | homelab-command | Neo4j VM 102 | Bolt 49153 | +| DB beheer | pgAdmin (NAS) | Postgres VM 102 | 5433 | +| Metrics | Prometheus (NAS) | postgres-exporter → VM 102 | 9187 scrape | +| Git configs | Ontwikkelaar | Gitea (NAS) | 3000 / SSH 2222 | + +## NAS — overige Docker (niet op VM 102) + +```mermaid +flowchart TB + NAS["192.168.1.211"] + NAS --> Gitea + NAS --> AdGuard + NAS --> Portainer + NAS --> Homarr + NAS --> Homepage + NAS --> PromGraf[Prometheus + Grafana] + NAS --> PgAdmin + NAS --> PGbak[Postgres backup] +``` + +| Service | Poort | Opmerking | +|---------|-------|-----------| +| Gitea | 3000 | Config-repo's, Git SSH 2222 | +| AdGuard | 3001 | DNS (dashboard haalt stats op) | +| Portainer | 9000 | Containerbeheer NAS | +| Homarr / Homepage | 4755 / 3010 | Links naar `.105` voor security | +| Grafana | 3002 | Postgres-datasource → `.105:5433` | +| Prometheus | 9090 | Scrapes o.a. 
Neo4j `.105:2004` | +| postgres (backup) | 5433 | Oude kopie; stoppen na validatie | + +## Proxmox VM 105 docker (apart) + +| VM | IP | Rol | +|----|-----|-----| +| 102 Postgress | 192.168.1.105 | Security + Postgres + Neo4j | +| 105 docker | 192.168.1.227 | `office_desk_agent` :8000 (Proxmox/office tooling) | + +## Repo-structuur (Gitea) + +```mermaid +flowchart LR + Gitea["Gitea :3000\n192.168.1.211"] + Gitea --> CFG[homelab-configs\nDocker compose per app] + Gitea --> CMD[homelab-command\nDashboard broncode] + CFG --> DeployNAS[Deploy NAS apps] + CFG --> DeployVM[Documentatie VM 102] + CMD --> BuildVM[Build op VM 102\n~/homelab-command] +``` + +| Repository | Inhoud | +|------------|--------| +| `homelab-configs` | Compose, env-voorbeelden, Homarr/Homepage, monitoring | +| `homelab-command` | FastAPI dashboard, mesh-ingest, Grafana-dockerfile | + +## Snelle URL-lijst + +| Wat | URL | +|-----|-----| +| Security dashboard | http://192.168.1.105:8765/dashboard | +| Neo4j Browser | http://192.168.1.105:49154 | +| pgAdmin | http://192.168.1.211:5434 | +| Gitea | http://192.168.1.211:3000 | +| Grafana | http://192.168.1.211:3002 | +| Portainer | http://192.168.1.211:9000 | + +## Rollback + +- Postgres: zie [homelab-command/docs/POSTGRES_ROLLBACK.md](http://192.168.1.211:3000/mo/homelab-command/src/branch/main/docs/POSTGRES_ROLLBACK.md) (in homelab-command repo) — `PG_HOST` terug naar `.211`, NAS-container herstarten. diff --git a/HOMELAB_IPS.md b/HOMELAB_IPS.md new file mode 100644 index 0000000..d15ca29 --- /dev/null +++ b/HOMELAB_IPS.md 
@@ -0,0 +1,30 @@ +# Homelab IP-adressen (referentie) + +## Waar draait wat? + +| IP | Host | Services | +|----|------|----------| +| **192.168.1.105** | Proxmox VM 102 `Postgress` | Postgres :5433, Neo4j :49153–49155, Dashboard :8765, Syslog UDP :5514, NATS :4222, Security agent | +| **192.168.1.211** | Synology NAS | Gitea :3000, pgAdmin :5434, Grafana :3002, Prometheus :9090, AdGuard :3001, Portainer :9000, Postgres **backup** :5433 | +| **192.168.1.227** | Proxmox VM 105 `docker` | Office desk agent :8000 | +| **192.168.1.216** | Proxmox pve | API :8006 | +| **192.168.1.56** | Proxmox dell | API :8006 | + +## Standaard URLs (productie) + +- Dashboard: http://192.168.1.105:8765/dashboard +- Neo4j Browser: http://192.168.1.105:49154 +- pgAdmin: http://192.168.1.211:5434 (server → `192.168.1.105:5433`) +- Gitea: http://192.168.1.211:3000 + +## Env-variabelen (`.env` in repo) + +```env +NAS_IP=192.168.1.211 +VM102_IP=192.168.1.105 +PG_HOST=192.168.1.105 +``` + +## Syslog + +Remote syslog → **192.168.1.105:5514** (niet `.211`). diff --git a/INVENTORY.md b/INVENTORY.md index a0c8b7d..5e99eec 100644 --- a/INVENTORY.md +++ b/INVENTORY.md 
@@ -1,17 +1,29 @@ # Homelab inventaris — alles thuis -Private repo. Laatst bijgewerkt vanaf NAS `192.168.1.211`. +Private repo. Laatst bijgewerkt: security stack op VM 102 (`192.168.1.105`), overige apps op NAS (`192.168.1.211`). + +## Proxmox VM 102 Postgress — `192.168.1.105` (productie security) + +| App | Map / pad op VM | IP:poort | Status | +|-----|-----------------|----------|--------| +| PostgreSQL | `~/homelab-postgres/` | :5433 | running | +| Neo4j | `~/neo4j/` | :49153–49155 | running | +| Homelab Command | `~/homelab-command/` | :8765 | running | +| Syslog UDP | homelab-command | :5514 | → `.105` | +| NATS + mesh-normalizer | `~/homelab-command/` | :4222 | running | +| Security Agent | `~/home-security-agent/` | host | running | + +**Dashboard:** http://192.168.1.105:8765/dashboard · **Neo4j UI:** http://192.168.1.105:49154 ## Synology NAS — Docker (actief) | App | Map | IP:poort | Status | |-----|-----|----------|--------| -| PostgreSQL | [apps/postgres](apps/postgres/) | :5433 | running | -| pgAdmin | [apps/pgadmin](apps/pgadmin/) | :5434 | running | +| PostgreSQL (backup) | [apps/postgres](apps/postgres/) | 192.168.1.211:5433 | running · fallback | +| pgAdmin | [apps/pgadmin](apps/pgadmin/) | :5434 | running → DB op `.105` | | Gitea | [apps/gitea](apps/gitea/) | :3000 | running | | AdGuard Home | [apps/adguard](apps/adguard/) | :53, :3001 | running | | DuckDNS | [apps/duckdns](apps/duckdns/) | — | running | -| Neo4j | [apps/neo4j](apps/neo4j/) | :49153–49155 | running | | Homarr | [apps/homarr](apps/homarr/) | :4755 | running | | Homepage | [apps/homepage](apps/homepage/) | http://192.168.1.192:3000 (pve CT 120) | running | | Portainer | [apps/portainer](apps/portainer/) | :9000 | running | 
@@ -19,9 +31,6 @@ Private repo. Laatst bijgewerkt vanaf NAS `192.168.1.211`. | Excalidraw | [apps/excalidraw](apps/excalidraw/) | :3765 | running | | Prometheus | [apps/monitoring](apps/monitoring/) | :9090 | running | | Grafana | [apps/monitoring](apps/monitoring/) | :3002 | running | -| Homelab Command | [homelab-command repo](http://192.168.1.211:3000/mo/homelab-command) | :8765 | running | -| Security Agent | [apps/home-security-agent](apps/home-security-agent/) | Docker (NAS) | agentic · Telegram | -| NATS + mesh | [apps/monitoring](apps/monitoring/) | :4222 | running | ## Synology NAS — Docker (gestopt / image aanwezig) @@ -82,6 +91,8 @@ python3 scripts/pull-lxc-from-proxmox.py # op NAS, via Proxmox SSH | IP | Rol | |----|-----| | 192.168.1.211 | Synology NAS | +| 192.168.1.105 | Proxmox VM 102 Postgress (Postgres, Neo4j, Homelab Command) | +| 192.168.1.227 | Proxmox VM 105 docker (office agent) | | 192.168.1.216 | Proxmox pve | | 192.168.1.56 | Proxmox dell | | 192.168.1.24 | UniFi controller | diff --git a/README.md b/README.md index af057b6..18dd735 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Homelab Infrastructure Configuration -Private Gitea-repo met **alle configs per applicatie** voor Synology NAS (`192.168.1.211`) en Proxmox hosts. +Private Gitea-repo met **alle configs per applicatie** voor Synology NAS (`192.168.1.211`) en Proxmox VM 102 (`192.168.1.105`). Zie [HOMELAB_IPS.md](HOMELAB_IPS.md). **Snel herstellen:** [RESTORE.md](RESTORE.md) **Volledige inventaris:** [INVENTORY.md](INVENTORY.md) diff --git a/apps/homarr/config/default.json b/apps/homarr/config/default.json index 904779c..ed899cf 100644 --- a/apps/homarr/config/default.json +++ b/apps/homarr/config/default.json 
@@ -4007,7 +4007,7 @@ { "id": "1446d0cd-5449-4e41-b68b-15b4052f6325", "name": "Neo4j Browser", - "url": "http://192.168.1.211:49154", + "url": "http://192.168.1.105:49154", "appearance": { "iconUrl": "https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/neo4j.png", "appNameStatus": "normal", @@ -4028,7 +4028,7 @@ }, "behaviour": { "isOpeningNewTab": true, - "externalUrl": "http://192.168.1.211:49154" + "externalUrl": "http://192.168.1.105:49154" }, "area": { "type": "category", @@ -4066,7 +4066,7 @@ { "id": "039d3bf6-bf8a-4944-a8b1-7cc886daebe7", "name": "HA Voice Ctrl", - "url": "http://192.168.1.211:8765", + "url": "http://192.168.1.105:8765", "appearance": { "iconUrl": "https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/home-assistant.png", "appNameStatus": "normal", @@ -4087,7 +4087,7 @@ }, "behaviour": { "isOpeningNewTab": true, - "externalUrl": "http://192.168.1.211:8765" + "externalUrl": "http://192.168.1.105:8765" }, "area": { "type": "category", @@ -5426,7 +5426,7 @@ { "id": "9be593d8-a4b4-460a-8998-6cafefb4271e", "name": "Home Control", - "url": "http://192.168.1.211:8765/dashboard#live", + "url": "http://192.168.1.105:8765/dashboard#live", "appearance": { "iconUrl": "https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/svg/crafty-controller.svg", "appNameStatus": "normal", @@ -5447,7 +5447,7 @@ }, "behaviour": { "isOpeningNewTab": true, - "externalUrl": "http://192.168.1.211:8765/dashboard#live" + "externalUrl": "http://192.168.1.105:8765/dashboard#live" }, "area": { "type": "category", diff --git a/apps/home-security-agent/.env.example b/apps/home-security-agent/.env.example index 407f939..0cb6f1b 100644 --- a/apps/home-security-agent/.env.example +++ b/apps/home-security-agent/.env.example 
@@ -2,8 +2,8 @@ TELEGRAM_BOT_TOKEN= TELEGRAM_CHAT_ID= -# PostgreSQL — observaties voor dashboard http://192.168.1.211:8765 -PG_HOST=192.168.1.211 +# PostgreSQL — observaties voor dashboard http://192.168.1.105:8765 +PG_HOST=192.168.1.105 PG_PORT=5433 PG_USER=mo PG_PASSWORD= diff --git a/apps/home-security-agent/README.md b/apps/home-security-agent/README.md index 1997aeb..1bf6c1f 100644 --- a/apps/home-security-agent/README.md +++ b/apps/home-security-agent/README.md @@ -52,12 +52,13 @@ Voeg in `targets.yaml` services toe. Voor diepere agent-gedrag later: Alle observaties gaan naar **PostgreSQL** (`agent.observation_runs`, `agent.findings`, `agent.incidents`). -Bekijk ze in **Homelab Command**: http://192.168.1.211:8765/dashboard#security (tab Security → Home Security Agent). +Bekijk ze in **Homelab Command**: http://192.168.1.105:8765/dashboard#security (tab Security → Home Security Agent). Eénmalig schema: ```bash docker exec -i postgres-homelab psql -U mo -d homelab < migrations/004_home_agent_observations.sql +# Postgres draait op VM 102: ssh mo@192.168.1.105 → docker exec postgres-homelab psql ... ``` Of vanuit homelab-command: `scripts/apply_mesh_migrations.sh` (past alle `migrations/*.sql` toe). diff --git a/apps/home-security-agent/agent/pg_store.py b/apps/home-security-agent/agent/pg_store.py index 09fe3e4..64a1d07 100644 --- a/apps/home-security-agent/agent/pg_store.py +++ b/apps/home-security-agent/agent/pg_store.py @@ -25,7 +25,7 @@ def _connect(): if url: return psycopg2.connect(url) return psycopg2.connect( - host=os.getenv("PG_HOST", "192.168.1.211"), + host=os.getenv("PG_HOST", "192.168.1.105"), port=int(os.getenv("PG_PORT", "5433")), user=os.getenv("PG_USER", "mo"), password=os.getenv("PG_PASSWORD", ""), diff --git a/apps/home-security-agent/config/targets.yaml b/apps/home-security-agent/config/targets.yaml index 830f322..ecd878a 100644 --- a/apps/home-security-agent/config/targets.yaml +++ b/apps/home-security-agent/config/targets.yaml 
@@ -34,7 +34,7 @@ services: url: https://192.168.1.185:30058 insecure_tls: true - name: Homelab Command - url: http://192.168.1.211:8765 + url: http://192.168.1.105:8765 # Optioneel: bekende apparaten op LAN (ARP/ping — geen externe SIEM) lan_watch: diff --git a/apps/home-security-agent/docker-compose.yml b/apps/home-security-agent/docker-compose.yml index b1d4e29..7d71372 100644 --- a/apps/home-security-agent/docker-compose.yml +++ b/apps/home-security-agent/docker-compose.yml @@ -8,7 +8,7 @@ services: env_file: - .env environment: - PG_HOST: ${PG_HOST:-192.168.1.211} + PG_HOST: ${PG_HOST:-192.168.1.105} PG_PORT: ${PG_PORT:-5433} PG_USER: ${PG_USER:-mo} PG_PASSWORD: ${PG_PASSWORD:-} diff --git a/apps/homepage/config/services.yaml b/apps/homepage/config/services.yaml index bbb9b31..67ced2a 100644 --- a/apps/homepage/config/services.yaml +++ b/apps/homepage/config/services.yaml @@ -207,9 +207,9 @@ - HA Voice Ctrl: icon: home-assistant.png - href: http://192.168.1.211:8765 + href: http://192.168.1.105:8765 description: HA Voice Ctrl - siteMonitor: http://192.168.1.211:8765 + siteMonitor: http://192.168.1.105:8765 statusStyle: dot - Productivity: @@ -302,9 +302,9 @@ - Neo4j Browser: icon: neo4j.png - href: http://192.168.1.211:49154 + href: http://192.168.1.105:49154 description: Neo4j Browser - siteMonitor: http://192.168.1.211:49154 + siteMonitor: http://192.168.1.105:49154 statusStyle: dot - OnlyOffice: @@ -478,9 +478,9 @@ - Home Control: icon: mdi-server-network-#14b8a6 - href: http://192.168.1.211:8765/dashboard#live + href: http://192.168.1.105:8765/dashboard#live description: Home Control - siteMonitor: http://192.168.1.211:8765 + siteMonitor: http://192.168.1.105:8765 statusStyle: dot - Web Design: diff --git a/apps/joplin/docker-compose.yml b/apps/joplin/docker-compose.yml index 087f585..903c395 100644 --- a/apps/joplin/docker-compose.yml +++ b/apps/joplin/docker-compose.yml 
@@ -14,7 +14,7 @@ services: POSTGRES_DATABASE: ${JOPLIN_DB:-joplin} POSTGRES_USER: ${POSTGRES_USER:-mo} POSTGRES_PORT: 5432 - POSTGRES_HOST: postgres-homelab + POSTGRES_HOST: ${POSTGRES_HOST:-192.168.1.105} depends_on: - joplin-db diff --git a/apps/monitoring/docker-compose.grafana.yml b/apps/monitoring/docker-compose.grafana.yml index fbad98d..9c1d25b 100644 --- a/apps/monitoring/docker-compose.grafana.yml +++ b/apps/monitoring/docker-compose.grafana.yml @@ -41,7 +41,7 @@ services: ports: - "${POSTGRES_EXPORTER_PORT:-9187}:9187" environment: - DATA_SOURCE_NAME: "postgresql://${PG_USER:-mo}:${PG_PASSWORD}@postgres-homelab:5432/${PG_DATABASE:-homelab}?sslmode=disable" + DATA_SOURCE_NAME: "postgresql://${PG_USER:-mo}:${PG_PASSWORD}@${PG_HOST:-192.168.1.105}:${PG_PORT:-5433}/${PG_DATABASE:-homelab}?sslmode=disable" networks: - homelab-monitor diff --git a/apps/monitoring/prometheus.yml b/apps/monitoring/prometheus.yml index a7994a6..f8d9a56 100644 --- a/apps/monitoring/prometheus.yml +++ b/apps/monitoring/prometheus.yml @@ -12,14 +12,14 @@ scrape_configs: static_configs: - targets: ["postgres-exporter-homelab:9187"] labels: - instance: postgres-homelab + instance: postgres-vm102 # Neo4j 4.4+ enterprise metrics.prometheus.enabled → endpoint op poort 2004 - job_name: neo4j scrape_interval: 30s metrics_path: /metrics static_configs: - - targets: ["neo4j:2004"] + - targets: ["192.168.1.105:2004"] labels: instance: neo4j diff --git a/apps/neo4j/README.md b/apps/neo4j/README.md index d91f388..f2be79d 100644 --- a/apps/neo4j/README.md +++ b/apps/neo4j/README.md @@ -2,7 +2,8 @@ | | | |---|---| +| **Productie** | **192.168.1.105** — Bolt :49153, Browser :49154 (`~/neo4j/` op VM 102) | +| **NAS compose** | Oude map; stack verplaatst naar VM 102 | | **Poort** | 49153 | -| **Start** | `docker compose up -d` | Zie [apps/README.md](../README.md) en [RESTORE.md](../../RESTORE.md). 
diff --git a/apps/pgadmin/docker-compose.yml b/apps/pgadmin/docker-compose.yml index 833d24a..451ba33 100644 --- a/apps/pgadmin/docker-compose.yml +++ b/apps/pgadmin/docker-compose.yml @@ -22,6 +22,7 @@ services: # Masquerade root URL voor nginx reverse proxy - PGADMIN_CONFIG_SERVER_MODE=True - PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED=False + - PGADMIN_SERVER_JSON_FILE=/pgadmin4/servers.json volumes: - pgadmin-data:/var/lib/pgadmin # persistentie: server lijst, instellingen diff --git a/apps/pgadmin/servers.json b/apps/pgadmin/servers.json index aee57ca..60128db 100644 --- a/apps/pgadmin/servers.json +++ b/apps/pgadmin/servers.json @@ -1,8 +1,23 @@ { "Servers": { "1": { - "Name": "Homelab PostgreSQL", - "Group": "Servers", + "Name": "Homelab PostgreSQL (VM102)", + "Group": "Homelab", + "Host": "192.168.1.105", + "Port": 5433, + "MaintenanceDB": "homelab", + "Username": "mo", + "Password": "WaQTUw2t", + "SSLMode": "prefer", + "PassFile": "", + "SSLCert": "", + "SSLKey": "", + "SSLRootCert": "", + "Comment": "Proxmox VM 102 Postgress — productie homelab DB" + }, + "2": { + "Name": "Homelab PostgreSQL NAS backup", + "Group": "Homelab", "Host": "192.168.1.211", "Port": 5433, "MaintenanceDB": "homelab", @@ -13,7 +28,7 @@ "SSLCert": "", "SSLKey": "", "SSLRootCert": "", - "Comment": "Synology NAS — Homelab dashboard database" + "Comment": "Oude NAS-kopie — rollback / vergelijken" } } } diff --git a/apps/postgres/README.md b/apps/postgres/README.md index 5624a19..5bada10 100644 --- a/apps/postgres/README.md +++ b/apps/postgres/README.md @@ -2,7 +2,8 @@ | | | |---|---| +| **Productie** | **192.168.1.105:5433** (VM 102, `~/homelab-postgres/`) | +| **NAS backup** | 192.168.1.211:5433 (`docker compose up -d` in deze map) | | **Poort** | 5433 | -| **Start** | `docker compose up -d` | Zie [apps/README.md](../README.md) en [RESTORE.md](../../RESTORE.md).
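Review bot: the `.env.example` hunk still carries a live secret, `POSTGRES_PASSWORD=WaQTUw2t`, under a header that says the file holds real credentials because the repo is private on Gitea. An `.env.example` is the template that gets committed; a private repo does not protect a password that now sits in every clone, in the Gitea backups and in git history. Suggest replacing the value with a placeholder such as `POSTGRES_PASSWORD=changeme`, keeping the real `.env` untracked, and rotating the Postgres password since it is already in history. The same value is added again in `apps/pgadmin/servers.json` further down in this patch.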
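Review bot: the Rollback section of the new `ARCHITECTURE.md` says to set `PG_HOST` back to `.211` and restart the NAS container, but nothing in the patch keeps the NAS copy in sync with the VM 102 database; the dashed `rollback kopie` arrow in the diagram has no corresponding job. A rollback therefore reverts to the state at cutover and loses every observation, syslog entry and finding written to `.105` since, and the document should say so and name the dump/restore step that has to precede it. Also, the NAS service table lists Homepage on port 3010 of the NAS, while the `INVENTORY.md` hunk keeps `Homepage ... http://192.168.1.192:3000 (pve CT 120)`; one of the two needs correcting.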
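Review bot: in the `apps/home-security-agent/README.md` hunk the new comment `# Postgres draait op VM 102: ssh mo@192.168.1.105 → docker exec postgres-homelab psql ...` follows a command that still runs `docker exec -i postgres-homelab psql -U mo -d homelab < migrations/004_home_agent_observations.sql` locally, which no longer works from the NAS. Either replace the command with one that streams the migration over the hop, e.g. `ssh mo@192.168.1.105 docker exec -i postgres-homelab psql -U mo -d homelab < migrations/004_home_agent_observations.sql`, or state explicitly that it must be run from the checkout on VM 102.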
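Review bot: the `apps/joplin/docker-compose.yml` hunk points `POSTGRES_HOST` at `192.168.1.105` but leaves `POSTGRES_PORT: 5432` and `depends_on: - joplin-db` unchanged. Everywhere else in this patch the VM 102 database is reached on the host-mapped port 5433 (`PG_HOST_PORT=5433`), so 5432 on the LAN IP is unlikely to be the intended endpoint, and the `depends_on` indicates Joplin has its own `joplin-db` container that this change silently bypasses. Confirm which database Joplin should use: if it is the VM 102 instance, align the port and drop the stale dependency; if it is `joplin-db`, revert this hunk.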
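Review bot: the `DATA_SOURCE_NAME` change in `apps/monitoring/docker-compose.grafana.yml` turns a connection that previously stayed on the Docker network (`@postgres-homelab:5432`) into one that crosses the LAN to `192.168.1.105:5433` while keeping `?sslmode=disable`, so the `mo` password and all query traffic now travel in the clear between the NAS and VM 102. Since the database is reachable by LAN IP anyway, consider enabling TLS on the VM 102 Postgres and using `sslmode=require` here (and in pgAdmin, where the hunk uses `prefer`), and restrict `pg_hba.conf` and the VM firewall for port 5433 to the NAS, VM 102 and the agent hosts rather than the whole /24.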
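Review bot: the `apps/monitoring/prometheus.yml` hunk scrapes Neo4j at `192.168.1.105:2004`, so the metrics endpoint that was previously reachable only as `neo4j:2004` on the Docker network is now served on the VM's LAN address without authentication. Limit that port to the Prometheus (NAS) address in the VM 102 firewall, or run Prometheus on the same host. Leaving the exporter target at `postgres-exporter-homelab:9187` is correct since the exporter stays on the NAS, and the `instance: postgres-vm102` label is a useful hint for dashboards that filter on `instance`.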
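Review bot: `PGADMIN_SERVER_JSON_FILE=/pgadmin4/servers.json` in the `apps/pgadmin/docker-compose.yml` hunk only takes effect if `servers.json` is actually mounted at that path, and the visible `volumes:` block mounts only `pgadmin-data`; check that the bind mount exists further down. More importantly, the pgAdmin container imports the server list only on first launch, when the configuration database in `pgadmin-data` is created, so an existing volume will not pick up the new VM102 entry or the renamed group. Either import it into the running instance with the container's `setup.py` load-servers command or document that the volume has to be recreated.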
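Review bot: server `1` in the `apps/pgadmin/servers.json` hunk commits `"Password": "WaQTUw2t"` in plaintext, the same value that `.env.example` carries. pgAdmin's documented way to pre-load credentials is the `PassFile` key (present but empty in the same hunk) pointing at a pgpass file mounted from outside the repo; a `Password` key in this file is a committed secret whether or not the importer honours it. Remove it, use `PassFile`, and rotate the password. Both entries also use `"SSLMode": "prefer"`, which silently falls back to cleartext when the server offers no TLS; `require` is the safer setting once TLS is enabled on the VM 102 instance.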
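Review bot: the `apps/home-security-agent/agent/pg_store.py` hunk bakes `192.168.1.105` into the code as the fallback for `PG_HOST`, and the agent's `docker-compose.yml` hunk repeats the same fallback in `${PG_HOST:-192.168.1.105}`. Two defaults for one setting drift apart the next time the database moves; this patch itself had to touch both. Consider having the code default to `localhost` or fail loudly when `PG_HOST` is unset, so the production IP lives in exactly one place (`.env`).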