Document VM 102 security stack and update IPs to 192.168.1.105.

Add ARCHITECTURE.md and HOMELAB_IPS.md, refresh inventory and app configs for Postgres, Neo4j, Homelab Command, pgAdmin, Homarr, and Homepage links. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-25 23:15:42 +02:00
parent 02b1d155d4
commit 0d6ee22247
19 changed files with 248 additions and 35 deletions
@@ -1,7 +1,10 @@
 # Private homelab — echte credentials (repo is privé op Gitea)
 NAS_IP=192.168.1.211
 # Proxmox VM 102 — Postgres, Neo4j, Homelab Command, syslog, NATS, security agent
 VM102_IP=192.168.1.105
 POSTGRES_USER=mo
 PG_HOST=192.168.1.105
 POSTGRES_PASSWORD=WaQTUw2t
 POSTGRES_DB=homelab
 PG_HOST_PORT=5433
@@ -0,0 +1,150 @@
 # Homelab architectuur
 Overzicht van hoe de diensten bij elkaar hangen na de verplaatsing van de **security stack** naar Proxmox VM 102. Vaste IP-referentie: [HOMELAB_IPS.md](HOMELAB_IPS.md).
 ## Fysieke hosts
 ```mermaid
 flowchart TB
  subgraph lan [LAN 192.168.1.0/24]
    NAS["Synology NAS\n192.168.1.211"]
    VM102["Proxmox VM 102 Postgress\n192.168.1.105"]
    VM105["Proxmox VM 105 docker\n192.168.1.227"]
    PVE216["Proxmox pve\n192.168.1.216"]
    PVE56["Proxmox dell\n192.168.1.56"]
    UDM["UniFi / gateway\n192.168.1.24"]
    HA["Home Assistant\n192.168.1.235"]
  end
  User["Browser / Git client"] --> NAS
  User --> VM102
 ```
 ## Security stack (productie op VM 102)
 Het hart van monitoring, syslog, graph en agent-draait op **één VM**. De NAS toont nog dashboards in Homarr/Homepage en beheert Git + metrics.
 ```mermaid
 flowchart LR
  subgraph sources [Data-bronnen LAN]
    UniFi[UniFi controller .24]
    SyslogDev[Routers / switches / APs]
    Zeek[Zeek / Suricata]
  end
  subgraph vm102 [VM 102 — 192.168.1.105]
    UI[homelab-command :8765]
    SyslogUDP[Syslog UDP :5514]
    PG[(postgres-homelab :5433)]
    Neo[(Neo4j :49153 / UI :49154)]
    NATS[NATS :4222]
    Mesh[mesh-normalizer]
    Agent[el-kadi-security-agent]
  end
  subgraph nas [NAS — 192.168.1.211]
    Gitea[Gitea :3000]
    PgAdmin[pgAdmin :5434]
    Graf[Grafana :3002]
    Prom[Prometheus :9090]
    PGexp[postgres-exporter :9187]
    AdGuard[AdGuard :3001]
    PGBkp[(postgres-homelab backup :5433)]
  end
  User2[Gebruiker] --> UI
  User2 --> PgAdmin
  PgAdmin --> PG
  Graf --> PG
  Prom --> PGexp
  PGexp --> PG
  SyslogDev -->|UDP 5514| SyslogUDP
  UniFi -->|API| UI
  Zeek -->|NATS publish| NATS
  NATS --> Mesh
  SyslogUDP --> PG
  UI --> PG
  UI --> Neo
  Mesh --> PG
  Agent --> PG
  AdGuard -->|DNS stats API| UI
  PG -.->|rollback kopie| PGBkp
 ```
 ## Datastromen
 | Stroom | Van | Naar | Poort / protocol |
 |--------|-----|------|------------------|
 | Dashboard UI | Browser | VM 102 | HTTP 8765 |
 | SQL (homelab DB) | homelab-command, agent, mesh | Postgres VM 102 | 5433 |
 | Syslog ingest | Netwerkapparaten | homelab-command | UDP 5514 → `mesh.syslog_entries` |
 | Zeek/Suricata events | Sensors | NATS → mesh-normalizer | 4222 → Postgres |
 | Netwerk-topologie | homelab-command | Neo4j VM 102 | Bolt 49153 |
 | DB beheer | pgAdmin (NAS) | Postgres VM 102 | 5433 |
 | Metrics | Prometheus (NAS) | postgres-exporter → VM 102 | 9187 scrape |
 | Git configs | Ontwikkelaar | Gitea (NAS) | 3000 / SSH 2222 |
 ## NAS — overige Docker (niet op VM 102)
 ```mermaid
 flowchart TB
  NAS["192.168.1.211"]
  NAS --> Gitea
  NAS --> AdGuard
  NAS --> Portainer
  NAS --> Homarr
  NAS --> Homepage
  NAS --> PromGraf[Prometheus + Grafana]
  NAS --> PgAdmin
  NAS --> PGbak[Postgres backup]
 ```
 | Service | Poort | Opmerking |
 |---------|-------|-----------|
 | Gitea | 3000 | Config-repo's, Git SSH 2222 |
 | AdGuard | 3001 | DNS (dashboard haalt stats op) |
 | Portainer | 9000 | Containerbeheer NAS |
 | Homarr / Homepage | 4755 / 3010 | Links naar `.105` voor security |
 | Grafana | 3002 | Postgres-datasource → `.105:5433` |
 | Prometheus | 9090 | Scrapes o.a. Neo4j `.105:2004` |
 | postgres (backup) | 5433 | Oude kopie; stoppen na validatie |
 ## Proxmox VM 105 docker (apart)
 | VM | IP | Rol |
 |----|-----|-----|
 | 102 Postgress | 192.168.1.105 | Security + Postgres + Neo4j |
 | 105 docker | 192.168.1.227 | `office_desk_agent` :8000 (Proxmox/office tooling) |
 ## Repo-structuur (Gitea)
 ```mermaid
 flowchart LR
  Gitea["Gitea :3000\n192.168.1.211"]
  Gitea --> CFG[homelab-configs\nDocker compose per app]
  Gitea --> CMD[homelab-command\nDashboard broncode]
  CFG --> DeployNAS[Deploy NAS apps]
  CFG --> DeployVM[Documentatie VM 102]
  CMD --> BuildVM[Build op VM 102\n~/homelab-command]
 ```
 | Repository | Inhoud |
 |------------|--------|
 | `homelab-configs` | Compose, env-voorbeelden, Homarr/Homepage, monitoring |
 | `homelab-command` | FastAPI dashboard, mesh-ingest, Grafana-dockerfile |
 ## Snelle URL-lijst
 | Wat | URL |
 |-----|-----|
 | Security dashboard | http://192.168.1.105:8765/dashboard |
 | Neo4j Browser | http://192.168.1.105:49154 |
 | pgAdmin | http://192.168.1.211:5434 |
 | Gitea | http://192.168.1.211:3000 |
 | Grafana | http://192.168.1.211:3002 |
 | Portainer | http://192.168.1.211:9000 |
 ## Rollback
 - Postgres: zie [homelab-command/docs/POSTGRES_ROLLBACK.md](http://192.168.1.211:3000/mo/homelab-command/src/branch/main/docs/POSTGRES_ROLLBACK.md) (in homelab-command repo) — `PG_HOST` terug naar `.211`, NAS-container herstarten.
@@ -0,0 +1,30 @@
 # Homelab IP-adressen (referentie)
 ## Waar draait wat?
 | IP | Host | Services |
 |----|------|----------|
 | **192.168.1.105** | Proxmox VM 102 `Postgress` | Postgres :5433, Neo4j :49153–49155, Dashboard :8765, Syslog UDP :5514, NATS :4222, Security agent |
 | **192.168.1.211** | Synology NAS | Gitea :3000, pgAdmin :5434, Grafana :3002, Prometheus :9090, AdGuard :3001, Portainer :9000, Postgres **backup** :5433 |
 | **192.168.1.227** | Proxmox VM 105 `docker` | Office desk agent :8000 |
 | **192.168.1.216** | Proxmox pve | API :8006 |
 | **192.168.1.56** | Proxmox dell | API :8006 |
 ## Standaard URLs (productie)
 - Dashboard: http://192.168.1.105:8765/dashboard
 - Neo4j Browser: http://192.168.1.105:49154
 - pgAdmin: http://192.168.1.211:5434 (server → `192.168.1.105:5433`)
 - Gitea: http://192.168.1.211:3000
 ## Env-variabelen (`.env` in repo)
 ```env
 NAS_IP=192.168.1.211
 VM102_IP=192.168.1.105
 PG_HOST=192.168.1.105
 ```
 ## Syslog
 Remote syslog → **192.168.1.105:5514** (niet `.211`).
@@ -1,17 +1,29 @@
 # Homelab inventaris — alles thuis
-Private repo. Laatst bijgewerkt vanaf NAS `192.168.1.211`.
+Private repo. Laatst bijgewerkt: security stack op VM 102 (`192.168.1.105`), overige apps op NAS (`192.168.1.211`).
 ## Proxmox VM 102 Postgress — `192.168.1.105` (productie security)
 | App | Map / pad op VM | IP:poort | Status |
 |-----|-----------------|----------|--------|
 | PostgreSQL | `~/homelab-postgres/` | :5433 | running |
 | Neo4j | `~/neo4j/` | :49153–49155 | running |
 | Homelab Command | `~/homelab-command/` | :8765 | running |
 | Syslog UDP | homelab-command | :5514 | → `.105` |
 | NATS + mesh-normalizer | `~/homelab-command/` | :4222 | running |
 | Security Agent | `~/home-security-agent/` | host | running |
 **Dashboard:** http://192.168.1.105:8765/dashboard · **Neo4j UI:** http://192.168.1.105:49154
 ## Synology NAS — Docker (actief)
 | App | Map | IP:poort | Status |
 |-----|-----|----------|--------|
-| PostgreSQL | [apps/postgres](apps/postgres/) | :5433 | running |
+| PostgreSQL (backup) | [apps/postgres](apps/postgres/) | 192.168.1.211:5433 | running · fallback |
-| pgAdmin | [apps/pgadmin](apps/pgadmin/) | :5434 | running |
+| pgAdmin | [apps/pgadmin](apps/pgadmin/) | :5434 | running → DB op `.105` |
 | Gitea | [apps/gitea](apps/gitea/) | :3000 | running |
 | AdGuard Home | [apps/adguard](apps/adguard/) | :53, :3001 | running |
 | DuckDNS | [apps/duckdns](apps/duckdns/) | — | running |
 | Neo4j | [apps/neo4j](apps/neo4j/) | :49153–49155 | running |
 | Homarr | [apps/homarr](apps/homarr/) | :4755 | running |
 | Homepage | [apps/homepage](apps/homepage/) | http://192.168.1.192:3000 (pve CT 120) | running |
 | Portainer | [apps/portainer](apps/portainer/) | :9000 | running |
@@ -19,9 +31,6 @@ Private repo. Laatst bijgewerkt vanaf NAS `192.168.1.211`.
 | Excalidraw | [apps/excalidraw](apps/excalidraw/) | :3765 | running |
 | Prometheus | [apps/monitoring](apps/monitoring/) | :9090 | running |
 | Grafana | [apps/monitoring](apps/monitoring/) | :3002 | running |
 | Homelab Command | [homelab-command repo](http://192.168.1.211:3000/mo/homelab-command) | :8765 | running |
 | Security Agent | [apps/home-security-agent](apps/home-security-agent/) | Docker (NAS) | agentic · Telegram |
 | NATS + mesh | [apps/monitoring](apps/monitoring/) | :4222 | running |
 ## Synology NAS — Docker (gestopt / image aanwezig)
@@ -82,6 +91,8 @@ python3 scripts/pull-lxc-from-proxmox.py   # op NAS, via Proxmox SSH
 | IP | Rol |
 |----|-----|
 | 192.168.1.211 | Synology NAS |
 | 192.168.1.105 | Proxmox VM 102 Postgress (Postgres, Neo4j, Homelab Command) |
 | 192.168.1.227 | Proxmox VM 105 docker (office agent) |
 | 192.168.1.216 | Proxmox pve |
 | 192.168.1.56 | Proxmox dell |
 | 192.168.1.24 | UniFi controller |
@@ -1,6 +1,6 @@
 # Homelab Infrastructure Configuration
-Private Gitea-repo met **alle configs per applicatie** voor Synology NAS (`192.168.1.211`) en Proxmox hosts.
+Private Gitea-repo met **alle configs per applicatie** voor Synology NAS (`192.168.1.211`) en Proxmox VM 102 (`192.168.1.105`). Zie [HOMELAB_IPS.md](HOMELAB_IPS.md).
 **Snel herstellen:** [RESTORE.md](RESTORE.md)  
 **Volledige inventaris:** [INVENTORY.md](INVENTORY.md)  
@@ -4007,7 +4007,7 @@
    {
      "id": "1446d0cd-5449-4e41-b68b-15b4052f6325",
      "name": "Neo4j Browser",
-      "url": "http://192.168.1.211:49154",
+      "url": "http://192.168.1.105:49154",
      "appearance": {
        "iconUrl": "https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/neo4j.png",
        "appNameStatus": "normal",
@@ -4028,7 +4028,7 @@
      },
      "behaviour": {
        "isOpeningNewTab": true,
-        "externalUrl": "http://192.168.1.211:49154"
+        "externalUrl": "http://192.168.1.105:49154"
      },
      "area": {
        "type": "category",
@@ -4066,7 +4066,7 @@
    {
      "id": "039d3bf6-bf8a-4944-a8b1-7cc886daebe7",
      "name": "HA Voice Ctrl",
-      "url": "http://192.168.1.211:8765",
+      "url": "http://192.168.1.105:8765",
      "appearance": {
        "iconUrl": "https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/png/home-assistant.png",
        "appNameStatus": "normal",
@@ -4087,7 +4087,7 @@
      },
      "behaviour": {
        "isOpeningNewTab": true,
-        "externalUrl": "http://192.168.1.211:8765"
+        "externalUrl": "http://192.168.1.105:8765"
      },
      "area": {
        "type": "category",
@@ -5426,7 +5426,7 @@
    {
      "id": "9be593d8-a4b4-460a-8998-6cafefb4271e",
      "name": "Home Control",
-      "url": "http://192.168.1.211:8765/dashboard#live",
+      "url": "http://192.168.1.105:8765/dashboard#live",
      "appearance": {
        "iconUrl": "https://cdn.jsdelivr.net/gh/walkxcode/dashboard-icons/svg/crafty-controller.svg",
        "appNameStatus": "normal",
@@ -5447,7 +5447,7 @@
      },
      "behaviour": {
        "isOpeningNewTab": true,
-        "externalUrl": "http://192.168.1.211:8765/dashboard#live"
+        "externalUrl": "http://192.168.1.105:8765/dashboard#live"
      },
      "area": {
        "type": "category",
@@ -2,8 +2,8 @@
 TELEGRAM_BOT_TOKEN=
 TELEGRAM_CHAT_ID=
-# PostgreSQL — observaties voor dashboard http://192.168.1.211:8765
+# PostgreSQL — observaties voor dashboard http://192.168.1.105:8765
-PG_HOST=192.168.1.211
+PG_HOST=192.168.1.105
 PG_PORT=5433
 PG_USER=mo
 PG_PASSWORD=
@@ -52,12 +52,13 @@ Voeg in `targets.yaml` services toe. Voor diepere agent-gedrag later:
 Alle observaties gaan naar **PostgreSQL** (`agent.observation_runs`, `agent.findings`, `agent.incidents`).
-Bekijk ze in **Homelab Command**: http://192.168.1.211:8765/dashboard#security (tab Security → Home Security Agent).
+Bekijk ze in **Homelab Command**: http://192.168.1.105:8765/dashboard#security (tab Security → Home Security Agent).
 Eénmalig schema:
 ```bash
 docker exec -i postgres-homelab psql -U mo -d homelab < migrations/004_home_agent_observations.sql
 # Postgres draait op VM 102: ssh mo@192.168.1.105 → docker exec postgres-homelab psql ...
 ```
 Of vanuit homelab-command: `scripts/apply_mesh_migrations.sh` (past alle `migrations/*.sql` toe).
@@ -25,7 +25,7 @@ def _connect():
    if url:
        return psycopg2.connect(url)
    return psycopg2.connect(
-        host=os.getenv("PG_HOST", "192.168.1.211"),
+        host=os.getenv("PG_HOST", "192.168.1.105"),
        port=int(os.getenv("PG_PORT", "5433")),
        user=os.getenv("PG_USER", "mo"),
        password=os.getenv("PG_PASSWORD", ""),
@@ -34,7 +34,7 @@ services:
    url: https://192.168.1.185:30058
    insecure_tls: true
  - name: Homelab Command
-    url: http://192.168.1.211:8765
+    url: http://192.168.1.105:8765
 # Optioneel: bekende apparaten op LAN (ARP/ping — geen externe SIEM)
 lan_watch:
@@ -8,7 +8,7 @@ services:
    env_file:
      - .env
    environment:
-      PG_HOST: ${PG_HOST:-192.168.1.211}
+      PG_HOST: ${PG_HOST:-192.168.1.105}
      PG_PORT: ${PG_PORT:-5433}
      PG_USER: ${PG_USER:-mo}
      PG_PASSWORD: ${PG_PASSWORD:-}
@@ -207,9 +207,9 @@
    - HA Voice Ctrl:
        icon: home-assistant.png
-        href: http://192.168.1.211:8765
+        href: http://192.168.1.105:8765
        description: HA Voice Ctrl
-        siteMonitor: http://192.168.1.211:8765
+        siteMonitor: http://192.168.1.105:8765
        statusStyle: dot
 - Productivity:
@@ -302,9 +302,9 @@
    - Neo4j Browser:
        icon: neo4j.png
-        href: http://192.168.1.211:49154
+        href: http://192.168.1.105:49154
        description: Neo4j Browser
-        siteMonitor: http://192.168.1.211:49154
+        siteMonitor: http://192.168.1.105:49154
        statusStyle: dot
    - OnlyOffice:
@@ -478,9 +478,9 @@
    - Home Control:
        icon: mdi-server-network-#14b8a6
-        href: http://192.168.1.211:8765/dashboard#live
+        href: http://192.168.1.105:8765/dashboard#live
        description: Home Control
-        siteMonitor: http://192.168.1.211:8765
+        siteMonitor: http://192.168.1.105:8765
        statusStyle: dot
 - Web Design:
@@ -14,7 +14,7 @@ services:
      POSTGRES_DATABASE: ${JOPLIN_DB:-joplin}
      POSTGRES_USER: ${POSTGRES_USER:-mo}
      POSTGRES_PORT: 5432
-      POSTGRES_HOST: postgres-homelab
+      POSTGRES_HOST: ${POSTGRES_HOST:-192.168.1.105}
    depends_on:
      - joplin-db
@@ -41,7 +41,7 @@ services:
    ports:
      - "${POSTGRES_EXPORTER_PORT:-9187}:9187"
    environment:
-      DATA_SOURCE_NAME: "postgresql://${PG_USER:-mo}:${PG_PASSWORD}@postgres-homelab:5432/${PG_DATABASE:-homelab}?sslmode=disable"
+      DATA_SOURCE_NAME: "postgresql://${PG_USER:-mo}:${PG_PASSWORD}@${PG_HOST:-192.168.1.105}:${PG_PORT:-5433}/${PG_DATABASE:-homelab}?sslmode=disable"
    networks:
      - homelab-monitor
@@ -12,14 +12,14 @@ scrape_configs:
    static_configs:
      - targets: ["postgres-exporter-homelab:9187"]
        labels:
-          instance: postgres-homelab
+          instance: postgres-vm102
  # Neo4j 4.4+ enterprise metrics.prometheus.enabled → endpoint op poort 2004
  - job_name: neo4j
    scrape_interval: 30s
    metrics_path: /metrics
    static_configs:
-      - targets: ["neo4j:2004"]
+      - targets: ["192.168.1.105:2004"]
        labels:
          instance: neo4j
@@ -2,7 +2,8 @@
 | | |
 |---|---|
 | **Productie** | **192.168.1.105** — Bolt :49153, Browser :49154 (`~/neo4j/` op VM 102) |
 | **NAS compose** | Oude map; stack verplaatst naar VM 102 |
 | **Poort** | 49153 |
 | **Start** | `docker compose up -d` |
 Zie [apps/README.md](../README.md) en [RESTORE.md](../../RESTORE.md).
@@ -22,6 +22,7 @@ services:
      # Masquerade root URL voor nginx reverse proxy
      - PGADMIN_CONFIG_SERVER_MODE=True
      - PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED=False
      - PGADMIN_SERVER_JSON_FILE=/pgadmin4/servers.json
    volumes:
      - pgadmin-data:/var/lib/pgadmin        # persistentie: server lijst, instellingen
@@ -1,8 +1,23 @@
 {
  "Servers": {
    "1": {
-      "Name": "Homelab PostgreSQL",
+      "Name": "Homelab PostgreSQL (VM102)",
-      "Group": "Servers",
+      "Group": "Homelab",
      "Host": "192.168.1.105",
      "Port": 5433,
      "MaintenanceDB": "homelab",
      "Username": "mo",
      "Password": "WaQTUw2t",
      "SSLMode": "prefer",
      "PassFile": "",
      "SSLCert": "",
      "SSLKey": "",
      "SSLRootCert": "",
      "Comment": "Proxmox VM 102 Postgress — productie homelab DB"
    },
    "2": {
      "Name": "Homelab PostgreSQL NAS backup",
      "Group": "Homelab",
      "Host": "192.168.1.211",
      "Port": 5433,
      "MaintenanceDB": "homelab",
@@ -13,7 +28,7 @@
      "SSLCert": "",
      "SSLKey": "",
      "SSLRootCert": "",
-      "Comment": "Synology NAS — Homelab dashboard database"
+      "Comment": "Oude NAS-kopie — rollback / vergelijken"
    }
  }
 }
@@ -2,7 +2,8 @@
 | | |
 |---|---|
 | **Productie** | **192.168.1.105:5433** (VM 102, `~/homelab-postgres/`) |
 | **NAS backup** | 192.168.1.211:5433 (`docker compose up -d` in deze map) |
 | **Poort** | 5433 |
 | **Start** | `docker compose up -d` |
 Zie [apps/README.md](../README.md) en [RESTORE.md](../../RESTORE.md).