Add full NAS service catalog for disaster recovery.

Compose files and configs for postgres, adguard, duckdns, homarr, neo4j,
portainer, remotely, and monitoring; RESTORE.md and sync-from-nas script.
Sanitize pgAdmin secrets; document homelab-command as separate repo.

Co-authored-by: Cursor <cursoragent@cursor.com>

docker/adguard/docker-compose.yml

@@ -0,0 +1,21 @@
+# AdGuard Home — DNS + filtering (host network, poort 53 + web UI).
+# Config: configs/adguard/AdGuardHome.yaml → mount naar /opt/adguardhome/conf
+
+services:
+  adguard:
+    image: adguard/adguardhome:latest
+    container_name: Adguard
+    restart: always
+    network_mode: host
+    volumes:
+      - ${ADGUARD_CONFIG_DIR:-/volume1/docker/Configs/adguard}:/opt/adguardhome/conf
+      - adguard-work:/opt/adguardhome/work
+    command:
+      - --no-check-update
+      - -c
+      - /opt/adguardhome/conf/AdGuardHome.yaml
+      - -w
+      - /opt/adguardhome/work
+
+volumes:
+  adguard-work:

docker/duckdns/.env.example

@@ -0,0 +1,7 @@
+PUID=1026
+PGID=100
+TZ=Europe/Brussels
+DUCKDNS_SUBDOMAINS=mohome020
+DUCKDNS_TOKEN=your-duckdns-token
+DUCKDNS_UPDATE_IP=true
+DUCKDNS_INTERVAL=300

docker/duckdns/docker-compose.yml

@@ -0,0 +1,16 @@
+# DuckDNS — dynamisch DNS voor mohome020.duckdns.org
+# Start: cp .env.example .env && docker compose up -d
+
+services:
+  duckdns:
+    image: linuxserver/duckdns:latest
+    container_name: duckdns
+    restart: unless-stopped
+    environment:
+      PUID: ${PUID:-1026}
+      PGID: ${PGID:-100}
+      TZ: ${TZ:-Europe/Brussels}
+      SUBDOMAINS: ${DUCKDNS_SUBDOMAINS:?}
+      TOKEN: ${DUCKDNS_TOKEN:?}
+      UPDATE_IP: ${DUCKDNS_UPDATE_IP:-true}
+      INTERVAL: ${DUCKDNS_INTERVAL:-300}

docker/ha-voice-control/docker-compose.yml

@@ -25,11 +25,11 @@ services:
       - PG_HOST=localhost
       - PG_PORT=5433
       - PG_USER=mo
-      - PG_PASSWORD=${PG_PASSWORD:-WaQTUw2t}
+      - PG_PASSWORD=${PG_PASSWORD:?}
       - PG_DATABASE=homelab
       - NEO4J_URI=neo4j://localhost:49153
       - NEO4J_USER=neo4j
-      - NEO4J_PASSWORD=${NEO4J_PASSWORD:-WaQTUw2t}
+      - NEO4J_PASSWORD=${NEO4J_PASSWORD:-}
 
     volumes:
       - whisper-cache:/root/.cache/huggingface

docker/homarr/docker-compose.yml

@@ -0,0 +1,17 @@
+# Homarr — startdashboard (poort 4755).
+# Configs: configs/homarr/ → /app/data/configs
+
+services:
+  homarr:
+    image: ghcr.io/ajnart/homarr:latest
+    container_name: homarr
+    restart: always
+    ports:
+      - "${HOMARR_PORT:-4755}:7575"
+    environment:
+      TZ: ${TZ:-Europe/Brussels}
+    volumes:
+      - ${HOMARR_CONFIG_DIR:-/volume1/docker/homarr}:/app/data/configs
+      - ${HOMARR_ICONS_DIR:-/volume1/docker/homarr/icons}:/app/public/icons
+      - ${HOMARR_DATA_DIR:-/volume1/docker/homarr/data}:/data
+      - /var/run/docker.sock:/var/run/docker.sock

docker/homelab-command/README.md

@@ -0,0 +1,15 @@
+# Homelab Command
+
+Applicatiecode en monitoring-build staan in een aparte repo:
+
+- **Gitea:** http://192.168.1.211:3000/mo/homelab-command
+- **NAS-pad:** `/volume1/homes/mo/homelab-command`
+
+```bash
+git clone http://192.168.1.211:3000/mo/homelab-command.git /volume1/homes/mo/homelab-command
+cd /volume1/homes/mo/homelab-command
+cp .env.example .env   # vul in
+docker compose -f docker-compose.homelab.yml up -d --build
+```
+
+Zie ook `docker/monitoring/` in homelab-configs voor Prometheus/Grafana compose.

docker/monitoring/README.md

@@ -0,0 +1,16 @@
+# Monitoring (Prometheus + Grafana + postgres-exporter)
+
+Prometheus-config staat in deze map. **Grafana-image** en dashboards bouw je vanuit [homelab-command](http://192.168.1.211:3000/mo/homelab-command):
+
+```bash
+cd /volume1/homes/mo/homelab-command
+export PG_PASSWORD='...'
+export GRAFANA_ADMIN_PASSWORD='...'
+docker build -f Dockerfile.grafana -t grafana-homelab:latest .
+docker compose -f docker-compose.grafana.yml up -d
+# of: sh scripts/recreate_monitoring_docker.sh
+```
+
+Na start: `docker network create homelab-monitor` en verbind postgres-homelab, neo4j, prometheus, exporter, grafana.
+
+Mesh (NATS + normalizer): `docker compose -f docker-compose.mesh.yml --env-file .env up -d` in homelab-command.

docker/monitoring/docker-compose.grafana.yml

@@ -0,0 +1,77 @@
+# Grafana — aparte stack (projectmap: homelab-command).
+#
+# Start (vanuit deze map):
+#   export PG_PASSWORD='jouw_postgres_wachtwoord'
+#   docker compose -f docker-compose.grafana.yml up -d --build
+#
+# UI: http://<NAS-IP>:3002  (standaard host-poort; 3001 was bezet op deze host)
+#    login: admin / GRAFANA_ADMIN_PASSWORD
+#
+# Vereist: postgres container heet postgres-homelab en luistert intern op 5432.
+# Eénmalig (DNS tussen Prometheus en postgres-exporter op Synology bridge):
+#   sh scripts/docker_monitoring_join.sh homelab-monitor
+# Daarna: docker network connect homelab-monitor postgres-homelab   # als exporter DB niet bereikt
+#
+# Dashboards (Grafana.com IDs): PostgreSQL 9628, Proxmox 10347, Neo4j 10371,
+# Synology overview 14364, Node Exporter 1860 — onder folder "Infrastructure".
+# Prometheus scrape: postgres-exporter + optioneel Neo4j :2004 / Proxmox via targets/extra.yml.
+
+services:
+  prometheus:
+    image: prom/prometheus:v2.53.2
+    container_name: prometheus-homelab
+    restart: unless-stopped
+    ports:
+      - "${PROMETHEUS_PORT:-9090}:9090"
+    volumes:
+      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
+      - ./prometheus/targets:/etc/prometheus/targets:ro
+      - prometheus-homelab-data:/prometheus
+    command:
+      - --config.file=/etc/prometheus/prometheus.yml
+      - --storage.tsdb.path=/prometheus
+      - --web.enable-lifecycle
+    networks:
+      - homelab-monitor
+
+  postgres-exporter:
+    image: prometheuscommunity/postgres-exporter:latest
+    container_name: postgres-exporter-homelab
+    restart: unless-stopped
+    ports:
+      - "${POSTGRES_EXPORTER_PORT:-9187}:9187"
+    environment:
+      DATA_SOURCE_NAME: "postgresql://${PG_USER:-mo}:${PG_PASSWORD}@postgres-homelab:5432/${PG_DATABASE:-homelab}?sslmode=disable"
+    networks:
+      - homelab-monitor
+
+  grafana:
+    # Bouw image vanuit homelab-command repo (zie docker/monitoring/README.md)
+    image: grafana-homelab:latest
+    container_name: grafana-homelab
+    restart: unless-stopped
+    ports:
+      - "${GRAFANA_PORT:-3002}:3000"
+    environment:
+      GF_SECURITY_ADMIN_USER: ${GRAFANA_ADMIN_USER:-admin}
+      GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD:-changeme_grafana}
+      GF_USERS_DEFAULT_THEME: dark
+      GF_SERVER_ROOT_URL: ${GRAFANA_ROOT_URL:-http://localhost:3002}
+      PG_USER: ${PG_USER:-mo}
+      PG_DATABASE: ${PG_DATABASE:-homelab}
+      HOMELAB_PG_PASSWORD: ${PG_PASSWORD:-}
+    volumes:
+      - grafana-homelab-data:/var/lib/grafana
+      # Grafana provisioning/dashboards: clone homelab-command en mount paden daar
+    depends_on:
+      - prometheus
+    networks:
+      - homelab-monitor
+
+volumes:
+  grafana-homelab-data:
+  prometheus-homelab-data:
+
+networks:
+  homelab-monitor:
+    driver: bridge

docker/monitoring/docker-compose.mesh.yml

@@ -0,0 +1,31 @@
+# Security Mesh stack — NATS + Go-normalizer (Zeek/Suricata JSON → Postgres).
+# Start vanuit homelab-command: docker compose -f docker-compose.mesh.yml --env-file .env.mesh up -d
+# Stop bestaande NATS op poort 4222 of wijzig poorten hieronder.
+
+services:
+  nats:
+    image: nats:2.10-alpine
+    command: ["-js", "-m", "8222"]
+    ports:
+      - "${NATS_CLIENT_PORT:-4222}:4222"
+      - "${NATS_HTTP_PORT:-8222}:8222"
+    restart: unless-stopped
+
+  mesh-normalizer:
+    image: mesh-normalizer:local
+    build:
+      context: ./mesh-ingest
+      dockerfile: Dockerfile
+    environment:
+      NATS_URL: nats://nats:4222
+      MESH_DEFAULT_TENANT_ID: ${MESH_DEFAULT_TENANT_ID:-00000000-0000-4000-8000-000000000001}
+      PG_HOST: ${PG_HOST:-172.17.0.1}
+      PG_PORT: ${PG_PORT:-5433}
+      PG_USER: ${PG_USER:-mo}
+      PG_PASSWORD: ${PG_PASSWORD:-}
+      PG_DATABASE: ${PG_DATABASE:-homelab}
+    depends_on:
+      - nats
+    restart: unless-stopped
+    extra_hosts:
+      - "host.docker.internal:host-gateway"

docker/monitoring/prometheus.yml

@@ -0,0 +1,44 @@
+# Prometheus — scrape targets op Docker bridge (naast postgres-homelab, neo4j, …).
+global:
+  scrape_interval: 15s
+  evaluation_interval: 15s
+
+scrape_configs:
+  - job_name: prometheus
+    static_configs:
+      - targets: ["localhost:9090"]
+
+  - job_name: postgres-exporter
+    static_configs:
+      - targets: ["postgres-exporter-homelab:9187"]
+        labels:
+          instance: postgres-homelab
+
+  # Neo4j 4.4+ enterprise metrics.prometheus.enabled → endpoint op poort 2004
+  - job_name: neo4j
+    scrape_interval: 30s
+    metrics_path: /metrics
+    static_configs:
+      - targets: ["neo4j:2004"]
+        labels:
+          instance: neo4j
+
+  # Proxmox VE — prometheus-pve-exporter; vul monitoring/prometheus/targets/extra.yml
+  - job_name: proxmox-pve
+    scrape_interval: 30s
+    file_sd_configs:
+      - files:
+          - /etc/prometheus/targets/extra.yml
+        refresh_interval: 1m
+
+  # Synology / SNMP: zet targets in monitoring/prometheus/targets/snmp.yml en uncomment hieronder.
+  # - job_name: snmp
+  #   scrape_interval: 60s
+  #   metrics_path: /snmp
+  #   params:
+  #     module: [synology]
+  #   static_configs:
+  #     - targets:
+  #         - 192.168.1.211
+  #       labels:
+  #         job: snmp-nas

docker/monitoring/prometheus/targets/extra.yml

@@ -0,0 +1,9 @@
+# Voeg hier scrape-targets toe (YAML array van scrape_configs entries wordt NIET ondersteund —
+# dit bestand is voor **file_sd** formaat: lijst van static_configs targets).
+#
+# Voorbeeld Proxmox (prometheus-pve-exporter op host of VM):
+# - targets:
+#     - '192.168.1.10:9221'
+#   labels:
+#     instance: pve
+[]

docker/monitoring/prometheus/targets/extra.yml.example

@@ -0,0 +1,7 @@
+# Hernoem naar extra.yml of merge handmatig. Formaat: lijst van static config groepen.
+#
+# Proxmox VE exporter (github.com/prometheus-pve/prometheus-pve-exporter):
+- targets:
+    - "192.168.1.50:9221"
+  labels:
+    instance: proxmox

docker/monitoring/prometheus/targets/snmp.yml

@@ -0,0 +1,2 @@
+# SNMP exporter targets (Synology via snmp_exporter). Leeg = geen scrapes.
+[]

docker/monitoring/prometheus/targets/snmp.yml.example

@@ -0,0 +1,5 @@
+# snmp_exporter (poort 9116) die naar je Synology SNMP wijst.
+- targets:
+    - "snmp-exporter:9116"
+  labels:
+    job: synology

docker/neo4j/docker-compose.yml

@@ -0,0 +1,16 @@
+# Neo4j — graph database (bolt 49153, browser 49154/49155).
+# Data: /volume1/docker/neo4j
+
+services:
+  neo4j:
+    image: neo4j:latest
+    container_name: neo4j
+    restart: unless-stopped
+    ports:
+      - "${NEO4J_BOLT_PORT:-49153}:7687"
+      - "${NEO4J_HTTP_PORT:-49154}:7474"
+      - "${NEO4J_HTTPS_PORT:-49155}:7473"
+    environment:
+      NEO4J_AUTH: ${NEO4J_AUTH:-neo4j/changeme}
+    volumes:
+      - ${NEO4J_DATA_DIR:-/volume1/docker/neo4j}:/data

docker/portainer/docker-compose.yml

@@ -0,0 +1,13 @@
+# Portainer CE — Docker UI (poorten 8000, 9000).
+
+services:
+  portainer:
+    image: portainer/portainer-ce:latest
+    container_name: portainer
+    restart: always
+    ports:
+      - "${PORTAINER_EDGE:-8000}:8000"
+      - "${PORTAINER_HTTP:-9000}:9000"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${PORTAINER_DATA_DIR:-/volume1/docker/portainer}:/data

docker/postgres-web/docker-compose.yml

@@ -18,7 +18,7 @@ services:
     environment:
       # Standaard inlog voor de web UI
       - PGADMIN_DEFAULT_EMAIL=mo@el-kadi.nl
-      - PGADMIN_DEFAULT_PASSWORD=${PGADMIN_PASSWORD:-WaQTUw2t}
+      - PGADMIN_DEFAULT_PASSWORD=${PGADMIN_PASSWORD:?Zet PGADMIN_PASSWORD in .env}
       # Masquerade root URL voor nginx reverse proxy
       - PGADMIN_CONFIG_SERVER_MODE=True
       - PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED=False

docker/postgres-web/servers.json

@@ -7,7 +7,7 @@
       "Port": 5433,
       "MaintenanceDB": "homelab",
       "Username": "mo",
-      "Password": "WaQTUw2t",
+      "Password": "",
       "SSLMode": "prefer",
       "PassFile": "",
       "SSLCert": "",

docker/postgres-web/servers.json.example

@@ -0,0 +1,15 @@
+{
+  "Servers": {
+    "1": {
+      "Name": "Homelab PostgreSQL",
+      "Group": "Servers",
+      "Host": "192.168.1.211",
+      "Port": 5433,
+      "MaintenanceDB": "homelab",
+      "Username": "mo",
+      "Password": "VUL_IN_PGADMIN_UI",
+      "SSLMode": "prefer",
+      "Comment": "Synology NAS — Homelab dashboard database"
+    }
+  }
+}

docker/postgres/.env.example

@@ -0,0 +1,5 @@
+POSTGRES_USER=mo
+POSTGRES_PASSWORD=changeme
+POSTGRES_DB=homelab
+PG_HOST_PORT=5433
+PG_DATA_DIR=/volume1/docker/postgres/data

docker/postgres/docker-compose.yml

@@ -0,0 +1,17 @@
+# PostgreSQL — centrale homelab-database (poort 5433 op host).
+# NAS-pad: /volume1/docker/postgres/
+# Start:   cp .env.example .env && docker compose up -d
+
+services:
+  postgres-homelab:
+    image: postgres:16-alpine
+    container_name: postgres-homelab
+    restart: unless-stopped
+    ports:
+      - "${PG_HOST_PORT:-5433}:5432"
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-mo}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?Zet POSTGRES_PASSWORD in .env}
+      POSTGRES_DB: ${POSTGRES_DB:-homelab}
+    volumes:
+      - ${PG_DATA_DIR:-/volume1/docker/postgres/data}:/var/lib/postgresql/data

docker/remotely/docker-compose.yml

@@ -0,0 +1,11 @@
+# Remotely — remote support (poort 8080).
+
+services:
+  remotely:
+    image: immybot/remotely:latest
+    container_name: remotely
+    restart: always
+    ports:
+      - "${REMOTELY_PORT:-8080}:8080"
+    volumes:
+      - ${REMOTELY_CONFIG_DIR:-/volume1/docker/remotely}:/config