Pull Proxmox LXC app configs via SSH and document all CTs.

Add pull-lxc-from-proxmox.py using Proxmox API + pct exec for running containers (vaultwarden, linkwarden, paymenter, NPM, etc). Stub apps for stopped LXCs with proxmox.meta.yaml and updated lxc-inventory with live IPs. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-17 14:52:28 +02:00
parent c7f1b094cb
commit 9f431ff97b
85 changed files with 1392 additions and 37 deletions
@@ -24,3 +24,8 @@ UNIFI_CONTROLLER_URL=https://192.168.1.24
 UNIFI_USERNAME=mo
 UNIFI_PASSWORD=WaQTUw2t123!
 UNIFI_SITE=default
+
+# Proxmox API / SSH (voor scripts/pull-lxc-from-proxmox.py)
+PROXMOX_PASSWORD=WaQTUw2t
+PROXMOX_HOST_PVE=192.168.1.216
+PROXMOX_HOST_DELL=192.168.1.56
@@ -65,6 +65,16 @@ Private repo. Laatst bijgewerkt vanaf NAS `192.168.1.211`.

 LXC/VM-overzicht: [apps/proxmox/lxc-inventory.md](apps/proxmox/lxc-inventory.md)

+## Proxmox LXC apps (configs uit containers)
+
+Draaiend en gepull'd: vaultwarden, linkwarden, paymenter, nodecast-tv, pve-scripts-local, proxy, nginxproxymanager, virtualmin, pegaprox.
+
+Gestopt (alleen Proxmox `.conf` + stub): immich, n8n, runtipi, metube, tunarr, traccar, kasm, … — zie `apps/<hostname>/`.
+
+```bash
+python3 scripts/pull-lxc-from-proxmox.py   # op NAS, via Proxmox SSH
+```
+
 ## Netwerk (vast IP)

 | IP | Rol |
@@ -53,7 +53,10 @@ cd apps/postgres && docker compose up -d
 ## Proxmox backup

 ```bash
+# /etc/pve van beide nodes
 scp -r root@192.168.1.216:/etc/pve/* apps/proxmox/hosts/pve/
 scp -r root@192.168.1.56:/etc/pve/* apps/proxmox/hosts/dell-proxmox/
-git add apps/proxmox && git commit -m "proxmox backup"
+
+# App-configs uit draaiende LXC's (Docker, .env, systemd)
+python3 scripts/pull-lxc-from-proxmox.py
 ```
@@ -0,0 +1,10 @@
+# autocaliweb
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 100) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/100.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 100
+hostname: autocaliweb
+status: stopped
@@ -0,0 +1,10 @@
+# changedetection
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 118) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/proxmox/lxc/118.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 118
+hostname: changedetection
+status: stopped
@@ -0,0 +1,10 @@
+# clawbot
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 102) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/102.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 102
+hostname: clawbot
+status: stopped
@@ -0,0 +1,10 @@
+# CrowdSec
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 103) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/103.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 103
+hostname: CrowdSec
+status: stopped
@@ -0,0 +1,10 @@
+# endurain
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 114) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/114.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 114
+hostname: endurain
+status: stopped
@@ -0,0 +1,10 @@
+# immich
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 112) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/112.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 112
+hostname: immich
+status: stopped
@@ -0,0 +1,10 @@
+# iventoy
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 112) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/proxmox/lxc/112.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 112
+hostname: iventoy
+status: stopped
@@ -0,0 +1,10 @@
+# kasm
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 115) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/proxmox/lxc/115.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 115
+hostname: kasm
+status: stopped
@@ -0,0 +1,10 @@
+# kimai
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 106) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/106.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 106
+hostname: kimai
+status: stopped
@@ -0,0 +1,14 @@
+# linkwarden
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 105) |
+| **IP** | 192.168.1.142 |
+| **Host** | 192.168.1.216 |
+
+Config in `config/` (gepull'd van LXC).
+
+```bash
+# Op Proxmox host:
+pct enter 105
+```
@@ -0,0 +1,6 @@
+TEST_PASS=
+TEST_URL=http://localhost:${TEST_PORT}/api/v1
+
+TEST_PORT_REVERSE=4000
+# Default value for port if no other specifies it
+TEST_PORT=5000
@@ -0,0 +1,28 @@
+services:
+  postgres:
+    image: postgres:16-alpine
+    env_file: .env
+    restart: always
+    volumes:
+      - ./pgdata:/var/lib/postgresql/data
+  linkwarden:
+    env_file: .env
+    environment:
+      - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/postgres
+    restart: always
+    # build: . # uncomment to build from source
+    image: ghcr.io/linkwarden/linkwarden:latest # comment to build from source
+    ports:
+      - 3000:3000
+    volumes:
+      - ./data:/data/data
+    depends_on:
+      - postgres
+      - meilisearch
+  meilisearch:
+    image: getmeili/meilisearch:v1.12.8
+    restart: always
+    env_file:
+      - .env
+    volumes:
+      - ./meili_data:/meili_data
@@ -0,0 +1,28 @@
+services:
+  postgres:
+    image: postgres:16-alpine
+    env_file: .env
+    restart: always
+    volumes:
+      - ./pgdata:/var/lib/postgresql/data
+  linkwarden:
+    env_file: .env
+    environment:
+      - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/postgres
+    restart: always
+    # build: . # uncomment to build from source
+    image: ghcr.io/linkwarden/linkwarden:latest # comment to build from source
+    ports:
+      - 3000:3000
+    volumes:
+      - ./data:/data/data
+    depends_on:
+      - postgres
+      - meilisearch
+  meilisearch:
+    image: getmeili/meilisearch:v1.12.8
+    restart: always
+    env_file:
+      - .env
+    volumes:
+      - ./meili_data:/meili_data
@@ -0,0 +1,7 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 105
+hostname: linkwarden
+ip: 192.168.1.142
+status: running
@@ -0,0 +1,10 @@
+# metube
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 113) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/113.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 113
+hostname: metube
+status: stopped
@@ -0,0 +1,10 @@
+# n8n
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 100) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/proxmox/lxc/100.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 100
+hostname: n8n
+status: stopped
@@ -0,0 +1,10 @@
+# nextcloudpi
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 110) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/proxmox/lxc/110.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 110
+hostname: nextcloudpi
+status: stopped
@@ -0,0 +1,16 @@
+# Nginx Proxy Manager
+
+| | |
+|---|---|
+| **Proxmox** | dell-proxmox CT 109 |
+| **IP** | 192.168.1.173 |
+| **UI** | http://192.168.1.173:81 |
+
+Native install (geen docker-compose). Data in `/data` op de LXC.
+
+| Bestand in git | Inhoud |
+|---------------|--------|
+| `config/npm-data-listing.txt` | Directory listing `/data` |
+| `proxmox.meta.yaml` | CT metadata |
+
+Backup handmatig: `pct pull 109 /data/nginx ./config/nginx/` op Proxmox host.
@@ -0,0 +1,19 @@
+total 408
+drwxr-xr-x  7 root root   4096 May 17 12:11 .
+drwxr-xr-x 20 root root   4096 Mar 11 21:56 ..
+drwxr-xr-x  2 root root   4096 May 23  2025 access
+drwxr-xr-x  2 root root   4096 May 23  2025 custom_ssl
+-rw-r--r--  1 root root 344064 May 17 12:11 database.sqlite
+-rw-r--r--  1 root root   2190 May 23  2025 keys.json
+drwxr-xr-x  3 root root   4096 May 23  2025 letsencrypt-acme-challenge
+drwxr-xr-x  2 root root  36864 May 17 00:00 logs
+drwxr-xr-x  9 root root   4096 May 23  2025 nginx
+dead_host
+default_host
+default_www
+dummycert.pem
+dummykey.pem
+proxy_host
+redirection_host
+stream
+temp
@@ -0,0 +1,7 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 109
+hostname: nginxproxymanager
+ip: 192.168.1.173
+status: running
@@ -0,0 +1,14 @@
+# nodecast-tv
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 119) |
+| **IP** | 192.168.1.99 |
+| **Host** | 192.168.1.216 |
+
+Config in `config/` (gepull'd van LXC).
+
+```bash
+# Op Proxmox host:
+pct enter 119
+```
@@ -0,0 +1,13 @@
+services:
+  nodecast-tv:
+    image: ghcr.io/technomancer702/nodecast-tv:latest
+    build: https://github.com/technomancer702/nodecast-tv.git#main
+    container_name: nodecast-tv
+    ports:
+      - "3000:3000"
+    volumes:
+      - ./data:/app/data
+    restart: unless-stopped
+    environment:
+      - NODE_ENV=production
+      - PORT=3000 # Internal container port
@@ -0,0 +1,13 @@
+services:
+  nodecast-tv:
+    image: ghcr.io/technomancer702/nodecast-tv:latest
+    build: https://github.com/technomancer702/nodecast-tv.git#main
+    container_name: nodecast-tv
+    ports:
+      - "3000:3000"
+    volumes:
+      - ./data:/app/data
+    restart: unless-stopped
+    environment:
+      - NODE_ENV=production
+      - PORT=3000 # Internal container port
@@ -0,0 +1,13 @@
+services:
+  nodecast-tv:
+    image: ghcr.io/technomancer702/nodecast-tv:latest
+    build: https://github.com/technomancer702/nodecast-tv.git#main
+    container_name: nodecast-tv
+    ports:
+      - "3000:3000"
+    volumes:
+      - ./data:/app/data
+    restart: unless-stopped
+    environment:
+      - NODE_ENV=production
+      - PORT=3000 # Internal container port
@@ -0,0 +1,7 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 119
+hostname: nodecast-tv
+ip: 192.168.1.99
+status: running
@@ -0,0 +1,10 @@
+# opencloud
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 116) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/116.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 116
+hostname: opencloud
+status: stopped
@@ -0,0 +1,10 @@
+# passbolt
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 110) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/110.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 110
+hostname: passbolt
+status: stopped
@@ -0,0 +1,14 @@
+# paymenter
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 118) |
+| **IP** | 192.168.1.45 |
+| **Host** | 192.168.1.216 |
+
+Config in `config/` (gepull'd van LXC).
+
+```bash
+# Op Proxmox host:
+pct enter 118
+```
@@ -0,0 +1,38 @@
+APP_NAME=Paymenter
+APP_ENV=production
+APP_KEY=base64:kbbDXGtU1mzp181rLQan1jt+SjbO4gVxOexjwSMz5Hk=
+APP_DEBUG=false
+APP_TIMEZONE=UTC
+
+APP_LOCALE=en
+APP_FALLBACK_LOCALE=en
+APP_FAKER_LOCALE=en_US
+
+APP_MAINTENANCE_DRIVER=file
+APP_MAINTENANCE_STORE=database
+
+BCRYPT_ROUNDS=12
+
+LOG_CHANNEL=stack
+LOG_STACK=daily
+LOG_DEPRECATIONS_CHANNEL=null
+LOG_LEVEL=debug
+
+DB_CONNECTION=mariadb
+DB_HOST=127.0.0.1
+DB_PORT=3306
+DB_DATABASE=paymenter
+DB_USERNAME=paymenter
+DB_PASSWORD=XU9rOictz7O3p
+
+BROADCAST_CONNECTION=log
+CACHE_STORE=redis
+FILESYSTEM_DISK=local
+SESSION_LIFETIME=120
+
+MEMCACHED_HOST=127.0.0.1
+
+REDIS_CLIENT=phpredis
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
@@ -0,0 +1,38 @@
+APP_NAME=Paymenter
+APP_ENV=production
+APP_KEY=base64:kbbDXGtU1mzp181rLQan1jt+SjbO4gVxOexjwSMz5Hk=
+APP_DEBUG=false
+APP_TIMEZONE=UTC
+
+APP_LOCALE=en
+APP_FALLBACK_LOCALE=en
+APP_FAKER_LOCALE=en_US
+
+APP_MAINTENANCE_DRIVER=file
+APP_MAINTENANCE_STORE=database
+
+BCRYPT_ROUNDS=12
+
+LOG_CHANNEL=stack
+LOG_STACK=daily
+LOG_DEPRECATIONS_CHANNEL=null
+LOG_LEVEL=debug
+
+DB_CONNECTION=mariadb
+DB_HOST=127.0.0.1
+DB_PORT=3306
+DB_DATABASE=paymenter
+DB_USERNAME=paymenter
+DB_PASSWORD=XU9rOictz7O3p
+
+BROADCAST_CONNECTION=log
+CACHE_STORE=redis
+FILESYSTEM_DISK=local
+SESSION_LIFETIME=120
+
+MEMCACHED_HOST=127.0.0.1
+
+REDIS_CLIENT=phpredis
+REDIS_HOST=127.0.0.1
+REDIS_PASSWORD=null
+REDIS_PORT=6379
@@ -0,0 +1,54 @@
+x-common:
+  database:
+    &db-environment
+    # Do not remove the "&db-password" from the end of the line below, it is important
+    # for Paymenter functionality.
+    MYSQL_PASSWORD: &db-password "CHANGE_ME"
+    MYSQL_ROOT_PASSWORD: "CHANGE_ME_TOO"
+
+#
+# ------------------------------------------------------------------------------------------
+# DANGER ZONE BELOW
+#
+# The remainder of this file likely does not need to be changed. Please only make modifications
+# below if you understand what you are doing.
+#
+services:
+  database:
+    image: mariadb:lts
+    restart: always
+    command: --default-authentication-plugin=mysql_native_password
+    volumes:
+      - "./database:/var/lib/mysql"
+    environment:
+      <<: *db-environment
+      MYSQL_DATABASE: "paymenter"
+      MYSQL_USER: "paymenter"
+  cache:
+    image: redis:alpine
+    restart: always
+  paymenter:
+    image: ghcr.io/paymenter/paymenter:master
+    restart: always
+    ports:
+      - "80:80"
+    links:
+      - database
+      - cache
+    volumes:
+      - "./:/app/var/"
+      - "./storage/logs:/app/storage/logs"
+      - "./storage/public:/app/storage/app/public"
+    environment:
+      DB_PASSWORD: *db-password
+      APP_ENV: "production"
+      CACHE_STORE: "redis"
+      REDIS_HOST: "cache"
+      DB_CONNECTION: "mariadb"
+      DB_HOST: "database"
+      DB_PORT: "3306"
+networks:
+  default:
+    ipam:
+      config:
+        - subnet: 172.23.0.0/16
@@ -0,0 +1,7 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 118
+hostname: paymenter
+ip: 192.168.1.45
+status: running
@@ -0,0 +1,14 @@
+# pegaprox
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 111) |
+| **IP** | 192.168.1.249 |
+| **Host** | 192.168.1.56 |
+
+Config in `config/` (gepull'd van LXC).
+
+```bash
+# Op Proxmox host:
+pct enter 111
+```
@@ -0,0 +1,7 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 111
+hostname: pegaprox
+ip: 192.168.1.249
+status: running
@@ -1,6 +1,8 @@
 # Proxmox — LXC & VM overzicht

-Configs: `hosts/<naam>/lxc/*.conf` en `qemu-server/*.conf`
+Configs: `hosts/<naam>/lxc/*.conf` · App-configs: `apps/<hostname>/`
+
+**Pull configs van draaiende CTs:** `python3 scripts/pull-lxc-from-proxmox.py`

 ## Host: pve (192.168.1.216)

@@ -11,26 +13,26 @@ Configs: `hosts/<naam>/lxc/*.conf` en `qemu-server/*.conf`
 | 111 | Syno-latest |

 ### LXCs
-| VMID | Hostname |
-|------|----------|
-| 100 | autocaliweb |
-| 102 | clawbot |
-| 103 | CrowdSec |
-| 104 | vaultwarden |
-| 105 | linkwarden |
-| 106 | kimai |
-| 107 | pve-scripts-local |
-| 108 | tunarr |
-| 109 | nextcloudpi |
-| 110 | passbolt |
-| 112 | immich |
-| 113 | metube |
-| 114 | endurain |
-| 115 | passbolt |
-| 116 | opencloud |
-| 117 | Proxy |
-| 118 | paymenter |
-| 119 | nodecast-tv |
+| VMID | Hostname | IP (live) | App map | Status |
+|------|----------|-----------|---------|--------|
+| 100 | autocaliweb | — | [autocaliweb](../autocaliweb/) | stopped |
+| 102 | clawbot | — | [clawbot](../clawbot/) | stopped |
+| 103 | CrowdSec | — | [crowdsec](../crowdsec/) | stopped |
+| 104 | vaultwarden | 192.168.1.5 | [vaultwarden](../vaultwarden/) | **running** |
+| 105 | linkwarden | 192.168.1.142 | [linkwarden](../linkwarden/) | **running** |
+| 106 | kimai | — | [kimai](../kimai/) | stopped |
+| 107 | pve-scripts-local | 192.168.1.23 | [pve-scripts-local](../pve-scripts-local/) | **running** |
+| 108 | tunarr | — | [tunarr](../tunarr/) | stopped |
+| 109 | nextcloudpi | — | [nextcloudpi](../nextcloudpi/) | stopped |
+| 110 | passbolt | — | [passbolt](../passbolt/) | stopped |
+| 112 | immich | — | [immich](../immich/) | stopped |
+| 113 | metube | — | [metube](../metube/) | stopped |
+| 114 | endurain | — | [endurain](../endurain/) | stopped |
+| 115 | passbolt | — | [passbolt](../passbolt/) | stopped |
+| 116 | opencloud | — | [opencloud](../opencloud/) | stopped |
+| 117 | Proxy | 192.168.1.165 | [proxy](../proxy/) | **running** |
+| 118 | paymenter | 192.168.1.45 | [paymenter](../paymenter/) | **running** |
+| 119 | nodecast-tv | 192.168.1.99 | [nodecast-tv](../nodecast-tv/) | **running** |

 ## Host: dell-proxmox (192.168.1.56)

@@ -44,19 +46,20 @@ Configs: `hosts/<naam>/lxc/*.conf` en `qemu-server/*.conf`
 | 105 | docker |

 ### LXCs
-| VMID | Hostname |
-|------|----------|
-| 100 | n8n |
-| 106 | vdi.el-kadi.nl |
-| 107 | Virtualmin |
-| 108 | n8n |
-| 109 | nginxproxymanager |
-| 110 | nextcloudpi |
-| 112 | iventoy |
-| 113 | traccar |
-| 115 | kasm |
-| 116 | runtipi |
-| 118 | changedetection |
-| 119 | n8n |
+| VMID | Hostname | IP (live) | App map | Status |
+|------|----------|-----------|---------|--------|
+| 100 | n8n | — | [n8n](../n8n/) | stopped |
+| 106 | vdi.el-kadi.nl | — | [vdi-el-kadi-nl](../vdi-el-kadi-nl/) | stopped |
+| 107 | Virtualmin | 192.168.5.24 | [virtualmin](../virtualmin/) | **running** |
+| 108 | n8n | — | [n8n](../n8n/) | stopped |
+| 109 | nginxproxymanager | 192.168.1.173 | [nginxproxymanager](../nginxproxymanager/) | **running** |
+| 110 | nextcloudpi | — | [nextcloudpi](../nextcloudpi/) | stopped |
+| 111 | pegaprox | 192.168.1.249 | [pegaprox](../pegaprox/) | **running** |
+| 112 | iventoy | — | [iventoy](../iventoy/) | stopped |
+| 113 | traccar | — | [traccar](../traccar/) | stopped |
+| 115 | kasm | — | [kasm](../kasm/) | stopped |
+| 116 | runtipi | — | [runtipi](../runtipi/) | stopped |
+| 118 | changedetection | — | [changedetection](../changedetection/) | stopped |
+| 119 | n8n | — | [n8n](../n8n/) | stopped |

-> App-configs binnen LXCs: backup via `pct enter <id>` of volume mount. Proxmox container-definitie staat al in git.
+> Meerdere CTs met dezelfde hostname (n8n, passbolt) — aparte VMIDs, zie `hosts/.../lxc/*.conf`.
@@ -0,0 +1,14 @@
+# Proxy
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 117) |
+| **IP** | 192.168.1.165 |
+| **Host** | 192.168.1.216 |
+
+Config in `config/` (gepull'd van LXC).
+
+```bash
+# Op Proxmox host:
+pct enter 117
+```
@@ -0,0 +1,7 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 117
+hostname: Proxy
+ip: 192.168.1.165
+status: running
@@ -0,0 +1,14 @@
+# pve-scripts-local
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 107) |
+| **IP** | 192.168.1.23 |
+| **Host** | 192.168.1.216 |
+
+Config in `config/` (gepull'd van LXC).
+
+```bash
+# Op Proxmox host:
+pct enter 107
+```
@@ -0,0 +1,41 @@
+# When adding additional environment variables, the schema in "/src/env.js"
+# should be updated accordingly.
+
+REPO_URL="https://github.com/community-scripts/ProxmoxVE"
+REPO_BRANCH="main"
+SCRIPTS_DIRECTORY="scripts"
+ALLOWED_SCRIPT_EXTENSIONS=".sh"
+
+CT_SCRIPT_FOLDER="ct"
+INSTALL_SCRIPT_FOLDER="install"
+JSON_FOLDER="frontend/public/json"
+
+# Security
+MAX_SCRIPT_EXECUTION_TIME="900000"
+ALLOWED_SCRIPT_PATHS="scripts/"
+
+# WebSocket Configuration
+WEBSOCKET_PORT="3001"
+
+# User settings
+GITHUB_TOKEN=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
+SAVE_FILTER=false
+FILTERS=
+AUTH_USERNAME=mo-admin
+AUTH_PASSWORD_HASH=$2b$10$3QeM5p2KAn1vAE1A43B4suE5f4qEHYfB4ksAbf0DgtNhhpJJInzF.
+AUTH_ENABLED=true
+AUTH_SETUP_COMPLETED=true
+JWT_SECRET=
+DATABASE_URL="file:/opt/ProxmoxVE-Local/data/settings.db"
+AUTO_SYNC_ENABLED=false
+SYNC_INTERVAL_TYPE=
+SYNC_INTERVAL_PREDEFINED=
+AUTO_DOWNLOAD_NEW=
+AUTO_UPDATE_EXISTING=
+NOTIFICATION_ENABLED=
+APPRISE_URLS=
+LAST_AUTO_SYNC=
+SYNC_INTERVAL_CRON=
+JWT_SECRET=953fe5a2b3df5a28b5f922128f2b60c9f4672d3c4509858369babe93b2c32c8d92bfafe3ca5f6a71ede018bceec7b2a3507ce62f865efd0294a2d5ac55ffc08f
+VIEW_MODE=list
+JWT_SECRET=809b2d1ed7388e6fd443316d36e4c6b0bb60b82f8e017e01d9243d8cce0f0a6febca812cb2c7090b6c218b0a9b3852bf3bf9bb56c1a20f3778316382c8abff52
@@ -0,0 +1,30 @@
+/opt/ProxmoxVE-Local/server.js
+/opt/ProxmoxVE-Local/.gitattributes
+/opt/ProxmoxVE-Local/README.md
+/opt/ProxmoxVE-Local/.env
+/opt/ProxmoxVE-Local/data/settings.db
+/opt/ProxmoxVE-Local/VERSION
+/opt/ProxmoxVE-Local/postcss.config.js
+/opt/ProxmoxVE-Local/.next/app-path-routes-manifest.json
+/opt/ProxmoxVE-Local/.next/build-manifest.json
+/opt/ProxmoxVE-Local/.next/next-server.js.nft.json
+/opt/ProxmoxVE-Local/.next/package.json
+/opt/ProxmoxVE-Local/.next/app-build-manifest.json
+/opt/ProxmoxVE-Local/.next/react-loadable-manifest.json
+/opt/ProxmoxVE-Local/.next/prerender-manifest.json
+/opt/ProxmoxVE-Local/.next/routes-manifest.json
+/opt/ProxmoxVE-Local/.next/trace
+/opt/ProxmoxVE-Local/.next/required-server-files.json
+/opt/ProxmoxVE-Local/.next/BUILD_ID
+/opt/ProxmoxVE-Local/.next/export-marker.json
+/opt/ProxmoxVE-Local/.next/next-minimal-server.js.nft.json
+/opt/ProxmoxVE-Local/.next/images-manifest.json
+/opt/ProxmoxVE-Local/prisma/schema.prisma
+/opt/ProxmoxVE-Local/.github/release-drafter.yml
+/opt/ProxmoxVE-Local/.github/CODEOWNERS
+/opt/ProxmoxVE-Local/.github/dependabot.yml
+/opt/ProxmoxVE-Local/.github/pull_request_template.md
+/opt/ProxmoxVE-Local/.github/logo.png
+/opt/ProxmoxVE-Local/package.json
+/opt/ProxmoxVE-Local/src/env.js
+/opt/ProxmoxVE-Local/prettier.config.js
@@ -0,0 +1,7 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 107
+hostname: pve-scripts-local
+ip: 192.168.1.23
+status: running
@@ -0,0 +1,10 @@
+# runtipi
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 116) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/proxmox/lxc/116.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 116
+hostname: runtipi
+status: stopped
@@ -0,0 +1,10 @@
+# traccar
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 113) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/proxmox/lxc/113.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 113
+hostname: traccar
+status: stopped
@@ -0,0 +1,10 @@
+# tunarr
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 108) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/pve/lxc/108.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 108
+hostname: tunarr
+status: stopped
@@ -0,0 +1,14 @@
+# vaultwarden
+
+| | |
+|---|---|
+| **Proxmox** | pve (CT 104) |
+| **IP** | 192.168.1.5 |
+| **Host** | 192.168.1.216 |
+
+Config in `config/` (gepull'd van LXC).
+
+```bash
+# Op Proxmox host:
+pct enter 104
+```
@@ -0,0 +1,7 @@
+ADMIN_TOKEN=''
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_TLS='{certs="/opt/vaultwarden/ssl-cert-snakeoil.pem",key="/opt/vaultwarden/ssl-cert-snakeoil.key"}'
+DATA_FOLDER=/opt/vaultwarden/data
+DATABASE_MAX_CONNS=10
+WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
+WEB_VAULT_ENABLED=true
@@ -0,0 +1,7 @@
+ADMIN_TOKEN=''
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_TLS='{certs="/opt/vaultwarden/ssl-cert-snakeoil.pem",key="/opt/vaultwarden/ssl-cert-snakeoil.key"}'
+DATA_FOLDER=/opt/vaultwarden/data
+DATABASE_MAX_CONNS=10
+WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
+WEB_VAULT_ENABLED=true
@@ -0,0 +1,124 @@
+services:
+  VaultwardenPrebuild:
+    profiles: ["playwright", "vaultwarden"]
+    container_name: playwright_oidc_vaultwarden_prebuilt
+    image: playwright_oidc_vaultwarden_prebuilt
+    build:
+      context: ..
+      dockerfile: Dockerfile
+    entrypoint: /bin/bash
+    restart: "no"
+
+  Vaultwarden:
+    profiles: ["playwright", "vaultwarden"]
+    container_name: playwright_oidc_vaultwarden-${ENV:-dev}
+    image: playwright_oidc_vaultwarden-${ENV:-dev}
+    network_mode: "host"
+    build:
+      context: compose/warden
+      dockerfile: Dockerfile
+      args:
+        REPO_URL: ${PW_WV_REPO_URL:-}
+        COMMIT_HASH: ${PW_WV_COMMIT_HASH:-}
+    env_file: ${DC_ENV_FILE:-.env}
+    environment:
+      - DATABASE_URL
+      - I_REALLY_WANT_VOLATILE_STORAGE
+      - LOG_LEVEL
+      - LOGIN_RATELIMIT_MAX_BURST
+      - SMTP_HOST
+      - SMTP_FROM
+      - SMTP_DEBUG
+      - SSO_DEBUG_TOKENS
+      - SSO_FRONTEND
+      - SSO_ENABLED
+      - SSO_ONLY
+    restart: "no"
+    depends_on:
+      - VaultwardenPrebuild
+
+  Playwright:
+    profiles: ["playwright"]
+    container_name: playwright_oidc_playwright
+    image: playwright_oidc_playwright
+    network_mode: "host"
+    build:
+      context: .
+      dockerfile: compose/playwright/Dockerfile
+    environment:
+      - PW_WV_REPO_URL
+      - PW_WV_COMMIT_HASH
+    restart: "no"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ..:/project
+
+  Mariadb:
+    profiles: ["playwright"]
+    container_name: playwright_mariadb
+    image: mariadb:11.2.4
+    env_file: test.env
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      start_period: 10s
+      interval: 10s
+    ports:
+      - ${MARIADB_PORT}:3306
+
+  Mysql:
+    profiles: ["playwright"]
+    container_name: playwright_mysql
+    image: mysql:8.4.1
+    env_file: test.env
+    healthcheck:
+      test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
+      start_period: 10s
+      interval: 10s
+    ports:
+      - ${MYSQL_PORT}:3306
+
+  Postgres:
+    profiles: ["playwright"]
+    container_name: playwright_postgres
+    image: postgres:16.3
+    env_file: test.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+    ports:
+      - ${POSTGRES_PORT}:5432
+
+  Maildev:
+    profiles: ["vaultwarden", "maildev"]
+    container_name: maildev
+    image: timshel/maildev:3.0.4
+    ports:
+      - ${SMTP_PORT}:1025
+      - 1080:1080
+
+  Keycloak:
+    profiles: ["keycloak", "vaultwarden"]
+    container_name: keycloak-${ENV:-dev}
+    image: quay.io/keycloak/keycloak:25.0.4
+    network_mode: "host"
+    command:
+      - start-dev
+    env_file: ${DC_ENV_FILE:-.env}
+
+  KeycloakSetup:
+    profiles: ["keycloak", "vaultwarden"]
+    container_name: keycloakSetup-${ENV:-dev}
+    image: keycloak_setup-${ENV:-dev}
+    build:
+      context: compose/keycloak
+      dockerfile: Dockerfile
+      args:
+        KEYCLOAK_VERSION: 25.0.4
+        JAVA_URL: https://download.java.net/java/GA/jdk21.0.2/f2283984656d49d69e91c558476027ac/13/GPL/openjdk-21.0.2_linux-x64_bin.tar.gz
+        JAVA_VERSION: 21.0.2
+    network_mode: "host"
+    depends_on:
+      - Keycloak
+    restart: "no"
+    env_file: ${DC_ENV_FILE:-.env}
@@ -0,0 +1,124 @@
+services:
+  VaultwardenPrebuild:
+    profiles: ["playwright", "vaultwarden"]
+    container_name: playwright_oidc_vaultwarden_prebuilt
+    image: playwright_oidc_vaultwarden_prebuilt
+    build:
+      context: ..
+      dockerfile: Dockerfile
+    entrypoint: /bin/bash
+    restart: "no"
+
+  Vaultwarden:
+    profiles: ["playwright", "vaultwarden"]
+    container_name: playwright_oidc_vaultwarden-${ENV:-dev}
+    image: playwright_oidc_vaultwarden-${ENV:-dev}
+    network_mode: "host"
+    build:
+      context: compose/warden
+      dockerfile: Dockerfile
+      args:
+        REPO_URL: ${PW_WV_REPO_URL:-}
+        COMMIT_HASH: ${PW_WV_COMMIT_HASH:-}
+    env_file: ${DC_ENV_FILE:-.env}
+    environment:
+      - DATABASE_URL
+      - I_REALLY_WANT_VOLATILE_STORAGE
+      - LOG_LEVEL
+      - LOGIN_RATELIMIT_MAX_BURST
+      - SMTP_HOST
+      - SMTP_FROM
+      - SMTP_DEBUG
+      - SSO_DEBUG_TOKENS
+      - SSO_FRONTEND
+      - SSO_ENABLED
+      - SSO_ONLY
+    restart: "no"
+    depends_on:
+      - VaultwardenPrebuild
+
+  Playwright:
+    profiles: ["playwright"]
+    container_name: playwright_oidc_playwright
+    image: playwright_oidc_playwright
+    network_mode: "host"
+    build:
+      context: .
+      dockerfile: compose/playwright/Dockerfile
+    environment:
+      - PW_WV_REPO_URL
+      - PW_WV_COMMIT_HASH
+    restart: "no"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ..:/project
+
+  Mariadb:
+    profiles: ["playwright"]
+    container_name: playwright_mariadb
+    image: mariadb:11.2.4
+    env_file: test.env
+    healthcheck:
+      test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
+      start_period: 10s
+      interval: 10s
+    ports:
+      - ${MARIADB_PORT}:3306
+
+  Mysql:
+    profiles: ["playwright"]
+    container_name: playwright_mysql
+    image: mysql:8.4.1
+    env_file: test.env
+    healthcheck:
+      test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
+      start_period: 10s
+      interval: 10s
+    ports:
+      - ${MYSQL_PORT}:3306
+
+  Postgres:
+    profiles: ["playwright"]
+    container_name: playwright_postgres
+    image: postgres:16.3
+    env_file: test.env
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+    ports:
+      - ${POSTGRES_PORT}:5432
+
+  Maildev:
+    profiles: ["vaultwarden", "maildev"]
+    container_name: maildev
+    image: timshel/maildev:3.0.4
+    ports:
+      - ${SMTP_PORT}:1025
+      - 1080:1080
+
+  Keycloak:
+    profiles: ["keycloak", "vaultwarden"]
+    container_name: keycloak-${ENV:-dev}
+    image: quay.io/keycloak/keycloak:25.0.4
+    network_mode: "host"
+    command:
+      - start-dev
+    env_file: ${DC_ENV_FILE:-.env}
+
+  KeycloakSetup:
+    profiles: ["keycloak", "vaultwarden"]
+    container_name: keycloakSetup-${ENV:-dev}
+    image: keycloak_setup-${ENV:-dev}
+    build:
+      context: compose/keycloak
+      dockerfile: Dockerfile
+      args:
+        KEYCLOAK_VERSION: 25.0.4
+        JAVA_URL: https://download.java.net/java/GA/jdk21.0.2/f2283984656d49d69e91c558476027ac/13/GPL/openjdk-21.0.2_linux-x64_bin.tar.gz
+        JAVA_VERSION: 21.0.2
+    network_mode: "host"
+    depends_on:
+      - Keycloak
+    restart: "no"
+    env_file: ${DC_ENV_FILE:-.env}
@@ -0,0 +1,13 @@
+bake_env.sh
+bake.sh
+docker-bake.hcl
+Dockerfile.alpine
+Dockerfile.debian
+Dockerfile.j2
+DockerSettings.yaml
+healthcheck.sh
+Makefile
+podman-bake.sh
+README.md
+render_template
+start.sh
@@ -0,0 +1,29 @@
+Warning: Permanently added '192.168.1.216' (ED25519) to the list of known hosts.
+[Unit]
+Description=Bitwarden Server (Powered by Vaultwarden)
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target
+[Service]
+User=vaultwarden
+Group=vaultwarden
+EnvironmentFile=-/opt/vaultwarden/.env
+ExecStart=/opt/vaultwarden/bin/vaultwarden
+LimitNOFILE=65535
+LimitNPROC=4096
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+DevicePolicy=closed
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+WorkingDirectory=/opt/vaultwarden
+ReadWriteDirectories=/opt/vaultwarden/data
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,6 @@
+# Vaultwarden draait als systemd-service in LXC 104 (niet Docker).
+# Config: config/.env + Proxmox CT-definitie in apps/proxmox/hosts/pve/lxc/104.conf
+# URL: https://192.168.1.6:8000 (Homarr) — huidig IP: zie proxmox.meta.yaml
+
+# Optioneel: playwright sub-stack
+# config/compose-*-vaultwarden_playwright_docker-compose.yml
@@ -0,0 +1,7 @@
+# Auto-generated
+host: pve
+proxmox_ip: 192.168.1.216
+vmid: 104
+hostname: vaultwarden
+ip: 192.168.1.5
+status: running
@@ -0,0 +1,10 @@
+# vdi.el-kadi.nl
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 106) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/proxmox/lxc/106.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
@@ -0,0 +1,6 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 106
+hostname: vdi.el-kadi.nl
+status: stopped
@@ -0,0 +1,14 @@
+# Virtualmin
+
+| | |
+|---|---|
+| **Proxmox** | proxmox (CT 107) |
+| **IP** | 192.168.5.24 |
+| **Host** | 192.168.1.56 |
+
+Config in `config/` (gepull'd van LXC).
+
+```bash
+# Op Proxmox host:
+pct enter 107
+```
@@ -0,0 +1,7 @@
+# Auto-generated
+host: proxmox
+proxmox_ip: 192.168.1.56
+vmid: 107
+hostname: Virtualmin
+ip: 192.168.5.24
+status: running
@@ -0,0 +1,157 @@
+#!/usr/bin/env python3
+"""Pull LXC configs from Proxmox via SSH+pct (runs on NAS)."""
+import json, os, re, ssl, subprocess, urllib.parse, urllib.request
+from pathlib import Path
+
+ROOT = Path(__file__).resolve().parents[1]
+APPS = ROOT / "apps"
+PASSWORD = os.environ.get("PROXMOX_PASSWORD", "WaQTUw2t")
+HOSTS = [("192.168.1.216", "pve"), ("192.168.1.56", "proxmox")]
+ssl._create_default_https_context = ssl._create_unverified_context
+
+
+def ssh(host: str, cmd: str) -> str:
+    inner = f"apk add --no-cache openssh-client sshpass >/dev/null 2>&1 && sshpass -p '{PASSWORD}' ssh -o StrictHostKeyChecking=no root@{host} {json.dumps(cmd)}"
+    r = subprocess.run(["docker", "run", "--rm", "alpine", "sh", "-c", inner], capture_output=True, text=True, timeout=120)
+    return r.stdout if r.returncode == 0 else ""
+
+
+def pve_login(host: str):
+    data = urllib.parse.urlencode({"username": "root@pam", "password": PASSWORD}).encode()
+    req = urllib.request.Request(f"https://{host}:8006/api2/json/access/ticket", data=data, method="POST")
+    with urllib.request.urlopen(req, timeout=15) as r:
+        a = json.loads(r.read())["data"]
+    return a["ticket"], a["CSRFPreventionToken"]
+
+
+def pve_get(host, path, ticket, csrf):
+    headers = {"Cookie": f"PVEAuthCookie={ticket}", "CSRFPreventionToken": csrf}
+    req = urllib.request.Request(f"https://{host}:8006/api2/json{path}", headers=headers)
+    with urllib.request.urlopen(req, timeout=15) as r:
+        return json.loads(r.read())["data"]
+
+
+def slug(name: str) -> str:
+    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")
+
+
+def lxc_ip(host, node, vmid, ticket, csrf):
+    try:
+        ifaces = pve_get(host, f"/nodes/{node}/lxc/{vmid}/interfaces", ticket, csrf)
+        for iface in ifaces:
+            for addr in iface.get("ip-addresses", []):
+                if addr.get("ip-address-type") == "inet" and not addr["ip-address"].startswith("127."):
+                    return addr["ip-address"]
+    except Exception:
+        pass
+    return ""
+
+
+def pull_running(host, node, vmid, name, ip):
+    sname = slug(name) or f"ct-{vmid}"
+    appdir = APPS / sname
+    cfg = appdir / "config"
+    cfg.mkdir(parents=True, exist_ok=True)
+
+    find_cmd = f"pct exec {vmid} -- sh -c 'find /opt /root /data /vaultwarden /home -maxdepth 5 \\( -name docker-compose.yml -o -name docker-compose.yaml -o -name compose.yml -o -name .env \\) 2>/dev/null | head -40'"
+    files = [f.strip() for f in ssh(host, find_cmd).splitlines() if f.strip()]
+
+    for i, fpath in enumerate(files, 1):
+        safe = re.sub(r"[^a-zA-Z0-9._-]", "_", fpath)[:80]
+        content = ssh(host, f"pct exec {vmid} -- cat {json.dumps(fpath)}")
+        if content.strip():
+            (cfg / f"{i:02d}-{safe}").write_text(content)
+
+    # NPM data snapshot
+    if "nginx" in sname or vmid == 109:
+        snap = ssh(host, f"pct exec {vmid} -- sh -c 'ls -la /data 2>/dev/null; ls /data/nginx 2>/dev/null'")
+        if snap.strip():
+            (cfg / "npm-data-listing.txt").write_text(snap)
+
+    # pve-scripts
+    if "script" in sname:
+        listing = ssh(host, f"pct exec {vmid} -- sh -c 'find /opt/ProxmoxVE-Local -maxdepth 2 -type f 2>/dev/null | head -30'")
+        if listing.strip():
+            (cfg / "proxmoxve-local-files.txt").write_text(listing)
+
+    meta = f"""# Auto-generated
+host: {node}
+proxmox_ip: {host}
+vmid: {vmid}
+hostname: {name}
+ip: {ip}
+status: running
+"""
+    (appdir / "proxmox.meta.yaml").write_text(meta)
+
+    readme = f"""# {name}
+
+| | |
+|---|---|
+| **Proxmox** | {node} (CT {vmid}) |
+| **IP** | {ip or 'dhcp'} |
+| **Host** | {host} |
+
+Config in `config/` (gepull'd van LXC).
+
+```bash
+# Op Proxmox host:
+pct enter {vmid}
+```
+"""
+    (appdir / "README.md").write_text(readme)
+    print(f"  pulled {sname} ({ip})")
+
+
+def stub_stopped(host, node, vmid, name):
+    sname = slug(name) or f"ct-{vmid}"
+    appdir = APPS / sname
+    if (appdir / "config").exists() and any((appdir / "config").iterdir()):
+        return  # already pulled when was running
+    appdir.mkdir(parents=True, exist_ok=True)
+    (appdir / "config").mkdir(exist_ok=True)
+    meta = f"""# Auto-generated
+host: {node}
+proxmox_ip: {host}
+vmid: {vmid}
+hostname: {name}
+status: stopped
+"""
+    (appdir / "proxmox.meta.yaml").write_text(meta)
+    readme = f"""# {name}
+
+| | |
+|---|---|
+| **Proxmox** | {node} (CT {vmid}) |
+| **Status** | gestopt |
+
+Container-definitie: `apps/proxmox/hosts/{node}/lxc/{vmid}.conf`
+
+Start CT en draai `scripts/pull-lxc-from-proxmox.py` opnieuw om app-config te pullen.
+"""
+    (appdir / "README.md").write_text(readme)
+
+
+def main():
+    print(f"Pull → {APPS}")
+    seen = set()
+    for host, node in HOSTS:
+        ticket, csrf = pve_login(host)
+        lxcs = pve_get(host, f"/nodes/{node}/lxc", ticket, csrf)
+        for ct in lxcs:
+            vmid = ct["vmid"]
+            name = ct.get("name") or f"ct-{vmid}"
+            sname = slug(name)
+            if sname in seen:
+                sname = f"{sname}-{node}"
+            seen.add(sname)
+            ip = lxc_ip(host, node, vmid, ticket, csrf) if ct["status"] == "running" else ""
+            if ct["status"] == "running":
+                pull_running(host, node, vmid, name, ip)
+            else:
+                stub_stopped(host, node, vmid, name)
+    print("Klaar.")
+
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,67 @@
+#!/bin/sh
+# Pull docker-compose + .env uit Proxmox LXC's via SSH (draait op NAS).
+# Vereist: Docker, Proxmox root-wachtwoord in PROXMOX_PASSWORD
+set -e
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+PW="${PROXMOX_PASSWORD:-WaQTUw2t}"
+SSH_RUN() {
+  docker run --rm alpine sh -c "
+    apk add --no-cache openssh-client sshpass >/dev/null 2>&1
+    sshpass -p '$PW' ssh -o StrictHostKeyChecking=no root@\$1 \"\$2\"
+  " -- "$1" "$2"
+}
+
+pull_ct() {
+  host="$1"
+  node="$2"
+  vmid="$3"
+  name="$4"
+  ip="$5"
+  appdir="$ROOT/apps/$name"
+  mkdir -p "$appdir/config"
+
+  echo "  → $name (CT $vmid @ $node, $ip)"
+
+  # docker-compose bestanden vinden en kopiëren
+  SSH_RUN "$host" "pct exec $vmid -- sh -c '
+    find / -maxdepth 6 \( -name docker-compose.yml -o -name docker-compose.yaml -o -name compose.yml \) 2>/dev/null | grep -v proc | head -30
+  '" > /tmp/lxc-compose-list.$$ 2>/dev/null || true
+
+  idx=0
+  while IFS= read -r fpath; do
+    [ -z "$fpath" ] && continue
+    idx=$((idx + 1))
+    safe=$(echo "$fpath" | tr '/ ' '__')
+    SSH_RUN "$host" "pct exec $vmid -- cat '$fpath'" > "$appdir/config/compose-${idx}-${safe}" 2>/dev/null || true
+    dir=$(dirname "$fpath")
+    SSH_RUN "$host" "pct exec $vmid -- sh -c 'for e in $dir/.env $dir/.env.local; do [ -f \"\$e\" ] && echo === \$e === && cat \"\$e\"; done'" \
+      > "$appdir/config/env-${idx}-${safe}" 2>/dev/null || true
+  done < /tmp/lxc-compose-list.$$
+  rm -f /tmp/lxc-compose-list.$$
+
+  # meta
+  cat > "$appdir/proxmox.meta.yaml" <<META
+# Auto-generated — Proxmox LXC
+host: $node
+proxmox_ip: $host
+vmid: $vmid
+hostname: $name
+ip: $ip
+META
+}
+
+echo "Pull LXC configs → $ROOT/apps/"
+
+# draaiende containers (feb 2026)
+pull_ct 192.168.1.216 pve 104 vaultwarden 192.168.1.5
+pull_ct 192.168.1.216 pve 105 linkwarden 192.168.1.142
+pull_ct 192.168.1.216 pve 107 pve-scripts-local 192.168.1.23
+pull_ct 192.168.1.216 pve 117 proxy 192.168.1.165
+pull_ct 192.168.1.216 pve 118 paymenter 192.168.1.45
+pull_ct 192.168.1.216 pve 119 nodecast-tv 192.168.1.99
+
+pull_ct 192.168.1.56 proxmox 107 virtualmin 192.168.5.24
+pull_ct 192.168.1.56 proxmox 109 nginx-proxy-manager 192.168.1.173
+pull_ct 192.168.1.56 proxmox 111 pegaprox 192.168.1.249
+
+echo "Klaar."