Initial commit: homelab infrastructure wiki

- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning
This commit is contained in:
Hermes Agent
2026-05-24 16:08:40 -07:00
parent d132442429
commit e4d91aadf9
285 changed files with 30018 additions and 0 deletions


@@ -0,0 +1,84 @@
---
title: Aqara Hub M3
created: 2026-05-10
updated: 2026-05-10
type: entity
tags: [hub, matter, zigbee, smart-home, iot, ecosystem]
confidence: high
---
# Aqara Hub M3
> Aqara's Matter-compatible smart home hub. Provides a secondary Zigbee coordinator and Matter bridge for Aqara devices, independent of [[home-assistant-connect-zbt-2]].
## Overview
| Field | Value |
|-------|-------|
| **Manufacturer** | Aqara |
| **Model** | Aqara Hub M3 |
| **Location** | Bedroom |
| **VLAN** | IoT VLAN 30 |
| **Protocols** | Zigbee 3.0, Thread, Matter, Wi-Fi |
| **Matter Support** | Yes — can be commissioned into multiple fabrics |
## Role in the Smart Home
The Hub M3 serves as Aqara's ecosystem bridge:
1. **Aqara Cloud Bridge** — connects Aqara devices to the Aqara cloud app
2. **Matter Bridge** — exposes paired Aqara Zigbee devices to Matter controllers
3. **Secondary Zigbee Coordinator** — manages its own Zigbee mesh separate from [[home-assistant-connect-zbt-2]]
4. **Thread Border Router** — can participate in the Thread mesh
## Connected Aqara Devices
The Hub M3 bridges these devices via Matter:
| Device | Location | Model | Protocol |
|--------|----------|-------|----------|
| Aqara Door/Window Sensor | Rooftop | Aqara Door/Window Sensor | Zigbee |
| Aqara Vibration Sensor T1 | Rooftop | Aqara Vibration Sensor T1 | Zigbee |
| Aqara Motion Sensor P1 | Living Room | Aqara Motion Sensor P1 | Zigbee |
| Aqara Light Switch H2 US | Baby Room | Aqara Light Switch H2 US | Zigbee |
| Aqara Light Switch H2 US | Front Door | Aqara Light Switch H2 US | Zigbee |
| Aqara Light Switch H2 US | Entrance | Aqara Light Switch H2 US | Zigbee |
| Aqara Light Switch H2 US | 1st Floor | Aqara Light Switch H2 US | Zigbee |
| Aqara Colorful Ceiling Light | Baby Room | Colorful Ceiling Light 36W | Zigbee |
| Aqara Smart Lock U100 | Front Door | Aqara Smart Lock U100 | Zigbee/BLE |
| Aqara Camera Hub G3 | — | Camera Hub G3 | Wi-Fi |
| Aqara Video Doorbell G410 | Front Door | Smart Video Doorbell G410 | Wi-Fi/Zigbee |
## Multi-Fabric Architecture
The Hub M3 is a key node in the [[matter-multi-fabric]] setup:
- **Fabric 1 (HA)**: Commissioned into [[panda]]'s Matter fabric via [[home-assistant-connect-zbt-2]]
- **Fabric 2 (Apple Home)**: Can be commissioned into Apple Home via Apple TV 4K
- **Fabric 3 (Google Home)**: Can be commissioned into Google Home via Nest Hub
- **Fabric 4 (Alexa)**: Can be commissioned into Alexa via Echo Dot
Matter multi-admin allows up to 5 fabrics simultaneously.
## Dual Path: ZHA vs Aqara Hub
Some Aqara devices (sensors, switches, lock) are visible through **two paths**:
1. **ZHA path**: Device → Zigbee → Connect ZBT-2 → [[panda]] HA (direct, low-latency)
2. **Matter Bridge path**: Device → Zigbee → Hub M3 → Matter → HA (bridged, adds latency)
The ZHA path is preferred for automation reliability. The Matter Bridge path is useful for exposing devices to other ecosystems (Apple, Google, Alexa).
## Relationships
- Bridges Aqara devices into [[matter-multi-fabric]]
- Connected to [[panda]] via Matter integration
- Works alongside [[home-assistant-connect-zbt-2]] (dual Zigbee mesh)
- Complemented by Aqara Camera Hub G3 (separate Wi-Fi hub)
- Paired devices overlap with ZHA coordinator — see dual-path note above
## Configuration Notes
- Thread credentials should match [[home-assistant-connect-zbt-2]]'s Thread network for mesh unity
- If adding to Apple Home: use Matter pairing code from Aqara app → Apple Home → Add Accessory
- Hub M3 firmware updates should be applied via Aqara app (not via HA)
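Review bot: the "Connected Aqara Devices" table and the "Dual Path: ZHA vs Aqara Hub" section describe the same Zigbee devices (the rooftop sensors, the H2 switches, the Smart Lock U100) as joined to both the Hub M3's own Zigbee mesh and the Connect ZBT-2's ZHA mesh, but a Zigbee device is joined to one coordinator at a time, so one of the two inventories is stale. Record for each device which coordinator it is actually paired to, and therefore which of the two paths is live. In "Multi-Fabric Architecture", fabrics 2 to 4 are all "Can be commissioned"; state which fabrics are actually commissioned today. Since the hub bridges a door lock through the "Aqara Cloud Bridge", the Configuration Notes should also say what egress IoT VLAN 30 allows toward the Aqara cloud.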


@@ -0,0 +1,41 @@
---
title: authentik
created: 2026-04-28
updated: 2026-04-28
type: entity
tags: [services, sso, identity]
sources: []
---
# authentik
**Role:** SSO identity provider for homelab
**URL:** https://authentik.tophermayor.com
**Host:** [[ubuntu]] (Docker)
## Overview
Authentik provides single sign-on for homelab services. It's the central identity provider that other services (Traefik, Jellyfin, Gitea, etc.) delegate to.
## Configuration
- Runs as Docker container on ubuntu
- Traefik routes `authentik.tophermayor.com` → authentik container
- Users and applications configured via Authentik web UI
## Services Integrated
Known services using Authentik SSO:
- [[traefik]] (forward auth)
- [[gitea]]
- [[jellyfin]]
## Troubleshooting
See [[sso-authentik]] skill for Authentik management.
## Related
- [[ubuntu]] — Host
- [[traefik]] — Routes traffic to Authentik
- [[gitea]] — Git hosting, SSO client
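Review bot: `**URL:** https://authentik.tophermayor.com` disagrees with the homepage entity added in this same commit, which links Authentik at `https://auth.tophermayor.com`; record the hostname Traefik actually routes and list the other as an alias only if it exists. The "Services Integrated" list also mixes integration methods without naming them: `[[traefik]] (forward auth)` protects a route, whereas an OIDC or SAML client for Gitea and Jellyfin only replaces the application's login, so say which applies to each service. `sources: []` should cite the compose file or outpost configuration these entries came from.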


@@ -0,0 +1,37 @@
---
title: Backblaze B2
created: 2026-05-24
updated: 2026-05-24
type: entity
tags: [services, storage, s3, backup]
sources: [homelab/architecture.md, docs/TrueNAS-Migration]
confidence: high
---
# Backblaze B2
## Overview
S3-compatible cloud storage for off-site backups of critical homelab data. Configured as a Cold storage tier in TrueNAS and as a rclone remote for Obsidian vault sync.
## Key Facts
- **Service**: Backblaze B2 (S3-compatible)
- **Purpose**: Off-site backup of configuration, documents, and selected data
- **Cost**: ~$7/mo
- **TrueNAS integration**: B2 bucket configured as Cold storage tier in TrueNAS SCALE
- **Obsidian vault sync**: rclone remote `b2-homelab-backups` syncs vault to B2 bucket
- **Access**: Application key-based authentication (not AWS credentials)
## TrueNAS Configuration
TrueNAS exports `backblaze-b2` remote as a Cloud Sync channel. Datasets backed up include:
- Obsidian vault snapshots
- Homelab agent configs and session history
- Database backups
## Related
- [[truenas]] — TrueNAS B2 Cold tier configuration
- [[rustfs]] — S3 service running on TrueNAS (local S3, NOT Backblaze)
- [[nfs-storage]] — local NFS storage vs. cloud backup strategy
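Review bot: "Key Facts" and "TrueNAS Configuration" list what leaves the LAN (agent session history, database backups, vault snapshots) but not whether the Cloud Sync task or the `b2-homelab-backups` rclone remote encrypt data before upload, nor whether the B2 application key is restricted to that one bucket with only the capabilities the sync needs. Add both, and where the key is stored, since the "Access" bullet only says the authentication is key-based. Two remote names appear, `backblaze-b2` for TrueNAS and `b2-homelab-backups` for rclone; state explicitly that they are separate remotes and whether they target the same bucket.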


@@ -0,0 +1,52 @@
---
title: Cloudflare
created: 2026-05-24
updated: 2026-05-24
type: entity
tags: [services, networking, dns, identity]
sources: [homelab/architecture.md, homelab/concepts/docker-traefik-stack.md]
confidence: high
---
# Cloudflare
## Overview
DNS provider and reverse proxy layer for all `*.tophermayor.com` domains. Handles TLS certificate issuance via DNS challenge on grizzley and ubuntu Traefik instances.
## Key Facts
- **DNS Zone**: `tophermayor.com` managed at Cloudflare
- **Role**: Authoritative DNS for all homelab public-facing services
- **Wildcard cert source**: grizzley Traefik obtains `*.tophermayor.com` cert via Cloudflare DNS challenge
- **certsync**: TLS certs synced from grizzley NFS mount (`/mnt/truenas/traefik-certs/grizzley`) → ubuntu via NFS or direct sync
## Traefik Integration
Both Traefik instances use `certresolver=cloudflare`:
```yaml
# ubuntu Traefik dynamic config
tls:
certresolver: cloudflare
domains:
- main: toophermayor.com
sans:
- "*.tophermayor.com"
```
grizzley is the primary ACME source; ubuntu obtains certs from the shared NFS mount or via grizzley → ubuntu cert sync pipeline.
## DNS Records
| Record | Type | Target | Purpose |
|--------|------|--------|---------|
| `*.tophermayor.com` | A/CNAME | Traefik ingress | Wildcard for all services |
| `@.tophermayor.com` | A | Home IP | Bare domain |
| `traefik.tophermayor.com` | A | 192.168.50.84 | Grizzley edge ingress direct |
## Related
- [[grizzley]] — runs primary ACME Traefik instance
- [[traefik]] — TLS certificate management
- [[docker-traefik-stack]] — Traefik configuration patterns
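Review bot: `- main: toophermayor.com` in the Traefik Integration YAML is a typo for `tophermayor.com`; as written the resolver would request a certificate for the wrong main domain and the `*.tophermayor.com` SAN would not belong to it. The page should also state the scope of the Cloudflare API token the DNS challenge uses (a zone-scoped DNS edit token for this one zone rather than a global API key), and note that the `traefik.tophermayor.com` record publishes an RFC 1918 address (192.168.50.84) in public DNS, which resolves fine but reveals internal addressing; consider whether that record belongs under the `.local.` subdomain used elsewhere in this wiki.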


@@ -0,0 +1,40 @@
---
title: decypharr
created: 2026-05-14
updated: 2026-05-14
type: entity
tags: [service, media, lxc]
sources: []
---
# decypharr
**Role:** Black hole Usenet indexer / decypharr service
**Host:** [[proxmox]] LXC CT 110
**IP:** 192.168.50.175
**Port:** 8282
**URL:** https://decypharr.local.tophermayor.com (via [[traefik]])
**Image:** cy01/blackhole:latest
## Overview
Decypharr is a Usenet black hole indexer service. Previously ran as a Docker container on [[ubuntu]] behind the gluetun VPN network. Migrated to a dedicated LXC container during the May 2026 media migration.
## Configuration
- **Config dir:** `/opt/decypharr/` inside container
- **NFS mount:** `/mnt/truenas/mediadata` via PVE bind-mount `mp0`
- **Traefik router:** `decypharr.local.tophermayor.com`
## Migration History
- **Before:** Docker container on ubuntu, part of the gluetun VPN network stack
- **2026-05-14:** Migrated to dedicated LXC CT 110 on Proxmox as part of media stack migration
- **Reason:** Media services moved from ubuntu Docker to individual LXCs; decypharr no longer needed gluetun networking
## Related
- [[proxmox]] — Host hypervisor
- [[media-stack]] — Parent media ecosystem
- [[traefik-ha]] — Ingress routing
- [[ubuntu]] — Previous host
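Review bot: "Migration History" says decypharr "no longer needed gluetun networking" but does not say what egress path CT 110 uses now; if leaving the VPN network was intentional, record that the container's outbound traffic is no longer tunneled so it is not rediscovered later as a regression. Two smaller points: `**Image:** cy01/blackhole:latest` should be pinned to a tag or digest so the LXC can be rebuilt reproducibly, and the `**Traefik router:**` bullet should say which Traefik instance serves `decypharr.local.tophermayor.com` and whether an auth middleware sits in front of it.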

homelab/entities/gitea.md (Normal file, 45 lines)

@@ -0,0 +1,45 @@
---
title: gitea
created: 2026-04-28
updated: 2026-04-28
type: entity
tags: [services, git, ci-cd]
sources: []
---
# gitea
**Role:** Private Git hosting for homelab infrastructure-as-code
**URL:** https://gitea.tophermayor.com
**Host:** [[ubuntu]] (Docker)
**Token:** `612031934800e7bd846d51d0193b38995c447ea4` (stored in memory)
## Overview
Gitea hosts all homelab git repos. The primary repo is the homelab infrastructure-as-code at the git remote used by the GitOps workflow. Gitea also runs CI/CD via runners that SSH to hosts.
## Repos
| Repo | Purpose |
|------|---------|
| homelab | Infrastructure configs (Docker Compose, Ansible) |
| wiki | This wiki (private) |
| wakehost | Go WoL + Proxmix app |
## GitOps Workflow
1. Push to Gitea repo
2. Gitea runner (via SSH) connects to target host
3. `git pull` in `/home/bear/homelabagentroot/`
4. `sync-configs.sh` copies configs to runtime locations
5. Systemd services reload if needed
## Wiki Repo
The [[index]] lives in a private Gitea repo (`wiki.git`). This is the canonical home — ice pushes here, grizzley/ubuntu pull from here.
## Related
- [[ubuntu]] — Host
- [[ice]] — Control plane, primary GitOps runner target
- [[proxmox]] — May host Gitea runner as VM/LXC
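Review bot: `**Token:** \`612031934800e7bd846d51d0193b38995c447ea4\` (stored in memory)` commits a live Gitea API token to the wiki repository; treat it as exposed, revoke and reissue it in Gitea, and replace the line with a pointer to wherever secrets are kept, because deleting it in a later commit leaves it in the repository history. The "GitOps Workflow" steps also depend on a runner that SSHes to hosts and runs `git pull` as `bear`; documenting which key that runner authenticates with and which hosts accept it would complete the picture.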


@@ -0,0 +1,123 @@
---
title: grizzley
created: 2026-04-28
updated: 2026-04-29
type: entity
tags: [hosts, rpi, edge, ha]
sources: []
---
# grizzley
**Role:** Edge node — Traefik HA backup, Jellyfin media server, Hermes Gateway secondary
**IP:** 192.168.50.84
**Hostname:** grizzley
**Uptime:** 1 day, 14h (as of 2026-04-28 — recently rebooted)
## Overview
grizzley is the edge node of the homelab cluster. It serves as the Traefik HA backup node (via keepalived VRRP), runs Jellyfin for media streaming, and hosts the secondary Hermes Gateway instance. It also has `/mnt/fast_share` as a fast local SSD mount.
## Hardware
| Spec | Detail |
|------|--------|
| Model | Raspberry Pi 5 |
| CPU | ARM Cortex-A76 (4 cores) |
| RAM | 7.7 GB total, 3.7 GB available, 4.0 GB used |
| Swap | 6.0 GB total, 2.0 GB used |
| Storage | 917 GB (`/dev/sdc2`, 8% used, 68 GB) |
| Fast Storage | 916 GB `/mnt/fast_share` (`/dev/sdb1`, 1% used, 4.1 GB) — fast SSD mount |
| Network | Gigabit Ethernet |
| IP | 192.168.50.84 |
## Systemd Services (Running)
| Service | Purpose |
|---------|---------|
| `alert-bridge.service` | Prometheus → Telegram alert bridge (zero AI) |
| `chrony.service` | NTP client/server |
| `containerd.service` | Container runtime |
| `docker.service` | Docker engine |
| `fail2ban.service` | Intrusion prevention |
| `hermes-dashboard.service` | Hermes Agent Web Dashboard |
| `hermes-gateway.service` | Hermes Agent Gateway — messaging platform integration |
| `keepalived.service` | VRRP for Traefik HA (BACKUP mode) |
| `nfs-blkmap.service` | pNFS block layout mapping daemon |
| `nfs-idmapd.service` | NFSv4 ID-name mapping |
| `nfs-mountd.service` | NFS mount daemon |
| `nfsdcld.service` | NFSv4 client tracking |
| `opencode-web.service` | OpenCode Web Interface |
| `rpc-statd.service` | NFS status monitor |
| `rpcbind.service` | RPC portmapper |
| `rsyslog.service` | System logging |
| `snapd.service` | Snap daemon |
| `ssh.service` | OpenSSH server |
| `snap.cups.*` | CUPS printing services |
## Docker Containers
| Container | Port(s) | Status | Purpose |
|-----------|---------|--------|---------|
| `aiomanager` | 1610/tcp | healthy | AI orchestration |
| `aiomanager_db` | 5432/tcp | healthy | PostgreSQL for aiomanager |
| `aiometadata` | 1337/tcp | healthy | AI metadata service |
| `aiometadata-redis` | 6379/tcp | healthy | Redis for aiometadata |
| `aiostreams` | 3002/tcp | healthy | AI streaming service |
| `homepage-grizzley` | 3000/tcp | healthy | Homepage dashboard |
| `jellyfin` | 8096, 9090/tcp | healthy | Media server |
| `komodo` | 9120/tcp | healthy | AI service |
| `komodo-mongo` | 27017/tcp | — | MongoDB for komodo |
| `traefik-pi` | 80,443,2222,8080/tcp; 19132,19134,443/udp | healthy | Traefik edge ingress (HA cert generation) |
| `uptime-kuma` | 3001/tcp | healthy | Uptime monitoring |
| `vaultwarden` | 80/tcp | healthy | Password manager |
## Docker Networks
| Network | Driver | Purpose |
|---------|--------|---------|
| `aiomanager_default` | bridge | aiomanager stack |
| `aiometadata_aiometadata-internal` | bridge | aiometadata internal |
| `komodo_komodo-internal` | bridge | komodo internal |
| `homepage_default` | bridge | Homepage |
| `traefik-proxy` | bridge | Traefik ingress |
| `desktop-test_default` | bridge | Desktop test stack |
## NFS Mounts
```
192.168.50.12:/mnt/TrueNAS/traefik-certs/grizzley → /mnt/truenas/traefik-certs/grizzley (nfs4, rw, tcp, hard)
```
TrueNAS NFS share for Traefik TLS certificate sync. Both traefik-pi (grizzley) and traefik (ubuntu) share the same wildcard cert via this mount.
## Traefik HA (Keepalived VRRP)
grizzley is the **BACKUP** Traefik node. VRRP runs on `eth0.50` (VLAN 50):
```
virtual_router_id: 51
priority: 90 (BACKUP — ubuntu is PRIMARY at higher priority)
virtual_ipaddress: 192.168.50.80/27
auth_type: PASS, auth_pass: HomelabH
check_script: /etc/keepalived/check_traefik.sh (interval 2s, fall 2, rise 2)
```
When ubuntu Traefik fails, keepalived promotes grizzley to MASTER and the virtual IP moves here.
## Access
```bash
ssh bear@192.168.50.84
```
**Note:** NFS client services run automatically. `/etc/keepalived/keepalived.conf` has the VRRP config.
## Related
- [[ice]] — Control plane, primary agent host
- [[ubuntu]] — Main Docker host, Traefik PRIMARY partner
- [[truenas]] — NFS storage backend (cert sync)
- [[traefik]] — Traefik entity
- [[jellyfin]] — Media server running on grizzley
- [[hermes-gateway]] — Hermes Gateway secondary
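Review bot: the keepalived block publishes `auth_type: PASS, auth_pass: HomelabH`; VRRP PASS authentication carries the password in cleartext on VLAN 50, so the value offers little and should not be in the wiki (the keepalived documentation itself advises against using it). The `traefik-pi` row lists 8080/tcp, the Traefik API and dashboard port, and 2222/tcp as published ports; state whether those are bound to 127.0.0.1 or reachable from the LAN. `**Uptime:** 1 day, 14h (as of 2026-04-28 ...)` is a point-in-time value that is wrong on every later read and can be dropped.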


@@ -0,0 +1,71 @@
---
title: hermes-gateway
created: 2026-04-28
updated: 2026-04-29
type: entity
tags: [services, ai, gateway, watchdog]
sources: []
---
# hermes-gateway
**Role:** AI gateway — routes LLM requests across multiple providers
**Hosts:** [[ice]] (primary), [[grizzley]] (secondary)
**Runs on:** ice as systemd user service (`hermes-gateway.service`)
## Overview
hermes-gateway is the AI gateway that routes LLM requests (DeepSeek V4, OpenAI, Anthropic, OpenRouter, etc.) across multiple providers. It has a watchdog pattern deployed via system cron on both [[ice]] and [[grizzley]].
## Providers
| Provider | Model | Endpoint | Notes |
|----------|-------|----------|-------|
| DeepSeek | V4 | `https://api.deepseek.com/anthropic` | Anthropic format, 1M input / 384K output |
| OpenAI | various | `https://api.openai.com` | |
| Anthropic | various | `https://api.anthropic.com` | |
| OpenRouter | various | `https://openrouter.ai/api` | |
## Watchdog Pattern
A shell script (`/home/bear/hermes-gateway-watchdog.sh`) runs via **system cron** on both ice and grizzley:
1. Checks if hermes-gateway is responsive
2. On failure: direct restart → tmux+OpenCode rescue if still down
3. Sends Telegram notification on failure to topic **1033 "Cron Jobs"** in AigentZeroHermes (`-1003820156994`)
**Telegram alert details:**
- Bot token: `836803270:AAH-Ac5Y`
- Chat ID: `-1003820156994` (AigentZeroHermes channel)
- Topic ID: 1033 ("Cron Jobs")
**Critical note:** On [[grizzley]], the systemd override for the watchdog is deployed directly to `/etc/systemd/system/` (not tracked in the homelab repo — it's a system unit).
## DeepSeek V4 Provider
Configured as: `https://api.deepseek.com/anthropic` (Anthropic format, not OpenAI).
Context window: 1M input / 384K output.
⚠️ Known bug: thinking mode passes `reasoning_content` back incorrectly — pass it back in multi-turn.
## Access
hermes-gateway runs as a user service. To check status:
```bash
# On ice (primary)
ssh bear@192.168.50.197 "systemctl --user status hermes-gateway"
journalctl --user -u hermes-gateway -f
# On grizzley (secondary)
ssh bear@192.168.50.84 "systemctl --user status hermes-gateway"
```
Watchdog logs (check cron output in syslog):
```bash
ssh bear@192.168.50.197 "grep hermes-gateway-watchdog /var/log/syslog"
```
## Related
- [[ice]] — Primary host
- [[grizzley]] — Secondary host with watchdog
- [[authentik]] — SSO for gateway access (if applicable)
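Review bot: the `Bot token:` line under "Telegram alert details" is a credential and should not be in the wiki even in truncated form; rotate it via BotFather and reference the secret's location instead. The unit type is also inconsistent: "Runs on" and the Access section treat hermes-gateway as a user service (`systemctl --user`), while the "Critical note" places the watchdog override in `/etc/systemd/system/`, a system unit path, and the watchdog itself runs from system cron. Say which it is on each host, because `journalctl --user -u hermes-gateway` shows nothing for a system unit. The "Known bug" line contradicts itself, first saying thinking mode "passes `reasoning_content` back incorrectly" and then instructing to "pass it back in multi-turn"; state whether the fix is to pass it back or to strip it.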


@@ -0,0 +1,75 @@
---
title: Home Assistant Connect ZBT-2
created: 2026-05-10
updated: 2026-05-10
type: entity
tags: [hub, zigbee, thread, matter, smart-home, iot]
confidence: high
---
# Home Assistant Connect ZBT-2
> Nabu Casa's official Zigbee + Thread coordinator dongle for Home Assistant. Plugged into [[panda]], serves as the primary Zigbee and Thread border router for the smart home.
## Overview
| Field | Value |
|-------|-------|
| **Manufacturer** | Nabu Casa |
| **Model** | Home Assistant Connect ZBT-2 |
| **Serial** | E072A1DC134C |
| **Host** | [[panda]] (plugged into USB) |
| **Protocols** | Zigbee 3.0 + Thread (IEEE 802.15.4) |
| **HA Integration** | ZHA (Zigbee) + Thread (OpenThread Border Router) |
## Role in the Smart Home
The Connect ZBT-2 is the **primary coordinator** for all Zigbee and Thread devices in the home. It provides:
1. **Zigbee Coordinator** — via ZHA integration, manages the Zigbee mesh network
2. **Thread Border Router** — via Thread integration, provides IP connectivity for Thread devices
3. **Matter Controller** — via Matter integration, commissions and controls Matter devices over Thread
## Zigbee Devices (via ZHA)
All Zigbee devices are paired directly to the Connect ZBT-2 coordinator:
| Device | Location | Model | Type |
|--------|----------|-------|------|
| Aqara Door/Window Sensor | Rooftop | Aqara Door and Window Sensor | [[sensor]] |
| Aqara Vibration Sensor T1 | Rooftop | Aqara Vibration Sensor T1 | [[sensor]] |
| Aqara Motion Sensor P1 | Living Room | Aqara Motion Sensor P1 | [[sensor]] |
| Aqara Light Switch H2 US | Baby Room | Aqara Light Switch H2 US | [[actuator]] |
| Aqara Light Switch H2 US | Front Door | Aqara Light Switch H2 US | [[actuator]] |
| Aqara Light Switch H2 US | Entrance | Aqara Light Switch H2 US | [[actuator]] |
| Aqara Light Switch H2 US | 1st Floor | Aqara Light Switch H2 US | [[actuator]] |
| Aqara Colorful Ceiling Light 36W | Baby Room | Colorful Ceiling Light 36W | [[actuator]] |
| Aqara Smart Lock U100 | Front Door | Aqara Smart Lock U100 | [[actuator]] |
| IKEA STARKVIND | — | STARKVIND Air purifier | [[actuator]] |
## Thread Network
The Connect ZBT-2 runs an OpenThread Border Router, creating a Thread network that:
- Provides IP connectivity to Thread-only devices
- Acts as a Matter fabric gateway
- Shares Thread credentials with other border routers (e.g., Apple TV, Nest Hub) for mesh redundancy
## Multi-Fabric Position
In the [[matter-multi-fabric]] architecture, the ZBT-2 serves as:
- **HA's Matter fabric controller** — primary commissioning point for new Matter devices
- **Thread credential source** — other border routers should join this Thread network
- **Zigbee bridge** — exposes Zigbee devices to Matter via HA's Matter Bridge feature
## Relationships
- Connected to [[panda]] via USB
- Controls all Zigbee devices in the home
- Provides Thread connectivity for [[matter-multi-fabric]]
- Complements [[aqara-hub-m3]] (which bridges Aqara-specific devices via Matter)
## Notes
- Thread credentials should be shared with [[aqara-hub-m3]] and Apple TV to ensure a single unified Thread mesh
- If adding more Thread border routers, export credentials from this OTBR and import them
- The ZBT-2 is a dual-protocol radio — Zigbee and Thread cannot run simultaneously on the same radio; HAOS handles multiplexing
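Review bot: the last note, "Zigbee and Thread cannot run simultaneously on the same radio", contradicts "Role in the Smart Home", which lists the dongle as the Zigbee coordinator (ZHA) and the Thread border router at the same time. Record which firmware or mode the ZBT-2 is currently running so the reader knows which role is live and what provides the other one. The "Zigbee Devices (via ZHA)" table also lists the same Aqara sensors, switches and lock that aqara-hub-m3.md shows joined to the Hub M3's Zigbee mesh; a device is joined to one coordinator at a time, so mark each device's actual parent in one of the two files.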


@@ -0,0 +1,330 @@
---
title: homepage
created: 2026-04-29
updated: 2026-04-29
type: entity
tags: [services, docker, homelab]
sources: []
---
# homepage
**Role:** Unified homelab dashboard — service bookmarks, Docker widget, infrastructure status
**Image:** `gethomepage/homepage:latest`
**Websites:** See Traefik routes below
## Overview
Two Homepage instances provide a unified dashboard for the homelab. [GetHomepage](https://gethomepage.dev/) is a modern, configurable dashboard for homelab services. It uses Docker socket integration for live container status, widgets for service metrics, and Traefik for ingress routing.
| Instance | Host | Port | Network | Traefik Route |
|----------|------|------|---------|--------------|
| `homepage-ubuntu` | [[ubuntu]] | 3003 | `proxy-net` | `homepage.local.tophermayor.com`, `homepage-ubuntu.local.tophermayor.com` |
| `homepage-grizzley` | [[grizzley]] | 3000 | `traefik-proxy` | `homepage-grizzley.local.tophermayor.com` |
**Traefik VIP routing:** `homepage.local.tophermayor.com``homepage-to-self``http://192.168.50.61:3003` (ubuntu). The grizzley instance is accessible at `homepage-grizzley.local.tophermayor.com`.
## Docker Configuration
### homepage-ubuntu
```yaml
container_name: homepage-ubuntu
image: gethomepage/homepage:latest
network: proxy-net
ports: 3003
bind mount: /home/bear/homelab/ubuntu/homepage/config → /app/config
docker socket: /var/run/docker.sock (read-only)
memory limit: (none set — uses host resources)
```
Config path: `/home/bear/homelab/ubuntu/homepage/config/`
### homepage-grizzley
```yaml
container_name: homepage-grizzley
image: ghcr.io/gethomepage/homepage:latest
network: traefik-proxy
ports: 3000
bind mount: /home/bear/homelab/grizzley/docker/homepage/config → /app/config
docker socket: /var/run/docker.sock (read-only)
memory limit: 256MB (hard), 64MB (reserved)
allowed hosts: homepage.local.tophermayor.com, homepage-grizzley.local.tophermayor.com, 192.168.50.84:3000
```
Config path: `/home/bear/homelab/grizzley/docker/homepage/config/`
## Traefik Routes (ubuntu Traefik)
From `homelab/ubuntu/traefik/config/dynamic/upstream-ingress.yml`:
```yaml
# Primary VIP route → ubuntu instance
homepage-vip:
rule: "Host(`homepage.local.tophermayor.com`)"
entryPoints: [websecure]
service: homepage-to-self
priority: 100
tls: {}
# Direct ubuntu route
homepage-local:
rule: "Host(`homepage-ubuntu.local.tophermayor.com`)"
entryPoints: [websecure]
service: homepage-to-self
priority: 100
tls: {}
# grizzley backup route (bypasses VIP)
homepage-backup-grizzley:
rule: "Host(`homepage-grizzley.local.tophermayor.com`)"
entryPoints: [websecure]
service: homepage-grizzley-svc
priority: 100
tls: {}
```
Services:
- `homepage-to-self``http://192.168.50.61:3003`
- `homepage-grizzley-svc``http://192.168.50.84:3000`
## Settings (ubuntu instance)
From `settings.yaml`:
```yaml
title: Ubuntu Homepage
description: Homelab dashboard — all hosts.
target: _self
theme: dark
color: slate
iconStyle: theme
background:
image: https://images.unsplash.com/photo-1451187580459-43490279c0fa?auto=format&fit=crop&w=2560&q=80
opacity: 28
brightness: 55
saturate: 60
cardBlur: md
```
Layout (4-column rows by section):
- Media Servers (4 cols)
- Media Automation (5 cols)
- Grizzley (4 cols)
- Apps (4 cols)
- Infrastructure (4 cols)
## Widgets (ubuntu instance)
From `widgets.yaml`:
```yaml
- resources:
cpu: true
memory: true
disk: /
- search:
provider: duckduckgo
target: _blank
```
From `docker.yaml`:
```yaml
ubuntu:
socket: /var/run/docker.sock
```
Docker socket integration provides live container status for all services on [[ubuntu]].
## Services Displayed (ubuntu homepage)
### Media Servers
| Service | URL | Widget |
|---------|-----|--------|
| Jellyfin | https://jellyfin.tophermayor.com | Jellyfin widget (`http://jellyfin:8096`, key `3aabf1af...`) |
| Immich | https://immich.tophermayor.com | — |
| Navidrome | https://navidrome.tophermayor.com | — |
| Audiobookshelf | https://audiobooks.tophermayor.com | — |
| Kavita | https://kavita.tophermayor.com | — |
| Calibre-Web | https://calibre-web.local.tophermayor.com | — |
| Stremio | https://stremio.local.tophermayor.com | — |
### Media Automation
| Service | URL | Widget |
|---------|-----|--------|
| Gluetun VPN | (internal) | Gluetun widget (`http://gluetun:8000`, v2) |
| Sonarr | https://sonarr.local.tophermayor.com | Sonarr widget (key `0573d93d...`) |
| Sonarr Anime | https://sonarr-anime.local.tophermayor.com | Sonarr widget (key `84de4e4a...`) |
| Radarr | https://radarr.local.tophermayor.com | Radarr widget (key `d69cafc9...`) |
| Radarr Anime | https://radarr-anime.local.tophermayor.com | Radarr widget (key `d4373fbc...`) |
| Lidarr | https://lidarr.local.tophermayor.com | Lidarr widget (key `55921016...`) |
| Readarr | https://readarr.local.tophermayor.com | — |
| Prowlarr | https://prowlarr.local.tophermayor.com | — |
| qBittorrent | https://qbittorrent.local.tophermayor.com | — |
| SABnzbd | https://sabnzbd.local.tophermayor.com | SABnzbd widget (key `01d3c44b...`) |
| NZBdav | https://nzbdav.local.tophermayor.com | — |
| Seerr | https://jellyseerr.tophermayor.com | Overseerr widget (key `MTc2NTIy...`) |
### Grizzley (links through to grizzley-hosted services)
| Service | URL |
|---------|-----|
| Homepage Grizzley | https://homepage-grizzley.local.tophermayor.com |
| Traefik Grizzley | https://traefik-grizzley.local.tophermayor.com |
| Komodo | https://komodo.local.tophermayor.com |
| AIOManager | https://aiomanager.tophermayor.com |
| AIOStreams | https://aiostreams.tophermayor.com |
| AIOMetadata | https://aiometadata.tophermayor.com |
| Vaultwarden | https://vaultwarden.tophermayor.com |
| Status (Uptime Kuma) | https://status.tophermayor.com |
### Apps
| Service | URL | Widget |
|---------|-----|--------|
| Authentik | https://auth.tophermayor.com | — |
| Gitea | https://gitea.tophermayor.com | — |
| Home Assistant | https://ha.tophermayor.com | HomeAssistant widget (key `eyJhbG...`, fields: people_home, lights_on, switches_on) |
| OpenCode | https://opencode.tophermayor.com | — |
| OpenCode Ice | https://opencode-ice.local.tophermayor.com | — |
| Whisper | https://whisper.local.tophermayor.com | — |
### Infrastructure
| Service | URL | Widget |
|---------|-----|--------|
| Traefik | https://traefik.local.tophermayor.com | Traefik widget (`http://traefik:8080`) |
| Proxmox | https://proxmox.local.tophermayor.com | Proxmox widget (user: `homepage@pam!homepage`, node: pve) |
| TrueNAS | https://truenas.local.tophermayor.com | TrueNAS widget (key `1-SdjbJ...`) |
| Grafana | https://grafana.local.tophermayor.com | — |
| Prometheus | https://prometheus.local.tophermayor.com | Prometheus widget (`http://prometheus:9090`) |
| Reccollection | https://reccollection.local.tophermayor.com | — |
## Services Displayed (grizzley homepage)
### Grizzley (local services)
| Service | URL | Widget |
|---------|-----|--------|
| Traefik | https://traefik-grizzley.local.tophermayor.com | Traefik widget (`http://traefik-pi:8080`) |
| Komodo | https://komodo.local.tophermayor.com | Komodo widget (key `K_jjWNbR...`, secret `S_IHGCW15...`) |
| AIOManager | https://aiomanager.tophermayor.com | — |
| AIOStreams | https://aiostreams.tophermayor.com | — |
| AIOMetadata | https://aiometadata.tophermayor.com | — |
| Vaultwarden | https://vaultwarden.tophermayor.com | — |
| Status (Uptime Kuma) | https://status.tophermayor.com | UptimeKuma widget (slug: default) |
| Minecraft Standby | (UDP 19132) | — |
| Minecraft Sison | (UDP 19134) | — |
| Jellyfin Standby | (internal) | — |
### Ubuntu (linked)
| Service | URL |
|---------|-----|
| Homepage Ubuntu | https://homepage-ubuntu.local.tophermayor.com |
| Traefik Ubuntu | https://traefik.local.tophermayor.com |
| OpenCode | https://opencode.tophermayor.com |
| Authentik | https://auth.tophermayor.com |
| Gitea | https://gitea.tophermayor.com |
| Whisper | https://whisper.local.tophermayor.com |
| Stremio Server | https://stremio.local.tophermayor.com |
| Reccollection | https://reccollection.local.tophermayor.com |
### Media (ubuntu via links)
| Service | URL |
|---------|-----|
| Jellyfin | https://jellyfin.tophermayor.com |
| Seerr | https://jellyseerr.tophermayor.com |
| Immich | https://immich.tophermayor.com |
| Navidrome | https://navidrome.tophermayor.com |
| Audiobookshelf | https://audiobooks.tophermayor.com |
| Kavita | https://kavita.tophermayor.com |
| Calibre-Web | https://calibre-web.local.tophermayor.com |
### Media Automation (ubuntu via links)
| Service | URL | Widget |
|---------|-----|--------|
| Sonarr | https://sonarr.local.tophermayor.com | Sonarr (key `0573d93d...`) |
| Radarr | https://radarr.local.tophermayor.com | Radarr (key `d69cafc9...`) |
| Lidarr | https://lidarr.local.tophermayor.com | Lidarr (key `55921016...`) |
| Readarr | https://readarr.local.tophermayor.com | — |
| Prowlarr | https://prowlarr.local.tophermayor.com | — |
| qBittorrent | https://qbittorrent.local.tophermayor.com | — |
| SABnzbd | https://sabnzbd.local.tophermayor.com | SABnzbd (key `01d3c44b...`) |
| Sonarr Anime | https://sonarr-anime.local.tophermayor.com | Sonarr (key `84de4e4a...`) |
| Radarr Anime | https://radarr-anime.local.tophermayor.com | Radarr (key `d4373fbc...`) |
### Apps (ubuntu via links)
| Service | URL | Widget |
|---------|-----|--------|
| Home Assistant | https://ha.tophermayor.com | HomeAssistant (key `eyJhbG...`, fields: people_home, lights_on, switches_on) |
| OpenCode Ice | https://opencode-ice.local.tophermayor.com | — |
### Infrastructure (ubuntu via links)
| Service | URL | Widget |
|---------|-----|--------|
| Proxmox | https://proxmox.local.tophermayor.com | Proxmox (user `homepage@pam!homepage`, node pve) |
| TrueNAS | https://truenas.local.tophermayor.com | TrueNAS (key `1-SdjbJ...`) |
| Grafana | https://grafana.local.tophermayor.com | — |
| Prometheus | https://prometheus.local.tophermayor.com | — |
## Bookmark Groups (ubuntu)
From `bookmarks.yaml`:
```yaml
- Developer:
- Github (abbr: GH) → https://github.com/
- Social:
- Reddit (abbr: RE) → https://reddit.com/
- Entertainment:
- YouTube (abbr: YT) → https://youtube.com/
```
## Kubernetes / Proxmox Configs
Both instances have `kubernetes.yaml` and `proxmox.yaml` for additional infrastructure widgets.
## Upstream Ingress Widget Routes (Traefik)
From `homelab/ubuntu/traefik/config/dynamic/homepage-widgets.yml` — Traefik routes exposed **through** homepage for internal service access (not homepage's own routes):
```yaml
# Routes via gluetun VPN for media services
sonarr-svc: http://gluetun:8989 # Host(`sonarr-internal.local.tophermayor.com`)
radarr-svc: http://gluetun:7878 # Host(`radarr-internal.local.tophermayor.com`)
lidarr-svc: http://gluetun:8686 # Host(`lidarr-internal.local.tophermayor.com`)
sabnzbd-svc: http://gluetun:8080 # Host(`sabnzbd-internal.local.tophermayor.com`)
seerr-svc: http://seerr:5055 # Host(`seerr-internal.local.tophermayor.com`)
jellyfin-svc: http://jellyfin:8096 # Host(`jellyfin-internal.local.tophermayor.com`)
prometheus-svc: http://prometheus:9090 # Host(`prometheus-internal.local.tophermayor.com`)
```
These are the `*-internal.local.tophermayor.com` routes — accessible only inside the network via gluetun VPN tunnel.
## Access URLs
| URL | Host | Notes |
|-----|------|-------|
| https://homepage.local.tophermayor.com | [[ubuntu]] | Primary VIP route |
| https://homepage-ubuntu.local.tophermayor.com | [[ubuntu]] | Direct ubuntu instance |
| https://homepage-grizzley.local.tophermayor.com | [[grizzley]] | Direct grizzley instance |
## Config Files
| File | Purpose |
|------|---------|
| `services.yaml` | Service definitions, URLs, icons, widget configs |
| `settings.yaml` | Theme, layout, background image |
| `widgets.yaml` | Resource monitors, search bar |
| `docker.yaml` | Docker socket connection |
| `bookmarks.yaml` | Quick bookmarks bar |
| `kubernetes.yaml` | K8s widget config |
| `proxmox.yaml` | Proxmox widget config |
| `custom.css` | Custom styles |
| `custom.js` | Custom JavaScript |
## Related
- [[ubuntu]] — Hosts `homepage-ubuntu` on port 3003, `proxy-net`
- [[grizzley]] — Hosts `homepage-grizzley` on port 3000, `traefik-proxy`
- [[traefik]] — Ingress routing for all homepage instances
- [[media-stack]] — Media services displayed on homepage
- [[homelab-monitoring]] — Infrastructure widgets (Prometheus, Grafana, Proxmox, TrueNAS)
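Review bot: the Infrastructure widget table pastes credential material into the wiki. The TrueNAS row prints the start of a live API key (`key 1-SdjbJ...`) and the Proxmox row names the API token `homepage@pam!homepage`; even a truncated key belongs in the secrets store, so reference tokens by name only and treat the printed prefix as exposed (rotate it). The sentence after the widget routes, "accessible only inside the network via gluetun VPN tunnel", also misstates what gluetun does: the `http://gluetun:8989` style addresses mean the arr containers' egress goes out through the VPN, which says nothing about who can reach the `*-internal` hostnames, and `seerr-svc`, `jellyfin-svc` and `prometheus-svc` point at their own containers, not at gluetun. State the actual inbound restriction on those routers (the traefik page in this commit lists a `local-only@file` middleware) instead of attributing it to the tunnel.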

homelab/entities/hyte.md Normal file

@@ -0,0 +1,52 @@
---
title: Hyte
created: 2026-05-24
updated: 2026-05-24
type: entity
tags: [hosts, vm, windows]
sources: [homelab/catalog/hosts.json, homelab/AGENTS.md]
confidence: high
---
# Hyte
## Overview
Windows 11 workstation with WSL2. Primary Tdarr media processing node. Static IP on Lab VLAN.
## Key Facts
- **IP**: `192.168.1.143` (Main/Prod VLAN)
- **SSH Port**: 2222 (non-standard)
- **SSH User**: `christopher`
- **SSH Key**: `~/.ssh/id_ed25519`
- **Role**: Desktop host + media workstation (Tdarr)
- **Authoritative Repo**: `homelab/Hyte`
- **Inventory Group**: `hyte_host`
## SSH Access
```bash
ssh -p 2222 christopher@192.168.1.143
# or via ~/.ssh/config
ssh hyte
```
SSH config entry in `~/.ssh/config`:
```
Host Hyte
HostName 192.168.1.143
Port 2222
User christopher
IdentityFile ~/.ssh/id_ed25519
```
## Tdarr Integration
Hyte runs Tdarr (media transcoding) as a Windows-native workload. Uses GPU transcoding for media files on the NFS mounts from [[truenas]].
## Related
- [[truenas]] — NFS storage source for Tdarr processing
- [[media-stack]] — Tdarr transcoding pipeline
- [[proxmox]] — hosts the hypervisor running this workstation VM
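Review bot: the VLAN for this host is stated two different ways: the Overview says "Static IP on Lab VLAN" while Key Facts put `192.168.1.143` on the "Main/Prod VLAN", and 192.168.1.x is neither the 192.168.50.x server VLAN nor the 192.168.30.x IoT VLAN used on the other host pages. Pick one and give the VLAN ID, because this node reads media over NFS from truenas at 192.168.50.12 and that path crosses a VLAN boundary that someone has to have opened. The Related line "[[proxmox]] hosts the hypervisor running this workstation VM" also conflicts with the proxmox page, whose VM table lists only 9001, 9003 and 9100; if Hyte is a bare-metal Windows 11 desktop with a GPU (which is what "GPU transcoding" suggests), drop the `vm` tag and that line.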

homelab/entities/ice.md Normal file

@@ -0,0 +1,96 @@
---
title: ice
created: 2026-04-28
updated: 2026-04-29
type: entity
tags: [hosts, rpi, control-plane]
sources: []
---
# ice
**Role:** Control plane node — primary Hermes Agent host, GitOps origin
**IP:** 192.168.50.197
**Hostname:** ice
**Uptime:** 15 days, 10h (as of 2026-04-28)
## Overview
ice is the control plane of the homelab cluster. It runs the primary Hermes Agent instance and OpenCode backend. All GitOps workflows originate here — configs are edited in the repo (`/home/bear/homelab/`), committed, and pushed to Gitea, which triggers runners on each host.
## Hardware
| Spec | Detail |
|------|--------|
| Model | Raspberry Pi 4 |
| CPU | ARM Cortex-A72 (4 cores) |
| RAM | 7.6 GB total, 2.4 GB available, 5.2 GB used |
| Storage | 939 GB microSD/USB SSD (`/dev/sda2`), 45 GB used (5%) |
| Swap | None |
| Network | Gigabit Ethernet |
| IP | 192.168.50.197 |
## Systemd Services (Running)
| Service | Purpose |
|---------|---------|
| `cabo-voting.service` | Cabo Bachelor Party Voting App |
| `chrony.service` | NTP client/server |
| `containerd.service` | Container runtime |
| `docker.service` | Docker engine |
| `fail2ban.service` | Intrusion prevention |
| `hermes-dashboard.service` | Hermes Agent Web Dashboard |
| `hermes-gateway-watchdog.timer` | Cron watchdog for hermes-gateway, Telegram alerts |
| `netplan-wpa-wlan0.service` | WLAN WPA supplicant |
| `nfs-blkmap.service` | pNFS block layout mapping |
| `opencode-web.service` | OpenCode Web Interface |
| `rpcbind.service` | RPC portmapper |
| `rsyslog.service` | System logging |
| `snapd.service` | Snap daemon |
| `ssh.service` | OpenSSH server |
| `unattended-upgrades.service` | Automatic security updates |
| `user@1000.service` | User session manager |
## Docker Containers
| Container | Port | Purpose |
|-----------|------|---------|
| `camofox` | 9377 | Firefox browser automation |
| `hermes-dashboard` | — | Hermes Agent web UI |
| `opencode-web` | 4096 | OpenCode web interface |
## Docker Networks
`bridge`, `host`, `none` (default drivers only — no custom overlay networks)
## NFS Mounts
None configured on ice.
## Hermes Gateway Watchdog
`/home/bear/hermes-gateway-watchdog.sh` runs via system cron on ice:
1. Checks if hermes-gateway is responsive
2. On failure: direct restart → tmux+OpenCode rescue if still down
3. Sends Telegram notification on failure to topic 1033 "Cron Jobs" (bot: `836803270:AAH-Ac5Y`)
## GitOps Context
1. Configs edited in `/home/bear/homelab/` (git worktrees)
2. Pushed to Gitea (`gitea.tophermayor.com`)
3. Runner SSHs to each host, pulls, runs `sync-configs.sh`
4. Systemd services reload
## Access
```bash
ssh bear@192.168.50.197
```
## Related
- [[grizzley]] — RPi5 edge node, Traefik HA backup
- [[ubuntu]] — Main Docker host (~70 containers)
- [[proxmox]] — Hypervisor (may host ice as VM)
- [[hermes-gateway]] — AI gateway on ice
- [[truenas]] — NFS/S3 storage backend
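Review bot: the watchdog section prints a Telegram bot token fragment, "(bot: `836803270:AAH-Ac5Y`)"; the bot ID plus the start of the secret is still a credential leak in a committed wiki, so name the bot instead, keep the token in the script's environment, and rotate it via BotFather. The same section says the script "runs via system cron", but the services table lists `hermes-gateway-watchdog.timer` as a systemd timer described as "Cron watchdog"; state which one actually fires it, because a timer and a cron entry both running the restart-and-rescue logic would race each other. Also, "Uptime: 15 days, 10h (as of 2026-04-28)" and the RAM and disk figures are point-in-time readings that are stale on the next read; either date each one or drop them from an entity page.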

homelab/entities/index.md Normal file

@@ -0,0 +1,57 @@
---
title: Homelab Entities Index
created: 2026-04-28
updated: 2026-05-24
type: index
tags: [meta]
---
# Entities Index
> Content catalog for homelab entities. Every entity page listed with a one-line summary.
> Last updated: 2026-05-24 | Total pages: 22
## Hosts
| Entity | Role | IP | Notes |
|--------|------|-----|-------|
| [[ice]] | RPi4 control plane | 192.168.50.197 | Primary Hermes Agent host, OpenCode control node |
| [[grizzley]] | RPi5 edge node | 192.168.50.84 | Traefik HA primary, Jellyfin, MineOS, Hermes |
| [[ubuntu]] | Intel NUC Docker host | 192.168.50.61 | ~70 containers |
| [[proxmox]] | Proxmox VE hypervisor | 192.168.50.11 | VMs and LXCs |
| [[truenas]] | TrueNAS NAS | 192.168.50.12 | ⚠️ Pool corruption, 36TB raw |
| [[panda]] | RPi Home Assistant | 192.168.30.196 | Smart home hub, IoT VLAN |
| [[hyte]] | Windows 11 workstation | 192.168.1.143 | Tdarr media processing, SSH port 2222 |
| [[macos-workstation]] | MacBook Air M4 | Dynamic | Operator workstation, not a deployment target |
## Services
| Entity | Role | Host | Notes |
|--------|------|-------|-------|
| [[homepage]] | Unified homelab dashboard | ubuntu + grizzley | 2 instances, 60+ services tracked |
| [[hermes-gateway]] | AI gateway | ice + grizzley | Watchdog pattern |
| [[traefik]] | Reverse proxy / ingress | grizzley + ubuntu | HA across both hosts |
| [[authentik]] | SSO identity provider | ubuntu | |
| [[jellyfin]] | Media server | grizzley | ⚠️ Bind mount UID issue |
| [[rustfs]] | S3 object storage | truenas | ⚠️ Ignores env vars on first boot |
| [[gitea]] | Private Git hosting | ubuntu | GitOps runner hub |
| [[decypharr]] | Usenet indexer | proxmox CT 110 | 192.168.50.175:8282 |
| [[tdarr]] | Media transcoding | ubuntu + Hyte | GPU-accelerated transcoding |
| [[komodo]] | Container management UI | grizzley | |
| [[uptime-kuma]] | Uptime monitoring | grizzley | |
## Subscriptions & Paid Services
| Entity | Role | Cost/mo | Notes |
|--------|------|---------|-------|
| [[cloudflare]] | DNS + proxy + TLS | ~$20 | DNS challenge for *.tophermayor.com |
| [[nordvpn]] | WireGuard VPN for media stack | ~$12 | Via Gluetun container |
| [[backblaze-b2]] | Off-site backup storage | ~$7 | Cold tier in TrueNAS |
| [[subscriptions]] | Full subscription catalog | ~$81 total | See concept page for breakdown |
## Smart Home / IoT
| Entity | Role | Host | Notes |
|--------|------|-------|-------|
| [[home-assistant-connect-zbt-2]] | Zigbee + Thread coordinator | panda | ZHA + OTBR, 10 Zigbee devices |
| [[aqara-hub-m3]] | Aqara Matter hub | Bedroom | Bridges Aqara to Matter |
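Review bot: the header says "Total pages: 22" but the tables list 25 entries (8 hosts, 11 services, 4 subscription rows, 2 smart-home entities), and the `[[subscriptions]]` row is described as a concept page rather than an entity; either the count or the tables needs correcting. The `[[decypharr]]` row calls it a "Usenet indexer" while the proxmox page's LXC table calls the same container a "Black hole indexer"; use one description in both places so the index stays a reliable catalog.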


@@ -0,0 +1,44 @@
---
title: jellyfin
created: 2026-04-28
updated: 2026-04-28
type: entity
tags: [services, media, jellyfin]
sources: []
---
# jellyfin
**Role:** Media server — movies, TV, music
**URL:** https://jellyfin.tophermayor.com
**Host:** [[grizzley]] (Docker)
## Overview
Jellyfin is the media server for the homelab. It streams movies, TV shows, and music to devices on the network. It runs on [[grizzley]] as a Docker container.
## ⚠️ Known Issues
### Bind Mount UID Permission Crash Loop
Jellyfin may crash loop if bind mounts use a UID that doesn't match Jellyfin's internal user. See [[jellyfin]] skill.
### JellyfinDown False Positive
Prometheus alerts may fire for Jellyfin even when it's up — the blackbox exporter probe may fail while the service is healthy. See [[jellyfin]] skill.
### Debugging
See [[jellyfin]] skill for full debugging workflow.
## Media Stack
Often paired with:
- Tdarr — Automated transcoding
- Sonarr/Radarr — Media acquisition automation (confirm if on [[ubuntu]])
## Related
- [[grizzley]] — Host
- [[truenas]] — Media storage (NFS share)
- Tdarr — Transcoding (check if co-located)
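Review bot: the three "See [[jellyfin]] skill" references resolve to this page itself (its title is `jellyfin`), so the debugging workflow, the UID fix and the JellyfinDown explanation are unreachable from here; link the skill page by its own name. "Host: [[grizzley]] (Docker)" also needs reconciling with the ubuntu page, which lists a healthy `jellyfin` container on 8096/tcp on ubuntu, and with the traefik page, which routes jellyfin.tophermayor.com to grizzley; say whether there are two instances and which one the public hostname serves, since both the bind-mount UID crash loop and the blackbox probe target depend on that answer.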


@@ -0,0 +1,38 @@
---
title: macOS Workstation
created: 2026-05-24
updated: 2026-05-24
type: entity
tags: [hosts, workstation, macos]
sources: [homelab/catalog/hosts.json, homelab/AGENTS.md]
confidence: high
---
# macOS Workstation (macbook-air-m4)
## Overview
MacBook Air M4 — the operator workstation. Used for day-to-day development, Obsidian vault editing, and as the primary access point for homelab management.
## Key Facts
- **Hardware**: MacBook Air M4 (Apple Silicon)
- **IP**: Dynamic (not static)
- **SSH User**: `christopherjohnsisonmayor`
- **Role**: Operator workstation (not a deployment target)
- **Authoritative Repo**: `homelab/macbook-air-m4`
- **Inventory Group**: `raspberry_pis` (grouped with Pis for inventory purposes)
## Purpose
This machine is the **operator**, not a deployment target. It runs:
- Obsidian desktop app (vault sync via Obsidian Sync)
- OpenCode CLI (agent access)
- Terminal + SSH for homelab management
- Browser for UniFi controller, TrueNAS, Home Assistant UIs
## Related
- [[ice]] — primary control plane (SSH target from this workstation)
- [[ubuntu]] — primary Docker host
- [[grizzley]] — edge ingress node
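Review bot: the inventory placement is a logic problem: `raspberry_pis` is the group for the Pi deployment targets, yet this page says the MacBook is "the operator, not a deployment target". Any play, GitOps runner job or `sync-configs.sh` pass that targets `raspberry_pis` will also try to SSH to this laptop as `christopherjohnsisonmayor` on a dynamic IP, which at best fails the run and at worst pushes host configs onto the operator workstation. Put it in its own group that deploy plays exclude, and record that here in place of "grouped with Pis for inventory purposes".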


@@ -0,0 +1,42 @@
---
title: NordVPN
created: 2026-05-24
updated: 2026-05-24
type: entity
tags: [services, networking, vpn, media]
sources: [homelab/architecture.md]
confidence: high
---
# NordVPN
## Overview
Commercial VPN (WireGuard protocol) used to tunnel all media automation traffic through Gluetun. Provides exit IPs for accessing geo-restricted content and obscures download source IPs from ISPs.
## Key Facts
- **Protocol**: WireGuard (via Gluetun container)
- **Provider**: NordVPN
- **Purpose**: All media stack downloads (Sonarr, Radarr, Lidarr, Prowlarr, qBittorrent) route through VPN
- **Container**: `gluetun` on ubuntu — acts as VPN gateway for media-net
- **Exit IPs**: Shared NordVPN exit pool; not dedicated IP
- **Cost**: ~$12/mo
## Architecture
```
Media containers (media-net)
Gluetun (WireGuard → NordVPN)
Internet (geo-restricted content)
```
All media automation sits behind Gluetun via Docker network `media-net`. Jellyfin (direct play) does NOT use VPN.
## Related
- [[media-stack]] — all containers using Gluetun
- [[docker-traefik-stack]] — Gluetun network configuration
- [[truenas]] — stores media on NFS mounts
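Review bot: the Architecture text says "All media automation sits behind Gluetun via Docker network `media-net`", but `media-net` does not appear in the Docker networks table on the ubuntu page, and the homepage widget routes address the arr services as `http://gluetun:8989` and so on, which is the pattern for containers sharing gluetun's network namespace (`network_mode: service:gluetun`) rather than a separate bridge. Document which it is, and whether Gluetun's built-in firewall (the kill switch) is enabled, because that is the only thing stopping the downloaders from reaching the ISP directly when the WireGuard tunnel drops; the page's stated purpose of obscuring source IPs depends on it. Key Facts also list Prowlarr and qBittorrent behind the VPN while the widget routes show sabnzbd, sonarr, radarr and lidarr; list the full set once.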

homelab/entities/panda.md Normal file

@@ -0,0 +1,103 @@
---
title: Panda (Home Assistant Host)
created: 2026-05-10
updated: 2026-05-10
type: entity
tags: [hosts, rpi, home-assistant, iot, smart-home, hub]
confidence: high
---
# Panda — Home Assistant Host
> Dedicated Raspberry Pi running **Home Assistant OS (HAOS)** — the central smart home automation hub for the homelab.
## Overview
| Field | Value |
|-------|-------|
| **Hostname** | `a0d7b954-ssh` (HAOS SSH add-on container) |
| **Hardware** | Raspberry Pi (BCM) |
| **OS** | Home Assistant Operating System |
| **Role** | Smart home hub, IoT controller, automation engine |
| **VLAN** | IoT VLAN 30 (primary) + Server VLAN 50 |
| **IP (VLAN 30)** | `192.168.30.196` |
| **IP (VLAN 50)** | `192.168.50.196` (currently unreachable via .50) |
| **Domain** | `ha.tophermayor.com` |
| **Port** | 8123 (HTTP) |
| **Physical Path** | UGC Ultra Port 2 → SG108PE trunk |
## Network
- **Primary IP**: `192.168.30.196` on IoT VLAN 30 — directly on the IoT subnet for device discovery
- **Secondary IP**: `192.168.50.196` on Server VLAN 50 — for management access from server network
- **Traefik Proxy**: Both [[ubuntu]] and [[grizzley]] Traefik instances route `ha.tophermayor.com``192.168.30.196:8123`
- **DNS**: Cloudflare `*.tophermayor.com` → Traefik
### Network Reconfiguration History
A planned reconfiguration exists at `scripts/homelab/HOMEASSISTANT-NETWORK-RECONFIGURE.md` to swap the primary interface:
- Target: `end0` on VLAN 50 (192.168.50.196) as primary, `end0.30` on VLAN 30 (192.168.30.196) as secondary
- This would improve management access while keeping IoT discovery on VLAN 30
## SSH Access
- **Port 22**: Requires password auth (`bear` user, password-protected)
- **Port 22222**: Connection refused (Advanced SSH add-on not listening here)
- **SSH add-on**: "Advanced SSH & Web Terminal" is installed and configured with multiple authorized keys
- **Note**: Grizzley's SSH key (`bear@grizzley`) needs to be added to the add-on's authorized_keys for agent access
## Active Integrations
### Controllers & Hubs
- **Matter** — Built-in Matter controller via [[home-assistant-connect-zbt-2]]
- **Thread** — Thread Border Router via [[home-assistant-connect-zbt-2]]
- **ZHA** — Zigbee Home Automation via [[home-assistant-connect-zbt-2]]
- **Apple TV** — Office Apple TV 4K gen 3
- **Nest** — Google Nest Thermostat (Glendora)
- **Alexa** — Amazon Echo devices via `alexa_devices` integration
- **Shelly** — 2× Shelly 1PM Gen4 (local Wi-Fi)
- **Govee** — 4× Govee lights (local LAN API)
- **TP-Link** — 4× Kasa devices (cloud + LAN)
- **webOS** — LG OLED65C5AUA TV
- **VeSync** — Vital 200S air purifier
- **ESPHome** — Home Assistant Voice PE
- **Wyoming** — Whisper (STT), Piper (TTS), openWakeWord
### External Hubs
- **[[aqara-hub-m3]]** — Aqara Hub M3 (Matter-compatible, bridges Aqara devices)
- **Aqara Camera Hub G3** — Camera + Aqara hub
## Installed Add-ons
- Advanced SSH & Web Terminal
- File Editor
- HACS (Home Assistant Community Store)
- ESPHome
- Whisper (STT)
- Piper (TTS)
- openWakeWord
- go2rtc
## Automations & Voice
- **Voice Pipeline**: openWakeWord → Whisper (STT) → HA Assist → Piper (TTS)
- **Voice Hardware**: Home Assistant Voice PE (ESPHome)
- **iBeacon Tracker**: BLE presence detection
## Storage
- **TrueNAS mount**: Configured via Home Assistant Mount integration for backups/media
## Relationships
- Managed by [[ubuntu]] and [[grizzley]] Traefik via reverse proxy
- Integrates with [[aqara-hub-m3]] for Aqara device bridging
- Uses [[home-assistant-connect-zbt-2]] as Zigbee/Thread coordinator
- Connects to [[ubuntu]] mounted storage via NFS
- Part of the [[matter-multi-fabric]] architecture
## Troubleshooting
- **SSH access**: Must use password auth until grizzley key is added to SSH add-on config
- **VLAN 50 IP unreachable**: The `.50.196` address doesn't respond to ping. Only `.30.196` works. Check if VLAN trunk is properly configured on the switch port.
- **HA CLI**: `ha` commands require supervisor token — accessible only from within HAOS supervisor context, not from SSH add-on shell without proper auth
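Review bot: "Port 22: Requires password auth (`bear` user, password-protected)" on the smart home hub is the item to fix first: once grizzley's key is in the add-on's authorized_keys, turn password authentication off in the Advanced SSH & Web Terminal config and record that here, so the "Must use password auth until" troubleshooting line can go. The Storage section says the TrueNAS mount is "Configured via Home Assistant Mount integration" while Relationships says "Connects to [[ubuntu]] mounted storage via NFS"; one of those is wrong. The Traefik line is missing its arrow ("`ha.tophermayor.com``192.168.30.196:8123`"), and the VLAN 50 troubleshooting item can be narrowed: the VLAN 50 Traefik instances already reach `.30.196:8123`, so the missing piece is the `end0` VLAN 50 address on the Pi, not the switch port.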


@@ -0,0 +1,92 @@
---
title: proxmox
created: 2026-04-28
updated: 2026-05-14
type: entity
tags: [hosts, hypervisor, vm]
sources: []
---
# proxmox
**Role:** Proxmox VE hypervisor — VM and LXC container host
**IP:** 192.168.50.11
**Web UI:** https://proxmox.tophermayor.com (via [[traefik]])
**Uptime:** 15 days, 14h (as of 2026-04-28)
**CPU Load:** 6.83 (elevated — investigate if persistent)
## Overview
Proxmox VE is the hypervisor layer for the homelab. It runs VMs and LXC containers including TrueNAS, ubuntu-server, and 8 LXCs (media stack, traefik, test, hermes, decypharr). It is the physical foundation of the cluster — the Raspberry Pis (ice, grizzley) may run on Proxmox as VMs/LXCs or as bare metal.
**Note:** `qm` and `pct` commands fail via SSH as the `bear` user because `/etc/pve` is a FUSE mount. Run them via `ssh bear@proxmox sudo qm list` or directly on the host console.
## Hardware
| Spec | Detail |
|------|--------|
| Model | Generic x86_64 server hardware |
| CPU | Multi-core x86_64 |
| RAM | 3264 GB (see PVE web UI for exact) |
| Storage | See ZFS pools below |
| Network | Gigabit Ethernet |
| IP | 192.168.50.11 |
## VMs
| VMID | Name | Status | RAM | Boot Disk | Notes |
|------|------|--------|-----|-----------|-------|
| 9001 | TrueNAS | **running** | 22.9 GB | 32 GB | NAS, ZFS storage, S3 via rustfs |
| 9003 | ubuntu-server | **running** | 49 GB | 500 GB | Ubuntu server VM |
| 9100 | W10-migrated | stopped | 16 GB | — | Windows 10 (inactive) |
## LXCs
| LXC ID | Name | Status | Notes |
|--------|------|--------|-------|
| 102 | traefik | offline | Traefik LXC (offline) |
| 103 | gsd-test | running | General test LXC |
| 104 | hermes-pve | running | Hermes agent on PVE |
| 105 | media-arr | running | Sonarr, Radarr, Lidarr, etc. |
| 106 | media-request | running | Jellyseerr, Overseerr |
| 107 | media-music | running | Navidrome, music services |
| 108 | media-reading | running | Kavita, Audiobookshelf |
| 109 | media-db | running | PostgreSQL for media services |
| 110 | [[decypharr]] | running | Black hole indexer (192.168.50.175:8282) |
## Storage Pools
| Pool | Type | Status | Total | Used | Available | % Used |
|------|------|--------|-------|------|-----------|--------|
| `CT1000` | zfspool | active | 942 GB | 31.5 GB | 911 GB | **3.34%** |
| `SHGS31` | zfspool | active | 942 GB | 439 GB | 504 GB | **46.57%** (~460 GB used) |
| `backups` | dir | active | 13.7 TB | 4.26 TB | 9.4 TB | **31.18%** (~4.2 TB used) |
| `local` | dir | active | 847 GB | 5.3 GB | 842 GB | **0.62%** |
| `local-zfs` | zfspool | active | 906 GB | 64 GB | 842 GB | **7.11%** |
| `Evo860` | zfspool | inactive | — | — | — | 0% |
Notable: `SHGS31` pool is ~47% full. `backups` pool has 4.2 TB used.
## Wake-on-LAN
Proxmox can wake hosts via WoL. [[https://github.com/TopherMayor/wakehost|wakehost]] integrates Proxmox VMs with Wake-on-LAN for homelab automation.
## DNS / Network
After UniFi network controller changes, Proxmox's `systemd-resolved` may lose DNS. See [[nfs-storage]] skill for the fix.
## Access
```bash
ssh bear@192.168.50.11
sudo qm list # list VMs
sudo pct list # list LXCs
sudo pvesm status # storage pools
```
## Related
- [[truenas]] — NAS storage (VM 9001 on Proxmox)
- [[ubuntu]] — Docker host (VM 9003 on Proxmox)
- [[ice]] — Control plane (may be VM or bare metal)
- [[grizzley]] — Edge node (may be VM or bare metal)
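Review bot: "the Raspberry Pis (ice, grizzley) may run on Proxmox as VMs/LXCs or as bare metal" cannot be right: this host is x86_64 per its own hardware table, and the ice page lists "Raspberry Pi 4" with an "ARM Cortex-A72" CPU, so ice and grizzley are bare-metal Pis and cannot be guests here; drop the hedge from the Overview and from the last two Related lines. The RAM cell reads "3264 GB", which looks like "32-64 GB" with the dash lost; give the actual figure. On the `qm`/`pct` note, the commands fail for `bear` for lack of root rather than because of the FUSE mount as such, and the sudo examples imply `bear` has sudo on the hypervisor; record whether that is NOPASSWD and how it is scoped, since a GitOps runner account with unrestricted sudo on the host that runs TrueNAS and the ubuntu VM is the most valuable credential on the network.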


@@ -0,0 +1,41 @@
---
title: rustfs
created: 2026-04-28
updated: 2026-04-28
type: entity
tags: [services, storage, s3]
sources: []
confidence: medium
---
# rustfs
**Role:** S3-compatible object storage
**Host:** [[truenas]] (Docker with bind mount)
**Data dir:** `/mnt/TrueNAS/rustfs/`
## Overview
rustfs provides S3-compatible object storage backed by [[truenas]] ZFS pool. It runs as a Docker container on the host that has access to the TrueNAS NFS share.
## ⚠️ Critical Gotcha
rustfs **ignores** `RUSTFS_S3_ACCESS_KEY` and `RUSTFS_S3_SECRET_KEY` environment variables on first boot — it uses hardcoded defaults:
- Access key: `rustfsadmin`
- Secret key: `rustfsadmin`
This means whatever's passed via env vars is silently discarded on first start.
## Reset Procedure
If you need to reset rustfs (change credentials, recover from misconfiguration):
1. Stop the rustfs container
2. Wipe the data directory: `rm -rf /mnt/TrueNAS/rustfs/*`
3. Restart the container
4. rustfs re-initializes with the env vars now taking effect
**Wiping the data dir is required** — just stopping the container is not enough.
## Related
- [[truenas]] — Storage backend
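Review bot: step 2 of the reset procedure, `rm -rf /mnt/TrueNAS/rustfs/*`, destroys every bucket (the truenas page shows `obsidian-vault` lives there) and the page says wiping is required; add a mirror or export of the buckets as the first step and say so explicitly. On the gotcha itself, "ignores `RUSTFS_S3_ACCESS_KEY` and `RUSTFS_S3_SECRET_KEY`" is exactly what a mis-named variable looks like; verify those names against the image's documentation before concluding the software discards them (as far as I know RustFS documents `RUSTFS_ACCESS_KEY` and `RUSTFS_SECRET_KEY`). Whichever it is, the consequence is that the instance runs with `rustfsadmin`/`rustfsadmin` after first boot, and the truenas page still lists `rustfsadmin` as the live access key; state whether the credentials were ever changed, because default S3 credentials on that endpoint are a full read/write path into the vault bucket.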

homelab/entities/traefik.md Normal file

@@ -0,0 +1,127 @@
---
title: traefik
created: 2026-04-28
updated: 2026-04-29
type: entity
tags: [services, networking, reverse-proxy, ha, docker]
sources: []
---
# traefik
**Role:** Reverse proxy / ingress controller — HA across grizzley + ubuntu
**Instances:** 2 (ubuntu = PRIMARY, grizzley = BACKUP)
**Ports:** 80 (HTTP), 443 (HTTPS), 2222 (SSH proxy), 8080 (metrics)
**Dashboard:** traefik dashboard on each instance
## Overview
Traefik is the reverse proxy for the homelab. It runs in HA mode across [[grizzley]] and [[ubuntu]], handling TLS termination for all incoming traffic. Cloudflare routes DNS to Traefik. Two separate Docker Compose stacks manage each instance independently.
## Instances
| Instance | Host | Role | Ports | Cert Source |
|----------|------|------|-------|-------------|
| `traefik` (ubuntu) | ubuntu (192.168.50.61) | **PRIMARY** — handles majority of traffic | 80, 443 | Syncs from grizzley via NFS |
| `traefik-pi` (grizzley) | grizzley (192.168.50.84) | **BACKUP** + ACME cert generation | 80, 443, 2222, 8080 | Cloudflare DNS challenge |
### Ubuntu (Primary)
Docker Compose: `homelab/ubuntu/traefik/`
- Network: `proxy-net` (bridge)
- Reads TLS certs from NFS mount at `/mnt/truenas/traefik-certs/`
- Prometheus metrics: port 8080
- Connects via `authentik_authentik-internal` for SSO middleware
### Grizzley (Backup + ACME)
Docker Compose: `homelab/grizzley/traefik-pi/`
- Network: `traefik-proxy` (bridge)
- Generates wildcard certs via Cloudflare DNS challenge
- Writes certs to NFS mount `/mnt/truenas/traefik-certs/grizzley`
- Prometheus metrics: port 8080
## HA Configuration (Keepalived VRRP)
| Parameter | Value |
|-----------|-------|
| Interface | `eth0.50` (VLAN 50) |
| Virtual Router ID | 51 |
| grizzley State | BACKUP (priority 90) |
| ubuntu State | PRIMARY (higher priority) |
| Virtual IP | 192.168.50.80/27 |
| Auth | PASS (`HomelabH`) |
| Check Script | `/etc/keepalived/check_traefik.sh` (2s interval, fall 2, rise 2) |
When ubuntu Traefik fails health checks, keepalived promotes grizzley to MASTER and traffic to 192.168.50.80 fails over automatically.
## Certificate Flow
```
Cloudflare DNS Challenge
traefik-pi on grizzley (ACME DNS challenge)
Writes certs to /mnt/TrueNAS/traefik-certs/grizzley (NFS)
traefik on ubuntu reads same certs from NFS mount
Both serve *.tophermayor.com wildcard cert
```
## Routes (Known)
| Service | URL | Host |
|---------|-----|------|
| Authentik | authentik.tophermayor.com | ubuntu |
| Gitea | gitea.tophermayor.com | ubuntu |
| OpenCode (ice) | opencode-ice.tophermayor.com | ubuntu → ice:4096 |
| Jellyfin | jellyfin.tophermayor.com | grizzley |
| Proxmox | proxmox.tophermayor.com | ubuntu → proxmox |
| Immich | immich.tophermayor.com | ubuntu |
| Homepage | home.tophermayor.com | ubuntu |
Dynamic config files in `homelab/ubuntu/traefik/config/dynamic/`:
| File | Services |
|------|---------|
| `canonical-hosts.yml` | Grizzley ingress proxy, PVE OpenCode |
| `gitea.yml` | gitea.tophermayor.com |
| `immich.yml` | immich.tophermayor.com |
| `jellyfin.yml` | jellyfin.tophermayor.com |
| `media-stack.yml` | Sonarr, Radarr, SABnzbd, Prowlarr, qBittorrent |
| `middlewares.yml` | 30+ middleware definitions |
| `opencode.yml` | opencode.tophermayor.com |
| `proxmox.yml` | proxmox.local.tophermayor.com |
## Middlewares
| Middleware | Purpose |
|------------|---------|
| `local-only@file` | Restrict to local network IPs |
| `authentik-auth@file` | SSO authentication |
| `security-headers@file` | Add security headers |
| `crowdsec-bouncer@file` | Rate limiting and threat protection |
## Prometheus Monitoring
Both Traefik instances expose Prometheus metrics at `:8080/metrics`. The monitoring stack scrapes:
- Request rates
- Error rates
- Backend health
## Troubleshooting
- ServiceDown alerts: see [[homelab-servicedown-triage]] skill
- DNS issues: see [[homelab-systemd-resolved-dns]] skill
- VRRP failover: check `systemctl status keepalived` on grizzley
- Certificate issues: check NFS mount `/mnt/truenas/traefik-certs/` on both hosts
- traefik-pi not starting: check `docker logs traefik-pi` on grizzley
## Related
- [[ubuntu]] — Primary Traefik node
- [[grizzley]] — Backup Traefik node + ACME generation
- [[truenas]] — NFS storage for cert sync
- [[authentik]] — SSO behind Traefik
- [[traefik-ha]] — Full HA concept page
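Review bot: the keepalived table publishes the VRRP password, "Auth | PASS (`HomelabH`)"; keepalived's PASS authentication sends the value in clear text on the VLAN anyway (VRRPv2 dropped authentication for that reason), so the better fix is to remove `auth_type PASS`, rely on the VLAN boundary plus the `virtual_router_id`, and in any case keep the value out of the wiki. The certificate flow places the `*.tophermayor.com` wildcard private key on an NFS export (`/mnt/truenas/traefik-certs/grizzley`) that the truenas page describes as nfs4 rw; document the export's allowed clients and the file mode of the ACME storage file (Traefik refuses an `acme.json` that is not mode 600), since every host that can mount that share can impersonate every service. Smaller items: the Ports line claims 2222 and 8080 for Traefik while the instance table gives ubuntu only "80, 443" even though the Ubuntu section says metrics are on 8080, and the cert path is written both as `/mnt/truenas/...` and `/mnt/TrueNAS/...`, which are different paths on a case-sensitive mount.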


@@ -0,0 +1,91 @@
---
title: truenas
created: 2026-04-28
updated: 2026-04-29
type: entity
tags: [hosts, nas, storage, s3]
sources: []
confidence: medium
---
# truenas
**Role:** NAS — ZFS storage, NFS shares, S3 via [[rustfs]]
**IP:** 192.168.50.12
**Hostname:** TrueNAS
**Running on:** Proxmox VM 9001 (22.9 GB RAM, 32 GB boot disk, **running**)
**Web UI:** TrueNAS web interface (via browser)
## Overview
TrueNAS provides network storage for the homelab. It serves NFS shares to proxmox and the cluster nodes, and runs [[rustfs]] for S3-compatible object storage. It runs as VM 9001 on [[proxmox]].
## ⚠️ Pool Corruption
**Status:** Pool has known corruption issues. Monitor pool health via TrueNAS web UI.
Monitor for:
- Pool import failures on boot
- Checksum errors on disk
- NFS share timeouts
If the pool becomes unavailable, data on `SHGS31` (47% full, ~460 GB used) and `backups` (31% full, ~4.2 TB used) is at risk.
See [[nfs-storage]] skill for ZFS troubleshooting.
## SSH Access
⚠️ SSH access as `bear` user is **blocked** (Permission denied, publickey). The `bear` user's SSH key is not authorized on TrueNAS.
Options:
- Use the TrueNAS web UI for management
- Add `bear`'s SSH key to TrueNAS via the web UI
- Use `admin` or `root` account if keys are configured
## ZFS Pools
| Pool | Purpose | % Used | Notes |
|------|---------|--------|-------|
| `SHGS31` | General storage | 47% (~460 GB) | Main data pool |
| `backups` | Backup storage | 31% (~4.2 TB) | Large backup volume |
| `CT1000` | (unknown) | 3% | Smaller pool |
TrueNAS runs with these pools visible in the web UI under Storage.
## Shares
Known NFS exports:
- `/mnt/TrueNAS/traefik-certs/grizzley` — mounted by [[grizzley]] at `/mnt/truenas/traefik-certs/grizzley` (nfs4, rw)
Other shares to confirm via TrueNAS web UI:
- `/mnt/TrueNAS/` — main pool mount point
- May serve to: proxmox, ubuntu, ice
## rustfs (S3)
[[rustfs]] runs on TrueNAS via Docker (on TrueNAS itself or via bind mount) or on [[ubuntu]] as a Docker container connecting to TrueNAS storage.
**Current config on ubuntu:** rustfs Docker container on ubuntu binds to TrueNAS storage path for S3 bucket `obsidian-vault`:
- Endpoint: `http://192.168.50.12:9000`
- Access Key: `rustfsadmin`
- Secret Key: (stored in env or .env file)
- Bucket: `obsidian-vault`
On first boot, rustfs ignores env vars `RUSTFS_S3_ACCESS_KEY` and `RUSTFS_S3_SECRET_KEY` — uses hardcoded defaults (`rustfsadmin/rustfsadmin`). To reset: stop container, wipe data dir, restart.
## Access
```bash
# ⚠️ bear user SSH fails — use web UI or fix SSH keys
ssh admin@192.168.50.12 # may not work
ssh root@192.168.50.12 # may not work
# Best: use TrueNAS web UI
```
## Related
- [[proxmox]] — Proxmox hypervisor (hosts TrueNAS as VM 9001)
- [[rustfs]] — S3 storage layer
- [[grizzley]] — NFS client (traefik certs)
- [[ubuntu]] — NFS client, rustfs container
- [[ice]] — May NFS mount TrueNAS
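Review bot: the rustfs block lists "Access Key: `rustfsadmin`", which the rustfs page identifies as the hardcoded default, so as written the S3 endpoint `http://192.168.50.12:9000` serving the `obsidian-vault` bucket is protected by default credentials; confirm whether the key was ever changed and, if not, run the reset procedure now rather than later. The pool table conflicts with the proxmox page, where `SHGS31`, `CT1000` and `backups` appear as Proxmox storage pools with the same sizes and percentages; either they are Proxmox-local and this table is wrong, or the figures were copied across, and the "known corruption" warning cannot be acted on until the page says which pool and on which host `zpool status` should be run. The SSH section says nobody can currently run it from the `bear` account; add the key via the web UI, as the page itself suggests, before the next checksum error rather than after.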

homelab/entities/ubuntu.md Normal file

@@ -0,0 +1,168 @@
---
title: ubuntu
created: 2026-04-28
updated: 2026-04-29
type: entity
tags: [hosts, docker, primary]
sources: []
---
# ubuntu
**Role:** Primary Docker host — runs ~70 containers for the homelab
**IP:** 192.168.50.61
**Hostname:** ubuntu
**Uptime:** 5 days, 11h (as of 2026-04-28)
**CPU Load:** 7.44 (elevated — investigate if persistent)
## Overview
ubuntu is the workhorse of the homelab — a beefy Intel NUC or server-class machine running Ubuntu with Docker. It hosts approximately 70 containers including authentik SSO, the full monitoring stack, media automation (Sonarr/Radarr/Prowlarr), AI services (whisper, qdrant, reccollection), and the primary Traefik reverse proxy.
## Hardware
| Spec | Detail |
|------|--------|
| Model | Intel NUC or server-class x86_64 |
| CPU | Multi-core x86_64 |
| RAM | 47 GB total, 31 GB available |
| Storage | NVMe/SSD (check `df -h` for details) |
| Network | Gigabit Ethernet |
| IP | 192.168.50.61 |
## Docker Containers (Live)
### Git & CI/CD
| Container | Port(s) | Status | Purpose |
|-----------|---------|--------|---------|
| `gitea` | 2222, 3000/tcp | healthy | Git hosting at gitea.tophermayor.com |
| `gitea-runner` | 3010/tcp | healthy | Gitea Actions self-hosted runner |
| `registry` | 5000/tcp | healthy | Private Docker registry |
### Identity & SSO
| Container | Port(s) | Status | Purpose |
|-----------|---------|--------|---------|
| `authentik-server` | — | healthy | SSO identity provider |
| `authentik-worker` | — | healthy | Background worker |
| `authentik-redis` | 6379/tcp | healthy | Redis for authentik |
| `postgres-shared` | 5432/tcp (127.0.0.1 + 192.168.50.61) | healthy | Shared PostgreSQL |
### Media Stack
| Container | Port(s) | Status | Purpose |
|-----------|---------|--------|---------|
| `jellyfin` | 8096/tcp | healthy | Media server |
| `sonarr` | — | healthy | TV management |
| `sonarr-anime` | — | healthy | Anime TV management |
| `radarr` | — | healthy | Movie management |
| `radarr-anime` | — | healthy | Anime movie management |
| `prowlarr` | — | healthy | Indexer aggregation |
| `lidarr` | — | healthy | Music management |
| `readarr` | — | healthy | E-book management |
| `bazarr` | 6767/tcp | healthy | Subtitles |
| `ombi` | 3579/tcp | healthy | Media request UI |
| `lazylibrarian` | 5299/tcp | healthy | eBook downloader |
| `flaresolverr` | 8191-8192/tcp | healthy | Proxy forflare solver |
| `sabnzbd` | — | healthy | Usenet downloader |
| `qbittorrent` | — | healthy | BitTorrent downloader |
| `gluetun` | 8000,8388,8888/tcp; 8388/udp | healthy | VPN (WireGuard/OpenVPN) |
| `stremio-server` | 11470, 12470/tcp | healthy | Streaming server |
| `navidrome` | 4533/tcp | healthy | Music streaming |
| `audiobookshelf` | 80/tcp | healthy | Audiobook streaming |
| `kavita` | 5000/tcp | healthy | Comic/ebook reader |
| `calibre` | 3000-3001/tcp | healthy | eBook management |
| `calibre-web` | 8083/tcp | healthy | Calibre web UI |
### AI & ML Services
| Container | Port(s) | Status | Purpose |
|-----------|---------|--------|---------|
| `faster-whisper-server` | 8394/tcp | healthy | Whisper speech-to-text |
| `qdrant-qdrant-1` | 6333-6334/tcp | healthy | Vector database |
| `ai-subscriptions` | 8020/tcp | healthy | AI subscription management |
| `ai-alert-aggregator-frontend-1` | 3002/tcp | healthy | Alert aggregator UI |
| `ai-alert-aggregator-backend-1` | — | restarting | Alert aggregator backend |
| `ai-job-pipeline-frontend-1` | 3000/tcp | healthy | Job pipeline UI |
| `ai-job-pipeline-backend-1` | — | restarting | Job pipeline backend |
| `ai-media-intelligence-backend-1` | — | restarting | Media AI backend |
| `reccollection-backend-local` | 3001/tcp | healthy | Recommendation collection backend |
| `reccollection-frontend-local` | 8081/tcp | healthy | Recommendation collection frontend |
| `reccollection-postgres-local` | 5432/tcp | healthy | reccollection PostgreSQL |
| `comparaison` | 3000/tcp | healthy | Comparison service |
### Monitoring Stack
| Container | Port(s) | Status | Purpose |
|-----------|---------|--------|---------|
| `prometheus` | 9090/tcp | healthy | Metrics database |
| `grafana` | 3000/tcp | healthy | Dashboards |
| `loki` | 3100/tcp | healthy | Log aggregation |
| `alertmanager` | 9093/tcp | healthy | Alert routing |
| `blackbox-exporter` | 9115/tcp | healthy | Blackbox probing |
| `node-exporter` | 9100/tcp | healthy | Host metrics |
| `cadvisor` | 8080/tcp | healthy | Container metrics |
| `promtail` | — | healthy | Log scraping |
### Infrastructure & Utility
| Container | Port(s) | Status | Purpose |
|-----------|---------|--------|---------|
| `traefik` | 80,443/tcp | healthy | Primary reverse proxy (HA primary) |
| `homepage-ubuntu` | 3003/tcp | healthy | Homepage dashboard |
| `rustfs` | 9000-9001/tcp | healthy | S3-compatible storage (TrueNAS backend) |
| `infisical-backend` | 8080,443/tcp | — | Secrets management |
| `infisical-db` | 5432/tcp | healthy | Infisical PostgreSQL |
| `infisical-redis` | 6379/tcp | — | Infisical Redis |
| `docker-osx` | 5901,50922/tcp | healthy | macOS VM in Docker |
| `immich_server` | 2283/tcp | healthy | Photo/video backup |
| `immich_redis` | 6379/tcp | healthy | Immich Redis |
| `immich_postgres` | 5432/tcp | healthy | Immich PostgreSQL |
| `immich_machine_learning` | — | healthy | ML for photos |
| `analyzarr` | 4310/tcp | healthy | Media analysis |
| `recyclarr` | — | — | Automated arr config sync |
| `musicseerr` | 8688/tcp | healthy | Music request server |
| `seerr` | 5055/tcp | healthy | Media request server |
| `open-computer-use` | 8080/tcp | healthy | Computer use agent (OpenComputerUse) |
| `unified-media-manager-*` | 80,3000/tcp | healthy | Multi-variant media manager UI |

**Note:** `ai-alert-aggregator-backend-1`, `ai-job-pipeline-backend-1` and `ai-media-intelligence-backend-1` are in a restart loop — investigate.
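As an added check (example code, not part of this vault or of any project running on ubuntu): a Python script that parses rows shaped like the tables above and compares them with `docker ps --format '{{json .}}'` output, flagging the restart loop noted above, containers not in the inventory, rows documented as `—` that nonetheless publish a host port, and documented containers that have disappeared. The `docker ps` lines and the `debug-shell` container are constructed sample data, not captured from the host.

```python
"""Added example (not from the vault): reconcile this page's container tables with docker ps."""
import json
import re

ROW_RE = re.compile(r"^\|\s*`([^`]+)`\s*\|\s*([^|]*?)\s*\|")  # | `name` | ports | ...

def parse_inventory(markdown):
    """Return {container name: documented port string} from rows shaped like the tables above."""
    return {m.group(1): m.group(2) for m in map(ROW_RE.match, markdown.splitlines()) if m}

def lookup(inventory, name):
    """Exact match first, then wildcard rows such as `unified-media-manager-*`."""
    return inventory.get(name) or next((p for k, p in inventory.items()
                                        if k.endswith("*") and name.startswith(k[:-1])), None)

def check_host(markdown, docker_ps_json_lines):
    """Flag undocumented, restart-looping, unexpectedly published, and missing containers."""
    inventory, seen, findings = parse_inventory(markdown), set(), []
    for line in docker_ps_json_lines:  # one `docker ps --format '{{json .}}'` line per container
        c = json.loads(line)
        name = c["Names"]
        seen.add(name)
        documented = lookup(inventory, name)
        if documented is None:
            findings.append(("undocumented", name, ""))
        if c["State"] == "restarting":
            findings.append(("restart-loop", name, ""))
        # Host ports bound on all interfaces, taken from the docker ps Ports column.
        exposed = sorted(set(re.findall(r"0\.0\.0\.0:(\d+)->", c.get("Ports", ""))), key=int)
        if exposed and documented == "—":  # row says unpublished, yet a host port is bound
            findings.append(("unexpected-publish", name, ",".join(exposed)))
    findings += [("missing", n, "") for n in inventory if "*" not in n and n not in seen]
    return sorted(findings)

# Constructed sample rows copied from the tables above (grafana deliberately absent from docker ps).
PAGE_SNIPPET = """\
| `prometheus` | 9090/tcp | healthy | Metrics database |
| `grafana` | 3000/tcp | healthy | Dashboards |
| `promtail` | — | healthy | Log scraping |
| `ai-job-pipeline-backend-1` | — | restarting | Job pipeline backend |
| `unified-media-manager-*` | 80,3000/tcp | healthy | Multi-variant media manager UI |
"""
# Constructed `docker ps --format '{{json .}}'` output; not captured from ubuntu.
DOCKER_PS = [
    '{"Names":"prometheus","State":"running","Ports":"0.0.0.0:9090->9090/tcp, :::9090->9090/tcp"}',
    '{"Names":"promtail","State":"running","Ports":"0.0.0.0:9080->9080/tcp"}',
    '{"Names":"ai-job-pipeline-backend-1","State":"restarting","Ports":""}',
    '{"Names":"unified-media-manager-blue","State":"running","Ports":"0.0.0.0:3000->3000/tcp"}',
    '{"Names":"debug-shell","State":"running","Ports":""}',
]
```

On the host, pass this page's markdown and the output of `docker ps --format '{{json .}}'` (one line per container) to `check_host`; each finding is a `(kind, container, detail)` tuple.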
## Docker Networks
| Network | Driver | Connected services |
|---------|--------|-------------------|
| `proxy-net` | bridge | traefik (primary ingress) |
| `app-net` | bridge | general app containers |
| `uefi-proxynet` | bridge | — |
| `authentik_authentik-internal` | bridge | authentik stack |
| `monitoring_monitoring-internal` | bridge | prometheus, grafana, loki, etc. |
| `immich_immich-internal` | bridge | immich stack |
| `reccollection-internal` | bridge | reccollection stack |
| `ai-subscriptions_default` | bridge | ai-subscriptions |
| `calibre-web_default` | bridge | calibre-web |
| `faster-whisper-service_default` | bridge | faster-whisper |
| `homepage_default` | bridge | homepage |
| `comparaison_default` | bridge | comparaison |
| `infisical_infisical` | bridge | infisical stack |
| `reccollection_default` | bridge | reccollection |
## Traefik Role
ubuntu runs the **primary** Traefik instance (HA mode) and handles the majority of ingress traffic. Certificates are synced via NFS from grizzley's traefik-pi. See [[traefik-ha]] for the full architecture.
## Access
```bash
ssh bear@192.168.50.61
```
## Related
- [[ice]] — Control plane
- [[grizzley]] — Edge node, Traefik HA backup
- [[authentik]] — SSO running on ubuntu
- [[traefik]] — Traefik entity
- [[proxmox]] — Hosts ubuntu as a VM (VMID 9003)
- [[truenas]] — NFS/S3 storage backend