Homelab/README.md

# Projet Homelab

## Infrastructure physique

### HPE ML110 - Proxmox (192.168.1.242)
- **CPU** : Intel Xeon Gold 5120 (14 cores / 28 threads @ 2.20GHz)
- **RAM** : 48 Go (HP PC4 1RX4 2666 MHz)
- **Boot** : EFI
- **Kernel** : Linux 6.5.11-8-pve
- **Reseau** : vmbr0 (Linux bridge)
- **Disques** :
  - /dev/sda - 2 To
  - /dev/sda1 - biosboot (1 Mo)
  - /dev/sda2 - EFI (1 Go)
  - /dev/sda3 - LVM 31 Go (local + local-lvm)
  - /dev/sda4 - ext4 104 Go "ISO"
  - /dev/sda5 - LVM 1.86 To "VMS"

### QNAP TS-431P2 (192.168.1.208)
- **CPU** : Alpine AL-314 (ARM Cortex-A15 quad-core)
- **RAM** : 8 Go
- **Disques** : 4 baies, RAID 1
- **OS** : QTS (on ne touche pas)
- **Services actuels** : Plex, bots Discord, NFS/SMB

### Reseau
- Box Orange : 192.168.1.1 (gateway + DNS)
- Masque : /24
- Pas de VLAN (reseau basique)

---

## VMs existantes

| VM | RAM | vCPU | Disk | Role |
|----|-----|------|------|------|
| VM-DEDICATED | 20 Go | 8 | 40 Go | Serveurs de jeu |

---

## VMs a creer (Terraform - provider bpg/proxmox)

| VM | VMID | IP | RAM | vCPU | Disk | Role |
|----|------|----|-----|------|------|------|
| gateway | 200 | 192.168.1.254 | 512 Mo | 1 | 8 Go | WireGuard + Caddy (reverse proxy) |
| forgejo | 201 | 192.168.1.50 | 1 Go | 2 | 20 Go | Forge logicielle - http://192.168.1.50:3000 |
| nextcloud | 202 | 192.168.1.51 | 6 Go | 4 | 20 Go | Cloud personnel - http://192.168.1.51:8080 |
| tools | 203 | 192.168.1.52 | 2 Go | 2 | 10 Go | Stirling PDF - http://192.168.1.52:8081 |
| **Total** | | | **5.5 Go** | **7** | **58 Go** | |
| **Reste libre** | | | **~4.5 Go** | | | Reserve k3s |

Template cloud-init : Rocky Linux 9 (VMID 9000)

---

## Repartition du stockage

| Donnee | Emplacement | Raison |
|--------|-------------|--------|
| OS des VMs + disques virtuels | ML110 (LVM "VMS") | Performance I/O |
| BDD PostgreSQL (Forgejo, Nextcloud) | ML110 (local) | BDD sur NFS = lent et risque |
| Fichiers Nextcloud (data utilisateur) | QNAP via NFS | Centralise, sauvegardable |
| Saves serveurs de jeu | QNAP via NFS | Backups |
| Backups VMs (vzdump) | QNAP via NFS | Proxmox backup natif |
| Media (Plex) | QNAP (local) | Deja en place |

---

## QNAP - Shares NFS a creer

| Share | Usage | Acces restreint a |
|-------|-------|--------------------|
| nextcloud-data | Donnees Nextcloud | 192.168.1.51 |
| backups | Backups Proxmox | 192.168.1.242 |
| game-saves | Saves serveurs de jeu | 192.168.1.x (VM dedicated) |

---

## Poste de pilotage

- **PC Gaming Windows 11** : VSCode + Claude Code, WSL2 Debian
- **Laptop Linux Mint** : alternative (non disponible actuellement)
- **WSL2 Debian** : Terraform, Ansible, kubectl, Git, cles SSH

---

## Architecture reseau cible (avec VPS)

```
Internet --> [VPS Scaleway PLAY2-PICO - 51.158.126.113]
                |  Caddy (reverse proxy + TLS Let's Encrypt)
                |  forge.elewyn.dev -> 192.168.1.50:3000
                |  cloud.elewyn.dev -> 192.168.1.51:8080
                |
             WireGuard tunnel (10.0.0.0/24)
             VPS: 10.0.0.1  Gateway: 10.0.0.2
                |
            [VM gateway - 192.168.1.254]
                |
         +------+-------+-------+
         |      |       |       |
      Forgejo  Nextcloud  Plex  Tools
      (.50)    (.51)     (QNAP) (.52)
```

---

## Stack technique

| Outil | Usage |
|-------|-------|
| **Terraform** (bpg/proxmox) | Provisionnement des VMs |
| **Ansible** | Configuration des VMs |
| **Docker Compose** | Deploiement des services |
| **WireGuard** | VPN entre VPS et homelab |
| **Caddy** | Reverse proxy + TLS auto |
| **Forgejo** | Forge logicielle (syntaxe GitHub Actions) |
| **Nextcloud** | Cloud personnel |
| **Stirling PDF** | Convertisseur de fichiers |
| **k3s** | Kubernetes (phase future) |

---

## Arborescence du repo

```
~/homelab/
├── .env                              # Secrets Terraform (jamais commit)
├── .gitignore
├── terraform/proxmox/
│   ├── main.tf                       # 4 VMs via for_each
│   ├── variables.tf
│   ├── outputs.tf
│   └── terraform.tfvars
├── ansible/
│   ├── ansible.cfg
│   ├── inventory/hosts.yml
│   ├── templates/wg0.conf.j2
│   ├── site.yml                      # Orchestre tout
│   └── playbooks/
│       ├── base.yml                  # User Elewyn, SSH hardening, packages
│       ├── docker.yml                # Docker sur forgejo/nextcloud/tools
│       ├── gateway.yml               # WireGuard + Caddy
│       ├── forgejo.yml               # Forgejo + PostgreSQL
│       ├── nextcloud.yml             # Nextcloud + montage NFS QNAP
│       └── tools.yml                 # Stirling PDF
└── docker/
    ├── gateway/Caddyfile
    ├── forgejo/
    │   ├── docker-compose.yml
    │   └── .env.example
    ├── nextcloud/
    │   ├── docker-compose.yml
    │   └── .env.example
    └── tools/docker-compose.yml
```

---

## Users sur les VMs

| User | Role | Auth |
|------|------|------|
| ansible | Deploiement Ansible (cloud-init) | Cle SSH homelab |
| Elewyn | Admin (sudo via wheel) | Cle SSH homelab |
| root | Desactive en SSH | - |

---

## Plan d'action

### Phase 1 - Fondations (FAIT)
- [x] WSL2 Debian installe
- [x] Terraform, Ansible, Git installes
- [x] Cle SSH homelab generee
- [x] Template cloud-init Rocky 9 (VMID 9000)
- [x] Token API Proxmox (terraform@pam!provider)
- [x] Fichiers Terraform + Ansible ecrits

### Phase 2 - Provisionnement VMs
- [x] terraform apply (creer les 4 VMs)
- [x] Verifier acces SSH aux VMs (ping + ansible ping OK)

### Phase 3 - Configuration (Ansible)
- [x] base.yml (users, SSH hardening, firewalld, qemu-agent)
- [x] Installer collections Ansible (ansible.posix, community.docker, community.general)
- [x] Ansible Vault (secrets BDD chiffres)
- [x] ansible-playbook site.yml (docker, services)

### Phase 4 - Services
- [x] Forgejo + PostgreSQL deploye
- [x] Stirling PDF deploye
- [x] Nextcloud + PostgreSQL deploye
- [x] NFS QNAP monte (nextcloud-data, backups crees sur QNAP)

### Phase 5 - Exposition externe
- [x] Acheter NDD elewyn.dev (~7 EUR/an)
- [x] Louer VPS Scaleway PLAY2-PICO (~4 EUR/mois) - 51.158.126.113
- [x] WireGuard VPS <-> gateway (10.0.0.1 <-> 10.0.0.2)
- [x] Caddy reverse proxy + TLS Let's Encrypt
- [x] DNS Cloudflare (forge.elewyn.dev, cloud.elewyn.dev)

### Phase 6 - QNAP
- [x] Creer shares NFS (nextcloud-data)
- [x] Creer share NFS backups
- [x] Configurer backups vzdump Proxmox -> NFS (storage qnap-backups, schedule nuit)
- [x] Remplacer disque HS + RAID reconstruit

### Phase 7 - Kubernetes (futur)
- [ ] VM k3s single-node (6 Go RAM)
- [ ] Migration progressive des services
- [ ] ArgoCD (GitOps)
- [ ] Monitoring (Grafana/Loki/Prometheus)

---

## Budget

| Poste | Cout |
|-------|------|
| NDD elewyn.dev | ~7 EUR/an |
| VPS Scaleway PLAY2-PICO | ~48 EUR/an |
| Disque QNAP remplacement | ~20-30 EUR (une fois) |
| **Total premiere annee** | **~80 EUR** |
Initial commit - homelab infrastructure 2026-04-09 12:46:59 +00:00			`# Projet Homelab`

			`## Infrastructure physique`

			`### HPE ML110 - Proxmox (192.168.1.242)`
feat: phase 5 complete - exposition externe et correctifs services, maj de la doc 2026-04-29 13:49:37 +00:00			`- CPU : Intel Xeon Gold 5120 (14 cores / 28 threads @ 2.20GHz)`
			`- RAM : 48 Go (HP PC4 1RX4 2666 MHz)`
Initial commit - homelab infrastructure 2026-04-09 12:46:59 +00:00			`- Boot : EFI`
			`- Kernel : Linux 6.5.11-8-pve`
			`- Reseau : vmbr0 (Linux bridge)`
			`- Disques :`
			`- /dev/sda - 2 To`
			`- /dev/sda1 - biosboot (1 Mo)`
			`- /dev/sda2 - EFI (1 Go)`
			`- /dev/sda3 - LVM 31 Go (local + local-lvm)`
			`- /dev/sda4 - ext4 104 Go "ISO"`
			`- /dev/sda5 - LVM 1.86 To "VMS"`

			`### QNAP TS-431P2 (192.168.1.208)`
			`- CPU : Alpine AL-314 (ARM Cortex-A15 quad-core)`
			`- RAM : 8 Go`
feat: phase 5 complete - exposition externe et correctifs services, maj de la doc 2026-04-29 13:49:37 +00:00			`- Disques : 4 baies, RAID 1`
Initial commit - homelab infrastructure 2026-04-09 12:46:59 +00:00			`- OS : QTS (on ne touche pas)`
			`- Services actuels : Plex, bots Discord, NFS/SMB`

			`### Reseau`
			`- Box Orange : 192.168.1.1 (gateway + DNS)`
			`- Masque : /24`
			`- Pas de VLAN (reseau basique)`

			`---`

			`## VMs existantes`

			`\| VM \| RAM \| vCPU \| Disk \| Role \|`
			`\|----\|-----\|------\|------\|------\|`
			`\| VM-DEDICATED \| 20 Go \| 8 \| 40 Go \| Serveurs de jeu \|`

			`---`

			`## VMs a creer (Terraform - provider bpg/proxmox)`

			`\| VM \| VMID \| IP \| RAM \| vCPU \| Disk \| Role \|`
			`\|----\|------\|----\|-----\|------\|------\|------\|`
			`\| gateway \| 200 \| 192.168.1.254 \| 512 Mo \| 1 \| 8 Go \| WireGuard + Caddy (reverse proxy) \|`
			`\| forgejo \| 201 \| 192.168.1.50 \| 1 Go \| 2 \| 20 Go \| Forge logicielle - http://192.168.1.50:3000 \|`
fix: nextcloud reverse proxy https et auth app android 2026-04-29 15:34:14 +00:00			`\| nextcloud \| 202 \| 192.168.1.51 \| 6 Go \| 4 \| 20 Go \| Cloud personnel - http://192.168.1.51:8080 \|`
Initial commit - homelab infrastructure 2026-04-09 12:46:59 +00:00			`\| tools \| 203 \| 192.168.1.52 \| 2 Go \| 2 \| 10 Go \| Stirling PDF - http://192.168.1.52:8081 \|`
			`\| Total \| \| \| 5.5 Go \| 7 \| 58 Go \| \|`
			`\| Reste libre \| \| \| ~4.5 Go \| \| \| Reserve k3s \|`

			`Template cloud-init : Rocky Linux 9 (VMID 9000)`

			`---`

			`## Repartition du stockage`

			`\| Donnee \| Emplacement \| Raison \|`
			`\|--------\|-------------\|--------\|`
			`\| OS des VMs + disques virtuels \| ML110 (LVM "VMS") \| Performance I/O \|`
			`\| BDD PostgreSQL (Forgejo, Nextcloud) \| ML110 (local) \| BDD sur NFS = lent et risque \|`
			`\| Fichiers Nextcloud (data utilisateur) \| QNAP via NFS \| Centralise, sauvegardable \|`
			`\| Saves serveurs de jeu \| QNAP via NFS \| Backups \|`
			`\| Backups VMs (vzdump) \| QNAP via NFS \| Proxmox backup natif \|`
			`\| Media (Plex) \| QNAP (local) \| Deja en place \|`

			`---`

			`## QNAP - Shares NFS a creer`

			`\| Share \| Usage \| Acces restreint a \|`
			`\|-------\|-------\|--------------------\|`
			`\| nextcloud-data \| Donnees Nextcloud \| 192.168.1.51 \|`
			`\| backups \| Backups Proxmox \| 192.168.1.242 \|`
			`\| game-saves \| Saves serveurs de jeu \| 192.168.1.x (VM dedicated) \|`

			`---`

			`## Poste de pilotage`

			`- PC Gaming Windows 11 : VSCode + Claude Code, WSL2 Debian`
			`- Laptop Linux Mint : alternative (non disponible actuellement)`
			`- WSL2 Debian : Terraform, Ansible, kubectl, Git, cles SSH`

			`---`

			`## Architecture reseau cible (avec VPS)`

			```
feat: phase 5 complete - exposition externe et correctifs services, maj de la doc 2026-04-29 13:49:37 +00:00			`Internet --> [VPS Scaleway PLAY2-PICO - 51.158.126.113]`
Initial commit - homelab infrastructure 2026-04-09 12:46:59 +00:00			`\| Caddy (reverse proxy + TLS Let's Encrypt)`
feat: phase 5 complete - exposition externe et correctifs services, maj de la doc 2026-04-29 13:49:37 +00:00			`\| forge.elewyn.dev -> 192.168.1.50:3000`
			`\| cloud.elewyn.dev -> 192.168.1.51:8080`
Initial commit - homelab infrastructure 2026-04-09 12:46:59 +00:00			`\|`
			`WireGuard tunnel (10.0.0.0/24)`
feat: phase 5 complete - exposition externe et correctifs services, maj de la doc 2026-04-29 13:49:37 +00:00			`VPS: 10.0.0.1 Gateway: 10.0.0.2`
Initial commit - homelab infrastructure 2026-04-09 12:46:59 +00:00			`\|`
			`[VM gateway - 192.168.1.254]`
			`\|`
			`+------+-------+-------+`
			`\| \| \| \|`
			`Forgejo Nextcloud Plex Tools`
			`(.50) (.51) (QNAP) (.52)`
			```

			`---`

			`## Stack technique`

			`\| Outil \| Usage \|`
			`\|-------\|-------\|`
			`\| Terraform (bpg/proxmox) \| Provisionnement des VMs \|`
			`\| Ansible \| Configuration des VMs \|`
			`\| Docker Compose \| Deploiement des services \|`
			`\| WireGuard \| VPN entre VPS et homelab \|`
			`\| Caddy \| Reverse proxy + TLS auto \|`
			`\| Forgejo \| Forge logicielle (syntaxe GitHub Actions) \|`
			`\| Nextcloud \| Cloud personnel \|`
			`\| Stirling PDF \| Convertisseur de fichiers \|`
			`\| k3s \| Kubernetes (phase future) \|`

			`---`

			`## Arborescence du repo`

			```
			`~/homelab/`
			`├── .env # Secrets Terraform (jamais commit)`
			`├── .gitignore`
			`├── terraform/proxmox/`
			`│ ├── main.tf # 4 VMs via for_each`
			`│ ├── variables.tf`
			`│ ├── outputs.tf`
			`│ └── terraform.tfvars`
			`├── ansible/`
			`│ ├── ansible.cfg`
			`│ ├── inventory/hosts.yml`
			`│ ├── templates/wg0.conf.j2`
			`│ ├── site.yml # Orchestre tout`
			`│ └── playbooks/`
			`│ ├── base.yml # User Elewyn, SSH hardening, packages`
			`│ ├── docker.yml # Docker sur forgejo/nextcloud/tools`
			`│ ├── gateway.yml # WireGuard + Caddy`
			`│ ├── forgejo.yml # Forgejo + PostgreSQL`
			`│ ├── nextcloud.yml # Nextcloud + montage NFS QNAP`
			`│ └── tools.yml # Stirling PDF`
			`└── docker/`
			`├── gateway/Caddyfile`
			`├── forgejo/`
			`│ ├── docker-compose.yml`
			`│ └── .env.example`
			`├── nextcloud/`
			`│ ├── docker-compose.yml`
			`│ └── .env.example`
			`└── tools/docker-compose.yml`
			```

			`---`

			`## Users sur les VMs`

			`\| User \| Role \| Auth \|`
			`\|------\|------\|------\|`
			`\| ansible \| Deploiement Ansible (cloud-init) \| Cle SSH homelab \|`
			`\| Elewyn \| Admin (sudo via wheel) \| Cle SSH homelab \|`
			`\| root \| Desactive en SSH \| - \|`

			`---`

			`## Plan d'action`

			`### Phase 1 - Fondations (FAIT)`
			`- [x] WSL2 Debian installe`
			`- [x] Terraform, Ansible, Git installes`
			`- [x] Cle SSH homelab generee`
			`- [x] Template cloud-init Rocky 9 (VMID 9000)`
			`- [x] Token API Proxmox (terraform@pam!provider)`
			`- [x] Fichiers Terraform + Ansible ecrits`

			`### Phase 2 - Provisionnement VMs`
			`- [x] terraform apply (creer les 4 VMs)`
			`- [x] Verifier acces SSH aux VMs (ping + ansible ping OK)`

			`### Phase 3 - Configuration (Ansible)`
			`- [x] base.yml (users, SSH hardening, firewalld, qemu-agent)`
			`- [x] Installer collections Ansible (ansible.posix, community.docker, community.general)`
			`- [x] Ansible Vault (secrets BDD chiffres)`
			`- [x] ansible-playbook site.yml (docker, services)`

			`### Phase 4 - Services`
			`- [x] Forgejo + PostgreSQL deploye`
			`- [x] Stirling PDF deploye`
			`- [x] Nextcloud + PostgreSQL deploye`
			`- [x] NFS QNAP monte (nextcloud-data, backups crees sur QNAP)`

			`### Phase 5 - Exposition externe`
feat: phase 5 complete - exposition externe et correctifs services, maj de la doc 2026-04-29 13:49:37 +00:00			`- [x] Acheter NDD elewyn.dev (~7 EUR/an)`
			`- [x] Louer VPS Scaleway PLAY2-PICO (~4 EUR/mois) - 51.158.126.113`
			`- [x] WireGuard VPS <-> gateway (10.0.0.1 <-> 10.0.0.2)`
			`- [x] Caddy reverse proxy + TLS Let's Encrypt`
			`- [x] DNS Cloudflare (forge.elewyn.dev, cloud.elewyn.dev)`
Initial commit - homelab infrastructure 2026-04-09 12:46:59 +00:00
			`### Phase 6 - QNAP`
			`- [x] Creer shares NFS (nextcloud-data)`
			`- [x] Creer share NFS backups`
			`- [x] Configurer backups vzdump Proxmox -> NFS (storage qnap-backups, schedule nuit)`
			`- [x] Remplacer disque HS + RAID reconstruit`

			`### Phase 7 - Kubernetes (futur)`
			`- [ ] VM k3s single-node (6 Go RAM)`
			`- [ ] Migration progressive des services`
			`- [ ] ArgoCD (GitOps)`
			`- [ ] Monitoring (Grafana/Loki/Prometheus)`

			`---`

			`## Budget`

			`\| Poste \| Cout \|`
			`\|-------\|------\|`
feat: phase 5 complete - exposition externe et correctifs services, maj de la doc 2026-04-29 13:49:37 +00:00			`\| NDD elewyn.dev \| ~7 EUR/an \|`
			`\| VPS Scaleway PLAY2-PICO \| ~48 EUR/an \|`
Initial commit - homelab infrastructure 2026-04-09 12:46:59 +00:00			`\| Disque QNAP remplacement \| ~20-30 EUR (une fois) \|`
			`\| Total premiere annee \| ~80 EUR \|`