# Homelab project
## Physical infrastructure
### HPE ML110 - Proxmox (192.168.1.242)
- **CPU**: Intel Xeon Gold 5120 (14 cores / 28 threads @ 2.20GHz)
- **RAM**: 48 GB (HP PC4 1RX4 2666 MHz)
- **Boot**: EFI
- **Kernel**: Linux 6.5.11-8-pve
- **Network**: vmbr0 (Linux bridge)
- **Disks**:
  - /dev/sda - 2 TB
    - /dev/sda1 - biosboot (1 MB)
    - /dev/sda2 - EFI (1 GB)
    - /dev/sda3 - LVM 31 GB (local + local-lvm)
    - /dev/sda4 - ext4 104 GB "ISO"
    - /dev/sda5 - LVM 1.86 TB "VMS"
### QNAP TS-431P2 (192.168.1.208)
- **CPU**: Alpine AL-314 (ARM Cortex-A15 quad-core)
- **RAM**: 8 GB
- **Disks**: 4 bays, RAID 1
- **OS**: QTS (left untouched)
- **Current services**: Plex, Discord bots, NFS/SMB
### Network
- Orange ISP box: 192.168.1.1 (gateway + DNS)
- Netmask: /24
- No VLANs (flat network)
---
## VMs (Proxmox)
| VM | VMID | IP | RAM | vCPU | Disk | Role |
|----|------|----|-----|------|------|------|
| VM-DEDICATED | 110 | 192.168.1.110 | 24 GB | 8 | 40 GB | Game servers |
| gateway | 200 | 192.168.1.254 | 512 MB | 1 | 8 GB | WireGuard + Caddy (reverse proxy) |
| forgejo | 201 | 192.168.1.50 | 1 GB | 2 | 20 GB | Software forge - https://forge.elewyn.dev |
| nextcloud | 202 | 192.168.1.51 | 6 GB | 4 | 20 GB | Personal cloud - https://cloud.elewyn.dev |
| tools | 203 | 192.168.1.52 | 2 GB | 2 | 10 GB | Stirling PDF - http://192.168.1.52:8081 |
| runner | 204 | 192.168.1.53 | 4 GB | 4 | 20 GB | Forgejo Actions Runner |
| **Remaining free** | | | **~8.5 GB** | | | Reserved for k3s |

Cloud-init template: Rocky Linux 9 (VMID 9000)
---
## Storage layout
| Data | Location | Reason |
|------|----------|--------|
| VM OS + virtual disks | ML110 (LVM "VMS") | I/O performance |
| PostgreSQL databases (Forgejo, Nextcloud) | ML110 (local) | Database on NFS = slow and risky |
| Nextcloud files (user data) | QNAP via NFS | Centralised, easy to back up |
| Game server saves | QNAP via NFS | Backups |
| VM backups (vzdump) | QNAP via NFS | Native Proxmox backup |
| Media (Plex) | QNAP (local) | Already in place |
---
## QNAP - NFS shares
| Share | Usage | Access restricted to |
|-------|-------|----------------------|
| nextcloud-data | Nextcloud data | 192.168.1.51 |
| backups | Proxmox backups | 192.168.1.242 |
| game-saves | Game server saves | 192.168.1.110 (VM-DEDICATED) |
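Added example, written for this README and not taken from the repo's nextcloud.yml or from the QNAP setup, of how the two NFS consumers in the table are wired up with Ansible: the nextcloud VM mounts `nextcloud-data`, and the Proxmox host registers `backups` as vzdump storage with a nightly job. Assumptions: inventory hosts named `nextcloud` and `proxmox` (192.168.1.242), export paths `/share/nextcloud-data` and `/share/backups` (QTS shows the real path in the share's NFS dialog), NFSv4 enabled on the QNAP, and the Proxmox 8 `pvesm`/`pvesh` CLI.

```yaml
# Added example (not the repo's nextcloud.yml); export paths and host names are assumptions.
- name: Mount the QNAP nextcloud-data export on the nextcloud VM
  hosts: nextcloud
  become: true
  vars:
    qnap: 192.168.1.208
    export: /share/nextcloud-data        # assumption; QTS shows the real path
    mountpoint: /srv/nextcloud-data
  tasks:
    - name: NFS client
      ansible.builtin.dnf:
        name: nfs-utils
        state: present

    - name: The QNAP must list the export for this client, otherwise stop here
      ansible.builtin.command: showmount -e {{ qnap }}
      register: exports
      changed_when: false
      failed_when: "'nextcloud-data' not in exports.stdout"

    - name: NFSv4 hard mount (a flapping NAS blocks I/O instead of corrupting data); user data is never executable
      ansible.posix.mount:
        path: "{{ mountpoint }}"
        src: "{{ qnap }}:{{ export }}"
        fstype: nfs
        opts: nfsvers=4,hard,_netdev,noexec,nosuid,nodev
        state: mounted

    - name: Nextcloud in the container runs as www-data (uid 33); the export's squash setting must let root chown
      ansible.builtin.file:
        path: "{{ mountpoint }}"
        owner: "33"
        group: "33"
        mode: "0750"

- name: Register the backups export as vzdump storage and schedule the nightly job
  hosts: proxmox                           # assumption; 192.168.1.242 in the inventory
  become: true
  tasks:
    - name: Is the storage already defined?
      ansible.builtin.command: grep -q '^nfs: qnap-backups$' /etc/pve/storage.cfg
      register: storage
      changed_when: false
      failed_when: storage.rc not in [0, 1]

    - name: NFS storage limited to backup content (the QNAP side restricts the export to 192.168.1.242)
      ansible.builtin.command: >
        pvesm add nfs qnap-backups --server 192.168.1.208
        --export /share/backups --content backup --options vers=4
      when: storage.rc == 1

    - name: Is the nightly job already there?
      ansible.builtin.command: grep -q 'storage qnap-backups' /etc/pve/jobs.cfg
      register: job
      changed_when: false
      failed_when: job.rc not in [0, 1, 2]   # 2 = jobs.cfg missing, no job yet

    - name: Nightly vzdump of every VM, keep one week
      ansible.builtin.command: >
        pvesh create /cluster/backup --schedule 02:00 --storage qnap-backups
        --all 1 --mode snapshot --compress zstd --enabled 1
        --prune-backups keep-last=7
      when: job.rc != 0
```

The `showmount` check only proves that the QNAP lists the export. Without Kerberos, the client IP list in the QTS share permissions is the entire access control on an NFS export, and on a flat /24 with no VLANs any machine that takes one of those addresses can mount the share; keeping one allowed address per share, as in the table, is what limits that.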
---
## Management workstation
- **Windows 11 gaming PC**: VSCodium + Claude Code, WSL2 Debian
- **Linux Mint laptop**: alternative (currently unavailable)
- **WSL2 Debian**: Terraform, Ansible, kubectl, Git, SSH keys
---
## Network architecture
```
Internet --> [VPS Scaleway PLAY2-PICO - 51.158.126.113]
                  | Caddy (reverse proxy + TLS Let's Encrypt)
                  |   forge.elewyn.dev -> 192.168.1.50:3000
                  |   cloud.elewyn.dev -> 192.168.1.51:8080
                  |
              WireGuard tunnel (10.0.0.0/24)
              VPS: 10.0.0.1   Gateway: 10.0.0.2
                  |
          [VM gateway - 192.168.1.254]
                  |
       +----------+----------+----------+
       |          |          |          |
    Forgejo   Nextcloud    Plex      Tools
     (.50)      (.51)     (QNAP)     (.52)
```
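Added example, written for this README and not taken from the repo's wg0.conf.j2, wg0-vps.conf.j2 or gateway.yml, of the two sides of the tunnel drawn above and of the forwarding the gateway has to do for the VPS to reach .50 and .51. Assumptions: inventory hosts `vps` and `gateway`, wireguard-tools already installed on both, keys stored in Ansible Vault under the `vault_wg_*` names used here, the gateway's eth0 in firewalld's `public` zone (Rocky 9 default), and 51820/udp already open on the VPS.

```yaml
# Added example (not the repo's WireGuard templates); vault_wg_* names are assumptions.
- name: VPS side of the tunnel
  hosts: vps
  become: true
  tasks:
    - name: wg0.conf on the VPS
      ansible.builtin.copy:
        dest: /etc/wireguard/wg0.conf
        mode: "0600"
        content: |
          [Interface]
          Address = 10.0.0.1/24
          ListenPort = 51820
          PrivateKey = {{ vault_wg_vps_private_key }}

          [Peer]
          # Homelab gateway. AllowedIPs is both the route table and the source filter:
          # list the tunnel address and the two published backends only, never
          # 192.168.1.0/24, so a compromised VPS has no route to the rest of the LAN.
          PublicKey = {{ vault_wg_gateway_public_key }}
          AllowedIPs = 10.0.0.2/32, 192.168.1.50/32, 192.168.1.51/32
      notify: restart wg0
  handlers:
    - name: restart wg0
      ansible.builtin.systemd:
        name: wg-quick@wg0
        enabled: true
        state: restarted

- name: Gateway side of the tunnel
  hosts: gateway
  become: true
  tasks:
    - name: wg0.conf on the gateway
      ansible.builtin.copy:
        dest: /etc/wireguard/wg0.conf
        mode: "0600"
        content: |
          [Interface]
          Address = 10.0.0.2/24
          PrivateKey = {{ vault_wg_gateway_private_key }}
          # No ListenPort: the gateway sits behind the Orange box and only dials out.

          [Peer]
          PublicKey = {{ vault_wg_vps_public_key }}
          Endpoint = 51.158.126.113:51820
          AllowedIPs = 10.0.0.1/32
          # Keeps the NAT mapping on the ISP box alive so the VPS can always reach us.
          PersistentKeepalive = 25
      notify: restart wg0

    - name: Route packets between wg0 and the LAN
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true
        reload: true

    - name: Masquerade forwarded traffic as 192.168.1.254 (the backends' default route is .1, not this VM)
      ansible.posix.firewalld:
        zone: public
        masquerade: true
        permanent: true
        immediate: true
        state: enabled

    - name: Only the two published backend ports may be reached through the tunnel
      ansible.builtin.shell: |
        set -e
        firewall-cmd --permanent --get-policies | grep -qw wg-to-lan && exit 0
        firewall-cmd --permanent --new-zone=wg
        firewall-cmd --permanent --zone=wg --add-interface=wg0
        firewall-cmd --permanent --new-policy=wg-to-lan
        firewall-cmd --permanent --policy=wg-to-lan --add-ingress-zone=wg
        firewall-cmd --permanent --policy=wg-to-lan --add-egress-zone=public
        firewall-cmd --permanent --policy=wg-to-lan --set-target=DROP
        firewall-cmd --permanent --policy=wg-to-lan --add-rich-rule='rule family=ipv4 destination address=192.168.1.50 port port=3000 protocol=tcp accept'
        firewall-cmd --permanent --policy=wg-to-lan --add-rich-rule='rule family=ipv4 destination address=192.168.1.51 port port=8080 protocol=tcp accept'
        firewall-cmd --reload
        echo created
      register: policy
      changed_when: "'created' in policy.stdout"
  handlers:
    - name: restart wg0
      ansible.builtin.systemd:
        name: wg-quick@wg0
        enabled: true
        state: restarted
```

Two things the diagram does not show. AllowedIPs on the VPS side is WireGuard's route table and source filter at once, so listing only 10.0.0.2/32, 192.168.1.50/32 and 192.168.1.51/32 leaves a compromised VPS with no route to the QNAP, the Proxmox host or the game server; the firewalld policy on the gateway enforces the same restriction from the LAN side, so neither end has to be trusted on its own. The masquerade is required because the backends' default route is the Orange box (192.168.1.1), not the gateway: without it, their replies to 10.0.0.1 would leave through the box and be dropped.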
---
## Technical stack
| Tool | Usage |
|------|-------|
| **Terraform** (bpg/proxmox) | VM provisioning |
| **Ansible** | VM configuration |
| **Docker Compose** | Service deployment |
| **WireGuard** | VPN between the VPS and the homelab |
| **Caddy** | Reverse proxy + automatic TLS |
| **Forgejo** | Software forge (GitHub Actions syntax) |
| **Nextcloud** | Personal cloud |
| **Stirling PDF** | File converter |
| **k3s** | Kubernetes (future phase) |
---
## Repository layout
```
~/homelab/
├── .env                         # Terraform secrets (never committed)
├── .gitignore
├── terraform/proxmox/
│   ├── main.tf                  # 5 VMs via for_each
│   ├── variables.tf
│   ├── outputs.tf
│   └── terraform.tfvars
├── ansible/
│   ├── ansible.cfg
│   ├── inventory/
│   │   ├── hosts.yml
│   │   └── group_vars/all/vault.yml   # Encrypted secrets (Ansible Vault)
│   ├── site.yml                 # Orchestrates everything
│   └── playbooks/
│       ├── base.yml             # Elewyn user, SSH hardening, packages
│       ├── docker.yml           # Docker on forgejo/nextcloud/tools
│       ├── gateway.yml          # WireGuard + Caddy (homelab)
│       ├── forgejo.yml          # Forgejo + PostgreSQL
│       ├── nextcloud.yml        # Nextcloud + QNAP NFS mount
│       ├── tools.yml            # Stirling PDF
│       ├── runner.yml           # Forgejo Actions Runner
│       ├── vps.yml              # Scaleway VPS (WireGuard + Caddy)
│       └── templates/
│           ├── wg0.conf.j2      # WireGuard gateway
│           ├── wg0-vps.conf.j2  # WireGuard VPS
│           ├── Caddyfile-vps.j2 # Caddy reverse proxy
│           ├── forgejo.env.j2
│           └── nextcloud.env.j2
└── docker/
    ├── gateway/Caddyfile
    ├── forgejo/
    │   ├── docker-compose.yml
    │   └── .env.example
    ├── nextcloud/
    │   ├── docker-compose.yml
    │   └── .env.example
    └── tools/docker-compose.yml
```
---
## Users on the VMs
| User | Role | Auth |
|------|------|------|
| ansible | Ansible deployment (cloud-init) | homelab SSH key |
| Elewyn | Admin (sudo via wheel) | homelab SSH key |
| root | SSH login disabled | - |
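Added example of what base.yml would contain for the three accounts above; it is written for this README and is not the repo's playbook. Assumptions: the homelab public key at `$HOME/.ssh/homelab.pub` on the workstation, Elewyn's password hash in Vault as `vault_elewyn_password_hash` (Rocky's default wheel rule asks for a password; SSH never does), and Rocky 9's `Include /etc/ssh/sshd_config.d/*.conf` at the top of sshd_config.

```yaml
# Added example (not the repo's base.yml); key path and vault variable name are assumptions.
- name: Base hardening on all VMs
  hosts: all
  become: true
  vars:
    homelab_pubkey: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/homelab.pub') }}"
  tasks:
    - name: Packages this play is responsible for
      ansible.builtin.dnf:
        name: [qemu-guest-agent, firewalld]
        state: present

    - name: Admin user; sudo comes from wheel membership, not from sudoers edits
      ansible.builtin.user:
        name: Elewyn
        groups: wheel
        append: true
        shell: /bin/bash
        password: "{{ vault_elewyn_password_hash }}"   # used only by sudo; SSH is key-only

    - name: Exactly one authorized key for Elewyn (exclusive removes anything else)
      ansible.posix.authorized_key:
        user: Elewyn
        key: "{{ homelab_pubkey }}"
        exclusive: true

    - name: sshd drop-in; 10- sorts before Red Hat's 50-redhat.conf and sshd keeps the first value it reads
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/10-homelab.conf
        owner: root
        group: root
        mode: "0600"
        validate: /usr/sbin/sshd -t -f %s
        content: |
          PermitRootLogin no
          PasswordAuthentication no
          KbdInteractiveAuthentication no
          PubkeyAuthentication yes
          AllowUsers ansible Elewyn
          X11Forwarding no
          MaxAuthTries 3
      notify: restart sshd

    - name: Guest agent and firewall running at boot
      ansible.builtin.systemd:
        name: "{{ item }}"
        enabled: true
        state: started
      loop: [qemu-guest-agent, firewalld]

    - name: Rocky's public zone ships with cockpit open; by default only SSH is reachable, service playbooks open their own ports
      ansible.posix.firewalld:
        service: cockpit
        state: disabled
        permanent: true
        immediate: true

  handlers:
    - name: restart sshd
      ansible.builtin.systemd:
        name: sshd
        state: restarted
```

The `validate` step matters: sshd reads the drop-in before the main file, so a typo there would lock every account out of every VM at once; `sshd -t` on the temporary copy rejects the change before it is installed.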
---
## Action plan
### Phase 1 - Foundations (DONE)
- [x] WSL2 Debian installed
- [x] Terraform, Ansible, Git installed
- [x] homelab SSH key generated
- [x] Rocky 9 cloud-init template (VMID 9000)
- [x] Proxmox API token (terraform@pam!provider)
- [x] Terraform + Ansible files written
### Phase 2 - VM provisioning
- [x] terraform apply (create the 5 VMs)
- [x] Verify SSH access to the VMs (ping + ansible ping OK)
### Phase 3 - Configuration (Ansible)
- [x] base.yml (users, SSH hardening, firewalld, qemu-agent)
- [x] Install Ansible collections (ansible.posix, community.docker, community.general)
- [x] Ansible Vault (encrypted database secrets)
- [x] ansible-playbook site.yml (docker, services)
### Phase 4 - Services
- [x] Forgejo + PostgreSQL deployed
- [x] Stirling PDF deployed
- [x] Nextcloud + PostgreSQL deployed
- [x] QNAP NFS mounted (nextcloud-data and backups shares created on the QNAP)
- [x] Forgejo Actions Runner deployed (vm-runner)
### Phase 5 - External exposure
- [x] Buy the elewyn.dev domain (~7 EUR/year)
- [x] Rent a Scaleway PLAY2-PICO VPS (~4 EUR/month) - 51.158.126.113
- [x] WireGuard VPS <-> gateway (10.0.0.1 <-> 10.0.0.2)
- [x] Caddy reverse proxy + TLS Let's Encrypt
- [x] Cloudflare DNS (forge.elewyn.dev, cloud.elewyn.dev)
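Added example, not the repo's Caddyfile-vps.j2 or vps.yml, of the Caddy edge this phase puts on the VPS: the two vhosts from the architecture diagram with HSTS and a validated Caddyfile, plus a firewall that exposes nothing beyond SSH, HTTP/HTTPS and the WireGuard port. Assumptions: an inventory host `vps` running firewalld (the VMs are Rocky 9; the VPS OS is not stated in this README), Caddy installed from the official package at /usr/bin/caddy, and an ACME e-mail in Vault as `vault_acme_email`.

```yaml
# Added example (not the repo's Caddy template); host name, caddy path and vault_acme_email are assumptions.
- name: Caddy edge on the VPS
  hosts: vps
  become: true
  tasks:
    - name: Caddyfile - public names map to LAN backends reached through the tunnel
      ansible.builtin.copy:
        dest: /etc/caddy/Caddyfile
        owner: root
        group: caddy
        mode: "0640"
        validate: /usr/bin/caddy validate --adapter caddyfile --config %s
        content: |
          {
              email {{ vault_acme_email }}
          }

          (hardened) {
              header {
                  Strict-Transport-Security "max-age=31536000; includeSubDomains"
                  X-Content-Type-Options nosniff
                  Referrer-Policy strict-origin-when-cross-origin
                  -Server
              }
          }

          forge.elewyn.dev {
              import hardened
              reverse_proxy 192.168.1.50:3000
          }

          cloud.elewyn.dev {
              import hardened
              reverse_proxy 192.168.1.51:8080
          }
      notify: reload caddy

    - name: "Inbound allow-list: SSH, HTTP (ACME challenge + redirect), HTTPS"
      ansible.posix.firewalld:
        service: "{{ item }}"
        state: enabled
        permanent: true
        immediate: true
      loop: [ssh, http, https]

    - name: WireGuard endpoint for the gateway
      ansible.posix.firewalld:
        port: 51820/udp
        state: enabled
        permanent: true
        immediate: true

  handlers:
    - name: reload caddy
      ansible.builtin.systemd:
        name: caddy
        state: reloaded
```

Caddy forwards the client address in X-Forwarded-For, but both backends only honour it from addresses they list as proxies. If the gateway masquerades tunnel traffic (it has to, since the backends' default route is the Orange box), the address they see is 192.168.1.254, so that is what goes into Nextcloud's `trusted_proxies` (with `overwriteprotocol` set to `https`) and Forgejo's `[security] REVERSE_PROXY_TRUSTED_PROXIES`; without it, brute-force protection and the logs attribute every login attempt to the gateway.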
### Phase 6 - QNAP
- [x] Create NFS shares (nextcloud-data)
- [x] Create the backups NFS share
- [x] Configure Proxmox vzdump backups -> NFS (storage qnap-backups, nightly schedule)
- [x] Replace failed disk + rebuild RAID
### Phase 7 - Kubernetes (future)
- [ ] Single-node k3s VM (6 GB RAM)
- [ ] Progressive migration of the services
- [ ] ArgoCD (GitOps)
- [ ] Monitoring (Grafana/Loki/Prometheus)
---
## Budget
### Recurring
| Item | Cost |
|------|------|
| elewyn.dev domain | ~7 EUR/year |
| Scaleway PLAY2-PICO VPS | ~48 EUR/year |
| **Annual total** | **~55 EUR/year** |
### Hardware (one-off)
| Item | Cost |
|------|------|
| QNAP replacement disk | ~25 EUR |
| Intel Xeon Gold 5120 | ~20 EUR |
| 16 GB HP PC4 1RX4 2666 MHz RAM | ~80 EUR |
| **Hardware total** | **~125 EUR** |