docs: README.md et CLAUDE.md

CLAUDE.md

@@ -0,0 +1,47 @@
+# CLAUDE.md
+
+## Commandes Ansible
+
+Toujours `--ask-vault-pass`, jamais `--vault-password-file`.
+
+```bash
+# Déployer tout
+ansible-playbook -i ansible/inventory/hosts.yml ansible/site.yml --ask-vault-pass
+
+# Un seul playbook
+ansible-playbook -i ansible/inventory/hosts.yml ansible/playbooks/forgejo.yml --ask-vault-pass
+
+# Éditer le vault
+ansible-vault edit ansible/inventory/group_vars/all/vault.yml --ask-vault-pass
+```
+
+## SSH agent (obligatoire avant Ansible)
+
+```bash
+eval $(ssh-agent -s) && ssh-add ~/.ssh/homelab
+```
+
+## Infrastructure
+
+| Hôte | IP | Rôle |
+|------|----|------|
+| Proxmox | 192.168.1.242 | Hyperviseur |
+| vm-gateway | 192.168.1.254 | WireGuard |
+| vm-forgejo | 192.168.1.50 | Forgejo :3000 |
+| vm-nextcloud | 192.168.1.51 | Nextcloud :8080 |
+| vm-tools | 192.168.1.52 | Stirling PDF :8081 |
+| VPS Scaleway | 51.158.126.113 | Caddy + WireGuard |
+| QNAP | 192.168.1.208 | NAS NFS/SMB |
+
+## Vault — variables clés
+
+`vault_forgejo_db_password`, `vault_forgejo_domain`, `vault_nextcloud_db_password`,
+`vault_nextcloud_admin_user`, `vault_nextcloud_admin_password`, `vault_nextcloud_domain`,
+`vault_admin_password`, `vault_wg_*`
+
+## Pièges connus
+
+- Les VMs Rocky Linux utilisent `firewalld`, le VPS Debian utilise `ufw`
+- Docker gère lui-même les règles firewalld — ne pas les gérer dans les playbooks
+- `NEXTCLOUD_TRUSTED_DOMAINS` n'est lu qu'au premier démarrage — utiliser `occ` pour modifier après install
+- Le VPS a `ansible_user: Elewyn` (root SSH désactivé)

terraform/proxmox/main.tf

@@ -1,122 +1,122 @@
-# Provider Proxmox (bpg) - plus moderne, pas le bug user list de telmate
-terraform {
-  required_providers {
-    proxmox = {
-      source  = "bpg/proxmox"
-      version = "~> 0.78"
-    }
-  }
-}
-
-provider "proxmox" {
-  endpoint  = var.proxmox_url
-  api_token = var.proxmox_api_token
-  insecure  = true
-
-  ssh {
-    agent = false
-  }
-}
-
-# --- Locals : configuration centralisee des VMs ---
-locals {
-  vms = {
-    gateway = {
-      vmid    = 200
-      cores   = 1
-      memory  = 512
-      balloon = 256
-      disk    = 10
-      ip      = var.gateway_ip
-    }
-    forgejo = {
-      vmid    = 201
-      cores   = 2
-      memory  = 1024
-      balloon = 512
-      disk    = 20
-      ip      = var.forgejo_ip
-    }
-    nextcloud = {
-      vmid    = 202
-      cores   = 4
-      memory  = 6144
-      balloon = 2048
-      disk    = 20
-      ip      = var.nextcloud_ip
-    }
-    tools = {
-      vmid    = 203
-      cores   = 2
-      memory  = 2048
-      balloon = 1024
-      disk    = 10
-      ip      = var.tools_ip
-    }
-  }
-}
-
-# --- VMs generees dynamiquement par clonage du template ---
-resource "proxmox_virtual_environment_vm" "vm" {
-  for_each = local.vms
-
-  name      = each.key
-  node_name = var.proxmox_node
-  vm_id     = each.value.vmid
-
-  clone {
-    vm_id = var.template_vmid
-  }
-
-  scsi_hardware = "virtio-scsi-single"
-
-  cpu {
-    cores   = each.value.cores
-    sockets = 1
-    type    = "x86-64-v2-AES"
-  }
-
-  memory {
-    dedicated = each.value.memory
-    floating  = each.value.balloon
-  }
-
-  agent {
-    enabled = true
-    timeout = "10s"
-  }
-
-  disk {
-    interface    = "scsi0"
-    size         = each.value.disk
-    datastore_id = var.storage_name
-  }
-
-  network_device {
-    bridge = var.network_bridge
-    model  = "virtio"
-  }
-
-  initialization {
-    ip_config {
-      ipv4 {
-        address = "${each.value.ip}/24"
-        gateway = var.network_gateway
-      }
-    }
-    dns {
-      servers = [var.dns_server]
-    }
-    user_account {
-      username = var.ci_user
-      keys     = [var.ssh_public_key]
-    }
-  }
-
-  lifecycle {
-    ignore_changes = [
-      initialization,
-      network_device
-    ]
-  }
-}
+# Provider Proxmox (bpg)
+terraform {
+  required_providers {
+    proxmox = {
+      source  = "bpg/proxmox"
+      version = "~> 0.78"
+    }
+  }
+}
+
+provider "proxmox" {
+  endpoint  = var.proxmox_url
+  api_token = var.proxmox_api_token
+  insecure  = true
+
+  ssh {
+    agent = false
+  }
+}
+
+# --- Locals : configuration centralisee des VMs ---
+locals {
+  vms = {
+    gateway = {
+      vmid    = 200
+      cores   = 1
+      memory  = 512
+      balloon = 256
+      disk    = 10
+      ip      = var.gateway_ip
+    }
+    forgejo = {
+      vmid    = 201
+      cores   = 2
+      memory  = 1024
+      balloon = 512
+      disk    = 20
+      ip      = var.forgejo_ip
+    }
+    nextcloud = {
+      vmid    = 202
+      cores   = 4
+      memory  = 6144
+      balloon = 2048
+      disk    = 20
+      ip      = var.nextcloud_ip
+    }
+    tools = {
+      vmid    = 203
+      cores   = 2
+      memory  = 2048
+      balloon = 1024
+      disk    = 10
+      ip      = var.tools_ip
+    }
+  }
+}
+
+# --- VMs generees dynamiquement par clonage du template ---
+resource "proxmox_virtual_environment_vm" "vm" {
+  for_each = local.vms
+
+  name      = each.key
+  node_name = var.proxmox_node
+  vm_id     = each.value.vmid
+
+  clone {
+    vm_id = var.template_vmid
+  }
+
+  scsi_hardware = "virtio-scsi-single"
+
+  cpu {
+    cores   = each.value.cores
+    sockets = 1
+    type    = "x86-64-v2-AES"
+  }
+
+  memory {
+    dedicated = each.value.memory
+    floating  = each.value.balloon
+  }
+
+  agent {
+    enabled = true
+    timeout = "10s"
+  }
+
+  disk {
+    interface    = "scsi0"
+    size         = each.value.disk
+    datastore_id = var.storage_name
+  }
+
+  network_device {
+    bridge = var.network_bridge
+    model  = "virtio"
+  }
+
+  initialization {
+    ip_config {
+      ipv4 {
+        address = "${each.value.ip}/24"
+        gateway = var.network_gateway
+      }
+    }
+    dns {
+      servers = [var.dns_server]
+    }
+    user_account {
+      username = var.ci_user
+      keys     = [var.ssh_public_key]
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [
+      initialization,
+      network_device
+    ]
+  }
+}