Infrastructure as Code - Proxmox, Terraform, Ansible, Docker. Rocky Linux 9, Forgejo, Nextcloud, Stirling PDF.

Find a file

LE BERRE Mickael 88b30f509c docs: nouvelle feuille de route homelab (phases 7-11) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>		2026-06-02 15:44:15 +02:00
ansible	fix: add restart handler on forgejo config changes, document intentional choices	2026-05-18 16:16:23 +02:00
docker	Forjego: changed landing page	2026-05-12 10:41:18 +02:00
terraform/proxmox	fix: add restart handler on forgejo config changes, document intentional choices	2026-05-18 16:16:23 +02:00
.gitignore	Initial commit - homelab infrastructure	2026-04-09 14:46:59 +02:00
CLAUDE.md	docs: pieges runner et terraform datastore	2026-04-30 14:16:24 +02:00
README.md	docs: nouvelle feuille de route homelab (phases 7-11)	2026-06-02 15:44:15 +02:00

README.md

Projet Homelab

Infrastructure physique

HPE ML110 - Proxmox (192.168.1.242)

CPU : Intel Xeon Gold 5120 (14 cores / 28 threads @ 2.20GHz)
RAM : 48 Go (HP PC4 1RX4 2666 MHz)
Boot : EFI
Kernel : Linux 6.5.11-8-pve
Reseau : vmbr0 (Linux bridge)
Disques :
- /dev/sda - 2 To
- /dev/sda1 - biosboot (1 Mo)
- /dev/sda2 - EFI (1 Go)
- /dev/sda3 - LVM 31 Go (local + local-lvm)
- /dev/sda4 - ext4 104 Go "ISO"
- /dev/sda5 - LVM 1.86 To "VMS"

QNAP TS-431P2 (192.168.1.208)

CPU : Alpine AL-314 (ARM Cortex-A15 quad-core)
RAM : 8 Go
Disques : 4 baies, RAID 1
OS : QTS (on ne touche pas)
Services actuels : Plex, bots Discord, NFS/SMB

Reseau

Box Orange : 192.168.1.1 (gateway + DNS)
Masque : /24
Pas de VLAN (reseau basique)

VMs (Proxmox)

VM	VMID	IP	RAM	vCPU	Disk	Role
VM-DEDICATED	110	192.168.1.110	24 Go	8	40 Go	Serveurs de jeu
gateway	200	192.168.1.254	512 Mo	1	8 Go	WireGuard + Caddy (reverse proxy)
forgejo	201	192.168.1.50	1 Go	2	20 Go	Forge logicielle - https://forge.elewyn.dev
nextcloud	202	192.168.1.51	6 Go	4	20 Go	Cloud personnel - https://cloud.elewyn.dev
tools	203	192.168.1.52	2 Go	2	10 Go	Stirling PDF - http://192.168.1.52:8081
runner	204	192.168.1.53	4 Go	4	20 Go	Forgejo Actions Runner
Reste libre			~8.5 Go			Reserve k3s

Template cloud-init : Rocky Linux 9 (VMID 9000)

Repartition du stockage

Donnee	Emplacement	Raison
OS des VMs + disques virtuels	ML110 (LVM "VMS")	Performance I/O
BDD PostgreSQL (Forgejo, Nextcloud)	ML110 (local)	BDD sur NFS = lent et risque
Fichiers Nextcloud (data utilisateur)	QNAP via NFS	Centralise, sauvegardable
Saves serveurs de jeu	QNAP via NFS	Backups
Backups VMs (vzdump)	QNAP via NFS	Proxmox backup natif
Media (Plex)	QNAP (local)	Deja en place

QNAP - Shares NFS

Share	Usage	Acces restreint a
nextcloud-data	Donnees Nextcloud	192.168.1.51
backups	Backups Proxmox	192.168.1.242
game-saves	Saves serveurs de jeu	192.168.1.110 (VM dedicated)

Poste de pilotage

PC Gaming Windows 11 : VSCodium + Claude Code, WSL2 Debian
Laptop Linux Mint : alternative (non disponible actuellement)
WSL2 Debian : Terraform, Ansible, kubectl, Git, cles SSH

Architecture reseau

Internet --> [VPS Scaleway DEV1-S - 51.158.126.113]
                |  Caddy (reverse proxy + TLS Let's Encrypt)
                |  forge.elewyn.dev -> 192.168.1.50:3000
                |  cloud.elewyn.dev -> 192.168.1.51:8080
                |
             WireGuard tunnel (10.0.0.0/24)
             VPS: 10.0.0.1  Gateway: 10.0.0.2
                |
            [VM gateway - 192.168.1.254]
                |
         +------+-------+-------+
         |      |       |       |
      Forgejo  Nextcloud  Plex  Tools
      (.50)    (.51)     (QNAP) (.52)

Stack technique

Outil	Usage
Terraform (bpg/proxmox)	Provisionnement des VMs
Ansible	Configuration des VMs
Docker Compose	Deploiement des services
WireGuard	VPN entre VPS et homelab
Caddy	Reverse proxy + TLS auto
Forgejo	Forge logicielle (syntaxe GitHub Actions)
Nextcloud	Cloud personnel
Stirling PDF	Convertisseur de fichiers
k3s	Kubernetes (phase future)

Arborescence du repo

~/homelab/
├── .env                              # Secrets Terraform (jamais commit)
├── .gitignore
├── terraform/proxmox/
│   ├── main.tf                       # 5 VMs via for_each
│   ├── variables.tf
│   ├── outputs.tf
│   └── terraform.tfvars
├── ansible/
│   ├── ansible.cfg
│   ├── inventory/
│   │   ├── hosts.yml
│   │   └── group_vars/all/vault.yml  # Secrets chiffres (Ansible Vault)
│   ├── site.yml                      # Orchestre tout
│   └── playbooks/
│       ├── base.yml                  # User Elewyn, SSH hardening, packages
│       ├── docker.yml                # Docker sur forgejo/nextcloud/tools
│       ├── gateway.yml               # WireGuard + Caddy (homelab)
│       ├── forgejo.yml               # Forgejo + PostgreSQL
│       ├── nextcloud.yml             # Nextcloud + montage NFS QNAP
│       ├── tools.yml                 # Stirling PDF
│       ├── runner.yml                # Forgejo Actions Runner
│       ├── vps.yml                   # VPS Scaleway (WireGuard + Caddy)
│       └── templates/
│           ├── wg0.conf.j2           # WireGuard gateway
│           ├── wg0-vps.conf.j2       # WireGuard VPS
│           ├── Caddyfile-vps.j2      # Caddy reverse proxy
│           ├── forgejo.env.j2
│           └── nextcloud.env.j2
└── docker/
    ├── gateway/Caddyfile
    ├── forgejo/
    │   ├── docker-compose.yml
    │   └── .env.example
    ├── nextcloud/
    │   ├── docker-compose.yml
    │   └── .env.example
    └── tools/docker-compose.yml

Users sur les VMs

User	Role	Auth
ansible	Deploiement Ansible (cloud-init)	Cle SSH homelab
Elewyn	Admin (sudo via wheel)	Cle SSH homelab
root	Desactive en SSH	-

Plan d'action

Phase 1 - Fondations (FAIT)

WSL2 Debian installe
Terraform, Ansible, Git installes
Cle SSH homelab generee
Template cloud-init Rocky 9 (VMID 9000)
Token API Proxmox (terraform@pam!provider)
Fichiers Terraform + Ansible ecrits

Phase 2 - Provisionnement VMs

terraform apply (creer les 5 VMs)
Verifier acces SSH aux VMs (ping + ansible ping OK)

Phase 3 - Configuration (Ansible)

base.yml (users, SSH hardening, firewalld, qemu-agent)
Installer collections Ansible (ansible.posix, community.docker, community.general)
Ansible Vault (secrets BDD chiffres)
ansible-playbook site.yml (docker, services)

Phase 4 - Services

Forgejo + PostgreSQL deploye
Stirling PDF deploye
Nextcloud + PostgreSQL deploye
NFS QNAP monte (nextcloud-data, backups crees sur QNAP)
Forgejo Actions Runner deploye (vm-runner)

Phase 5 - Exposition externe

Acheter NDD elewyn.dev (~7 EUR/an)
Louer VPS Scaleway DEV1-S (~6 EUR/mois) - 51.158.126.113
WireGuard VPS <-> gateway (10.0.0.1 <-> 10.0.0.2)
Caddy reverse proxy + TLS Let's Encrypt
DNS Cloudflare (forge.elewyn.dev, cloud.elewyn.dev)

Phase 6 - QNAP

Creer shares NFS (nextcloud-data)
Creer share NFS backups
Configurer backups vzdump Proxmox -> NFS (storage qnap-backups, schedule nuit)
Remplacer disque HS + RAID reconstruit

Phase 7 - Resilience & pilotage nomade (en cours)

State Terraform distant (Scaleway Object Storage : hors-site, versionne, verrouille, chiffre)
Acces admin multi-machines via WireGuard (un peer/cle par machine, le VPS reste pur routeur)
Resilience des secrets (inventaire + backstop gestionnaire de mots de passe + runbook de recovery)

Phase 8 - Industrialisation & nouveaux services

Role Ansible docker_service (factoriser forgejo/tools/runner/nextcloud)
Navidrome (musique self-hosted type Spotify, clients offline Android/PC, bibliotheque sur QNAP NFS)

Phase 9 - Observabilite

Prometheus + Grafana interne (vm-tools)
Liveness externe gratuite (Healthchecks.io dead-man-switch + UptimeRobot) -> alertes Discord
Principe : metriques en interne, alerting de survie hors-site (jamais sur le VPS)

Phase 10 - CI/CD & GitOps (futur)

Workflow Forgejo Actions : lint sur PR (terraform fmt/validate, tflint, ansible-lint, yamllint)
Branche master protegee + CI verte obligatoire
terraform plan / ansible --check sur PR, puis apply/playbook au merge (prerequis : state distant)
Trappe de secours manuelle conservee (paradoxe du bootstrap du runner)

Phase 11 - Kubernetes (futur)

VM k3s single-node (6 Go RAM)
Migration progressive des services
ArgoCD (GitOps)

Budget

Recurrent

Poste	Cout
NDD elewyn.dev	~7 EUR/an
VPS Scaleway DEV1-S (compute 0.008/h)	~70 EUR/an
VPS Scaleway - reseau	~40 EUR/an
VPS Scaleway - stockage	~12 EUR/an
Total annuel	~129 EUR/an

Hardware (one-shot)

Poste	Cout
Disque QNAP remplacement	~25 EUR
Intel Xeon Gold 5120	~20 EUR
RAM 16 Go HP PC4 1RX4 2666 MHz	~80 EUR
Total hardware	~125 EUR