commit 0ce24f38b5665851d2d180bdaf5a6a4cbcc660d6 · krasovs.ky/homelab

+10 -12

README.md

···

       42
       42
        
       

     

       43
       43
        
       ## Caveats

     

       44
       44
        
       

     

       45
       45
       -
       This is not a ready-to-use configuration that you can just apply. It requires additional configuration files

     

       46
       46
       -
       and initialized state. You can apply it, write those configs, then go to Pocket ID, generate OAuth2 Client IDs,

     

       47
       47
       -
       and paste them into container templates. Technically, it's possible to make it as generic as possible,

     

       48
       48
       -
       but I don't think anyone wants to copy my setup entirely. I see this more as a template for your own setups.

     

       45
       45
       +
       This is not a ready-to-use configuration that you can just apply. It requires initialized state.

     

       46
       46
       +
       You can apply it, then go to Pocket ID, generate OAuth2 Client IDs, and paste them into container templates.

     

       47
       47
       +
       Technically, it's possible to make it as generic as possible, but I don't think anyone wants to copy my setup entirely.

     

       48
       48
       +
       I see this more as a template for your own setups.

     

       49
       49
        
       

     

       50
       50
        
       ## Future plans

     

       51
       51
        
       

     

       52
       52
       -
       I would like to switch to Flatcar Linux, but for now it doesn't include the `i915` kernel driver,

     

       53
       53
       -
       which is a dealbreaker for me. However, it's [already merged](https://github.com/flatcar/scripts/pull/2349)

     

       54
       54
       -
       and will soon be available in the Alpha channel.

     

       55
       55
       -
       

     

       56
       56
       -
       Also, I want to move my Traefik, Grafana Alloy and Victoria vmauth configurations to this repo

     

       57
       57
       -
       at some point, but I didn't figure out how to do it properly now.

     

       58
       58
       -
       

     

       59
       59
       -
       And finally I want to harden my network setup, since for now it's pretty permissive.

     

       52
       52
       +
       - [x] Move Traefik, Graana Alloy and other configs to repository. 

     

       53
       53
       +
       - [ ] Consider switching to Flatcar Linux. Personally I like it more, but in the current version they didn't ship

     

       54
       54
       +
            `i915` driver, which is a dealbreaker for me. However, it's [already merged](https://github.com/flatcar/scripts/pull/2349)

     

       55
       55
       +
             and will soon be available in the Alpha channel.

     

       56
       56
       +
       - [ ] Harden network setup; for now it's pretty permissive.

     

       57
       57
       +
       - [ ] Monitor uptime and setup alerts with Uptime Kuma.

+61

configs/alloy/config.alloy

···

       1
       1
       +
       logging {

     

       2
       2
       +
         level  = "info"

     

       3
       3
       +
         format = "json"

     

       4
       4
       +
       }

     

       5
       5
       +
       

     

       6
       6
       +
       discovery.docker "fcos" {

     

       7
       7
       +
         host = "unix:///var/run/docker.sock"

     

       8
       8
       +
       }

     

       9
       9
       +
       

     

       10
       10
       +
       discovery.relabel "docker" {

     

       11
       11
       +
         targets = discovery.docker.fcos.targets

     

       12
       12
       +
         

     

       13
       13
       +
         rule {

     

       14
       14
       +
           action = "labelmap"

     

       15
       15
       +
           regex  = "^__meta_docker_(.*)$"

     

       16
       16
       +
         }

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       loki.source.docker "podman" {

     

       20
       20
       +
         host          = "unix:///var/run/docker.sock"

     

       21
       21
       +
         targets       = discovery.docker.fcos.targets

     

       22
       22
       +
         labels        = { "source_name" = "podman" } 

     

       23
       23
       +
         forward_to    = [loki.process.copy_msg.receiver]

     

       24
       24
       +
         relabel_rules = discovery.relabel.docker.rules

     

       25
       25
       +
       }

     

       26
       26
       +
       

     

       27
       27
       +
       loki.process "copy_msg" {

     

       28
       28
       +
         forward_to = [loki.write.victoria_logs.receiver]

     

       29
       29
       +
       

     

       30
       30
       +
         // Bluesky logs plain json, so we need to manually remap msg to _msg.

     

       31
       31
       +
         stage.match {

     

       32
       32
       +
           selector = "{_msg=\"\"}"

     

       33
       33
       +
       

     

       34
       34
       +
           stage.json {

     

       35
       35
       +
             expressions = { "msg" = "" }

     

       36
       36
       +
           }

     

       37
       37
       +
       

     

       38
       38
       +
           stage.labels {

     

       39
       39
       +
             values = { "_msg" = "msg" }

     

       40
       40
       +
           }

     

       41
       41
       +
         }

     

       42
       42
       +
       }

     

       43
       43
       +
       

     

       44
       44
       +
       loki.write "victoria_logs" {

     

       45
       45
       +
         endpoint {

     

       46
       46
       +
           url = "http://victoria:9428/insert/loki/api/v1/push?_stream_fields=source_name,container_name"

     

       47
       47
       +
         }

     

       48
       48
       +
       }

     

       49
       49
       +
       

     

       50
       50
       +
       // Just Traefik for now

     

       51
       51
       +
       prometheus.scrape "scrape_metrics" {

     

       52
       52
       +
         targets         = [{ __address__ = "traefik:8082" }]

     

       53
       53
       +
         forward_to      = [prometheus.remote_write.victoria_metrics.receiver]

     

       54
       54
       +
         scrape_interval = "10s"

     

       55
       55
       +
       }

     

       56
       56
       +
       

     

       57
       57
       +
       prometheus.remote_write "victoria_metrics" {

     

       58
       58
       +
         endpoint {

     

       59
       59
       +
           url = "http://victoria:8428/prometheus/api/v1/write"

     

       60
       60
       +
         }

     

       61
       61
       +
       }

+3 -1

configs/containers/systemd/glance.container.tftpl

···

       11
       11
        
       User=1000:1000

     

       12
       12
        
       UserNS=keep-id:uid=1000,gid=1000

     

       13
       13
        
       

     

       14
       14
       +
       Secret=glance-github-token,type=env,target=GITHUB_TOKEN

     

       15
       15
       +
       

     

       14
       16
        
       Label="glance.name=Glance"

     

       15
       17
        
       Label="glance.icon=di:glance-light"

     

       16
       18
        
       Label="glance.url=https://glance.${base_domain}"

     
···

       26
       28
        
       Label="traefik.http.routers.glance-private.rule=Host(`glance.${base_domain}`) && (ClientIP(`10.88.0.0/15`) || ClientIP(`192.168.0.0/16`))"

     

       27
       29
        
       Label="traefik.http.routers.glance-private.priority=2"

     

       28
       30
        
       

     

       29
       29
       -
       Volume=/var/mnt/docker/app_data/glance/config:/app/config:Z

     

       31
       31
       +
       Volume=%E/glance:/app/config:Z

     

       30
       32
        
       Volume=/var/mnt/docker/app_data/glance/assets:/app/assets:Z

     

       31
       33
        
       Volume=%t/podman/podman.sock:/var/run/docker.sock

     

       32
       34

+1 -1

configs/containers/systemd/grafana-alloy.container.tftpl

···

       17
       17
        
       

     

       18
       18
        
       Exec=run --storage.path=/var/lib/alloy/data --disable-reporting /etc/alloy/config.alloy

     

       19
       19
        
       

     

       20
       20
       -
       Volume=/var/mnt/docker/app_data/grafana/alloy/config.alloy:/etc/alloy/config.alloy:Z

     

       20
       20
       +
       Volume=%E/alloy/config.alloy:/etc/alloy/config.alloy:Z

     

       21
       21
        
       Volume=%t/podman/podman.sock:/var/run/docker.sock

     

       22
       22
        
       

     

       23
       23
        
       Network=reverse-proxy.network

+2 -2

configs/containers/systemd/victoria/victoria-vmauth.container.tftpl

···

       21
       21
        
       Label="traefik.http.services.vm.loadbalancer.server.port=8427"

     

       22
       22
        
       Label="traefik.http.routers.vm-auth.rule=(Host(`metrics.${base_domain}`) || Host(`logs.${base_domain}`)) && PathPrefix(`/oauth2/`)"

     

       23
       23
        
       Label="traefik.http.routers.vm-auth.service=oauth2-proxy"

     

       24
       24
       -
       Label="traefik.http.middlewares.add-victoria-bearer.headers.customRequestHeaders.Authorization=Bearer ${secrets.victoria_bearer_token}"

     

       24
       24
       +
       Label="traefik.http.middlewares.add-victoria-bearer.headers.customRequestHeaders.Authorization=Bearer ${secrets.vmauth_traefik_bearer_token}"

     

       25
       25
        
       Label="traefik.http.routers.vm-api.rule=(Host(`metrics.${base_domain}`) || Host(`logs.${base_domain}`)) && (HeaderRegexp(`Authorization`, `^Bearer .*$`) || HeaderRegexp(`Authorization`, `^Token .*$`))"

     

       26
       26
        
       Label="traefik.http.routers.vm-api.priority=2"

     

       27
       27
        
       

     

       28
       28
        
       Exec="--auth.config=/etc/auth.yml"

     

       29
       29
        
       

     

       30
       30
       -
       Volume=/var/mnt/docker/app_data/victoria/vmauth/auth.yml:/etc/auth.yml:Z

     

       30
       30
       +
       Volume=%E/vmauth/auth.yml:/etc/auth.yml:Z

     

       31
       31
        
       

     

       32
       32
        
       Pod=victoria.pod

     

       33
       33

configs/glance/glance.yml

···

       1
       1
       +
       server:

     

       2
       2
       +
         assets-path: /app/assets

     

       3
       3
       +
       

     

       4
       4
       +
       pages:

     

       5
       5
       +
         !include: home.yml

+86

configs/glance/home.yml

···

       1
       1
       +
       - name: Startpage

     

       2
       2
       +
         width: slim

     

       3
       3
       +
         hide-desktop-navigation: true

     

       4
       4
       +
         center-vertically: true

     

       5
       5
       +
         columns:

     

       6
       6
       +
           - size: full

     

       7
       7
       +
             widgets:

     

       8
       8
       +
               - type: search

     

       9
       9
       +
                 search-engine: google

     

       10
       10
       +
                 autofocus: true

     

       11
       11
       +
       

     

       12
       12
       +
               - type: docker-containers

     

       13
       13
       +
                 hide-by-default: true

     

       14
       14
       +
       

     

       15
       15
       +
               - type: monitor

     

       16
       16
       +
                 cache: 1m

     

       17
       17
       +
                 title: TLS Passthrough

     

       18
       18
       +
                 sites:

     

       19
       19
       +
                   - title: Proxmox

     

       20
       20
       +
                     url: https://pve.${base_domain}/

     

       21
       21
       +
                     icon: di:proxmox-light

     

       22
       22
       +
                   - title: TrueNAS

     

       23
       23
       +
                     url: https://truenas.${base_domain}/

     

       24
       24
       +
                     icon: di:truenas

     

       25
       25
       +
       

     

       26
       26
       +
               - type: bookmarks

     

       27
       27
       +
                 groups:

     

       28
       28
       +
                   - title: General

     

       29
       29
       +
                     links:

     

       30
       30
       +
                       - title: Fastmail

     

       31
       31
       +
                         icon: di:fastmail

     

       32
       32
       +
                         url: https://app.fastmail.com/

     

       33
       33
       +
                       - title: Github

     

       34
       34
       +
                         icon: di:github-light

     

       35
       35
       +
                         url: https://github.com/

     

       36
       36
       +
                   - title: Social

     

       37
       37
       +
                     links:

     

       38
       38
       +
                       - title: Reddit

     

       39
       39
       +
                         icon: di:reddit

     

       40
       40
       +
                         url: https://www.reddit.com/

     

       41
       41
       +
                       - title: Bluesky

     

       42
       42
       +
                         icon: di:bluesky

     

       43
       43
       +
                         url: https://bsky.app/

     

       44
       44
       +
                       - title: DTF

     

       45
       45
       +
                         icon: https://dtf.ru/assets/favicon-32x32.png

     

       46
       46
       +
                         url: https://dtf.ru/

     

       47
       47
       +
                   - title: Entertainment

     

       48
       48
       +
                     links:

     

       49
       49
       +
                       - title: YouTube

     

       50
       50
       +
                         icon: di:youtube

     

       51
       51
       +
                         url: https://www.youtube.com/

     

       52
       52
       +
       

     

       53
       53
       +
           - size: small

     

       54
       54
       +
             widgets:

     

       55
       55
       +
               - type: weather

     

       56
       56
       +
                 location: Belgrade, Serbia

     

       57
       57
       +
       

     

       58
       58
       +
               - type: releases

     

       59
       59
       +
                 show-source-icon: true

     

       60
       60
       +
                 limit: 20

     

       61
       61
       +
                 collapse-after: 10

     

       62
       62
       +
                 repositories:

     

       63
       63
       +
                   - actualbudget/actual

     

       64
       64
       +
                   - glanceapp/glance

     

       65
       65
       +
                   - grafana/alloy

     

       66
       66
       +
                   - grafana/grafana

     

       67
       67
       +
                   - hoarder-app/hoarder

     

       68
       68
       +
                   - immich-app/immich

     

       69
       69
       +
                   - miniflux/miniflux

     

       70
       70
       +
                   - oauth2-proxy/oauth2-proxy

     

       71
       71
       +
                   - open-webui/open-webui

     

       72
       72
       +
                   - outline/outline

     

       73
       73
       +
                   - pocket-id/pocket-id

     

       74
       74
       +
                   - dockerhub:qbittorrentofficial/qbittorrent-nox

     

       75
       75
       +
                   - traefik/traefik

     

       76
       76
       +
                   - VictoriaMetrics/VictoriaMetrics

     

       77
       77
       +
       

     

       78
       78
       +
               - type: server-stats

     

       79
       79
       +
                 servers:

     

       80
       80
       +
                   - type: local

     

       81
       81
       +
                     name: Services

     

       82
       82
       +
                     hide-mountpoints-by-default: true

     

       83
       83
       +
                     mountpoints:

     

       84
       84
       +
                       "/app/config":

     

       85
       85
       +
                         name: iSCSI

     

       86
       86
       +
                         hide: false

+16

configs/vmauth/auth.yml

···

       1
       1
       +
       users:

     

       2
       2
       +
         # Traefik

     

       3
       3
       +
         - bearer_token: "${secrets.vmauth_traefik_bearer_token}"

     

       4
       4
       +
           url_map:

     

       5
       5
       +
             - src_hosts:

     

       6
       6
       +
               - "metrics\\.${replace(base_domain, ".", "\\\\.")}"

     

       7
       7
       +
               url_prefix: "http://victoria-metrics:8428/"

     

       8
       8
       +
             - src_hosts:

     

       9
       9
       +
               - "logs\\.${replace(base_domain, ".", "\\\\.")}"

     

       10
       10
       +
               url_prefix: "http://victoria-logs:9428/"

     

       11
       11
       +
         # Proxmox

     

       12
       12
       +
         - bearer_token: "${secrets.vmauth_proxmox_bearer_token}"

     

       13
       13
       +
           url_map:

     

       14
       14
       +
             - src_hosts:

     

       15
       15
       +
               - "metrics\\.${replace(base_domain, ".", "\\\\.")}"

     

       16
       16
       +
               url_prefix: "http://victoria-metrics:8428/"

+12 -7

fcos.tf

···

       1
       1
       -
       data "bitwarden_secret" "victoria_bearer_token" {

     

       2
       2
       -
         id = var.containers_secret_config.victoria_bearer_token

     

       1
       1
       +
       data "bitwarden_secret" "vmauth_traefik_bearer_token" {

     

       2
       2
       +
         id = var.containers_secret_config.vmauth_traefik_bearer_token

     

       3
       3
       +
       }

     

       4
       4
       +
       

     

       5
       5
       +
       data "bitwarden_secret" "vmauth_proxmox_bearer_token" {

     

       6
       6
       +
         id = var.containers_secret_config.vmauth_proxmox_bearer_token

     

       3
       7
        
       }

     

       4
       8
        
       

     

       5
       9
        
       data "bitwarden_secret" "immich_map_key" {

     
···

       13
       17
        
           proxmox_ip : var.proxmox_config.host,

     

       14
       18
        
           truenas_ip : var.fcos_config.truenas_ip,

     

       15
       19
        
           secrets : {

     

       16
       16
       -
             victoria_bearer_token : data.bitwarden_secret.victoria_bearer_token.value

     

       17
       17
       -
             immich_map_key = data.bitwarden_secret.immich_map_key.value

     

       20
       20
       +
             vmauth_traefik_bearer_token : data.bitwarden_secret.vmauth_traefik_bearer_token.value

     

       21
       21
       +
             vmauth_proxmox_bearer_token : data.bitwarden_secret.vmauth_proxmox_bearer_token.value

     

       22
       22
       +
             immich_map_key : data.bitwarden_secret.immich_map_key.value

     

       18
       23
        
           }

     

       19
       24
        
         })

     

       20
       25
        
       

     
···

       35
       40
        
         ])

     

       36
       41
        
       

     

       37
       42
        
         butane_config = merge(var.fcos_config, {

     

       38
       38
       -
           config_files  = local.config_files

     

       39
       39
       -
           directories   = local.directories,

     

       43
       43
       +
           config_files = local.config_files

     

       44
       44
       +
           directories  = local.directories,

     

       40
       45
        
         })

     

       41
       46
        
       

     

       42
       47
        
         init_script_path = "${path.module}/scripts/init_fcos.sh.tftpl"

     

       43
       48
        
       }

     

       44
       49
        
       

     

       45
       45
       -
       output "test" {

     

       50
       50
       +
       output "directories_to_create" {

     

       46
       51
        
         value = local.directories

     

       47
       52
        
       }

     

       48
       53

+4 -2

variables.tf

···

       25
       25
        
         type = map(string)

     

       26
       26
        
         default = {

     

       27
       27
        
           traefik_cf_dns_api_token                  = "e9e0f0f0-abc8-4bde-b05f-b292018179bb"

     

       28
       28
       -
           victoria_bearer_token                     = "fba802cf-948f-4ff7-8965-b29f00e2da48"

     

       28
       28
       +
           vmauth_traefik_bearer_token             = "fba802cf-948f-4ff7-8965-b29f00e2da48"

     

       29
       29
       +
           vmauth_proxmox_bearer_token             = "bb281df0-e5e8-4348-a92e-b2a300a30117"

     

       29
       30
        
           oauth2_proxy_cookie_secret                = "289c0832-27c2-463b-97b7-b29200a8cebd"

     

       30
       31
        
           oauth2_proxy_client_secret                = "afdb8ef2-a3d4-4a17-b839-b29200ab6f87"

     

       31
       32
        
           pocket_id_maxmind_license_key             = "08c549a4-bf48-4998-8cb0-b29200ac845d"

     
···

       50
       51
        
           outline_postgres_password                 = "4212e3a7-acd3-4804-ac0e-b29d01015850"

     

       51
       52
        
           outline_oidc_client_secret                = "9c8cae9a-db6d-45d0-8cc0-b29d0101844c"

     

       52
       53
        
           outline_smtp_password                     = "5fdbfb32-257e-4cc3-8b07-b29d01063ba6"

     

       53
       53
       -
           grafana_oauth2_client_secret = "697cf367-a80c-41f6-b975-b2a200a986d8"

     

       54
       54
       +
           grafana_oauth2_client_secret              = "697cf367-a80c-41f6-b975-b2a200a986d8"

     

       55
       55
       +
           glance_github_token                       = "de3353d8-09d9-4063-b513-b2a3008cc2c9"

     

       54
       56
        
         }

     

       55
       57
        
       }

     

       56
       58