From b52fe4f2f8c34de7f2c70fdf0aa935ae0adcaeb4 Mon Sep 17 00:00:00 2001 From: Vadym Samoilenko Date: Sun, 3 May 2026 19:16:06 +0100 Subject: [PATCH] vault backup: 2026-05-03 19:16:06 --- 02 Areas/Pending Commands.md | 39 ++++++++++++++++-------- 99 Daily/2026-05-03.md | 3 ++ wiki/homelab/homelab-services-map.md | 44 ++++++++-------------------- 3 files changed, 42 insertions(+), 44 deletions(-) diff --git a/02 Areas/Pending Commands.md b/02 Areas/Pending Commands.md index 7d1a25d..983f53c 100644 --- a/02 Areas/Pending Commands.md +++ b/02 Areas/Pending Commands.md 
@@ -15,20 +15,24 @@ Commands that need to be run on servers. Move to **Done** after confirmation. ``` _Why: CrowdSec running but no bouncer — IPS observing but not blocking_ -### P2 — Phase 3 (REMAINING): Finish config review -- **Karakeep**: disable dead OIDC (AUTH_OIDC_ENABLED=false) — dead Authentik reference -- **Paperless**: clear oidc.env pointing to deleted Authentik -- **Authentik**: containers still in compose but stopped — decide: remove or restore? -- **qBit WebUI**: change listening port to 50000 (Settings → Connection → Listening Port) -- **Router**: add Virtual Server 50000 TCP+UDP → 192.168.1.230:50000 -- ✅ Already done: log rotation added to all services, Jellyseerr TZ fixed, Jellyfin webhooks confirmed +### P1 — This week -### P3 — Phase 4: *arr stack + Russian content -- Add Bazarr (CT111), Recyclarr (CT111), Readarr (CT111) -- Configure Sonarr/Radarr custom formats for Russian audio (score +200) -- Configure Prowlarr: add rutracker, kinozal, rutor, NNM-Club -- qBit compose port already updated to 50000 — need: WebUI + router Virtual Server -- Jellyfin: set default audio/subtitle language to Russian +#### CT102: Add CrowdSec bouncer for NPM +```bash +# Install nginx-proxy-manager bouncer for crowdsec +# See: https://docs.crowdsec.net/docs/bouncers/nginx-proxy-manager +``` +_Why: CrowdSec running but no bouncer — IPS observing but not blocking_ + +### P2 — Phase 3 (REMAINING) +- **Router**: add Virtual Server 50000 TCP+UDP → 192.168.1.230:50000 (qBit port forwarding) +- **qBit WebUI**: verify listening port is 50000 (Settings → Connection — may need manual confirm after restart) +- **Bazarr**: set OpenSubtitles.com credentials, create Russian language profile, assign to Sonarr/Radarr + +### P3 — Phase 5: Dashboards A/B/C +- Deploy Dashy on port 8086 at dashy.ai-impress.com +- Deploy Dashbrr on port 8087 at dashbrr.ai-impress.com +- After comparison: keep 1-2, destroy others ### P4 — Phase 5: Dashboards A/B/C - Rebuild Glance (4 pages: 
Home/Infrastructure/Media/Monitoring), add power widget (RAPL/Prometheus) @@ -60,6 +64,15 @@ _Why: CrowdSec running but no bouncer — IPS observing but not blocking_ | 2026-05-03 | Jellyseerr TZ fix | Europe/Kiev → Europe/London + log rotation added | | 2026-05-03 | Log rotation all CT102 services | json-file max-size:10m added to 22 services + nextcloud + karakeep + CT111 media | | 2026-05-03 | Jellyfin webhooks Sonarr/Radarr | API key 121facab.. created; Sonarr/Radarr connections updated; onDownload+onRename=true | +| 2026-05-03 | Karakeep OIDC disabled | AUTH_OIDC_ENABLED=false, 4 Authentik lines removed, container recreated | +| 2026-05-03 | Paperless OIDC cleared | oidc.env emptied (Authentik provider removed), paperless restarted | +| 2026-05-03 | Authentik stopped | docker compose down in /opt/services/authentik/ (was already stopped) | +| 2026-05-03 | qBit port 50000 applied | qBittorrent.conf Session.Port=50000, compose 50000:50000, container recreated | +| 2026-05-03 | Bazarr added CT111 | lscr.io/linuxserver/bazarr:latest, port 6767, Sonarr+Radarr connected, NPM proxy added | +| 2026-05-03 | Recyclarr added CT111 | ghcr.io/recyclarr/recyclarr:latest, config at /opt/media/recyclarr/recyclarr.yml | +| 2026-05-03 | Russian 1080p minFormatScore | Sonarr+Radarr profile 7 updated: minFormatScore=100 (requires Russian audio) | +| 2026-05-03 | Jellyfin metadata language | PreferredMetadataLanguage=ru, MetadataCountryCode=RU via API | +| 2026-05-03 | qBit categories | tv-sonarr/movies-radarr/manual with correct save paths in categories.json | --- diff --git a/99 Daily/2026-05-03.md b/99 Daily/2026-05-03.md index 5dda9b6..fc13c17 100644 --- a/99 Daily/2026-05-03.md +++ b/99 Daily/2026-05-03.md 
@@ -47,3 +47,6 @@ tags: [daily] - 19:03 (12min) | `aimpress` - **Asked:** Audited PVE homelab containers, documented configs, and created improvement plan | Completed Phase 3 config review: fixed qBittorrent port (6881→50000), corrected Jellyseerr timezone, added log rotation to 22 services, organized Glance app categories | qbittorrent-compose.yml, jellyseerr-compose.yml, logrotate configs, Obsidian audit notes - **Done:** — +- 19:15 | `aimpress` + - **Asked:** Audit PVE homelab server, document all containers/services, identify issues and create improvement plan. + - **Done:** Completed comprehensive server audit, documented all containers and configurations, identified duplicates and issues, created remediation plan with focus on *arr stack, qBittorrent, and Glance dashboard setup. diff --git a/wiki/homelab/homelab-services-map.md b/wiki/homelab/homelab-services-map.md index 53d88a1..8306254 100644 --- a/wiki/homelab/homelab-services-map.md +++ b/wiki/homelab/homelab-services-map.md 
@@ -13,9 +13,9 @@ status: live | CT/VM | Name | IP | RAM | Cores | Status | Role | |-------|------|----|-----|-------|--------|------| | host | pve | 192.168.1.48 | 24 GB | 4 | running | Proxmox VE 9.1.9 (`ssh pve`) | -| CT101 | adguard | 192.168.1.62 | 512 MB | 1 | running | **Legacy** AdGuard Home (native :53+:80) — pending destroy | +| ~~CT101~~ | ~~adguard~~ | ~~192.168.1.62~~ | — | — | **destroyed** | Legacy AdGuard — destroyed 2026-05-03 | | CT102 | docker | 192.168.1.225 | 9 GB | 4 | running | All Docker services (root 20GB + data-hdd 300GB) | -| CT105 | immich | 192.168.1.71 | 8 GB | 4 | **stopped** | Immich photos (GPU bug — needs dev1+dev2 removed from conf) | +| CT105 | immich | 192.168.1.71 | 8 GB | 4 | running | Immich photos (native install, GPU bug fixed 2026-05-03) | | CT111 | media | 192.168.1.230 | 4 GB | 4 | running | Jellyfin + *arr stack + GPU passthrough | | CT112 | n8n | 192.168.1.232 | 2 GB | 2 | running | n8n workflow automation | | VM200 | kali-linux | DHCP | 8 GB | — | stopped | Pentest (start manually: `qm start 200`) | @@ -24,18 +24,6 @@ status: live --- -## CT101 — AdGuard Home Legacy (192.168.1.62) — PENDING DESTROY - -| Service | Port | Notes | -|---------|------|-------| -| AdGuard Home UI | :80 | native install `/opt/AdGuardHome/` | -| DNS | :53 | **LAN DNS server** — router DHCP still points here | -| Beszel agent | :45876 | | - -> ⚠️ DNS migration: CT102 Docker AdGuard (:53 on 192.168.1.225) is the new DNS server. -> **Pending**: update router DHCP primary DNS from 192.168.1.62 → 192.168.1.225. -> After router update: stop CT101 → destroy. - --- ## CT102 — Docker Services (192.168.1.225) 
@@ -98,7 +86,8 @@ status: live |---------|-----|---------------|--------|--------| | Prometheus | http://192.168.1.225:9090 | :9090 | /opt/monitoring/ | ✅ running | | Alertmanager | http://192.168.1.225:9093 | :9093 | /opt/monitoring/ | ✅ running | -| Loki | — | :3100 | /opt/monitoring/ | ✅ running (⚠️ no Promtail — logs not flowing) | +| Loki | — | :3100 | /opt/monitoring/ | ✅ running | +| Promtail | — | :9080 | /opt/monitoring/ | ✅ running (Docker + syslog targets) | | Node Exporter | — | :9100 | — | ✅ running | | Beszel Agent | — | (internal) | — | ✅ running | | Ntfy | https://ntfy.ai-impress.com 🌐 | :2586 | /opt/services/ntfy/ | ✅ running | @@ -111,21 +100,7 @@ status: live | Backrest (restic) | https://backup.ai-impress.com 🏠 | :9898 | /opt/services/backrest/ | ✅ running | | Watchtower | — | — | /opt/services/watchtower/ | ✅ running | | Diun | — | — | /opt/services/diun/ | ✅ running | -| Docker Socket Proxy | — | **0.0.0.0:2376** | — | ✅ running ⚠️ | - -> ⚠️ **docker-socket-proxy** exposed on `0.0.0.0:2376` — Docker TCP API accessible on LAN. Should be restricted to `127.0.0.1` or internal Docker network only. Fix in docker-compose. - -### Stirling PDF — Known Issue - -Crashes on startup: `Unable to resolve Configuration with Issuer https://auth.ai-impress.com/...` -**Root cause:** OIDC config references Authentik which was deleted. -**Fix:** -```bash -ssh pve "pct exec 102 -- bash -lc 'cd /opt/services/stirling-pdf && \ - sed -i s/SECURITY_OAUTH2_ENABLED=true/SECURITY_OAUTH2_ENABLED=false/ .env; \ - docker compose up -d --force-recreate'" -# Or edit docker-compose.yml: set SECURITY_OAUTH2_ENABLED=false, SECURITY_ENABLELOGIN=false -``` +| Docker Socket Proxy | — | **127.0.0.1:2376** | — | ✅ running ✅ fixed | --- 
@@ -137,11 +112,18 @@ ssh pve "pct exec 102 -- bash -lc 'cd /opt/services/stirling-pdf && \ | Sonarr | https://sonarr.ai-impress.com 🏠 | :8989 | /opt/media/sonarr/ | ✅ running | | Radarr | https://radarr.ai-impress.com 🏠 | :7878 | /opt/media/radarr/ | ✅ running | | Prowlarr | https://prowlarr.ai-impress.com 🏠 | :9696 | /opt/media/prowlarr/ | ✅ running | -| qBittorrent | https://qbit.ai-impress.com 🏠 | :8080 | /opt/media/qbittorrent/ | ✅ running | +| qBittorrent | https://qbit.ai-impress.com 🏠 | :8080 (WebUI) / :50000 (P2P) | /opt/media/qbittorrent/ | ✅ running | +| Bazarr | https://bazarr.ai-impress.com 🏠 | :6767 | /opt/media/bazarr/ | ✅ running (added 2026-05-03) | +| Recyclarr | — (cron only) | — | /opt/media/recyclarr/ | ✅ running (added 2026-05-03) | | FlareSolverr | — | :8191 | — | ✅ running | - GPU: Intel HD Graphics 630 → `/dev/dri/card1` + `/dev/dri/renderD128` (NOT renderD129 — that doesn't exist) - Media mount: `data-hdd:vm-111-media` (500 GB LV) → `/mnt/media` +- qBit port: changed 6881 → 50000 (compose + config). **Pending**: router Virtual Server 50000 TCP+UDP → 192.168.1.230:50000 +- Russian 1080p quality profile: minFormatScore=100 (requires Russian audio). Custom formats: Russian Audio +500, English Audio +50 +- Prowlarr indexers: RuTracker, RuTor, NNM-Club, 1337x, Nyaa, Anidub, LimeTorrents +- Bazarr: connected to Sonarr+Radarr, OpenSubtitles.com provider enabled +- Recyclarr: config at /opt/media/recyclarr/recyclarr.yml (Sonarr+Radarr API keys set) ---
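Review bot: In `02 Areas/Pending Commands.md` (hunk `@@ -15,20 +15,24 @@`), the added `#### CT102: Add CrowdSec bouncer for NPM` block looks like a duplicate of the entry directly above it, because the unchanged context line just before it already carries the identical "CrowdSec running but no bouncer" `_Why_` text; keep one copy. Its `bash` fence holds only comments and a docs link, so either put the actual install command in it or mark it as not yet written, given that this file lists commands to run on servers. The added P3 heading "Phase 5: Dashboards A/B/C" also sits right above the unchanged P4 heading with the same title, so two priorities now share one name; merge or rename one.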
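Review bot: In the Done table of `02 Areas/Pending Commands.md` (hunk `@@ -60,6 +64,15 @@`), the Bazarr and Recyclarr rows record `:latest` image tags, which does not say what was actually deployed; record the version tag or image digest so the entry is reproducible and a later image change is noticeable. The Authentik row logs only `docker compose down`, while the pending item removed in the previous hunk asked to decide between remove and restore, so note the decision. The removed P3 items for Readarr and for the Jellyfin default audio/subtitle language have no Done row here (the Jellyfin row covers metadata language only), so they should stay pending or be marked as dropped.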
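Review bot: In `99 Daily/2026-05-03.md` (hunk `@@ -47,3 +47,6 @@`), the added 19:15 entry repeats the ask of the 19:03 entry above it with a more general Done summary, while the 19:03 entry still has an empty Done field and carries its results in the Asked field. Merge the two into one entry and put the specifics (qBittorrent port 6881→50000, Jellyseerr timezone, log rotation on 22 services) under Done.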
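Review bot: In `wiki/homelab/homelab-services-map.md`, the hunk that deletes the CT101 section (`@@ -24,18 +24,6 @@`) drops the warning that router DHCP still pointed at 192.168.1.62 and that CT101 was to be destroyed only after the router's primary DNS was moved to 192.168.1.225, yet nothing added in this patch records that the router change happened. State it explicitly in the CT101 row or in a Done row, because clients still holding the old DNS address lose name resolution once the container is gone. The deletion also leaves two `---` rules back to back before the CT102 heading; remove one.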
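Review bot: In `wiki/homelab/homelab-services-map.md` (hunk `@@ -111,21 +100,7 @@`), the Stirling PDF known-issue section is deleted, fix command included, without any line in this patch saying the crash was resolved; if it was, log it and say which variant was applied, since the second one in the removed text also sets `SECURITY_ENABLELOGIN=false`. For the Docker Socket Proxy row, `127.0.0.1:2376` marked as fixed matches the first option of the removed warning; add how it was verified (for example that port 2376 no longer answers from another LAN host). If every consumer sits on the same internal Docker network, which was the warning's second option, the published port can be dropped entirely.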
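Review bot: In the CT111 bullets of `wiki/homelab/homelab-services-map.md` (hunk `@@ -137,11 +112,18 @@`), "minFormatScore=100 (requires Russian audio)" holds only while no combination of other custom formats reaches 100 without Russian Audio; with English Audio at +50, one more format worth +50 would let a release through with no Russian track. Either list every scored format in the profile or state that these two are the only ones. The values also differ from the plan removed in `02 Areas/Pending Commands.md` (+200 there, +500 here; kinozal planned but absent from the Prowlarr list), which deserves a word of explanation. The Recyclarr bullet says the Sonarr and Radarr API keys are set in `/opt/media/recyclarr/recyclarr.yml`, so note that file's owner and mode next to the path.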