Add homelab part4

Author: gamingrobot

content/posts/homelab-adventure-part-1.md

@@ -7,13 +7,15 @@ slug = "homelab-adventure-part-1"
 tags = ["Linux", "Homelab"]
 +++
 
-Welcome to my journey in building my homelab. This will be an ongoing series of blog posts of my adventures in building my personal infrastructure.
+Welcome to my journey in building my Homelab. This will be an ongoing series of blog posts of my adventures in building my personal infrastructure.
 
 <!-- more -->
 
 **Part 1: The Adventure Begins (You are here!)**  
 [**Part 2: Configuration Management**](@/posts/homelab-adventure-part-2.md)  
 [**Part 3: Internal Network**](@/posts/homelab-adventure-part-3.md)  
+[**Sidequest: Switching from Salt to Ansible**](@/posts/homelab-switching-salt-to-ansible.md)   
+[**Part 4: Application Hosting and Monitoring**](@/posts/homelab-adventure-part-4.md)  
 
 ## What is a Homelab
 
@@ -23,9 +25,9 @@ The primary idea behind a homelab is a place to learn about infrastructure, serv
 
 > Homelab \[hom-læb\](n): a laboratory of (usually slightly outdated) awesome in the domicile
 
-Now by this definition a homelab should reside in a home. In my case part of my homelab will exist outside of my home, due to space and noise constraints. So my homelab is somewhere between a homelab and a "cloudlab".
+Now by this definition a Homelab should reside in a home. In my case part of my Homelab will exist outside of my home, due to space and noise constraints. So my Homelab is somewhere between a Homelab and a "cloudlab".
 
-The [/r/homelab wiki](https://www.reddit.com/r/homelab/wiki/introduction) has a more information on how to get started with a homelab.
+The [/r/homelab wiki](https://www.reddit.com/r/homelab/wiki/introduction) has a more information on how to get started with a Homelab.
 
 ## Inventory
 
@@ -105,3 +107,5 @@ I hope you will join me in this adventure into homelabbing. In the next post in
 **Part 1: The Adventure Begins (You are here!)**  
 [**Part 2: Configuration Management**](@/posts/homelab-adventure-part-2.md)  
 [**Part 3: Internal Network**](@/posts/homelab-adventure-part-3.md)  
+[**Sidequest: Switching from Salt to Ansible**](@/posts/homelab-switching-salt-to-ansible.md)   
+[**Part 4: Application Hosting and Monitoring**](@/posts/homelab-adventure-part-4.md)  

content/posts/homelab-adventure-part-2.md

@@ -7,13 +7,15 @@ slug = "homelab-adventure-part-2"
 tags = ["Linux", "Homelab"]
 +++
 
-Welcome to my journey in building my homelab. This is part of a multipart series, in the last part I gave an overview of the homelab plan. This one will cover how I handle configuration management.
+Welcome to my journey in building my Homelab. This is part of a multipart series; in the last part I gave an overview of the Homelab plan. This one will cover how I handle configuration management.
 
 <!-- more -->
 
 [**Part 1: The Adventure Begins**](@/posts/homelab-adventure-part-1.md)  
 **Part 2: Configuration Management (You are here!)**  
 [**Part 3: Internal Network**](@/posts/homelab-adventure-part-3.md)  
+[**Sidequest: Switching from Salt to Ansible**](@/posts/homelab-switching-salt-to-ansible.md)   
+[**Part 4: Application Hosting and Monitoring**](@/posts/homelab-adventure-part-4.md)  
 
 {% warning() %}
 Since this blog post was written I have [switched from Salt to Ansible](@/posts/homelab-switching-salt-to-ansible.md).
@@ -222,3 +224,5 @@ I hope this gave you a good view of how I use Salt to configure my servers. In t
 [**Part 1: The Adventure Begins**](@/posts/homelab-adventure-part-1.md)  
 **Part 2: Configuration Management (You are here!)**  
 [**Part 3: Internal Network**](@/posts/homelab-adventure-part-3.md)  
+[**Sidequest: Switching from Salt to Ansible**](@/posts/homelab-switching-salt-to-ansible.md)   
+[**Part 4: Application Hosting and Monitoring**](@/posts/homelab-adventure-part-4.md)  

content/posts/homelab-adventure-part-3.md

@@ -7,19 +7,21 @@ slug = "homelab-adventure-part-3"
 tags = ["Linux", "Homelab"]
 +++
 
-Welcome to my journey in building my homelab. This is part of a multipart series, in the last part I gave an overview of how to do configuration management. This one will cover how I set up my internal network.
+Welcome to my journey in building my Homelab. This is part of a multipart series; in the last part I gave an overview of how to setup configuration management. This one will cover how I setup my internal network.
 
 <!-- more -->
 
 [**Part 1: The Adventure Begins**](@/posts/homelab-adventure-part-1.md)  
 [**Part 2: Configuration Management**](@/posts/homelab-adventure-part-2.md)  
-**Part 3: Internal Network (You are here!)**
+**Part 3: Internal Network (You are here!)**  
+[**Sidequest: Switching from Salt to Ansible**](@/posts/homelab-switching-salt-to-ansible.md)   
+[**Part 4: Application Hosting and Monitoring**](@/posts/homelab-adventure-part-4.md)  
 
 ## Why?
 
-It's helpful to have an internal and external network for your homelab. This allows hosting of internal services without exposing them to the internet.
+It's helpful to have an internal and external network for your Homelab. This allows hosting of internal services without exposing them to the internet.
 
-Since my homelab lives in multiple datacenters (and at home), it's less convenient to use a site-to-site VPN. So a peer-to-peer VPN between all my servers is ideal. This also makes it easy for me to add non-servers to the network like my phone or desktop to access those internal services.
+Since my Homelab lives in multiple datacenters (and at home), it's less convenient to use a site-to-site VPN. So a peer-to-peer VPN between all my servers is ideal. This also makes it easy for me to add non-servers to the network like my phone or desktop to access those internal services.
 
 ## What is ZeroTier
 
@@ -35,14 +37,11 @@ These are some other options for peer-to-peer VPNs:
 
 [Nebula](https://github.com/slackhq/nebula) (inspired by tinc) has similar issues to tinc with certificate distribution. One advantage over tinc is that a discovery server is present in the Nebula network to ease node discovery.
 
-[Tailscale](https://tailscale.com/) while a great alternative to ZeroTier, it didn't exist at the time I set up ZeroTier. [This is a great comparison between Tailscale and ZeroTier](https://tailscale.com/compare/zerotier/).
+[Tailscale](https://tailscale.com/) while a great alternative to ZeroTier, it didn't exist at the time I setup ZeroTier. [This is a great comparison between Tailscale and ZeroTier](https://tailscale.com/compare/zerotier/).
 
 ## ZeroTier and Salt
 
 I have written a salt formula for managing ZeroTier with salt. It allows interacting with the local agent and the network controller's API.
 
 [https://github.com/gamingrobot/salt-formula-zerotier](https://github.com/gamingrobot/salt-formula-zerotier)
 
-[**Part 1: The Adventure Begins**](@/posts/homelab-adventure-part-1.md)  
-[**Part 2: Configuration Management**](@/posts/homelab-adventure-part-2.md)  
-**Part 3: Internal Network (You are here!)**

content/posts/homelab-adventure-part-4.md

@@ -0,0 +1,253 @@
++++
+title = "Homelab Adventure - Part 4: Application Hosting and Monitoring"
+description = "Homelab application hosting and monitoring"
+date = 2025-07-13
+slug = "homelab-adventure-part-4"
+[taxonomies]
+tags = ["Linux", "Homelab"]
++++
+
+Welcome to my journey in building my Homelab. This is part of a multipart series; in the last part I showed how to setup an internal network across multiple hosts. This "final" post will go over application hosting and monitoring.
+
+<!-- more -->
+
+[**Part 1: The Adventure Begins**](@/posts/homelab-adventure-part-1.md)  
+[**Part 2: Configuration Management**](@/posts/homelab-adventure-part-2.md)  
+[**Part 3: Internal Network**](@/posts/homelab-adventure-part-3.md)  
+[**Sidequest: Switching from Salt to Ansible**](@/posts/homelab-switching-salt-to-ansible.md)  
+**Part 4: Application Hosting and Monitoring (You are here!)**
+
+## Application Hosting
+
+All applications are hosted in [Docker](https://docs.docker.com/) and configured by [Ansible](https://docs.ansible.com/ansible/latest/index.html) and kept updated via [Watchtower](https://github.com/containrrr/watchtower). I decided to go with this route instead of [Kubernetes](https://kubernetes.io/) because:
+
+- I don't have shared storage across all servers
+- I don't need multiple instances of the applications
+- Most applications are on specific servers
+
+Each container gets a separate role in Ansible that creates a storage folder, a user, and the container. Then in the main playbook I can specify which roles apply to which hosts or the whole group. 
+
+```yaml
+# roles/container-readeck/tasks/main.yml
+- name: readeck-user-present
+  ansible.builtin.user:
+    name: readeck
+    shell: /usr/sbin/nologin
+    uid: 2002
+
+- name: readeck-config-dir
+  ansible.builtin.file:
+    path: /data/readeck
+    state: directory
+    owner: readeck
+    group: readeck
+    mode: '0755'
+
+- name: readeck-container
+  community.docker.docker_container:
+    name: readeck
+    image: codeberg.org/readeck/readeck:latest
+    restart_policy: unless-stopped
+    user: '2002:2002' # has to be the id not name
+    volumes:
+      - "/data/readeck:/readeck"
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
+      traefik.enable: 'true'
+```
+
+### Exposing applications
+
+I use [Traefik](https://doc.traefik.io/traefik/) to expose each application based on labels. I use a wildcard certificate to enable HTTPS, but Let's Encrypt could also be used. If you are worried about mounting the `docker.sock` directly to Traefik, you can setup [socket-proxy](https://github.com/wollomatic/socket-proxy). For managing DNS, I use [DNSControl](https://dnscontrol.org/) but Ansible could also be used, but it is more verbose.
+
+```yaml
+# roles/container-traefik/tasks/main.yml
+- name: traefik-user-present
+  ansible.builtin.user:
+    name: traefik
+    shell: /usr/sbin/nologin
+    uid: 2001
+
+- name: traefik-config-dir
+  ansible.builtin.file:
+    path: /data/traefik
+    state: directory
+    owner: traefik
+    group: traefik
+    mode: '0755'
+
+- name: traefik-cert-dir
+  ansible.builtin.file:
+    path: /data/traefik/config/certs
+    owner: traefik
+    group: traefik
+    state: directory
+    mode: '0755'
+
+- name: traefik-dynamic-config
+  ansible.builtin.template:
+    src: dynamic.yaml.j2
+    dest: /data/traefik/config/dynamic.yaml
+    owner: traefik
+    group: traefik
+    mode: '0644'
+  notify: traefik-container-restart
+
+- name: traefik-config
+  ansible.builtin.template:
+    src: traefik.yaml.j2
+    dest: /data/traefik/config/traefik.yaml
+    owner: traefik
+    group: traefik
+    mode: '0644'
+  notify: traefik-container-restart
+
+- name: traefik-cert
+  ansible.builtin.copy:
+    src: "{{ item.key }}.cert"
+    dest: "/data/traefik/config/certs/{{ item.key }}.cert"
+    owner: traefik
+    group: traefik
+    mode: '0644'
+  loop: "{{ traefik_certs | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  diff: false
+  notify: traefik-container-restart
+  when: traefik_certs is defined
+
+- name: traefik-certkey
+  ansible.builtin.copy:
+    dest: /data/traefik/config/certs/{{ item.key }}.key
+    content: "{{ item.value.key }}"
+    owner: traefik
+    group: traefik
+    mode: '0644'
+  loop: "{{ traefik_certs | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  diff: false
+  notify: traefik-container-restart
+  when: traefik_certs is defined
+
+- name: traefik-container
+  community.docker.docker_container:
+    name: traefik
+    image: traefik:3.2
+    restart_policy: unless-stopped
+    command: "--configFile=/config/traefik.yaml"
+    user: "2001:2001" # has to be the id not name
+    published_ports:
+      - 80:80
+  	  - 443:443
+  	  # Use these if you want traefik to only listen on the internal network (define 'traefik_internal_interface' in host_vars or group_vars)
+      # - "{{ vars['ansible_'~traefik_internal_interface].ipv4.address }}:80:8080"
+      # - "{{ vars['ansible_'~traefik_internal_interface].ipv4.address }}:443:8443"
+    volumes:
+      - /data/traefik/config:/config
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    labels:
+      com.centurylinklabs.watchtower.enable: 'true'
+```
+
+```yaml
+# roles/container-traefik/handlers/main.yml
+- name: traefik-container-restart
+  community.docker.docker_container:
+    name: traefik
+    restart: true
+```
+
+This config sets up the certificates and a middleware for HTTPS redirection and an `ipAllowList`. This middleware can then be specified on a container via the `traefik.http.routers.<app_name>.middlewares: 'internal-network@file'` label (replace `<app_name>` with the application name).
+
+```yaml
+# roles/container-traefik/templates/dynamic.yaml.j2
+{% if traefik_certs %}
+tls:
+  certificates:
+{% for name in traefik_certs.keys() %}
+    - certFile: /config/certs/{{ name }}.cert
+      keyFile: /config/certs/{{ name }}.key
+{% endfor %}
+{% endif %}
+
+http:
+  middlewares:
+    internal-network:
+      chain:
+          middlewares:
+            - internal-allowlist
+            - https-only
+            
+    https-only:
+      redirectScheme:
+        scheme: https
+
+    internal-allowlist: 
+      ipAllowList:
+        sourceRange:
+          - "{{ traefik_internal_iprange }}" # internal network
+          - "172.17.0.1/16" # docker range
+          - "192.168.1.1/24" # home network range
+```
+
+This config sets up the entrypoints, HTTPS redirection and the Docker provider.
+
+```yaml
+# roles/container-traefik/templates/traefik.yaml.j2
+log:
+  level: INFO
+
+entryPoints:
+  web:
+    address: ":8080" # will be routed to port 80 by docker
+    http:
+      redirections:
+        entryPoint:
+          to: ":443"
+          scheme: https
+  websecure:
+    address: ":8443" # will be routed to port 443 by docker
+    http:
+      middlewares: 
+        - https-only@file # default to https everything
+      tls: {}  
+
+providers:
+  docker:
+    exposedByDefault: false # require `traefik.enable: 'true'` label
+    defaultRule: "Host(`{{ '{{' }} normalize .Name {{ '}}' }}.{{ traefik_domain }}`)"
+    network: bridge # default network
+  file:
+    filename: "/config/dynamic.yaml"
+    watch: true
+
+serversTransport:
+  insecureSkipVerify: true # enable self signed certs on containers
+```
+
+Now any container with the `traefik.enable: 'true'` will be automatically exposed on `<container_name>.<traefik_domain>`. If `traefik.http.routers.<app_name>.middlewares: 'internal-network@file'` is set as a label, the application will only be accessible from IPs on the `ipAllowList`.
+
+## Monitoring
+
+For general server metrics and monitoring, I use [Netdata](https://www.netdata.cloud/). There are some additional monitoring modules I have setup: 
+
+- [SMART monitoring](https://learn.netdata.cloud/docs/collecting-metrics/hardware-devices-and-sensors/s.m.a.r.t.)
+- [UPS monitoring](https://learn.netdata.cloud/docs/collecting-metrics/ups/apc-ups)
+- [Container metrics](https://learn.netdata.cloud/docs/collecting-metrics/containers-and-vms/docker)
+
+This gives alerts for things like high disk usage, high memory usage, UPS failed over to battery, and SMART failures.
+
+For custom monitoring, I use [Uptime Kuma](https://github.com/louislam/uptime-kuma). It works well for application health monitoring as well as custom webhook monitors. I have setup custom webhook monitors for:
+
+- BTRFS Health
+- BTRFS Scrubbing
+- Backups
+
+I have alerts from both Netdata and Uptime Kuma going to [Pushover](https://pushover.net/) and email.
+
+[**Part 1: The Adventure Begins**](@/posts/homelab-adventure-part-1.md)  
+[**Part 2: Configuration Management**](@/posts/homelab-adventure-part-2.md)  
+[**Part 3: Internal Network**](@/posts/homelab-adventure-part-3.md)  
+[**Sidequest: Switching from Salt to Ansible**](@/posts/homelab-switching-salt-to-ansible.md)  
+**Part 4: Application Hosting and Monitoring (You are here!)**