Skip to content

Session Summary - 2026-01-16

Overview

Completed all remaining improvement items from the 2026-01-15 codebase review, documented home devices, and made a major architecture decision: moved Headscale from RPi 5 to VPSfor 24/7 mesh availability. Completed all 24 items from comprehensive codebase review.Added comprehensive security hardeningbased on full codebase audit.Session 2: Completed 12 infrastructure improvements (quick wins + medium priority) from improvement opportunities audit.

Result:24/24 improvements +21/22 security fixes+12/12 infrastructure improvements

Completed Tasks

Medium Priority (4 items)

# Task File Created

| 8 | VLAN documentation | docs/vlan-design.md | | 9 | Backup test procedure | docs/backup-test-procedure.md | | 10 | Certificate strategy | docs/certificate-strategy.md |

Low Priority (2 items)

# Task Action

| 11 | Archive domain-research.md | Added superseded notice | | 12 | Document NAS PSU model | picoPSU-160-XT + 220W brick |

New Documentation

VLAN Design (docs/vlan-design.md)

  • VLAN 1 (Management): Servers, admin devices
  • VLAN 10 (IoT): Cameras, smart devices - no internet
  • VLAN 20 (Guest): Internet-only access
  • OPNsense firewall rules
  • Camera isolation strategy
  • Switch configuration (MokerLink + PoE)

Backup Test Procedure (docs/backup-test-procedure.md)

  • Monthly test schedule (first Sunday)
  • 7 test procedures:
  • Restic repository health
  • Snapshot verification
  • Headscale restore test
  • Vaultwarden restore test
  • Home Assistant restore test
  • Offsite backup verification
  • Full restore drill (quarterly)
  • Test results template
  • RTO/RPO targets

Certificate Strategy (docs/certificate-strategy.md)

  • Decision: Tailscale HTTPS for internal services
  • Public services: Let's Encrypt via Caddy
  • Static sites: Cloudflare edge certificates
  • Internal services: Tailscale MagicDNS certificates
  • Auto-renewal cron script
  • Certificate inventory

Home Devices (docs/home-devices.md)

  • 14 devices served by homelab services
  • 4 mobile: Samsung A16 (x2), Pixel 6, iPhone 14 Pro Max
  • 4 computers: MacBook Air M1, MacBook Pro 2012, ThinkPad X240, Acer C720
  • 2 entertainment: LG Smart TV, Apple TV 4th Gen
  • 2 audio: Yamaha RX-V671, Infinity Speakers
  • 2 office: HP Deskjet printer, Brother scanner
  • Service access matrix per family member
  • Network/VLAN assignment

Architecture Change: Headscale to VPS

Problem: User concerns about mobile kit (RPi 5 + Beryl AX) running 24/7:

  • Paraguay heat - reduce active equipment in home
  • Fire hazards - fewer devices running overnight
  • Energy consumption - RPi 5 + router unnecessary when sleeping

Solution: Move Headscale from RPi 5 to VPS

Component Before After

| Headscale | RPi 5 (mobile, on-demand) | VPS (24/7) | | Mobile Kit | 24/7 operation | On-demand (7AM-7PM) | | Mesh availability | Depends on mobile kit | Always available | | RPi 5 role | Headscale + Pi-hole | Pi-hole only |

Files Updated

  • docs/services.md - Moved Headscale to VPS section
  • docs/hardware.md - RPi 5 now "Pi-hole (mobile DNS)"
  • docs/mobile-homelab.md - Complete rewrite for on-demand operation
  • docs/architecture-review.md - Updated diagrams
  • docs/monitoring-strategy.md - Mobile kit alerts now info-level (not critical)

Files Created

  • docker/vps/networking/headscale/docker-compose.yml - Headscale + backup sidecar
  • docker/vps/networking/headscale/backup.sh - Hourly SQLite backup script

2.5G Switch Clarification

  • Primary use: NAS ↔ MacBook fast file transfers
  • Cameras don't benefit (1G PoE switch sufficient)
  • Optional: can connect casually when needed

Other Updates

  • docs/domain-research.md: Added archive notice (superseded by domain-strategy.md)
  • docs/hardware.md:
  • Documented NAS PSU: picoPSU-160-XT + 220W brick (192W DC-DC, 2013)
  • Fixed NAS services list (Frigate runs on Docker VM, not NAS)

Commits

Hash Description

| 917bb69 | docs: add VLAN design for IoT isolation | | 2a6b62d | docs: add backup test procedure | | e10064b | docs: add certificate strategy | | 215a195 | docs: archive domain-research.md | | eef49b0 | docs: document NAS PSU model | | f0cbd8b | docs: add session summary for 2026-01-16 | | cc9cae1 | docs: add home devices inventory | | 14cb6ab | docs: update session summary | | 7a875b8 | feat: move Headscale to VPS for 24/7 availability | | 289fd5d | docs: update network diagram with both switches | | bb1797b | fix: add missing critical config files | | 36e1d0a | docs: complete Phase 2 improvements | | d667a39 | docs: complete Phase 3 improvements (6/12) | | 478a8e6 | docs: update session summary | | 48584f0 | docs: complete all 24 improvement items |

Network Diagram Update

Finalized network topology using both switches:

  • MokerLink 2.5G - Main backbone with VLAN trunking (8 ports)
  • TP-Link PoE - Camera power on VLAN 10 access port (unmanaged)
  • Entertainment devices added: Yamaha RX-V671, Apple TV, LG TV

See docs/fixed-homelab.md and docs/vlan-design.md for updated diagrams.

New Improvement Plan (2026-01-16)

Comprehensive codebase review identified 24 improvement items. All 24 complete.

Phase 1: Critical (7/7 Complete)

Item File Created

| frigate.yml | docker/fixed/docker-vm/security/ | | mosquitto.conf | docker/fixed/docker-vm/automation/ | | Caddyfile | docker/fixed/docker-vm/networking/caddy/ | | htpasswd.example | NAS + VPS backup directories | | Mobile Headscale deprecated | Added notice pointing to VPS | | Port 80 conflict resolved | Pi-hole → 8053 |

Phase 2: High (5/5 Complete)

Item File Created

| .env.example files | 14 docker directories | | Docker network strategy | docker/README.md | | Headscale config template | docker/vps/.../config/config.yaml.example | | NFS mount procedure | docs/nfs-setup.md | | OPNsense setup guide | docs/opnsense-setup.md |

Phase 3: Medium (12/12 Complete)

Item File Created/Modified

| qBittorrent port clarification | docs/services.md | | Service matrix (dependencies, access, criticality) | docs/services.md | | Proxmox setup guide | docs/proxmox-setup.md | | Tailscale IP allocation policy | docs/hardware.md | | Top-level README with navigation | README.md | | Docker directory README | docker/README.md (Phase 2) | | NAS symlink documentation | docs/fixed-homelab.md | | Uptime Kuma monitors config | docker/vps/monitoring/monitors.md | | Backup verification scripts | scripts/backup-verify.sh, backup-notify.sh | | Setup runbook | docs/setup-runbook.md | | TLS/SSL strategy consolidation | Caddyfile updated with Tailscale certs | | Ansible playbooks | ansible/ (inventory, common, docker, tailscale) |

Improvements Summary (2026-01-15 to 2026-01-16)

All 12 items from codebase review now complete:

# Task Status Session

| 1 | Update architecture-review.md domains | ✅ | 01-15 | | 2 | Fix Frigate location in services.md | ✅ | 01-15 | | 3 | Docker VM docker-compose files | ✅ | 01-15 | | 4 | NAS docker-compose files | ✅ | 01-15 | | 5 | Port 8080 conflict | ✅ | 01-15 | | 6 | NUT configuration | ✅ | 01-15 | | 7 | Monitoring strategy | ✅ | 01-15 | | 8 | VLAN documentation | ✅ | 01-16 | | 9 | Backup test procedure | ✅ | 01-16 | | 10 | Certificate strategy | ✅ | 01-16 | | 11 | Archive domain-research.md | ✅ | 01-16 | | 12 | NAS PSU model | ✅ | 01-16 |

Security Hardening

Created comprehensive security documentation and fixed all critical/high priority vulnerabilities.

New Documentation

  • docs/security-hardening.md - Complete security guide covering:
  • 2FA setup for all services (YubiKey, TOTP)
  • Fail2ban configuration (SSH, Headscale, Vaultwarden)
  • Firewall rules (UFW for VPS, OPNsense for fixed)
  • DNS privacy (DoH via Cloudflared)
  • IP privacy and anti-doxxing measures
  • Container security best practices

  • Incident response procedures

  • docs/sessions/security-fixes-2026-01-16.md - Security audit findings and remediation plan

Security Fixes Applied (21/22)

Critical (2/2 Complete)

# Issue Fix

| 1 | Pi-hole default password changeme | Changed to ${PIHOLE_PASSWORD:?required} (all 3 instances) | | 2 | Frigate placeholder USER:PASS | Changed to {REOLINK_USER}:{REOLINK_PASS} placeholders |

High Priority (8/8 Complete)

# Issue Fix

| 3-4 | privileged: true on HA + Frigate | Removed privileged mode, use specific device mounts | | 5 | No security_opt | Added no-new-privileges:true to all 35+ services | | 6-7 | No resource limits | Added memory/CPU limits to media stack + changedetection | | 8 | Using :latest tags | Pinned all images to specific versions | | 9 | Default creds in comments | Removed admin/adminadmin from qBittorrent docs | | 10 | No auth enforcement | Added security warning for changedetection |

Medium Priority (11/12 Complete)

# Issue Fix

| 11 | CORS wildcard * | Changed to https://cronova.dev | | 12 | Samba credentials in command | Added ${SAMBA_PASSWORD:?required} validation | | 13-14 | Pi-hole default passwords | Fixed in Critical #1 | | 15 | Restic plaintext creds | Changed to $RESTIC_USER:$RESTIC_HTPASSWD | | 16 | No health checks | Added to 7 critical services | | 17 | SOPS age key placeholder | Added setup warning comment | | 18 | NFS security not documented | Added Security Considerations section | | 19 | Credential examples in comments | Replaced with env var placeholders in 10 files | | 21 | Missing cap_drop | Added cap_drop: ALL to 10 services | | 22 | Network topology in public docs | Sanitized IPs and personal info |

Image Version Pins

Service Before After

| pihole | :latest | :2024.07.0 | | headscale | :latest | :0.23.0 | | vaultwarden | :latest | :1.32.0 | | jellyfin | :latest | :10.9.11 | | caddy | :latest | :2.8 | | soft-serve | :latest | :0.8 | | uptime-kuma | :latest | :1.23 | | ntfy | :latest | :v2.8 | | mosquitto | :latest | :2.0 |

Remaining (1 item)

# Issue Status

| 20 | Containers running as root | Acceptable - many containers require root |

Hardware Added

  • YubiKey 5C NFC (2021) - Hardware 2FA for critical services
  • Kindle Paperwhite 2018 (2020) - Added to accessories inventory

Infrastructure Improvements (Session 2)

Completed all 12 quick win and medium priority items from docs/sessions/improvement-opportunities-2026-01-16.md.

Quick Wins (6/6 Complete)

# Task Files Modified

| 1 | Health checks | All compose files - healthcheck: blocks added | | 2 | Service dependencies | Added depends_on: with conditions | | 3 | Logging limits | All services - max-size: 10m, max-file: 3 | | 4 | Container labels | com.cronova.environment, category, critical | | 5 | Per-service READMEs | 8 docker directories | | 6 | Network topology | docs/network-topology.md |

Medium Priority (6/6 Complete)

# Task Files Modified

| 7 | Resource limits | All 17 services - memory/CPU constraints | | 8 | Shared env files | Created docker/shared/common.env | | 9 | Backup sidecars | Vaultwarden + Home Assistant | | 10 | Read-only filesystems | Caddy, Vaultwarden, Restic REST, DERP | | 11 | Docker secrets | Vaultwarden admin token, restic password | | 12 | Watchtower auto-updates | docker/fixed/docker-vm/maintenance/ |

New Files Created

File Purpose

| docker/shared/common.env | Shared TZ, PUID, PGID | | docker/shared/backup/restic-backup.sh | Reusable backup script | | docker/fixed/docker-vm/maintenance/docker-compose.yml | Watchtower stack | | docker/fixed/docker-vm/maintenance/README.md | Update documentation | | docker/fixed/docker-vm/security/secrets/ | Docker secrets directory | | docs/network-topology.md | Network visualization |

Watchtower Auto-Update Policy

Auto-update enabled (15 containers)

  • Media: Jellyfin, Sonarr, Radarr, Prowlarr, qBittorrent
  • Networking: Pi-hole (×3), Caddy (×2), DERP
  • Storage: Syncthing, Samba, Restic REST (×2)
  • Other: Mosquitto

Manual update required

  • Vaultwarden - Password manager, test first
  • Headscale - Mesh coordinator, coordinate nodes
  • Frigate - NVR, breaking changes possible
  • Home Assistant - Automations, manual testing

Session 2 Commits

Hash Description

| a8bccb3 | docs: add network topology diagram | | f28c9dc | feat: add memory and CPU resource limits | | e7d8c52 | feat: add shared env file for common variables | | c9fe533 | feat: add backup sidecars for Vaultwarden and Home Assistant | | f26bb68 | feat: add read-only root filesystems | | aed5185 | feat: migrate Vaultwarden and backup to Docker secrets | | 757de58 | feat: add Watchtower for automatic container updates |

Next Steps

Documentation: All 24 original improvements + 12 infrastructure improvements complete.

Security: 21/22 fixes complete. Only #20 (root containers) remains - acceptable risk.

Infrastructure: 12/12 quick wins + medium priority items complete.

Remaining lower priority items (#13-19)

# Item Effort

| 13 | Compose file version strategy | 15 min | | 14 | Docker network documentation | 1 hour | | 15 | Prometheus/Grafana monitoring | 2+ hours | | 16 | DR testing automation | 2+ hours | | 17 | Service upgrade strategy | 2 hours | | 18 | Capacity planning doc | 2 hours | | 19 | Non-root containers | Variable |

Deployment priorities:

  1. Deploy Headscale on VPS - First service to enable mesh
  2. Hardware arrival - Wait for RPi 5 PSU to arrive
  3. Deploy mobile kit - Pi-hole on RPi 5 (Headscale now on VPS)
  4. Deploy fixed homelab - Proxmox on Mini PC
  5. Purchase verava.ai - Complete domain strategy

New resources available

  • docs/setup-runbook.md - Full deployment guide
  • docs/network-topology.md - Network visualization
  • docker/shared/common.env - Shared environment variables
  • docker/shared/backup/restic-backup.sh - Backup sidecar script
  • scripts/backup-verify.sh - Monthly backup verification
  • ansible/ - Infrastructure automation playbooks

Next Session Plan

Priority: Begin Deployment

Documentation and infrastructure prep complete. Ready to deploy.

Phase 1: VPS Foundation

  1. Deploy Headscale - Mesh coordinator (enables everything else)
  2. SSH to VPS
  3. Create directories, deploy compose file
  4. Configure ACLs

  5. Register first node (MacBook)

  6. Deploy VPS Caddy - Reverse proxy

  7. TLS for vault.cronova.dev, derp.cronova.dev

  8. Static sites (status page)

  9. Deploy VPS Pi-hole - Fallback DNS

  10. Configure upstream (Cloudflare + Quad9)

  11. Basic blocklists

  12. Deploy DERP relay - NAT traversal helper

  13. Configure in Headscale

Phase 2: Fixed Homelab (requires hardware)

  • Proxmox on Mini PC
  • Docker VM setup
  • NAS configuration
  • Service deployment

Optional: Lower Priority Items

If time permits, address #13-19 from improvement opportunities:

  • Prometheus/Grafana monitoring (#15)
  • DR testing automation (#16)

Prerequisites Check

  • [ ] VPS SSH access working
  • [ ] Domain DNS configured (cronova.dev → VPS IP)
  • [ ] .env files prepared with secrets
  • [ ] Tailscale auth key generated

Reference Documents

  • docs/setup-runbook.md - Step-by-step deployment
  • docs/services.md - Service matrix
  • docker/vps/ - VPS compose files

Notes

  • Pre-push hook requires TTY for main branch confirmation
  • picoPSU from 2013 still functional - consider replacement as future purchase
  • Mobile kit now on-demand operation (7AM-7PM) - reduces heat/energy concerns
  • Mesh works 24/7 via VPS even when mobile kit is off
  • Security audit completed - 22 issues identified, 21 fixed
  • All containers now have security_opt: no-new-privileges:true
  • All containers now have cap_drop: ALL (with specific cap_add where needed)
  • All images pinned to specific versions (no more :latest)
  • Resource limits added to prevent runaway containers
  • Health checks added to critical services
  • Credential examples replaced with env var placeholders
  • Network topology sanitized in public docs (removed specific IPs, family names)