traveler 2026-04-12 16:06:16 -05:00
parent bb997e2fa7
commit 0f82f39fdd
25 changed files with 577 additions and 123 deletions

@ -46,7 +46,7 @@ Data lives at `/data/nfs/Baxter/Green/` with two libraries: Clips and Movies.
PocketStash (port 9998) is a separate Stash instance that maintains a curated subset for travel. Before a trip, `syncoid` pushes `vault/Green/Pocket` to the Pocket Grimoire laptop. The Pocket instance runs in read-only travel mode — no writes while traveling.
See [Stash Integration](/Pocket-Grimoire/Software/Stash-Integration) in Pocket Grimoire docs.
See [Stash Integration](/Netgrimoire/Pocket-Grimoire/Software/Stash-Integration) in Pocket Grimoire docs.
---
@ -54,5 +54,5 @@ See [Stash Integration](/Pocket-Grimoire/Software/Stash-Integration) in Pocket G
| | |
|---|---|
| [Stash Management](/Green-Grimoire/Library/Stash-Management) | Library config, scrapers, metadata workflow |
| [VHS Restoration](/Green-Grimoire/Scripts/VHS-Restoration) | Encoding, deinterlace, restoration scripts |
| [Stash Management](/Netgrimoire/Green-Grimoire/Library/Stash-Management) | Library config, scrapers, metadata workflow |
| [VHS Restoration](/Netgrimoire/Green-Grimoire/Scripts/VHS-Restoration) | Encoding, deinterlace, restoration scripts |

@ -49,7 +49,7 @@ Gremlin is a stack of four services running together on `docker4`, all pinned to
| `qwen2.5-coder:7b` | ~5 GB | Code review, YAML audits, compose analysis |
| `llama3.2:3b` | ~2 GB | Alert triage, Q&A, summarization |
Models must be pulled before workflows run. See [Ollama Model Management](/Gremlin-Grimoire/Runbooks/Model-Management).
Models must be pulled before workflows run. See [Ollama Model Management](/Netgrimoire/Gremlin-Grimoire/Runbooks/Model-Management).
---
@ -57,9 +57,9 @@ Models must be pulled before workflows run. See [Ollama Model Management](/Greml
| | |
|---|---|
| [Stack](/Gremlin-Grimoire/Stack/Build-Config) | Full build config, volumes, env vars, compose YAML |
| [Workflows](/Gremlin-Grimoire/Workflows/Forgejo-Audit) | All n8n workflows — architecture, patterns, gotchas |
| [Runbooks](/Gremlin-Grimoire/Runbooks/Deploy) | Deploy, model management, troubleshooting |
| [Stack](/Netgrimoire/Gremlin-Grimoire/Stack/Build-Config) | Full build config, volumes, env vars, compose YAML |
| [Workflows](/Netgrimoire/Gremlin-Grimoire/Workflows/Forgejo-Audit) | All n8n workflows — architecture, patterns, gotchas |
| [Runbooks](/Netgrimoire/Gremlin-Grimoire/Runbooks/Deploy) | Deploy, model management, troubleshooting |
---

@ -71,10 +71,10 @@ $config['imap_conn_options'] = ['ssl' => ['verify_peer' => false, 'verify_peer_n
## Related Docs
- [MXRoute Integration](/Keystone-Grimoire/Mail/MXRoute-Integration)
- [Domain Setup](/Keystone-Grimoire/Mail/Domain-Setup)
- [MailCow Hardening](/Keystone-Grimoire/Mail/Hardening)
- [MailCow Backup](/Vault-Grimoire/Backups/MailCow-Backup)
- [MXRoute Integration](/Netgrimoire/Keystone-Grimoire/Mail/MXRoute-Integration)
- [Domain Setup](/Netgrimoire/Keystone-Grimoire/Mail/Domain-Setup)
- [MailCow Hardening](/Netgrimoire/Keystone-Grimoire/Mail/Hardening)
- [MailCow Backup](/Netgrimoire/Vault-Grimoire/Backups/MailCow-Backup)
---
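Review bot: Certificate verification is disabled in the `$config['imap_conn_options']` line visible in this hunk's header context (`'verify_peer' => false`), and nothing in the visible lines explains why, even though the Related Docs list rewritten here points at MailCow Hardening. If the setting is intentional, add a one-line rationale beside it or in the Hardening page; otherwise track a follow-up to turn verification back on with the correct CA.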

@ -20,10 +20,10 @@ The Keystone Grimoire holds the architectural blueprints of Netgrimoire — how
| Section | Contents |
|---------|----------|
| [Hosts](/Keystone-Grimoire/Hosts/Host-Inventory) | Node inventory, roles, IPs, pinned services, hardware |
| [Network](/Keystone-Grimoire/Network/Topology) | Topology, VLANs, DNS, WireGuard, OpenVPN, port assignments |
| [Docker](/Keystone-Grimoire/Docker/Swarm-Template) | Swarm template standard, overlay network, label rules, volume paths |
| [Mail](/Keystone-Grimoire/Mail/MailCow-Overview) | MailCow, MXRoute, DKIM, SRS, domain setup, hardening |
| [Hosts](/Netgrimoire/Keystone-Grimoire/Hosts/Host-Inventory) | Node inventory, roles, IPs, pinned services, hardware |
| [Network](/Netgrimoire/Keystone-Grimoire/Network/Topology) | Topology, VLANs, DNS, WireGuard, OpenVPN, port assignments |
| [Docker](/Netgrimoire/Keystone-Grimoire/Docker/Swarm-Template) | Swarm template standard, overlay network, label rules, volume paths |
| [Mail](/Netgrimoire/Keystone-Grimoire/Mail/MailCow-Overview) | MailCow, MXRoute, DKIM, SRS, domain setup, hardening |
---

@ -14,20 +14,7 @@ dateCreated: 2026-04-12T00:00:00.000Z
Netgrimoire is the primary self-hosted homelab infrastructure running on `znas` and a cluster of worker nodes under Docker Swarm. It is the foundation every other grimoire depends on.
This section is intentionally high-level — the spine. Detailed technical content lives in the specialized grimoires.
---
## Infrastructure at a Glance
| Host | Role | IP | Runtime |
|------|------|----|---------|
| znas | NAS + Primary Swarm manager | 192.168.5.10 | Docker Swarm manager + Compose |
| docker2 | VPN gateway | — | Docker Compose |
| docker3 | LibreNMS host | — | Docker Compose |
| docker4 (hermes) | Mail + AI worker | 192.168.5.16 | Docker Compose + Swarm worker |
| docker5 | Media host | 192.168.5.18 | Docker Compose |
| Pi nodes | Swarm workers + vault nodes | various | Docker Swarm workers |
This section is the spine — intentionally high-level. All detailed technical content lives in the specialized grimoires nested here.
---
@ -35,14 +22,27 @@ This section is intentionally high-level — the spine. Detailed technical conte
| Grimoire | What Lives There |
|----------|-----------------|
| [Keystone Grimoire](/Keystone-Grimoire/Overview) | Architecture, network topology, Caddy, Docker template, DNS, mail infrastructure |
| [Vault Grimoire](/Vault-Grimoire/Overview) | ZFS storage, Kopia backups, NFS exports, offsite replication |
| [Ward Grimoire](/Ward-Grimoire/Overview) | OPNsense, CrowdSec, Authentik, Authelia, LLDAP, WireGuard, blocklists |
| [Watch Grimoire](/Watch-Grimoire/Overview) | Uptime Kuma, Beszel, LibreNMS, Grafana, Graylog, ntfy, DIUN |
| [Gremlin Grimoire](/Gremlin-Grimoire/Overview) | Ollama, Open WebUI, Qdrant, n8n, AI workflows |
| [Shadow Grimoire](/Shadow-Grimoire/Overview) | Usenet, torrents, arr stack, indexers, media acquisition |
| [Green Grimoire](/Green-Grimoire/Overview) | Adult media: Stash, Jellyfinx, Namer, Whisparr |
| [Pocket Grimoire](/Pocket-Grimoire/Overview) | Portable laptop lab, offline-first, travel vault node |
| [Keystone Grimoire](/Netgrimoire/Keystone-Grimoire/Overview) | Architecture, network topology, Caddy, Docker template, DNS, mail |
| [Vault Grimoire](/Netgrimoire/Vault-Grimoire/Overview) | ZFS storage, Kopia backups, NFS exports, offsite replication |
| [Ward Grimoire](/Netgrimoire/Ward-Grimoire/Overview) | OPNsense, CrowdSec, Authentik, Authelia, LLDAP, WireGuard, blocklists |
| [Watch Grimoire](/Netgrimoire/Watch-Grimoire/Overview) | Uptime Kuma, Beszel, LibreNMS, Grafana, Graylog, ntfy, DIUN |
| [Gremlin Grimoire](/Netgrimoire/Gremlin-Grimoire/Overview) | Ollama, Open WebUI, Qdrant, n8n, AI workflows |
| [Shadow Grimoire](/Netgrimoire/Shadow-Grimoire/Overview) | Usenet, torrents, arr stack, indexers, media acquisition |
| [Green Grimoire](/Netgrimoire/Green-Grimoire/Overview) | Adult media: Stash, Jellyfinx, Namer, Whisparr |
| [Pocket Grimoire](/Netgrimoire/Pocket-Grimoire/Overview) | Portable laptop lab, offline-first, travel vault node |
---
## Infrastructure at a Glance
| Host | Role | IP | Runtime |
|------|------|----|---------|
| znas | NAS + Primary Swarm manager | 192.168.5.10 | Swarm manager + Compose |
| docker2 | VPN gateway | — | Compose only |
| docker3 | LibreNMS | — | Compose only |
| docker4 (hermes) | Mail + AI worker | 192.168.5.16 | Compose + Swarm worker |
| docker5 | Media host | 192.168.5.18 | Compose only |
| Pi nodes | Swarm workers + vault nodes | various | Swarm workers |
---
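Review bot: The Role column of the relocated Infrastructure at a Glance table is no longer consistent: docker3 changes from `LibreNMS host` to `LibreNMS` while docker5 keeps `Media host`. Use one form for both rows. The Runtime values also change to `Compose only` for docker2, docker3 and docker5, which is a content edit mixed into what is otherwise a link-prefix change; call it out in the commit message or split it into its own commit.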
@ -57,7 +57,7 @@ This section is intentionally high-level — the spine. Detailed technical conte
| | |
|---|---|
| 📋 [Service Catalog](/Netgrimoire/Service-Catalog) | Full service inventory with status and grimoire assignment |
| 📖 [Documentation Standards](/Netgrimoire/Conventions/Doc-Standards) | How docs are structured, named, and maintained |
| 📄 [Service Doc Template](/Netgrimoire/Conventions/Service-Doc-Template) | Template for writing new service docs |
| 📖 [Doc Standards](/Netgrimoire/Conventions/Doc-Standards) | How docs are structured, named, and maintained |
| 📄 [Service Doc Template](/Netgrimoire/Conventions/Service-Doc-Template) | Template for new service docs |
| 🎨 [Wiki Theme](/Netgrimoire/Conventions/Theme) | CSS customization and branding |
| 🔍 [Audit Reports](/Netgrimoire/Audits/README) | Gremlin-generated weekly YAML audits |

@ -51,7 +51,7 @@ Pocket Grimoire receives a `syncoid` push from `znas` before each trip:
syncoid znas:vault/Green/Pocket pocket:/srv/greenpg/Green
```
This makes it an offsite encrypted backup node whenever it leaves home. See [Vault Architecture](/Vault-Grimoire/Offsite/Vault-Architecture).
This makes it an offsite encrypted backup node whenever it leaves home. See [Vault Architecture](/Netgrimoire/Vault-Grimoire/Offsite/Vault-Architecture).
---
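Review bot: The rewritten line still describes the laptop as an "offsite encrypted backup node", but the `syncoid` command in the context above it carries no send options, so the page does not show where the encryption comes from. State whether the dataset is sent raw from an encrypted source or the destination pool is encrypted on the laptop, since the two differ in where the key has to be present while traveling.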
@ -59,6 +59,6 @@ This makes it an offsite encrypted backup node whenever it leaves home. See [Vau
| | |
|---|---|
| [Hardware](/Pocket-Grimoire/Hardware/Inventory) | Full hardware list, power kit, storage layout |
| [Software](/Pocket-Grimoire/Software/Stack) | Services, Docker config, ZFS pool |
| [Sync & Deployment](/Pocket-Grimoire/Sync/Pre-Travel-Sync) | Pre-travel checklist, syncoid, deployment guide |
| [Hardware](/Netgrimoire/Pocket-Grimoire/Hardware/Inventory) | Full hardware list, power kit, storage layout |
| [Software](/Netgrimoire/Pocket-Grimoire/Software/Stack) | Services, Docker config, ZFS pool |
| [Sync & Deployment](/Netgrimoire/Pocket-Grimoire/Sync/Pre-Travel-Sync) | Pre-travel checklist, syncoid, deployment guide |

@ -47,4 +47,4 @@ ssh pocket "zpool status pocket-green"
## Deployment Guide
See original [Deployment Guide](/Pocket-Grimoire/Sync/Deployment-Guide) for full from-scratch build procedure.
See original [Deployment Guide](/Netgrimoire/Pocket-Grimoire/Sync/Deployment-Guide) for full from-scratch build procedure.

@ -41,4 +41,4 @@ The vault container (`vault.yaml`) runs a Kopia server on port 51516 that serves
Pocket Grimoire's ZFS pool (`pocket-green` at `/srv/greenpg/`) receives a `syncoid` push from `znas` before each trip. This makes Pocket Grimoire an offsite backup node whenever it leaves the house.
See [Pocket Grimoire Sync](/Pocket-Grimoire/Sync/Pre-Travel-Sync) for the pre-travel checklist.
See [Pocket Grimoire Sync](/Netgrimoire/Pocket-Grimoire/Sync/Pre-Travel-Sync) for the pre-travel checklist.

@ -20,10 +20,10 @@ The Vault Grimoire covers all storage and backup infrastructure. Data starts at
| Section | Contents |
|---------|----------|
| [ZFS](/Vault-Grimoire/ZFS/Storage-Layout) | ZFS pools, datasets, NFS exports, commands reference |
| [Kopia](/Vault-Grimoire/Kopia/Kopia-Overview) | Backup repos, retention, restore, two-repo architecture |
| [Backups](/Vault-Grimoire/Backups/Services-Backup) | Per-service backup runbooks (Immich, MailCow, Nextcloud, Wiki, services) |
| [Offsite](/Vault-Grimoire/Offsite/Vault-Architecture) | Pi vault nodes, ZFS raw send, syncoid workflow |
| [ZFS](/Netgrimoire/Vault-Grimoire/ZFS/Storage-Layout) | ZFS pools, datasets, NFS exports, commands reference |
| [Kopia](/Netgrimoire/Vault-Grimoire/Kopia/Kopia-Overview) | Backup repos, retention, restore, two-repo architecture |
| [Backups](/Netgrimoire/Vault-Grimoire/Backups/Services-Backup) | Per-service backup runbooks (Immich, MailCow, Nextcloud, Wiki, services) |
| [Offsite](/Netgrimoire/Vault-Grimoire/Offsite/Vault-Architecture) | Pi vault nodes, ZFS raw send, syncoid workflow |
---

@ -24,8 +24,8 @@ All Netgrimoire alerts route through self-hosted ntfy at `ntfy.netgrimoire.com`.
## Alert Sources
**OPNsense → ntfy:** CrowdSec HTTP plugin (`/usr/local/etc/crowdsec/notifications/ntfy.yaml`) + Monit script (`/usr/local/bin/ntfy-alert.sh`). See [OPNsense Alerts](/Ward-Grimoire/Notifications/OPNsense-Alerts).
**OPNsense → ntfy:** CrowdSec HTTP plugin (`/usr/local/etc/crowdsec/notifications/ntfy.yaml`) + Monit script (`/usr/local/bin/ntfy-alert.sh`). See [OPNsense Alerts](/Netgrimoire/Ward-Grimoire/Notifications/OPNsense-Alerts).
**Uptime Kuma → Gremlin → ntfy:** Kuma webhook fires on DOWN/RECOVERED → n8n triage workflow → Ollama analysis (DOWN path only) → ntfy `gremlin-alerts`. See [Gremlin Kuma Triage](/Gremlin-Grimoire/Workflows/Kuma-Triage).
**Uptime Kuma → Gremlin → ntfy:** Kuma webhook fires on DOWN/RECOVERED → n8n triage workflow → Ollama analysis (DOWN path only) → ntfy `gremlin-alerts`. See [Gremlin Kuma Triage](/Netgrimoire/Gremlin-Grimoire/Workflows/Kuma-Triage).
**DIUN → ntfy:** Docker image update watcher. Schedule: every 6 hours. Priority must be integer (15), not string `"default"`.
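Review bot: The DIUN context line at the end of this hunk says the priority must be integer `(15)`, but ntfy priorities run from 1 to 5, so this reads like a range that lost its dash. Correct it to the intended value or range while this file is being edited.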

@ -20,9 +20,9 @@ The Ward Grimoire covers all security enforcement, access control, and threat re
| Section | Contents |
|---------|----------|
| [Firewall](/Ward-Grimoire/Firewall/OPNsense) | OPNsense dual-WAN, NAT, static IPs, Suricata IDS, Zenarmor, blocklists, GeoIP |
| [Access](/Ward-Grimoire/Access/Auth-Overview) | Authentik (SSO), Authelia (wasted-bandwidth), LLDAP, Vaultwarden, YubiKey, WireGuard |
| [Notifications](/Ward-Grimoire/Notifications/Alert-Routing) | ntfy, CrowdSec alerts, OPNsense Monit, alert routing |
| [Firewall](/Netgrimoire/Ward-Grimoire/Firewall/OPNsense) | OPNsense dual-WAN, NAT, static IPs, Suricata IDS, Zenarmor, blocklists, GeoIP |
| [Access](/Netgrimoire/Ward-Grimoire/Access/Auth-Overview) | Authentik (SSO), Authelia (wasted-bandwidth), LLDAP, Vaultwarden, YubiKey, WireGuard |
| [Notifications](/Netgrimoire/Ward-Grimoire/Notifications/Alert-Routing) | ntfy, CrowdSec alerts, OPNsense Monit, alert routing |
---
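Review bot: The rewritten Access row carries over `Authelia (wasted-bandwidth)`, which does not say what role Authelia plays next to `Authentik (SSO)`. If the parenthesis names the site or service it fronts, say that explicitly; otherwise replace it with the function, so a reader can tell which identity provider guards which services.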

@ -20,9 +20,9 @@ The Watch Grimoire is the observatory of Netgrimoire. The Oracle sees every hear
| Section | Contents |
|---------|----------|
| [Monitoring](/Watch-Grimoire/Monitoring/Services) | Uptime Kuma, AutoKuma, Beszel, LibreNMS, DIUN, phpIPAM, Scrutiny |
| [Logging](/Watch-Grimoire/Logging/Log-Stack) | Graylog, Loki + Promtail + Grafana, Dozzle |
| [Dashboards](/Watch-Grimoire/Dashboards/Homepage) | Homepage, Glance, Portainer, Homelable |
| [Monitoring](/Netgrimoire/Watch-Grimoire/Monitoring/Services) | Uptime Kuma, AutoKuma, Beszel, LibreNMS, DIUN, phpIPAM, Scrutiny |
| [Logging](/Netgrimoire/Watch-Grimoire/Logging/Log-Stack) | Graylog, Loki + Promtail + Grafana, Dozzle |
| [Dashboards](/Netgrimoire/Watch-Grimoire/Dashboards/Homepage) | Homepage, Glance, Portainer, Homelable |
---