From a1a74f30ba08d371193eda252867e95791429fd0 Mon Sep 17 00:00:00 2001 From: Oskar Kapala Date: Wed, 15 Apr 2026 17:37:25 +0200 Subject: [PATCH] Document current homelab state --- .codex | 0 README.md | 53 ++++++++++++++++++++++++++++++++++++++++++++++ docs/access.md | 34 +++++++++++++++++++++++++++++ docs/core-stack.md | 32 ++++++++++++++++++++++++++++ docs/hardware.md | 24 +++++++++++++++++++++ docs/networking.md | 35 ++++++++++++++++++++++++++++++ docs/questions.md | 50 +++++++++++++++++++++++++++++++++++++++++++ docs/services.md | 40 ++++++++++++++++++++++++++++++++++ 8 files changed, 268 insertions(+) create mode 100644 .codex create mode 100644 README.md create mode 100644 docs/access.md create mode 100644 docs/core-stack.md create mode 100644 docs/hardware.md create mode 100644 docs/networking.md create mode 100644 docs/questions.md create mode 100644 docs/services.md diff --git a/.codex b/.codex new file mode 100644 index 0000000..e69de29 diff --git a/README.md b/README.md new file mode 100644 index 0000000..d43948e --- /dev/null +++ b/README.md 
@@ -0,0 +1,53 @@ +# Homelab Current State + +## Description + +This repository documents the current known state of the homelab. + +The documentation is based only on stated facts. Missing details are recorded as unknowns and need clarification. + +## Current configuration + +- Main server hardware: Raspberry Pi 5 +- Core stack: + - Docker + - Portainer + - Nginx Proxy Manager +- Network position: behind NAT +- Public access path: Nginx Proxy Manager with HTTPS using Let's Encrypt +- Private access path: Tailscale +- Known port forwarding: + - External ports `80-81` forward to internal ports `4480-4481` + - External port `443` forwards to internal port `4443` + +## Documentation index + +- [Hardware](docs/hardware.md) +- [Core stack](docs/core-stack.md) +- [Networking](docs/networking.md) +- [Access](docs/access.md) +- [Services](docs/services.md) +- [Unknowns and clarification questions](docs/questions.md) + +## Known facts + +- The homelab has one known main server: Raspberry Pi 5. +- Docker is part of the current stack. +- Portainer is part of the current stack. +- Nginx Proxy Manager is part of the current stack. +- The homelab is behind NAT. +- Public services are exposed through Nginx Proxy Manager with HTTPS certificates from Let's Encrypt. +- Private access is provided through Tailscale. + +## Unknown / needs clarification + +- Operating system and version on the Raspberry Pi 5. +- Storage layout and attached disks. +- Network interface configuration. +- LAN IP addresses. +- Public domain names. +- List of all running containers. +- Exact Nginx Proxy Manager proxy host configuration. +- Tailscale tailnet, device name, and subnet/exit-node configuration if any. +- Backup configuration. +- Monitoring and alerting configuration. diff --git a/docs/access.md b/docs/access.md new file mode 100644 index 0000000..9591b4f --- /dev/null +++ b/docs/access.md 
@@ -0,0 +1,34 @@ +# Access + +## Description + +This page documents the currently known access methods for the homelab. + +## Current configuration + +- Public services are accessed through Nginx Proxy Manager. +- Public HTTPS certificates are issued using Let's Encrypt. +- Private access is provided through Tailscale. + +## Known facts + +- Nginx Proxy Manager is the public reverse proxy. +- HTTPS is used for public services. +- Let's Encrypt is used for public TLS certificates. +- Tailscale is used for private access. + +## Unknown / needs clarification + +- Public domain names and subdomains. +- Which services are public. +- Which services are private-only. +- Nginx Proxy Manager proxy hosts. +- Nginx Proxy Manager SSL certificate settings. +- Whether HTTP-to-HTTPS redirection is enabled. +- Whether Nginx Proxy Manager access lists are used. +- Tailscale device name for the Raspberry Pi 5. +- Whether Tailscale SSH is enabled. +- Whether the Raspberry Pi 5 advertises subnet routes. +- Whether the Raspberry Pi 5 is an exit node. +- User accounts or groups with access through Tailscale. +- Local administrator access method for the Raspberry Pi 5. diff --git a/docs/core-stack.md b/docs/core-stack.md new file mode 100644 index 0000000..bbd3064 --- /dev/null +++ b/docs/core-stack.md 
@@ -0,0 +1,32 @@ +# Core Stack + +## Description + +This page documents the known core software stack running in the homelab. + +## Current configuration + +- Docker +- Portainer +- Nginx Proxy Manager + +## Known facts + +- Docker is used as part of the core stack. +- Portainer is used as part of the core stack. +- Nginx Proxy Manager is used as part of the core stack. + +## Unknown / needs clarification + +- Docker version. +- Docker installation method. +- Whether Docker Compose is used. +- Location of Compose files, stack files, or deployment manifests. +- Portainer deployment method. +- Portainer exposed URL or access method. +- Nginx Proxy Manager deployment method. +- Nginx Proxy Manager exposed URL or access method. +- Container restart policies. +- Container network names and topology. +- Persistent volume locations. +- Backup method for Portainer and Nginx Proxy Manager data. diff --git a/docs/hardware.md b/docs/hardware.md new file mode 100644 index 0000000..c4f41b1 --- /dev/null +++ b/docs/hardware.md @@ -0,0 +1,24 @@ +# Hardware + +## Description + +This page documents the currently known physical hardware for the homelab. + +## Current configuration + +- Main server: Raspberry Pi 5 + +## Known facts + +- The Raspberry Pi 5 is the main server. + +## Unknown / needs clarification + +- Raspberry Pi 5 RAM size. +- Raspberry Pi 5 operating system boot media. +- Storage devices attached to the Raspberry Pi 5. +- Power supply model or rating. +- Case, cooling, fan, or heatsink details. +- UPS presence or absence. +- Network connection type: Ethernet or Wi-Fi. +- Physical location of the server. diff --git a/docs/networking.md b/docs/networking.md new file mode 100644 index 0000000..b04f03b --- /dev/null +++ b/docs/networking.md 
@@ -0,0 +1,35 @@ +# Networking + +## Description + +This page documents the current known network position and port forwarding for the homelab. + +## Current configuration + +- The homelab is behind NAT. +- Port forwarding is configured as follows: + - External ports `80-81` forward to internal ports `4480-4481` + - External port `443` forwards to internal port `4443` + +## Known facts + +- NAT is present between the public internet and the homelab. +- Public HTTP/HTTPS traffic reaches the homelab through forwarded ports. +- External ports `80`, `81`, and `443` are known to be forwarded. +- Internal ports `4480`, `4481`, and `4443` are known forwarding targets. + +## Unknown / needs clarification + +- Router or firewall model. +- Whether the WAN IP is static, dynamic, or CGNAT. +- Internal IP address of the Raspberry Pi 5. +- Whether the Raspberry Pi 5 uses DHCP or static addressing. +- Exact mapping for external ports `80-81` to internal ports `4480-4481`: + - Whether `80` maps to `4480`. + - Whether `81` maps to `4481`. +- Protocols forwarded for each port: TCP, UDP, or both. +- Whether any other ports are forwarded. +- LAN subnet and gateway. +- DNS provider and DNS records. +- IPv6 availability or absence. +- Firewall rules on the Raspberry Pi 5. diff --git a/docs/questions.md b/docs/questions.md new file mode 100644 index 0000000..7cc1ff6 --- /dev/null +++ b/docs/questions.md 
@@ -0,0 +1,50 @@ +# Unknowns and Clarification Questions + +## Description + +This page lists information that is missing or unclear from the current homelab documentation. + +## Current configuration + +The currently documented configuration is limited to: + +- Raspberry Pi 5 as the main server. +- Docker, Portainer, and Nginx Proxy Manager as the core stack. +- NAT with forwarded ports: + - `80-81` to `4480-4481` + - `443` to `4443` +- Public access through Nginx Proxy Manager with Let's Encrypt HTTPS. +- Private access through Tailscale. + +## Known facts + +- The homelab is documented only from the known facts above. +- Anything not listed as known remains unconfirmed. + +## Unknown / needs clarification + +1. What operating system and version is running on the Raspberry Pi 5? +2. What is the Raspberry Pi 5 RAM size? +3. What storage devices are used, and where is persistent service data stored? +4. What is the Raspberry Pi 5 LAN IP address? +5. Is the Raspberry Pi 5 using DHCP or a static IP address? +6. What router or firewall performs NAT and port forwarding? +7. Is the WAN IP static, dynamic, or behind CGNAT? +8. Does external port `80` map to internal port `4480`, and does external port `81` map to internal port `4481`? +9. Are the forwarded ports TCP only, UDP only, or both? +10. Are any other ports forwarded? +11. What domain names or subdomains point to the homelab? +12. What are the Nginx Proxy Manager proxy hosts? +13. Which services are public, and which are private-only? +14. Is HTTP-to-HTTPS redirection enabled in Nginx Proxy Manager? +15. Are Nginx Proxy Manager access lists used? +16. How are Docker, Portainer, and Nginx Proxy Manager deployed? +17. Are Docker Compose files, Portainer stacks, or other manifests available? +18. What containers are currently running? +19. What Docker networks and volumes exist? +20. What is the Tailscale device name for the Raspberry Pi 5? +21. Does the Raspberry Pi 5 advertise Tailscale subnet routes? +22. 
Is the Raspberry Pi 5 configured as a Tailscale exit node? +23. Is Tailscale SSH enabled? +24. What backup system exists, if any? +25. What monitoring or alerting exists, if any? diff --git a/docs/services.md b/docs/services.md new file mode 100644 index 0000000..1c7ac09 --- /dev/null +++ b/docs/services.md @@ -0,0 +1,40 @@ +# Services + +## Description + +This page documents the currently known services in the homelab. + +## Current configuration + +Known services: + +- Portainer +- Nginx Proxy Manager + +Known supporting platform: + +- Docker + +## Known facts + +- Portainer is present in the homelab. +- Nginx Proxy Manager is present in the homelab. +- Public services are exposed through Nginx Proxy Manager using HTTPS. +- Private access is available through Tailscale. + +## Unknown / needs clarification + +- Full list of running services and containers. +- Service names. +- Service purposes. +- Public or private exposure for each service. +- Internal ports for each service. +- External domains for each public service. +- Docker image names and versions. +- Data volume paths. +- Environment variables and secrets handling. +- Service dependencies. +- Restart policies. +- Health checks. +- Backup coverage for each service. +- Restore process for each service.
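Review bot: the empty `.codex` file (new file mode 100644, blob `e69de29`) is not mentioned in the commit message "Document current homelab state" and none of the added docs reference it. If it is a tool marker that was staged by accident, drop it from this commit; if it is intentional, say what it is for in the message or in README.md.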
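Review bot: README.md's "Unknown / needs clarification" list leaves out the forwarded-port questions that docs/networking.md raises (the exact `80-81` to `4480-4481` mapping, TCP or UDP, whether other ports are forwarded), while "Current configuration" presents the forwarding as settled. Either add a bullet that points to docs/questions.md as the full list, or remove the partial list from the README so the two cannot drift apart.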
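Review bot: in docs/access.md, "HTTPS is used for public services" sits under "Known facts" while "Whether HTTP-to-HTTPS redirection is enabled" is still listed as unknown and external port `80` is forwarded. Reword the fact to what is actually established (Nginx Proxy Manager serves public services over HTTPS with Let's Encrypt certificates) so it cannot be read as "public services are reachable over HTTPS only".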
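Review bot: in docs/networking.md, the known fact "Public HTTP/HTTPS traffic reaches the homelab through forwarded ports" also covers external port `81`, but nothing in the hunk says what listens on internal `4481`. Port 81 is the default admin UI port of Nginx Proxy Manager, so if that is what `4481` reaches, the admin login is internet-facing. Add "listener behind each forwarded port" to the unknowns, and if `4481` turns out to be the admin UI, document it as a public exposure of an admin interface rather than as service traffic.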
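Review bot: the numbered list in docs/questions.md does not cover several unknowns that the other pages list, so it cannot serve as the single checklist. Missing are "Firewall rules on the Raspberry Pi 5" (docs/networking.md), "Local administrator access method for the Raspberry Pi 5" and the Tailscale user or group question (docs/access.md), and "Environment variables and secrets handling" (docs/services.md). Add questions for these, or state at the top that the per-page lists are authoritative.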
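Review bot: docs/services.md names Portainer and Nginx Proxy Manager under "Known services" but records exposure only as the general unknown "Public or private exposure for each service". Both are administrative interfaces, so give each its own entry with exposure (public through the proxy, Tailscale only, or LAN only) explicitly marked unknown, so the answer gets recorded per service once it is known.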