# Homelab Required Services

Created: 2026-06-07

## Purpose

Track the user's required network/homelab services Nimrod should be able to create and/or manage across Proxmox hosts.

## Operating Rules

- New managed services do not require repeated approval by default, but Nimrod must first verify the target Proxmox host has sufficient CPU, RAM, storage, networking, and ID/name availability.
- Destructive actions, public exposure, credential disclosure, or risky data-affecting changes still require explicit confirmation.
- Use subagents for read-only discovery/preflight/review to conserve parent context.
- Improve/create specialized subagents when a repeated workflow emerges.
- Store secrets in Vaultwarden using Nimrod's dedicated account/approved collections; do not commit secret values to git.
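Added example of the host preflight described in the first rule (not part of this document or of Nimrod's own tooling): it evaluates constructed samples of `pvesh get /nodes/<node>/status --output-format json` and `pvesh get /cluster/resources --type vm --output-format json`; the 80% headroom threshold and the assumption that the CT's root disk lands on the node's rootfs are assumptions.

```python
import json

GIB = 1024 ** 3

# Constructed sample of `pvesh get /nodes/<node>/status --output-format json`
# (Proxmox field names; the numbers are made up for this example).
NODE_STATUS = json.dumps({
    "memory": {"total": 64 * GIB, "used": 48 * GIB},
    "rootfs": {"total": 200 * GIB, "used": 150 * GIB},
    "cpuinfo": {"cpus": 16},
    "cpu": 0.35,
})

# Constructed sample of `pvesh get /cluster/resources --type vm --output-format json`.
# VMIDs are cluster-wide, so collisions must be checked across all nodes, not just the target.
CLUSTER_VMS = json.dumps([
    {"vmid": 103, "name": "searxng", "type": "lxc", "node": "pve1"},
    {"vmid": 105, "name": "reverse-proxy", "type": "lxc", "node": "pve1"},
    {"vmid": 106, "name": "unbound", "type": "lxc", "node": "pve1"},
])


def preflight(node_status_json, cluster_vms_json, ctid, name, cores, mem_gib, disk_gib, headroom=0.8):
    """Return (ok, reasons) for creating a CT with the given spec.

    Fails if the new CT would push RAM or rootfs use past `headroom` of capacity
    (assumed threshold), asks for more cores than the host exposes, or reuses
    an existing VMID or name anywhere in the cluster. Every failure is reported
    so the operator sees the full list, not just the first problem."""
    status = json.loads(node_status_json)
    vms = json.loads(cluster_vms_json)
    reasons = []
    mem = status["memory"]
    if mem["used"] + mem_gib * GIB > headroom * mem["total"]:
        reasons.append(f"RAM: +{mem_gib} GiB would exceed {int(headroom * 100)}% of host memory")
    fs = status["rootfs"]  # assumption: CT rootfs volume lives on the node's root storage
    if fs["used"] + disk_gib * GIB > headroom * fs["total"]:
        reasons.append(f"storage: +{disk_gib} GiB would exceed {int(headroom * 100)}% of rootfs")
    if cores > status["cpuinfo"]["cpus"]:
        reasons.append(f"CPU: {cores} cores requested, host has {status['cpuinfo']['cpus']}")
    if any(v["vmid"] == ctid for v in vms):
        reasons.append(f"VMID {ctid} already in use in the cluster")
    if any(v["name"] == name for v in vms):
        reasons.append(f"name '{name}' already in use in the cluster")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(preflight(NODE_STATUS, CLUSTER_VMS, 107, "homepage", 2, 2, 8))
    print(preflight(NODE_STATUS, CLUSTER_VMS, 105, "unbound", 32, 4, 16))
```

For a real run, replace the constructed JSON with the live `pvesh` output and query the intended storage pool's status rather than rootfs when the CT disk is placed elsewhere.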

## Required Services / Capabilities

| Service/capability | Desired role | Current status | Primary ticket/runbook |
|---|---|---|---|
| Nginx reverse proxy | Reverse proxy for relevant services | MVP deployed as CT 105 `reverse-proxy`; SearXNG proxied with temporary self-signed TLS | `tickets/active/2026-06-06-nginx-reverse-proxy-and-tls-standard.md`, `runbooks/nginx-reverse-proxy.md` |
| Unbound | Standalone internal DNS server, not OPNsense plugin | MVP deployed as CT 106 `unbound`; direct resolver test works; router/Tailscale integration pending | `tickets/active/2026-06-07-standalone-unbound-internal-dns.md`, `runbooks/unbound-internal-dns.md` |
| Gluetun + Private Internet Access | Optional VPN/proxy path for network users/services | Required / not deployed | ticket needed |
| Pi-hole | Ad blocking for users; transparent if practical | Required / not deployed | ticket needed |
| OPNsense | Existing router/firewall instance; Nimrod should manage it | Existing but access/management not yet configured here | ticket needed / systems inventory update needed |
| Nimrod/Pi LXC | Server-hosted Nimrod runtime | In progress / bootstrap migrated to CT 104 | `tickets/active/2026-06-06-move-pi-instance-to-server.md` |
| Multi-Proxmox management | Manage 3 Proxmox servers and contained VMs/LXCs | Access to 1 of 3 currently documented | needs inventory/access tickets |
| Ansible updates | Keep services up to date safely | MVP installed/configured on Nimrod; first non-critical trial updated Homepage successfully | `tickets/active/2026-06-06-managed-update-schedules-ansible.md`, `runbooks/homelab-managed-updates.md` |
| SearXNG | User search + future Nimrod web researcher gateway | Deployed CT 103; proxied through CT 105 MVP | `tickets/active/2026-06-06-add-searxng-service.md`, `runbooks/searxng-homelab.md` |
| Dashboard | Admin-friendly dashboard configurable by Nimrod without web GUI | Homepage MVP deployed as CT 107; config-as-code under `/opt/homepage/config`; proxied at `dashboard.dropcutstud.io` | `tickets/active/2026-06-06-service-dashboard-registration.md`, `runbooks/homepage-dashboard.md` |
| Backups | Backups for running services | Vaultwarden MVP backup/restore verified; broader service backup standard needed | backup tickets / service template |
| Vaultwarden secrets | Store service secrets in Nimrod's Vaultwarden account | Vaultwarden deployed; backup/restore verified; assistant access model still to implement | `tickets/active/2026-05-18-consolidated-homelab-secrets-management.md`, `runbooks/assistant-vaultwarden-access.md` |

## Near-Term Suggested Order

1. Finish reverse proxy MVP documentation and DNS follow-up.
2. Deploy standalone Unbound or selected dedicated DNS service.
3. Register `search.dropcutstud.io` and proxy service names through internal DNS.
4. Deploy dashboard from registry/config so Nimrod can administer it by file/CLI.
5. Implement Ansible inventory and safe update runbook.
6. Implement controlled assistant Vaultwarden access for service secrets.
7. Add Pi-hole and Gluetun after DNS/proxy foundation is stable.
8. Inventory and add access for the other two Proxmox servers.

## Notes

- User explicitly wants a standalone Unbound instance rather than the OPNsense plugin.
- User wants dashboard configuration to be manageable by Nimrod without requiring web UI operations.
- Transparent Pi-hole/ad-blocking may require router/DHCP/firewall changes and should be planned carefully.
- Gluetun/PIA involves external VPN credentials and must go through Vaultwarden/secret-handling gates.
