Homelab VM Baseline Standard
- Key
- homelab_vm_baseline_standard_2026_03_22
- Source
- contextkeep
- Namespace
- none
- Doc Section
- none
- Created
- 2026-03-22 12:14
- Updated
- 2026-03-22 13:17
- Doc Version
- none
- Chunk
- none
Tags: baseline, cadvisor, contextkeep, docker, homelab, monitoring, node-exporter, portainer, ssh, standard, ubuntu, vm
Homelab Linux VM baseline standard defined on 2026-03-22 for new Ubuntu server VMs.
Scope:
- Baseline applies to general-purpose Ubuntu service VMs in the homelab.
- Separate role-specific add-ons can still be layered on top later, but the baseline includes Docker and a standard Docker project directory layout.
Core baseline standard:
- OS: Ubuntu 24.04 LTS server
- Virtualization target: KVM/QEMU guests in a Proxmox-style environment
- Host identity:
  - unique hostname set correctly before service deployment
  - timezone set explicitly to `America/Chicago`
- Admin access:
  - primary admin user: `svc-admin`
  - `sudo` enabled for `svc-admin`
  - root SSH login not used for normal administration
- SSH:
  - `openssh-server` installed and enabled
  - homelab admin key present in `~svc-admin/.ssh/authorized_keys`
  - key-based access validated before any hardening changes
  - common SSH client option in the environment: `StrictHostKeyChecking accept-new`
  - local admin convenience access should be added so that `ssh <hostname>` works from the admin workstation
- DNS and name resolution:
  - each new VM should get a DNS `A` record in Technitium once its management IP is known
  - the VM hostname should resolve on the homelab network via Technitium
  - the admin workstation should be able to SSH to the VM by hostname, either via DNS resolution alone or via a local SSH config host entry
  - Technitium API automation is part of the baseline when a valid API token is available
- Firewall:
  - `ufw` installed and enabled
  - default posture: deny incoming, allow outgoing
  - SSH allowed before the firewall is enabled
  - only explicitly needed service ports opened per host role
  - baseline restricted access rules:
    - allow `8088/tcp` for `cadvisor` from `svc-monitor` only (`192.168.4.116`)
    - allow node-exporter port `9100/tcp` from `svc-monitor` only (`192.168.4.116`)
    - allow `9001/tcp` for `portainer-agent` from `svc-mgmt` only (`192.168.4.121`)
- Core operator packages:
  - `curl`
  - `wget`
  - `git`
  - `vim`
  - `nano`
  - `tmux`
  - `jq`
  - `ca-certificates`
  - `gnupg`
  - `lsb-release`
  - `bash-completion`
  - `ripgrep`
- Package maintenance baseline commands during provisioning:
  - `sudo apt update`
  - `sudo apt upgrade -y`
  - `sudo apt autoremove -y`
- Reboot policy:
  - always reboot after baseline provisioning and package/install work completes
- Log/journal policy:
  - keep Ubuntu/systemd journal defaults for baseline v1
  - revisit later only if retention or disk use becomes a problem
- Virtualization helpers:
  - `qemu-guest-agent` installed and enabled inside the guest
  - `QEMU Guest Agent` option enabled in the Proxmox VM configuration
- Container runtime baseline:
  - Docker installed from the official Docker apt repository:
    - `docker-ce`
    - `docker-ce-cli`
    - `docker-compose-plugin`
  - Docker service enabled and running
  - `svc-admin` added to the `docker` group
- Standard Docker directory layout under the admin home directory:
  - `/home/svc-admin/docker`
  - `/home/svc-admin/docker/cadvisor`
  - `/home/svc-admin/docker/node-exporter`
  - `/home/svc-admin/docker/portainer-agent`
- Directory conventions beyond Docker:
  - no additional standard directories yet
  - revisit later if `/home/svc-admin/scripts` or other common paths become consistently useful
- Baseline monitoring/agent compose projects:
  - `/home/svc-admin/docker/cadvisor/docker-compose.yml`
    - service name: `cadvisor`
    - image: `gcr.io/cadvisor/cadvisor:latest`
    - container name: `cadvisor`
    - restart policy: `unless-stopped`
    - published port: `8088:8080`
    - volumes:
      - `/:/rootfs:ro`
      - `/var/run:/var/run:ro`
      - `/sys:/sys:ro`
      - `/var/lib/docker/:/var/lib/docker:ro`
  - `/home/svc-admin/docker/node-exporter/docker-compose.yml`
    - service name: `node-exporter`
    - image: `prom/node-exporter:latest`
    - container name: `node-exporter`
    - restart policy: `unless-stopped`
    - network mode: `host`
    - volume:
      - `/:/host:ro,rslave`
    - command:
      - `--path.rootfs=/host`
    - expected exposed port via host networking: `9100/tcp`
  - `/home/svc-admin/docker/portainer-agent/docker-compose.yml`
    - service name: `portainer_agent`
    - image: `portainer/agent:sts`
    - container name: `portainer_agent`
    - restart policy: `unless-stopped`
    - published port: `9001:9001`
    - volumes:
      - `/var/run/docker.sock:/var/run/docker.sock`
      - `/var/lib/docker/volumes:/var/lib/docker/volumes`
- Baseline container activation:
  - after the compose files are created, applying the baseline should also start the standard containers
  - expected commands:
    - `cd /home/svc-admin/docker/cadvisor && docker compose up -d`
    - `cd /home/svc-admin/docker/node-exporter && docker compose up -d`
    - `cd /home/svc-admin/docker/portainer-agent && docker compose up -d`
  - baseline validation should confirm the three containers are running
- Networking:
  - verify the expected management IP after provisioning
  - verify SSH reachability after firewall and SSH setup
- Documentation expectation:
  - add each new VM to inventory/ContextKeep once SSH access is working
- Backup expectation:
  - VM-level backups will be configured in Proxmox
  - backup scheduling is manual for now
  - an automatic backup policy will be added later once the backup system is finished
- Automatic updates policy:
  - enable unattended upgrades by default for now
  - revisit later if it becomes disruptive
- Security extras:
  - `fail2ban` not included in the baseline by default
  - leave it off unless a specific host later needs it
- Baseline validation checks:
  - hostname correct
  - Ubuntu version correct
  - timezone correct
  - `svc-admin` sudo works
  - SSH login works with key auth
  - `ufw status` is active, the default policy is correct, and SSH is allowed
  - `qemu-guest-agent` is active
  - Proxmox guest agent option is enabled
  - Docker is active
  - `docker compose version` works
  - expected directories exist under `/home/svc-admin/docker`
  - baseline compose files exist in their expected directories
  - restricted firewall rules match the baseline source-IP policy
  - unattended upgrades are enabled if the baseline is fully applied
  - `cadvisor`, `node-exporter`, and `portainer-agent` containers are running
  - the hostname resolves in Technitium DNS when a valid API token is available
  - `ssh <hostname>` works from the admin workstation
  - no half-configured packages remain
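The three baseline compose projects listed above, written out as actual compose files by an added helper. This is example code, not the record's own provisioning script; it assumes the Compose v2 file format (no top-level `version:` key), and the `write_baseline_compose` name and its optional base-directory argument are chosen here so the files can be generated somewhere other than `/home/svc-admin/docker` for inspection.

```shell
# Added example, not part of the baseline record: write the three baseline
# compose projects as real docker-compose.yml files. Assumes the Compose v2
# file format (no top-level `version:` key). BASE defaults to the standard
# /home/svc-admin/docker layout; pass another directory to try it elsewhere.
write_baseline_compose() {
  base="${1:-/home/svc-admin/docker}"
  mkdir -p "$base/cadvisor" "$base/node-exporter" "$base/portainer-agent"
  cat > "$base/cadvisor/docker-compose.yml" <<'EOF'
services:
  cadvisor:
    image: gcr.io/cadvisor/cadvisor:latest
    container_name: cadvisor
    restart: unless-stopped
    ports:
      - "8088:8080"   # baseline policy: reachable from svc-monitor (192.168.4.116) only
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:ro
      - /sys:/sys:ro
      - /var/lib/docker/:/var/lib/docker:ro
EOF
  cat > "$base/node-exporter/docker-compose.yml" <<'EOF'
services:
  node-exporter:
    image: prom/node-exporter:latest
    container_name: node-exporter
    restart: unless-stopped
    network_mode: host   # listens on host port 9100/tcp, so ufw filters it directly
    volumes:
      - /:/host:ro,rslave
    command:
      - --path.rootfs=/host
EOF
  cat > "$base/portainer-agent/docker-compose.yml" <<'EOF'
services:
  portainer_agent:
    image: portainer/agent:sts
    container_name: portainer_agent
    restart: unless-stopped
    ports:
      - "9001:9001"   # baseline policy: reachable from svc-mgmt (192.168.4.121) only
    volumes:
      # the Docker socket gives the agent root-equivalent control of this host
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
EOF
}
```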
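For the restricted firewall rules and the validation item that checks them, an added check (example code, not part of this record) that parses `ufw status` output against the baseline source-IP policy; the `ufw_status_ok` function name and both sample outputs are constructed here.

```shell
# Added example, not from the baseline record: validate `ufw status` output
# against the baseline source-IP policy for the restricted monitoring/agent ports.
# ufw_status_ok STATUS_TEXT -> exit 0 if every expected (port, source) rule is
# present and none of the restricted ports is allowed from Anywhere.
BASELINE_RULES="8088/tcp 192.168.4.116
9100/tcp 192.168.4.116
9001/tcp 192.168.4.121"

ufw_status_ok() {
  status="$1"
  rc=0
  while read -r port src; do
    [ -n "$port" ] || continue
    # `ufw status` prints "8088/tcp   ALLOW   192.168.4.116"; `status verbose` prints "ALLOW IN"
    if ! printf '%s\n' "$status" | grep -Eq "^${port}[[:space:]]+ALLOW( IN)?[[:space:]]+${src}([[:space:]]|$)"; then
      echo "MISSING: allow ${port} from ${src}" >&2
      rc=1
    fi
    if printf '%s\n' "$status" | grep -Eq "^${port}[[:space:]]+ALLOW( IN)?[[:space:]]+Anywhere"; then
      echo "TOO BROAD: ${port} allowed from Anywhere" >&2
      rc=1
    fi
  done <<EOF
$BASELINE_RULES
EOF
  return $rc
}

# Constructed sample output matching the baseline (SSH open, restricted ports per source IP).
GOOD_STATUS="Status: active

To                         Action      From
22/tcp                     ALLOW       Anywhere
8088/tcp                   ALLOW       192.168.4.116
9100/tcp                   ALLOW       192.168.4.116
9001/tcp                   ALLOW       192.168.4.121"

# Constructed sample where the cadvisor port was opened to the whole network by mistake.
BAD_STATUS="Status: active

To                         Action      From
22/tcp                     ALLOW       Anywhere
8088/tcp                   ALLOW       Anywhere
9100/tcp                   ALLOW       192.168.4.116
9001/tcp                   ALLOW       192.168.4.121"

ufw_status_ok "$GOOD_STATUS" && echo "restricted firewall rules match the baseline"
```

Keep in mind that Docker publishes `8088:8080` and `9001:9001` through its own iptables chains (DOCKER/FORWARD), which are consulted before ufw's INPUT rules, so these ufw entries only take effect for those two ports if the same source restriction is also placed in the `DOCKER-USER` chain or the port is bound to a specific host address; node-exporter runs with host networking and is filtered by ufw as usual.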
Role-specific add-ons:
- AI host baseline:
  - local model runtime and GPU/runtime setup only when that host is specifically assigned the AI role
- Database host baseline:
  - database packages and data layout only on DB-designated hosts
- App host baseline:
  - application-specific compose projects and data paths added after baseline completion
Explicitly not universal baseline items:
- application-specific ports beyond the baseline monitoring/agent stack
- application stacks or compose projects outside the standard Docker baseline set
Observed de facto environment when the baseline was defined:
- `svc-dev` and `svc-apps` are both Ubuntu 24.04.4 LTS KVM guests
- both already include `curl`, `wget`, `git`, `vim`, `tmux`, `jq`, and `ufw`
- `qemu-guest-agent` was not yet consistently present when the baseline was formalized
- Docker was present on `svc-apps` but not yet on `svc-dev` when this standard was updated
Baseline interpretation:
- This is a pragmatic homelab standard, not a high-compliance hardening benchmark.
- Keep the base consistent across service VMs, then add only what the VM role needs above that baseline.
---
**2026-03-22 13:17:08 UTC | AI Update via MCP**