{"key":"homelab_vm_baseline_standard_2026_03_22","title":"Homelab VM Baseline Standard","content":"Homelab Linux VM baseline standard defined on 2026-03-22 for new Ubuntu server VMs.\n\nScope:\n- Baseline applies to general-purpose Ubuntu service VMs in the homelab.\n- Separate role-specific add-ons can still be layered on top later, but the baseline includes Docker and a standard Docker project directory layout.\n\nCore baseline standard:\n- OS: Ubuntu 24.04 LTS server\n- Virtualization target: KVM/QEMU guests in Proxmox-style environment\n- Host identity:\n  - unique hostname set correctly before service deployment\n  - timezone set explicitly to `America/Chicago`\n- Admin access:\n  - primary admin user: `svc-admin`\n  - `sudo` enabled for `svc-admin`\n  - root SSH login not used for normal administration\n- SSH:\n  - `openssh-server` installed and enabled\n  - homelab admin key present in `~svc-admin/.ssh/authorized_keys`\n  - key-based access validated before any hardening changes\n  - common SSH client option in the environment: `StrictHostKeyChecking accept-new`\n  - local admin convenience access should be added so `ssh <hostname>` works from the admin workstation\n- DNS and name resolution:\n  - each new VM should get a DNS `A` record in Technitium once its management IP is known\n  - the VM hostname should resolve on the homelab network via Technitium\n  - the admin workstation should be able to SSH to the VM by hostname, either via DNS resolution alone or via a local SSH config host entry\n  - Technitium API automation is part of the baseline when a valid API token is available\n- Firewall:\n  - `ufw` installed and enabled\n  - default posture: deny incoming, allow outgoing\n  - SSH allowed before firewall enablement\n  - only explicitly needed service ports opened per host role\n  - baseline restricted access rules:\n    - allow `8088/tcp` for `cadvisor` from `svc-monitor` only (`192.168.4.116`)\n    - allow node-exporter port `9100/tcp` from 
`svc-monitor` only (`192.168.4.116`)\n    - allow `9001/tcp` for `portainer-agent` from `svc-mgmt` only (`192.168.4.121`)\n- Core operator packages:\n  - `curl`\n  - `wget`\n  - `git`\n  - `vim`\n  - `nano`\n  - `tmux`\n  - `jq`\n  - `ca-certificates`\n  - `gnupg`\n  - `lsb-release`\n  - `bash-completion`\n  - `ripgrep`\n- Package maintenance baseline commands during provisioning:\n  - `sudo apt update`\n  - `sudo apt upgrade -y`\n  - `sudo apt autoremove -y`\n- Reboot policy:\n  - always reboot after baseline provisioning and package/install work completes\n- Log/journal policy:\n  - keep Ubuntu/systemd journal defaults for baseline v1\n  - revisit later only if retention or disk use becomes a problem\n- Virtualization helpers:\n  - `qemu-guest-agent` installed and enabled inside the guest\n  - `QEMU Guest Agent` option enabled in the Proxmox VM configuration\n- Container runtime baseline:\n  - Docker installed from the official Docker apt repository\n  - `docker-ce`\n  - `docker-ce-cli`\n  - `docker-compose-plugin`\n  - Docker service enabled and running\n  - `svc-admin` added to the `docker` group\n- Standard Docker directory layout under the admin home directory:\n  - `/home/svc-admin/docker`\n  - `/home/svc-admin/docker/cadvisor`\n  - `/home/svc-admin/docker/node-exporter`\n  - `/home/svc-admin/docker/portainer-agent`\n- Directory conventions beyond Docker:\n  - no additional standard directories yet\n  - revisit later if `/home/svc-admin/scripts` or other common paths become consistently useful\n- Baseline monitoring/agent compose projects:\n  - `/home/svc-admin/docker/cadvisor/docker-compose.yml`\n    - service name: `cadvisor`\n    - image: `gcr.io/cadvisor/cadvisor:latest`\n    - container name: `cadvisor`\n    - restart policy: `unless-stopped`\n    - published port: `8088:8080`\n    - volumes:\n      - `/:/rootfs:ro`\n      - `/var/run:/var/run:ro`\n      - `/sys:/sys:ro`\n      - `/var/lib/docker/:/var/lib/docker:ro`\n  - 
`/home/svc-admin/docker/node-exporter/docker-compose.yml`\n    - service name: `node-exporter`\n    - image: `prom/node-exporter:latest`\n    - container name: `node-exporter`\n    - restart policy: `unless-stopped`\n    - network mode: `host`\n    - volume:\n      - `/:/host:ro,rslave`\n    - command:\n      - `--path.rootfs=/host`\n    - expected exposed port via host networking: `9100/tcp`\n  - `/home/svc-admin/docker/portainer-agent/docker-compose.yml`\n    - service name: `portainer_agent`\n    - image: `portainer/agent:sts`\n    - container name: `portainer_agent`\n    - restart policy: `unless-stopped`\n    - published port: `9001:9001`\n    - volumes:\n      - `/var/run/docker.sock:/var/run/docker.sock`\n      - `/var/lib/docker/volumes:/var/lib/docker/volumes`\n- Baseline container activation:\n  - after the compose files are created, baseline application should also start the standard containers\n  - expected commands:\n    - `cd /home/svc-admin/docker/cadvisor && docker compose up -d`\n    - `cd /home/svc-admin/docker/node-exporter && docker compose up -d`\n    - `cd /home/svc-admin/docker/portainer-agent && docker compose up -d`\n  - baseline validation should confirm the three containers are running\n- Networking:\n  - verify expected management IP after provisioning\n  - verify SSH reachability after firewall and SSH setup\n- Documentation expectation:\n  - add each new VM to inventory/ContextKeep once SSH access is working\n- Backup expectation:\n  - VM-level backups will be configured in Proxmox\n  - backup scheduling is manual for now\n  - automatic backup policy will be added later once the backup system is finished\n- Automatic updates policy:\n  - enable unattended upgrades by default for now\n  - revisit later if it becomes disruptive\n- Security extras:\n  - `fail2ban` not included in the baseline by default\n  - leave it off unless a specific host later needs it\n- Baseline validation checks:\n  - hostname correct\n  - Ubuntu version 
correct\n  - timezone correct\n  - `svc-admin` sudo works\n  - SSH login works with key auth\n  - `ufw status` is active, default policy is correct, and SSH is allowed\n  - `qemu-guest-agent` is active\n  - Proxmox guest agent option is enabled\n  - Docker is active\n  - `docker compose version` works\n  - expected directories exist under `/home/svc-admin/docker`\n  - baseline compose files exist in their expected directories\n  - restricted firewall rules match the baseline source IP policy\n  - unattended upgrades are enabled if the baseline is fully applied\n  - `cadvisor`, `node-exporter`, and `portainer-agent` containers are running\n  - the hostname resolves in Technitium DNS when API credentials or token are available\n  - `ssh <hostname>` works from the admin workstation\n  - no half-configured packages remain\n\nRole-specific add-ons:\n- AI host baseline:\n  - local model runtime and GPU/runtime setup only when that host is specifically assigned the AI role\n- Database host baseline:\n  - database packages and data layout only on DB-designated hosts\n- App host baseline:\n  - application-specific compose projects and data paths added after baseline completion\n\nExplicitly not universal baseline items:\n- application-specific ports beyond the baseline monitoring/agent stack\n- application stacks or compose projects outside the standard Docker baseline set\n\nObserved de facto environment when baseline was defined:\n- `svc-dev` and `svc-apps` are both Ubuntu 24.04.4 LTS KVM guests\n- both already include `curl`, `wget`, `git`, `vim`, `tmux`, `jq`, and `ufw`\n- `qemu-guest-agent` was not yet consistently present when the baseline was formalized\n- Docker was present on `svc-apps` but not yet on `svc-dev` when this standard was updated\n\nBaseline interpretation:\n- This is a pragmatic homelab standard, not a high-compliance hardening benchmark.\n- Keep the base consistent across service VMs, then add only what the VM role needs above that 
baseline.\n\n---\n**2026-03-22 13:17:08 UTC | AI Update via MCP**","status":"active","namespace":"general","namespace_name":"general","namespace_tier":"shared","tags":[]}