Conventions

naming

VMID equals IP last octet

Container and VM IDs match the last octet of their IP address. New deployments use the next available sequential number.

operations

3-2-1 backup strategy

Three copies of data, on two different media types, with one copy offsite. The target standard for all critical homelab data.

All HTTP services get a Caddy subdomain

Every HTTP service gets a *.hake.rodeo subdomain routed through Caddy with automatic TLS. Internal DNS is handled by Pi-hole local DNS records pointing to Caddy.

All production containers use Pi-hole for DNS

Every production container has DNS set to Pi-hole (10.1.99.100). Static IP containers need it set explicitly via `pct set` since they skip DHCP.

QEMU guest agent on all VMs

Every VM gets the QEMU guest agent installed and enabled. Required for proper shutdown, DNS injection via `qm set`, IP reporting, and filesystem-consistent backup snapshots.

security

All secrets go in Vaultwarden

API keys, passwords, tokens, and sensitive config are stored in Vaultwarden — never in plain text, env files, or code.

IoT devices on VLAN 30

All IoT devices (smart plugs, cameras, sensors, doorbells, locks) go on VLAN 30. They are untrusted and firewalled from production and infrastructure VLANs.

No CT has SSH enabled

LXC containers do not have SSH configured. All access goes through the PVE host via `pct exec`.

Nothing exposed to the internet

No ports are open to the internet. All remote access is through WireGuard VPN on the UDR 7. Services are internal-only.

Unprivileged containers by default

All LXC containers run unprivileged. Only escalate (e.g., AppArmor unconfined) when a specific requirement demands it, like GPU passthrough.
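An added audit helper, not part of this page's homelab, that checks a container's `pct config` output against three of the conventions above: Pi-hole as nameserver, unprivileged by default, and VMID equals IP last octet. The `audit_ct` function name and the sample configs are mine; the samples are constructed, not real inventory.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the page): checks one container's `pct config`
# output against the conventions above. On the PVE host you would call it as
#   audit_ct 104 "$(pct config 104)"
# Prints one line per violation; the return code is the number of violations.

PIHOLE_DNS="10.1.99.100"   # Pi-hole address from the DNS convention

audit_ct() {
  local vmid="$1" config="$2" violations=0
  local nameserver unprivileged ipcidr last_octet
  # `pct config` prints "key: value" lines; net0 is a comma list holding ip=a.b.c.d/prefix.
  nameserver=$(printf '%s\n' "$config" | sed -n 's/^nameserver: //p')
  unprivileged=$(printf '%s\n' "$config" | sed -n 's/^unprivileged: //p')
  ipcidr=$(printf '%s\n' "$config" | sed -n 's/^net0: .*,ip=\([^,]*\).*/\1/p')
  last_octet=${ipcidr%%/*}; last_octet=${last_octet##*.}

  # DNS must point at Pi-hole; a missing key means the CT inherits the host's resolver.
  if [ "$nameserver" != "$PIHOLE_DNS" ]; then
    echo "CT $vmid: nameserver '${nameserver:-<unset>}' != $PIHOLE_DNS (fix: pct set $vmid --nameserver $PIHOLE_DNS)"
    violations=$((violations + 1))
  fi
  # Privileged containers omit the key entirely, so anything but "1" is a finding.
  if [ "$unprivileged" != "1" ]; then
    echo "CT $vmid: privileged container (unprivileged: '${unprivileged:-0}')"
    violations=$((violations + 1))
  fi
  # Naming convention: static IP whose last octet equals the VMID; DHCP cannot be checked.
  if [ -z "$ipcidr" ] || [ "$ipcidr" = "dhcp" ]; then
    echo "CT $vmid: net0 has no static IP (ip=${ipcidr:-unset})"
    violations=$((violations + 1))
  elif [ "$last_octet" != "$vmid" ]; then
    echo "CT $vmid: IP $ipcidr last octet $last_octet does not match VMID"
    violations=$((violations + 1))
  fi
  return "$violations"
}

# Constructed sample `pct config` output (not real homelab data).
COMPLIANT_CT='hostname: caddy
nameserver: 10.1.99.100
net0: name=eth0,bridge=vmbr0,gw=10.1.99.1,hwaddr=BC:24:11:00:00:68,ip=10.1.99.104/24,type=veth
unprivileged: 1'
NONCOMPLIANT_CT='hostname: legacy
net0: name=eth0,bridge=vmbr0,gw=10.1.99.1,hwaddr=BC:24:11:00:00:69,ip=10.1.99.150/24,type=veth
ostype: ubuntu'

audit_ct 104 "$COMPLIANT_CT" && echo "CT 104: compliant"
audit_ct 105 "$NONCOMPLIANT_CT" || echo "CT 105: $? violation(s)"
```

Looping it over `pct list | awk 'NR>1 {print $1}'` on the PVE host turns it into a nightly compliance check for the whole node.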