Runbook: Docker Host Setup with RBAC and Node Exporter on Proxmox

Reviewed-on: #12

Docker/Speed-test/Speedtest.md

@@ -0,0 +1,104 @@
+# Speedtest Tracker (LinuxServer.io) – Installation Runbook
+
+## Purpose
+Deploy **Speedtest Tracker** using the **LinuxServer.io Docker image** to automatically track internet performance over time using Ookla Speedtest.
+
+This runbook covers:
+- Application key requirements
+- Docker Compose configuration
+- Initial access and login
+- Validation checks
+
+---
+
+## 1. Prerequisites
+
+- Docker and Docker Compose installed
+- A persistent storage location available on the host
+- LAN access to the host
+- Known timezone (e.g. `Pacific/Auckland`)
+
+---
+
+## 2. Application Key (APP_KEY)
+
+⚠️ **Mandatory** – the container will refuse to start without an application key.
+
+The LinuxServer.io image **does not generate an APP_KEY automatically**.  
+A valid key **must be generated externally** and provided via environment variables **before the container starts**.
+
+### Important notes
+- The key must be in `base64:` format
+- The key must remain stable for the lifetime of the deployment
+- Regenerating the key later will invalidate encrypted data
+
+---
+
+## 3. Create Docker Compose File
+
+Create or edit `docker-compose.yml`:
+
+```
+services:
+  speedtest-tracker:
+    image: lscr.io/linuxserver/speedtest-tracker:latest
+    container_name: speedtest-tracker
+    restart: unless-stopped
+    ports:
+      - "8765:80"
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Pacific/Auckland
+      - DISPLAY_TIMEZONE=Pacific/Auckland
+      - APP_KEY=base64:REDACTED
+      - APP_URL=http://192.168.50.253:8765
+      - DB_CONNECTION=sqlite
+      - SPEEDTEST_SCHEDULE=0 * * * *
+    volumes:
+      - /mnt/storage01/docker/speedtest-tracker:/config
+```
+
+## 4. Prepare Persistent Storage
+
+Ensure the host directory exists and is owned by the configured PUID/PGID.
+
+```
+bash
+mkdir -p /mnt/storage01/docker/speedtest-tracker
+chown -R 1000:1000 /mnt/storage01/docker/speedtest-tracker
+```
+
+## 5. Start the Container
+
+Start the service using Docker Compose:
+
+```
+bash
+docker compose up -d
+```
+
+## 6.  Access the site 
+
+```
+http://<IP_ADDRESS>:8765
+```
+
+## 7.  Initial Login
+
+The LinuxServer.io image includes a pre-seeded default administrator account.
+Use the following credentials to log in for the first time:
+
+```
+Email:    admin@example.com
+Password: password
+```
+
+## 8.  User Account
+
+Now go create a new user, made it an administrator.
+Logout as admin, and sign in with newly create account.
+Change the admin again to a user account, delete the guest account.
+
+
+## FIN

Docker/proxmox-node/Proxmox.md

@@ -0,0 +1,255 @@
+# Runbook: Docker Host Setup with RBAC and Node Exporter on Proxmox
+
+## Purpose
+
+This runbook describes how to prepare a Proxmox host to run Docker services safely and predictably, using:
+
+* ZFS-backed storage (not the OS disk)
+* Role-based access control (RBAC)
+* Non-root daily administration
+* Docker Engine installed from the official repository
+* Node Exporter as a first monitoring workload
+
+The goal is to support **multiple administrators**, minimise risk, and avoid VM sprawl for simple host-level services.
+
+---
+
+## Scope
+
+This runbook covers:
+
+* Storage decisions on a Proxmox host
+* Admin group and user setup
+* Docker installation and configuration
+* Docker data-root relocation to ZFS
+* Node Exporter deployment via Docker Compose
+
+This runbook does **not** cover:
+
+* Prometheus or Grafana configuration
+* Firewall rules
+* Proxmox cluster configuration
+* Advanced Docker security hardening
+
+---
+
+## Assumptions
+
+* Proxmox VE is already installed and operational
+* A ZFS pool exists (e.g. `/tank`)
+* SSH access to the Proxmox host is available
+* Root access is available for initial setup
+
+---
+
+## High-Level Design
+
+### Storage Model
+
+* Proxmox OS and system services remain on the OS disk
+* ZFS pool is used for:
+
+  * Docker engine data
+  * Docker service directories
+* Proxmox-managed VM storage remains isolated (e.g. `tank/vmdata`)
+
+### Access Model (RBAC)
+
+* One top-level admin group with full control
+* Sub-admin groups for scoped access (Docker, VMs, monitoring)
+* Users operate as themselves, not as root
+* Root access is only used when required
+
+---
+
+## Admin Groups
+
+Create the following Unix groups:
+
+* `sysadmin` – full administrative access (sudo)
+* `docker-admin` – Docker administration
+* `vm-admin` – VM and Proxmox-related tasks
+* `monitoring-admin` – monitoring-related services
+
+> Groups represent **roles**, not individuals.
+
+---
+
+## User Setup
+
+* Create named user accounts for administrators
+* Add full administrators to:
+
+  * `sysadmin`
+  * `docker-admin`
+* Sub-admins may be added only to the groups they require
+
+### Sudo Access
+
+* Grant full sudo access to the `sysadmin` group via `/etc/sudoers.d/`
+* Avoid per-user sudo rules
+
+---
+
+## Docker Base Directory
+
+All Docker-related data must live under the ZFS pool.
+
+Recommended structure:
+
+```
+/tank/docker
+├── engine/          # Docker internal data-root
+├── node-exporter/   # Monitoring exporter
+└── <future-services>/
+```
+
+Ownership and permissions:
+
+* Owner: `root`
+* Group: `docker-admin`
+* Permissions: `2775` (setgid enabled)
+
+---
+
+## Docker Installation
+
+Install Docker Engine from the **official Docker repository**.
+
+Reasons:
+
+* Predictable updates
+* Supported versions
+* Includes Compose plugin
+
+Packages installed:
+
+* docker-ce
+* docker-ce-cli
+* containerd.io
+* docker-buildx-plugin
+* docker-compose-plugin
+
+---
+
+## Docker Data-Root Configuration
+
+Docker’s internal data-root must be moved off the OS disk.
+
+Configure Docker to use:
+
+```
+/tank/docker/engine
+```
+
+via `/etc/docker/daemon.json`:
+
+```json
+{
+  "data-root": "/tank/docker/engine",
+  "group": "docker-admin"
+}
+```
+
+---
+
+## Docker Socket Permissions
+
+Docker access is controlled via the Unix socket:
+
+```
+/var/run/docker.sock
+```
+
+To align with RBAC:
+
+* Override the systemd socket unit
+* Set socket group to `docker-admin`
+
+This allows Docker administration without:
+
+* root shells
+* sudo for every command
+* use of the default `docker` group
+
+---
+
+## Verification (Docker Access)
+
+As a non-root admin user:
+
+```bash
+docker version
+docker info
+```
+
+Success criteria:
+
+* No `permission denied` errors
+* Docker daemon responds
+* Commands run without sudo
+
+---
+
+## Node Exporter Deployment
+
+Node Exporter is used to expose host-level metrics.
+
+### Deployment Model
+
+* Runs directly on the Proxmox host
+* Deployed via Docker Compose
+* Uses host networking
+* Read-only filesystem access
+
+### Service Directory
+
+```
+/tank/docker/node-exporter
+```
+
+### Compose Characteristics
+
+* `network_mode: host`
+* `pid: host`
+* Read-only root filesystem
+* Bind mounts for `/proc`, `/sys`, and `/`
+
+### Verification
+
+```bash
+curl http://localhost:9100/metrics
+```
+
+A successful response returns a large metrics output.
+
+---
+
+## Operational Notes
+
+* No monitoring services (Prometheus, Grafana) should run on the Proxmox host
+* Exporters only — no stateful services
+* Docker services should remain minimal and infrastructure-focused
+* ZFS allows future snapshotting and rollback if required
+
+---
+
+## Outcome
+
+After completing this runbook, the Proxmox host will have:
+
+* Clean separation between OS, VM storage, and Docker workloads
+* ZFS-backed Docker storage
+* Role-based admin access
+* Non-root Docker administration
+* A working Node Exporter endpoint ready for Prometheus
+
+---
+
+## Future Extensions
+
+* Add Prometheus scrape configuration
+* Add firewall rules for exporter ports
+* Add additional exporters (SMART, Proxmox)
+* Automate via Ansible or Terraform
+* Convert into a standard “Host Baseline” template