Initial commit: Infrastructure documentation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 13:46:47 +02:00
commit bbe86c55d9
9 changed files with 568 additions and 0 deletions

docs/access.md (new file, +98 lines)

@@ -0,0 +1,98 @@
# ExpertFab Zugangsdaten & Verbindungen
> **SSH-Key:** `~/.ssh/hetzner_key` (für alle Server)
---
## Proxmox
| Zugang | Wert |
|----------------|-------------------------------------------|
| Web-UI | https://95.156.232.42:8006 |
| SSH (Node 1) | `ssh -i ~/.ssh/hetzner_key root@10.42.70.1` |
| SSH (Node 2) | `ssh -i ~/.ssh/hetzner_key root@10.42.70.2` |
| Benutzer | `root` |
---
## K3s Cluster
| Zugang | Wert |
|---------------------|--------------------------------------------------------|
| SSH Control Plane | `ssh -i ~/.ssh/hetzner_key sd@10.42.71.50` |
| kubectl (am Node) | `sudo KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl …` |
| kubectl via Proxmox | `ssh root@10.42.70.1 "qm guest exec 119 -- bash -c 'KUBECONFIG=/etc/rancher/k3s/k3s.yaml kubectl …'"` |
**K3s Version:** v1.34.6+k3s1
**Container Runtime:** containerd 2.2.2
**OS:** Ubuntu 24.04.4 LTS
### Nodes
| Node | IP | Rolle |
|---------------|--------------|----------------|
| efsckubadm | 10.42.71.50 | control-plane |
| efsckubnode1 | 10.42.71.51 | worker |
| efsckubnode2 | 10.42.71.52 | worker |
> Proxmox-VM `efsckubctl` = K3s-Node `efsckubadm`
---
## Paperless-NGX
| Zugang | Wert |
|-------------|----------------------------------------------|
| URL | https://docs.expertfab.de |
| API Token | `3960b56c7c56d21af06af7d32e49613d8e7f78c8` |
| API Header | `Authorization: Token <token>` |
---
## ERPNext
| Zugang | Wert |
|--------------|-------------------------------------------------------------------|
| URL | https://expertfab.de / https://www.expertfab.de |
| Helm Chart | frappe/erpnext 8.0.14 (ERPNext v15) |
| Namespace | `erpnext` |
| Auth Token | Airflow Variable: `ErpnextAuthToken` |
| Base URL | Airflow Variable: `ErpnextBaseurl` |
| Docker Image | git.expertfab.de/expertfab/customdocker:1.0.2 |
| Image Pull | Secret `gitea-registry` im Namespace `erpnext` |
---
## Gitea
| Zugang | Wert |
|--------|-----------------------------|
| URL | https://git.expertfab.de |
| VM | efgit01 (Proxmox n01 / 110) |
---
## SMTP (Accounting)
| Parameter | Airflow Variable |
|-----------|---------------------------|
| Server | `smtpAccountingServer` |
| Port | `smtpAccountingPort` |
| User | `smtpAccountingUser` |
| Password | `smtpAccountingPassword` |
| Sender | `smtpAccountingSenderName`|
---
## Öffentlich erreichbare Dienste
| Dienst | URL | Namespace |
|--------------|------------------------------|--------------|
| ERPNext | https://expertfab.de | erpnext |
| ERPNext | https://www.expertfab.de | erpnext |
| Paperless | https://docs.expertfab.de | paperless |
| Zitadel SSO | https://auth.expertfab.de | zitadel |
| FastAPI | https://api.expertfab.de | rabbitmq |
| Coworkbase | https://coworkbase.de | coworkbase |
| Qubicticker | https://qubicticker.qchief.io| qubicticker |
| Gitea | https://git.expertfab.de | |
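Review bot: the `API Token` row in the Paperless-NGX table (`3960b56c7c56d21af06af7d32e49613d8e7f78c8`) commits a live bearer token to the repository in plaintext; since this is the initial commit it is now permanently in git history and has to be treated as compromised, so revoke it in Paperless-NGX, issue a new one, and keep the replacement out of the repo. The same file already models the right pattern for ERPNext and SMTP (`Auth Token | Airflow Variable: ErpnextAuthToken`, `Password | smtpAccountingPassword`), so the Paperless row should reference a secret name in the same way, for instance `| API Token | Airflow Variable: PaperlessApiToken |` (variable name is a suggestion), with the `Authorization: Token <token>` header row kept as is. Two smaller points: the document opens with one shared `~/.ssh/hetzner_key` used as `root` on both Proxmox nodes, and the `kubectl via Proxmox` row runs `qm guest exec 119` as root to reach the control plane, so any holder of that single key file has hypervisor root and cluster admin at once; that should be stated explicitly next to the key path. In `Öffentlich erreichbare Dienste` the Gitea row has an empty Namespace cell because Gitea is the VM `efgit01` rather than a cluster workload; a `(VM)` marker there would stop it reading like a missing value.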

docs/infrastructure.md (new file, +66 lines)

@@ -0,0 +1,66 @@
# ExpertFab VM-Inventar
## Proxmox Cluster
| Hostname | URL / IP | Rolle |
|--------------------|-----------------------------------|-----------------------------|
| efproxcl02 | https://95.156.232.42:8006 | Proxmox Web-UI (Cluster) |
| efproxcl02n01 | 10.42.70.1 | Proxmox Host Node 1 |
| efproxcl02n02 | 10.42.70.2 | Proxmox Host Node 2 |
**Specs je Node:** 64 vCPU / 128 GB RAM
**DNS:** efproxcl02n01.sc.expertfab.de / efproxcl02n02.sc.expertfab.de
---
## VMs efproxcl02n01
| VM-ID | Name | Status | CPU | RAM | IP | Rolle |
|-------|-----------------|---------|--------|-------|-----------------|------------------------------|
| 100 | efscfw01 | stopped | | 16 GB | | OPNsense Backup (inaktiv) |
| 101 | efsmtprelay | running | 4 vCPU | 16 GB | 109.230.227.36 | SMTP Relay |
| 102 | efscweb01 | stopped | | 16 GB | | Webserver (inaktiv) |
| 105 | efcacert | running | | 4 GB | | CA / Zertifikatsserver |
| 110 | efgit01 | running | | 8 GB | | Gitea (git.expertfab.de) |
| 111 | eftrade01 | running | 16vCPU | 16 GB | 10.42.71.102 | Trading-VM |
| 112 | efbtcpay | stopped | | 8 GB | | BTCPay Server (inaktiv) |
| 114 | efubutemp | stopped | | 4 GB | | Ubuntu Template |
| 115 | efxmr01 | stopped | | 16 GB | | Monero Node (inaktiv) |
| 116 | efscbank | stopped | | 4 GB | | Bank-VM (inaktiv) |
| 117 | efmatrix01 | running | | 4 GB | | Matrix Chat Server |
| 118 | efubu24lts* | | | 4 GB | | Template (Ubuntu 24.04 LTS) |
| 119 | efsckubctl | running | 4 vCPU | 8 GB | 10.42.71.50 | K3s Control Plane |
| 121 | efsckubnode02 | running | 4 vCPU | 8 GB | 10.42.71.52 | K3s Worker Node 2 |
| 150 | efscfw01 | running | 8 vCPU | 16 GB | 109.230.227.38 | OPNsense Firewall (aktiv) |
*Template
## VMs efproxcl02n02
| VM-ID | Name | Status | CPU | RAM | IP | Rolle |
|-------|-----------------|---------|---------|-------|-----------------|------------------------------|
| 103 | efscdc01 | running | 8 vCPU | 32 GB | 10.42.71.15 | Domain Controller (Windows) |
| 104 | efscveeam01 | running | 16 vCPU | 16 GB | 10.42.71.16 | Veeam Backup Server |
| 106 | efscprint01 | running | | 8 GB | | Printserver |
| 107 | eferp01 | stopped | | 4 GB | | Alt-ERP (inaktiv) |
| 108 | efscairflow01 | running | | 8 GB | | Apache Airflow |
| 109 | efscmoni01 | running | | 4 GB | | Monitoring |
| 113 | efbookstack01 | running | | 8 GB | | BookStack Wiki |
| 120 | efsckubnode1 | running | 4 vCPU | 8 GB | 10.42.71.51 | K3s Worker Node 1 |
| 122 | efscNffsBackup | running | | | | NFS Backup |
---
## Netzwerk
| Netz | Bereich | Verwendung |
|--------------|-----------------|-----------------------------------|
| Public | 109.230.227.x | Öffentliche IPs (Hetzner) |
| Intern | 10.42.70.x | Proxmox Hosts / Management |
| Intern | 10.42.71.x | VMs / Server |
| K3s Pod-CIDR | 172.16.0.0/16 | Kubernetes Pod-Netzwerk (Flannel) |
| K3s SVC-CIDR | 10.43.0.0/16 | Kubernetes Services |
**Traefik LoadBalancer IP:** 10.42.71.60
**OPNsense** löst `www.expertfab.de``10.42.71.60` (intern), `expertfab.de` → öffentliche IP
→ Wichtig: `host_name` in ERPNext muss `https://www.expertfab.de` sein (Hairpin-NAT-Fix)
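Review bot: the `Netzwerk` table does not cover the address the Proxmox Web-UI is published on: `efproxcl02` is listed as `https://95.156.232.42:8006`, which is outside the documented Public range `109.230.227.x`, so a reader cannot tell whether port 8006 is reachable from the internet directly or only behind the OPNsense firewall (`efscfw01`, ID 150, `109.230.227.38`). Add a row for that range and state what filters access to 8006. Also, VM-IDs 100 and 150 share the name `efscfw01` (`stopped`, "OPNsense Backup (inaktiv)" versus `running`, "OPNsense Firewall (aktiv)"); the other docs refer to VMs by name, so either rename the backup VM or quote the ID wherever the firewall is referenced. Finally, the line starting `**OPNsense** löst` lost the arrow between `www.expertfab.de` and `10.42.71.60`, so the two render as one code span; it should read `www.expertfab.de` → `10.42.71.60` to match the `expertfab.de` → öffentliche IP clause that follows.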

docs/k3s.md (new file, +96 lines)

@@ -0,0 +1,96 @@
# ExpertFab K3s Cluster
**Schaubild:** [../diagrams/k8s_cluster.png](../diagrams/k8s_cluster.png)
---
## Cluster-Übersicht
| Eigenschaft | Wert |
|-------------------|----------------------------------|
| Distribution | K3s v1.34.6+k3s1 |
| Container Runtime | containerd 2.2.2 |
| OS | Ubuntu 24.04.4 LTS |
| Kernel | 6.8.0-107-generic |
| Ingress | Traefik (websecure / TLS) |
| TLS | cert-manager + Let's Encrypt |
| Storage | Longhorn (verteiltes Block-Storage)|
| CNI | Flannel |
| LB | MetalLB → 10.42.71.60 |
---
## Nodes
| Name | IP | Proxmox-VM | Proxmox-Host | Rolle |
|---------------|--------------|---------------|---------------|---------------|
| efsckubadm | 10.42.71.50 | efsckubctl | efproxcl02n01 | control-plane |
| efsckubnode1 | 10.42.71.51 | efsckubnode1 | efproxcl02n02 | worker |
| efsckubnode2 | 10.42.71.52 | efsckubnode02 | efproxcl02n01 | worker |
---
## Namespaces
| Namespace | Inhalt |
|------------------|-----------------------------------------|
| `erpnext` | ERPNext + MariaDB + DragonflyDB |
| `paperless` | Paperless-NGX + PostgreSQL |
| `zitadel` | Zitadel SSO + PostgreSQL |
| `rabbitmq` | RabbitMQ + FastAPI |
| `coworkbase` | Coworkbase |
| `qubicticker` | Qubic Ticker |
| `longhorn-system`| Longhorn Storage |
| `cert-manager` | cert-manager (Let's Encrypt) |
| `metallb-system` | MetalLB LoadBalancer |
| `kube-system` | Traefik, CoreDNS, etc. |
---
## Ingresses (Traefik)
| Host | Namespace | TLS |
|-----------------------------|--------------|-----|
| expertfab.de | erpnext | ✓ |
| www.expertfab.de | erpnext | ✓ |
| docs.expertfab.de | paperless | ✓ |
| auth.expertfab.de | zitadel | ✓ |
| api.expertfab.de | rabbitmq | ✓ |
| coworkbase.de | coworkbase | ✓ |
| www.coworkbase.de | coworkbase | ✓ |
| qubicticker.qchief.io | qubicticker | ✓ |
**ClusterIssuer:** `letsencrypt`
**TLS Secret (ERPNext):** `expertfab-tls`
---
## ERPNext Deployment
| Komponente | Typ | Details |
|--------------------|------------|--------------------------------------------|
| Nginx | Deployment | Frontend, `frappeSiteNameHeader=expertfab.de` |
| Gunicorn | Deployment | Web Workers |
| Worker default | Deployment | Background Jobs |
| Worker short | Deployment | Kurze Jobs |
| Worker long | Deployment | Lange Jobs |
| MariaDB | StatefulSet| v10.6, PVC: 3Gi RWO |
| DragonflyDB cache | Deployment | Redis-kompatibel |
| DragonflyDB queue | Deployment | Redis-kompatibel, PVC: 2Gi RWO (Anmerkung¹)|
> ¹ Helm-Values definieren 2Gi für Queue, tatsächliche PVC zeigt 3Gi Sites-Volume als RWX
**Helm Chart:** frappe/erpnext 8.0.14
**Custom Image:** git.expertfab.de/expertfab/customdocker:1.0.2
**Apps:** erpnext, hrms, payments, webshop, ecommerce_integrations, efrevolutgateway
---
## DNS-Besonderheit (Hairpin-NAT)
OPNsense löst nur `www.expertfab.de``10.42.71.60` (intern) auf.
`expertfab.de` (ohne www) → öffentliche IP → von innen nicht erreichbar.
**Fix:** Frappe `host_name` = `https://www.expertfab.de`
**Pfad:** `/home/frappe/frappe-bench/sites/expertfab.de/site_config.json`
**Betrifft:** wkhtmltopdf PDF-Generierung (hängt sonst 120s → 504)
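Review bot: the `DNS-Besonderheit (Hairpin-NAT)` section records an application-level workaround (`host_name` = `https://www.expertfab.de` in `site_config.json`) for a network problem and leaves `expertfab.de` unresolvable from inside the network. Since the Ingress table terminates TLS for both `expertfab.de` and `www.expertfab.de` in namespace `erpnext` behind the same LB address `10.42.71.60`, the cleaner fix is an OPNsense host override for the apex name to `10.42.71.60` as well; that removes the 120 s wkhtmltopdf hang for every internal client rather than only for Frappe, and the `host_name` setting can stay as a secondary note. Same extraction issue as in infrastructure.md: `OPNsense löst nur` lost the arrow between `www.expertfab.de` and `10.42.71.60`. One consistency point: footnote ¹ says the Helm values request 2Gi for the DragonflyDB queue while the observed PVC is the 3Gi RWX sites volume; that is drift between the chart values and the cluster and should be resolved against the chart's persistence values rather than footnoted, otherwise the next `helm upgrade` may behave differently from what the doc promises.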

docs/storage.md (new file, +86 lines)

@@ -0,0 +1,86 @@
# ExpertFab Longhorn Storage Architektur
**Schaubild:** [../diagrams/storage_architecture.png](../diagrams/storage_architecture.png)
---
## StorageClasses
| Name | Reclaim | Binding | Verwendung |
|---------------------|---------|-----------|--------------------------|
| `longhorn` | Delete | Immediate | RabbitMQ, Zitadel |
| `longhorn-erpnext` | Retain | Immediate | ERPNext (Daten bleiben!) |
| `longhorn-paperless`| Retain | Immediate | Paperless (Daten bleiben!)|
| `longhorn-static` | Delete | Immediate | Manuell provisionierte Volumes |
| `local-path` | Delete | WaitForFirstConsumer | Rancher local-path |
> **Retain** = PV bleibt erhalten wenn PVC gelöscht wird → Schutz vor Datenverlust
---
## PVCs nach Namespace
### namespace: erpnext
| PVC | Größe | Mode | StorageClass |
|----------------------------|-------|------|---------------------|
| data-erpnext-mariadb-sts-0 | 3 Gi | RWO | longhorn-erpnext |
| erpnext | 3 Gi | RWX | longhorn-erpnext |
| erpnext-logs | 1 Gi | RWX | longhorn-erpnext |
### namespace: paperless
| PVC | Größe | Mode | StorageClass |
|--------------------|-------|------|----------------------|
| paperless-media | 10 Gi | RWO | longhorn-paperless |
| paperless-consume | 5 Gi | RWO | longhorn-paperless |
| paperless-data | 5 Gi | RWO | longhorn-paperless |
| postgres-data | 5 Gi | RWO | longhorn-paperless |
### namespace: rabbitmq
| PVC | Größe | Mode | StorageClass |
|--------------------------|-------|------|--------------|
| rabbitmq-data-rabbitmq-0 | 5 Gi | RWO | longhorn |
### namespace: zitadel
| PVC | Größe | Mode | StorageClass |
|-------------------------|-------|------|--------------|
| postgres-data-postgres-0| 10 Gi | RWO | longhorn |
---
## Longhorn Pods nach Node
### efsckubnode1 (10.42.71.51)
| Pod | Typ | Replicas |
|---------------------------|------------|----------|
| longhorn-manager | DaemonSet | 1 |
| longhorn-csi-plugin | DaemonSet | 1 |
| engine-image | DaemonSet | 1 |
| instance-manager | | 1 |
| longhorn-driver-deployer | Deployment | 1 |
| longhorn-ui | Deployment | 2 |
| csi-attacher | Deployment | 3 |
| csi-provisioner | Deployment | 3 |
| csi-resizer | Deployment | 3 |
| csi-snapshotter | Deployment | 3 |
### efsckubnode2 (10.42.71.52)
| Pod | Typ | Beschreibung |
|-----------------------------|-----------|-------------------------------------|
| longhorn-manager | DaemonSet | |
| longhorn-csi-plugin | DaemonSet | |
| engine-image | DaemonSet | |
| instance-manager | | |
| share-manager (erpnext) | | Bedient RWX-Volume `erpnext` (3Gi) |
| share-manager (erpnext-logs)| | Bedient RWX-Volume `erpnext-logs` (1Gi) |
| daily-backup | CronJob | Tägliches Backup |
> **share-manager** Pods werden für RWX-Volumes benötigt: Longhorn stellt RWX über NFS-Share-Manager bereit.
> CSI-Controller-Pods (attacher, provisioner, resizer, snapshotter) laufen nur auf `efsckubnode1`.
---
## Hinweise
- Longhorn UI: erreichbar über Port-Forward `kubectl port-forward -n longhorn-system svc/longhorn-frontend 8080:80`
- Replikation: Standard 2 Replicas (beide Worker-Nodes)
- Backups: `daily-backup` CronJob auf efsckubnode2
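Review bot: the `longhorn` StorageClass has Reclaim `Delete` and is used for the Zitadel PostgreSQL PVC `postgres-data-postgres-0` (10 Gi), so deleting that PVC (Helm uninstall, namespace deletion) removes the SSO provider's database; ERPNext and Paperless were given `Retain` classes for exactly this reason (`longhorn-erpnext`, `longhorn-paperless`, "Daten bleiben!"), and the identity store deserves the same, for instance a `longhorn-zitadel` class with `reclaimPolicy: Retain` (name is a suggestion), or at minimum a Longhorn recurring backup of that volume. The `daily-backup` CronJob appears twice but only as "Tägliches Backup" on `efsckubnode2`; the backup target (is it the `efscNffsBackup` NFS VM from infrastructure.md?), what it covers, and retention are not stated, and without them the `Retain` policies are the only protection documented. Also, `CSI-Controller-Pods (attacher, provisioner, resizer, snapshotter) laufen nur auf efsckubnode1` together with the 3-replica csi-* rows all on that node means one node failure stops volume attach/provision for the whole cluster even though `Standard 2 Replicas (beide Worker-Nodes)` keeps the data alive; spreading those replicas across both workers (pod anti-affinity) closes that gap. Minor: the `Replicas` column for the DaemonSet rows is really "pods on this node", and the `instance-manager` rows have no `Typ`.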