Migrate to Proxmox homelab swarm stack definitions

Replace old AWS-oriented compose_files with updated service ymls for
the 3-node Proxmox cluster (pve, adder, game). Services now target
Docker Swarm on the VXLAN overlay (10.10.10.0/24).

New services: authentik, ghost (x3), mariadb
Updated: postgres, n8n, nats, fusionauth, monerod
Added: game node interfaces file for VXLAN config

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

compose_files/Caddyfile

@@ -1,28 +0,0 @@
-# Caddyfile
-# Place this at /etc/caddy/Caddyfile on the caddy instance.
-# Caddy will automatically obtain and renew TLS certificates via Let's Encrypt.
-
-# erda-reader
-reader.erdaverse.com {
-    handle /api/* {
-        reverse_proxy erda-reader-backend:8000
-    }
-    handle {
-        reverse_proxy erda-reader-frontend:3000
-    }
-}
-
-# FusionAuth
-auth.erdaverse.com {
-    reverse_proxy fusionauth:9011
-}
-
-# n8n
-n8n.erdaverse.com {
-    reverse_proxy n8n:5678
-}
-
-# NATS WebSocket
-nats.erdaverse.com {
-    reverse_proxy nats:8080
-}

compose_files/nats.conf

@@ -1,15 +0,0 @@
-listen: 0.0.0.0:4222
-
-jetstream {
-  store_dir: /data
-}
-
-websocket {
-  listen: "0.0.0.0:8080"
-  no_tls: true
-  authorization {
-    token: "LKD0knyFLTBpxW9Tq9eTgLiTYJOzNlyxAHLLb3Th"
-  }
-}
-
-http: 0.0.0.0:8222

compose_files/nats.yml

@@ -1,33 +0,0 @@
-version: "3.8"
-
-services:
-  nats:
-    image: nats:latest
-    command: ["-c", "/etc/nats/nats.conf"]
-    configs:
-      - source: nats_conf
-        target: /etc/nats/nats.conf
-    volumes:
-      - nats_data:/data
-    networks:
-      - erda-net
-    deploy:
-      replicas: 1
-      placement:
-        constraints:
-          - node.hostname == ip-10-0-1-168
-      restart_policy:
-        condition: on-failure
-        delay: 5s
-        max_attempts: 3
-
-configs:
-  nats_conf:
-    file: ./nats.conf
-
-volumes:
-  nats_data:
-
-networks:
-  erda-net:
-    external: true

compose_files/postgres-init/01-init.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-set -e
-
-FUSIONAUTH_PASS=$(cat /run/secrets/fusionauth_db_password)
-N8N_PASS=$(cat /run/secrets/n8n_db_password)
-APP_PASS=$(cat /run/secrets/app_db_password)
-
-psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
-    CREATE USER fusionauth_user WITH PASSWORD '$FUSIONAUTH_PASS';
-    CREATE DATABASE fusionauth_db OWNER fusionauth_user;
-    GRANT ALL PRIVILEGES ON DATABASE fusionauth_db TO fusionauth_user;
-
-    CREATE USER n8n_user WITH PASSWORD '$N8N_PASS';
-    CREATE DATABASE n8n_db OWNER n8n_user;
-    GRANT ALL PRIVILEGES ON DATABASE n8n_db TO n8n_user;
-
-    CREATE USER erda_reader_user WITH PASSWORD '$APP_PASS';
-    CREATE DATABASE erda_reader_db OWNER erda_reader_user;
-    GRANT ALL PRIVILEGES ON DATABASE erda_reader_db TO erda_reader_user;
-EOSQL

compose_files/postgres.yml

@@ -1,44 +0,0 @@
-version: '3.8'
-
-services:
-  postgres:
-    image: postgres:16
-    environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-      - /etc/postgres-init:/docker-entrypoint-initdb.d
-    networks:
-      - erda-net
-    secrets:
-      - postgres_password
-      - fusionauth_db_password
-      - n8n_db_password
-      - app_db_password
-    deploy:
-      replicas: 1
-      placement:
-        constraints:
-          - node.hostname == ip-10-0-1-173
-      restart_policy:
-        condition: on-failure
-        delay: 5s
-        max_attempts: 3
-
-volumes:
-  postgres_data:
-
-networks:
-  erda-net:
-    external: true
-
-secrets:
-  postgres_password:
-    external: true
-  fusionauth_db_password:
-    external: true
-  n8n_db_password:
-    external: true
-  app_db_password:
-    external: true

proxmox/services/game-interfaces

@@ -0,0 +1,51 @@
+auto lo
+iface lo inet loopback
+
+iface nic0 inet manual
+
+iface nic1 inet manual
+
+iface wlp7s0 inet manual
+
+auto vmbr0
+iface vmbr0 inet static
+	address 192.168.40.109/24
+	gateway 192.168.40.1
+	bridge-ports nic0
+	bridge-stp off
+	bridge-fd 0
+	post-up ip link add vxlan10 type vxlan id 10 local 192.168.40.109 dstport 4790 || true
+	post-up bridge fdb append 00:00:00:00:00:00 dev vxlan10 dst 192.168.40.198 || true
+	post-up bridge fdb append 00:00:00:00:00:00 dev vxlan10 dst 192.168.40.150 || true
+	post-up ip link set vxlan10 up || true
+
+auto vmbr1
+iface vmbr1 inet static
+	address 10.10.10.172/24
+	bridge-ports none
+	bridge-stp off
+	bridge-fd 0
+	post-up brctl addif vmbr1 vxlan10 || true
+
+auto vmbr2
+iface vmbr2 inet manual
+	bridge-ports none
+	bridge-stp off
+	bridge-fd 0
+#openwrt me
+
+auto vmbr3
+iface vmbr3 inet manual
+	bridge-ports none
+	bridge-stp off
+	bridge-fd 0
+#openwrt donna
+
+auto vmbr4
+iface vmbr4 inet manual
+	bridge-ports none
+	bridge-stp off
+	bridge-fd 0
+#openwrt IoT
+
+source /etc/network/interfaces.d/*

services/authentik.yml

@@ -0,0 +1,74 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c authentik.yml authentik
+#
+# Runs on: docker-swarm-1
+# Authentik server + worker, using the shared postgres stack.
+# No Redis required as of 2026.2.x.
+# Initial setup wizard at http://<host>:9000/if/flow/initial-setup/
+
+services:
+  server:
+    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2026.2.1}
+    command: server
+    environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+      AUTHENTIK_POSTGRESQL__HOST: postgres_postgres
+      AUTHENTIK_POSTGRESQL__PORT: 5432
+      AUTHENTIK_POSTGRESQL__NAME: authentik_db
+      AUTHENTIK_POSTGRESQL__USER: authentik_user
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
+    ports:
+      - "9000:9000"
+      - "9443:9443"
+    volumes:
+      - authentik_media:/media
+      - authentik_templates:/templates
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == pve-tools
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+  worker:
+    image: ghcr.io/goauthentik/server:${AUTHENTIK_TAG:-2026.2.1}
+    command: worker
+    environment:
+      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+      AUTHENTIK_POSTGRESQL__HOST: postgres_postgres
+      AUTHENTIK_POSTGRESQL__PORT: 5432
+      AUTHENTIK_POSTGRESQL__NAME: authentik_db
+      AUTHENTIK_POSTGRESQL__USER: authentik_user
+      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_DB_PASSWORD}
+    volumes:
+      - authentik_media:/media
+      - authentik_templates:/templates
+      - authentik_certs:/certs
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == pve-tools
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  authentik_media:
+  authentik_templates:
+  authentik_certs:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

services/caddy.yml

@@ -19,7 +19,7 @@ services:
       - caddy_data:/data
       - caddy_config:/config
     networks:
-      - erda-net
+      - overlay-net
     deploy:
       replicas: 1
       placement:
@@ -35,5 +35,6 @@ volumes:
   caddy_config:
 
 networks:
-  erda-net:
+  overlay-net:
     external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

services/fusionauth.yml

@@ -1,14 +1,11 @@
 version: '3.8'
 
 # Deploy with:
-#   export POSTGRES_PASSWORD='...' FUSIONAUTH_DB_PASSWORD='...'
+#   docker stack deploy -c fusionauth.yml fusionauth
-#   sudo -E docker stack deploy -c fusionauth.yml fusionauth
-#
-# Passwords sourced from AWS Secrets Manager (swarm_infra_secrets)
 #
 # Runs on: CADDY_INSTANCE (ip-10-0-1-168)
 # FusionAuth is Java-based and memory hungry — deployed on caddy node (t3.large, 8GB)
-# Accessible publicly via Caddy reverse proxy at auth.erdaverse.com
+# Accessible publicly via Caddy reverse proxy at auth.yourdomain.com
 
 services:
   fusionauth:
@@ -23,7 +20,7 @@ services:
       FUSIONAUTH_APP_RUNTIME_MODE: production
       SEARCH_TYPE: database
     networks:
-      - erda-net
+      - overlay-net
     deploy:
       replicas: 1
       placement:
@@ -35,5 +32,6 @@ services:
         max_attempts: 3
 
 networks:
-  erda-net:
+  overlay-net:
     external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

services/ghost.yml

@@ -0,0 +1,99 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c ghost.yml ghost
+#
+# Runs on: adder-ghost
+# Three Ghost blog instances, each with its own port and MariaDB database.
+# Ghost 1: port 2368, Ghost 2: port 2369, Ghost 3: port 2370
+
+services:
+  ghost1:
+    image: ghost:5-alpine
+    environment:
+      database__client: mysql
+      database__connection__host: mariadb_mariadb
+      database__connection__port: 3306
+      database__connection__user: ghost1_user
+      database__connection__password: ${GHOST1_DB_PASSWORD}
+      database__connection__database: ghost1_db
+      url: ${GHOST1_URL:-http://localhost:2368}
+    ports:
+      - "2368:2368"
+    volumes:
+      - ghost1_data:/var/lib/ghost/content
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == adder-ghost
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+  ghost2:
+    image: ghost:5-alpine
+    environment:
+      database__client: mysql
+      database__connection__host: mariadb_mariadb
+      database__connection__port: 3306
+      database__connection__user: ghost2_user
+      database__connection__password: ${GHOST2_DB_PASSWORD}
+      database__connection__database: ghost2_db
+      url: ${GHOST2_URL:-http://localhost:2369}
+      server__port: 2369
+    ports:
+      - "2369:2369"
+    volumes:
+      - ghost2_data:/var/lib/ghost/content
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == adder-ghost
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+  ghost3:
+    image: ghost:5-alpine
+    environment:
+      database__client: mysql
+      database__connection__host: mariadb_mariadb
+      database__connection__port: 3306
+      database__connection__user: ghost3_user
+      database__connection__password: ${GHOST3_DB_PASSWORD}
+      database__connection__database: ghost3_db
+      url: ${GHOST3_URL:-http://localhost:2370}
+      server__port: 2370
+    ports:
+      - "2370:2370"
+    volumes:
+      - ghost3_data:/var/lib/ghost/content
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == adder-ghost
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  ghost1_data:
+  ghost2_data:
+  ghost3_data:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

services/mariadb.yml

@@ -0,0 +1,35 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c mariadb.yml mariadb
+#
+# Runs on: adder-ghost
+
+services:
+  mariadb:
+    image: mariadb:11
+    environment:
+      MYSQL_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
+    ports:
+      - "3306:3306"
+    volumes:
+      - mariadb_data:/var/lib/mysql
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == adder-ghost
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  mariadb_data:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

services/monerod.yml

@@ -0,0 +1,45 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c monerod.yml monerod
+#
+# Runs on: fedora
+# Restricted RPC node with pruning enabled to reduce disk usage.
+# Blockchain data is persisted in a named Docker volume.
+# Restricted RPC exposed on port 18089 for external wallet access.
+
+services:
+  monerod:
+    image: ghcr.io/sethforprivacy/simple-monerod:latest
+    command:
+      - --rpc-restricted-bind-ip=0.0.0.0
+      - --rpc-restricted-bind-port=18089
+      - --no-igd
+      - --enable-dns-blocklist
+      - --ban-list=/home/monero/ban_list.txt
+      - --prune-blockchain
+    ports:
+      - "18080:18080"
+      - "18089:18089"
+    volumes:
+      - bitmonero:/home/monero/.bitmonero
+      - ./monerod-ban-list.txt:/home/monero/ban_list.txt:ro
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == fedora
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  bitmonero:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

services/n8n.yml

@@ -3,53 +3,43 @@ version: '3.8'
 # Deploy with:
 #   docker stack deploy -c n8n.yml n8n
 #
-# Runs on: CADDY_INSTANCE (ip-10-0-1-168)
+# Runs on: pve-tools
-# Accessible publicly via Caddy reverse proxy at n8n.erdaverse.com
 
 services:
   n8n:
     image: n8nio/n8n:latest
-    entrypoint: /bin/sh
-    command:
-      - -c
-      - |
-        export DB_POSTGRESDB_PASSWORD=$(cat /run/secrets/n8n_db_password)
-        exec n8n
     environment:
       DB_TYPE: postgresdb
-      DB_POSTGRESDB_HOST: postgres
+      DB_POSTGRESDB_HOST: postgres_postgres
       DB_POSTGRESDB_PORT: 5432
       DB_POSTGRESDB_DATABASE: n8n_db
       DB_POSTGRESDB_USER: n8n_user
-      N8N_HOST: n8n.erdaverse.com
+      DB_POSTGRESDB_PASSWORD: ${N8N_DB_PASSWORD}
+      N8N_HOST: n8n.yourdomain.com
       N8N_PORT: 5678
       N8N_PROTOCOL: https
-      WEBHOOK_URL: https://n8n.erdaverse.com
+      WEBHOOK_URL: https://n8n.yourdomain.com
       GENERIC_TIMEZONE: UTC
-      NODES_EXCLUDE: "[]"
+      # NATS connection for event-driven workflows
-    secrets:
+      # Configure in n8n credentials UI after first boot
-      - n8n_db_password
     volumes:
       - n8n_data:/home/node/.n8n
     networks:
-      - erda-net
+      - overlay-net
     deploy:
       replicas: 1
       placement:
         constraints:
-          - node.hostname == ip-10-0-1-168
+          - node.hostname == pve-tools
       restart_policy:
         condition: on-failure
         delay: 5s
         max_attempts: 3
 
-secrets:
-  n8n_db_password:
-    external: true
-
 volumes:
   n8n_data:
 
 networks:
-  erda-net:
+  overlay-net:
     external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

services/nats.yml

@@ -0,0 +1,37 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c nats.yml nats
+#
+# Runs on: pve-tools
+# JetStream enabled for persistent messaging.
+# Internal only — services connect to nats_nats:4222 via overlay.
+
+services:
+  nats:
+    image: nats:latest
+    command:
+      - -js                          # Enable JetStream
+      - -sd=/data                    # JetStream storage directory
+      - -m=8222                      # Enable monitoring endpoint
+    volumes:
+      - nats_data:/data
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == pve-tools
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  nats_data:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}

services/postgres.yml

@@ -0,0 +1,38 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c postgres.yml postgres
+#
+# Runs on: POSTGRES_INSTANCE (ip-10-0-1-173)
+# Creates databases and users for all services on first boot via init scripts.
+# Data is persisted in a named Docker volume on the postgres node.
+
+services:
+  postgres:
+    image: postgres:16
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    ports:
+      - "5432:5432"
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == pve-postgres
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  postgres_data:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}