11 KiB
name, description, version, author, date, platforms, metadata
| name | description | version | author | date | platforms | metadata | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| homelab-infrastructure-review | Performs a 3-way infrastructure reconciliation audit: homelab_Infra.md documentation (including Nginx Proxy Route mappings) vs. live Docker container states vs. homelable MCP canvas topology. Also audits the Homepage Dashboard services configuration to ensure newly proxied services are accessible. Triggers ONLY on explicit user command. No automation or cron. | 1.4.0 | wompmacho | 2026-05-30 |
|
|
Homelab Infrastructure Review
Performs a 3-way infrastructure reconciliation audit of living services, active proxy routes, and the network topology canvas.
1. Core Objectives
This skill provides a highly-disciplined auditing workflow that:
- Identifies all live services on the host.
- Identifies all active proxies and domains for services by parsing Nginx Proxy Manager config files.
- Cross-references them against the source of truth documentation (
homelab_Infra.md). - Cross-references them against the
homelable-mcpvisual canvas topology. - Audits the Homepage Dashboard services configuration (
/srv/configs/docker_compose/homepage/config/services.yaml) to ensure all proxied services are accessible. - Generates exact proposed changes to:
- The markdown documentation (
homelab_Infra.md) - The
homelable-mcpvisual canvas nodes and edges - The Homepage Dashboard services config (
services.yaml), with services correctly split into their relevant hosts/categories.
- The markdown documentation (
2. Trigger Conditions
This skill is invoked only on explicit, manual user command — never automatically or periodically. Acceptable trigger phrases: "review homelab", "infrastructure audit", "reconcile homelab", "homelab review", "check infrastructure".
No cron, no automated polling, and no silent background execution.
3. Source Inventory and Boundary Map
| Source Component | Path / Port / Endpoint | Permission Boundaries |
|---|---|---|
| Infra Document | /srv/docs/public/projects/homelab/homelab_Infra.md |
Read: ✅ Write: ❌ (requires explicit user confirmation, never run git commands without auth) |
| Live Docker State | Host session via docker ps |
Read: ✅ Write: ❌ (no automated container lifecycle modifications allowed) |
| Nginx Proxy Configs | /app/nginxproxy/data/nginx/proxy_host/*.conf |
Read: ✅ Write: ❌ (read-only proxy blocks mapping) |
| Homelable Backend API | http://localhost:9445/api/v1 |
Read: ✅ Write: ❌ (node/edge canvas edits require explicit confirmation) |
| Homepage Config | /srv/configs/docker_compose/homepage/config/services.yaml |
Read: ✅ Write: ❌ (requires explicit user confirmation) |
| Homepage Layout | /srv/configs/docker_compose/homepage/config/settings.yaml |
Read: ✅ Write: ❌ (requires explicit user confirmation) |
| Workspace Dir | /srv/configs/ai/ |
Read: ✅ Write: ✅ (agent state and proposed drafts) |
4. Reconciliation Logic & Execution Steps
Step 1: Pre-Flight Safety Checks
Run in order before beginning any audit cycle. If any check fails, simply inform the user directly in the session and abort (do NOT log failures to a local errors.log file):
- Lock Check: Verify no concurrent audit process holds
/srv/configs/ai/.audit.lock. - Backend Port Check: Verify port
9445is actively listening. - Backend API Check: Verify backend returns
HTTP 200on/api/v1/healthusing the parsedMCP_SERVICE_KEYfrom/srv/configs/docker_compose/homelabel/.env. - Source Files Check: Verify both
/srv/configs/.bash_aliasesandhomelab_Infra.mdexist.
Step 2: Nginx Proxy Parsing
Parse every proxy configuration file /app/nginxproxy/data/nginx/proxy_host/*.conf for:
server_name(Proxy Domain name / Route)set $port(Forwarded Container Port)
Keep an internal lookup dictionary of Forwarded Port -> Proxy Domain for comparison.
Step 3: Homepage Dashboard Audit
Read /srv/configs/docker_compose/homepage/config/services.yaml and compare the list of active proxy routes against the dashboard items. Propose adding newly proxied services so the user can navigate to them.
Homepage services must be strictly split into three distinct categories:
- Physical Devices & Networking related (e.g. Proxmox, TrueNAS, Router, Pi-Hole, Moonlight streaming)
- Docker Host Containers (e.g. nginx-proxy-manager, portainer, immich, vaultwarden, paperless-ngx, slopsmith-web)
- TrueNAS Host Containers (e.g. radarr, sonarr, readarr, bazarr, prowlarr, calibre)
Step 4: Documentation Formatting Standardization
Both the ## Docker services and the ## Truenas Services markdown tables inside homelab_Infra.md must strictly maintain this exact 5-column layout:
| Container Name | Mapped Ports | Access | Proxy Route / Domain | Description / Role |
Always parse and print matching columns when proposing or applying documentation edits.
Step 5: Proxmox LXC/VM Auditing
Proxmox host virtualization represents nodes (containers/VMs) that communicate on the LAN subnet 10.0.0.0/16.
- Parse the Proxmox Node Table under
### Proxmox node (laptop-proxmox)inhomelab_Infra.md. - Retrieve all network canvas nodes from
http://localhost:9445/api/v1/nodesmatching typesvm,lxc, or direct hosts. - Compare and verify that active virtualization nodes on your network (such as
invidiouson10.0.0.217orpterodactylon10.0.0.110) exist inside the documentation table. Propose additions for any unregistered LXCs or VMs.
Step 6: Homelable MCP Canvas Styling Standards
When registering new Docker containers on the visual canvas using the POST endpoint at /api/v1/nodes, you must strictly match the styling of other standard services (use gitea_runner as reference):
"type"must be"docker_container""hostname"must be"docker""ip"must be""(empty string, as they reside behind parent container networking)"width"must be140.0"height"must be50.0"bottom_handles"must be1"custom_colors"must be{"show_services": false}"parent_id"must be set to the Docker parent host node UUID (e.g.ee61411a-018a-4471-8a76-bcd4a1f5579a)
5. Safety and Guardrails
Important
- No silent writes: All modifications to
homelab_Infra.md, thehomelable-mcpcanvas, orservices.yamlmust be presented as a clear diff block and receive explicit, manual user validation.- NO UNAUTHORIZED GIT COMMANDS: Never execute any Git commands (such as
git add,git commit,git status,git diff, etc.) without the user's explicit, per-action authorization.- Preserve Comments: Do not remove, alter, or strip existing documentation comments or section text blocks.
- No Errors Log File: Do not append failures to a local
errors.logfile. Output error details directly to the active console stream to keep workspace logs clean.
6. Technical Pitfalls & Workarounds
Warning
- Windows CRLF line endings (
\r\n): The Homepage dashboard'sservices.yamlcontains Windows CRLF terminators. Traditional bash/unix line-ending regex matches (such as$) will silently fail to match titles or categories. Always runtr -d '\r'to sanitize lines before attempting pattern matches.- Direct REST API bypass: Querying
homelable-mcpon8001via SSE requires an async JSON-RPC transport negotiation which is fragile and slow. Instead, bypass the MCP layer entirely and query thehomelable-backendREST API directly on port9445at/api/v1/nodes. Pass the header"X-MCP-Service-Key"parsed from/srv/configs/docker_compose/homelabel/.envfor instant, authenticated, and robust network nodes lookup.
- Active Port Verification (Stale Config Filter): Nginx Proxy Manager configuration files on disk can be stale/leftover (e.g. Moonlight). To completely prevent reporting decommissioned configs, always verify that the port associated with any Nginx config is actively listening on the host (or mapped in active docker container port-mappings) before reporting it as an active proxy. If the port is inactive, ignore the proxy block completely.
- TrueNAS SCALE Node Socket Verification: Rather than setting up fragile credentials or SSH logins, TrueNAS SCALE container port verification is achieved securely and in milliseconds using lightweight, non-destructive
/dev/tcp/10.0.0.2/[port]network socket connection handshakes. - Proxmox VE API Live Verification: To verify running LXCs and VMs, query
https://10.0.0.142:8006/api2/json/cluster/resources?type=vmdirectly. LoadHOMEPAGE_VAR_proxmox_passworddynamically from/srv/configs/docker_compose/homepage/.envat runtime and strip outer double quotes before passing to the Authorization headers. Never hardcode credentials in codebase or transcripts. - Homepage Settings Layout Syncing: When renaming category names in
/srv/configs/docker_compose/homepage/config/services.yaml(such asArr->Truenas Containers, andContainers->Docker Containers), the layout block names inside/srv/configs/docker_compose/homepage/config/settings.yamlunderlayout:must be updated identically or the cards will fail to render on the dashboard. - Do NOT Invent Public Proxies: Do not invent public proxy domains or automatically propose changing local/VPN hrefs (such as
http://radarr/orhttp://calibre/) to public domains (likeradarr.wompmacho.com) in homepage configurations. They must remain as local/VPN URLs exactly as currently configured to preserve network isolation and security. - Multi-Alias Substring Matcher: Nginx Proxy configs often specify multiple space-separated aliases (e.g.
server_name vaultwarden vaultwarden.wompmacho.com;). When searching for these inservices.yamlto detect missing cards, token-split the domains and verify if any alias matches as a substring within the homepage cardhrefor name (case-insensitively). This prevents false-positives (such as flagging Vaultwarden or Gitea as missing).
7. Skill File Structure
All scripts and files associated with this skill are stored in this self-contained directory:
SKILL.md— Custom skill documentation and procedures.scripts/homelab-infrastructure-review.sh— Bash shell auditing script.scripts/mcp_client.py— Python client for direct database and API queries.errors.log— Legacy log file (decommissioned per safety rules — errors print straight to console)..audit.lock— Legitimate lock file preventing concurrent executions.