---
type: Reference
status: ACTIVE
owner: DevOps Engineer
---

# SSoT Configuration Master Plan for Zora (ARM64)

## 1. System Environment (Infrastructure)

| Parameter | Value | Explanation |
|:---------------------|:------------------|:---------------------------------------------------------|
| **Architecture** | `linux/arm64` | Native architecture of Zora (CIX P1 / CP8180). |
| **Hypervisor** | Proxmox VE 8.4.10 | `pve.mo-code.at`, web UI: `https://pve.mo-code.at:8006` |
| **Proxmox node IP** | `10.0.0.20` | SSH: `ssh root@10.0.0.20` |
| **Network bridge** | `vmbr0` | All VMs and containers live in the subnet `10.0.0.0/24` |
| **Gateway (router)** | `10.0.0.138` | Default gateway for all VMs/containers |

### VM & Container Overview

| ID | Name | Type | IP | Start order | Purpose |
|:----|:------------------|:-----|:--------------|:------------------|:-----------------------------|
| 100 | pangolin-client | LXC | `10.0.0.21` | order=1, up=30 | Pangolin tunnel client |
| 101 | gitea | LXC | `10.0.0.22` | order=2, up=30 | Gitea server |
| 102 | gitea-runner | VM | `10.0.0.23` | none | Gitea CI/CD runner (aarch64) |
| 103 | immich | LXC | `10.0.0.24` | order=3, up=30 | Immich photo server |
| 110 | meldestelle-host | VM | `10.0.0.50` | none | Docker app stack |
| 120 | ai-stack | LXC | `10.0.0.60` | none | Ollama + Open WebUI |

### Detailed Resource Configuration

#### CT 100 — pangolin-client (LXC)

| Parameter | Value |
|:--------------|:----------------------------------------------------------------|
| **OS** | Ubuntu, arm64 |
| **CPU** | 4 cores (cpulimit=4) |
| **RAM** | 512 MiB + 512 MiB swap |
| **Disk** | 8 GB (`local:100/vm-100-disk-0.raw`) |
| **Network** | eth0 → vmbr0, IP `10.0.0.21/24`, GW `10.0.0.138`, firewall: yes |
| **Type** | Unprivileged, nesting=1 |
| **Autostart** | Yes (order=1, up=30) |

#### CT 101 — gitea (LXC)

| Parameter | Value |
|:--------------|:----------------------------------------------------------------|
| **OS** | Ubuntu, arm64 |
| **CPU** | 4 cores |
| **RAM** | 1.00 GiB + 512 MiB swap |
| **Disk** | 20 GB (`local:101/vm-101-disk-0.raw`) |
| **Network** | eth0 → vmbr0, IP `10.0.0.22/24`, GW `10.0.0.138`, firewall: yes |
| **Type** | Unprivileged, nesting=1 |
| **Autostart** | Yes (order=2, up=30) |

#### CT 103 — immich (LXC)

| Parameter | Value |
|:----------------|:----------------------------------------------------------------|
| **OS** | Ubuntu, arm64 |
| **CPU** | 8 cores |
| **RAM** | 10.00 GiB + 512 MiB swap |
| **Root disk** | 200 GB (`local:103/vm-103-disk-0.raw`) |
| **Mount point** | mp0: `/mnt/immich_gross` → `/mnt/fotos` (photo library) |
| **Network** | eth0 → vmbr0, IP `10.0.0.24/24`, GW `10.0.0.138`, firewall: yes |
| **Type** | Unprivileged, nesting=1, keyctl=1, fuse=1 |
| **Autostart** | Yes (order=3, up=30) |

#### CT 120 — ai-stack (LXC)

| Parameter | Value |
|:--------------|:----------------------------------------------------------------|
| **OS** | Ubuntu 24.04, arm64 |
| **CPU** | 10 cores (cpulimit=10, cpuunits=1024) |
| **RAM** | 48.00 GiB + 4.00 GiB swap |
| **Disk** | 200 GB (`local:120/vm-120-disk-0.raw`) |
| **Network** | eth0 → vmbr0, IP `10.0.0.60/24`, GW `10.0.0.138`, firewall: yes |
| **Type** | Unprivileged, nesting=1, keyctl=1 |
| **Autostart** | No |
| **Services** | Ollama :11434, Open WebUI :3001 |

#### VM 110 — meldestelle-host (QEMU/KVM)

| Parameter | Value |
|:---------------|:------------------------------------------------------------------------------|
| **BIOS** | OVMF (UEFI) |
| **Machine** | virt (ARM64, aarch64) |
| **CPU** | 8 cores (1 socket, host type, numa=1) |
| **RAM** | 16.00 GiB (balloon=0, no dynamic memory) |
| **Disk** | 150 GB SSD (`local:110/vm-110-disk-1.qcow2`, aio=io_uring, iothread=1, ssd=1) |
| **EFI disk** | `local:110/vm-110-disk-0.qcow2`, efitype=4m, 64 MB |
| **Network** | virtio, bridge=vmbr0, firewall: yes |
| **SCSI** | VirtIO SCSI single |
| **Autostart** | No (order=any) |
| **QEMU agent** | Enabled |
| **Services** | Docker app stack (API :8081, Keycloak :8180, Prometheus :9090, Grafana :3000) |

#### VM 102 — gitea-runner (QEMU/KVM)

| Parameter | Value |
|:-------------|:----------------------------------------------------------------------|
| **BIOS** | OVMF (UEFI) |
| **Machine** | virt (ARM64) |
| **CPU** | 8 cores (1 socket, host type, numa=1) |
| **RAM** | 16.00 GiB (balloon=0, no dynamic memory) |
| **Disk** | 50 GB SSD (`local:102/vm-102-disk-1.qcow2`, aio=io_uring, iothread=1) |
| **EFI disk** | `local:102/vm-102-disk-0.qcow2`, efitype=4m, 64 MB |
| **Network** | virtio, bridge=vmbr0, firewall: yes |
| **SCSI** | VirtIO SCSI single |

## 2. Mail Relay (SSoT Identity)

These values must be kept in sync with the Spring Boot `application.yml` or `.env`.

* **SMTP host:** `10.0.0.20` (the Zora Proxmox node acting as mail relay)
* **SMTP port:** `25` (passwordless internal access via `mynetworks`)
* **Sender:** `zora@mo-code.at` (verified World4You identity)

## 3. Docker Image Checklist (ARM64 Compatibility)

| Service | Recommended image | Status |
|:---------------|:-----------------------------------|:------------------------------|
| **Database** | `postgres:16-alpine` | ARM64 support: yes |
| **Cache** | `valkey/valkey:9-alpine` | ARM64 support: yes |
| **Identity** | `quay.io/keycloak/keycloak:26.5.5` | ARM64 support: yes (official) |
| **Monitoring** | `prom/prometheus:v3.7.3` | ARM64 support: yes |
| **Dashboards** | `grafana/grafana:12.3` | ARM64 support: yes |

## 4. Backend & Gateway (Spring Boot)

* **Base image:** `eclipse-temurin:25-jre-alpine` (ARM64-native, built via the Gitea pipeline)
* **Build process:** the Gitea runner (VM 102, `10.0.0.23`) builds natively for `linux/arm64`

## 5. Keycloak SSoT Integration

* **External issuer:** `http://10.0.0.50:8180/realms/meldestelle`
* **Internal issuer:** `http://keycloak:8080/realms/meldestelle` (Docker-internal)
* **Client IDs:** `api-gateway`, `web-app`

## 6. Pangolin Tunnel Routing

> Pangolin runs on CT 100 (pangolin-client, `10.0.0.21`) as a tunnel client to `pangolin.mo-code.at`.

| Route | Target (internal) | Port | Visibility |
|:-----------------------|:---------------|:-------|:---------------------|
| `api.mo-code.at` | `10.0.0.50` | `8081` | Public |
| `auth.mo-code.at` | `10.0.0.50` | `8180` | Public |
| `git.mo-code.at` | `10.0.0.22` | `3000` | Public |
| `photos.mo-code.at` | `10.0.0.24` | `2283` | Internal only / VPN |
| `ai.mo-code.at` | `10.0.0.60` | `3001` | Internal only / VPN |
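An SSoT document is only useful if the live hypervisor configuration actually matches it. The following drift check is an added example (not part of this plan or of Proxmox itself): it parses the `key: value` text that `pct config <ctid>` prints on the Proxmox node (for example `ssh root@10.0.0.20 pct config 100`) and compares it with the values recorded for CT 100 in section 1. The sample `pct config` output embedded here is constructed, with the network firewall flag and the `onboot` entry deliberately deviating from the SSoT so the check has something to report.

```python
"""Drift check between the SSoT tables for CT 100 and a `pct config` dump.

Added example, not part of the original plan. The sample config below is
CONSTRUCTED to mimic the `key: value` format of `pct config`; it was not
captured from the Zora node.
"""

# Expected values for CT 100 (pangolin-client), taken from the SSoT tables.
# Proxmox reports memory/swap in MiB and booleans as "1"/"0".
SSOT_CT100 = {
    "arch": "arm64",
    "cores": "4",
    "memory": "512",
    "swap": "512",
    "unprivileged": "1",
    "onboot": "1",
    "startup": {"order": "1", "up": "30"},
    "features": {"nesting": "1"},
    "net0": {"name": "eth0", "bridge": "vmbr0", "firewall": "1",
             "gw": "10.0.0.138", "ip": "10.0.0.21/24"},
}

# Constructed sample output: firewall=0 on net0 and no `onboot` line,
# i.e. two deviations from the SSoT (hwaddr is a placeholder).
SAMPLE_PCT_CONFIG = """\
arch: arm64
cores: 4
cpulimit: 4
features: nesting=1
hostname: pangolin-client
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=0,gw=10.0.0.138,hwaddr=BC:24:11:00:00:01,ip=10.0.0.21/24,type=veth
ostype: ubuntu
rootfs: local:100/vm-100-disk-0.raw,size=8G
startup: order=1,up=30
swap: 512
unprivileged: 1
"""


def parse_pct_config(text: str) -> dict:
    """Parse `key: value` lines; values of the form `k=v,k=v` become dicts.

    Items without `=` (such as the volume id in `rootfs`) are kept under the
    key "_" so no information is silently dropped.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if "=" in value:
            pairs = {}
            for item in value.split(","):
                k, sep, v = item.partition("=")
                pairs[k.strip() if sep else "_"] = v.strip() if sep else k.strip()
            cfg[key] = pairs
        else:
            cfg[key] = value
    return cfg


def find_drift(expected: dict, actual: dict) -> list:
    """Return human-readable mismatches between the SSoT and the live config.

    Nested dicts are compared key by key; extra live keys (hwaddr, type, ...)
    are ignored because the SSoT does not pin them.
    """
    drift = []
    for key, want in expected.items():
        have = actual.get(key)
        if have is None:
            drift.append(f"{key}: missing in live config (SSoT: {want})")
            continue
        if isinstance(want, dict):
            if not isinstance(have, dict):
                drift.append(f"{key}: expected key=value list, got {have!r}")
                continue
            for sub, sub_want in want.items():
                sub_have = have.get(sub)
                if sub_have != sub_want:
                    drift.append(f"{key}.{sub}: SSoT={sub_want} live={sub_have}")
        elif str(have) != str(want):
            drift.append(f"{key}: SSoT={want} live={have}")
    return drift


if __name__ == "__main__":
    # In production, feed the real output of `pct config 100` instead.
    for finding in find_drift(SSOT_CT100, parse_pct_config(SAMPLE_PCT_CONFIG)):
        print("DRIFT:", finding)
```

Extending the check to the other containers means adding one expected-value dict per CT ID from the tables in section 1; for the QEMU VMs the same parser works on `qm config <vmid>` output, which uses the same `key: value` layout. Running it from CI against the node turns the SSoT tables into an enforced baseline rather than documentation that silently goes stale.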