Update home network doco

docs/home-network/containerisation.md

@@ -0,0 +1,46 @@
+# Containerisation
+
+## Reverse proxy
+
+The proxy receives all connections on TCP ports 80 and 443 and routes the
+requests to services listening on high-numbered ports.
+
+### Adding new services
+
+New services are registered with the reverse proxy by adding a server
+configuration file.
+
+1. Add the configuration file.
+2. Restart the reverse proxy.
+
+### TLS
+
+The proxy has a Let's Encrypt TLS certificate for each service that uses a
+public domain name.
+
+The proxy automatically renews the certificates using an HTTP-01 challenge:
+Let's Encrypt requests a text file from the server to prove that the server is
+controlled by the domain owner.
+
+The proxy generates a separate certificate for each domain; certificates are
+managed separately for each service.
+
+## Systemd services
+
+Each service is registered as a Systemd service: Systemd starts the containers
+when the server boots; systemd auto restarts the containers when they stop.
+
+Systemd also provides a unified interface for disabling/enabling services. The
+exact implementation details of the service's containers is not important: they
+can be standalone docker images or docker compose services.
+
+## Standard service containerisation pattern
+
+Each service will use docker compose to run its containers, even if the service
+only uses a single container. This simplifies maintenance because each service
+can use a similar docker and systemd setup.
+
+Services can break from this pattern for a couple of reasons:
+
+1. docker compose setup is too difficult.
+1. The service needs to run directly on the host.

docs/home-network/services/_index.md

@@ -0,0 +1,21 @@
+# Services on raspberrypi.home
+
+| Service               | Port     | Comment                                            |
+| :-------------------- | :------- | :------------------------------------------------- |
+| OpenSSH server        | 22       | SSH access for system admin                        |
+| Pi-hole DNS server    | 53       | DNS server for home network                        |
+| NGINX reverse proxy   | 80, 443  | Reverse proxy for all web services on home network |
+| Samba SMB server      | 139, 445 | SMB access for uploading files                     |
+| Gitea SSH server      | 2200     | SSH access for forge                               |
+| Gitea web server      | 3001     | Git forge web access                               |
+| Jellyfin media server | 8096     | Media server for viewing media                     |
+| Pi-hole admin server  | 8080     | Admin for Pi-hole                                  |
+| Notes server          | 42069    | Personal notes server                              |
+
+## File structure
+
+## Planned functionality
+
+- Authentik OAuth2 Identity provider
+- Notes server with OAuth2
+- Vaultwarden secrets vault

docs/home-network/services/jellyfin.md

@@ -3,3 +3,7 @@
 Host: raspberrypi
 
 Port: 8096 (Access via web browser)
+
+## AWS Backups
+
+@todo

docs/home-network/services/notes-server.md

@@ -1 +1,3 @@
 # Notes server
+
+Path: `/var/www/html/notes`

docs/home-network/services/reverse-proxy.md

@@ -2,4 +2,6 @@
 
 Host: raspberrypi (192.168.0.105)
 
+Path: `/var/www/html/reverse-proxy`
+
 Routes HTTP requests to other services hosted on home network.