From af5377e550a32a0910cede12cb5dae87c24972d2 Mon Sep 17 00:00:00 2001
From: wheelz
Date: Tue, 16 Jun 2026 21:59:42 +0000
Subject: [PATCH] Add Rackpad compose stacks
---
rackpad-compose.yml | 88 +++++++++++++++++++++++++++++++++++++
rackpad-truenas-compose.yml | 85 +++++++++++++++++++++++++++++++++++
rackpad-truenas.env.example | 49 +++++++++++++++++++++
rackpad.env.example | 41 +++++++++++++++++
4 files changed, 263 insertions(+)
create mode 100644 rackpad-compose.yml
create mode 100644 rackpad-truenas-compose.yml
create mode 100644 rackpad-truenas.env.example
create mode 100644 rackpad.env.example
diff --git a/rackpad-compose.yml b/rackpad-compose.yml
new file mode 100644
index 0000000..ae26374
--- /dev/null
+++ b/rackpad-compose.yml
@@ -0,0 +1,88 @@
+# ============================================
+# Rackpad — HomeLab Inventory / IPAM / Topology
+# ============================================
+# Candidate deployment target: standalone Docker host / Portainer Compose environment.
+# Recommended first target for Wheelz's HomeLab: Docker-Test-1 or a dedicated Proxmox LXC.
+#
+# Why regular Compose instead of Swarm:
+# - Rackpad discovery works best with host networking + raw-socket capabilities.
+# - Docker Swarm is a poor fit for network_mode: host discovery and node-local SQLite data.
+# - Keep Rackpad close to the management LAN/VLANs it needs to inventory.
+#
+# Deploy:
+# docker compose --env-file rackpad.env -f rackpad-compose.yml up -d
+#
+# Validate:
+# docker compose --env-file rackpad.env.example -f rackpad-compose.yml config
+#
+# Notes:
+# - Uses a local Docker volume for /data because Rackpad stores SQLite state there.
+# - Do not commit real OIDC client secrets, SNMP secrets, or RACKPAD_SECRET_KEY.
+# ============================================
+
+services:
+ rackpad:
+ image: ${RACKPAD_IMAGE:-ghcr.io/kobii-git/rackpad}:${RACKPAD_TAG:-1.6.1}
+ container_name: rackpad
+ user: "0:0"
+ init: true
+ restart: unless-stopped
+ network_mode: host
+ cap_add:
+ - NET_RAW
+ - NET_ADMIN
+ - NET_BIND_SERVICE
+ environment:
+ NODE_ENV: production
+ HOST: 0.0.0.0
+ PORT: ${RACKPAD_PORT:-3002}
+ DATABASE_PATH: /data/rackpad.db
+ MONITOR_INTERVAL_MS: ${MONITOR_INTERVAL_MS:-300000}
+ TRUST_PROXY: ${TRUST_PROXY:-0}
+ TRUSTED_HOSTS: ${TRUSTED_HOSTS:-}
+ TRUSTED_ORIGINS: ${TRUSTED_ORIGINS:-}
+ APP_URL: ${APP_URL:-}
+ OIDC_ENABLED: ${OIDC_ENABLED:-0}
+ OIDC_ISSUER_URL: ${OIDC_ISSUER_URL:-}
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-}
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-}
+ OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:-}
+ OIDC_LABEL: ${OIDC_LABEL:-OIDC}
+ OIDC_DEFAULT_ROLE: ${OIDC_DEFAULT_ROLE:-viewer}
+ OIDC_DEBUG: ${OIDC_DEBUG:-0}
+ OIDC_ADMIN_USERS: ${OIDC_ADMIN_USERS:-}
+ OIDC_EDITOR_USERS: ${OIDC_EDITOR_USERS:-}
+ OIDC_VIEWER_USERS: ${OIDC_VIEWER_USERS:-}
+ OIDC_ADMIN_GROUPS: ${OIDC_ADMIN_GROUPS:-}
+ OIDC_EDITOR_GROUPS: ${OIDC_EDITOR_GROUPS:-}
+ OIDC_VIEWER_GROUPS: ${OIDC_VIEWER_GROUPS:-}
+ OUI_AUTO_UPDATE: ${OUI_AUTO_UPDATE:-1}
+ DISCOVERY_MAC_SCAN_MODE: ${DISCOVERY_MAC_SCAN_MODE:-auto}
+ RACKPAD_SECRET_KEY: ${RACKPAD_SECRET_KEY:-}
+ SNMP_INVENTORY_SYNC: ${SNMP_INVENTORY_SYNC:-0}
+ SNMP_TRAP_ENABLED: ${SNMP_TRAP_ENABLED:-1}
+ SNMP_TRAP_PORT: ${SNMP_TRAP_PORT:-1162}
+ SNMP_TRAP_BIND: ${SNMP_TRAP_BIND:-0.0.0.0}
+ volumes:
+ - rackpad_data:/data
+ read_only: true
+ tmpfs:
+ - /tmp
+ security_opt:
+ - no-new-privileges:true
+ healthcheck:
+ test:
+ [
+ "CMD",
+ "node",
+ "-e",
+ "fetch('http://127.0.0.1:' + (process.env.PORT || '3002') + '/api/health').then((res) => process.exit(res.ok ? 0 : 1)).catch(() => process.exit(1))",
+ ]
+ interval: 30s
+ timeout: 5s
+ retries: 3
+ start_period: 10s
+
+volumes:
+ rackpad_data:
+ driver: local
diff --git a/rackpad-truenas-compose.yml b/rackpad-truenas-compose.yml
new file mode 100644
index 0000000..703d815
--- /dev/null
+++ b/rackpad-truenas-compose.yml
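Review bot: In rackpad-compose.yml, `user: "0:0"` together with `network_mode: host` and `NET_ADMIN` means a compromise of the Rackpad web process can change the host's interfaces, routes and firewall rules; `read_only: true` and `no-new-privileges:true` do not constrain that. Nothing is dropped either, so the container also keeps Docker's default capability set; I would add `cap_drop: [ALL]` above `cap_add` and re-test discovery. `NET_BIND_SERVICE` looks unnecessary with the default ports 3002 and 1162, and `NET_ADMIN` should stay only if a discovery mode is confirmed to need it, which this file does not show.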
@@ -0,0 +1,85 @@
+# ============================================
+# Rackpad — TrueNAS Promotion Compose Draft
+# ============================================
+# Target: TrueNAS regular Docker / Portainer Compose deployment.
+# Source pattern from Wheelz's TrueNAS mock:
+# - Data root: /mnt/HomeStorage02/Docker//...
+# - Container user convention: PUID=568 / PGID=568
+# - Per-container directory layout under /mnt/HomeStorage02/Docker/
+#
+# Deploy after review:
+# docker compose --env-file rackpad-truenas.env -f rackpad-truenas-compose.yml up -d
+#
+# Validate:
+# docker compose --env-file rackpad-truenas.env.example -f rackpad-truenas-compose.yml config
+#
+# Notes:
+# - Rackpad stores SQLite state at /data/rackpad.db.
+# - Keep RACKPAD_SECRET_KEY runtime-only; do not commit real secrets.
+# - Keep Rackpad LAN/VPN-only during promotion.
+# - Host networking is retained because Rackpad discovery works best from the host network view.
+# ============================================
+
+services:
+ rackpad:
+ image: ${RACKPAD_IMAGE:-ghcr.io/kobii-git/rackpad}:${RACKPAD_TAG:-1.6.1}
+ container_name: rackpad
+ user: "${PUID:-568}:${PGID:-568}"
+ init: true
+ restart: unless-stopped
+ network_mode: host
+ cap_add:
+ - NET_RAW
+ - NET_ADMIN
+ - NET_BIND_SERVICE
+ environment:
+ NODE_ENV: production
+ TZ: ${TZ:-America/Chicago}
+ HOST: 0.0.0.0
+ PORT: ${RACKPAD_PORT:-3002}
+ DATABASE_PATH: /data/rackpad.db
+ MONITOR_INTERVAL_MS: ${MONITOR_INTERVAL_MS:-300000}
+ TRUST_PROXY: ${TRUST_PROXY:-0}
+ TRUSTED_HOSTS: ${TRUSTED_HOSTS:-}
+ TRUSTED_ORIGINS: ${TRUSTED_ORIGINS:-}
+ APP_URL: ${APP_URL:-}
+ OIDC_ENABLED: ${OIDC_ENABLED:-0}
+ OIDC_ISSUER_URL: ${OIDC_ISSUER_URL:-}
+ OIDC_CLIENT_ID: ${OIDC_CLIENT_ID:-}
+ OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET:-}
+ OIDC_REDIRECT_URI: ${OIDC_REDIRECT_URI:-}
+ OIDC_LABEL: ${OIDC_LABEL:-OIDC}
+ OIDC_DEFAULT_ROLE: ${OIDC_DEFAULT_ROLE:-viewer}
+ OIDC_DEBUG: ${OIDC_DEBUG:-0}
+ OIDC_ADMIN_USERS: ${OIDC_ADMIN_USERS:-}
+ OIDC_EDITOR_USERS: ${OIDC_EDITOR_USERS:-}
+ OIDC_VIEWER_USERS: ${OIDC_VIEWER_USERS:-}
+ OIDC_ADMIN_GROUPS: ${OIDC_ADMIN_GROUPS:-}
+ OIDC_EDITOR_GROUPS: ${OIDC_EDITOR_GROUPS:-}
+ OIDC_VIEWER_GROUPS: ${OIDC_VIEWER_GROUPS:-}
+ OUI_AUTO_UPDATE: ${OUI_AUTO_UPDATE:-1}
+ DISCOVERY_MAC_SCAN_MODE: ${DISCOVERY_MAC_SCAN_MODE:-auto}
+ RACKPAD_SECRET_KEY: ${RACKPAD_SECRET_KEY:-}
+ SNMP_INVENTORY_SYNC: ${SNMP_INVENTORY_SYNC:-0}
+ SNMP_TRAP_ENABLED: ${SNMP_TRAP_ENABLED:-1}
+ SNMP_TRAP_PORT: ${SNMP_TRAP_PORT:-1162}
+ SNMP_TRAP_BIND: ${SNMP_TRAP_BIND:-0.0.0.0}
+ volumes:
+ - ${TRUENAS_DOCKER_ROOT:-/mnt/HomeStorage02/Docker}/Rackpad/data:/data
+ read_only: true
+ tmpfs:
+ - /tmp
+ security_opt:
+ - no-new-privileges:true
+ healthcheck:
+ test:
+ [
+ "CMD",
+ "node",
+ "-e",
+ "fetch('http://127.0.0.1:' + (process.env.PORT || '3002') + '/api/health').then((res) => process.exit(res.ok ? 0 : 1)).catch(() => process.exit(1))",
+ ]
+ interval: 30s
+ timeout: 5s
+ retries: 3
+ start_period: 10s
diff --git a/rackpad-truenas.env.example b/rackpad-truenas.env.example
new file mode 100644
index 0000000..97a53b8
--- /dev/null
+++ b/rackpad-truenas.env.example
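Review bot: The `cap_add` list in rackpad-truenas-compose.yml probably has no effect, because the container runs as `${PUID:-568}:${PGID:-568}` with `no-new-privileges:true`. As far as I know Docker does not raise ambient capabilities for a non-root user, so the process starts with an empty effective set, and no-new-privileges stops file capabilities from raising it on exec. That leaves either silently degraded discovery or a later switch back to root to make it work. I would check `CapEff` in `/proc/self/status` inside the running container and record the result in the header notes, for example `# - cap_add only helps if CapEff is non-zero for the non-root user; verify before relying on raw-socket discovery.`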
@@ -0,0 +1,49 @@
+# Rackpad TrueNAS environment example for Wheelz's HomeLab.
+# Copy to rackpad-truenas.env on TrueNAS/Portainer and fill runtime-only values there.
+# Do not commit real secrets.
+
+RACKPAD_IMAGE=ghcr.io/kobii-git/rackpad
+RACKPAD_TAG=1.6.1
+RACKPAD_PORT=3002
+TZ=America/Chicago
+
+# Wheelz TrueNAS Docker directory pattern.
+TRUENAS_DOCKER_ROOT=/mnt/HomeStorage02/Docker
+PUID=568
+PGID=568
+
+MONITOR_INTERVAL_MS=300000
+
+# Reverse proxy settings. For LAN-only testing leave these disabled/blank.
+TRUST_PROXY=0
+TRUSTED_HOSTS=
+TRUSTED_ORIGINS=
+APP_URL=
+
+# Optional OIDC. Do not commit real client secrets.
+OIDC_ENABLED=0
+OIDC_ISSUER_URL=
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_REDIRECT_URI=
+OIDC_LABEL=OIDC
+OIDC_DEFAULT_ROLE=viewer
+OIDC_DEBUG=0
+OIDC_ADMIN_USERS=
+OIDC_EDITOR_USERS=
+OIDC_VIEWER_USERS=
+OIDC_ADMIN_GROUPS=
+OIDC_EDITOR_GROUPS=
+OIDC_VIEWER_GROUPS=
+
+# Discovery / MAC vendor lookup.
+OUI_AUTO_UPDATE=1
+DISCOVERY_MAC_SCAN_MODE=auto
+
+# SNMP. RACKPAD_SECRET_KEY is required before storing shared SNMPv3 credentials.
+# Generate on the deployment host with: openssl rand -hex 32
+RACKPAD_SECRET_KEY=
+SNMP_INVENTORY_SYNC=0
+SNMP_TRAP_ENABLED=1
+SNMP_TRAP_PORT=1162
+SNMP_TRAP_BIND=0.0.0.0
diff --git a/rackpad.env.example b/rackpad.env.example
new file mode 100644
index 0000000..db4b81e
--- /dev/null
+++ b/rackpad.env.example
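Review bot: `SNMP_TRAP_ENABLED=1` with `SNMP_TRAP_BIND=0.0.0.0` at the end of rackpad-truenas.env.example opens a UDP trap listener on every host interface by default, since both compose files use `network_mode: host`, while `SNMP_INVENTORY_SYNC` stays off. For an example file I would ship the listener disabled, `SNMP_TRAP_ENABLED=0`, or bind it to the management address, and change the matching `:-1` and `:-0.0.0.0` fallbacks in the two compose files. The same defaults appear in rackpad.env.example. `HOST: 0.0.0.0` gives the web port the same reach while `OIDC_ENABLED=0`; what authentication applies in that case is not visible in this patch.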
@@ -0,0 +1,41 @@
+# Rackpad example environment for Wheelz's HomeLab.
+# Copy to rackpad.env on the deployment host and fill secrets there.
+
+RACKPAD_IMAGE=ghcr.io/kobii-git/rackpad
+RACKPAD_TAG=1.6.1
+RACKPAD_PORT=3002
+MONITOR_INTERVAL_MS=300000
+
+# Reverse proxy settings. For LAN-only testing leave these disabled/blank.
+TRUST_PROXY=0
+TRUSTED_HOSTS=
+TRUSTED_ORIGINS=
+APP_URL=
+
+# Optional OIDC. Do not commit real client secrets.
+OIDC_ENABLED=0
+OIDC_ISSUER_URL=
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_REDIRECT_URI=
+OIDC_LABEL=OIDC
+OIDC_DEFAULT_ROLE=viewer
+OIDC_DEBUG=0
+OIDC_ADMIN_USERS=
+OIDC_EDITOR_USERS=
+OIDC_VIEWER_USERS=
+OIDC_ADMIN_GROUPS=
+OIDC_EDITOR_GROUPS=
+OIDC_VIEWER_GROUPS=
+
+# Discovery / MAC vendor lookup.
+OUI_AUTO_UPDATE=1
+DISCOVERY_MAC_SCAN_MODE=auto
+
+# SNMP. RACKPAD_SECRET_KEY is required only if storing shared SNMPv3 credentials.
+# Generate on the deployment host with: openssl rand -hex 32
+RACKPAD_SECRET_KEY=
+SNMP_INVENTORY_SYNC=0
+SNMP_TRAP_ENABLED=1
+SNMP_TRAP_PORT=1162
+SNMP_TRAP_BIND=0.0.0.0
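Review bot: The header of rackpad.env.example tells the operator to create `rackpad.env` with real secrets next to this file, but the patch adds no ignore rule for it; an existing .gitignore may already cover it, which is not visible here. I would extend the header with `# Keep rackpad.env untracked (.gitignore) and readable only by the deploying user (chmod 600).` The same applies to rackpad-truenas.env. Unlike the TrueNAS example, this header also lacks the `# Do not commit real secrets.` line.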