revert: drop GitOps split, single compose.yaml manual deploy

Komodo periphery path-mismatch with host docker daemon caused stale
mount issues. For a single-host homelab, GitOps is overkill.

- merge infra-compose.yaml + compose.yaml back into single compose.yaml
- restore name: homelab
- Komodo stays as observability UI only (no auto-deploy)
- deploy via SSH: cd /opt/homelab && docker compose up -d

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: RawSalmon69

homelab/README.md

@@ -1,67 +1,60 @@
 # homelab
 
-Stack on `raws-homelab` (Ubuntu 22.04, Docker).
+Stack on `raws-homelab` (Ubuntu 22.04, Docker). Single `compose.yaml`. Manual deploy via SSH.
 
-## Two-File Layout
-
-- `infra-compose.yaml` → **manual deploy only** (Caddy, Cloudflared, AdGuard, Beszel, Komodo + Mongo + Periphery). Critical foundation; never auto-touched.
-- `compose.yaml` → **Komodo-managed via GitOps**. Push to git → Komodo auto-deploys changed services. Apps: Glance, Vaultwarden, Dozzle, YOURLS, ExcaliDash.
-
-## Manual Infra Deploy
+## Deploy
 
 ```bash
 ssh root@100.106.13.67
 cd /opt/homelab
-docker compose -f infra-compose.yaml up -d
+docker compose up -d
 ```
 
-## App Deploy (GitOps)
-
-Edit on Mac → `git push` → Komodo deploys. No SSH needed.
+Or one-line from Mac after pushing config:
 
-## Stack
-
-| Service | Port | Purpose |
-|---------|------|---------|
-| AdGuard Home | 3000 (UI), 53 (DNS) | Network-wide DNS ad-block |
-| Beszel | 8090 | Lightweight server monitoring |
-| Glance | 8888 | Personal dashboard |
-| Cloudflared | — | Cloudflare tunnel for public exposure |
+```bash
+ssh root@100.106.13.67 "cd /opt/homelab && docker compose up -d"
+```
 
-Box: `192.168.1.100` (LAN) / `100.106.13.67` (Tailscale)
+## Services
 
-## Layout
+| Service | URL |
+|---------|-----|
+| Glance dashboard | https://glance.phanthawas.dev |
+| AdGuard Home | https://adguard.phanthawas.dev |
+| Beszel | https://beszel.phanthawas.dev |
+| Vaultwarden | https://vault.phanthawas.dev |
+| Dozzle (Cloudflare Access) | https://logs.phanthawas.dev |
+| Komodo (UI only) | https://komodo.phanthawas.dev |
+| YOURLS | https://yo.phanthawas.dev/admin/ |
+| ExcaliDash | https://draw.phanthawas.dev |
 
-```
-homelab/
-├── compose.yaml          ← single source of truth
-├── .env                  ← secrets (gitignored)
-├── adguard/{work,conf}/  ← AdGuard state
-├── beszel/data/          ← Beszel hub DB
-├── glance/glance.yml     ← Glance config
-└── cloudflared/          ← (token in .env)
-```
+## Config Sync to Box
 
-## Bring-up
+When editing `homelab/` files locally, sync via:
 
 ```bash
-cd /opt/homelab
-cp .env.example .env       # fill CLOUDFLARED_TOKEN
-docker compose up -d                       # core 3 services
-docker compose --profile tunnel up -d      # add cloudflared
-docker compose --profile agent up -d       # add beszel-agent (needs BESZEL_KEY)
-```
+rsync -av --inplace --exclude='.env' --exclude='cloudflared/credentials.json' \
+  --exclude='*/data/' --exclude='*/work/' --exclude='*/conf/' --exclude='*/db/' \
+  --exclude='komodo/' \
+  ./homelab/ root@100.106.13.67:/opt/homelab/
 
-## First-run checklist
-
-1. **AdGuard** → http://192.168.1.100:3000 → install wizard → set admin pw, upstream DNS (1.1.1.1), enable.
-2. **Beszel** → http://192.168.1.100:8090 → create admin account → "Add system" → copy public key into `.env` as `BESZEL_KEY` → `docker compose --profile agent up -d`.
-3. **Glance** → http://192.168.1.100:8888 → already wired to monitor others.
-4. **Cloudflared** → create tunnel in Cloudflare dashboard → paste token into `.env` → `docker compose --profile tunnel up -d`.
+ssh root@100.106.13.67 "cd /opt/homelab && docker compose up -d"
+```
 
-## Sync from repo to box
+## Layout
 
-```bash
-rsync -av --exclude='.env' --exclude='*/work/' --exclude='*/data/' \
-  ./homelab/ root@192.168.1.100:/opt/homelab/
+```
+homelab/
+├── compose.yaml              ← single source of truth
+├── .env                      ← secrets (gitignored)
+├── caddy/Caddyfile           ← reverse proxy routes
+├── cloudflared/
+│   ├── config.yaml           ← tunnel ingress
+│   └── credentials.json      ← gitignored
+├── glance/
+│   ├── glance.yml            ← dashboard config
+│   └── custom.css            ← (unused, kept for future)
+├── dozzle/data/users.yml     ← bcrypt'd creds
+└── <service>/data            ← per-service runtime data (gitignored)
 ```

homelab/compose.yaml

@@ -1,16 +1,74 @@
-name: apps
+name: homelab
 
 # ───────────────────────────────────────────────────────────
-# USER-FACING APPS — Komodo-managed via GitOps
+# Single source of truth for the homelab box.
+# Deploy on box (manual via SSH):
+#   cd /opt/homelab && docker compose up -d
 #
-# Edit on Mac → git push → Komodo auto-deploys.
-# Only services with config drift get recreated; rest stay up.
-#
-# Infra (Caddy, Cloudflared, AdGuard, Beszel, Komodo itself)
-# lives in infra-compose.yaml — manual deploy only.
+# Komodo runs as observability UI only — no GitOps deploys.
 # ───────────────────────────────────────────────────────────
 
 services:
+  caddy:
+    image: caddy:2-alpine
+    container_name: caddy
+    network_mode: host
+    volumes:
+      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
+      - ./caddy/data:/data
+      - ./caddy/config:/config
+    restart: unless-stopped
+
+  cloudflared:
+    image: cloudflare/cloudflared:latest
+    container_name: cloudflared
+    network_mode: host
+    command: tunnel --config /etc/cloudflared/config.yaml run
+    volumes:
+      - ./cloudflared/config.yaml:/etc/cloudflared/config.yaml:ro
+      - ./cloudflared/credentials.json:/etc/cloudflared/credentials.json:ro
+    restart: unless-stopped
+
+  adguard:
+    image: adguard/adguardhome:latest
+    container_name: adguard
+    network_mode: host
+    volumes:
+      - ./adguard/work:/opt/adguardhome/work
+      - ./adguard/conf:/opt/adguardhome/conf
+    restart: unless-stopped
+
+  beszel:
+    image: henrygd/beszel:latest
+    container_name: beszel
+    ports:
+      - "8090:8090"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    volumes:
+      - ./beszel/data:/beszel_data
+    restart: unless-stopped
+
+  beszel-agent:
+    image: henrygd/beszel-agent:latest
+    container_name: beszel-agent
+    network_mode: host
+    restart: unless-stopped
+    privileged: true
+    environment:
+      LISTEN: 45876
+      KEY: ${BESZEL_KEY}
+      TOKEN: ${BESZEL_TOKEN:-}
+      HUB_URL: ${BESZEL_HUB_URL:-http://localhost:8090}
+    volumes:
+      - ./beszel/agent_data:/var/lib/beszel-agent
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /usr/sbin/smartctl:/usr/sbin/smartctl:ro
+      - /var/lib/smartmontools:/var/lib/smartmontools:ro
+    devices:
+      - /dev/sda
+      - /dev/nvme0n1
+
   glance:
     image: glanceapp/glance:latest
     container_name: glance
@@ -68,6 +126,51 @@ services:
       DOZZLE_AUTH_PROVIDER: simple
     restart: unless-stopped
 
+  komodo-mongo:
+    image: mongo:7.0
+    container_name: komodo-mongo
+    restart: unless-stopped
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: komodo
+      MONGO_INITDB_ROOT_PASSWORD: ${MONGO_PASS}
+    volumes:
+      - ./komodo/mongo:/data/db
+    command: ["--quiet", "--wiredTigerCacheSizeGB", "0.25"]
+
+  komodo-core:
+    image: ghcr.io/mbecker20/komodo:latest
+    container_name: komodo-core
+    restart: unless-stopped
+    depends_on:
+      - komodo-mongo
+    ports:
+      - "9120:9120"
+    environment:
+      KOMODO_DATABASE_ADDRESS: komodo-mongo:27017
+      KOMODO_DATABASE_USERNAME: komodo
+      KOMODO_DATABASE_PASSWORD: ${MONGO_PASS}
+      KOMODO_PASSKEY: ${KOMODO_PASSKEY}
+      KOMODO_WEBHOOK_SECRET: ${KOMODO_WEBHOOK_SECRET}
+      KOMODO_HOST: https://komodo.phanthawas.dev
+      KOMODO_TITLE: raws-homelab
+      KOMODO_FIRST_SERVER: http://komodo-periphery:8120
+      KOMODO_DISABLE_CONFIRM_DIALOG: "false"
+      KOMODO_LOCAL_AUTH: "true"
+      KOMODO_DISABLE_USER_REGISTRATION: "true"
+      KOMODO_ENABLE_NEW_USERS: "true"
+
+  komodo-periphery:
+    image: ghcr.io/mbecker20/periphery:latest
+    container_name: komodo-periphery
+    restart: unless-stopped
+    environment:
+      PERIPHERY_PASSKEYS: ${KOMODO_PASSKEY}
+      PERIPHERY_ROOT_DIRECTORY: /etc/komodo
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./komodo/periphery:/etc/komodo
+      - /proc:/proc:ro
+
   yourls-db:
     image: mariadb:10
     container_name: yourls-db