Config Files

Key host configuration files for proxfold. These are not included in vzdump backups and must be manually reconfigured after a fresh Proxmox install. See the Boot Drive Swap runbook for the full post-install procedure.


/etc/network/interfaces

NICs are referenced by their pinned names (nic0 to nic3) rather than the kernel-assigned enoX names. The pinning itself is defined in /etc/systemd/network below.

auto lo
iface lo inet loopback

iface nic0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.250/24
        gateway 192.168.1.1
        bridge-ports nic0
        bridge-stp off
        bridge-fd 0

iface nic1 inet manual

iface nic2 inet manual

iface nic3 inet manual

source /etc/network/interfaces.d/*

/etc/systemd/network

One .link file per NIC, pinning the kernel-assigned name to a stable nicN name via MAC match. Example for nic0:

# /etc/systemd/network/10-nic0.link
[Match]
MACAddress=aa:bb:cc:dd:ee:ff

[Link]
Name=nic0

The three other NICs have equivalent files (11-nic1.link, 12-nic2.link, 13-nic3.link) with their own MACs. This removes any dependency on PCIe enumeration order, so replacing the motherboard or adding a PCIe NIC does not renumber the onboard ports.


/etc/apt/sources.list

deb http://deb.debian.org/debian trixie main contrib
deb http://deb.debian.org/debian trixie-updates main contrib
deb http://security.debian.org/debian-security trixie-security main contrib
deb http://download.proxmox.com/debian/pve trixie pve-no-subscription

PVE 9 also ships deb822 .sources files under /etc/apt/sources.list.d/ (notably pve-enterprise.sources and ceph.sources). The enterprise entry has Enabled: false on this host. To avoid apt's duplicate-source warning, the PVE no-subscription entry is kept only in /etc/apt/sources.list, not duplicated as a .sources file.


/etc/default/grub (GRUB_DEFAULT only)

GRUB_DEFAULT="gnulinux-advanced-<root-UUID>>gnulinux-6.14.11-6-pve-advanced-<root-UUID>"

Pins boot to kernel 6.14.11-6-pve rather than the PVE 9.1 default (6.17.x). Motivation: keep a kernel compatible with Nvidia 550.x and the Dell 13G platform. Run update-grub after edits. The exact UUID and menuentry ID can be read from /boot/grub/grub.cfg.
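One way to read the submenu and menuentry IDs out of grub.cfg and assemble the GRUB_DEFAULT string, as an added example that is not part of the original runbook. The function name, the sample UUID and the 6.17.0-0-pve version in the sample are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: derive a GRUB_DEFAULT value for a pinned kernel from grub.cfg.

# Constructed sample of the relevant grub.cfg lines (UUID and 6.17 version are made up).
sample_grub_cfg() {
cat <<'EOF'
menuentry 'Proxmox VE GNU/Linux' --class proxmox $menuentry_id_option 'gnulinux-simple-11111111-2222-3333-4444-555555555555' {
}
submenu 'Advanced options for Proxmox VE GNU/Linux' $menuentry_id_option 'gnulinux-advanced-11111111-2222-3333-4444-555555555555' {
    menuentry 'Proxmox VE GNU/Linux, with Linux 6.17.0-0-pve' --class proxmox $menuentry_id_option 'gnulinux-6.17.0-0-pve-advanced-11111111-2222-3333-4444-555555555555' {
    }
    menuentry 'Proxmox VE GNU/Linux, with Linux 6.14.11-6-pve' --class proxmox $menuentry_id_option 'gnulinux-6.14.11-6-pve-advanced-11111111-2222-3333-4444-555555555555' {
    }
    menuentry 'Proxmox VE GNU/Linux, with Linux 6.14.11-6-pve (recovery mode)' --class proxmox $menuentry_id_option 'gnulinux-6.14.11-6-pve-recovery-11111111-2222-3333-4444-555555555555' {
    }
}
EOF
}

# grub_default_for KERNEL_VERSION GRUB_CFG (hypothetical helper name)
# Prints "<submenu id>><menuentry id>"; exits non-zero if the kernel has no
# normal (non-recovery) entry, e.g. after the pinned kernel package was removed.
grub_default_for() {
    awk -v kver="$1" -v q="'" '
        # Return the quoted id that follows $menuentry_id_option on the line.
        function entry_id(line,    pos, parts) {
            pos = index(line, "$menuentry_id_option")
            if (pos == 0) return ""
            split(substr(line, pos), parts, q)
            return parts[2]
        }
        /^[ \t]*submenu[ \t]/ { sub_id = entry_id($0); next }
        /^[ \t]*menuentry[ \t]/ && sub_id != "" {
            id = entry_id($0)
            # Literal prefix match, so dots in the version are not wildcards.
            if (index(id, "gnulinux-" kver "-advanced-") == 1) {
                print sub_id ">" id; found = 1; exit
            }
        }
        END { exit !found }
    ' "$2"
}

# Demo against the constructed sample.
cfg=$(mktemp)
sample_grub_cfg > "$cfg"
grub_default_for 6.14.11-6-pve "$cfg"
rm -f "$cfg"
```

On the host, call it as grub_default_for 6.14.11-6-pve /boot/grub/grub.cfg and check the exit status after every kernel package change.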


/etc/hosts

127.0.0.1 localhost.localdomain localhost
192.168.1.250 proxfold.localdomain proxfold

/etc/resolv.conf

search localdomain
nameserver 192.168.1.1

/etc/exports

/stash 192.168.1.252(rw,sync,no_subtree_check,no_root_squash)

/etc/pve/storage.cfg

Current state (post Phase 4C, boot drive is now a ZFS mirror rpool):

dir: local
        path /var/lib/vz
        content vztmpl,iso,backup
        prune-backups keep-all=1
        shared 0

zfspool: local-zfs
        pool rpool/data
        content rootdir,images
        mountpoint /rpool/data
        sparse 1

cifs: nasbackup
        path /mnt/pve/nasbackup
        server 192.168.1.253
        share backup
        content backup
        prune-backups keep-all=1
        smbversion 2.0
        username admin

Note

Pre-Phase 4C (single 128GB Samsung 840 PRO boot drive) this file listed lvmthin: local-lvm instead of local-zfs. If you restore from a pre-4C vzdump onto a ZFS-mirror rebuild, VM disks land on local-zfs automatically — but container/VM configs referencing ide2: local:iso/... for detached CD images will fail to start until the stale ide2 line is removed (see the Proxfold rebuild runbook for the recovery step).

Note

The nasbackup CIFS storage is codified in the proxmox Ansible role and appears here automatically after a converge — no manual pvesm add cifs call needed on a rebuild.


/etc/lvm/lvm.conf (global_filter only)

global_filter = [ "r|/dev/zd.*|", "r|/dev/rbd.*|" ]

Prevents LVM from scanning ZFS zvols and Ceph RBD devices — without this, LVM prints spurious errors and can latch onto guest disks that happen to contain LVM metadata. On a PVE upgrade, dpkg will offer a new lvm.conf that drops this filter; keep the old file (D at the conffile prompt). Reviewed during the 2026-04 PVE 9 upgrade.


/etc/pve/lxc/100.conf (GPU passthrough block)

lxc.cgroup2.devices.allow: c 195:* rwm
lxc.cgroup2.devices.allow: c 234:* rwm
lxc.cgroup2.devices.allow: c 237:* rwm
lxc.mount.entry: /dev/nvidia0 dev/nvidia0 none bind,optional,create=file
lxc.mount.entry: /dev/nvidiactl dev/nvidiactl none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-modeset dev/nvidia-modeset none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-uvm dev/nvidia-uvm none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-uvm-tools dev/nvidia-uvm-tools none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-caps/nvidia-cap1 dev/nvidia-caps/nvidia-cap1 none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-caps/nvidia-cap2 dev/nvidia-caps/nvidia-cap2 none bind,optional,create=file

See Plex — GPU passthrough for the warning about dynamic major numbers — the 234/237 values shift whenever the Nvidia kernel module is rebuilt.
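A drift check for the dynamic majors, as an added example that is not part of the original page: it compares the majors granted by the lxc.cgroup2.devices.allow lines with the majors that nvidia* character drivers currently hold in /proc/devices. The function names and the sample /proc/devices content are assumptions; a "stale" result means the container is still allowed on a major that no longer belongs to the GPU.

```bash
#!/bin/sh
# Added example: compare the majors the CT may access with the majors nvidia drivers hold now.

# Constructed /proc/devices excerpt after a module rebuild (driver names and majors are made up).
sample_proc_devices() {
cat <<'EOF'
Character devices:
  1 mem
 10 misc
195 nvidia
236 nvidia-caps
239 nvidia-uvm

Block devices:
  8 sd
EOF
}

# The allow lines from the GPU passthrough block shown on this page.
sample_ct_conf() {
cat <<'EOF'
lxc.cgroup2.devices.allow: c 195:* rwm
lxc.cgroup2.devices.allow: c 234:* rwm
lxc.cgroup2.devices.allow: c 237:* rwm
EOF
}

# Majors registered by character drivers whose name starts with "nvidia".
nvidia_majors() {
    awk '/^Character devices:/ { c = 1; next }
         /^Block devices:/     { c = 0 }
         c && $2 ~ /^nvidia/   { print $1 }' "$1" | sort -un
}

# Majors granted by "lxc.cgroup2.devices.allow: c MAJOR:* ..." lines.
# Assumes every character-device allow line in the file is for the GPU.
allowed_majors() {
    awk '$1 == "lxc.cgroup2.devices.allow:" && $2 == "c" { split($3, a, ":"); print a[1] }' "$1" | sort -un
}

# major_drift PROC_DEVICES CT_CONF: "missing N" = live nvidia major not allowed,
# "stale N" = allowed major that no nvidia driver holds any more.
major_drift() {
    live=$(nvidia_majors "$1"); allowed=$(allowed_majors "$2")
    for m in $live;    do echo "$allowed" | grep -qx "$m" || echo "missing $m"; done
    for m in $allowed; do echo "$live"    | grep -qx "$m" || echo "stale $m";   done
}

tmp=$(mktemp -d); sample_proc_devices > "$tmp/devices"; sample_ct_conf > "$tmp/100.conf"
major_drift "$tmp/devices" "$tmp/100.conf"; rm -rf "$tmp"
```

On the host, run major_drift /proc/devices /etc/pve/lxc/100.conf after each Nvidia module rebuild; empty output means the allow list matches.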


/etc/modprobe.d/zfs.conf

options zfs zfs_arc_max=15032385536

See Storage — ZFS ARC cap for the value reference table.


/etc/modprobe.d/blacklist-nouveau.conf

blacklist nouveau
options nouveau modeset=0

Required to prevent the open-source Nouveau driver from conflicting with the proprietary Nvidia driver used for GPU passthrough to the Plex LXC.


/etc/nut

Network UPS Tools configuration for the CyberPower PR1500ERT2U UPS. All files are owned root:nut with mode 640 (they contain monitoring credentials and must not be world-readable).

/etc/nut/nut.conf

MODE=standalone

/etc/nut/ups.conf

[cyberpower]
    driver = usbhid-ups
    port = auto
    vendorid = 0764
    productid = 0601
    desc = "CyberPower PR1500ERT2U"

/etc/nut/upsd.conf

LISTEN 127.0.0.1 3493
LISTEN ::1 3493

Loopback only — there are no NUT clients on other hosts. See UPS — guest shutdown behaviour.

/etc/nut/upsd.users

[upsmon]
    password = <REDACTED>
    upsmon master

[admin]
    password = <REDACTED>
    actions = SET
    instcmds = ALL

The upsmon user is consumed by the local upsmon daemon. The admin user is used for interactive upsrw / upscmd calls.

/etc/nut/upsmon.conf (relevant lines)

MONITOR cyberpower@localhost 1 upsmon <REDACTED> master
SHUTDOWNCMD "/sbin/shutdown -h +0"
POWERDOWNFLAG /etc/killpower

Note

The /etc/nut/*.conf files are not in vzdump — they live on the Proxmox host filesystem, so they must be captured alongside the other host configs in the Boot Drive Swap runbook before any OS reinstall. After a fresh Proxmox install, apt install nut and restore these files, then systemctl enable --now nut-server nut-monitor.

UDM-Pro port forwards

Tracked here manually since the UDM has no Ansible automation in this homelab. Configured via UDM controller → Settings → Security → Port Forwarding.

| Name | WAN port | Protocol | Forward IP | Forward port | Phase | Purpose |
|---|---|---|---|---|---|---|
| matrix-rtc-ice-tcp | 7881 | TCP | 192.168.1.243 | 7881 | 6E.4 | LiveKit ICE TCP |
| matrix-rtc-ice-udp-mux | 7882 | UDP | 192.168.1.243 | 7882 | 6E.4 | LiveKit ICE UDP-mux |
| matrix-rtc-turn-udp | 3479 | UDP | 192.168.1.243 | 3479 | 6E.4 | LiveKit TURN UDP (port shifted from default 3478 to avoid Coturn collision) |
| matrix-rtc-turn-tcp | 5350 | TCP | 192.168.1.243 | 5350 | 6E.4 | LiveKit TURN-TLS (port shifted from default 5349 to avoid Coturn collision) |
| matrix-rtc-turn-relay | 30000-30020 | UDP | 192.168.1.243 | 30000-30020 | 6E.4 | LiveKit relay range (21 ports) for Element Call group calls |

(Plus the pre-existing forwards for the four *.rampancy.cloud hostnames going to CT 107 edge Caddy: TCP 80 + 443. Those are tracked in the edge-cutover runbook.)

These bypass edge CrowdSec — see accepted-risks: MatrixRTC port-forwards.