Initial commit: VPS setup documentation

Add comprehensive documentation for VPS setup and configuration including:
- Project instructions
- VPS1 starting point configuration
- VPS1 current state documentation
- VPS1 todo list

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-26 07:43:24 +01:00
commit 1e1a528a5e
11 changed files with 3523 additions and 0 deletions

vps1-startpoint.md Normal file

@@ -0,0 +1,272 @@
# VPS1 Analysis - vps1.phiiiil.de
**Generated:** 2025-01-25
**Last Updated:** 2026-01-25
**Target Host:** vps1.phiiiil.de (152.53.119.222)
## System Overview
### Hardware & OS
- **OS:** Debian GNU/Linux 12 (bookworm)
- **Kernel:** Linux 6.1.0-40-arm64 (ARM64 architecture)
- **CPU:** aarch64
- **RAM:** 15GB total, ~13GB available
- **Swap:** 975MB
- **Disk:** 1TB (1006GB), 55GB used (6%), ~900GB free
### Network
- **Public IP:** 152.53.119.222/22
- **Interface:** enp7s0 (46:50:f9:68:52:91)
- **DNS:** 46.38.225.230, 46.38.252.230
- **Domain:** phiiiil.de with subdomains pointing to this host
### Docker Installation
- **Docker Engine:** 20.10.24+dfsg1
- **Docker Compose:** v5.0.2
- **Service Status:** Active (running since Nov 11, 2025)
- **Docker Networks:**
- `bridge` (default)
- `netbird_netbird` - Shared network for all services
- `immich_default` - Immich containers
- `host` (for Coturn TURN server)
## Running Services
### Netbird VPN (8 containers)
**Status:** ✅ Running (healthy)
| Container | Image | Purpose | Network |
|-----------|-------|---------|---------|
| netbird-zitadel-1 | zitadel:v2.64.1 | Identity Provider (OIDC) | netbird_netbird |
| netbird-caddy-1 | caddy:latest | Reverse Proxy (80/443) | netbird_netbird, immich_default |
| netbird-management-1 | management:latest | Management API | netbird_netbird |
| netbird-coturn-1 | coturn:latest | TURN/STUN Relay | host |
| netbird-zdb-1 | postgres:16-alpine | Zitadel DB | netbird_netbird |
| netbird-signal-1 | signal:latest | Signal Service | netbird_netbird |
| netbird-dashboard-1 | dashboard:latest | Web UI | netbird_netbird |
| netbird-relay-1 | relay:latest | Relay Service | netbird_netbird |
**Features:**
- VPN management and user authentication
- Centralized SSO via Zitadel
- Caddy reverse proxy for all services
- Automatic SSL certificate management
### Immich (4 containers)
**Status:** ✅ Running (healthy)
| Container | Image | Purpose | Ports |
|-----------|-------|---------|-------|
| immich_server | immich-server:release | Main application | 2283:2283 |
| immich_machine_learning | immich-machine-learning:release | ML/AI features | - |
| immich_postgres | postgres:14-vector | Database (healthy) | - |
| immich_redis | valkey:8-bookworm | Cache (healthy) | - |
**Important:** Immich contains **34,694 files (39GB)** of photos - Automated daily backup at 04:00 ✅
### Gitea (2 containers)
**Status:** ✅ Running (healthy)
| Container | Image | Purpose | Ports |
|-----------|-------|---------|-------|
| gitea | gitea/gitea:latest | Git hosting | 3000/tcp, 2222:22 |
| gitea-db | postgres:16-alpine | Database (healthy) | 5432/tcp |
**Configuration:**
- **Admin:** User `phil` created
- **Database:** PostgreSQL with strong password
- **SSH:** Port 2222
- **Network:** netbird_netbird
- **Registration:** Disabled (private instance)
## Docker Compose Projects
### 1. Netbird + Caddy
**Location:** `/home/phil/docker/netbird/`
**Files:**
- `docker-compose.yml` - Main compose file
- `Caddyfile` - Reverse proxy configuration for all services
- `dashboard.env`, `relay.env`, `zitadel.env`, `zdb.env` - Environment configs
- `management.json` - Management configuration
- `turnserver.conf` - Coturn TURN server config
- `machinekey/` - Zitadel machine keys
**Caddy Configuration:**
- **nb.phiiiil.de:443** - Netbird Dashboard & API
- **git.phiiiil.de:443** - Gitea reverse proxy
- **immich.phiiiil.de:443** - Immich reverse proxy
- Security headers applied to all routes
- Automatic SSL certificates via Let's Encrypt
**Exposed Ports:** 80/tcp, 443/tcp, 443/udp
### 2. Immich
**Location:** `/home/phil/docker/immich-app/`
**Files:**
- `docker-compose.yml` - Compose file (4 services)
- `.env` - Environment configuration
- `library/` - Photo storage (34,694 files, 39GB) ✅ **Backed up daily**
- `postgres/` - Database files
**Configuration:**
- Upload location: `./library`
- Database location: `./postgres`
- Timezone: Europe/Berlin
- Exposed port: 2283 (internal)
- Backup: Automated daily at 04:00 using rsync
### 3. Gitea
**Location:** `/home/phil/docker/gitea/`
**Files:**
- `docker-compose.yml` - Compose file (2 services)
- `.env` - Database password
**Configuration:**
- Domain: git.phiiiil.de
- Database: PostgreSQL 16
- SSH port: 2222
- Network: netbird_netbird (shared)
- User registration disabled
## Docker Volumes
| Volume | Purpose | Associated Containers |
|--------|---------|----------------------|
| gitea_gitea_db_data | Gitea PostgreSQL data | gitea-db |
| gitea_gitea_data | Gitea application data | gitea |
| immich_model-cache | ML model caching | immich-machine-learning |
| netbird_netbird_caddy_data | Caddy SSL certificates | netbird-caddy-1 |
| netbird_netbird_management | Netbird management data | netbird-management-1 |
| netbird_netbird_zdb_data | Zitadel PostgreSQL | netbird-zdb-1 |
| netbird_netbird_zitadel_certs | Zitadel certificates | netbird-zitadel-1 |
## Current Architecture
```
┌─────────────────────────────────────┐
│ vps1.phiiiil.de (152.53...) │
│ Debian 12 (ARM64) │
│ UFW + Fail2ban │
└─────────────────────────────────────┘
┌──────────────────────────┼──────────────────────────┐
│ │ │
┌───────▼────────┐ ┌────────▼────────┐ ┌────────▼────────┐
│ Netbird VPN │ │ Immich │ │ Gitea │
│ + Caddy │ │ (3 containers) │ │ (2 containers) │
│ (8 containers)│ │ │ │ │
│ │ │ - Server (2283) │ │ - App (3000) │
│ - Caddy (443) │ │ - ML │ │ - SSH (2222) │
│ - Management │ │ - PostgreSQL │ │ - PostgreSQL │
│ - Dashboard │ │ - Redis │ │ │
│ - Zitadel │ │ - 37GB photos │ │ │
│ - Signal/Relay │ │ │ │ │
└────────────────┘ └─────────────────┘ └─────────────────┘
│ │ │
nb.phiiiil.de immich.phiiiil.de git.phiiiil.de
(reverse proxy) (via Caddy) (via Caddy)
```
## Security Status
### ✅ Configured
- **UFW Firewall:** Active and configured
- Only necessary ports exposed (22, 80, 443, 2283, 2222)
- Default deny incoming policy
- **Fail2ban:** Active protecting SSH
- Currently blocking 6 IPs
- 3 strikes = 1 hour ban
- **Security Headers:** All domains have HSTS, X-Frame-Options, CSP
- **SSH:** Key authentication only (no password)
- **Backups:** Automated daily backups (databases + photos) ✅
### ⚠️ Important
- ✅ Immich photos (39GB) - Automated backup implemented (04:00)
- Remote backup storage recommended (mount to `/mnt/backup`)
- OIDC SSO integration plan created (ready to configure)
## System Administration
### SSH Access
- **User:** phil
- **Config:** `~/.ssh/config` (Host vps1)
- **Key:** `~/.ssh/id_rsa` (RSA)
- **Connection:** `ssh vps1`
### Docker Management
- All compose projects in `/home/phil/docker/`
- Use `docker compose` (v5) for management
- Docker service enabled and running
### Automated Backups
**Database Backup (02:00):**
- **Script:** `/home/phil/docker/backup/backup.sh`
- **Location:** `/mnt/backup/latest/`
- **Retention:** 30 days
- **Log:** `/var/log/vps-backup.log`
**Photo Backup (04:00)** ✨ NEW:
- **Script:** `/home/phil/docker/backup/backup-immich-photos.sh`
- **Location:** `/mnt/backup/immich-photos/latest/`
- **Retention:** 30 days
- **Log:** `/var/log/immich-photo-backup.log`
### Cron Jobs
- `0 2 * * * /home/phil/docker/backup/backup.sh >> /var/log/vps-backup.log 2>&1`
- `0 4 * * * /home/phil/docker/backup/backup-immich-photos.sh >> /var/log/immich-photo-backup.log 2>&1`
## System Resources
### Disk Usage
- **Total:** 1TB (1006GB)
- **Used:** 92GB (10%)
- **Available:** 863GB
- **Critical Data:**
- Immich photos: 39GB in `/home/phil/docker/immich-app/library/`**Backed up**
- Photo backup: 39GB in `/mnt/backup/immich-photos/`
- Databases: ~83MB total
### Memory
- **Total:** 15GB
- **Used:** ~2GB
- **Available:** ~13GB
### Services Status
- **Total Containers:** 12
- **Healthy:** 6 (with health checks)
- **All Running:** Yes
## Access URLs
| Service | URL | Credentials |
|---------|-----|-------------|
| Netbird Dashboard | https://nb.phiiiil.de | Configure in Netbird |
| Immich | https://immich.phiiiil.de | Create admin account |
| Gitea | https://git.phiiiil.de | User: `phil` / Password: `j8bKvIl3AtIp5aTG` |
| Git via SSH | git@152.53.119.222:2222 | Use Gitea credentials |
## Documentation Files
- **vps1-state-25012026.md** - Current system state and operational guide
- **vps1-todo.md** - Action items and maintenance tasks
- **docs/deployment-summary.md** - Deployment details and maintenance tasks
- **docs/oidc-integration-guide.md** - How to configure SSO with Netbird Zitadel
- **docs/sso-integration-plan.md** - Complete SSO implementation plan (NEW)
- **docs/sso-integration-diagram.txt** - SSO architecture diagrams (NEW)
- **docs/immich-backup-implementation.md** - Photo backup implementation (NEW)
## Next Steps
All core services are operational with complete backup coverage. Optional enhancements:
1. **Remote backup storage** - Mount storage to `/mnt/backup` for off-site backups
2. **OIDC SSO** - Configure Gitea/Immich with Netbird Zitadel (plan created)
3. **Monitoring** - Set up container health monitoring
---
**Last Updated:** 2026-01-25
**Status:** ✅ Production Ready
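Review bot: The Access URLs table commits a live admin credential (the Gitea `phil` password) to the repository, so anyone with read access to this repo, and every future clone of its history, holds the admin login for git.phiiiil.de. Rotate that password now (deleting it from the file in a follow-up commit does not remove it from history), replace the cell with a pointer to where secrets are actually kept (e.g. "see password manager"), and add a pre-commit secret scanner so `.env` values and passwords cannot land in docs again. Secondary inconsistencies to fix in the same file: the architecture diagram says Immich is 3 containers with 37GB of photos while the service table says 4 containers and 39GB; Disk Usage reports 92GB used (10%) while System Overview reports 55GB used (6%); `Generated: 2025-01-25` looks like a typo for 2026 given the `Last Updated` line; and the UFW section lists 2283 among exposed ports while the Immich section calls that port internal. Since Immich is already fronted by Caddy on 443, either the firewall rule or the description is wrong, and the exposed-ports list in Security Status should be the one that matches the actual `ufw status` output.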