Initial commit: VPS setup documentation

Add comprehensive documentation for VPS setup and configuration including:
- Project instructions
- VPS1 starting point configuration
- VPS1 current state documentation
- VPS1 todo list

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-26 07:43:24 +01:00
commit 1e1a528a5e
11 changed files with 3523 additions and 0 deletions

vps1-todo.md Normal file

@@ -0,0 +1,350 @@
# VPS1 Todo List
**Host:** vps1.phiiiil.de (152.53.119.222)
**Last Updated:** 2026-01-25
**System Status:** ✅ Production Ready
---
## Priority 1: Critical Data Protection 🔴
### 1.1 Immich Photo Backup (37GB) ✅ COMPLETED
**Status:** ✅ **IMPLEMENTED** - Daily automated backup running
**Completion Date:** 2026-01-25
**Schedule:** Daily at 04:00 German time (CET/CEST)
**Location:** `/mnt/backup/immich-photos/`
**Retention:** 30 days
**What Was Done:**
- [x] Created dedicated Immich photo backup script
- [x] Installed rsync for efficient incremental backups
- [x] Configured cron job for daily 04:00 execution
- [x] Performed initial backup (34,694 files, 39.34GB)
- [x] Set up 30-day retention policy
- [x] Configured logging to `/var/log/immich-photo-backup.log`
**Backup Details:**
- Script: `/home/phil/docker/backup/backup-immich-photos.sh`
- Uses rsync with hardlinking for space efficiency
- First backup: ~4 minutes (164 MB/s)
- Subsequent backups: Incremental (only changed files)
- Total space used: ~39GB per full backup
**Monitoring:**
```bash
# Check backup log
tail -f /var/log/immich-photo-backup.log
# View latest backup
ls -lah /mnt/backup/immich-photos/latest/
# Check backup info
cat /mnt/backup/immich-photos/latest/backup-info.txt
```
**Restore Procedure:**
```bash
# Restore all photos
rsync -av /mnt/backup/immich-photos/latest/ /home/phil/docker/immich-app/library/
# Or restore specific date
rsync -av /mnt/backup/immich-photos/20260125_160319/ /home/phil/docker/immich-app/library/
```
**References:**
- `vps1-state-25012026.md` lines 145-156, 386-396
- `docs/deployment-summary.md` lines 375-388
---
### 1.2 Remote Backup Storage Mount
**Status:** ⚠️ **RECOMMENDED** - Local disk only
**Risk:** Single point of failure
**Effort:** 2-4 hours
**Action Required:**
- [ ] Choose remote storage option:
- S3 bucket via s3fs
- NFS mount
- SSHFS
- WebDAV
- [ ] Mount storage to `/mnt/backup`
- [ ] Update backup script to include Immich photos
- [ ] Test automated backup with remote storage
- [ ] Verify backup completion daily for first week
**Current:** Backups go to `/mnt/backup` (local disk)
**Goal:** Remote off-site storage
**References:**
- `docs/deployment-summary.md` lines 363-372
- `vps1-state-25012026.md` lines 361-374
---
## Priority 2: Enhanced Authentication 🟡
### 2.1 SSO Integration (Gitea + Immich)
**Status:** 📋 Plan created, ready to implement
**Benefit:** Unified authentication across all services
**Effort:** 2.5 hours
**Prerequisites:**
- [ ] Have Netbird admin credentials ready
**Implementation Steps:**
**Phase 1: Zitadel Configuration (30 min)**
- [ ] Login to Zitadel at https://nb.phiiiil.de/ui
- [ ] Create Gitea project and application
- [ ] Save Gitea Client ID and Secret
- [ ] Create Immich project and application
- [ ] Save Immich Client ID and Secret
**Phase 2: Gitea Integration (20 min)**
- [ ] Login to Gitea at https://git.phiiiil.de (phil / j8bKvIl3AtIp5aTG)
- [ ] Configure OAuth2 in Authentication Sources
- [ ] Enable auto-user creation
- [ ] Test SSO login
- [ ] Verify user account creation
**Phase 3: Immich Integration (20 min)**
- [ ] Login to Immich at https://immich.phiiiil.de
- [ ] Configure OAuth2 in Settings
- [ ] Enable auto-registration and auto-linking
- [ ] Test SSO login
- [ ] Verify user account creation
**Phase 4: Testing & Documentation (1 hour)**
- [ ] Test Gitea SSO full flow
- [ ] Test Immich SSO full flow
- [ ] Test cross-service SSO
- [ ] Update documentation with Client IDs (encrypted)
- [ ] Document any issues or workarounds
**References:**
- `docs/sso-integration-plan.md` - Complete implementation guide
- `docs/sso-integration-diagram.txt` - Architecture diagrams
- `docs/oidc-integration-guide.md` - Original setup guide
---
## Priority 3: System Maintenance 🟢
### 3.1 Regular Maintenance Tasks
**Daily:**
- [ ] Check backup completion: `tail -f /var/log/vps-backup.log`
- [ ] Verify all containers running: `docker ps`
**Weekly:**
- [ ] Review fail2ban bans: `sudo fail2ban-client status sshd`
- [ ] Check disk space: `df -h`
- [ ] Review container health: `docker ps --format "table {{.Names}}\t{{.Status}}"`
**Monthly:**
- [ ] Update container images:
```bash
cd /home/phil/docker/gitea && docker compose pull
cd /home/phil/docker/netbird && docker compose pull
cd /home/phil/docker/immich-app && docker compose pull
```
- [ ] Run system updates: `sudo apt update && sudo apt upgrade`
- [ ] Review banned IPs: `sudo fail2ban-client status sshd`
**Quarterly:**
- [ ] Test backup restoration procedures
- [ ] Review and rotate SSH keys if needed
- [ ] Audit firewall rules: `sudo ufw status numbered`
- [ ] Review and clean old backups (auto-cleanup after 30 days)
- [ ] Review OAuth2 tokens in Zitadel (if SSO implemented)
### 3.2 Security Review
**Next Security Review:** 2026-04-25 (3 months)
- [ ] Review all user accounts and access
- [ ] Check for security updates
- [ ] Review Fail2ban effectiveness
- [ ] Audit UFW rules for necessity
- [ ] Review SSL certificate status
- [ ] Check container image vulnerabilities
---
## Priority 4: Optional Enhancements 🔵
### 4.1 Container Monitoring
**Status:** Optional enhancement
**Benefit:** Proactive issue detection
**Effort:** 4-6 hours
**Options:**
- [ ] Set up Prometheus + Grafana
- [ ] Configure health check alerts
- [ ] Set up log aggregation
- [ ] Implement notification system
### 4.2 Immich External Storage
**Status:** Optional (backup alternative)
**Benefit:** Direct cloud storage integration
**Effort:** 3-4 hours
**Action Required:**
- [ ] Research Immich S3 support
- [ ] Configure external storage backend
- [ ] Migrate existing photos
- [ ] Update backup strategy
### 4.3 Gitea CI/CD Integration
**Status:** Optional
**Benefit:** Automated testing and deployment
**Effort:** 2-3 hours
**Action Required:**
- [ ] Explore Gitea Actions
- [ ] Set up runner container
- [ ] Create example workflows
- [ ] Document CI/CD setup
### 4.4 Additional Applications
**Status:** Future consideration
**Effort:** Varies
**Potential Additions:**
- [ ] Password manager (Bitwarden, Vaultwarden)
- [ ] Monitoring dashboard (Uptime Kuma)
- [ ] Media server (Jellyfin, Plex)
- [ ] Wiki (Wiki.js, BookStack)
- [ ] Automation (n8n, Home Assistant)
---
## Quick Reference Commands
### Backup Management
```bash
# Run backup manually
/home/phil/docker/backup/backup.sh
# Check latest backup
ls -lah /mnt/backup/latest/
cat /mnt/backup/latest/backup-info.txt
# Check backup log
tail -f /var/log/vps-backup.log
```
### Container Management
```bash
# View all containers
docker ps
# View container logs
docker logs -f <container_name>
# Restart service
cd /home/phil/docker/<service> && docker compose restart
# Check container health
docker ps --format "table {{.Names}}\t{{.Status}}"
```
### Security
```bash
# Firewall status
sudo ufw status numbered
# Fail2ban status
sudo fail2ban-client status sshd
# Check active SSH connections
who
```
### System Resources
```bash
# Disk usage
df -h
# Memory usage
free -h
# Container resource usage
docker stats
```
---
## System Information
### Services
| Service | URL | Admin Access | Status |
|---------|-----|--------------|--------|
| Netbird Dashboard | https://nb.phiiiil.de | Netbird admin | ✅ Running |
| Gitea | https://git.phiiiil.de | phil / j8bKvIl3AtIp5aTG | ✅ Running |
| Immich | https://immich.phiiiil.de | Immich admin | ✅ Running |
### Access Credentials
**SSH:** `ssh vps1` (user: phil, key authentication)
**Gitea Admin:**
- Username: `phil`
- Password: `j8bKvIl3AtIp5aTG`
- SSH: git@152.53.119.222:2222
**Netbird:** Configure via Netbird dashboard
**Immich:** Created during initial setup
### Resources
- **Disk:** 55GB used of 1TB (6%) - 900GB free
- **RAM:** ~2GB used of 15GB - 13GB free
- **Containers:** 12 running, 6 healthy
### Documentation
- `vps1-state-25012026.md` - Current system state and operations
- `vps1-startpoint.md` - System analysis and architecture
- `docs/deployment-summary.md` - Deployment details and maintenance
- `docs/oidc-integration-guide.md` - SSO setup guide
- `docs/sso-integration-plan.md` - SSO implementation plan
- `docs/sso-integration-diagram.txt` - SSO architecture diagrams
- `vps1-todo.md` - This document
---
## Decision Log
### 2026-01-25: Nextcloud Removed
**Decision:** Removed Nextcloud due to FastCGI configuration issues
**Reason:** Multiple attempts to fix PHP-FPM and routing failed
**Alternative:** Using Gitea for code, Immich for photos
**Status:** ✅ Complete
### 2025-11-XX: Netbird Deployed
**Decision:** Deployed Netbird VPN with Zitadel SSO
**Reason:** Centralized user management and VPN access
**Status:** ✅ Complete
### 2025-XX-XX: Immich Deployed
**Decision:** Deployed Immich for photo management
**Reason:** Self-hosted Google Photos alternative
**Status:** ✅ Complete (37GB photos)
---
## Notes
- All core services are production-ready
- System is secured with UFW firewall and Fail2ban
- Automated daily backups configured (databases only)
- SSL certificates managed automatically by Caddy
- Regular maintenance is minimal but required
- Photo backup is the highest priority task
**Next Review Date:** 2026-02-25 (1 month)
---
**Document Version:** 1.0
**Created:** 2026-01-25
**Status:** Active
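Review bot: the Gitea admin password is committed in clear text in three places in this file (the Phase 2 step `Login to Gitea at https://git.phiiiil.de (phil / j8bKvIl3AtIp5aTG)`, the Services table, and the Access Credentials section); once pushed it stays in git history, so it should be rotated and the document should point at wherever secrets are kept instead of inlining them, which is also what the document itself asks for in `Update documentation with Client IDs (encrypted)`. Two consistency points in the same hunk: the Notes section still states `Automated daily backups configured (databases only)` and calls photo backup the highest priority task, which contradicts section 1.1 marking the Immich photo backup as completed with a daily 04:00 cron job, so those two bullets should be updated. Finally, the Security quick-reference uses `who` under "Check active SSH connections"; `who` lists logged-in login sessions, not SSH connections specifically, so either reword the comment or use a socket-level check, and the Restore Procedure runs `rsync -av` without `--delete`, which is a reasonable default for a restore but leaves files deleted since the backup in place, a caveat worth one line next to those commands.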