# VPS1 System Setup Plan

## Overview

This document outlines the plan to configure vps1.phiiiil.de as a secure, Docker-based system running:
- **Immich** - Photo management (already deployed with 37GB of photos)
- **Netbird** - VPN management & reverse proxy (already deployed)
- **Gitea** - Git hosting (to be deployed)

## Current State Assessment

### What's Working
- All containers are healthy and running
- Netbird is configured with Caddy reverse proxy
- Immich has 37GB of photos stored
- DNS: *.vps1.phiiiil.de redirects to the host
- Docker Compose v5 installed
- 900GB disk space available

### Security Gaps Identified
1. No firewall (UFW) installed
2. No fail2ban for SSH protection
3. No automated backup system
4. Nextcloud has hardcoded passwords in compose file
5. No container monitoring

## Implementation Plan

### Phase 1: Security Hardening

#### 1.1 Install UFW Firewall
```bash
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH (current connection)
sudo ufw allow 22/tcp comment 'SSH'

# Allow HTTP/HTTPS for Caddy
sudo ufw allow 80/tcp comment 'Caddy HTTP'
sudo ufw allow 443/tcp comment 'Caddy HTTPS'
sudo ufw allow 443/udp comment 'Caddy HTTP3/QUIC'

# Allow Immich direct access (optional, via Caddy recommended)
sudo ufw allow 2283/tcp comment 'Immich Web UI'

# Enable firewall
sudo ufw enable
```

#### 1.2 Fail2ban for SSH Protection
```bash
# Install fail2ban
sudo apt update && sudo apt install -y fail2ban

# Create local configuration
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Configure SSH protection
sudo tee -a /etc/fail2ban/jail.local > /dev/null <<EOF
[sshd]
enabled = true
port = 22
maxretry = 3
bantime = 3600
findtime = 600
EOF

sudo systemctl enable --now fail2ban
```

#### 1.3 Secure Nextcloud Credentials
- Move Nextcloud credentials to `.env` file
- Use Docker secrets for sensitive data
- Rotate MariaDB passwords

### Phase 2: Gitea Deployment

#### 2.1 Architecture Decisions

**Questions for User:**
1. Database preference for Gitea?
   - SQLite (simple, single file)
   - PostgreSQL (better performance, can share with existing)
   - MariaDB (separate instance)

2. Authentication integration?
   - Local accounts only
   - Integrate with Netbird/Zitadel OIDC

3. Storage requirements?
   - Estimated repositories/users
   - LFS support needed?

#### 2.2 Proposed Gitea Setup

**Location:** `/home/phil/docker/gitea/`

**Domain:** `git.phiiiil.de` (via Caddy reverse proxy)

**Services:**
- Gitea application container
- PostgreSQL database (separate or shared)
- Caddy reverse proxy entry

**Caddy Configuration Addition:**
```caddy
git.phiiiil.de {
    import security_headers
    reverse_proxy gitea:3000
}
```

**Basic docker-compose.yml:**
```yaml
services:
  gitea:
    image: gitea/gitea:latest
    container_name: gitea
    restart: unless-stopped
    networks:
      - netbird_netbird
    ports:
      - "2222:22"  # SSH for git
    volumes:
      - gitea_data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      - GITEA__server__DOMAIN=git.phiiiil.de
      - GITEA__server__ROOT_URL=https://git.phiiiil.de
      - GITEA__server__SSH_PORT=2222
      - GITEA__server__SSH_DOMAIN=git.phiiiil.de
    depends_on:
      - db

  db:
    image: postgres:16-alpine
    container_name: gitea-db
    restart: unless-stopped
    networks:
      - netbird_netbird
    volumes:
      - gitea_db_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=gitea
      - POSTGRES_USER=gitea
      - POSTGRES_PASSWORD=${DB_PASSWORD}

volumes:
  gitea_data:
  gitea_db_data:

networks:
  netbird_netbird:
    external: true
```

### Phase 3: Backup Strategy

#### 3.1 Backup Targets
- Immich photos (37GB) - Critical
- Immich database
- Netbird configuration & data
- Gitea repositories & database
- Nextcloud data

#### 3.2 Backup Solution Options

**Option A: Restic + rclone**
- Incremental backups
- Can backup to multiple destinations (S3, B2, local)
- Built-in encryption
- Automatic pruning

**Option B: Duplicity**
- Classic solution
- GPG encryption
- Supports various backends

**Option C: Custom rsync script**
- Simple
- Full backups only
- No built-in encryption

**Recommended:** Option A (Restic)

#### 3.3 Proposed Backup Script
```bash
#!/bin/bash
# Backup script for VPS1

# Immich database
docker exec immich_postgres pg_dump -U postgres immich | gzip > /backup/immich-db-$(date +%Y%m%d).sql.gz

# Netbird management data
docker run --rm -v netbird_netbird_management:/data -v /backup:/backup alpine tar czf /backup/netbird-$(date +%Y%m%d).tar.gz /data

# Restic snapshots
restic -r rclone:backup:vps1 backup /home/phil/docker
restic -r rclone:backup:vps1 forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12
```

### Phase 4: Monitoring

#### 4.1 Container Monitoring
- **cAdvisor** - Container metrics
- **Node Exporter** - Host metrics
- **Grafana + Prometheus** - Dashboards (optional)

#### 4.2 Simple Monitoring (Recommended)
- Docker health checks
- Uptime monitoring via external service
- Email alerts on container failures
- Log aggregation with Loki (optional)

## File Structure

```
/home/phil/docker/
├── netbird/           # Existing - VPN management
├── immich-app/        # Existing - Photo management
├── nextcloud/         # Existing - File storage
├── gitea/             # NEW - Git hosting
│   ├── docker-compose.yml
│   ├── .env
│   └── Caddy-snippet.conf
└── backup/            # NEW - Backup scripts
    ├── backup.sh
    ├── restore.sh
    └── restic/
```

## Caddy Unified Configuration

Update `/home/phil/docker/netbird/Caddyfile` to handle all services:

```caddy
{
  debug
  servers :80,:443 {
    protocols h1 h2c h2 h3
  }
}

(security_headers) {
    header * {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        X-XSS-Protection "1; mode=block"
        -Server
        Referrer-Policy strict-origin-when-cross-origin
    }
}

# Netbird Dashboard & API
nb.phiiiil.de, vps1.phiiiil.de {
    import security_headers
    # ... existing netbird routes ...
}

# Immich
immich.phiiiil.de {
    import security_headers
    reverse_proxy immich_server:2283
}

# Gitea
git.phiiiil.de {
    import security_headers
    reverse_proxy gitea:3000
}

# Nextcloud
nc.phiiiil.de {
    # ... existing nextcloud config ...
}
```

## Implementation Order

1. ✅ **COMPLETED:** VPS Analysis
2. ✅ **COMPLETED:** Documentation created
3. **NEXT:** User approval of plan
4. **TODO:** Security hardening (UFW, fail2ban)
5. **TODO:** Gitea deployment (after user decisions)
6. **TODO:** Backup system setup
7. **TODO:** Monitoring setup
8. **TODO:** Final documentation update

## Questions for User

Before proceeding with Gitea deployment:

1. **Database for Gitea:** SQLite (simpler) or PostgreSQL (better)?
2. **Authentication:** Local accounts or integrate with Netbird OIDC?
3. **Git SSH access:** Use port 2222 or different port?
4. **Backup destination:** Where should backups be stored?
5. **Monitoring level:** Basic (health checks) or full (Grafana dashboards)?

## Risk Assessment

| Risk | Impact | Mitigation |
|------|--------|------------|
| Immich data loss | **CRITICAL** | Automated backups before any changes |
| Container downtime | Medium | Rollback procedures documented |
| Security breach | **HIGH** | UFW, fail2ban, regular updates |
| Disk space exhaustion | Medium | Monitor usage (900GB free) |
| DNS configuration issues | Low | Test DNS before service deployment |