# VPS1 Analysis - vps1.phiiiil.de

**Generated:** 2025-01-25
**Last Updated:** 2026-01-25
**Target Host:** vps1.phiiiil.de (152.53.119.222)

## System Overview

### Hardware & OS

- **OS:** Debian GNU/Linux 12 (bookworm)
- **Kernel:** Linux 6.1.0-40-arm64 (ARM64 architecture)
- **CPU:** aarch64
- **RAM:** 15GB total, ~13GB available
- **Swap:** 975MB
- **Disk:** 1TB (1006GB), 92GB used (10%), ~863GB free (breakdown under System Resources below)

### Network

- **Public IP:** 152.53.119.222/22
- **Interface:** enp7s0 (46:50:f9:68:52:91)
- **DNS:** 46.38.225.230, 46.38.252.230
- **Domain:** phiiiil.de with subdomains pointing to this host

### Docker Installation

- **Docker Engine:** 20.10.24+dfsg1
- **Docker Compose:** v5.0.2
- **Service Status:** Active (running since Nov 11, 2025)
- **Docker Networks:**
  - `bridge` (default)
  - `netbird_netbird` - Shared network for all services
  - `immich_default` - Immich containers
  - `host` (for Coturn TURN server)

## Running Services

### Netbird VPN (8 containers)

**Status:** ✅ Running (healthy)

| Container | Image | Purpose | Network |
|-----------|-------|---------|---------|
| netbird-zitadel-1 | zitadel:v2.64.1 | Identity Provider (OIDC) | netbird_netbird |
| netbird-caddy-1 | caddy:latest | Reverse Proxy (80/443) | netbird_netbird, immich_default |
| netbird-management-1 | management:latest | Management API | netbird_netbird |
| netbird-coturn-1 | coturn:latest | TURN/STUN Relay | host |
| netbird-zdb-1 | postgres:16-alpine | Zitadel DB | netbird_netbird |
| netbird-signal-1 | signal:latest | Signal Service | netbird_netbird |
| netbird-dashboard-1 | dashboard:latest | Web UI | netbird_netbird |
| netbird-relay-1 | relay:latest | Relay Service | netbird_netbird |

**Features:**

- VPN management and user authentication
- Centralized SSO via Zitadel
- Caddy reverse proxy for all services
- Automatic SSL certificate management

### Immich (4 containers)

**Status:** ✅ Running (healthy)

| Container | Image | Purpose | Ports (host:container where published) |
|-----------|-------|---------|-------|
| immich_server | immich-server:release | Main application | 2283:2283 |
| immich_machine_learning | immich-machine-learning:release | ML/AI features | - |
| immich_postgres | postgres:14-vector | Database (healthy) | - |
| immich_redis | valkey:8-bookworm | Cache (healthy) | - |

**Important:** Immich contains **34,694 files (39GB)** of photos.

- Automated daily backup at 04:00 ✅

### Gitea (2 containers)

**Status:** ✅ Running (healthy)

| Container | Image | Purpose | Ports (host:container where published) |
|-----------|-------|---------|-------|
| gitea | gitea/gitea:latest | Git hosting | 3000/tcp (container only), 2222:22 |
| gitea-db | postgres:16-alpine | Database (healthy) | 5432/tcp (container only) |

**Configuration:**

- **Admin:** User `phil` created
- **Database:** PostgreSQL with strong password
- **SSH:** Port 2222
- **Network:** netbird_netbird
- **Registration:** Disabled (private instance)

## Docker Compose Projects

### 1. Netbird + Caddy

**Location:** `/home/phil/docker/netbird/`

**Files:**

- `docker-compose.yml` - Main compose file
- `Caddyfile` - Reverse proxy configuration for all services
- `dashboard.env`, `relay.env`, `zitadel.env`, `zdb.env` - Environment configs
- `management.json` - Management configuration
- `turnserver.conf` - Coturn TURN server config
- `machinekey/` - Zitadel machine keys

**Caddy Configuration:**

- **nb.phiiiil.de:443** - Netbird Dashboard & API
- **git.phiiiil.de:443** - Gitea reverse proxy
- **immich.phiiiil.de:443** - Immich reverse proxy
- Security headers applied to all routes
- Automatic SSL certificates via Let's Encrypt

**Exposed Ports:** 80/tcp, 443/tcp, 443/udp

### 2. Immich

**Location:** `/home/phil/docker/immich-app/`

**Files:**

- `docker-compose.yml` - Compose file (4 services)
- `.env` - Environment configuration
- `library/` - Photo storage (34,694 files, 39GB) ✅ **Backed up daily**
- `postgres/` - Database files

**Configuration:**

- Upload location: `./library`
- Database location: `./postgres`
- Timezone: Europe/Berlin
- Port 2283 published on the host (`2283:2283`); Caddy proxies immich.phiiiil.de to the container (see the UFW caveat under Security Status)
- Backup: Automated daily at 04:00 using rsync

### 3. Gitea

**Location:** `/home/phil/docker/gitea/`

**Files:**

- `docker-compose.yml` - Compose file (2 services)
- `.env` - Database password

**Configuration:**

- Domain: git.phiiiil.de
- Database: PostgreSQL 16
- SSH port: 2222
- Network: netbird_netbird (shared)
- User registration disabled

## Docker Volumes

| Volume | Purpose | Associated Containers |
|--------|---------|----------------------|
| gitea_gitea_db_data | Gitea PostgreSQL data | gitea-db |
| gitea_gitea_data | Gitea application data | gitea |
| immich_model-cache | ML model caching | immich-machine-learning |
| netbird_netbird_caddy_data | Caddy SSL certificates | netbird-caddy-1 |
| netbird_netbird_management | Netbird management data | netbird-management-1 |
| netbird_netbird_zdb_data | Zitadel PostgreSQL | netbird-zdb-1 |
| netbird_netbird_zitadel_certs | Zitadel certificates | netbird-zitadel-1 |

## Current Architecture

```
         ┌─────────────────────────────────────┐
         │   vps1.phiiiil.de (152.53...)       │
         │   Debian 12 (ARM64)                 │
         │   UFW + Fail2ban                    │
         └─────────────────────────────────────┘
                            │
        ┌───────────────────┼───────────────────┐
        │                   │                   │
┌───────▼─────────┐ ┌───────▼─────────┐ ┌───────▼─────────┐
│ Netbird VPN     │ │ Immich          │ │ Gitea           │
│ + Caddy         │ │ (4 containers)  │ │ (2 containers)  │
│ (8 containers)  │ │                 │ │                 │
│                 │ │ - Server (2283) │ │ - App (3000)    │
│ - Caddy (443)   │ │ - ML            │ │ - SSH (2222)    │
│ - Management    │ │ - PostgreSQL    │ │ - PostgreSQL    │
│ - Dashboard     │ │ - Redis         │ │                 │
│ - Zitadel       │ │ - 39GB photos   │ │                 │
│ - Signal/Relay  │ │                 │ │                 │
└─────────────────┘ └─────────────────┘ └─────────────────┘
        │                   │                   │
  nb.phiiiil.de     immich.phiiiil.de    git.phiiiil.de
 (reverse proxy)       (via Caddy)         (via Caddy)
```

## Security Status

### ✅ Configured

- **UFW Firewall:** Active, default deny incoming
  - Allowed ports: 22, 80, 443, 2283, 2222
  - Caveat: ports that Docker publishes on `0.0.0.0` (2283 for Immich, 2222 for Gitea SSH, 80/443 for Caddy) are reachable through Docker's own iptables FORWARD rules whether or not UFW allows them; restricting them needs either a loopback bind in the compose file (`127.0.0.1:2283:2283`) or rules in the `DOCKER-USER` chain, not a UFW rule alone
  - Port 2283 serves Immich over plain HTTP next to the Caddy HTTPS endpoint, without TLS or the security headers below. Caddy shares the `immich_default` network with the container, so the host port is not needed for the proxy to work
- **Fail2ban:** Active protecting SSH
  - Currently blocking 6 IPs
  - 3 strikes = 1 hour ban
- **Security Headers:** All domains have HSTS, X-Frame-Options, CSP
- **SSH:** Key authentication only (no password)
- **Backups:** Automated daily backups (databases + photos) ✅

### ⚠️ Important

- ✅ Immich photos (39GB) - Automated backup implemented (04:00). The copy lives under `/mnt/backup` on the same 1TB disk (it is counted in the disk usage below), so it covers accidental deletion and bad upgrades, not disk failure or a compromised host
- Remote backup storage recommended (mount external storage at `/mnt/backup`)
- OIDC SSO integration plan created (ready to configure)

## System Administration

### SSH Access

- **User:** phil
- **Config:** `~/.ssh/config` (Host vps1)
- **Key:** `~/.ssh/id_rsa` (RSA)
- **Connection:** `ssh vps1`

### Docker Management

- All compose projects in `/home/phil/docker/`
- Use `docker compose` (v5) for management
- Docker service enabled and running

### Automated Backups

**Database Backup (02:00):**

- **Script:** `/home/phil/docker/backup/backup.sh`
- **Location:** `/mnt/backup/latest/`
- **Retention:** 30 days
- **Log:** `/var/log/vps-backup.log`

**Photo Backup (04:00)** ✨ NEW:

- **Script:** `/home/phil/docker/backup/backup-immich-photos.sh`
- **Location:** `/mnt/backup/immich-photos/latest/`
- **Retention:** 30 days
- **Log:** `/var/log/immich-photo-backup.log`

### Cron Jobs

- `0 2 * * * /home/phil/docker/backup/backup.sh >> /var/log/vps-backup.log 2>&1`
- `0 4 * * * /home/phil/docker/backup/backup-immich-photos.sh >> /var/log/immich-photo-backup.log 2>&1`

## System Resources

### Disk Usage

- **Total:** 1TB (1006GB)
- **Used:** 92GB (10%)
- **Available:** 863GB
- **Critical Data:**
  - Immich photos: 39GB in `/home/phil/docker/immich-app/library/` ✅ **Backed up**
  - Photo backup: 39GB in `/mnt/backup/immich-photos/` (same disk)
  - Databases: ~83MB total

### Memory

- **Total:** 15GB
- **Used:** ~2GB
- **Available:** ~13GB

### Services Status

- **Total Containers:** 14 (8 Netbird + 4 Immich + 2 Gitea)
- **Healthy:** 6 (with health checks)
- **All Running:** Yes

## Access URLs

| Service | URL | Credentials |
|---------|-----|-------------|
| Netbird Dashboard | https://nb.phiiiil.de | Configure in Netbird |
| Immich | https://immich.phiiiil.de | Create admin account |
| Gitea | https://git.phiiiil.de | User: `phil` / Password: not recorded here (an earlier revision stored it in plaintext in this file; rotate it) |
| Git via SSH | `ssh://git@152.53.119.222:2222/<user>/<repo>.git` | SSH public key registered in the Gitea account (the `host:2222` scp-style form does not work: git reads `2222` as the path, so use the `ssh://` URL or `ssh -p 2222`) |

## Documentation Files

- **vps1-state-25012026.md** - Current system state and operational guide
- **vps1-todo.md** - Action items and maintenance tasks
- **docs/deployment-summary.md** - Deployment details and maintenance tasks
- **docs/oidc-integration-guide.md** - How to configure SSO with Netbird Zitadel
- **docs/sso-integration-plan.md** - Complete SSO implementation plan (NEW)
- **docs/sso-integration-diagram.txt** - SSO architecture diagrams (NEW)
- **docs/immich-backup-implementation.md** - Photo backup implementation (NEW)

## Next Steps

All core services are operational; databases and photos are backed up daily to local disk. Remaining enhancements:

1. **Remote backup storage** - Mount storage to `/mnt/backup` for off-site backups (until then a disk failure takes the originals and the backups together)
2. **OIDC SSO** - Configure Gitea/Immich with Netbird Zitadel (plan created)
3. **Monitoring** - Set up container health monitoring

---

**Last Updated:** 2026-01-25
**Status:** ✅ Production Ready
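The UFW caveat under Security Status is easiest to verify from the host itself. The following shell script is an added example, not part of this page or of any script on the VPS: it parses the `PORTS` column as printed by `docker ps --format '{{.Names}}\t{{.Ports}}'`, keeps only mappings bound to `0.0.0.0` or `::` (the ones Docker forwards regardless of the UFW allow list), and reports any that are not in the set of ports meant to be public. The sample `docker ps` output is constructed from the container tables above; the function names and the allowed-port list are assumptions.

```shell
#!/bin/sh
# Added example (not the VPS's own tooling): find Docker-published host ports
# that bypass UFW and compare them with the ports that are meant to be public.
set -eu

# Constructed stand-in for:  docker ps --format '{{.Names}}\t{{.Ports}}'
# (values taken from the container tables in this document)
sample_docker_ps() {
  printf '%s\t%s\n' \
    'immich_server'   '0.0.0.0:2283->2283/tcp, :::2283->2283/tcp' \
    'gitea'           '0.0.0.0:2222->22/tcp, :::2222->22/tcp, 3000/tcp' \
    'gitea-db'        '5432/tcp' \
    'netbird-caddy-1' '0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 0.0.0.0:443->443/udp, :::443->443/udp'
}

# stdin: "<name>\t<ports>" lines; stdout: "<name> <hostport>/<proto>" for every
# mapping bound to a wildcard address. Container-only ports ("3000/tcp") and
# loopback binds ("127.0.0.1:2283->2283/tcp") are skipped: neither is
# reachable from the internet.
wildcard_published_ports() {
  awk -F'\t' '{
    n = split($2, e, /, */)
    for (i = 1; i <= n; i++) {
      if (e[i] ~ /^(0\.0\.0\.0|:::|\[::\]:)[0-9]+->/) {
        match(e[i], /:[0-9]+->/)
        port  = substr(e[i], RSTART + 1, RLENGTH - 3)
        proto = substr(e[i], length(e[i]) - 2)
        key = $1 " " port "/" proto
        if (!(key in seen)) { seen[key] = 1; print key }   # collapse v4/v6 twins
      }
    }
  }'
}

# $1: space-separated list of ports meant to be public, e.g.
# "80/tcp 443/tcp 443/udp 2222/tcp". Prints every other wildcard-published
# port and returns 1 if any were found, so it can gate a cron job or a check.
audit_exposure() {
  unexpected=$(wildcard_published_ports | awk -v allowed=" $1 " '
    index(allowed, " " $2 " ") == 0 { print }')
  if [ -z "$unexpected" ]; then
    return 0
  fi
  printf '%s\n' "$unexpected"
  return 1
}

# On the host:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | audit_exposure "80/tcp 443/tcp 443/udp 2222/tcp"
if [ "${1:-}" = "demo" ]; then
  sample_docker_ps | audit_exposure "80/tcp 443/tcp 443/udp 2222/tcp" \
    || echo "unexpected exposure found"
fi
```

Against the sample data the audit reports `immich_server 2283/tcp`. The fix is in the compose file rather than in UFW: change the mapping to `127.0.0.1:2283:2283` (or drop the `ports:` entry, since Caddy reaches the container over `immich_default`), then `docker compose up -d`; if a published port must stay but be limited to certain sources, put that rule in the `DOCKER-USER` iptables chain, which Docker evaluates before its own forwarding rules.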
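The backup scripts themselves are not reproduced on this page. The following shell script is an added example of the pattern the Automated Backups section describes (a daily rsync run with 30-day retention); it is not `backup.sh` or `backup-immich-photos.sh`. It writes one date-named directory per run, hard-links unchanged files against the previous snapshot with rsync `--link-dest` so thirty copies of a 39GB library cost little more than one, prunes snapshots older than the retention window by the date in their name, and verifies the file count afterwards, since a cron job that silently copies nothing is exactly the failure a log file hides. Paths, function names and the constructed sample library are assumptions; it expects GNU `date` as shipped with Debian.

```shell
#!/bin/sh
# Added example (not the VPS's own backup.sh): dated rsync snapshots with
# --link-dest, name-based retention, and a post-run verification step.
set -eu

# Copy SRC into DEST/<YYYY-MM-DD>, hard-linking files unchanged since the
# previous snapshot (DEST/latest). A third argument overrides the date, which
# is how the demo below creates a deliberately stale snapshot.
snapshot_backup() {
  src=$1; dest=$2; day=${3:-$(date +%F)}
  target="$dest/$day"
  mkdir -p "$dest"
  if command -v rsync >/dev/null 2>&1; then
    if [ -d "$dest/latest" ]; then
      # --link-dest must be absolute, otherwise rsync resolves it relative to the target
      rsync -a --delete --link-dest="$(cd "$dest/latest" && pwd -P)" "$src/" "$target/"
    else
      rsync -a --delete "$src/" "$target/"
    fi
  else
    # Fallback so the example also runs on hosts without rsync (no hard-linking)
    rm -rf "$target"; cp -a "$src" "$target"
  fi
  rm -f "$dest/latest"; ln -s "$day" "$dest/latest"
  echo "$target"
}

# Delete snapshot directories whose YYYY-MM-DD name is older than KEEP days.
# Only date-shaped names are considered, so 'latest' and stray files survive.
prune_snapshots() {
  dest=$1; keep=${2:-30}
  cutoff=$(date -d "-$keep days" +%Y%m%d)   # GNU date, as on Debian
  for d in "$dest"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    if [ "$(printf '%s' "$name" | tr -d '-')" -lt "$cutoff" ]; then
      rm -rf "$d"; echo "pruned $name"
    fi
  done
}

# Succeed only if DEST/latest holds as many regular files as SRC. Cheap enough
# to run after every cron backup; a mismatch is worth an alert.
verify_snapshot() {
  src=$1; dest=$2
  want=$(find "$src" -type f | wc -l | tr -d ' ')
  have=$(find "$dest/latest/." -type f | wc -l | tr -d ' ')
  [ "$want" -eq "$have" ]
}

# Demo on a constructed two-file "photo library" in a temporary directory.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  mkdir -p "$work/library/2024"
  echo "constructed photo bytes" > "$work/library/2024/IMG_0001.jpg"
  echo "constructed sidecar"     > "$work/library/2024/IMG_0001.xmp"
  snapshot_backup "$work/library" "$work/backup" 2020-01-01 >/dev/null   # stale snapshot
  snapshot_backup "$work/library" "$work/backup"
  prune_snapshots "$work/backup" 30
  verify_snapshot "$work/library" "$work/backup" && echo "backup verified"
fi
```

Retention is keyed on the directory name rather than on `find -mtime` on purpose: `rsync -a` preserves modification times, including the top-level directory's, so a fresh snapshot of an old library would look old to `find` and be pruned on its first night. For the real cron job the same three calls apply to `/home/phil/docker/immich-app/library` and `/mnt/backup/immich-photos`, with the verification exit status logged so the 04:00 run can be alerted on.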