# VPS1 Todo List

**Host:** vps1.phiiiil.de (152.53.119.222)
**Last Updated:** 2026-01-25
**System Status:** ✅ Production Ready

---

## Priority 1: Critical Data Protection 🔴

### 1.1 Immich Photo Backup (37GB) ✅ COMPLETED

**Status:** ✅ **IMPLEMENTED** - Daily automated backup running
**Completion Date:** 2026-01-25
**Schedule:** Daily at 04:00 German time (CET/CEST)
**Location:** `/mnt/backup/immich-photos/`
**Retention:** 30 days

**What Was Done:**
- [x] Created dedicated Immich photo backup script
- [x] Installed rsync for efficient incremental backups
- [x] Configured cron job for daily 04:00 execution
- [x] Performed initial backup (34,694 files, 39.34GB)
- [x] Set up 30-day retention policy
- [x] Configured logging to `/var/log/immich-photo-backup.log`

**Backup Details:**
- Script: `/home/phil/docker/backup/backup-immich-photos.sh`
- Uses rsync with hardlinking for space efficiency
- First backup: ~4 minutes (164 MB/s)
- Subsequent backups: Incremental (only changed files)
- Size per snapshot: ~39GB apparent; unchanged files are hardlinked to the previous snapshot, so each additional snapshot only consumes disk for the files that changed

**Monitoring:**
```bash
# Check backup log
tail -f /var/log/immich-photo-backup.log

# View latest backup
ls -lah /mnt/backup/immich-photos/latest/

# Check backup info
cat /mnt/backup/immich-photos/latest/backup-info.txt
```

**Restore Procedure:**
```bash
# Stop the Immich containers first so nothing writes to the library while
# files are being copied back.

# Restore all photos from the most recent snapshot
# (no --delete: files added to the library since the snapshot stay in place)
rsync -av /mnt/backup/immich-photos/latest/ /home/phil/docker/immich-app/library/

# Or restore a specific snapshot by date
rsync -av /mnt/backup/immich-photos/20260125_160319/ /home/phil/docker/immich-app/library/
```

**References:**
- `vps1-state-25012026.md` lines 145-156, 386-396
- `docs/deployment-summary.md` lines 375-388

---

### 1.2 Remote Backup Storage Mount

**Status:** ⚠️ **RECOMMENDED** - Local disk only
**Risk:** Single point of failure (backups live on the same host as the data)
**Effort:** 2-4 hours

**Action Required:**
- [ ] Choose remote storage option:
  - S3 bucket via s3fs
  - NFS mount
  - SSHFS
  - WebDAV
- [ ] Mount storage to `/mnt/backup`
- [ ] Update backup script to include Immich photos
- [ ] Test automated backup with
  remote storage
- [ ] Verify backup completion daily for first week

**Current:** Backups go to `/mnt/backup` (local disk)
**Goal:** Remote off-site storage

**References:**
- `docs/deployment-summary.md` lines 363-372
- `vps1-state-25012026.md` lines 361-374

---

## Priority 2: Enhanced Authentication 🟡

### 2.1 SSO Integration (Gitea + Immich)

**Status:** 📋 Plan created, ready to implement
**Benefit:** Unified authentication across all services
**Effort:** 2.5 hours

**Prerequisites:**
- [ ] Have Netbird admin credentials ready

**Implementation Steps:**

**Phase 1: Zitadel Configuration (30 min)**
- [ ] Login to Zitadel at https://nb.phiiiil.de/ui
- [ ] Create Gitea project and application
- [ ] Save Gitea Client ID and Secret
- [ ] Create Immich project and application
- [ ] Save Immich Client ID and Secret

**Phase 2: Gitea Integration (20 min)**
- [ ] Login to Gitea at https://git.phiiiil.de (phil / j8bKvIl3AtIp5aTG)
- [ ] Configure OAuth2 in Authentication Sources
- [ ] Enable auto-user creation
- [ ] Test SSO login
- [ ] Verify user account creation

**Phase 3: Immich Integration (20 min)**
- [ ] Login to Immich at https://immich.phiiiil.de
- [ ] Configure OAuth2 in Settings
- [ ] Enable auto-registration and auto-linking
- [ ] Test SSO login
- [ ] Verify user account creation

**Phase 4: Testing & Documentation (1 hour)**
- [ ] Test Gitea SSO full flow
- [ ] Test Immich SSO full flow
- [ ] Test cross-service SSO
- [ ] Update documentation with Client IDs (encrypted)
- [ ] Document any issues or workarounds

**References:**
- `docs/sso-integration-plan.md` - Complete implementation guide
- `docs/sso-integration-diagram.txt` - Architecture diagrams
- `docs/oidc-integration-guide.md` - Original setup guide

---

## Priority 3: System Maintenance 🟢

### 3.1 Regular Maintenance Tasks

**Daily:**
- [ ] Check backup completion: `tail -f /var/log/vps-backup.log`
- [ ] Verify all containers running: `docker ps`

**Weekly:**
- [ ] Review fail2ban bans: `sudo fail2ban-client status
  sshd`
- [ ] Check disk space: `df -h`
- [ ] Review container health: `docker ps --format "table {{.Names}}\t{{.Status}}"`

**Monthly:**
- [ ] Update container images:
  ```bash
  cd /home/phil/docker/gitea && docker compose pull
  cd /home/phil/docker/netbird && docker compose pull
  cd /home/phil/docker/immich-app && docker compose pull
  # pull only downloads the new images; run `docker compose up -d` in each
  # directory afterwards so the containers are recreated on them
  ```
- [ ] Run system updates: `sudo apt update && sudo apt upgrade`
- [ ] Review banned IPs: `sudo fail2ban-client status sshd`

**Quarterly:**
- [ ] Test backup restoration procedures
- [ ] Review and rotate SSH keys if needed
- [ ] Audit firewall rules: `sudo ufw status numbered`
- [ ] Review and clean old backups (auto-cleanup after 30 days)
- [ ] Review OAuth2 tokens in Zitadel (if SSO implemented)

### 3.2 Security Review

**Next Security Review:** 2026-04-25 (3 months)
- [ ] Review all user accounts and access
- [ ] Check for security updates
- [ ] Review Fail2ban effectiveness
- [ ] Audit UFW rules for necessity
- [ ] Review SSL certificate status
- [ ] Check container image vulnerabilities

---

## Priority 4: Optional Enhancements 🔵

### 4.1 Container Monitoring

**Status:** Optional enhancement
**Benefit:** Proactive issue detection
**Effort:** 4-6 hours

**Options:**
- [ ] Set up Prometheus + Grafana
- [ ] Configure health check alerts
- [ ] Set up log aggregation
- [ ] Implement notification system

### 4.2 Immich External Storage

**Status:** Optional (backup alternative)
**Benefit:** Direct cloud storage integration
**Effort:** 3-4 hours

**Action Required:**
- [ ] Research Immich S3 support
- [ ] Configure external storage backend
- [ ] Migrate existing photos
- [ ] Update backup strategy

### 4.3 Gitea CI/CD Integration

**Status:** Optional
**Benefit:** Automated testing and deployment
**Effort:** 2-3 hours

**Action Required:**
- [ ] Explore Gitea Actions
- [ ] Set up runner container
- [ ] Create example workflows
- [ ] Document CI/CD setup

### 4.4 Additional Applications

**Status:** Future consideration
**Effort:** Varies

**Potential
Additions:**
- [ ] Password manager (Bitwarden, Vaultwarden)
- [ ] Monitoring dashboard (Uptime Kuma)
- [ ] Media server (Jellyfin, Plex)
- [ ] Wiki (Wiki.js, BookStack)
- [ ] Automation (n8n, Home Assistant)

---

## Quick Reference Commands

### Backup Management
```bash
# Run backup manually
/home/phil/docker/backup/backup.sh

# Check latest backup
ls -lah /mnt/backup/latest/
cat /mnt/backup/latest/backup-info.txt

# Check backup log
tail -f /var/log/vps-backup.log
```

### Container Management
```bash
# View all containers
docker ps

# View container logs
docker logs -f <container-name>

# Restart service (one of the compose directories, e.g. gitea, netbird, immich-app)
cd /home/phil/docker/<service> && docker compose restart

# Check container health
docker ps --format "table {{.Names}}\t{{.Status}}"
```

### Security
```bash
# Firewall status
sudo ufw status numbered

# Fail2ban status
sudo fail2ban-client status sshd

# Check active SSH connections
who
```

### System Resources
```bash
# Disk usage
df -h

# Memory usage
free -h

# Container resource usage
docker stats
```

---

## System Information

### Services

| Service | URL | Admin Access | Status |
|---------|-----|--------------|--------|
| Netbird Dashboard | https://nb.phiiiil.de | Netbird admin | ✅ Running |
| Gitea | https://git.phiiiil.de | phil / j8bKvIl3AtIp5aTG | ✅ Running |
| Immich | https://immich.phiiiil.de | Immich admin | ✅ Running |

### Access Credentials

**SSH:** `ssh vps1` (user: phil, key authentication)

**Gitea Admin:**
- Username: `phil`
- Password: `j8bKvIl3AtIp5aTG`
- SSH: git@152.53.119.222:2222

**Netbird:** Configure via Netbird dashboard

**Immich:** Created during initial setup

### Resources
- **Disk:** 55GB used of 1TB (6%) - 900GB free
- **RAM:** ~2GB used of 15GB - 13GB free
- **Containers:** 12 running, 6 healthy

### Documentation
- `vps1-state-25012026.md` - Current system state and operations
- `vps1-startpoint.md` - System analysis and architecture
- `docs/deployment-summary.md` - Deployment details and maintenance
- `docs/oidc-integration-guide.md` - SSO setup guide
-
  `docs/sso-integration-plan.md` - SSO implementation plan
- `docs/sso-integration-diagram.txt` - SSO architecture diagrams
- `vps1-todo.md` - This document

---

## Decision Log

### 2026-01-25: Nextcloud Removed
**Decision:** Removed Nextcloud due to FastCGI configuration issues
**Reason:** Multiple attempts to fix PHP-FPM and routing failed
**Alternative:** Using Gitea for code, Immich for photos
**Status:** ✅ Complete

### 2025-11-XX: Netbird Deployed
**Decision:** Deployed Netbird VPN with Zitadel SSO
**Reason:** Centralized user management and VPN access
**Status:** ✅ Complete

### 2025-XX-XX: Immich Deployed
**Decision:** Deployed Immich for photo management
**Reason:** Self-hosted Google Photos alternative
**Status:** ✅ Complete (37GB photos)

---

## Notes
- All core services are production-ready
- System is secured with UFW firewall and Fail2ban
- Automated daily backups configured (databases only)
- SSL certificates managed automatically by Caddy
- Regular maintenance is minimal but required
- Photo backup is the highest priority task

**Next Review Date:** 2026-02-25 (1 month)

---

**Document Version:** 1.0
**Created:** 2026-01-25
**Status:** Active
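The backup mechanism section 1.1 describes (rsync snapshots that hardlink unchanged files against the previous run, a `latest` pointer, `backup-info.txt`, 30-day retention, cron at 04:00), as an added example. This is not the page's `backup-immich-photos.sh`; the function names, the `YYYYMMDD_HHMMSS` snapshot naming, the `run` argument and the exact file layout are assumptions about how such a script could be written.

```shell
#!/bin/sh
# Added example, not the page's backup-immich-photos.sh: a snapshot backup in the
# shape section 1.1 describes (rsync hardlinking unchanged files against the
# previous snapshot, a "latest" pointer, backup-info.txt, 30-day retention).
# Paths, function names, the snapshot naming and the "run" argument are assumptions.
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-/mnt/backup/immich-photos}"
SOURCE_DIR="${SOURCE_DIR:-/home/phil/docker/immich-app/library/}"   # trailing slash: copy contents
RETENTION_DAYS="${RETENTION_DAYS:-30}"
LOG_FILE="${LOG_FILE:-/var/log/immich-photo-backup.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$LOG_FILE"; }

# make_snapshot ROOT SRC STAMP: mirror SRC into ROOT/STAMP. Files unchanged since
# the snapshot ROOT/latest points at are hardlinked rather than copied, so each
# extra snapshot costs only the changed bytes; --delete keeps it an exact mirror.
make_snapshot() {
  root=$1; src=$2; dest="$root/$3"
  mkdir -p "$dest"
  if [ -L "$root/latest" ]; then
    # --link-dest must be absolute: a relative path is taken relative to DEST
    rsync -a --delete --link-dest="$(readlink -f "$root/latest")" "$src" "$dest/"
  else
    rsync -a --delete "$src" "$dest/"
  fi
  printf 'snapshot=%s\nsource=%s\nfiles=%s\nfinished=%s\n' "$3" "$src" \
    "$(find "$dest" -type f | wc -l)" "$(date '+%Y-%m-%d %H:%M:%S')" \
    > "$dest/backup-info.txt"
}

# update_latest ROOT STAMP: repoint ROOT/latest at STAMP. -n stops ln from
# following the existing link into the old snapshot and creating latest/STAMP
# inside it. Prints the new target.
update_latest() {
  ln -sfn "$2" "$1/latest"
  readlink "$1/latest"
}

# prune_snapshots ROOT CUTOFF: remove snapshot dirs (YYYYMMDD_HHMMSS) whose date
# part is before CUTOFF (YYYYMMDD). The one "latest" points at is always kept,
# so a job that has been failing for weeks cannot empty the mount. Prints the
# names removed, one per line.
prune_snapshots() {
  root=$1; cutoff=$2; keep=""
  if [ -L "$root/latest" ]; then keep=$(basename "$(readlink "$root/latest")"); fi
  for d in "$root"/[0-9]*_[0-9]*; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    [ "$name" = "$keep" ] && continue
    if [ "${name%%_*}" -lt "$cutoff" ]; then
      rm -rf -- "$d"
      echo "$name"
    fi
  done
  return 0
}

main() {
  stamp=$(date +%Y%m%d_%H%M%S)
  cutoff=$(date -d "-${RETENTION_DAYS} days" +%Y%m%d)   # GNU date syntax
  log "start snapshot $stamp of $SOURCE_DIR"
  make_snapshot "$BACKUP_ROOT" "$SOURCE_DIR" "$stamp"
  update_latest "$BACKUP_ROOT" "$stamp" >/dev/null
  log "pruned: $(prune_snapshots "$BACKUP_ROOT" "$cutoff" | tr '\n' ' ')"
  log "done: $(tr '\n' ' ' < "$BACKUP_ROOT/$stamp/backup-info.txt")"
}

# Cron line for 04:00 host-local time (the host timezone must be Europe/Berlin
# for "German time"):  0 4 * * * /home/phil/docker/backup/backup-snapshot.sh run
# The explicit argument lets the functions be sourced and tested without
# starting a backup.
if [ "${1:-}" = run ]; then main; fi
```

Snapshots are pruned by the date in their directory name rather than by file mtime, so a snapshot whose contents were mostly hardlinked (and therefore carry old timestamps) is still judged by when it was taken; pruning runs only after `latest` has been repointed, so an rsync failure leaves the previous snapshot as the restore point.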
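The daily and weekly checks in section 3.1 (backup completion, containers running and healthy, disk space), as an added example script that runs them unattended and exits non-zero when something needs attention. It is not from the page; the thresholds, variable names and the 26-hour backup freshness window are assumptions, and `SAMPLE_PS` / `SAMPLE_DF` are constructed inputs, not output captured from the host.

```shell
#!/bin/sh
# Added example, not part of the page: the daily/weekly checks from section 3.1
# as an unattended script. Thresholds, variable names and the freshness window
# are assumptions; SAMPLE_PS and SAMPLE_DF are constructed inputs for "demo".
set -eu

BACKUP_LATEST="${BACKUP_LATEST:-/mnt/backup/latest}"
DISK_WARN_PCT="${DISK_WARN_PCT:-80}"
MAX_BACKUP_AGE_H="${MAX_BACKUP_AGE_H:-26}"   # daily job plus two hours of slack

# failing_containers: read `docker ps --format "table {{.Names}}\t{{.Status}}"`
# on stdin (docker pads the columns with spaces) and print the names whose
# status is not an "Up" or carries "(unhealthy)". Containers without a
# HEALTHCHECK show a plain "Up 3 days" and pass; "(health: starting)" is left
# alone to avoid noise right after a restart.
failing_containers() {
  awk -F'\t|  +' 'NR > 1 && ($2 !~ /^Up/ || $2 ~ /unhealthy/) { print $1 }'
}

# mounts_over THRESHOLD: read POSIX `df -P` output on stdin and print the mount
# points whose Use% is above THRESHOLD.
mounts_over() {
  awk -v limit="$1" 'NR > 1 { pct = $5; sub(/%/, "", pct); if (pct + 0 > limit) print $6 }'
}

# backup_is_fresh INFO_FILE MAX_AGE_H: succeed when INFO_FILE (written at the
# end of a backup run) is younger than MAX_AGE_H hours, i.e. last night's run
# finished.
backup_is_fresh() {
  [ -f "$1" ] || return 1
  now=$(date +%s)
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")   # GNU stat, then BSD
  [ $(( (now - mtime) / 3600 )) -lt "$2" ]
}

# report: run all three checks, print only findings, return 1 if there are any.
report() {
  rc=0
  bad=$(docker ps --format "table {{.Names}}\t{{.Status}}" | failing_containers)
  [ -z "$bad" ] || { echo "containers not healthy: $(echo "$bad" | tr '\n' ' ')"; rc=1; }
  full=$(df -P | mounts_over "$DISK_WARN_PCT")
  [ -z "$full" ] || { echo "filesystems over ${DISK_WARN_PCT}%: $(echo "$full" | tr '\n' ' ')"; rc=1; }
  backup_is_fresh "$BACKUP_LATEST/backup-info.txt" "$MAX_BACKUP_AGE_H" ||
    { echo "no backup younger than ${MAX_BACKUP_AGE_H}h at $BACKUP_LATEST"; rc=1; }
  return $rc
}

# Constructed sample input (not captured from the host) in the shape the two
# parsers expect.
SAMPLE_PS='NAMES                STATUS
gitea                Up 3 days (healthy)
immich_server        Up 5 hours (unhealthy)
netbird-management   Up 2 weeks
caddy                Restarting (1) 12 seconds ago
immich_redis         Exited (137) 2 hours ago'
SAMPLE_DF='Filesystem     1024-blocks      Used Available Capacity Mounted on
/dev/vda1       1000000000  55000000 945000000       6% /
/dev/vdb1        500000000 450000000  50000000      90% /mnt/backup'

# Cron mails any output, so silence means every check passed:
#   30 5 * * * /home/phil/docker/backup/daily-check.sh run
case "${1:-}" in
  run)  report ;;
  demo) printf '%s\n' "$SAMPLE_PS" | failing_containers
        printf '%s\n' "$SAMPLE_DF" | mounts_over "$DISK_WARN_PCT" ;;
esac
```

Run it with `demo` to see the parsers on the constructed sample (it prints `immich_server`, `caddy`, `immich_redis` and `/mnt/backup`), and with `run` from cron; the freshness check reads the mtime of `backup-info.txt`, which the backup script writes last, so a run that died halfway through is reported even though the log shows it started.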