phil/vps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e1a528a5eed9be8d25d1f2a0ebccad7fa666b22
vps/docs/system-plan.md
service 1e1a528a5e Initial commit: VPS setup documentation 
Add comprehensive documentation for VPS setup and configuration including:
- Project instructions
- VPS1 starting point configuration
- VPS1 current state documentation
- VPS1 todo list

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-26 07:43:24 +01:00

312 lines
7.5 KiB
Markdown
Raw Blame History

# VPS1 System Setup Plan
## Overview
This document outlines the plan to configure vps1.phiiiil.de as a secure, Docker-based system running:
- **Immich** - Photo management (already deployed with 37GB of photos)
- **Netbird** - VPN management & reverse proxy (already deployed)
- **Gitea** - Git hosting (to be deployed)
## Current State Assessment
### What's Working
- All containers are healthy and running
- Netbird is configured with Caddy reverse proxy
- Immich has 37GB of photos stored
- DNS: *.vps1.phiiiil.de redirects to the host
- Docker Compose v5 installed
- 900GB disk space available
### Security Gaps Identified
1. No firewall (UFW) installed
2. No fail2ban for SSH protection
3. No automated backup system
4. Nextcloud has hardcoded passwords in compose file
5. No container monitoring
## Implementation Plan
### Phase 1: Security Hardening
#### 1.1 Install UFW Firewall
```bash
# Default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (current connection)
sudo ufw allow 22/tcp comment 'SSH'
# Allow HTTP/HTTPS for Caddy
sudo ufw allow 80/tcp comment 'Caddy HTTP'
sudo ufw allow 443/tcp comment 'Caddy HTTPS'
sudo ufw allow 443/udp comment 'Caddy HTTP3/QUIC'
# Allow Immich direct access (optional, via Caddy recommended)
sudo ufw allow 2283/tcp comment 'Immich Web UI'
# Enable firewall
sudo ufw enable
```
#### 1.2 Fail2ban for SSH Protection
```bash
# Install fail2ban
sudo apt update && sudo apt install -y fail2ban
# Create local configuration
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Configure SSH protection
sudo tee -a /etc/fail2ban/jail.local > /dev/null <<EOF
[sshd]
enabled = true
port = 22
maxretry = 3
bantime = 3600
findtime = 600
EOF
sudo systemctl enable --now fail2ban
```
#### 1.3 Secure Nextcloud Credentials
- Move Nextcloud credentials to `.env` file
- Use Docker secrets for sensitive data
- Rotate MariaDB passwords
### Phase 2: Gitea Deployment
#### 2.1 Architecture Decisions
**Questions for User:**
1. Database preference for Gitea?
- SQLite (simple, single file)
- PostgreSQL (better performance, can share with existing)
- MariaDB (separate instance)
2. Authentication integration?
- Local accounts only
- Integrate with Netbird/Zitadel OIDC
3. Storage requirements?
- Estimated repositories/users
- LFS support needed?
#### 2.2 Proposed Gitea Setup
**Location:** `/home/phil/docker/gitea/`
**Domain:** `git.phiiiil.de` (via Caddy reverse proxy)
**Services:**
- Gitea application container
- PostgreSQL database (separate or shared)
- Caddy reverse proxy entry
**Caddy Configuration Addition:**
```caddy
git.phiiiil.de {
import security_headers
reverse_proxy gitea:3000
}
```
**Basic docker-compose.yml:**
```yaml
services:
gitea:
image: gitea/gitea:latest
container_name: gitea
restart: unless-stopped
networks:
- netbird_netbird
ports:
- "2222:22" # SSH for git
volumes:
- gitea_data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
- GITEA__server__DOMAIN=git.phiiiil.de
- GITEA__server__ROOT_URL=https://git.phiiiil.de
- GITEA__server__SSH_PORT=2222
- GITEA__server__SSH_DOMAIN=git.phiiiil.de
depends_on:
- db
db:
image: postgres:16-alpine
container_name: gitea-db
restart: unless-stopped
networks:
- netbird_netbird
volumes:
- gitea_db_data:/var/lib/postgresql/data
environment:
- POSTGRES_DB=gitea
- POSTGRES_USER=gitea
- POSTGRES_PASSWORD=${DB_PASSWORD}
volumes:
gitea_data:
gitea_db_data:
networks:
netbird_netbird:
external: true
```
### Phase 3: Backup Strategy
#### 3.1 Backup Targets
- Immich photos (37GB) - Critical
- Immich database
- Netbird configuration & data
- Gitea repositories & database
- Nextcloud data
#### 3.2 Backup Solution Options
**Option A: Restic + rclone**
- Incremental backups
- Can backup to multiple destinations (S3, B2, local)
- Built-in encryption
- Automatic pruning
**Option B: Duplicity**
- Classic solution
- GPG encryption
- Supports various backends
**Option C: Custom rsync script**
- Simple
- Full backups only
- No built-in encryption
**Recommended:** Option A (Restic)
#### 3.3 Proposed Backup Script
```bash
#!/bin/bash
# Backup script for VPS1
# Immich database
docker exec immich_postgres pg_dump -U postgres immich | gzip > /backup/immich-db-$(date +%Y%m%d).sql.gz
# Netbird management data
docker run --rm -v netbird_netbird_management:/data -v /backup:/backup alpine tar czf /backup/netbird-$(date +%Y%m%d).tar.gz /data
# Restic snapshots
restic -r rclone:backup:vps1 backup /home/phil/docker
restic -r rclone:backup:vps1 forget --keep-daily 7 --keep-weekly 4 --keep-monthly 12
```
### Phase 4: Monitoring
#### 4.1 Container Monitoring
- **cAdvisor** - Container metrics
- **Node Exporter** - Host metrics
- **Grafana + Prometheus** - Dashboards (optional)
#### 4.2 Simple Monitoring (Recommended)
- Docker health checks
- Uptime monitoring via external service
- Email alerts on container failures
- Log aggregation with Loki (optional)
## File Structure
```
/home/phil/docker/
├── netbird/ # Existing - VPN management
├── immich-app/ # Existing - Photo management
├── nextcloud/ # Existing - File storage
├── gitea/ # NEW - Git hosting
│ ├── docker-compose.yml
│ ├── .env
│ └── Caddy-snippet.conf
└── backup/ # NEW - Backup scripts
├── backup.sh
├── restore.sh
└── restic/
```
## Caddy Unified Configuration
Update `/home/phil/docker/netbird/Caddyfile` to handle all services:
```caddy
{
debug
servers :80,:443 {
protocols h1 h2c h2 h3
}
}
(security_headers) {
header * {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
X-XSS-Protection "1; mode=block"
-Server
Referrer-Policy strict-origin-when-cross-origin
}
}
# Netbird Dashboard & API
nb.phiiiil.de, vps1.phiiiil.de {
import security_headers
# ... existing netbird routes ...
}
# Immich
immich.phiiiil.de {
import security_headers
reverse_proxy immich_server:2283
}
# Gitea
git.phiiiil.de {
import security_headers
reverse_proxy gitea:3000
}
# Nextcloud
nc.phiiiil.de {
# ... existing nextcloud config ...
}
```
## Implementation Order
1.**COMPLETED:** VPS Analysis
2.**COMPLETED:** Documentation created
3. **NEXT:** User approval of plan
4. **TODO:** Security hardening (UFW, fail2ban)
5. **TODO:** Gitea deployment (after user decisions)
6. **TODO:** Backup system setup
7. **TODO:** Monitoring setup
8. **TODO:** Final documentation update
## Questions for User
Before proceeding with Gitea deployment:
1. **Database for Gitea:** SQLite (simpler) or PostgreSQL (better)?
2. **Authentication:** Local accounts or integrate with Netbird OIDC?
3. **Git SSH access:** Use port 2222 or different port?
4. **Backup destination:** Where should backups be stored?
5. **Monitoring level:** Basic (health checks) or full (Grafana dashboards)?
## Risk Assessment
| Risk | Impact | Mitigation |
|------|--------|------------|
| Immich data loss | **CRITICAL** | Automated backups before any changes |
| Container downtime | Medium | Rollback procedures documented |
| Security breach | **HIGH** | UFW, fail2ban, regular updates |
| Disk space exhaustion | Medium | Monitor usage (900GB free) |
| DNS configuration issues | Low | Test DNS before service deployment |
Reference in New Issue View Git Blame Copy Permalink