# Hetzner Server (192.168.12.3) - Network Architecture

_Last updated: 2026-01-05_

This document describes the network architecture of the Hetzner server, including Docker networks, external connectivity, and Traefik routing configuration.

---

## Table of Contents

- [Server Information](#server-information)
- [Docker Networks](#docker-networks)
- [Traefik Configuration](#traefik-configuration)
- [Network Connectivity](#network-connectivity)
- [VPN Configuration](#vpn-configuration)
- [Port Mappings](#port-mappings)
- [Network Security](#network-security)
- [Network Troubleshooting](#network-troubleshooting)
- [DNS and Service Discovery](#dns-and-service-discovery)
- [Summary](#summary)

---

## Server Information

**Primary Details:**

- **IP Address:** 192.168.12.3
- **Hostname:** im
- **Role:** Secondary server / Finance automation server
- **Primary Network:** 192.168.12.0/24
- **Primary Server:** 192.168.1.251
- **Timezone:** America/New_York

**Network Interfaces:**

- **Local Network:** 192.168.12.x
- **Tailscale VPN:** Connected (advertises 192.168.12.3/32)
- **ProtonVPN:** Connected via Gluetun container

---

## Docker Networks

### External Networks

These networks are created outside of individual docker-compose files and shared across services.
#### traefik

- **Network ID:** 625b93d8e3a3
- **Driver:** bridge
- **Scope:** local
- **Purpose:** External reverse proxy network for Traefik routing

**Connected Containers:**

- matrix-ntfy
- matrix-bot-matrix-reminder-bot
- node-red
- authentik-server
- traefik-mod
- autoheal
- watchtower
- matrix-synapse
- matrix-client-element
- matrix-mautrix-signal
- matrix-traefik
- mariadb-secondary
- matrix-mautrix-whatsapp
- matrix-synapse-admin
- matrix-static-files
- matrix-grafana
- matrix-heisenbridge
- matrix-mautrix-telegram
- matrix-bot-maubot
- matrix-prometheus-node-exporter
- matrix-mautrix-gmessages

**Notes:**

- Primary network for services exposed via the Traefik reverse proxy
- Managed by the Matrix Traefik instance (matrix-traefik container)
- Allows containers to be discovered and routed by Traefik
- Most user-facing services connect to this network
- A Docker bridge network has no isolation between its members: every container listed here can open connections to every other one directly (for example to mariadb-secondary on 3306), not only through Traefik

---

### Service-Specific Networks

These networks are created by individual docker-compose files for service isolation.

#### authentik_authentik-internal

- **Network ID:** 5727fa0d4618
- **Driver:** bridge
- **Scope:** local
- **Purpose:** Internal network for Authentik components

**Connected Containers:**

- authentik-postgres
- authentik-redis
- authentik-server
- authentik-worker

**Configuration:**

```yaml
networks:
  authentik-internal:
    driver: bridge
```

**Notes:**

- Isolates the Authentik database and Redis from other services
- Only authentik-server is attached to both authentik-internal and traefik, so postgres and redis are reachable only from the Authentik containers
- Provides security isolation for sensitive authentication data

---

#### firefly_default

- **Network ID:** 8fa8552adb14
- **Driver:** bridge
- **Scope:** local
- **Purpose:** Internal network for Firefly III components

**Connected Containers:**

- Firefly-REDIS
- Firefly-DB
- Firefly

**Configuration:**

```yaml
# Default network created by Docker Compose
```

**Notes:**

- Isolates the Firefly database and Redis from other services
- No connection to the traefik network (Firefly is exposed via a host port mapping instead)
- Application accessed via port 6182 on the host; because it bypasses Traefik it is not covered by Traefik's TLS termination or the Authentik middleware

---

#### gluetun_default

- **Network ID:** 6aaeffb0167d
- **Driver:** bridge
- **Scope:** local
- **Purpose:** Network for the Gluetun VPN container

**Connected Containers:**

- gluetun

**Configuration:**

```yaml
networks:
  default:
    driver: bridge
```

**Notes:**

- Isolated network for the VPN container
- Services reach Gluetun via its published host ports, not via a shared Docker network

---

#### socket-proxy_default

- **Network ID:** 1dca43845b4b
- **Driver:** bridge
- **Scope:** local
- **Purpose:** Network for the Docker Socket Proxy

**Connected Containers:**

- docker-proxy-portainer

**Configuration:**

```yaml
# Default network created by Docker Compose
```

**Notes:**

- Isolated network for the socket proxy
- The proxy port is published on 192.168.12.3:2376 only. That is the host's LAN address, not loopback, so the proxy is reachable from any host on 192.168.12.0/24 and from Tailscale peers that accept the advertised 192.168.12.3/32 route; it is not limited to this server itself

---

#### node-red_mqtt_network

- **Network ID:** 1b4125ad6adf
- **Driver:** bridge
- **Scope:** local
- **Purpose:** MQTT network for Node-RED (if configured)

**Connected Containers:**

- (Network exists but may not have active connections)

**Notes:**

- Created by the Node-RED docker-compose configuration
- Available for MQTT broker connectivity if needed

---

### Matrix/Synapse Networks

These networks are managed by the Matrix/Synapse stack (not part of `/volume1/docker/`).
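The isolation claims above (only authentik-server bridges authentik-internal and traefik; Firefly and the socket proxy are reached through host port mappings) can be checked against the live host rather than against this document. The script below is an added example, not part of the original runbook or of any project on this page: it reads the JSON that `docker inspect` prints and reports which containers sit on both the shared `traefik` network and a service-internal network, and every published host port with its bind address, separating wildcard binds (`0.0.0.0`, `::`, or the empty `HostIp` Docker records for `-p 3306:3306`) from binds to a single address such as `192.168.12.3`. The embedded sample is constructed: container and network names are taken from this document, while the container-side ports (`8080/tcp` for Firefly, `2375/tcp` for the socket proxy) are assumptions for illustration.

```python
"""Audit `docker inspect` output for the network-isolation properties in this document.

Live use:
    docker inspect $(docker ps -q) > containers.json
    python3 audit_docker_net.py containers.json
With no argument the constructed SAMPLE below is audited.
"""
import json
import sys

PROXY_NETWORKS = {"traefik"}            # the shared reverse-proxy network
WILDCARD_BINDS = {"", "0.0.0.0", "::"}  # Docker treats all three as "every interface"

# Constructed sample in the shape of `docker inspect`. Names come from the
# document; the container-side ports are illustrative assumptions.
SAMPLE = [
    {"Name": "/authentik-server",
     "HostConfig": {"PortBindings": {}},
     "NetworkSettings": {"Networks": {"traefik": {}, "authentik_authentik-internal": {}}}},
    {"Name": "/authentik-postgres",
     "HostConfig": {"PortBindings": {}},
     "NetworkSettings": {"Networks": {"authentik_authentik-internal": {}}}},
    {"Name": "/mariadb-secondary",
     "HostConfig": {"PortBindings": {"3306/tcp": [{"HostIp": "", "HostPort": "3306"}]}},
     "NetworkSettings": {"Networks": {"traefik": {}}}},
    {"Name": "/Firefly",
     "HostConfig": {"PortBindings": {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "6182"}]}},
     "NetworkSettings": {"Networks": {"firefly_default": {}}}},
    {"Name": "/docker-proxy-portainer",
     "HostConfig": {"PortBindings": {"2375/tcp": [{"HostIp": "192.168.12.3", "HostPort": "2376"}]}},
     "NetworkSettings": {"Networks": {"socket-proxy_default": {}}}},
]


def published_ports(container):
    """Return [(container_port, host_ip, host_port)] from HostConfig.PortBindings."""
    bindings = container["HostConfig"].get("PortBindings") or {}
    result = []
    for cport, binds in bindings.items():
        for b in binds or []:
            result.append((cport, b.get("HostIp", ""), b.get("HostPort", "")))
    return result


def audit(containers):
    """Build the report; keys are container names without the leading '/'."""
    report = {"bridging": {}, "wildcard_binds": {}, "address_binds": {}}
    for c in containers:
        name = c["Name"].lstrip("/")
        nets = set(c["NetworkSettings"]["Networks"])
        internal = sorted(nets - PROXY_NETWORKS)
        # A container on the proxy network *and* an internal network is the
        # only path from the proxy side into that internal network.
        if nets & PROXY_NETWORKS and internal:
            report["bridging"][name] = internal
        for cport, ip, hport in published_ports(c):
            mapping = f"{hport}->{cport}"
            if ip in WILDCARD_BINDS:
                report["wildcard_binds"].setdefault(name, []).append(mapping)
            else:
                report["address_binds"].setdefault(name, []).append(f"{ip}:{mapping}")
    return report


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            containers = json.load(f)
    else:
        containers = SAMPLE
    report = audit(containers)
    print("Containers bridging the proxy network into an internal network:")
    for name, nets in report["bridging"].items():
        print(f"  {name}: {', '.join(nets)}")
    print("Ports published on every host interface (LAN, Tailscale, ...):")
    for name, ports in report["wildcard_binds"].items():
        print(f"  {name}: {', '.join(ports)}")
    print("Ports published on a single address:")
    for name, ports in report["address_binds"].items():
        print(f"  {name}: {', '.join(ports)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it after any compose change: a new name under "bridging" means a container has been given a foot in both the proxy network and a database network, and a new wildcard bind means a port that was meant to stay internal is now listening on the LAN and Tailscale interfaces.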
#### matrix-homeserver

- **Network ID:** b25eb4ddfec5
- **Driver:** bridge
- **Purpose:** Core Matrix Synapse homeserver network

---

#### matrix-postgres

- **Network ID:** 79ae7a84c363
- **Driver:** bridge
- **Purpose:** PostgreSQL database network for Matrix

---

#### matrix-addons

- **Network ID:** c8e4deadb7ae
- **Driver:** bridge
- **Purpose:** Additional Matrix services (bridges, bots)

---

#### matrix-monitoring

- **Network ID:** d9dde3dc79f7
- **Driver:** bridge
- **Purpose:** Monitoring stack (Prometheus, Grafana)

---

#### matrix-coturn

- **Network ID:** dd3f25fa9305
- **Driver:** bridge
- **Purpose:** TURN/STUN server network

---

#### matrix-exim-relay

- **Network ID:** 08c1c12c82e1
- **Driver:** bridge
- **Purpose:** Email relay network

---

#### matrix-ntfy

- **Network ID:** 86cac270e021
- **Driver:** bridge
- **Purpose:** Notification service network

---

#### matrix-container-socket-proxy

- **Network ID:** 8d04b33c5a3a
- **Driver:** bridge
- **Purpose:** Docker socket proxy for Matrix services

---

### Special Network Modes

#### Host Network

**Container:** tailscale
**Mode:** host

```yaml
network_mode: "host"
```

**Notes:**

- Tailscale runs in host network mode for VPN routing
- Required for advertising routes and acting as an exit node
- Has full access to the host network stack, so nothing in the Docker network isolation above applies to this container

---

#### Bridge Network

- **Network ID:** be4fa4b56199
- **Driver:** bridge
- **Scope:** local
- **Purpose:** Default Docker bridge network

**Notes:**

- Standard Docker bridge network
- Generally not used by services (custom networks are used instead)

---

## Traefik Configuration

### Traefik Instance

- **Container:** matrix-traefik
- **Image:** traefik:v3.6.6
- **Networks:** traefik (external), matrix-homeserver, matrix-addons

**Ports (host → container):**

- 80 → 8080 (HTTP)
- 443 → 8443 (HTTPS, TCP)
- 443 → 8443 (HTTPS, UDP for HTTP/3)
- 8448 → 8448 (Matrix federation, TCP)
- 8448 → 8448 (Matrix federation, UDP)

**Purpose:**

- Reverse proxy for all web services
- SSL/TLS termination
- Automatic certificate management (Let's Encrypt)
- HTTP → HTTPS redirection
- Matrix federation endpoint

---

### Traefik Configuration Manager

- **Container:** traefik-mod
- **Domains:** tm.fails.me, tm.3ddbrewery.com
- **Port:** 5000
- **Middlewares:** secure-headers@file, authentik@file

**Purpose:**

- Web interface for managing the Traefik configuration
- Database-backed configuration (MariaDB)
- Automatic YAML generation
- Git version control for configuration changes

**Configuration File:** `/matrix/traefik/config/dyno.yml`

---

### Routed Services

Services exposed via the Traefik reverse proxy (a `-` in the Middlewares column means the router has no middleware, i.e. no forward auth and no extra headers):

| Service | Container | Domain(s) | Port | Middlewares |
|---------|-----------|-----------|------|-------------|
| Authentik | authentik-server | id.3ddbrewery.com, id.fails.me | 9000 | - |
| Traefik Manager | traefik-mod | tm.3ddbrewery.com, tm.fails.me | 5000 | secure-headers, authentik |
| Node-RED | node-red | node-het.3ddbrewery.com | 1880 | - |
| Matrix Synapse | matrix-synapse | (Matrix domains) | 8008 | - |
| Element | matrix-client-element | (Element domain) | 8080 | - |
| Synapse Admin | matrix-synapse-admin | (Admin domain) | 80 | - |
| Grafana | matrix-grafana | (Grafana domain) | 3000 | - |

**Notes:**

- All routed services use TLS with automatic certificate resolution
- Authentik provides SSO only for the services whose router carries the `authentik` middleware (currently the Traefik Manager)
- Some services have dual domains (3ddbrewery.com and fails.me)

---

## Network Connectivity

### Internal Connectivity

**Server-to-Server Communication:**

- **Primary Server:** 192.168.1.251
- **Connection Types:**
  - MariaDB replication (192.168.12.3:3306 ← 192.168.1.251:3306)
  - Tailscale VPN mesh
  - Standard network connectivity

**Database Replication:**

```
192.168.1.251 (Primary MariaDB)
        ↓ (replication)
192.168.12.3 (mariadb-secondary)
```

**Notification Flow:**

```
192.168.12.3 (Node-RED healthcheck failure)
        ↓ (HTTP webhook)
192.168.1.70:6741 (ntfy server)
```

---

### External Connectivity

**VPN Connections:**

1. **Tailscale VPN:**
   - **Container:** tailscale
   - **Hostname:** im-ts
   - **Advertised Route:** 192.168.12.3/32
   - **Accept Routes:** Yes
   - **Exit Node:** Yes
   - **Purpose:** Mesh VPN for remote access and inter-server connectivity

2. **ProtonVPN:**
   - **Container:** gluetun
   - **Provider:** ProtonVPN
   - **Locations:** Secaucus, Chicago, New York (United States)
   - **HTTP Proxy:** Port 38888
   - **Shadowsocks:** Port 38388 (TCP/UDP)
   - **Control Port:** 38000
   - **Purpose:** Privacy VPN with HTTP proxy

---

### Internet-Facing Services

**Public Ports:**

- **80 (HTTP):** Traefik (redirects to HTTPS)
- **443 (HTTPS):** Traefik reverse proxy (all web services)
- **8448:** Matrix federation

**Exposed Services:** Every web service routed by Traefik is reached over HTTPS (port 443) with automatic certificates. Several other services are published directly on host interfaces and bypass Traefik; see the Port Mappings section for the full list of listening ports and their bind addresses.

---

## VPN Configuration

### Tailscale Configuration

- **Container:** tailscale
- **Network Mode:** host
- **Device:** /dev/net/tun

**Environment:**

```yaml
TS_EXTRA_ARGS: --advertise-routes=192.168.12.3/32 --accept-routes=true --advertise-exit-node
TS_STATE_DIR: /var/lib/tailscale
TS_USERSPACE: false
TS_ACCEPT_ROUTES: true
```

**Capabilities:**

- Advertises this server (192.168.12.3/32) as a route
- Accepts routes from other Tailscale nodes
- Acts as an exit node for other Tailscale devices (their Internet traffic leaves from this server's address)
- Kernel-mode networking (not userspace)

**Purpose:**

- Secure remote access to services
- Mesh networking with other servers
- Encrypted communication between nodes

---

### ProtonVPN via Gluetun

- **Container:** gluetun
- **Provider:** ProtonVPN
- **Locations:** United States (Secaucus, Chicago, New York)

**Environment:**

```yaml
VPN_SERVICE_PROVIDER: protonvpn
SERVER_COUNTRIES: United States
SERVER_CITIES: Secaucus,Chicago,New York
VPN_PORT_FORWARDING_PROVIDER: protonvpn
HTTPPROXY: on
HTTPPROXY_LISTENING_ADDRESS: :38888
```

**Features:**

- HTTP proxy on port 38888 (accessible at 192.168.12.3:38888)
- Shadowsocks proxy on port 38388
- Port forwarding enabled
- DNS: 8.8.8.8
- Ad blocking enabled
- Malware blocking enabled
- Surveillance blocking enabled

**Resource Limits:**

- CPU: 0.10
- Memory Reservation: 15M

**Use Cases:**

- Applications requiring a VPN connection
- HTTP proxy for privacy-conscious traffic
- Shadowsocks for additional services

---

## Port Mappings

### Externally Accessible Ports

Services published on host interfaces (`0.0.0.0` means every interface of the host: LAN, Tailscale and any public address):

| Port | Protocol | Service | Container | Access |
|------|----------|---------|-----------|--------|
| 80 | TCP | HTTP (→ HTTPS) | matrix-traefik | 0.0.0.0 |
| 443 | TCP | HTTPS | matrix-traefik | 0.0.0.0 |
| 443 | UDP | HTTPS (HTTP/3) | matrix-traefik | 0.0.0.0 |
| 8448 | TCP | Matrix Federation | matrix-traefik | 0.0.0.0 |
| 8448 | UDP | Matrix Federation | matrix-traefik | 0.0.0.0 |
| 3306 | TCP | MariaDB | mariadb-secondary | 0.0.0.0 |
| 1880 | TCP | Node-RED | node-red | 0.0.0.0 |
| 6182 | TCP | Firefly III | Firefly | 0.0.0.0 |
| 2376 | TCP | Docker Socket Proxy | docker-proxy-portainer | 192.168.12.3 only |
| 38888 | TCP | HTTP Proxy | gluetun | 0.0.0.0 |
| 38388 | TCP/UDP | Shadowsocks | gluetun | 0.0.0.0 |
| 38000 | TCP | Gluetun Control | gluetun | 0.0.0.0 |
| 3478 | TCP/UDP | TURN/STUN | matrix-coturn | 0.0.0.0 |
| 5349 | TCP/UDP | TURNS/STUNS | matrix-coturn | 0.0.0.0 |
| 49152-49172 | UDP | TURN relay | matrix-coturn | 0.0.0.0 |

**Security Notes:**

- Web services are exposed through the Traefik reverse proxy (ports 80/443 only) and use HTTPS with automatic certificates
- The Docker Socket Proxy is bound to 192.168.12.3, the host's LAN address; that keeps it off public interfaces but leaves it reachable from every LAN host and from Tailscale peers that accept the 192.168.12.3/32 route
- MariaDB (3306), Node-RED (1880), Firefly III (6182) and the Gluetun HTTP proxy, Shadowsocks and control ports (38888, 38388, 38000) bypass Traefik and bind to 0.0.0.0, so they listen on the LAN and Tailscale interfaces without Traefik's TLS or the Authentik middleware. Whether they are also reachable from the Internet depends on the host firewall, which this document does not describe; note that Docker programs its own iptables rules for published ports, so host firewall rules that only filter the INPUT chain do not cover them (the DOCKER-USER chain does)
- The Gluetun control server API can query and change tunnel state; confirm whether this release requires authentication for it before leaving 38000 bound to 0.0.0.0

---

### Internal-Only Ports

These ports are only accessible within Docker networks:

| Port | Protocol | Service | Container | Network |
|------|----------|---------|-----------|---------|
| 5432 | TCP | PostgreSQL | authentik-postgres | authentik-internal |
| 6379 | TCP | Redis | authentik-redis | authentik-internal |
| 6379 | TCP | Redis | Firefly-REDIS | firefly_default |
| 3306 | TCP | MariaDB | Firefly-DB | firefly_default |
| 5000 | TCP | Traefik Manager | traefik-mod | traefik |
| 9000 | TCP | Authentik | authentik-server | traefik |
| 8080 | TCP | Watchtower | watchtower | traefik |

---

## Network Security

### Isolation Strategy

**Service Isolation:**

- Each application stack uses dedicated bridge networks
- Database and cache services are isolated from public networks
- Only web-facing services connect to the traefik network (plus mariadb-secondary, watchtower and autoheal, which are on it for the Traefik Manager and container management)

**Security Measures:**

- Docker Socket Proxy: limited permissions, bound to the host's LAN address only
- Read-only filesystems where applicable
- Capability dropping (`cap_drop: ALL` where possible)
- Security opt: `no-new-privileges` on most containers
- Tmpfs mounts for temporary storage
- Non-root users where possible

**Network Segmentation:**

```
Internet
   ↓
Traefik (443/80/8448)
   ↓
traefik network (bridge)
├─ authentik-server ←→ authentik-internal ←→ [postgres, redis]
├─ traefik-mod ←→ mariadb-secondary
├─ node-red
├─ matrix services
└─ watchtower, autoheal

Isolated Networks:
  firefly_default:      [Firefly ←→ Firefly-DB, Firefly-REDIS]
  gluetun_default:      [gluetun]
  socket-proxy_default: [docker-proxy-portainer]

Host Network:
  tailscale (VPN mesh)
```

---

## Network Troubleshooting

### Common Commands

**List all networks:**

```bash
docker network ls
```

**Inspect a network:**

```bash
docker network inspect traefik
docker network inspect authentik_authentik-internal
```

**Check container networking** (`<container>` is a placeholder for the container name):

```bash
docker inspect <container> | grep -A 20 Networks
```

**Test connectivity between containers** (both commands need `ping` or `nc` present in the source container's image):

```bash
# From one container to another
docker exec <container> ping <target-container>
docker exec <container> nc -zv <target-container> <port>
```

**Check Traefik routing:**

```bash
# Check Traefik logs
docker logs matrix-traefik

# Access the Traefik API. This only works if the API is enabled in Traefik's
# static configuration and its entrypoint is published; no 8080 port is listed
# for matrix-traefik in the Port Mappings table above.
curl http://192.168.12.3:8080/api/http/routers
```

**Test MariaDB replication:**

```bash
docker exec -it mariadb-secondary mysql -u root -p -e "SHOW REPLICA STATUS\G"
```

**Check VPN status:**

```bash
# Tailscale status
docker exec tailscale tailscale status

# Gluetun status (control server on port 38000)
curl http://192.168.12.3:38000/v1/openvpn/status
```

---

## DNS and Service Discovery

### Internal DNS

Docker's embedded DNS provides name resolution on user-defined networks (the default `bridge` network has none):

- Containers on the same user-defined network can resolve each other by container name
- Compose service names and any `aliases` declared under `networks:` resolve as well
- Custom hostnames are defined in docker-compose.yml
- A name only resolves from containers that share a network with the target; authentik-postgres, for example, is not resolvable from the traefik network

**Examples:**

- `authentik-server` can reach `authentik-postgres` via the hostname `postgresql`
- `Firefly` can reach `Firefly-DB` via the hostname `firefly-db`
- `traefik-mod` can reach `mariadb-secondary` by container name

### External DNS

Services exposed via Traefik use these domains:

- *.3ddbrewery.com (primary domain)
- *.fails.me (backup/alternative domain)

**DNS is managed externally** (not documented here).

---

## Summary

**Network Architecture Highlights:**

- **Primary Network:** 192.168.12.0/24
- **Docker Networks:** 18 total (1 external traefik network + 17 service-specific)
- **VPN Connectivity:** Tailscale (mesh VPN) + ProtonVPN (privacy VPN)
- **Reverse Proxy:** Traefik v3.6.6 (handles all HTTPS traffic)
- **Security:** Network isolation, limited port exposure, proxy-based access
- **Inter-server:** MariaDB replication from the primary server (192.168.1.251)
- **Management:** Database-backed Traefik configuration with web UI

**Key Features:**

- Dual VPN setup (Tailscale for access, ProtonVPN for privacy)
- Isolated networks for security
- Traefik reverse proxy for all web services
- Automatic SSL certificate management
- MariaDB replication for disaster recovery
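The Routed Services table and the `curl .../api/http/routers` check in the troubleshooting section are two views of the same thing: which routers exist, which hosts they match, whether they terminate TLS, and which middlewares they carry. The script below is an added example, not part of the original runbook or of the Traefik or traefik-mod projects: it consumes the JSON array Traefik's API returns from `/api/http/routers` (the `name`, `status`, `rule`, `entryPoints`, `tls`, `middlewares` and `service` fields of the Traefik v3 API) and reports, per enabled router, the Host names it serves and whether it lacks TLS, the `authentik@file` forward-auth middleware, or the `secure-headers@file` middleware. A finding is a statement about the configuration, not by itself a vulnerability; the Authentik router is exempted from the forward-auth check because it is the identity provider itself. The API URL is an assumption (the document publishes no API port, so the API must be enabled and reachable from wherever this runs); the embedded sample is constructed from the Routed Services table, with the router names, the entrypoint names `web`/`websecure`, the resolver name `le` and the HTTP redirect router assumed.

```python
"""Audit Traefik routers from /api/http/routers for TLS and middleware coverage.

Usage: python3 traefik_router_audit.py http://192.168.12.3:8080/api/http/routers
With no argument the constructed SAMPLE_ROUTERS below are audited.
"""
import json
import re
import sys
import urllib.request

FORWARD_AUTH = "authentik@file"
SECURE_HEADERS = "secure-headers@file"
# Services that are their own front door (the IdP) are not expected behind forward auth.
AUTH_EXEMPT_SERVICES = {"authentik"}

# Constructed sample mirroring this document's Routed Services table.
SAMPLE_ROUTERS = [
    {"name": "authentik@file", "status": "enabled", "service": "authentik",
     "rule": "Host(`id.3ddbrewery.com`) || Host(`id.fails.me`)",
     "entryPoints": ["websecure"], "tls": {"certResolver": "le"}, "middlewares": []},
    {"name": "traefik-mod@file", "status": "enabled", "service": "traefik-mod",
     "rule": "Host(`tm.3ddbrewery.com`) || Host(`tm.fails.me`)",
     "entryPoints": ["websecure"], "tls": {"certResolver": "le"},
     "middlewares": [SECURE_HEADERS, FORWARD_AUTH]},
    {"name": "node-red@file", "status": "enabled", "service": "node-red",
     "rule": "Host(`node-het.3ddbrewery.com`)",
     "entryPoints": ["websecure"], "tls": {"certResolver": "le"}, "middlewares": []},
    # Assumed plain-HTTP router that performs the HTTP -> HTTPS redirect.
    {"name": "http-catchall@file", "status": "enabled", "service": "noop@internal",
     "rule": "PathPrefix(`/`)", "entryPoints": ["web"],
     "middlewares": ["redirect-to-https@file"]},
]


def hosts_from_rule(rule):
    """Extract host names from Host(`a`) / Host(`a`, `b`) clauses of a router rule."""
    hosts = []
    for group in re.findall(r"Host\(([^)]*)\)", rule):
        hosts.extend(re.findall(r"`([^`]+)`", group))
    return hosts


def audit_routers(routers, secure_entrypoints=("websecure",)):
    """Return {router_name: [findings]} for enabled routers; an empty list is clean."""
    findings = {}
    for r in routers:
        if r.get("status") != "enabled":
            continue
        issues = []
        mws = r.get("middlewares") or []
        service = r.get("service", "").split("@")[0]
        on_secure = any(ep in secure_entrypoints for ep in r.get("entryPoints", []))
        if not on_secure:
            issues.append("plain_http_entrypoint")   # expected only for redirect routers
        elif "tls" not in r:
            issues.append("no_tls")                  # HTTPS entrypoint but no TLS block
        if on_secure and service not in AUTH_EXEMPT_SERVICES and FORWARD_AUTH not in mws:
            issues.append("no_forward_auth")
        if on_secure and SECURE_HEADERS not in mws:
            issues.append("no_secure_headers")
        findings[r["name"]] = issues
    return findings


def fetch_routers(url):
    """GET the router list from a running Traefik API (assumed URL, see usage)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def main(argv):
    routers = fetch_routers(argv[1]) if len(argv) > 1 else SAMPLE_ROUTERS
    by_name = {r["name"]: r for r in routers}
    for name, issues in audit_routers(routers).items():
        hosts = ", ".join(hosts_from_rule(by_name[name].get("rule", ""))) or "(no Host rule)"
        print(f"{name:22} {hosts:42} {', '.join(issues) or 'ok'}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample this lists the Traefik Manager as clean and Node-RED as having neither forward auth nor the secure-headers middleware, which is exactly what the Routed Services table says; the value of running it against the live API is catching routers that traefik-mod generated but that never made it into this document.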