maddox/silverbullet-notes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
silverbullet-notes/docs/servers/hetzner/.md
maddox 3dc0f4dacf Initial SilverBullet sync
2026-01-25 00:20:24 +00:00

665 lines
16 KiB
Markdown
Raw Permalink Blame History

# Hetzner Server (192.168.12.3) - Network Architecture
_Last updated: 2026-01-05_
This document describes the network architecture of the Hetzner server, including Docker networks, external connectivity, and Traefik routing configuration.
---
## Table of Contents
- [Server Information](#server-information)
- [Docker Networks](#docker-networks)
- [Traefik Configuration](#traefik-configuration)
- [Network Connectivity](#network-connectivity)
- [VPN Configuration](#vpn-configuration)
- [Port Mappings](#port-mappings)
---
## Server Information
**Primary Details:**
- **IP Address:** 192.168.12.3
- **Hostname:** im
- **Role:** Secondary server / Finance automation server
- **Primary Network:** 192.168.12.0/24
- **Primary Server:** 192.168.1.251
- **Timezone:** America/New_York
**Network Interfaces:**
- **Local Network:** 192.168.12.x
- **Tailscale VPN:** Connected (advertises 192.168.12.3/32)
- **ProtonVPN:** Connected via Gluetun container
---
## Docker Networks
### External Networks
These networks are created outside of individual docker-compose files and shared across services.
#### traefik
**Network ID:** 625b93d8e3a3
**Driver:** bridge
**Scope:** local
**Purpose:** External reverse proxy network for Traefik routing
**Connected Containers:**
- matrix-ntfy
- matrix-bot-matrix-reminder-bot
- node-red
- authentik-server
- traefik-mod
- autoheal
- watchtower
- matrix-synapse
- matrix-client-element
- matrix-mautrix-signal
- matrix-traefik
- mariadb-secondary
- matrix-mautrix-whatsapp
- matrix-synapse-admin
- matrix-static-files
- matrix-grafana
- matrix-heisenbridge
- matrix-mautrix-telegram
- matrix-bot-maubot
- matrix-prometheus-node-exporter
- matrix-mautrix-gmessages
**Notes:**
- Primary network for services exposed via Traefik reverse proxy
- Managed by Matrix Traefik instance (matrix-traefik container)
- Allows containers to be discovered and routed by Traefik
- Most user-facing services connect to this network
---
### Service-Specific Networks
These networks are created by individual docker-compose files for service isolation.
#### authentik_authentik-internal
**Network ID:** 5727fa0d4618
**Driver:** bridge
**Scope:** local
**Purpose:** Internal network for Authentik components
**Connected Containers:**
- authentik-postgres
- authentik-redis
- authentik-server
- authentik-worker
**Configuration:**
```yaml
networks:
authentik-internal:
driver: bridge
```
**Notes:**
- Isolates Authentik database and Redis from other services
- Only authentik-server has access to both internal and traefik networks
- Provides security isolation for sensitive authentication data
---
#### firefly_default
**Network ID:** 8fa8552adb14
**Driver:** bridge
**Scope:** local
**Purpose:** Internal network for Firefly III components
**Connected Containers:**
- Firefly-REDIS
- Firefly-DB
- Firefly
**Configuration:**
```yaml
# Default network created by Docker Compose
```
**Notes:**
- Isolates Firefly database and Redis from other services
- No connection to traefik network (Firefly exposed via port mapping)
- Application accessed via port 6182
---
#### gluetun_default
**Network ID:** 6aaeffb0167d
**Driver:** bridge
**Scope:** local
**Purpose:** Network for Gluetun VPN container
**Connected Containers:**
- gluetun
**Configuration:**
```yaml
networks:
default:
driver: bridge
```
**Notes:**
- Isolated network for VPN container
- Services access Gluetun via exposed ports, not network connection
---
#### socket-proxy_default
**Network ID:** 1dca43845b4b
**Driver:** bridge
**Scope:** local
**Purpose:** Network for Docker Socket Proxy
**Connected Containers:**
- docker-proxy-portainer
**Configuration:**
```yaml
# Default network created by Docker Compose
```
**Notes:**
- Isolated network for socket proxy
- Access restricted by binding to 192.168.12.3:2376 only
---
#### node-red_mqtt_network
**Network ID:** 1b4125ad6adf
**Driver:** bridge
**Scope:** local
**Purpose:** MQTT network for Node-RED (if configured)
**Connected Containers:**
- (Network exists but may not have active connections)
**Notes:**
- Created by Node-RED docker-compose configuration
- Available for MQTT broker connectivity if needed
---
### Matrix/Synapse Networks
These networks are managed by the Matrix/Synapse stack (not part of `/volume1/docker/`).
#### matrix-homeserver
**Network ID:** b25eb4ddfec5
**Driver:** bridge
**Purpose:** Core Matrix Synapse homeserver network
---
#### matrix-postgres
**Network ID:** 79ae7a84c363
**Driver:** bridge
**Purpose:** PostgreSQL database network for Matrix
---
#### matrix-addons
**Network ID:** c8e4deadb7ae
**Driver:** bridge
**Purpose:** Additional Matrix services (bridges, bots)
---
#### matrix-monitoring
**Network ID:** d9dde3dc79f7
**Driver:** bridge
**Purpose:** Monitoring stack (Prometheus, Grafana)
---
#### matrix-coturn
**Network ID:** dd3f25fa9305
**Driver:** bridge
**Purpose:** TURN/STUN server network
---
#### matrix-exim-relay
**Network ID:** 08c1c12c82e1
**Driver:** bridge
**Purpose:** Email relay network
---
#### matrix-ntfy
**Network ID:** 86cac270e021
**Driver:** bridge
**Purpose:** Notification service network
---
#### matrix-container-socket-proxy
**Network ID:** 8d04b33c5a3a
**Driver:** bridge
**Purpose:** Docker socket proxy for Matrix services
---
### Special Network Modes
#### Host Network
**Container:** tailscale
**Mode:** host
```yaml
network_mode: "host"
```
**Notes:**
- Tailscale runs in host network mode for VPN routing
- Required for advertising routes and acting as exit node
- Has full access to host network stack
---
#### Bridge Network
**Network ID:** be4fa4b56199
**Driver:** bridge
**Scope:** local
**Purpose:** Default Docker bridge network
**Notes:**
- Standard Docker bridge network
- Generally not used by services (use custom networks instead)
---
## Traefik Configuration
### Traefik Instance
**Container:** matrix-traefik
**Image:** traefik:v3.6.6
**Network:** traefik (external), matrix-homeserver, matrix-addons
**Ports:**
- 80 → 8080 (HTTP)
- 443 → 8443 (HTTPS/TCP)
- 443 → 8443 (HTTPS/UDP for HTTP/3)
- 8448 → 8448 (Matrix federation/TCP)
- 8448 → 8448 (Matrix federation/UDP)
**Purpose:**
- Reverse proxy for all services
- SSL/TLS termination
- Automatic certificate management (Let's Encrypt)
- HTTP → HTTPS redirection
- Matrix federation endpoint
---
### Traefik Configuration Manager
**Container:** traefik-mod
**Domains:** tm.fails.me, tm.3ddbrewery.com
**Port:** 5000
**Middlewares:** secure-headers@file, authentik@file
**Purpose:**
- Web interface for managing Traefik configuration
- Database-backed configuration (MariaDB)
- Automatic YAML generation
- Git version control for configuration changes
**Configuration File:** `/matrix/traefik/config/dyno.yml`
---
### Routed Services
Services exposed via Traefik reverse proxy:
| Service | Container | Domain(s) | Port | Middlewares |
|---------|-----------|-----------|------|-------------|
| Authentik | authentik-server | id.3ddbrewery.com, id.fails.me | 9000 | - |
| Traefik Manager | traefik-mod | tm.3ddbrewery.com, tm.fails.me | 5000 | secure-headers, authentik |
| Node-RED | node-red | node-het.3ddbrewery.com | 1880 | - |
| Matrix Synapse | matrix-synapse | (Matrix domains) | 8008 | - |
| Element | matrix-client-element | (Element domain) | 8080 | - |
| Synapse Admin | matrix-synapse-admin | (Admin domain) | 80 | - |
| Grafana | matrix-grafana | (Grafana domain) | 3000 | - |
**Notes:**
- All services use TLS with automatic certificate resolution
- Authentik provides SSO for selected services
- Some services have dual domains (3ddbrewery.com and fails.me)
---
## Network Connectivity
### Internal Connectivity
**Server-to-Server Communication:**
- **Primary Server:** 192.168.1.251
- **Connection Type:**
- MariaDB replication (192.168.12.3:3306 ← 192.168.1.251:3306)
- Tailscale VPN mesh
- Standard network connectivity
**Database Replication:**
```
192.168.1.251 (Primary MariaDB)
↓ (replication)
192.168.12.3 (mariadb-secondary)
```
**Notification Flow:**
```
192.168.12.3 (Node-RED healthcheck failure)
↓ (HTTP webhook)
192.168.1.70:6741 (ntfy server)
```
---
### External Connectivity
**VPN Connections:**
1. **Tailscale VPN:**
- **Container:** tailscale
- **Hostname:** im-ts
- **Advertised Route:** 192.168.12.3/32
- **Accept Routes:** Yes
- **Exit Node:** Yes
- **Purpose:** Mesh VPN for remote access and inter-server connectivity
2. **ProtonVPN:**
- **Container:** gluetun
- **Provider:** ProtonVPN
- **Locations:** Secaucus, Chicago, New York (United States)
- **HTTP Proxy:** Port 38888
- **Shadowsocks:** Port 38388 (TCP/UDP)
- **Control Port:** 38000
- **Purpose:** Privacy VPN with HTTP proxy
---
### Internet-Facing Services
**Public Ports:**
- **80 (HTTP):** Traefik (redirects to HTTPS)
- **443 (HTTPS):** Traefik reverse proxy (all web services)
- **8448:** Matrix federation
**Exposed Services:**
All services are exposed via HTTPS (port 443) through Traefik reverse proxy with automatic SSL certificates.
---
## VPN Configuration
### Tailscale Configuration
**Container:** tailscale
**Network Mode:** host
**Device:** /dev/net/tun
**Environment:**
```yaml
TS_EXTRA_ARGS: --advertise-routes=192.168.12.3/32 --accept-routes=true --advertise-exit-node
TS_STATE_DIR: /var/lib/tailscale
TS_USERSPACE: false
TS_ACCEPT_ROUTES: true
```
**Capabilities:**
- Advertises this server (192.168.12.3/32) as a route
- Accepts routes from other Tailscale nodes
- Acts as exit node for other Tailscale devices
- Kernel-mode networking (not userspace)
**Purpose:**
- Secure remote access to services
- Mesh networking with other servers
- Encrypted communication between nodes
---
### ProtonVPN via Gluetun
**Container:** gluetun
**Provider:** ProtonVPN
**Locations:** United States (Secaucus, Chicago, New York)
**Environment:**
```yaml
VPN_SERVICE_PROVIDER: protonvpn
SERVER_COUNTRIES: United States
SERVER_CITIES: Secaucus,Chicago,New York
VPN_PORT_FORWARDING_PROVIDER: protonvpn
HTTPPROXY: on
HTTPPROXY_LISTENING_ADDRESS: :38888
```
**Features:**
- HTTP proxy on port 38888 (accessible at 192.168.12.3:38888)
- Shadowsocks proxy on port 38388
- Port forwarding enabled
- DNS: 8.8.8.8
- Ad blocking enabled
- Malware blocking enabled
- Surveillance blocking enabled
**Resource Limits:**
- CPU: 0.10
- Memory Reservation: 15M
**Use Cases:**
- Applications requiring VPN connection
- HTTP proxy for privacy-conscious traffic
- Shadowsocks for additional services
---
## Port Mappings
### Externally Accessible Ports
Services exposed on host interfaces:
| Port | Protocol | Service | Container | Access |
|------|----------|---------|-----------|--------|
| 80 | TCP | HTTP (→ HTTPS) | matrix-traefik | 0.0.0.0 |
| 443 | TCP | HTTPS | matrix-traefik | 0.0.0.0 |
| 443 | UDP | HTTPS (HTTP/3) | matrix-traefik | 0.0.0.0 |
| 8448 | TCP | Matrix Federation | matrix-traefik | 0.0.0.0 |
| 8448 | UDP | Matrix Federation | matrix-traefik | 0.0.0.0 |
| 3306 | TCP | MariaDB | mariadb-secondary | 0.0.0.0 |
| 1880 | TCP | Node-RED | node-red | 0.0.0.0 |
| 6182 | TCP | Firefly III | Firefly | 0.0.0.0 |
| 2376 | TCP | Docker Socket Proxy | docker-proxy-portainer | 192.168.12.3 only |
| 38888 | TCP | HTTP Proxy | gluetun | 0.0.0.0 |
| 38388 | TCP/UDP | Shadowsocks | gluetun | 0.0.0.0 |
| 38000 | TCP | Gluetun Control | gluetun | 0.0.0.0 |
| 3478 | TCP/UDP | TURN/STUN | matrix-coturn | 0.0.0.0 |
| 5349 | TCP/UDP | TURNS/STUNS | matrix-coturn | 0.0.0.0 |
| 49152-49172 | UDP | TURN relay | matrix-coturn | 0.0.0.0 |
**Security Notes:**
- Most services exposed via Traefik reverse proxy (ports 80/443 only)
- Docker Socket Proxy restricted to 192.168.12.3 (private IP only)
- Direct port exposure limited to essential services
- All web services use HTTPS with automatic certificates
---
### Internal-Only Ports
These ports are only accessible within Docker networks:
| Port | Protocol | Service | Container | Network |
|------|----------|---------|-----------|---------|
| 5432 | TCP | PostgreSQL | authentik-postgres | authentik-internal |
| 6379 | TCP | Redis | authentik-redis | authentik-internal |
| 6379 | TCP | Redis | Firefly-REDIS | firefly_default |
| 3306 | TCP | MariaDB | Firefly-DB | firefly_default |
| 5000 | TCP | Traefik Manager | traefik-mod | traefik |
| 9000 | TCP | Authentik | authentik-server | traefik |
| 8080 | TCP | Watchtower | watchtower | traefik |
---
## Network Security
### Isolation Strategy
**Service Isolation:**
- Each application stack uses dedicated bridge networks
- Database and cache services isolated from public networks
- Only web-facing services connect to traefik network
**Security Measures:**
- Docker Socket Proxy: Limited permissions, bind to private IP only
- Read-only filesystems where applicable
- Capability dropping (cap_drop: ALL where possible)
- Security opt: no-new-privileges on most containers
- Tmpfs mounts for temporary storage
- Non-root users where possible
**Network Segmentation:**
```
Internet
Traefik (443/80/8448)
traefik network (bridge)
├─ authentik-server ←→ authentik-internal ←→ [postgres, redis]
├─ traefik-mod ←→ mariadb-secondary
├─ node-red
├─ matrix services
└─ watchtower, autoheal
Isolated Networks:
firefly_default: [Firefly ←→ Firefly-DB, Firefly-REDIS]
gluetun_default: [gluetun]
socket-proxy_default: [docker-proxy-portainer]
Host Network:
tailscale (VPN mesh)
```
---
## Network Troubleshooting
### Common Commands
**List all networks:**
```bash
docker network ls
```
**Inspect a network:**
```bash
docker network inspect traefik
docker network inspect authentik_authentik-internal
```
**Check container networking:**
```bash
docker inspect <container-name> | grep -A 20 Networks
```
**Test connectivity between containers:**
```bash
# From one container to another
docker exec <source-container> ping <target-container>
docker exec <source-container> nc -zv <target-container> <port>
```
**Check Traefik routing:**
```bash
# Check Traefik logs
docker logs matrix-traefik
# Access Traefik API (if enabled)
curl http://192.168.12.3:8080/api/http/routers
```
**Test MariaDB replication:**
```bash
docker exec -it mariadb-secondary mysql -u root -p -e "SHOW REPLICA STATUS\G"
```
**Check VPN status:**
```bash
# Tailscale status
docker exec tailscale tailscale status
# Gluetun status
curl http://192.168.12.3:38000/v1/openvpn/status
```
---
## DNS and Service Discovery
### Internal DNS
Docker provides automatic DNS resolution within networks:
- Containers can resolve each other by container name
- Container name = hostname by default
- Custom hostnames defined in docker-compose.yml
**Examples:**
- `authentik-server` can reach `authentik-postgres` via hostname `postgresql`
- `Firefly` can reach `Firefly-DB` via hostname `firefly-db`
- `traefik-mod` can reach `mariadb-secondary` by container name
### External DNS
Services exposed via Traefik use these domains:
- *.3ddbrewery.com (primary domain)
- *.fails.me (backup/alternative domain)
**DNS managed externally** (not documented here)
---
## Summary
**Network Architecture Highlights:**
- **Primary Network:** 192.168.12.0/24
- **Docker Networks:** 18 total (1 external traefik network + 17 service-specific)
- **VPN Connectivity:** Tailscale (mesh VPN) + ProtonVPN (privacy VPN)
- **Reverse Proxy:** Traefik v3.6.6 (handles all HTTPS traffic)
- **Security:** Network isolation, limited port exposure, proxy-based access
- **Inter-server:** MariaDB replication to primary server (192.168.1.251)
- **Management:** Database-backed Traefik configuration with web UI
**Key Features:**
- Dual VPN setup (Tailscale for access, ProtonVPN for privacy)
- Isolated networks for security
- Traefik reverse proxy for all web services
- Automatic SSL certificate management
- MariaDB replication for disaster recovery
Reference in a new issue View git blame Copy permalink