silverbullet-notes/docs/servers/hetzner/.md
2026-01-25 00:20:24 +00:00


Hetzner Server (192.168.12.3) - Network Architecture

Last updated: 2026-01-05

This document describes the network architecture of the Hetzner server, including Docker networks, external connectivity, and Traefik routing configuration.



Server Information

Primary Details:

  • IP Address: 192.168.12.3
  • Hostname: im
  • Role: Secondary server / Finance automation server
  • Primary Network: 192.168.12.0/24
  • Primary Server: 192.168.1.251
  • Timezone: America/New_York

Network Interfaces:

  • Local Network: 192.168.12.x
  • Tailscale VPN: Connected (advertises 192.168.12.3/32)
  • ProtonVPN: Connected via Gluetun container

Docker Networks

External Networks

These networks are created outside of individual docker-compose files and shared across services.

traefik

  • Network ID: 625b93d8e3a3
  • Driver: bridge
  • Scope: local
  • Purpose: External reverse proxy network for Traefik routing

Connected Containers:

  • matrix-ntfy
  • matrix-bot-matrix-reminder-bot
  • node-red
  • authentik-server
  • traefik-mod
  • autoheal
  • watchtower
  • matrix-synapse
  • matrix-client-element
  • matrix-mautrix-signal
  • matrix-traefik
  • mariadb-secondary
  • matrix-mautrix-whatsapp
  • matrix-synapse-admin
  • matrix-static-files
  • matrix-grafana
  • matrix-heisenbridge
  • matrix-mautrix-telegram
  • matrix-bot-maubot
  • matrix-prometheus-node-exporter
  • matrix-mautrix-gmessages

Notes:

  • Primary network for services exposed via Traefik reverse proxy
  • Managed by Matrix Traefik instance (matrix-traefik container)
  • Allows containers to be discovered and routed by Traefik
  • Most user-facing services connect to this network

Service-Specific Networks

These networks are created by individual docker-compose files for service isolation.

authentik_authentik-internal

  • Network ID: 5727fa0d4618
  • Driver: bridge
  • Scope: local
  • Purpose: Internal network for Authentik components

Connected Containers:

  • authentik-postgres
  • authentik-redis
  • authentik-server
  • authentik-worker

Configuration:

networks:
  authentik-internal:
    driver: bridge

Notes:

  • Isolates Authentik database and Redis from other services
  • Only authentik-server has access to both internal and traefik networks
  • Provides security isolation for sensitive authentication data

firefly_default

  • Network ID: 8fa8552adb14
  • Driver: bridge
  • Scope: local
  • Purpose: Internal network for Firefly III components

Connected Containers:

  • Firefly-REDIS
  • Firefly-DB
  • Firefly

Configuration:

# Default network created by Docker Compose

Notes:

  • Isolates Firefly database and Redis from other services
  • No connection to traefik network (Firefly exposed via port mapping)
  • Application accessed via port 6182

gluetun_default

  • Network ID: 6aaeffb0167d
  • Driver: bridge
  • Scope: local
  • Purpose: Network for Gluetun VPN container

Connected Containers:

  • gluetun

Configuration:

networks:
  default:
    driver: bridge

Notes:

  • Isolated network for VPN container
  • Services access Gluetun via exposed ports, not network connection

socket-proxy_default

  • Network ID: 1dca43845b4b
  • Driver: bridge
  • Scope: local
  • Purpose: Network for Docker Socket Proxy

Connected Containers:

  • docker-proxy-portainer

Configuration:

# Default network created by Docker Compose

Notes:

  • Isolated network for socket proxy
  • Access restricted by binding to 192.168.12.3:2376 only

node-red_mqtt_network

  • Network ID: 1b4125ad6adf
  • Driver: bridge
  • Scope: local
  • Purpose: MQTT network for Node-RED (if configured)

Connected Containers:

  • (Network exists but may not have active connections)

Notes:

  • Created by Node-RED docker-compose configuration
  • Available for MQTT broker connectivity if needed

Matrix/Synapse Networks

These networks are managed by the Matrix/Synapse stack (not part of /volume1/docker/).

matrix-homeserver

  • Network ID: b25eb4ddfec5
  • Driver: bridge
  • Purpose: Core Matrix Synapse homeserver network


matrix-postgres

  • Network ID: 79ae7a84c363
  • Driver: bridge
  • Purpose: PostgreSQL database network for Matrix


matrix-addons

  • Network ID: c8e4deadb7ae
  • Driver: bridge
  • Purpose: Additional Matrix services (bridges, bots)


matrix-monitoring

  • Network ID: d9dde3dc79f7
  • Driver: bridge
  • Purpose: Monitoring stack (Prometheus, Grafana)


matrix-coturn

  • Network ID: dd3f25fa9305
  • Driver: bridge
  • Purpose: TURN/STUN server network


matrix-exim-relay

  • Network ID: 08c1c12c82e1
  • Driver: bridge
  • Purpose: Email relay network


matrix-ntfy

  • Network ID: 86cac270e021
  • Driver: bridge
  • Purpose: Notification service network


matrix-container-socket-proxy

  • Network ID: 8d04b33c5a3a
  • Driver: bridge
  • Purpose: Docker socket proxy for Matrix services


Special Network Modes

Host Network

  • Container: tailscale
  • Mode: host

network_mode: "host"

Notes:

  • Tailscale runs in host network mode for VPN routing
  • Required for advertising routes and acting as exit node
  • Has full access to host network stack

Bridge Network

  • Network ID: be4fa4b56199
  • Driver: bridge
  • Scope: local
  • Purpose: Default Docker bridge network

Notes:

  • Standard Docker bridge network
  • Generally not used by services (use custom networks instead)

Traefik Configuration

Traefik Instance

  • Container: matrix-traefik
  • Image: traefik:v3.6.6
  • Networks: traefik (external), matrix-homeserver, matrix-addons

Ports (host → container):

  • 80 → 8080 (HTTP)
  • 443 → 8443 (HTTPS/TCP)
  • 443 → 8443 (HTTPS/UDP for HTTP/3)
  • 8448 → 8448 (Matrix federation/TCP)
  • 8448 → 8448 (Matrix federation/UDP)

Purpose:

  • Reverse proxy for all services
  • SSL/TLS termination
  • Automatic certificate management (Let's Encrypt)
  • HTTP → HTTPS redirection
  • Matrix federation endpoint

Traefik Configuration Manager

  • Container: traefik-mod
  • Domains: tm.fails.me, tm.3ddbrewery.com
  • Port: 5000
  • Middlewares: secure-headers@file, authentik@file

Purpose:

  • Web interface for managing Traefik configuration
  • Database-backed configuration (MariaDB)
  • Automatic YAML generation
  • Git version control for configuration changes

Configuration File: /matrix/traefik/config/dyno.yml


Routed Services

Services exposed via Traefik reverse proxy:

| Service | Container | Domain(s) | Port | Middlewares |
|---|---|---|---|---|
| Authentik | authentik-server | id.3ddbrewery.com, id.fails.me | 9000 | - |
| Traefik Manager | traefik-mod | tm.3ddbrewery.com, tm.fails.me | 5000 | secure-headers, authentik |
| Node-RED | node-red | node-het.3ddbrewery.com | 1880 | - |
| Matrix Synapse | matrix-synapse | (Matrix domains) | 8008 | - |
| Element | matrix-client-element | (Element domain) | 8080 | - |
| Synapse Admin | matrix-synapse-admin | (Admin domain) | 80 | - |
| Grafana | matrix-grafana | (Grafana domain) | 3000 | - |

Notes:

  • All services use TLS with automatic certificate resolution
  • Authentik provides SSO for selected services
  • Some services have dual domains (3ddbrewery.com and fails.me)

Network Connectivity

Internal Connectivity

Server-to-Server Communication:

  • Primary Server: 192.168.1.251
  • Connection Type:
    • MariaDB replication (192.168.12.3:3306 ← 192.168.1.251:3306)
    • Tailscale VPN mesh
    • Standard network connectivity

Database Replication:

192.168.1.251 (Primary MariaDB)
    ↓ (replication)
192.168.12.3 (mariadb-secondary)

Notification Flow:

192.168.12.3 (Node-RED healthcheck failure)
    ↓ (HTTP webhook)
192.168.1.70:6741 (ntfy server)

External Connectivity

VPN Connections:

  1. Tailscale VPN:

    • Container: tailscale
    • Hostname: im-ts
    • Advertised Route: 192.168.12.3/32
    • Accept Routes: Yes
    • Exit Node: Yes
    • Purpose: Mesh VPN for remote access and inter-server connectivity
  2. ProtonVPN:

    • Container: gluetun
    • Provider: ProtonVPN
    • Locations: Secaucus, Chicago, New York (United States)
    • HTTP Proxy: Port 38888
    • Shadowsocks: Port 38388 (TCP/UDP)
    • Control Port: 38000
    • Purpose: Privacy VPN with HTTP proxy

Internet-Facing Services

Public Ports:

  • 80 (HTTP): Traefik (redirects to HTTPS)
  • 443 (HTTPS): Traefik reverse proxy (all web services)
  • 8448: Matrix federation

Exposed Services: All services are exposed via HTTPS (port 443) through Traefik reverse proxy with automatic SSL certificates.


VPN Configuration

Tailscale Configuration

  • Container: tailscale
  • Network Mode: host
  • Device: /dev/net/tun

Environment:

TS_EXTRA_ARGS: --advertise-routes=192.168.12.3/32 --accept-routes=true --advertise-exit-node
TS_STATE_DIR: /var/lib/tailscale
TS_USERSPACE: false
TS_ACCEPT_ROUTES: true

Capabilities:

  • Advertises this server (192.168.12.3/32) as a route
  • Accepts routes from other Tailscale nodes
  • Acts as exit node for other Tailscale devices
  • Kernel-mode networking (not userspace)

Purpose:

  • Secure remote access to services
  • Mesh networking with other servers
  • Encrypted communication between nodes

ProtonVPN via Gluetun

  • Container: gluetun
  • Provider: ProtonVPN
  • Locations: United States (Secaucus, Chicago, New York)

Environment:

VPN_SERVICE_PROVIDER: protonvpn
SERVER_COUNTRIES: United States
SERVER_CITIES: Secaucus,Chicago,New York
VPN_PORT_FORWARDING_PROVIDER: protonvpn
HTTPPROXY: on
HTTPPROXY_LISTENING_ADDRESS: :38888

Features:

  • HTTP proxy on port 38888 (accessible at 192.168.12.3:38888)
  • Shadowsocks proxy on port 38388
  • Port forwarding enabled
  • DNS: 8.8.8.8
  • Ad blocking enabled
  • Malware blocking enabled
  • Surveillance blocking enabled

Resource Limits:

  • CPU: 0.10
  • Memory Reservation: 15M

Use Cases:

  • Applications requiring VPN connection
  • HTTP proxy for privacy-conscious traffic
  • Shadowsocks for additional services

Port Mappings

Externally Accessible Ports

Services exposed on host interfaces:

| Port | Protocol | Service | Container | Access |
|---|---|---|---|---|
| 80 | TCP | HTTP (→ HTTPS) | matrix-traefik | 0.0.0.0 |
| 443 | TCP | HTTPS | matrix-traefik | 0.0.0.0 |
| 443 | UDP | HTTPS (HTTP/3) | matrix-traefik | 0.0.0.0 |
| 8448 | TCP | Matrix Federation | matrix-traefik | 0.0.0.0 |
| 8448 | UDP | Matrix Federation | matrix-traefik | 0.0.0.0 |
| 3306 | TCP | MariaDB | mariadb-secondary | 0.0.0.0 |
| 1880 | TCP | Node-RED | node-red | 0.0.0.0 |
| 6182 | TCP | Firefly III | Firefly | 0.0.0.0 |
| 2376 | TCP | Docker Socket Proxy | docker-proxy-portainer | 192.168.12.3 only |
| 38888 | TCP | HTTP Proxy | gluetun | 0.0.0.0 |
| 38388 | TCP/UDP | Shadowsocks | gluetun | 0.0.0.0 |
| 38000 | TCP | Gluetun Control | gluetun | 0.0.0.0 |
| 3478 | TCP/UDP | TURN/STUN | matrix-coturn | 0.0.0.0 |
| 5349 | TCP/UDP | TURNS/STUNS | matrix-coturn | 0.0.0.0 |
| 49152-49172 | UDP | TURN relay | matrix-coturn | 0.0.0.0 |

Security Notes:

  • Most services exposed via Traefik reverse proxy (ports 80/443 only)
  • Docker Socket Proxy restricted to 192.168.12.3 (private IP only)
  • Direct port exposure limited to essential services
  • All web services use HTTPS with automatic certificates
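The Security Notes above say direct exposure is limited to essential services, while the port table lists MariaDB (3306), Node-RED (1880), Firefly (6182) and the Gluetun control, HTTP proxy and Shadowsocks ports bound to 0.0.0.0. The following script is an added example (not part of these notes) that makes that check repeatable: it parses the JSON printed by docker inspect and reports every host binding that is neither in the documented public set (80, 443, 8448 via Traefik) nor pinned to the private address 192.168.12.3. The sample data is constructed from the table; the container-side ports used for gluetun are assumed.

```python
"""Audit the host port bindings of Docker containers against the documented exposure.

Added example, not from the original notes. SAMPLE_INSPECT is constructed
to mirror the Port Mappings table; it is not real `docker inspect` output.
"""
import json
import subprocess

# Bindings that are meant to face the internet (all handled by Traefik)
PUBLIC_OK = {"80/tcp", "443/tcp", "443/udp", "8448/tcp", "8448/udp"}
# The only specific address a non-public binding is expected to use
PRIVATE_IP = "192.168.12.3"

# Constructed sample: only the fields the audit reads from `docker inspect`
SAMPLE_INSPECT = json.dumps([
    {"Name": "/matrix-traefik", "HostConfig": {"PortBindings": {
        "8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}],
        "8443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}],
        "8443/udp": [{"HostIp": "0.0.0.0", "HostPort": "443"}],
        "8448/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8448"}],
        "8448/udp": [{"HostIp": "0.0.0.0", "HostPort": "8448"}]}}},
    {"Name": "/mariadb-secondary", "HostConfig": {"PortBindings": {
        "3306/tcp": [{"HostIp": "0.0.0.0", "HostPort": "3306"}]}}},
    {"Name": "/docker-proxy-portainer", "HostConfig": {"PortBindings": {
        "2375/tcp": [{"HostIp": "192.168.12.3", "HostPort": "2376"}]}}},
    {"Name": "/gluetun", "HostConfig": {"PortBindings": {
        # Assumed container-side ports; an empty HostIp means "all interfaces"
        "8000/tcp": [{"HostIp": "", "HostPort": "38000"}],
        "8888/tcp": [{"HostIp": "0.0.0.0", "HostPort": "38888"}]}}},
])


def audit_bindings(inspect_json: str) -> list[dict]:
    """Return one finding per host binding that widens the documented exposure."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        bindings = (container.get("HostConfig") or {}).get("PortBindings") or {}
        for container_port, hosts in bindings.items():
            proto = container_port.split("/")[1]
            for host in hosts or []:
                # Docker writes "" (or omits HostIp) when the port is bound on every interface
                host_ip = host.get("HostIp") or "0.0.0.0"
                host_port = f"{host['HostPort']}/{proto}"
                binding = f"{host_ip}:{host_port}"
                if host_ip in ("0.0.0.0", "::"):
                    if host_port not in PUBLIC_OK:
                        findings.append({"container": name, "binding": binding,
                                         "issue": "listens on all interfaces outside the documented public set"})
                elif host_ip != PRIVATE_IP:
                    findings.append({"container": name, "binding": binding,
                                     "issue": "bound to an address other than the private IP"})
    return findings


def inspect_running_containers() -> str:
    """Collect `docker inspect` JSON for every running container (live use on the host)."""
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    if not ids:
        return "[]"
    return subprocess.check_output(["docker", "inspect", *ids], text=True)


if __name__ == "__main__":
    # Swap SAMPLE_INSPECT for inspect_running_containers() to audit the live host
    for finding in audit_bindings(SAMPLE_INSPECT):
        print(f"{finding['container']:<24} {finding['binding']:<26} {finding['issue']}")
```

Run against the sample, the audit reports 3306/tcp on mariadb-secondary and 38000/tcp and 38888/tcp on gluetun, and is silent on the Traefik ports and on the socket proxy, whose binding is pinned to 192.168.12.3. Ports that should stay reachable on all interfaces can be added to PUBLIC_OK as they are documented.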

Internal-Only Ports

These ports are only accessible within Docker networks:

| Port | Protocol | Service | Container | Network |
|---|---|---|---|---|
| 5432 | TCP | PostgreSQL | authentik-postgres | authentik-internal |
| 6379 | TCP | Redis | authentik-redis | authentik-internal |
| 6379 | TCP | Redis | Firefly-REDIS | firefly_default |
| 3306 | TCP | MariaDB | Firefly-DB | firefly_default |
| 5000 | TCP | Traefik Manager | traefik-mod | traefik |
| 9000 | TCP | Authentik | authentik-server | traefik |
| 8080 | TCP | Watchtower | watchtower | traefik |

Network Security

Isolation Strategy

Service Isolation:

  • Each application stack uses dedicated bridge networks
  • Database and cache services isolated from public networks
  • Only web-facing services connect to traefik network

Security Measures:

  • Docker Socket Proxy: Limited permissions, bind to private IP only
  • Read-only filesystems where applicable
  • Capability dropping (cap_drop: ALL where possible)
  • Security opt: no-new-privileges on most containers
  • Tmpfs mounts for temporary storage
  • Non-root users where possible

Network Segmentation:

Internet
   ↓
Traefik (443/80/8448)
   ↓
traefik network (bridge)
   ├─ authentik-server ←→ authentik-internal ←→ [postgres, redis]
   ├─ traefik-mod ←→ mariadb-secondary
   ├─ node-red
   ├─ matrix services
   └─ watchtower, autoheal

Isolated Networks:
   firefly_default: [Firefly ←→ Firefly-DB, Firefly-REDIS]
   gluetun_default: [gluetun]
   socket-proxy_default: [docker-proxy-portainer]

Host Network:
   tailscale (VPN mesh)
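The isolation strategy above rests on two membership rules: only web-facing services join the traefik network, and (per the Authentik notes) authentik-server is the only container that sits on both traefik and an internal network. The script below is an added example, not part of these notes, that verifies both rules from the JSON printed by docker network inspect. The sample networks are constructed from the membership lists in this document (container IDs and addresses are made up); the data-service name markers are an assumption.

```python
"""Check Docker network membership against the isolation strategy.

Added example, not from the original notes. SAMPLE_NETWORKS is constructed
in the shape of `docker network inspect` output from the membership lists
in this document; the IDs and addresses are invented.
"""
import json
import subprocess

PROXY_NET = "traefik"
# Assumed name fragments that identify database / cache containers
DATA_MARKERS = ("postgres", "redis", "mariadb", "-db")

SAMPLE_NETWORKS = json.dumps([
    {"Name": "traefik", "Containers": {
        "c1": {"Name": "authentik-server", "IPv4Address": "172.18.0.2/16"},
        "c2": {"Name": "traefik-mod", "IPv4Address": "172.18.0.3/16"},
        "c3": {"Name": "node-red", "IPv4Address": "172.18.0.4/16"},
        "c4": {"Name": "mariadb-secondary", "IPv4Address": "172.18.0.5/16"},
        "c5": {"Name": "watchtower", "IPv4Address": "172.18.0.6/16"}}},
    {"Name": "authentik_authentik-internal", "Containers": {
        "c1": {"Name": "authentik-server", "IPv4Address": "172.19.0.2/16"},
        "c6": {"Name": "authentik-postgres", "IPv4Address": "172.19.0.3/16"},
        "c7": {"Name": "authentik-redis", "IPv4Address": "172.19.0.4/16"},
        "c8": {"Name": "authentik-worker", "IPv4Address": "172.19.0.5/16"}}},
    {"Name": "firefly_default", "Containers": {
        "c9": {"Name": "Firefly", "IPv4Address": "172.20.0.2/16"},
        "c10": {"Name": "Firefly-DB", "IPv4Address": "172.20.0.3/16"},
        "c11": {"Name": "Firefly-REDIS", "IPv4Address": "172.20.0.4/16"}}},
])


def membership(network_inspect_json: str) -> dict[str, set[str]]:
    """Map each container name to the set of networks it is attached to."""
    attached: dict[str, set[str]] = {}
    for net in json.loads(network_inspect_json):
        # `Containers` is keyed by container ID; the name lives inside each entry
        for entry in (net.get("Containers") or {}).values():
            attached.setdefault(entry["Name"], set()).add(net["Name"])
    return attached


def dual_homed(attached: dict[str, set[str]], proxy_net: str = PROXY_NET) -> dict[str, list[str]]:
    """Containers that bridge the proxy network and at least one other network."""
    return {name: sorted(nets) for name, nets in attached.items()
            if proxy_net in nets and len(nets) > 1}


def data_services_on_proxy(attached: dict[str, set[str]], proxy_net: str = PROXY_NET) -> list[str]:
    """Database or cache containers reachable on the proxy-facing network."""
    return sorted(name for name, nets in attached.items()
                  if proxy_net in nets and any(m in name.lower() for m in DATA_MARKERS))


def inspect_all_networks() -> str:
    """Collect `docker network inspect` JSON for every network (live use on the host)."""
    ids = subprocess.check_output(["docker", "network", "ls", "-q"], text=True).split()
    return subprocess.check_output(["docker", "network", "inspect", *ids], text=True)


if __name__ == "__main__":
    # Swap SAMPLE_NETWORKS for inspect_all_networks() to check the live host
    attached = membership(SAMPLE_NETWORKS)
    for name, nets in dual_homed(attached).items():
        print(f"dual-homed on {PROXY_NET}: {name} -> {', '.join(nets)}")
    for name in data_services_on_proxy(attached):
        print(f"data service on {PROXY_NET}: {name}")
```

On the sample, the only dual-homed container is authentik-server, which matches the documented exception, and mariadb-secondary is reported as a data service on the proxy network because the membership list above places it there (it is what traefik-mod uses for its database-backed configuration). Whether that placement is acceptable is a design decision for this host; the check only makes it visible.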

Network Troubleshooting

Common Commands

List all networks:

docker network ls

Inspect a network:

docker network inspect traefik
docker network inspect authentik_authentik-internal

Check container networking:

docker inspect <container-name> | grep -A 20 Networks

Test connectivity between containers:

# From one container to another
docker exec <source-container> ping <target-container>
docker exec <source-container> nc -zv <target-container> <port>

Check Traefik routing:

# Check Traefik logs
docker logs matrix-traefik

# Access Traefik API (if enabled)
curl http://192.168.12.3:8080/api/http/routers

Test MariaDB replication:

docker exec -it mariadb-secondary mysql -u root -p -e "SHOW REPLICA STATUS\G"

Check VPN status:

# Tailscale status
docker exec tailscale tailscale status

# Gluetun status
curl http://192.168.12.3:38000/v1/openvpn/status

DNS and Service Discovery

Internal DNS

Docker provides automatic DNS resolution within networks:

  • Containers can resolve each other by container name
  • Container name = hostname by default
  • Custom hostnames defined in docker-compose.yml

Examples:

  • authentik-server can reach authentik-postgres via hostname postgresql
  • Firefly can reach Firefly-DB via hostname firefly-db
  • traefik-mod can reach mariadb-secondary by container name

External DNS

Services exposed via Traefik use these domains:

  • *.3ddbrewery.com (primary domain)
  • *.fails.me (backup/alternative domain)

DNS is managed externally (not documented here).


Summary

Network Architecture Highlights:

  • Primary Network: 192.168.12.0/24
  • Docker Networks: 18 total (1 external traefik network + 17 service-specific)
  • VPN Connectivity: Tailscale (mesh VPN) + ProtonVPN (privacy VPN)
  • Reverse Proxy: Traefik v3.6.6 (handles all HTTPS traffic)
  • Security: Network isolation, limited port exposure, proxy-based access
  • Inter-server: MariaDB replication to primary server (192.168.1.251)
  • Management: Database-backed Traefik configuration with web UI

Key Features:

  • Dual VPN setup (Tailscale for access, ProtonVPN for privacy)
  • Isolated networks for security
  • Traefik reverse proxy for all web services
  • Automatic SSL certificate management
  • MariaDB replication for disaster recovery