silverbullet-notes/docs/servers/hetzner/00-service-inventory.md
2026-01-25 00:20:24 +00:00

Hetzner Server (192.168.12.3) - Service Inventory

Last updated: 2026-01-05

This document provides a comprehensive inventory of all Docker services running on the Hetzner server at 192.168.12.3. The primary focus is on services managed via docker-compose files in /volume1/docker/.


Authentication & Identity Services

authentik

Multi-component identity provider with PostgreSQL and Redis backends.

authentik-postgres

Purpose: PostgreSQL database backend for Authentik identity provider

Technical Details:

  • Image: postgres:16-alpine
  • Container: authentik-postgres
  • Ports: 5432 (internal only)
  • Volumes:
    • ${AUTHENTIK_DATA_PATH}/postgres:/var/lib/postgresql/data
  • Network: authentik-internal
  • Watchtower: Enabled
  • Autoheal: Enabled

Dependencies:

  • Requires: None
  • Required by: authentik-server, authentik-worker

Notes:

  • Healthcheck: pg_isready command
  • Start period: 20s, interval: 30s
  • Part of internal authentik network

authentik-redis

Purpose: Redis cache and session storage for Authentik

Technical Details:

  • Image: redis:alpine
  • Container: authentik-redis
  • Ports: 6379 (internal only)
  • Volumes:
    • ${AUTHENTIK_DATA_PATH}/redis:/data
  • Network: authentik-internal
  • Watchtower: Enabled
  • Autoheal: Enabled

Dependencies:

  • Requires: None
  • Required by: authentik-server, authentik-worker

Notes:

  • Command: --save 60 1 --loglevel warning
  • Healthcheck: redis-cli ping | grep PONG
  • Persistence enabled with 60-second save interval

authentik-server

Purpose: Authentik identity provider server (SSO/OAuth2/SAML)

Technical Details:

  • Image: ghcr.io/goauthentik/server:latest
  • Container: authentik-server
  • Ports: 9000 (internal, exposed via Traefik)
  • Volumes:
    • ${AUTHENTIK_DATA_PATH}/media:/media
    • ${AUTHENTIK_DATA_PATH}/custom-templates:/templates
  • Networks: authentik-internal, traefik
  • Watchtower: Enabled
  • Autoheal: Enabled

Dependencies:

  • Requires: authentik-postgres (healthy), authentik-redis (healthy)
  • Required by: None

Traefik Configuration:

  • Domains: id.3ddbrewery.com, id.fails.me
  • Port: 9000
  • TLS: Enabled with certresolver

Notes:

  • SMTP configured for Gmail (xoppaw@gmail.com)
  • Command: server
  • Dual domain setup for redundancy

authentik-worker

Purpose: Authentik background worker for async tasks and outpost management

Technical Details:

  • Image: ghcr.io/goauthentik/server:latest
  • Container: authentik-worker
  • Ports: None
  • Volumes:
    • /var/run/docker.sock:/var/run/docker.sock
    • ${AUTHENTIK_DATA_PATH}/media:/media
    • ${AUTHENTIK_DATA_PATH}/custom-templates:/templates
    • ${AUTHENTIK_DATA_PATH}/certs:/certs
  • Network: authentik-internal
  • Watchtower: Enabled
  • Autoheal: Enabled

Dependencies:

  • Requires: authentik-postgres (healthy), authentik-redis (healthy)
  • Required by: None

Notes:

  • Runs as root with Docker socket access for outpost management
  • Command: worker
  • SMTP configured same as server

authelia (NOT CURRENTLY RUNNING)

Authentication and SSO proxy service with Redis backend.

Note: docker-compose.yml exists in /volume1/docker/authelia/ but containers are not currently running.

Configured containers:

  • authelia: Main authentication server (port 9091)
  • authelia_redis: Redis backend for session storage

Configured domains: auth.fails.me, auth.3ddbrewery.com


Infrastructure Services

mariadb-secondary

Purpose: MariaDB database server configured as read-only replica (replicates from 192.168.1.251)

Technical Details:

  • Image: mariadb:latest
  • Container: mariadb-secondary
  • Ports: 0.0.0.0:3306->3306/tcp (bound to all interfaces)
  • Volumes:
    • /volume1/docker/mariadb/databases:/var/lib/mysql
    • /volume1/docker/backup:/backup
    • /volume1/docker/mariadb/custom.cnf:/etc/mysql/my.cnf
    • /volume1/docker/mariadb/log/mysql:/var/log/mysql
  • Network: traefik
  • Watchtower: Enabled
  • Autoheal: Enabled

Resource Limits:

  • Memory Reservation: 60M
  • CPUs: 0.4

Dependencies:

  • Requires: None
  • Required by: traefik-mod

Notes:

  • Configured as read-only replica (server-id=2)
  • Replicates from primary server at 192.168.1.251
  • Contains node-staging database (does NOT replicate, isolated for testing)
  • Custom configuration in /volume1/docker/mariadb/custom.cnf
  • Healthcheck: TCP connection to port 3306
  • Logs stored in /volume1/docker/mariadb/log/mysql

gluetun

Purpose: VPN client using ProtonVPN with HTTP proxy capabilities

Technical Details:

  • Image: qmcgaw/gluetun:v3
  • Container: gluetun
  • Ports:
    • 0.0.0.0:38888->38888/tcp (HTTP proxy)
    • 0.0.0.0:38388->8388/tcp+udp (Shadowsocks)
    • 0.0.0.0:38000->8000/tcp (Gluetun control)
  • Volumes: None
  • Network: gluetun_default (bridge)
  • Watchtower: Enabled
  • Autoheal: Enabled

Resource Limits:

  • CPU: 0.10
  • Memory Reservation: 15M

Dependencies:

  • Requires: None
  • Required by: None

Notes:

  • Capabilities: NET_ADMIN, SYS_MODULE
  • Device: /dev/net/tun
  • VPN Provider: ProtonVPN
  • Server locations: Secaucus, Chicago, New York (United States)
  • HTTP proxy listening on port 38888
  • Ad, malware, and surveillance blocking enabled
  • Port forwarding enabled
  • DNS: 8.8.8.8

tailscale

Purpose: Tailscale mesh VPN client advertising routes for this server

Technical Details:

  • Image: tailscale/tailscale:latest
  • Container: tailscale
  • Hostname: im-ts
  • Ports: None (uses host network)
  • Volumes:
    • /dev/net/tun:/dev/net/tun
    • ./tailscale:/var/lib/tailscale
  • Network: host (network_mode: host)
  • Watchtower: Enabled
  • Autoheal: Enabled

Dependencies:

  • Requires: None
  • Required by: None

Notes:

  • Runs in privileged mode with host networking
  • Capabilities: net_admin, sys_module
  • Advertises routes: 192.168.12.3/32
  • Accepts routes from other nodes
  • Advertises as exit node
  • Userspace mode: false

docker-proxy-portainer

Purpose: Docker Socket Proxy for secure Docker API access (used by Portainer)

Technical Details:

  • Image: ghcr.io/tecnativa/docker-socket-proxy:0.3.0
  • Container: docker-proxy-portainer
  • Ports: 192.168.12.3:2376->2375/tcp (bound to private IP only)
  • Volumes:
    • /var/run/docker.sock:/var/run/docker.sock:ro
  • Network: socket-proxy_default (bridge)
  • Watchtower: Enabled
  • Autoheal: Enabled

Dependencies:

  • Requires: None
  • Required by: External Portainer instance

Security Configuration:

Enabled permissions:

  • CONTAINERS=1, IMAGES=1, NETWORKS=1, VOLUMES=1
  • INFO=1, EVENTS=1, PING=1, VERSION=1
  • POST=1, EXEC=1

Disabled for security:

  • AUTH=0, SECRETS=0, SWARM=0, CONFIGS=0
  • PLUGINS=0, DISTRIBUTION=0, NODES=0, SERVICES=0
  • SESSION=0, SYSTEM=0, TASKS=0, GRPC=0, BUILD=0, COMMIT=0

Notes:

  • Docker socket bind-mounted read-only (:ro); write access to the Docker API is governed by the POST/EXEC permissions listed above
  • Capabilities dropped: ALL
  • Tmpfs mounts for /run and /var/lib/haproxy
  • Security opt: no-new-privileges
  • Binds only to private IP (192.168.12.3)
  • Logging: 10MB max size, 3 files

traefik-mod

Purpose: Traefik configuration manager with MariaDB backend and Git version control

Technical Details:

  • Image: traefik-mod-traefik-mod (custom build)
  • Container: traefik-mod
  • Ports: 5000 (internal, exposed via Traefik)
  • Volumes:
    • /matrix/traefik/config/dyno.yml:/config/dyno.yml:rw
    • ./backups:/backups:rw
    • /var/run/docker.sock:/var/run/docker.sock:ro
  • Network: traefik
  • Watchtower: Disabled (commented out)
  • Autoheal: Enabled

Resource Limits:

  • CPU: 0.5
  • Memory Limit: 256M
  • Memory Reservation: 64M

Dependencies:

  • Requires: mariadb-secondary
  • Required by: None

Traefik Configuration:

  • Domains: tm.fails.me, tm.3ddbrewery.com
  • Port: 5000
  • Middlewares: secure-headers@file, authentik@file
  • TLS: Enabled with certresolver

Database Configuration:

  • Host: mariadb-secondary
  • Database: traefik_config
  • User: traefik_user

Notes:

  • Custom Flask application for managing Traefik configuration
  • Database-backed with YAML generation
  • Git version control enabled (local repository)
  • Backup retention: 30 days
  • Healthcheck: HTTP request to /health endpoint
  • UID/GID: 1000:1000

Application Services

firefly

Firefly III personal finance manager with MariaDB and Redis.

Firefly-REDIS

Purpose: Redis cache for Firefly III

Technical Details:

  • Image: redis:latest
  • Container: Firefly-REDIS
  • Hostname: firefly-redis
  • Ports: 6379 (internal only)
  • Volumes:
    • /volume1/docker/firefly/redis:/data:rw
  • Network: firefly_default (bridge)
  • Watchtower: Enabled
  • Autoheal: Enabled

Resource Limits:

  • Memory Limit: 128M
  • Memory Reservation: 50M
  • CPU Shares: 512

Dependencies:

  • Requires: None
  • Required by: Firefly

Notes:

  • Read-only filesystem
  • Runs as user 1000:1000
  • Security opt: no-new-privileges
  • Healthcheck: redis-cli ping
  • Logging: 10MB max, 3 files

Firefly-DB

Purpose: MariaDB database for Firefly III data

Technical Details:

  • Image: mariadb:11.3-jammy
  • Container: Firefly-DB
  • Hostname: firefly-db
  • Ports: 3306 (internal only)
  • Volumes:
    • /volume1/docker/firefly/db:/var/lib/mysql:rw
  • Network: firefly_default (bridge)
  • Watchtower: Enabled
  • Autoheal: Enabled

Resource Limits:

  • Memory Limit: 384M
  • Memory Reservation: 128M
  • CPU Shares: 768

Dependencies:

  • Requires: None
  • Required by: Firefly

Database Configuration:

  • Database: firefly
  • User: fireflyuser
  • Root Password: (configured in docker-compose.yml)

Notes:

  • InnoDB buffer pool: 128M
  • Security opt: no-new-privileges
  • Healthcheck: TCP connection to port 3306
  • Logging: 10MB max, 3 files

Firefly

Purpose: Firefly III personal finance manager (main application)

Technical Details:

  • Image: fireflyiii/core:version-6.2.21 (pinned version)
  • Container: Firefly
  • Hostname: firefly
  • Ports: 0.0.0.0:6182->8080/tcp (bound to all interfaces)
  • Volumes:
    • /volume1/docker/firefly/upload:/var/www/html/storage/upload:rw
  • Network: firefly_default (bridge)
  • Watchtower: Enabled
  • Autoheal: Enabled

Resource Limits:

  • Memory Limit: 768M
  • Memory Reservation: 256M
  • CPU Shares: 768

Dependencies:

  • Requires: Firefly-DB (started), Firefly-REDIS (healthy)
  • Required by: None

Homepage Integration:

Notes:

  • Pinned to version 6.2.21 (known working with automated transactions)
  • Environment from stack.env file
  • Security opt: no-new-privileges
  • Restart policy: on-failure (max 5 retries)
  • Healthcheck: curl to http://localhost:8080/
  • Logging: 10MB max, 3 files
  • STATIC_CRON_TOKEN in stack.env for automated tasks

node-red

Purpose: Node-RED automation platform for financial transaction automation

Technical Details:

  • Image: nodered/node-red:latest
  • Container: node-red
  • Hostname: node-red-het
  • Ports: 0.0.0.0:1880->1880/tcp (bound to all interfaces)
  • Volumes:
    • /volume1/docker/node-red:/data:rw
    • /home/maddox:/media:rw
  • Network: traefik
  • Watchtower: Enabled
  • Autoheal: Enabled

Dependencies:

  • Requires: None
  • Required by: None

Homepage Integration:

Notes:

  • Runs as user 1000:1000
  • Credential secret configured for flow encryption
  • Authentication: username/password configured
  • NPM cache and modules stored in /data
  • Custom healthcheck with ntfy notification on failure
  • Healthcheck interval: 120s, timeout: 60s, 4 retries
  • Mounts /home/maddox for file access

Utility Services

autoheal

Purpose: Monitors and automatically restarts unhealthy Docker containers

Technical Details:

  • Image: willfarrell/autoheal:latest
  • Container: autoheal
  • Ports: None
  • Volumes:
    • /var/run/docker.sock:/var/run/docker.sock
    • /volume1/docker/utils/autoheal:/config
  • Network: traefik
  • Watchtower: None (monitors itself)
  • Autoheal: Enabled (monitors itself)

Dependencies:

  • Requires: None
  • Required by: All containers with autoheal=true label

Configuration:

Notes:

  • Monitors all containers labeled with autoheal=true
  • Sends webhook notifications to ntfy on restart events
  • Has Docker socket access for container management
  • Not exposed via Traefik

watchtower

Purpose: Automatically updates Docker containers with new images

Technical Details:

  • Image: containrrr/watchtower:latest
  • Container: watchtower
  • Ports: 8080 (internal only)
  • Volumes:
    • /var/run/docker.sock:/var/run/docker.sock
    • /volume1/docker/utils/watchtower:/config
  • Network: traefik
  • Watchtower: Enabled (updates itself)
  • Autoheal: Enabled

Dependencies:

  • Requires: None
  • Required by: All containers with watchtower label

Configuration:

  • Label Enable: true (only updates labeled containers)
  • Cleanup: true (removes old images)
  • Poll Interval: 3600 seconds (1 hour)
  • Timeout: 30 seconds
  • Include Restarting: true
  • Include Stopped: false
  • Notifications: Email + ntfy

Email Notifications:

Webhook Notifications:

  • URL: ntfy://ntfy.3ddbrewery.com/watchtower-IM

Notes:

  • Only updates containers with com.centurylinklabs.watchtower.enable=true label
  • Rolling restart (one at a time)
  • Dual notifications: email and ntfy
  • Docker API version: 1.44
  • Not exposed via Traefik

Matrix/Synapse Containers

Note: These containers are part of the Matrix/Synapse stack managed separately (not in /volume1/docker/). Listed for completeness only.

Matrix/Synapse Container Names:

  • matrix-bot-matrix-reminder-bot
  • matrix-bot-maubot
  • matrix-client-element
  • matrix-container-socket-proxy
  • matrix-coturn
  • matrix-exim-relay
  • matrix-grafana
  • matrix-heisenbridge
  • matrix-mautrix-gmessages
  • matrix-mautrix-signal
  • matrix-mautrix-telegram
  • matrix-mautrix-whatsapp
  • matrix-ntfy
  • matrix-postgres
  • matrix-postgres-backup
  • matrix-prometheus
  • matrix-prometheus-node-exporter
  • matrix-prometheus-postgres-exporter
  • matrix-static-files
  • matrix-synapse
  • matrix-synapse-admin
  • matrix-traefik
  • matrix-traefik-certs-dumper

Total Matrix/Synapse Containers: 23