silverbullet-notes/docs/servers/hetzner/00-service-inventory.md
2026-01-25 00:20:24 +00:00


# Hetzner Server (192.168.12.3) - Service Inventory

_Last updated: 2026-01-05_

This document provides a comprehensive inventory of all Docker services running on the Hetzner server at 192.168.12.3. The primary focus is on services managed via docker-compose files in `/volume1/docker/`.

---

## Table of Contents

- [Authentication & Identity Services](#authentication--identity-services)
- [Infrastructure Services](#infrastructure-services)
- [Application Services](#application-services)
- [Utility Services](#utility-services)
- [Matrix/Synapse Containers](#matrixsynapse-containers)

---
## Authentication & Identity Services

### authentik

Multi-component identity provider with PostgreSQL and Redis backends.

#### authentik-postgres

**Purpose:** PostgreSQL database backend for Authentik identity provider

**Technical Details:**
- **Image:** postgres:16-alpine
- **Container:** authentik-postgres
- **Ports:** 5432 (internal only)
- **Volumes:**
  - `${AUTHENTIK_DATA_PATH}/postgres:/var/lib/postgresql/data`
- **Network:** authentik-internal
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Dependencies:**
- **Requires:** None
- **Required by:** authentik-server, authentik-worker

**Notes:**
- Healthcheck: `pg_isready` command
- Start period: 20s, interval: 30s
- Part of internal authentik network

---

#### authentik-redis

**Purpose:** Redis cache and session storage for Authentik

**Technical Details:**
- **Image:** redis:alpine
- **Container:** authentik-redis
- **Ports:** 6379 (internal only)
- **Volumes:**
  - `${AUTHENTIK_DATA_PATH}/redis:/data`
- **Network:** authentik-internal
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Dependencies:**
- **Requires:** None
- **Required by:** authentik-server, authentik-worker

**Notes:**
- Command: `--save 60 1 --loglevel warning`
- Healthcheck: `redis-cli ping | grep PONG`
- Persistence enabled with 60-second save interval

---

#### authentik-server

**Purpose:** Authentik identity provider server (SSO/OAuth2/SAML)

**Technical Details:**
- **Image:** ghcr.io/goauthentik/server:latest
- **Container:** authentik-server
- **Ports:** 9000 (internal, exposed via Traefik)
- **Volumes:**
  - `${AUTHENTIK_DATA_PATH}/media:/media`
  - `${AUTHENTIK_DATA_PATH}/custom-templates:/templates`
- **Networks:** authentik-internal, traefik
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Dependencies:**
- **Requires:** authentik-postgres (healthy), authentik-redis (healthy)
- **Required by:** None

**Traefik Configuration:**
- **Domains:** id.3ddbrewery.com, id.fails.me
- **Port:** 9000
- **TLS:** Enabled with certresolver

**Notes:**
- SMTP configured for Gmail (xoppaw@gmail.com)
- Command: `server`
- Dual domain setup for redundancy

---

#### authentik-worker

**Purpose:** Authentik background worker for async tasks and outpost management

**Technical Details:**
- **Image:** ghcr.io/goauthentik/server:latest
- **Container:** authentik-worker
- **Ports:** None
- **Volumes:**
  - `/var/run/docker.sock:/var/run/docker.sock`
  - `${AUTHENTIK_DATA_PATH}/media:/media`
  - `${AUTHENTIK_DATA_PATH}/custom-templates:/templates`
  - `${AUTHENTIK_DATA_PATH}/certs:/certs`
- **Network:** authentik-internal
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Dependencies:**
- **Requires:** authentik-postgres (healthy), authentik-redis (healthy)
- **Required by:** None

**Notes:**
- Runs as root with read-write Docker socket access for outpost management; unrestricted socket access is equivalent to root on the host, so this container has to be treated as fully trusted
- Command: `worker`
- SMTP configured same as server

---

### authelia (NOT CURRENTLY RUNNING)

Authentication and SSO proxy service with Redis backend.

**Note:** docker-compose.yml exists in `/volume1/docker/authelia/` but containers are not currently running.

**Configured containers:**
- **authelia:** Main authentication server (port 9091)
- **authelia_redis:** Redis backend for session storage

**Configured domains:** auth.fails.me, auth.3ddbrewery.com

---
## Infrastructure Services

### mariadb-secondary

**Purpose:** MariaDB database server configured as read-only replica (replicates from 192.168.1.251)

**Technical Details:**
- **Image:** mariadb:latest
- **Container:** mariadb-secondary
- **Ports:** 0.0.0.0:3306->3306/tcp (all interfaces)
- **Volumes:**
  - `/volume1/docker/mariadb/databases:/var/lib/mysql`
  - `/volume1/docker/backup:/backup`
  - `/volume1/docker/mariadb/custom.cnf:/etc/mysql/my.cnf`
  - `/volume1/docker/mariadb/log/mysql:/var/log/mysql`
- **Network:** traefik
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Resource Limits:**
- **Memory Reservation:** 60M
- **CPUs:** 0.4

**Dependencies:**
- **Requires:** None
- **Required by:** traefik-mod

**Notes:**
- Configured as read-only replica (server-id=2)
- Replicates from primary server at 192.168.1.251
- Contains `node-staging` database (does NOT replicate, isolated for testing)
- Custom configuration in `/volume1/docker/mariadb/custom.cnf`
- Healthcheck: TCP connection to port 3306
- Logs stored in `/volume1/docker/mariadb/log/mysql`

---
### gluetun

**Purpose:** VPN client using ProtonVPN with HTTP proxy capabilities

**Technical Details:**
- **Image:** qmcgaw/gluetun:v3
- **Container:** gluetun
- **Ports:**
  - 0.0.0.0:38888->38888/tcp (HTTP proxy)
  - 0.0.0.0:38388->8388/tcp+udp (Shadowsocks)
  - 0.0.0.0:38000->8000/tcp (Gluetun control)
- **Volumes:** None
- **Network:** gluetun_default (bridge)
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Resource Limits:**
- **CPU:** 0.10
- **Memory Reservation:** 15M

**Dependencies:**
- **Requires:** None
- **Required by:** None

**Notes:**
- Capabilities: NET_ADMIN, SYS_MODULE
- Device: `/dev/net/tun`
- VPN Provider: ProtonVPN
- Server locations: Secaucus, Chicago, New York (United States)
- HTTP proxy listening on port 38888
- Ad, malware, and surveillance blocking enabled
- Port forwarding enabled
- DNS: 8.8.8.8

---
### tailscale

**Purpose:** Tailscale mesh VPN client advertising routes for this server

**Technical Details:**
- **Image:** tailscale/tailscale:latest
- **Container:** tailscale
- **Hostname:** im-ts
- **Ports:** None (uses host network)
- **Volumes:**
  - `/dev/net/tun:/dev/net/tun`
  - `./tailscale:/var/lib/tailscale`
- **Network:** host (network_mode: host)
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Dependencies:**
- **Requires:** None
- **Required by:** None

**Notes:**
- Runs in privileged mode with host networking
- Capabilities: net_admin, sys_module
- Advertises routes: 192.168.12.3/32
- Accepts routes from other nodes
- Advertises as exit node
- Userspace mode: false

---
### docker-proxy-portainer

**Purpose:** Docker Socket Proxy for secure Docker API access (used by Portainer)

**Technical Details:**
- **Image:** ghcr.io/tecnativa/docker-socket-proxy:0.3.0
- **Container:** docker-proxy-portainer
- **Ports:** 192.168.12.3:2376->2375/tcp (bound to private IP only)
- **Volumes:**
  - `/var/run/docker.sock:/var/run/docker.sock:ro`
- **Network:** socket-proxy_default (bridge)
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Dependencies:**
- **Requires:** None
- **Required by:** External Portainer instance

**Security Configuration:**

Enabled permissions:
- CONTAINERS=1, IMAGES=1, NETWORKS=1, VOLUMES=1
- INFO=1, EVENTS=1, PING=1, VERSION=1
- POST=1, EXEC=1

Disabled for security:
- AUTH=0, SECRETS=0, SWARM=0, CONFIGS=0
- PLUGINS=0, DISTRIBUTION=0, NODES=0, SERVICES=0
- SESSION=0, SYSTEM=0, TASKS=0, GRPC=0, BUILD=0, COMMIT=0

**Notes:**
- Read-only Docker socket access (the `:ro` bind mount protects the socket file itself; it does not restrict the API calls made through it, which is what the permission flags above are for)
- Capabilities dropped: ALL
- Tmpfs mounts for /run and /var/lib/haproxy
- Security opt: no-new-privileges
- Binds only to private IP (192.168.12.3)
- Logging: 10MB max size, 3 files
- Caveat: with CONTAINERS=1, POST=1 and EXEC=1 the proxied API can still create, start and exec into containers, so the proxy narrows the exposed endpoint set rather than making access low-privilege; the private-IP binding is the main access control for this port

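Several containers in this inventory mount the Docker socket with different hardening levels (this proxy: read-only, capabilities dropped, no-new-privileges, private-IP binding; authentik-worker, autoheal and watchtower: read-write). The following audit script is an added example, not part of this inventory or of any of the projects listed; it parses `docker inspect` JSON and flags the deviations from the hardening described in this section. The `audit_container` and `audit` names are hypothetical, and the sample records are constructed (the proxy's `User` value in particular is assumed, as the inventory does not state it).

```python
"""Audit `docker inspect` records for Docker-socket exposure.

Hypothetical helper, not part of the inventory. The sample records below are
constructed to mirror the docker-proxy-portainer and authentik-worker entries.
"""
import json

DOCKER_SOCK = "/var/run/docker.sock"


def audit_container(c: dict) -> list:
    """Return findings for one container record (empty list = hardened)."""
    host = c.get("HostConfig") or {}
    sec_opts = host.get("SecurityOpt") or []
    findings = []
    sock = [m for m in c.get("Mounts", []) if m.get("Source") == DOCKER_SOCK]
    if sock:  # checks that only matter when the socket is mounted at all
        if any(m.get("RW", True) for m in sock):
            findings.append("docker.sock mounted read-write")
        if not (c.get("Config") or {}).get("User"):
            findings.append("docker.sock reachable by root")
        if "ALL" not in (host.get("CapDrop") or []):
            findings.append("capabilities not dropped")
        if not any(o.startswith("no-new-privileges") for o in sec_opts):
            findings.append("no-new-privileges not set")
    if host.get("Privileged"):
        findings.append("privileged container")
    for port, binds in (host.get("PortBindings") or {}).items():
        if any(b.get("HostIp") in ("", "0.0.0.0", "::") for b in binds or []):
            findings.append(f"{port} published on all interfaces")
    return findings


def audit(inspect_json: str) -> dict:
    """Map container name -> findings for a `docker inspect $(docker ps -q)` dump."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


# Constructed sample (not real inspect output): a hardened socket proxy and a
# root worker with a read-write socket. The proxy's User value is assumed.
SAMPLE = json.dumps([
    {"Name": "/docker-proxy-portainer", "Config": {"User": "65534"},
     "Mounts": [{"Source": DOCKER_SOCK, "Destination": DOCKER_SOCK, "RW": False}],
     "HostConfig": {"CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges:true"],
                    "PortBindings": {"2375/tcp": [{"HostIp": "192.168.12.3", "HostPort": "2376"}]}}},
    {"Name": "/authentik-worker", "Config": {"User": ""},
     "Mounts": [{"Source": DOCKER_SOCK, "Destination": DOCKER_SOCK, "RW": True}],
     "HostConfig": {"CapDrop": [], "SecurityOpt": [], "PortBindings": {}}},
])
```

On the real host, feed it `docker inspect $(docker ps -q)` and expect an empty list only for containers hardened the way this proxy is.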
---
### traefik-mod

**Purpose:** Traefik configuration manager with MariaDB backend and Git version control

**Technical Details:**
- **Image:** traefik-mod-traefik-mod (custom build)
- **Container:** traefik-mod
- **Ports:** 5000 (internal, exposed via Traefik)
- **Volumes:**
  - `/matrix/traefik/config/dyno.yml:/config/dyno.yml:rw`
  - `./backups:/backups:rw`
  - `/var/run/docker.sock:/var/run/docker.sock:ro`
- **Network:** traefik
- **Watchtower:** Disabled (commented out)
- **Autoheal:** Enabled

**Resource Limits:**
- **CPU:** 0.5
- **Memory Limit:** 256M
- **Memory Reservation:** 64M

**Dependencies:**
- **Requires:** mariadb-secondary
- **Required by:** None

**Traefik Configuration:**
- **Domains:** tm.fails.me, tm.3ddbrewery.com
- **Port:** 5000
- **Middlewares:** secure-headers@file, authentik@file
- **TLS:** Enabled with certresolver

**Database Configuration:**
- **Host:** mariadb-secondary
- **Database:** traefik_config
- **User:** traefik_user

**Notes:**
- Custom Flask application for managing Traefik configuration
- Database-backed with YAML generation
- Git version control enabled (local repository)
- Backup retention: 30 days
- Healthcheck: HTTP request to /health endpoint
- UID/GID: 1000:1000

---
## Application Services

### firefly

Firefly III personal finance manager with MariaDB and Redis.

#### Firefly-REDIS

**Purpose:** Redis cache for Firefly III

**Technical Details:**
- **Image:** redis:latest
- **Container:** Firefly-REDIS
- **Hostname:** firefly-redis
- **Ports:** 6379 (internal only)
- **Volumes:**
  - `/volume1/docker/firefly/redis:/data:rw`
- **Network:** firefly_default (bridge)
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Resource Limits:**
- **Memory Limit:** 128M
- **Memory Reservation:** 50M
- **CPU Shares:** 512

**Dependencies:**
- **Requires:** None
- **Required by:** Firefly

**Notes:**
- Read-only filesystem
- Runs as user 1000:1000
- Security opt: no-new-privileges
- Healthcheck: `redis-cli ping`
- Logging: 10MB max, 3 files

---

#### Firefly-DB

**Purpose:** MariaDB database for Firefly III data

**Technical Details:**
- **Image:** mariadb:11.3-jammy
- **Container:** Firefly-DB
- **Hostname:** firefly-db
- **Ports:** 3306 (internal only)
- **Volumes:**
  - `/volume1/docker/firefly/db:/var/lib/mysql:rw`
- **Network:** firefly_default (bridge)
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Resource Limits:**
- **Memory Limit:** 384M
- **Memory Reservation:** 128M
- **CPU Shares:** 768

**Dependencies:**
- **Requires:** None
- **Required by:** Firefly

**Database Configuration:**
- **Database:** firefly
- **User:** fireflyuser
- **Root Password:** (configured in docker-compose.yml)

**Notes:**
- InnoDB buffer pool: 128M
- Security opt: no-new-privileges
- Healthcheck: TCP connection to port 3306
- Logging: 10MB max, 3 files

---

#### Firefly

**Purpose:** Firefly III personal finance manager (main application)

**Technical Details:**
- **Image:** fireflyiii/core:version-6.2.21 (pinned version)
- **Container:** Firefly
- **Hostname:** firefly
- **Ports:** 0.0.0.0:6182->8080/tcp (all interfaces)
- **Volumes:**
  - `/volume1/docker/firefly/upload:/var/www/html/storage/upload:rw`
- **Network:** firefly_default (bridge)
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Resource Limits:**
- **Memory Limit:** 768M
- **Memory Reservation:** 256M
- **CPU Shares:** 768

**Dependencies:**
- **Requires:** Firefly-DB (started), Firefly-REDIS (healthy)
- **Required by:** None

**Homepage Integration:**
- **Group:** Household
- **Name:** Firefly iii
- **URL:** https://f.3ddbrewery.com
- **Widget Type:** firefly
- **API Key:** (configured in labels)

**Notes:**
- Pinned to version 6.2.21 (known working with automated transactions)
- Environment from `stack.env` file
- Security opt: no-new-privileges
- Restart policy: on-failure (max 5 retries)
- Healthcheck: curl to http://localhost:8080/
- Logging: 10MB max, 3 files
- STATIC_CRON_TOKEN in stack.env for automated tasks

---
### node-red

**Purpose:** Node-RED automation platform for financial transaction automation

**Technical Details:**
- **Image:** nodered/node-red:latest
- **Container:** node-red
- **Hostname:** node-red-het
- **Ports:** 0.0.0.0:1880->1880/tcp (all interfaces)
- **Volumes:**
  - `/volume1/docker/node-red:/data:rw`
  - `/home/maddox:/media:rw`
- **Network:** traefik
- **Watchtower:** Enabled
- **Autoheal:** Enabled

**Dependencies:**
- **Requires:** None
- **Required by:** None

**Homepage Integration:**
- **Group:** Household
- **Name:** Node-Red (Het)
- **URL:** https://node-het.3ddbrewery.com
- **Description:** Node red instance running auto transactions

**Notes:**
- Runs as user 1000:1000
- Credential secret configured for flow encryption
- Authentication: username/password configured
- NPM cache and modules stored in /data
- Custom healthcheck with ntfy notification on failure
- Notification URL: http://192.168.1.70:6741/hetzner_alerts
- Alert topic: hetzner_alerts
- Healthcheck interval: 120s, timeout: 60s, 4 retries
- Mounts /home/maddox for file access

---
## Utility Services

### autoheal

**Purpose:** Monitors and automatically restarts unhealthy Docker containers

**Technical Details:**
- **Image:** willfarrell/autoheal:latest
- **Container:** autoheal
- **Ports:** None
- **Volumes:**
  - `/var/run/docker.sock:/var/run/docker.sock`
  - `/volume1/docker/utils/autoheal:/config`
- **Network:** traefik
- **Watchtower:** None (monitors itself)
- **Autoheal:** Enabled (monitors itself)

**Dependencies:**
- **Requires:** None
- **Required by:** All containers with autoheal=true label

**Configuration:**
- **Monitor Label:** autoheal=true
- **Interval:** 5 seconds
- **Start Period:** 0 (immediate)
- **Stop Timeout:** 10 seconds
- **Webhook URL:** https://ntfy.3ddbrewery.com/autoheal-IM

**Notes:**
- Monitors all containers labeled with `autoheal=true`
- Sends webhook notifications to ntfy on restart events
- Has Docker socket access for container management
- Not exposed via Traefik

---

### watchtower

**Purpose:** Automatically updates Docker containers with new images

**Technical Details:**
- **Image:** containrrr/watchtower:latest
- **Container:** watchtower
- **Ports:** 8080 (internal only)
- **Volumes:**
  - `/var/run/docker.sock:/var/run/docker.sock`
  - `/volume1/docker/utils/watchtower:/config`
- **Network:** traefik
- **Watchtower:** Enabled (updates itself)
- **Autoheal:** Enabled

**Dependencies:**
- **Requires:** None
- **Required by:** All containers with watchtower label

**Configuration:**
- **Label Enable:** true (only updates labeled containers)
- **Cleanup:** true (removes old images)
- **Poll Interval:** 3600 seconds (1 hour)
- **Timeout:** 30 seconds
- **Include Restarting:** true
- **Include Stopped:** false
- **Notifications:** Email + ntfy

**Email Notifications:**
- **From:** xoppaw@gmail.com
- **To:** brian.w.maddox@gmail.com
- **Server:** smtp.gmail.com:587
- **Subject Tag:** IM-watchtower-updates

**Webhook Notifications:**
- **URL:** ntfy://ntfy.3ddbrewery.com/watchtower-IM

**Notes:**
- Only updates containers with `com.centurylinklabs.watchtower.enable=true` label
- Rolling restart (one at a time)
- Dual notifications: email and ntfy
- Docker API version: 1.44
- Not exposed via Traefik

---
## Matrix/Synapse Containers

**Note:** These containers are part of the Matrix/Synapse stack managed separately (not in `/volume1/docker/`). Listed for completeness only.

**Matrix/Synapse Container Names:**
- matrix-bot-matrix-reminder-bot
- matrix-bot-maubot
- matrix-client-element
- matrix-container-socket-proxy
- matrix-coturn
- matrix-exim-relay
- matrix-grafana
- matrix-heisenbridge
- matrix-mautrix-gmessages
- matrix-mautrix-signal
- matrix-mautrix-telegram
- matrix-mautrix-whatsapp
- matrix-ntfy
- matrix-postgres
- matrix-postgres-backup
- matrix-prometheus
- matrix-prometheus-node-exporter
- matrix-prometheus-postgres-exporter
- matrix-static-files
- matrix-synapse
- matrix-synapse-admin
- matrix-traefik
- matrix-traefik-certs-dumper

**Total Matrix/Synapse Containers:** 23