diff --git a/AGENTS.md b/AGENTS.md
index 0ca05db..c98bd57 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -6,42 +6,50 @@
 |------|------|----|--------|-------|----------|
 | hector | Dev machine (this one) | Linux Mint Mate | — | — | — |
 | agge | Backend server | Ubuntu Server | 192.168.1.188 | 10.0.0.2 | tebarbi |
-| raspen | VPS / reverse proxy | Raspberry Pi OS Lite | 192.168.1.187 | 10.0.0.1 | rasput |
+| heron | VPS / reverse proxy | Ubuntu Server | 82.197.73.238 | 10.0.0.1 | qbert |
 
 ## Architecture
 
-All traffic goes through **raspen** (single entry point):
-- nginx in Docker (`vps/docker-compose.yml`) terminates SSL and reverse proxies
+All traffic goes through **heron** (single entry point, public IP `82.197.73.238`):
+- nginx in Docker (`vps/docker-compose.yml`) terminates SSL (Let's Encrypt) and reverse proxies
 - WireGuard sidecar container encrypts traffic to agge
+- agge connects *out* to heron (agge is behind residential NAT, heron listens passively)
 - All backend services bind to `10.0.0.2` only (tunnel-only access)
 
 ## Services
 
-| Domain | Service | Backend | Via raspen |
-|--------|---------|---------|------------|
-| git.home | Gitea | agge:10.0.0.2:3000 (HTTP), :2222 (SSH) | HTTPS :443, TCP :2222 |
-| nc.home | Nextcloud | agge:10.0.0.2:8080 | HTTPS :443 |
-| pg.home | PostgreSQL | agge:10.0.0.2:5432 | TCP :5432 |
-| raspen.home | Static page | Served directly by nginx | HTTP/HTTPS |
+| Domain | Service | Backend | Via heron |
+|--------|---------|---------|-----------|
+| git.qmoln.se | Gitea | agge:10.0.0.2:3000 (HTTP), :2222 (SSH) | HTTPS :443, TCP :2222 |
+| nc.qmoln.se | Nextcloud | agge:10.0.0.2:8080 | HTTPS :443 |
+| pg.qmoln.se | PostgreSQL | agge:10.0.0.2:5432 | TCP :5432 |
+| qmoln.se | Static page | Served directly by nginx | HTTP/HTTPS |
 
 ## Repo structure
 
 - `backend/docker-compose.yml` — agge stack (postgres, nextcloud, gitea, postgres_remote)
-- `vps/docker-compose.yml` — raspen stack (wireguard sidecar + nginx)
+- `vps/docker-compose.yml` — heron stack (wireguard sidecar + nginx)
 - `vps/nginx/conf.d/` — HTTP/HTTPS proxy configs
 - `vps/nginx/stream.d/` — TCP stream proxy configs (postgres, gitea ssh)
 - `vps/wireguard/wg_confs/` — WireGuard tunnel config
 - `.env.example` — template for secrets (real `.env` is gitignored)
 
-## Git remote
+## WireGuard keys
+
+- agge public key: `02k4BaH3iZTQnPZe7zifcaS9n8xxrwCLyIOLTBWLdgk=`
+- heron public key: `4BtJlUWOzBtvrRu3llQbD0GPvlXgTwLq79iBth3uOSo=`
+- agge connects out to heron at `82.197.73.238:51820`
+- heron's WG private key is in `vps/wireguard/wg_confs/wg0.conf`
+
+## Git remote (via tunnel — only reachable when tunnel is up)
 
 ```
-ssh://git@git.home:2222/scoot/selfhosted2.git
+ssh://git@git.qmoln.se:2222/scoot/selfhosted2.git
 ```
 
 ## Conventions
 
-- The machines `agge` and `raspen` require `sudo` for most commands. Do **not** attempt to execute commands requiring sudo via SSH — present the command to the user and let them run it manually.
+- The machines `agge` and `heron` require `sudo` for most commands. Do **not** attempt to execute commands requiring sudo via SSH — present the command to the user and let them run it manually.
 
 ## Password management
 
diff --git a/vps/docker-compose.yml b/vps/docker-compose.yml
index 940dce3..3800884 100644
--- a/vps/docker-compose.yml
+++ b/vps/docker-compose.yml
@@ -26,6 +26,6 @@ services:
 - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
 - ./nginx/conf.d:/etc/nginx/conf.d:ro
 - ./nginx/stream.d:/etc/nginx/stream.d:ro
- - ./ssl:/etc/nginx/certs:ro
+ - /etc/letsencrypt:/etc/letsencrypt:ro
 - ./html:/usr/share/nginx/html:ro
 restart: unless-stopped
diff --git a/vps/nginx/conf.d/default.conf b/vps/nginx/conf.d/default.conf
index 265aa27..7f89a28 100644
--- a/vps/nginx/conf.d/default.conf
+++ b/vps/nginx/conf.d/default.conf
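Review bot: The new `/etc/letsencrypt:/etc/letsencrypt:ro` mount hands the nginx container the whole certbot tree, which normally also holds the ACME account private key under `accounts/` and every other certificate lineage on the host, while nginx only needs `live/qmoln.se/`; mount just that lineage instead, `- /etc/letsencrypt/live/qmoln.se:/etc/letsencrypt/live/qmoln.se:ro` and `- /etc/letsencrypt/archive/qmoln.se:/etc/letsencrypt/archive/qmoln.se:ro` (both, because `live/` is symlinks into `archive/`). Nginx loads the key pair at startup, so a certbot renewal on the host is not picked up until the container is reloaded; a certbot `--deploy-hook` that runs `docker compose exec nginx nginx -s reload` closes that gap and deserves a one-line comment next to the mount. The dropped `./ssl` mount suggests the old self-signed key pair still sits in `vps/ssl/`; if that directory is tracked, remove it from the repo. The nginx service definition starts before this hunk.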
@@ -8,19 +8,19 @@ upstream gitea {
 
 server {
 listen 80;
- server_name nc.home;
- return 301 https://nc.home$request_uri;
+ server_name nc.qmoln.se;
+ return 301 https://nc.qmoln.se$request_uri;
 }
 
 server {
 listen 80;
- server_name git.home;
- return 301 https://git.home$request_uri;
+ server_name git.qmoln.se;
+ return 301 https://git.qmoln.se$request_uri;
 }
 
 server {
 listen 80;
- server_name raspen.home;
+ server_name qmoln.se;
 
 root /usr/share/nginx/html;
 index index.html;
@@ -37,10 +37,10 @@ server {
 
 server {
 listen 443 ssl;
- server_name nc.home;
+ server_name nc.qmoln.se;
 
- ssl_certificate /etc/nginx/certs/ssl.crt;
- ssl_certificate_key /etc/nginx/certs/ssl.key;
+ ssl_certificate /etc/letsencrypt/live/qmoln.se/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/qmoln.se/privkey.pem;
 
 client_max_body_size 10G;
 client_body_timeout 3600s;
@@ -63,10 +63,10 @@ server {
 
 server {
 listen 443 ssl;
- server_name git.home;
+ server_name git.qmoln.se;
 
- ssl_certificate /etc/nginx/certs/ssl.crt;
- ssl_certificate_key /etc/nginx/certs/ssl.key;
+ ssl_certificate /etc/letsencrypt/live/qmoln.se/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/qmoln.se/privkey.pem;
 
 location / {
 proxy_pass http://gitea;
@@ -82,10 +82,10 @@ server {
 
 server {
 listen 443 ssl;
- server_name raspen.home;
+ server_name qmoln.se;
 
- ssl_certificate /etc/nginx/certs/ssl.crt;
- ssl_certificate_key /etc/nginx/certs/ssl.key;
+ ssl_certificate /etc/letsencrypt/live/qmoln.se/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/qmoln.se/privkey.pem;
 
 root /usr/share/nginx/html;
 index index.html;
diff --git a/vps/wireguard/wg_confs/wg0.conf b/vps/wireguard/wg_confs/wg0.conf
index 254f419..431ae22 100644
--- a/vps/wireguard/wg_confs/wg0.conf
+++ b/vps/wireguard/wg_confs/wg0.conf
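Review bot: All three `listen 443 ssl` blocks now point at the single `live/qmoln.se` lineage, so that certificate has to carry `nc.qmoln.se` and `git.qmoln.se` as SANs (or be a wildcard issued via DNS-01), otherwise browsers get a hostname mismatch on the Nextcloud and Gitea vhosts; the certbot invocation is not in this diff, so please confirm it was run with `-d qmoln.se -d nc.qmoln.se -d git.qmoln.se`. Now that the certificate is publicly trusted, the blocks in view set no TLS policy and no HSTS; unless `nginx.conf` does so globally, add `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=63072000" always;` next to the `ssl_certificate` lines. Each of the three server blocks continues past its hunk, so the rest of their bodies is not reviewed here.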
@@ -1,9 +1,9 @@
 [Interface]
 Address = 10.0.0.1/30
-PrivateKey = 0Junydsr+YBVFgkHbDEEmWAXAhR7JCpSWyT1yzSzjFU=
+PrivateKey = EFp3S6XsMQEEM8o6KJBNv5gybTfS28xnO/XwWSLue2k=
+ListenPort = 51820
 
 [Peer]
 PublicKey = 02k4BaH3iZTQnPZe7zifcaS9n8xxrwCLyIOLTBWLdgk=
-Endpoint = 192.168.1.188:51820
 AllowedIPs = 10.0.0.2/32
 PersistentKeepalive = 25
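Review bot: The `PrivateKey` line commits heron's WireGuard private key in clear text, and the key it replaces stays in git history, so both should be treated as disclosed — anyone with read access to this repo (apparently the Gitea behind the same tunnel) can impersonate heron to agge. Rotate the key once more and keep the new one out of version control: drop `PrivateKey` from the tracked file and load it at bring-up from a gitignored file, e.g. `PostUp = wg set %i private-key /config/wg_confs/wg0.key` (path as seen inside the wireguard sidecar; confirm the image's wg-quick accepts an interface section without `PrivateKey`), the same way `.env` is already handled. With `Endpoint` removed and `ListenPort = 51820` added, heron now accepts handshakes from any source address, which is what a NAT'd agge needs, but it means the sidecar must publish UDP 51820 and the host firewall should admit nothing else inbound beyond the proxied ports. On a public IP the `pg.qmoln.se` TCP 5432 stream listed in AGENTS.md becomes Internet-facing as well, which is probably not intended and is worth a firewall rule or removal.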