Migrate from raspen prototype to heron live VPS

- Replace raspen references with heron in AGENTS.md
- Update nginx config for live domains (qmoln.se)
- Switch SSL certs to Let's Encrypt paths
- Update WireGuard config with heron's keys and passive listen
- WireGuard direction: agge connects out to heron
- Remove old ssl volume mount, mount /etc/letsencrypt instead

AGENTS.md

@@ -6,42 +6,50 @@
 |------|------|----|--------|-------|----------|
 | hector | Dev machine (this one) | Linux Mint Mate | — | — | — |
 | agge | Backend server | Ubuntu Server | 192.168.1.188 | 10.0.0.2 | tebarbi |
-| raspen | VPS / reverse proxy | Raspberry Pi OS Lite | 192.168.1.187 | 10.0.0.1 | rasput |
+| heron | VPS / reverse proxy | Ubuntu Server | 82.197.73.238 | 10.0.0.1 | qbert |
 
 ## Architecture
 
-All traffic goes through **raspen** (single entry point):
-- nginx in Docker (`vps/docker-compose.yml`) terminates SSL and reverse proxies
+All traffic goes through **heron** (single entry point, public IP `82.197.73.238`):
+- nginx in Docker (`vps/docker-compose.yml`) terminates SSL (Let's Encrypt) and reverse proxies
 - WireGuard sidecar container encrypts traffic to agge
+- agge connects *out* to heron (agge is behind residential NAT, heron listens passively)
 - All backend services bind to `10.0.0.2` only (tunnel-only access)
 
 ## Services
 
-| Domain | Service | Backend | Via raspen |
-|--------|---------|---------|------------|
-| git.home | Gitea | agge:10.0.0.2:3000 (HTTP), :2222 (SSH) | HTTPS :443, TCP :2222 |
-| nc.home | Nextcloud | agge:10.0.0.2:8080 | HTTPS :443 |
-| pg.home | PostgreSQL | agge:10.0.0.2:5432 | TCP :5432 |
-| raspen.home | Static page | Served directly by nginx | HTTP/HTTPS |
+| Domain | Service | Backend | Via heron |
+|--------|---------|---------|-----------|
+| git.qmoln.se | Gitea | agge:10.0.0.2:3000 (HTTP), :2222 (SSH) | HTTPS :443, TCP :2222 |
+| nc.qmoln.se | Nextcloud | agge:10.0.0.2:8080 | HTTPS :443 |
+| pg.qmoln.se | PostgreSQL | agge:10.0.0.2:5432 | TCP :5432 |
+| qmoln.se | Static page | Served directly by nginx | HTTP/HTTPS |
 
 ## Repo structure
 
 - `backend/docker-compose.yml` — agge stack (postgres, nextcloud, gitea, postgres_remote)
-- `vps/docker-compose.yml` — raspen stack (wireguard sidecar + nginx)
+- `vps/docker-compose.yml` — heron stack (wireguard sidecar + nginx)
 - `vps/nginx/conf.d/` — HTTP/HTTPS proxy configs
 - `vps/nginx/stream.d/` — TCP stream proxy configs (postgres, gitea ssh)
 - `vps/wireguard/wg_confs/` — WireGuard tunnel config
 - `.env.example` — template for secrets (real `.env` is gitignored)
 
-## Git remote
+## WireGuard keys
+
+- agge public key: `02k4BaH3iZTQnPZe7zifcaS9n8xxrwCLyIOLTBWLdgk=`
+- heron public key: `4BtJlUWOzBtvrRu3llQbD0GPvlXgTwLq79iBth3uOSo=`
+- agge connects out to heron at `82.197.73.238:51820`
+- heron's WG private key is in `vps/wireguard/wg_confs/wg0.conf`
+
+## Git remote (via tunnel — only reachable when tunnel is up)
 
 ```
-ssh://git@git.home:2222/scoot/selfhosted2.git
+ssh://git@git.qmoln.se:2222/scoot/selfhosted2.git
 ```
 
 ## Conventions
 
-- The machines `agge` and `raspen` require `sudo` for most commands. Do **not** attempt to execute commands requiring sudo via SSH — present the command to the user and let them run it manually.
+- The machines `agge` and `heron` require `sudo` for most commands. Do **not** attempt to execute commands requiring sudo via SSH — present the command to the user and let them run it manually.
 
 ## Password management