# selfhosted2

## Machines

| Name | Role | OS | LAN IP | WG IP | SSH user |
|------|------|----|--------|-------|----------|
| hector | Dev machine (this one) | Linux Mint Mate | — | — | — |
| agge | Backend server | Ubuntu Server | 192.168.1.188 | 10.0.0.2 | tebarbi |
| heron | VPS / reverse proxy | Ubuntu Server | 82.197.73.238 | 10.0.0.1 | qbert |

## Architecture

All traffic goes through **heron** (single entry point, public IP `82.197.73.238`):

- nginx in Docker (`vps/docker-compose.yml`) terminates SSL (Let's Encrypt) and reverse proxies
- WireGuard sidecar container encrypts traffic to agge
- agge connects *out* to heron (agge is behind residential NAT, heron listens passively)
- All backend services bind to `10.0.0.2` only (tunnel-only access)

## Services

| Domain | Service | Backend | Via heron |
|--------|---------|---------|-----------|
| git.qmoln.se | Gitea | agge:10.0.0.2:3000 (HTTP), :2222 (SSH) | HTTPS :443, TCP :2222 |
| nc.qmoln.se | Nextcloud | agge:10.0.0.2:8080 | HTTPS :443 |
| pg.qmoln.se | PostgreSQL | agge:10.0.0.2:5432 | TCP :5432 |
| qmoln.se | Static page | Served directly by nginx | HTTP/HTTPS |

## Repo structure

- `backend/docker-compose.yml` — agge stack (postgres, nextcloud, gitea, postgres_remote)
- `vps/docker-compose.yml` — heron stack (wireguard sidecar + nginx)
- `vps/nginx/conf.d/` — HTTP/HTTPS proxy configs
- `vps/nginx/stream.d/` — TCP stream proxy configs (postgres, gitea ssh)
- `vps/wireguard/wg_confs/` — WireGuard tunnel config
- `.env.example` — template for secrets (real `.env` is gitignored)

## WireGuard keys

- agge public key: `02k4BaH3iZTQnPZe7zifcaS9n8xxrwCLyIOLTBWLdgk=`
- heron public key: `4BtJlUWOzBtvrRu3llQbD0GPvlXgTwLq79iBth3uOSo=`
- agge connects out to heron at `82.197.73.238:51820`
- heron's WG private key is in `vps/wireguard/wg_confs/wg0.conf`

## Git remote (via tunnel — only reachable when tunnel is up)

```
ssh://git@git.qmoln.se:2222/scoot/selfhosted2.git
```

## Conventions

- The machines `agge` and `heron` require `sudo` for most commands. Do **not** attempt to execute commands requiring sudo via SSH — present the command to the user and let them run it manually.

## Password management

See `.env.example` for required variables. Real `.env` lives on hector and a copy on agge (`chmod 600`).

To rotate:

1. generate with `openssl rand -base64 18`
2. update `.env`
3. run `ALTER USER` in the container
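The rotation steps above as a script (an added example, not part of this repo). It assumes the env key `POSTGRES_PASSWORD`, a container named `postgres` and a database role `postgres`; none of these names are stated in the README, so adjust them to the real `backend/docker-compose.yml`.

```bash
#!/usr/bin/env bash
# Rotate the PostgreSQL password following the README's three steps:
# generate with `openssl rand -base64 18`, update `.env`, run ALTER USER in the container.
# Added example, not repo code. Assumed placeholders (not from the README):
# env key POSTGRES_PASSWORD, container "postgres", database role "postgres".
set -eu

# Step 1: new secret exactly as the README specifies (24 base64 chars, no '=' padding).
gen_secret() {
  openssl rand -base64 18
}

# Step 2: replace (or append) KEY=VALUE in an env file, leaving every other line intact.
# Written through a temp file so an interrupted run never leaves a truncated .env,
# and the result keeps the README's chmod 600.
set_env_var() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp "${file}.XXXXXX")"
  if [ -f "$file" ] && grep -q "^${key}=" "$file"; then
    # awk rather than sed: base64 values contain '/' and '+', which sed treats specially
    awk -v k="$key" -v v="$value" 'BEGIN{FS="="} $1==k {print k "=" v; next} {print}' "$file" > "$tmp"
  else
    [ -f "$file" ] && cat "$file" > "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
  fi
  chmod 600 "$tmp"
  mv "$tmp" "$file"
}

# Read KEY back from the env file (everything after the first '=').
get_env_var() {
  awk -v k="$2" 'BEGIN{FS="="} $1==k {sub(/^[^=]*=/, ""); print; exit}' "$1"
}

# Step 3: build the ALTER USER statement. Single quotes are doubled so the value can
# never break out of the SQL literal, even if a non-base64 password is ever passed in.
alter_user_sql() {
  local role="$1" pw
  pw="$(printf '%s' "$2" | sed "s/'/''/g")"
  printf "ALTER USER %s PASSWORD '%s';" "$role" "$pw"
}

# Per the Conventions section, sudo commands are not run on agge over SSH: print the
# command for the operator. psql reads the statement from stdin (paste it, then Ctrl-D),
# so the new password never lands in argv, `ps` output or shell history on agge.
present_rotation() {
  local envfile="$1" secret
  secret="$(gen_secret)"
  set_env_var "$envfile" POSTGRES_PASSWORD "$secret"
  echo "Run on agge:  sudo docker exec -i postgres psql -U postgres -v ON_ERROR_STOP=1"
  echo "Then paste:   $(alter_user_sql postgres "$secret")"
}
```

Run as `present_rotation /path/to/.env` on hector, then copy the updated `.env` to agge (`chmod 600`) as the README describes.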