scoot/selfhosted2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
selfhosted2/AGENTS.md
T
scoot c13bcb3efa Migrate from raspen prototype to heron live VPS 
- Replace raspen references with heron in AGENTS.md
- Update nginx config for live domains (qmoln.se)
- Switch SSL certs to Let's Encrypt paths
- Update WireGuard config with heron's keys and passive listen
- WireGuard direction: agge connects out to heron
- Remove old ssl volume mount, mount /etc/letsencrypt instead
2026-05-28 05:49:05 +02:00

2.4 KiB
Raw Permalink Blame History

selfhosted2

Machines

Name Role OS LAN IP WG IP SSH user
hector Dev machine (this one) Linux Mint Mate
agge Backend server Ubuntu Server 192.168.1.188 10.0.0.2 tebarbi
heron VPS / reverse proxy Ubuntu Server 82.197.73.238 10.0.0.1 qbert

Architecture

All traffic goes through heron (single entry point, public IP 82.197.73.238):

  • nginx in Docker (vps/docker-compose.yml) terminates SSL (Let's Encrypt) and reverse proxies
  • WireGuard sidecar container encrypts traffic to agge
  • agge connects out to heron (agge is behind residential NAT, heron listens passively)
  • All backend services bind to 10.0.0.2 only (tunnel-only access)

Services

Domain Service Backend Via heron
git.qmoln.se Gitea agge:10.0.0.2:3000 (HTTP), :2222 (SSH) HTTPS :443, TCP :2222
nc.qmoln.se Nextcloud agge:10.0.0.2:8080 HTTPS :443
pg.qmoln.se PostgreSQL agge:10.0.0.2:5432 TCP :5432
qmoln.se Static page Served directly by nginx HTTP/HTTPS

Repo structure

  • backend/docker-compose.yml — agge stack (postgres, nextcloud, gitea, postgres_remote)
  • vps/docker-compose.yml — heron stack (wireguard sidecar + nginx)
  • vps/nginx/conf.d/ — HTTP/HTTPS proxy configs
  • vps/nginx/stream.d/ — TCP stream proxy configs (postgres, gitea ssh)
  • vps/wireguard/wg_confs/ — WireGuard tunnel config
  • .env.example — template for secrets (real .env is gitignored)

WireGuard keys

  • agge public key: 02k4BaH3iZTQnPZe7zifcaS9n8xxrwCLyIOLTBWLdgk=
  • heron public key: 4BtJlUWOzBtvrRu3llQbD0GPvlXgTwLq79iBth3uOSo=
  • agge connects out to heron at 82.197.73.238:51820
  • heron's WG private key is in vps/wireguard/wg_confs/wg0.conf

Git remote (via tunnel — only reachable when tunnel is up)

ssh://git@git.qmoln.se:2222/scoot/selfhosted2.git

Conventions

  • The machines agge and heron require sudo for most commands. Do not attempt to execute commands requiring sudo via SSH — present the command to the user and let them run it manually.

Password management

See .env.example for required variables. Real .env lives on hector and a copy on agge (chmod 600). To rotate: generate with openssl rand -base64 18, update .env, run ALTER USER in the container.

Reference in New Issue View Git Blame Copy Permalink