# Self-Hosting

## Infrastructure Overview

### Current Stack

**VPS** (public):
- Cloudflare Tunnel + Traefik (reverse proxy)
- authentik (auth provider)
- joplin, gitea (to be migrated)

**Proxmox** (macbook pro 2017, private):
- Running VMs/CTs for future services

**Dell R710** (2010, private):
- restic backup server
- Pi-hole (DNS)
- Home Assistant

**Synology DS218+** (NAS, 2x 18TB):
- NFS mounts → main storage provider
- Plex
- Synology stack (Surveillance Station, etc.)

---

## Self-Hosted Apps Wishlist

> Things Claudio wants to self-host or has explored

### Priority / Active

- [ ] Migrate Gitea from VPS → Proxmox
- [ ] Migrate Joplin from VPS → Proxmox
- [ ] Set up proper backup system (restic already on Dell, needs orchestration)
- [ ] Cloudflare Tunnel management (move off VPS?)

### Considered / Explored

- [ ] Linkding (bookmarks)
- [ ] FreshRSS (RSS reader)
- [ ] Vaultwarden (password manager)
- [ ] Home Assistant (already running on Dell)
- [ ] Nextcloud (file sync — already has Synology though)
- [ ] Uptime Kuma (monitoring)
- [ ] Glances (system monitoring)
- [ ] AdGuard Home (alternative to Pi-hole)

---

## Backup Strategy (TODO)

- Restic server already running on Dell
- Synology is primary storage
- Need to define backup rotation for:
  - Gitea data
  - Joplin data
  - PostgreSQL DBs
  - Config files

---

## Notes

- VPS hosts critical infrastructure (auth, proxy) — keep it minimal
- Proxmox is for ephemeral/experimental services
- Dell is for always-on base services (DNS, backups, HA)
- Synology is bulk storage + media

## Pangolin reverse proxy notes

- Pangolin runs in Docker, so when exposing a service that is running directly on the VPS host, the backend must be reachable from the container network, not just from the host itself.
- For Pangolin public resources that forward to host-level services, use the Docker-to-host reachable IP (`172.17.0.1`) rather than `127.0.0.1`.
- `127.0.0.1` inside the Pangolin container refers to the container loopback, not the VPS host loopback.
- If a VPS service is bound only to `127.0.0.1:`, Pangolin cannot reach it from the isolated Docker network.
- For example, Gitea did not work when forwarded to `127.0.0.1:3000`; removing the `127.0.0.1` bind and exposing the service on a host-reachable interface made it work.
- Practical rule: when a reverse proxy lives in Docker but the upstream service lives on the host, confirm both the host IP and the bind address are reachable from the container namespace.
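
One way to apply the practical rule above is to classify each host listener by its bind address before pointing Pangolin at it. This is an added example, not part of the original notes: the function names and the sample listener table are constructed, and it assumes input in the shape of `ss -ltnH` output with the local address in the fourth column.

```python
import ipaddress

# Constructed sample in the shape of `ss -ltnH` output on the VPS host:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 172.17.0.1:8080 0.0.0.0:*
LISTEN 0 244 [::1]:5432 [::]:*
LISTEN 0 4096 *:9000 *:*
"""

BRIDGE_IP = "172.17.0.1"  # Docker-to-host address from the notes above


def classify_bind(host, bridge_ip=BRIDGE_IP):
    """Say how a host listener looks from a container dialing bridge_ip."""
    if host == "*":                      # ss prints * for a dual-stack wildcard
        return "all-interfaces"
    ip = ipaddress.ip_address(host.split("%")[0])   # drop scope such as %lo
    if ip.is_loopback:
        return "loopback-only"           # invisible from the container namespace
    if ip.version == 4 and ip.is_unspecified:
        return "all-interfaces"          # reachable, but also on the public NIC
    if ip == ipaddress.ip_address(bridge_ip):
        return "bridge-only"             # reachable, not on the public NIC
    return "other-address"               # not served on bridge_ip


def audit_listeners(ss_text, bridge_ip=BRIDGE_IP):
    """Map each listening port to its classification."""
    result = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        result[int(port)] = classify_bind(host.strip("[]"), bridge_ip)
    return result


if __name__ == "__main__":
    for port, verdict in sorted(audit_listeners(SAMPLE_SS).items()):
        reachable = verdict in ("all-interfaces", "bridge-only")
        print(f"{port:>5}  {verdict:<15} reachable via {BRIDGE_IP}: {reachable}")
```

An `all-interfaces` listener is reachable from the Pangolin container but also accepts connections on the VPS's public address unless a host firewall filters the port; a `bridge-only` bind gives the container access without that exposure.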