Self-Hosting
Infrastructure Overview
Current Stack
VPS (public):
- Cloudflare Tunnel + Traefik (reverse proxy)
- authentik (auth provider)
- joplin, gitea (to be migrated)
Proxmox (MacBook Pro 2017, private):
- Running VMs/CTs for future services
Dell R710 (2010, private):
- restic backup server
- Pi-hole (DNS)
- Home Assistant
Synology DS218+ (NAS, 2x 18TB):
- NFS mounts → main storage provider
- Plex
- Synology stack (Surveillance Station, etc.)
Self-Hosted Apps Wishlist
Things Claudio wants to self-host or has explored
Priority / Active
- Migrate Gitea from VPS → Proxmox
- Migrate Joplin from VPS → Proxmox
- Set up proper backup system (restic already on Dell, needs orchestration)
- Cloudflare Tunnel management (move off VPS?)
Considered / Explored
- Linkding (bookmarks)
- FreshRSS (RSS reader)
- Vaultwarden (password manager)
- Home Assistant (already running on Dell)
- Nextcloud (file sync — already has Synology though)
- Uptime Kuma (monitoring)
- Glances (system monitoring)
- AdGuard Home (alternative to Pi-hole)
Backup Strategy (TODO)
- Restic server already running on Dell
- Synology is primary storage
- Need to define backup rotation for:
  - Gitea data
  - Joplin data
  - PostgreSQL DBs
  - Config files
Notes
- VPS hosts critical infrastructure (auth, proxy) — keep it minimal
- Proxmox is for ephemeral/experimental services
- Dell is for always-on base services (DNS, backups, HA)
- Synology is bulk storage + media
Pangolin reverse proxy notes
- Pangolin runs in Docker, so when exposing a service that is running directly on the VPS host, the backend must be reachable from the container network, not just from the host itself.
- For Pangolin public resources that forward to host-level services, use the Docker-to-host reachable IP (172.17.0.1) rather than 127.0.0.1. Inside the Pangolin container, 127.0.0.1 refers to the container loopback, not the VPS host loopback.
- If a VPS service is bound only to 127.0.0.1:<port>, Pangolin cannot reach it from the isolated Docker network.
- For example, Gitea did not work when forwarded to 127.0.0.1:3000; removing the 127.0.0.1 bind and exposing the service on a host-reachable interface made it work.
- Practical rule: when a reverse proxy lives in Docker but the upstream service lives on the host, confirm both the host IP and the bind address are reachable from the container namespace.
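One way to do that bind-address check on the VPS, as an added example that is not part of these notes or of Pangolin: it classifies each listening socket from ss -ltn output by who can reach it, and also flags the trade-off that a service rebound to 0.0.0.0 is reachable from Pangolin but from the internet too unless the VPS firewall blocks it, whereas binding to the docker0 address keeps it container-only. It assumes the default docker0 gateway 172.17.0.1 (verify with ip -4 addr show docker0; custom bridge networks use other subnets) and uses a constructed ss sample rather than a real capture.

```shell
#!/bin/sh
# Added check: classify every listening socket on the VPS by who can reach it.
# Assumes the default docker0 gateway 172.17.0.1 (verify with:
# ip -4 addr show docker0). Custom bridge networks use other subnets.
DOCKER_BRIDGE_IP="${DOCKER_BRIDGE_IP:-172.17.0.1}"

# classify_bind ADDR:PORT -> loopback-only | bridge-only | all-interfaces | other
#   loopback-only  : 127.x or [::1]      -> invisible to a Docker-hosted proxy such as Pangolin
#   bridge-only    : docker0 address     -> reachable from containers, not from the internet
#   all-interfaces : 0.0.0.0, [::] or *  -> reachable from containers AND publicly,
#                                           unless the VPS firewall blocks the port
classify_bind() {
    addr="${1%:*}"                      # strip the trailing :port
    case "$addr" in
        127.*|"[::1]")            echo "loopback-only" ;;
        "$DOCKER_BRIDGE_IP")      echo "bridge-only" ;;
        0.0.0.0|"*"|"[::]")       echo "all-interfaces" ;;
        *)                        echo "other" ;;
    esac
}

# audit_listeners: read `ss -ltn` output on stdin, print "<addr:port> <class>" per socket.
audit_listeners() {
    awk '$1 == "LISTEN" { print $4 }' | while read -r sock; do
        printf '%s %s\n' "$sock" "$(classify_bind "$sock")"
    done
}

# Constructed sample of `ss -ltn` output (not a capture from the real VPS):
# Gitea on loopback (the failing case from the notes), Gitea rebound to the
# docker0 address, and sshd on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:3000     0.0.0.0:*
LISTEN 0      4096   172.17.0.1:3000    0.0.0.0:*
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   [::]:22            [::]:*'

printf '%s\n' "$SAMPLE_SS" | audit_listeners
# On the live host, run instead:  ss -ltn | audit_listeners
```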