codex-context/saturn/docs/hetzner-vps.md

2026-05-04 20:28:20 +02:00
# Hetzner VPS
## Description
This page documents facts received from the Codex session running on the Hetzner VPS / homelab server.
The relationship between this VPS and the Raspberry Pi 5 homelab is not yet clarified.
## Current configuration
- Hostname: `ubuntu-4gb-hel1-1`
- Public IPv4: `135.181.153.108`
- Public IPv6: `2a01:4f9:c014:98f0::1`
- Tailscale IP: `100.95.58.48`
- Incorrect Tailscale IP explicitly ruled out: `100.108.208.3`

Network interfaces reported:

- `docker0`: `172.17.0.1/16`, `DOWN`
- `br-b467702c0f28`: `172.18.0.1/16`, `DOWN`
- `br-40cc27c6ea24`: `172.19.0.1/16`, `DOWN`

Docker networks:

- `bridge`
- `host`
- `none`
- `npm_default`
- `proxy`
- Planned after Joplin start: `joplin-net`

Docker volumes:

- No Docker named volumes currently exist.
- Planned after Joplin start: `joplin_postgres_data`

Running containers:

- `npm`
## Known facts
- `npm` uses image `jc21/nginx-proxy-manager:latest`.
- `npm` status was reported as `Up about an hour`.
- `npm` Compose path is `/home/dockeruser/docker/npm`.
- `npm` uses `network_mode: host`.
- Because `npm` uses host networking, Nginx Proxy Manager binds directly to host ports.
- Nginx Proxy Manager admin UI responds `200 OK` internally at `http://127.0.0.1:81`.
- Nginx Proxy Manager HTTP listener responds `200 OK` internally at `http://127.0.0.1:80`.
- Nginx Proxy Manager responded `200 OK` at `http://100.95.58.48:81`.
- Nginx Proxy Manager responded `200 OK` at `http://135.181.153.108:81`.
- Nginx config test passes.
- Laptop-side diagnostics on 2026-04-15 verified:
  - `tailscale status` shows `ubuntu-4gb-hel1-1` at `100.95.58.48` as active.
  - `tailscale ping 100.95.58.48` returns pong responses through DERP relay `hel`.
  - `tailscale ping 100.95.58.48` reports direct connection not established.
  - `ping -c 4 100.95.58.48` returns 4 received, 0% packet loss.
  - `ping -c 4 135.181.153.108` returns 4 received, 0% packet loss.
  - `curl -v --connect-timeout 5 http://100.95.58.48:81` connects and returns `HTTP/1.1 200 OK`.
  - `curl -I --connect-timeout 5 http://100.95.58.48:81` returns `HTTP/1.1 200 OK`.
  - `curl -v --connect-timeout 5 http://135.181.153.108:81` connects and returns `HTTP/1.1 200 OK`.
  - `curl -I --connect-timeout 5 http://135.181.153.108:81` returns `HTTP/1.1 200 OK`.
- From a laptop/browser, the reported Nginx Proxy Manager admin UI URLs are:
  - `http://100.95.58.48:81` over Tailscale
  - `http://135.181.153.108:81` publicly if firewall allows it

Nginx Proxy Manager Compose file:

- Path: `/home/dockeruser/docker/npm/docker-compose.yml`
- Service:
  - `container_name: npm`
  - `image: jc21/nginx-proxy-manager:latest`
  - `restart: unless-stopped`
  - `network_mode: host`
  - `TZ: Europe/Warsaw`
- Volumes:
  - `./data:/data`
  - `./letsencrypt:/etc/letsencrypt`

## Unknown / needs clarification
- Whether this Hetzner VPS is part of the homelab, a separate public edge, or both.
- Operating system version.
- Firewall rules.
- Whether port `81` is intentionally reachable on public IPv4.
- Whether ports `80` and `443` are publicly reachable from the internet.
- Why Tailscale direct connection is not established and traffic uses DERP relay `hel`.
- Whether any services other than `npm` are running outside Docker.
- Backup configuration.
- Monitoring and alerting configuration.
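
One way to start on the port `80`/`81`/`443` questions from the host itself: with `network_mode: host`, the listeners appear directly in the host's socket table, so the output of `ss -Htln` shows whether each port is bound on all interfaces or on a single address. The script below is an added example, not part of the original page or of the Codex session output; the function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Classify TCP listeners from `ss -Htln` output read on stdin.
# Prints one line per listener: "<port> <scope> <address>".
classify_listeners() {
    awk '$1 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)       # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
        sub(/%.*$/, "", addr)                  # drop interface scope such as %lo
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "[::1]")
            scope = "loopback"
        else
            scope = "single-address"
        print port, scope, addr
    }'
}

# Print the watched ports (default: 80 81 443) that are bound on all
# interfaces, space-separated and de-duplicated across IPv4/IPv6.
wildcard_ports() {
    watch="${1:-80 81 443}"
    classify_listeners | awk -v watch="$watch" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $2 == "all-interfaces" && ($1 in want) && !seen[$1]++ { print $1 }' |
        sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `ss -Htln` output (not captured from the VPS).
SAMPLE_SS='LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:81 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 [::]:81 [::]:*'

# On the live host, replace the sample with:  ss -Htln | wildcard_ports
printf '%s\n' "$SAMPLE_SS" | wildcard_ports
echo
```

A port reported here is bound on every interface, including the public one, so the firewall rules (still listed as unknown above) are the only control deciding whether it is reachable from the internet.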