
- Removed system/ directory, merged applications into users/geir.nix
- Simplified fonts.nix to bare minimum (users can add more)
- Moved transmission.nix to sleeper-service/services/ (machine-specific)
- Organized grey-area services into services/ directory
- Updated import paths and tested all configurations
- Added research documentation for deploy-rs and GNU Stow
Reverse Proxy Server
Machine Overview
Also known as vps1.

IP information (output of `ip link` / `ip addr`; enX0 is the public-facing interface, tailscale0 carries the 100.96.189.104/32 tailnet address used for management):

```
enX0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:d5:da:20 brd ff:ff:ff:ff:ff:ff
    altname enxfa163ed5da20
tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 100.96.189.104/32 scope global tailscale0
```
Role
- Primary Function: Reverse proxy and SSL/TLS termination
- Secondary Functions: Load balancing, external access gateway
- Network Position: Edge server handling external connections
Services
- Nginx or Traefik reverse proxy
- Let's Encrypt SSL certificate management
- Fail2ban, banning sources that repeatedly fail SSH authentication or probe the proxy
- Basic system monitoring
- Firewall management for external access
Architecture Notes
- Headless operation (no desktop environment)
- SSH-only access
- Minimal attack surface
- High availability requirements
- SSL/TLS offloading for internal services (the hop from the proxy to a backend is plain HTTP unless it runs over Tailscale or the backend has its own TLS)
Routing Configuration
Routes external traffic to internal services:
- grey-area (Forgejo, web applications)
- sleeper-service (file sharing, if exposed externally)
- congenital-optimist (development services, if needed)
Security Considerations
- First point of contact for external traffic
- Rate limiting per client address; a single VPS can only absorb modest volumetric DDoS, so anything beyond that relies on the hosting provider's upstream filtering
- Automated security updates
- Log monitoring and alerting
- Certificate renewal automation
Network Configuration
- Static IP assignment
- Firewall rules allowing only ports 80, 443 and 22 inbound (22 can later be restricted to the tailscale0 interface, since management already goes over Tailscale)
- Internal network access to other machines
- Tailscale integration for management
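The following NixOS module ties together the services, routing, security and network points listed above for vps1. It is an added example, not a module from this repository: `git.example.org` and `files.example.org` are placeholder hostnames, the ACME contact address and the backend ports 3000 (Forgejo on grey-area) and 8080 (sleeper-service) are assumed, and the internal hostnames are assumed to resolve over the tailnet (MagicDNS or /etc/hosts).

```nix
# Added example module for vps1 (not the repository's own code).
# Assumptions: git.example.org / files.example.org are placeholder hostnames,
# the backend ports (3000, 8080) and the ACME e-mail are placeholders, and
# grey-area / sleeper-service resolve to their tailnet addresses.
{ config, lib, pkgs, ... }:

{
  # Edge firewall: only the proxy ports and SSH are reachable from outside.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 22 80 443 ];
    # Everything arriving over the tailnet (management, internal hops) is trusted.
    trustedInterfaces = [ "tailscale0" ];
    # Once Tailscale management is confirmed, drop 22 from allowedTCPPorts
    # and keep SSH reachable only via the tailnet:
    # interfaces.tailscale0.allowedTCPPorts = [ 22 ];
  };

  services.tailscale.enable = true;

  # SSH-only, key-only access; no root login over the network.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # Let's Encrypt: NixOS renews each certificate from a systemd timer.
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@example.org";  # placeholder
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;   # forwards Host, X-Forwarded-For/-Proto to backends
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    # Per-client rate limit shared by all vhosts; excess requests get HTTP 429.
    commonHttpConfig = ''
      limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
      limit_req_status 429;
    '';

    # grey-area: Forgejo (TLS terminated here, plain HTTP over the tailnet).
    virtualHosts."git.example.org" = {
      enableACME = true;
      forceSSL = true;   # port 80 only answers with a redirect to https
      extraConfig = ''
        limit_req zone=perip burst=20 nodelay;
        client_max_body_size 512m;   # large git pushes
      '';
      locations."/" = {
        proxyPass = "http://grey-area:3000";
        proxyWebsockets = true;
      };
    };

    # sleeper-service: file sharing, only if it is meant to be public.
    virtualHosts."files.example.org" = {
      enableACME = true;
      forceSSL = true;
      extraConfig = ''
        limit_req zone=perip burst=20 nodelay;
      '';
      locations."/".proxyPass = "http://sleeper-service:8080";
    };
  };

  # Fail2ban: the sshd jail is on by default; add one for scanners that
  # hammer nginx with requests for paths that do not exist.
  services.fail2ban = {
    enable = true;
    ignoreIP = [ "100.64.0.0/10" ];  # never ban tailnet peers
    jails.nginx-botsearch.settings = {
      filter = "nginx-botsearch";
      logpath = "/var/log/nginx/access.log";
      maxretry = 5;
      bantime = "1h";
    };
  };

  # Unattended updates; the edge node is not rebooted automatically.
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
  };
}
```

Two things to check after deploying: nginx resolves `proxy_pass` hostnames when it loads its configuration and refuses to start if grey-area or sleeper-service do not resolve, so the tailnet names must be resolvable before the service comes up; and because TLS is terminated here, Forgejo must be told its public URL is `https://git.example.org` and must trust the `X-Forwarded-Proto` header that `recommendedProxySettings` sends, or it will generate `http://` links and reject logins.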