5607b338ba
Aenderungen: - nginx: http2 Direktive aktualisiert (deprecated Syntax) - nginx: proxy_max_temp_file_size entfernt (Windows-inkompatibel) - nginx: Rate Limiting aktiviert Dokumentation: - Stolperfallen und Lessons Learned hinzugefuegt - Changelog aktualisiert mit allen Security-Massnahmen Getestet: - Alle Services erreichbar (Vaultwarden, Nextcloud, Gitea, Websites) - nginx Config validiert - Rate Limiting aktiv 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
198 lines
4.6 KiB
Markdown
198 lines
4.6 KiB
Markdown
# Proxmox Infrastruktur
|
|
|
|
Self-Hosted Services auf Proxmox VE mit Docker.
|
|
|
|
## Architektur
|
|
|
|
```
|
|
Internet
|
|
|
|
|
v
|
|
[Windows VPS: 217.154.65.205]
|
|
- nginx Reverse Proxy
|
|
- SSL (Let's Encrypt via win-acme)
|
|
- WireGuard Server
|
|
|
|
|
| WireGuard Tunnel (10.0.0.0/24)
|
|
v
|
|
[Proxmox: 192.168.178.111 / 10.0.0.2]
|
|
- Docker Host
|
|
- Alle Services als Container
|
|
```
|
|
|
|
## Services
|
|
|
|
| Service | Port | URL (Extern) | Beschreibung |
|
|
|---------|------|--------------|--------------|
|
|
| Nextcloud | 8081 | eckardt-cloud.duckdns.org | Cloud Storage |
|
|
| Vaultwarden | 8083 | eckardt-vault.duckdns.org/vault/ | Passwort Manager |
|
|
| n8n | 5678 | eckardt-vault.duckdns.org/n8n/ | Workflow Automation |
|
|
| Gitea | 3000 | eckardt-git.duckdns.org | Git Repository |
|
|
| Websites | 8082 | eckardt-vault.duckdns.org | Statische Websites |
|
|
| API | 8000 | eckardt-vault.duckdns.org/api/ | FastAPI Backend |
|
|
| Audiobookshelf | 13378 | (intern) | Audiobook Server |
|
|
|
|
## Quick Start
|
|
|
|
### Voraussetzungen
|
|
|
|
- Proxmox VE oder Debian/Ubuntu mit Docker
|
|
- WireGuard fuer externen Zugriff
|
|
- Min. 4GB RAM, 50GB Speicher
|
|
|
|
### Installation
|
|
|
|
```bash
|
|
# Repository klonen
|
|
git clone https://eckardt-git.duckdns.org/Martin/proxmox-infrastruktur.git
|
|
cd proxmox-infrastruktur
|
|
|
|
# Environment-Variablen konfigurieren
|
|
cp docker/.env.template docker/.env
|
|
nano docker/.env # Passwoerter anpassen!
|
|
|
|
# Deployment starten
|
|
sudo ./scripts/deploy.sh
|
|
```
|
|
|
|
## Verzeichnisstruktur
|
|
|
|
```
|
|
proxmox-infrastruktur/
|
|
├── docker/
|
|
│ ├── docker-compose.yml # Haupt-Konfiguration
|
|
│ ├── .env.template # Environment Template
|
|
│ └── .gitignore # Secrets ausschliessen
|
|
├── configs/
|
|
│ ├── nginx/
|
|
│ │ └── nginx.conf # VPS Reverse Proxy
|
|
│ └── wireguard/
|
|
│ └── wg0.conf.template # WireGuard Template
|
|
├── scripts/
|
|
│ ├── deploy.sh # Installations-Script
|
|
│ ├── backup.sh # Backup-Script
|
|
│ └── health-check.sh # Health-Check Script
|
|
├── docs/
|
|
│ ├── INSTALL.md # Detaillierte Installation
|
|
│ └── TROUBLESHOOTING.md # Problemloesungen
|
|
└── README.md # Diese Datei
|
|
```
|
|
|
|
## Wartung
|
|
|
|
### Health Check
|
|
|
|
```bash
|
|
# Alle Services pruefen
|
|
/opt/scripts/health-check.sh
|
|
|
|
# Einzelnen Container pruefen
|
|
docker inspect --format='{{.State.Health.Status}}' nextcloud
|
|
```
|
|
|
|
### Backup
|
|
|
|
```bash
|
|
# Vollstaendiges Backup
|
|
/opt/scripts/backup.sh all
|
|
|
|
# Einzelner Service
|
|
/opt/scripts/backup.sh nextcloud
|
|
|
|
# Automatisches Backup (crontab -e)
|
|
0 3 * * * /opt/scripts/backup.sh all >> /var/log/backup.log 2>&1
|
|
```
|
|
|
|
### Updates
|
|
|
|
```bash
|
|
cd /opt/docker
|
|
|
|
# Alle Container aktualisieren
|
|
docker compose pull
|
|
docker compose up -d
|
|
|
|
# Einzelnen Container aktualisieren
|
|
docker compose pull nextcloud
|
|
docker compose up -d nextcloud
|
|
```
|
|
|
|
### Logs
|
|
|
|
```bash
|
|
# Alle Container
|
|
docker compose logs -f
|
|
|
|
# Einzelner Container
|
|
docker logs -f nextcloud
|
|
|
|
# Letzte 100 Zeilen
|
|
docker logs --tail 100 nextcloud
|
|
```
|
|
|
|
## Sicherheit
|
|
|
|
### Implementierte Massnahmen
|
|
|
|
- **Isolierte Netzwerke**: Jeder Service hat sein eigenes Docker-Netzwerk
|
|
- **Resource Limits**: CPU und Memory Limits pro Container
|
|
- **Health Checks**: Automatische Ueberwachung aller Services
|
|
- **Rate Limiting**: nginx begrenzt Anfragen pro IP
|
|
- **TLS 1.2+**: Nur sichere Verschluesselung
|
|
- **Security Headers**: X-Frame-Options, X-Content-Type-Options, etc.
|
|
|
|
### Zu beachten
|
|
|
|
- `.env` Datei NIEMALS committen
|
|
- Admin-Tokens regelmaessig rotieren
|
|
- Backups extern speichern
|
|
- Updates zeitnah einspielen
|
|
|
|
## Netzwerk
|
|
|
|
### WireGuard Tunnel
|
|
|
|
```
|
|
VPS (Server) Proxmox (Client)
|
|
10.0.0.1 <--> 10.0.0.2
|
|
217.154.65.205 192.168.178.111
|
|
```
|
|
|
|
### Ports
|
|
|
|
| Port | Service | Zugriff |
|
|
|------|---------|---------|
|
|
| 51820/UDP | WireGuard | VPS extern |
|
|
| 80 | nginx HTTP | VPS extern |
|
|
| 443 | nginx HTTPS | VPS extern |
|
|
| 3000 | Gitea Web | Proxmox intern |
|
|
| 2222 | Gitea SSH | Proxmox intern |
|
|
|
|
## Troubleshooting
|
|
|
|
Siehe [docs/TROUBLESHOOTING.md](docs/TROUBLESHOOTING.md) fuer:
|
|
|
|
- Container startet nicht
|
|
- Permission denied Fehler
|
|
- Netzwerk-Probleme
|
|
- SSL-Zertifikat Fehler
|
|
- Backup-Probleme
|
|
|
|
## Changelog
|
|
|
|
### 2025-12-28
|
|
- Initial Setup mit allen Services
|
|
- Gitea auf eigener Subdomain (eckardt-git.duckdns.org)
|
|
- Security Hardening:
|
|
- Fail2Ban (SSH: 3 Versuche = 24h Ban)
|
|
- SSH Key-Only Authentication
|
|
- UFW Firewall
|
|
- Automatische Security Updates
|
|
- Docker no-new-privileges
|
|
- nginx Rate Limiting
|
|
- Vaultwarden Registration disabled
|
|
- Gitea Registration disabled
|
|
- Isolierte Docker-Netzwerke pro Service
|
|
- Resource Limits (CPU/Memory) pro Container
|
|
- Logging mit Rotation (10MB, 3 Files)
|