auto-save 2026-07-13

This commit is contained in:
Ray
2026-07-13 02:00:15 -04:00
parent dab5a4ebc6
commit 473729267c
14 changed files with 579 additions and 38 deletions
+45 -3
View File
@@ -40,6 +40,22 @@ All service data stays on the home server. The VPS only runs nginx + certbot + T
- Tailscale account with home server already on the tailnet
- DuckDNS domain (or any domain with API-updatable DNS)
### Finding VPS access when you don't remember the IP/SSH config
If `~/.ssh/config` has no entry and you can't remember the VPS IP, discover it from the home server via Tailscale:
```bash
tailscale status
# Look for the linux machine that is NOT your home server
# Example output:
# 100.86.68.23 vps-f37a7b70 mani8994@ linux active; direct 51.81.84.34:41641
# 100.93.253.36 rayserver mani8994@ linux -
ssh ubuntu@100.86.68.23 # SSH via Tailscale IP (OVH uses 'ubuntu' user)
```
The VPS typically has the public IP shown after `direct` in the status output. Use its Tailscale IP for SSH — no ports need to be open on the VPS firewall for SSH when using the tailnet.
## Step 1: Provision VPS
Order the cheapest instance with 4GB+ RAM. OVH VPS Starter or Contabo VPS S are ~$5/mo. Note the public IPv4 address.
@@ -334,9 +350,16 @@ ssh ubuntu@<vps-ip> 'sudo certbot certonly --nginx --non-interactive --agree-tos
# 3. Reload nginx on the VPS
ssh ubuntu@<vps-ip> 'sudo systemctl reload nginx'
# 4. Add the new subdomain to the HOME server's nginx server_name
# (on the home server, edit the service's nginx config)
sudo nginx -t && sudo systemctl reload nginx
# 4. Update the service's own config on the home server (if applicable)
# For services behind home nginx: add the subdomain to server_name
# For direct Docker services (Immich:2283, SparkyFitness:3004, etc.):
# update the service's environment variables with the new public URL
# (e.g., SPARKY_FITNESS_FRONTEND_URL, IMMICH__SERVER__EXTERNAL_ORIGIN)
# then recreate containers: docker compose up -d
#
# Docker compose restart does NOT pick up .env changes — use up -d
# so containers are recreated with fresh env vars.
sudo nginx -t && sudo systemctl reload nginx # only if behind home nginx
```
**Pitfall:** The `--expand` flag is required when adding domains to an existing cert, NOT `--force-renewal` or bare `certonly`. Without `--expand`, certbot creates a separate cert file instead of extending the existing one. The nginx `ssl_certificate` paths remain the same (certbot updates the live symlink), so no config changes needed.
@@ -347,6 +370,25 @@ sudo nginx -t && sudo systemctl reload nginx
**Pitfall:** For custom domains (graj-media.com), the VPS cert is a multi-domain cert (NOT a wildcard). Each new subdomain requires an explicit certbot expand. DNS wildcard records (`*.graj-media.com`) handle routing but NOT certificate coverage — certbot must still list every subdomain in the `-d` flags.
**Pitfall — proxy_pass protocol: HTTP vs HTTPS in the cert expansion template:** The template above uses `proxy_pass https://...` with `proxy_ssl_verify off`, which assumes the service is behind the home server's nginx (SSL). For **direct Docker HTTP services** (SparkyFitness on :3004, Immich on :2283, Audiobookshelf on :13378), omit the SSL directives and use plain HTTP:
```nginx
location / {
proxy_pass http://100.93.253.36:<port>; # HTTP, not HTTPS
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400;
proxy_buffering off;
}
```
The service table under Step 5 tells you which pattern applies — services marked "direct" use HTTP proxy, services marked "home nginx SSL" use HTTPS proxy. Check the service type before writing the config.
## Step 8: ShopProQuote LLM proxy
If ShopProQuote calls `/llm/` to a local Ollama on the home server, add a location block to the ShopProQuote nginx config on the VPS: