auto-save 2026-07-13
This commit is contained in:
@@ -40,6 +40,22 @@ All service data stays on the home server. The VPS only runs nginx + certbot + T
|
||||
- Tailscale account with home server already on the tailnet
|
||||
- DuckDNS domain (or any domain with API-updatable DNS)
|
||||
|
||||
### Finding VPS access when you don't remember the IP/SSH config
|
||||
|
||||
If `~/.ssh/config` has no entry and you can't remember the VPS IP, discover it from the home server via Tailscale:
|
||||
|
||||
```bash
|
||||
tailscale status
|
||||
# Look for the linux machine that is NOT your home server
|
||||
# Example output:
|
||||
# 100.86.68.23 vps-f37a7b70 mani8994@ linux active; direct 51.81.84.34:41641
|
||||
# 100.93.253.36 rayserver mani8994@ linux -
|
||||
|
||||
ssh ubuntu@100.86.68.23 # SSH via Tailscale IP (OVH uses 'ubuntu' user)
|
||||
```
|
||||
|
||||
The VPS typically has the public IP shown after `direct` in the status output. Use its Tailscale IP for SSH — no ports need to be open on the VPS firewall for SSH when using the tailnet.
|
||||
|
||||
## Step 1: Provision VPS
|
||||
|
||||
Order the cheapest instance with 4GB+ RAM. OVH VPS Starter or Contabo VPS S are ~$5/mo. Note the public IPv4 address.
|
||||
@@ -334,9 +350,16 @@ ssh ubuntu@<vps-ip> 'sudo certbot certonly --nginx --non-interactive --agree-tos
|
||||
# 3. Reload nginx on the VPS
|
||||
ssh ubuntu@<vps-ip> 'sudo systemctl reload nginx'
|
||||
|
||||
# 4. Add the new subdomain to the HOME server's nginx server_name
|
||||
# (on the home server, edit the service's nginx config)
|
||||
sudo nginx -t && sudo systemctl reload nginx
|
||||
# 4. Update the service's own config on the home server (if applicable)
|
||||
# For services behind home nginx: add the subdomain to server_name
|
||||
# For direct Docker services (Immich:2283, SparkyFitness:3004, etc.):
|
||||
# update the service's environment variables with the new public URL
|
||||
# (e.g., SPARKY_FITNESS_FRONTEND_URL, IMMICH__SERVER__EXTERNAL_ORIGIN)
|
||||
# then recreate containers: docker compose up -d
|
||||
#
|
||||
# Docker compose restart does NOT pick up .env changes — use up -d
|
||||
# so containers are recreated with fresh env vars.
|
||||
sudo nginx -t && sudo systemctl reload nginx # only if behind home nginx
|
||||
```
|
||||
|
||||
**Pitfall:** The `--expand` flag is required when adding domains to an existing cert, NOT `--force-renewal` or bare `certonly`. Without `--expand`, certbot creates a separate cert file instead of extending the existing one. The nginx `ssl_certificate` paths remain the same (certbot updates the live symlink), so no config changes needed.
|
||||
@@ -347,6 +370,25 @@ sudo nginx -t && sudo systemctl reload nginx
|
||||
|
||||
**Pitfall:** For custom domains (graj-media.com), the VPS cert is a multi-domain cert (NOT a wildcard). Each new subdomain requires an explicit certbot expand. DNS wildcard records (`*.graj-media.com`) handle routing but NOT certificate coverage — certbot must still list every subdomain in the `-d` flags.
|
||||
|
||||
**Pitfall — proxy_pass protocol: HTTP vs HTTPS in the cert expansion template:** The template above uses `proxy_pass https://...` with `proxy_ssl_verify off`, which assumes the service is behind the home server's nginx (SSL). For **direct Docker HTTP services** (SparkyFitness on :3004, Immich on :2283, Audiobookshelf on :13378), omit the SSL directives and use plain HTTP:
|
||||
|
||||
```nginx
|
||||
location / {
|
||||
proxy_pass http://100.93.253.36:<port>; # HTTP, not HTTPS
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_read_timeout 86400;
|
||||
proxy_buffering off;
|
||||
}
|
||||
```
|
||||
|
||||
The service table under Step 5 tells you which pattern applies — services marked "direct" use HTTP proxy, services marked "home nginx SSL" use HTTPS proxy. Check the service type before writing the config.
|
||||
|
||||
## Step 8: ShopProQuote LLM proxy
|
||||
|
||||
If ShopProQuote calls `/llm/` to a local Ollama on the home server, add a location block to the ShopProQuote nginx config on the VPS:
|
||||
|
||||
Reference in New Issue
Block a user