Skip to content

Latest commit

 

History

History
146 lines (102 loc) · 4.1 KB

File metadata and controls

146 lines (102 loc) · 4.1 KB

Houston Server

Houston is my main public server, running on a Hetzner VPS. It serves as the central hub for authentication, monitoring, and various web applications.

Infrastructure

Instance Specifications

  • Provider: Hetzner Cloud
  • Instance Type: CX32
  • CPU: 4 Intel vCPU cores
  • RAM: 8 GB
  • Storage: 80 GB SSD
  • Bandwidth: 20TB included traffic
  • Location: Nuremberg, Germany
  • IPv4: 91.99.130.127

Services Overview

Houston provides three main categories of services:

view the services provided by Houston

Authentication Infrastructure

  • 📑 Authelia: Single Sign-On (SSO) authentication portal
  • 📑 LLDAP: Lightweight LDAP directory service for user management

Monitoring & Observability

  • 📑 Grafana: Visualization and analytics platform for metrics
  • 📑 Reaction: Alert reaction system
  • ⚙️ Telegraf: Metrics collection agent
  • 📑 Vector: Observability data pipeline
  • 📑 VictoriaMetrics: Time series database

Applications

Service Details

Authentication & SSO

All services are protected by Authelia, which provides:

  • Two-factor authentication (2FA)
  • Single Sign-On across all applications
  • Integration with LLDAP for centralized user management

Deployment Strategy

Houston uses a hybrid deployment approach:

  • NixOS Services: Most services run as native NixOS services for better integration
  • Podman Containers: Some services (DokuWiki, Linkding, LLDAP, Shaarli) run in containers because:
    • NixOS packages are non-existent or partially functional
    • Isolation from system updates
    • Easier version management

Firewall & Security Stack

Houston implements an automated defense system against attacks (port scans, brute force, exploits, etc.).

Grafana attacks dashboard

How it works:

  1. Vector: Collects and analyzes logs from SSH, nginx, and iptables. Detects suspicious patterns (failed logins, port scans, HTTP exploits, AI bots) and classifies them by risk level.

  2. Reaction: Automatically bans malicious IPs in iptables (3 attempts in 4h → 7 days ban). Supports IPv4/IPv6 with temporary bans and whitelisting.

  3. VictoriaMetrics: Stores attack metrics for visualization in Grafana (attack trends, geographic distribution, ban effectiveness).

Network diagram

Initial deployment

  1. Add new machine
just machine-add houston
  1. Get Device ID and edit machines/houston/configuration.nix and change host IP and installation disk destination disko.devices.disk.main.device (ex: /dev/disk/by-id/xxx or /dev/sda)
just machine-get-disk-id 192.168.254.137

Terraform

nix run .#terraform

Update deployment

Update host installation

clan machines update houston

Redeploy

nix run .#terraform
nix run .#terraform.terraform -- apply -replace "hcloud_server.houston"

Destroy

nix run .#terraform
nix run .#terraform.terraform -- destroy -target "hcloud_server.houston"

Update deployment

clan machines update houston