Hetzner dedicated server configuration and Traefik reverse proxy.
## Hardware
| Spec | Value |
|---|---|
| Model | Hetzner EX44 (dedicated) |
| CPU | Intel Core i5-13500 (6P + 8E cores) |
| RAM | 64 GB DDR4 |
| Storage | 2x 512 GB NVMe SSD (RAID 1) |
| Network | 1 Gbit/s uplink |
| IP | 136.243.124.138 (fixed) |
| OS | Ubuntu 22.04 LTS |
| Location | Hetzner Falkenstein, Germany |
## Traefik Reverse Proxy
Traefik handles all HTTPS routing, TLS termination, and service discovery.
Configuration method: File-based dynamic config (not Docker labels). Config files live at /var/lib/devpush/traefik/ on the server.
Why file-based: devpush's Docker socket proxy doesn't expose containers from external Compose projects, so Docker label-based discovery doesn't work for Docker Compose services.
Entrypoints:

| Name | Port | Purpose |
|---|---|---|
| web | 80 | HTTP (redirects to HTTPS) |
| websecure | 443 | HTTPS |
TLS: Let's Encrypt certificates via ACME (certResolver: le). Certificates are requested automatically when a new router is added.
## Config File Structure
Each service has its own Traefik config file:
| File | Service |
|---|---|
| authentik.yml | Authentik SSO + forward auth middleware + outpost router |
| storage.yml | MinIO console + S3 API (two routers) |
| relay.yml | Centrifugo relay |
| dashboard.yml | Grafana |
| uptime.yml | Kuvasz uptime monitoring |
| api.yml | API gateway |
devpush-managed services (stream, docs, UWD editors) get their Traefik config auto-generated by devpush.
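The following is an added example of what two of the per-service dynamic config files can look like under the file provider; it is not a copy of the server's actual files. Hostnames (`dashboard.example.com`), container names (`authentik-server`, `grafana`) and the middleware name `authentik-forward-auth` are assumptions; the entrypoint names `web`/`websecure` and the resolver `le` are the page's. The two files are shown back to back and separated by `---` only for presentation: on the server they are separate files, and the entrypoint definitions and the web-to-websecure redirect live in Traefik's static config, not here.

```yaml
# --- authentik.yml (Traefik file provider, dynamic config) ---
http:
  middlewares:
    authentik-forward-auth:            # middleware name assumed; app routers reference it
      forwardAuth:
        # Authentik embedded-outpost auth endpoint; container name is an assumption
        address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:           # identity headers passed on to the protected app
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
  routers:
    # Outpost router: catches the login/callback path on the protected host so the
    # Authentik flow can complete. The longer rule outranks the plain Host() app
    # router; add one such router (or Host list) per protected hostname.
    authentik-outpost:
      rule: "Host(`dashboard.example.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints:
        - websecure
      service: authentik
      tls:
        certResolver: le
  services:
    authentik:
      loadBalancer:
        servers:
          - url: "http://authentik-server:9000"
---
# --- dashboard.yml ---
http:
  routers:
    dashboard:
      rule: "Host(`dashboard.example.com`)"   # placeholder hostname
      entryPoints:
        - websecure                            # 443 only; port 80 redirects in static config
      service: dashboard
      middlewares:
        - authentik-forward-auth@file          # every request passes Authentik before Grafana sees it
      tls:
        certResolver: le                       # Let's Encrypt via ACME; cert requested when the router appears
  services:
    dashboard:
      loadBalancer:
        servers:
          - url: "http://grafana:3000"         # Grafana container on devpush_default; name assumed
```

Because the Grafana router carries the forward-auth middleware and listens only on `websecure`, an unauthenticated request never reaches the container; the outpost router must exist on the same host or the redirect back from Authentik has nowhere to land. Dropping a file into `/var/lib/devpush/traefik/` with a new `tls.certResolver: le` router is what triggers the automatic certificate request described above.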
## Docker Networks

| Network | Purpose | Services |
|---|---|---|
| devpush_default | Shared network for Traefik routing | All services join this |
| authentik-internal | Authentik to PostgreSQL/Redis | auth only |
| monitoring | Prometheus to exporters | dashboard stack |
| kuvasz-internal | Kuvasz to PostgreSQL | uptime only |
All services must join devpush_default to be reachable by Traefik. Internal networks isolate databases and other components that don't need external access.
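The network split above, as an added Compose example for the uptime stack; this is not the project's own `docker-compose.yml`. Image names and tags are placeholders, and `internal: true` on the database network is an added hardening choice the page does not state.

```yaml
# docker-compose.yml fragment for /opt/spacemusic/uptime/spacemusic-uptime/ (added example)
services:
  kuvasz:
    image: PLACEHOLDER_KUVASZ_IMAGE:TAG   # placeholder, not the real image reference
    networks:
      - devpush_default                   # Traefik reaches the app here (file-provider URL uses the container name)
      - kuvasz-internal                   # app reaches its own PostgreSQL here
    # No `ports:` mapping: nothing on the host's public interface, only Traefik on devpush_default.
    env_file:
      - .env                              # secrets stay out of the compose file (see Server Backups)

  postgres:
    image: postgres:16                    # placeholder tag
    networks:
      - kuvasz-internal                   # never joins devpush_default, so Traefik and other stacks cannot reach it
    env_file:
      - .env

networks:
  devpush_default:
    external: true                        # created by the devpush stack; this project only attaches to it
  kuvasz-internal:
    internal: true                        # added: no default route out, so the DB has no external connectivity
```

Two checks are worth running after `docker compose up -d`: `docker network inspect devpush_default` should list the app container but not `postgres`, and `docker inspect` on the app container should show no `HostConfig.PortBindings`, confirming that Traefik is the only path in.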
## Key Server Paths

| Path | Purpose |
|---|---|
| /opt/spacemusic/ | Root for all Docker Compose services |
| /opt/spacemusic/auth/spacemusic-auth/ | Authentik SSO |
| /opt/spacemusic/dashboard/spacemusic-dashboard/ | Grafana monitoring stack |
| /opt/spacemusic/storage/spacemusic-storage/ | MinIO object storage |
| /opt/spacemusic/relay/spacemusic-relay/ | Centrifugo relay |
| /opt/spacemusic/uptime/spacemusic-uptime/ | Kuvasz uptime |
| /opt/spacemusic/api/spacemusic-api/ | API gateway |
| /var/lib/devpush/traefik/ | Traefik dynamic config files |
| /usr/local/bin/devpush-auth-patch.sh | Authentik middleware patcher |
## SSH Deploy Keys
Each Docker Compose service has its own SSH deploy key for GitHub Actions:
| Service | Key Alias | Config File |
|---|---|---|
| Auth | github-auth | /root/.ssh/config |
| Dashboard | github-dashboard | /root/.ssh/config |
| Storage | github-storage | /root/.ssh/config |
| Relay | github-relay | /root/.ssh/config |
| Uptime | github-uptime | /root/.ssh/config |
| API | github-api | /root/.ssh/config |
Each key is an ed25519 deploy key with write access to its respective GitHub repository. GitHub Actions secrets (DEPLOY_HOST, DEPLOY_USER, DEPLOY_SSH_KEY) are configured per-repo (GitHub free plan doesn't support org-level secrets).
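How the per-repo secrets and the server-side key alias fit together, as an added GitHub Actions workflow for the uptime repo; this is not the project's actual workflow. `DEPLOY_HOST`, `DEPLOY_USER` and `DEPLOY_SSH_KEY` are the secret names from the page; `DEPLOY_KNOWN_HOSTS` is an assumed extra secret holding the server's host-key line, the `ORG` in the remote URL is a placeholder, and the `/root/.ssh/config` stanza in the comment is what the `github-uptime` alias is assumed to expand to.

```yaml
# .github/workflows/deploy.yml in the spacemusic-uptime repo (added example, not the project's own)
#
# Server side (assumed): the checkout's origin is git@github-uptime:ORG/spacemusic-uptime.git and
# /root/.ssh/config maps the alias to GitHub with that repo's deploy key:
#   Host github-uptime
#     HostName github.com
#     IdentityFile ~/.ssh/github-uptime
#     IdentitiesOnly yes
# IdentitiesOnly stops ssh from offering the other five deploy keys first, which GitHub
# would otherwise accept for the wrong repository.
name: deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # Secrets are mapped into env vars rather than expanded inside `run:` so their
      # contents are never interpolated into the shell script text.
      DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
      DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
      DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
      DEPLOY_KNOWN_HOSTS: ${{ secrets.DEPLOY_KNOWN_HOSTS }}   # assumed: "<host> ssh-ed25519 AAAA..." line
    steps:
      - name: Install the server key and pinned host key on the runner
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$DEPLOY_SSH_KEY" > ~/.ssh/deploy_key
          printf '%s\n' "$DEPLOY_KNOWN_HOSTS" > ~/.ssh/known_hosts   # pinned, no trust-on-first-use
      - name: Pull and restart the Compose stack on the server
        run: |
          ssh -i ~/.ssh/deploy_key -o IdentitiesOnly=yes -o StrictHostKeyChecking=yes \
            "$DEPLOY_USER@$DEPLOY_HOST" \
            'cd /opt/spacemusic/uptime/spacemusic-uptime && git pull --ff-only && docker compose up -d'
```

Two keys are involved and they point in opposite directions: `DEPLOY_SSH_KEY` lets the runner log in to the server, and the `github-uptime` deploy key lets the server fetch from GitHub. The `git pull` step needs only read access to the repository, so if a key is used solely for this flow it can be created without write access; `--ff-only` makes the job fail loudly rather than merge if the server checkout has drifted from `main`.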
## Server Backups
Config backups are stored in the backups/ directory of the master repo, organized by service. Secrets are redacted, and .env.example templates are provided. The /backup-server Claude Code skill automates backup collection.