Infrastructure dashboard — requires WireGuard for internal links
Secrets & KV store. Stores TLS certificates at certificates/data/data/<domain>. AppRole auth enabled for Traefik.
Docker container management UI. Portainer agent deployed globally across all swarm nodes on port 9001.
VPN only
Joxit registry UI fronting the private Docker registry on port 5000. Browse images, tags, and digests. Delete images enabled.
VPN only
Live view of Traefik routers, services, middlewares, and TLS config. Any node works: :11, :12, or :13.
Runs as a global service on every swarm node. Terminates TLS using certificates rendered from Vault. HTTP → HTTPS redirect enabled. Uses file provider watching /certs/tls.yml.
Runs as a global service alongside Traefik. Authenticates via AppRole (traefik role), lists certificates/metadata/data/, writes .crt / .key pairs and tls.yml to the shared cert-shared-vol every 5 minutes.
WireGuard VPN gateway, NAT router, and Docker host for Vault, Portainer & Registry. Serves internal DNS for yolohodl.internal via Technitium DNS Server.
Internal DNS server for yolohodl.internal. Authoritative for all internal hosts, forwards public queries to 1.1.1.1. Admin password in /root/.technitium_admin_pass.
Hetzner LB — TCP passthrough to swarm nodes on ports 80 & 443.
Public
Docker Swarm manager node. Runs Traefik, Vault Agent, Portainer Agent.
VPN only
Docker Swarm manager node. Runs Traefik, Vault Agent, Portainer Agent.
VPN only
Docker Swarm manager node. Runs Traefik, Vault Agent, Portainer Agent.
VPN only
Standalone MongoDB instance. Port 27017, private network only.
VPN only
Standalone PostgreSQL instance. Port 5432, private network only. Auth: scram-sha-256.
VPN only