I've just finished up a massive rework of how my server infra is set up!!! I'm so tired, but also invigorated? It feels great to solve problems that would have stumped me a year ago, and this latest project is a culmination of a lot of growth over a long period of time.
Converting the adhoc Docker containers that I had set up, gotten to barely work, and was too scared to touch, into proper Docker Compose .yml files. The big advantage here is that I finally have a way to self-document how containers are structured and are linked together, as well as taking advantage of Docker's internal networking. For example, before I'd have to expose Prometheus to the public so that my public instance of Grafana could make pull data from it. Of course, neither of those things should be public in the first place.
And a special shoutout to fully containerizing my observability (o11y) stack. It was barely working and very fragile with the prior setup. Now it's in a Git repo and fully internally networked together.
I've gotten tailscale containers that are networked into each of the application stacks described in the Compose .yml files, and handles generating a unique internal URL for each of the services. Tailscale is an incredibly smart wrapper around Wireguard VPN, and does some magic to create an internal mesh network and a DNS server that automatically generates entries for members of the internal network.
A caveat however, is that when serving data into the internal network, each host can only serve one application, which is why each application stack needs it's own container that handles running the tailscale instance. Something fun is that I've been able to continue my tradition of naming servers after characters from Jojo's Bizarre Adventures, with names like Jolyne, Giorno, Jodio, and Gappy.
The third big upgrade (that's a direct consequence of the second upgrade) is that I now have a proper internal network! Before I'd have services like Jenkins and Grafana exposed to the wider internet- simply because I didn't know how to allow only myself to access these resources (beyond manually whitelisting my IP (which changes cuz of DHCP)). Now only machines on my tailnet (the mesh network tailscale generates) can access these resources.
I have an internal instance of vaultwarden running. Now my phone and my laptop are using the same password manager, and I can better deal with the hundreds of workday accounts clogging up my password autosuggests.
No more solving the same problem twice, or racking my brains for how I set up a service. Now I have an internal instance of a documentation server with Bookstack. Whenever I solve a problem or set anything up, I force myself to create an entry into the documentation server for it. This also includes pitfalls, tooling oddities, discoveries, and notes for next steps on any given project. It also has a list of some of my active hosts serving apps in my network, such as:
Now that everything is streamlined, I can't wait to dive even deeper into automation and monitoring- and know that I'm not going to break anything in the process.