# Helsinki / Nuremberg

These are my Hetzner Cloud servers — the public-facing edge of the infrastructure.

## Servers

### helsinki-a

Primary public-facing server. Runs Ubuntu/Debian on Hetzner Cloud. Tailscale IP: 100.67.6.27. Uptime: 182+ days. Disk at ~50%.

This is the traffic gateway for everything exposed to the internet. All public subdomains terminate here via Caddy, which proxies traffic back to the appropriate server over Tailscale.

Runs:

- Caddy (reverse proxy — see [principles/caddy](../principles/caddy))
- Authelia (SSO — see [workloads/authelia](../workloads/authelia))
- Bitwarden (self-hosted — see [workloads/bitwarden](../workloads/bitwarden))
- LDAP (user directory, used by Authelia)

### nuremberg-a

Dedicated mail server. Runs Debian on Hetzner Cloud. Tailscale IP: 100.117.235.28. Disk at ~25%.

Runs:

- poste.io (full mail stack in Docker)

Handles inbound and outbound mail for pez.sh. DNS records (MX, SPF, DKIM, DMARC) managed via Cloudflare.

## Public Services

All subdomains are DNS-proxied through Cloudflare and terminate at helsinki-a. Traffic is forwarded over Tailscale to the appropriate backend server.

| Subdomain | Backend | Auth |
|---|---|---|
| auth.pez.sh | helsinki-a:9091 | — |
| bitwarden.pez.sh | helsinki-a:8443 | — |
| status.pez.sh | helsinki-a:/srv/status | — |
| apps.pez.sh | helsinki-a:/srv/apps | Authelia |
| grafana.pez.sh | london-a:3000 | Authelia |
| prometheus.pez.sh | london-a:9090 | Authelia |
| jellyfin.pez.sh | london-b:8096 | — |
| plex.pez.sh | london-b:32400 | — |
| request.pez.sh | london-b:5055 | — |
| cloud.pez.sh | london-b:11000 | — |
| music.pez.sh | london-b:4533 | — |
| radarr.pez.sh | london-b:7878 | Authelia |
| sonarr.pez.sh | london-b:8989 | Authelia |
| lidarr.pez.sh | london-b:8686 | Authelia |
| readarr.pez.sh | london-b:8787 | Authelia |
| prowlarr.pez.sh | london-b:9696 | Authelia |
| soulseek.pez.sh | london-b:5030 | Authelia |
| download.pez.sh | london-b:9091 | Authelia |
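
A drift check between the Public Services table and the Caddy configuration, added here as an example and not taken from the author's setup: it flags hosts whose documented Auth column disagrees with the presence of a `forward_auth` directive in the matching site block. The Caddyfile contents, the Authelia address `127.0.0.1:9091` and endpoint path, and the function names are assumptions, and the table rows are a constructed subset.

```python
# Constructed rows in the format of the Public Services table.
DOC_TABLE = """\
| Subdomain | Backend | Auth |
|---|---|---|
| grafana.pez.sh | london-a:3000 | Authelia |
| radarr.pez.sh | london-b:7878 | Authelia |
| jellyfin.pez.sh | london-b:8096 | — |
"""
# Constructed Caddyfile, not the real config: radarr lacks forward_auth, jellyfin has no block.
CADDYFILE = """\
grafana.pez.sh {
    forward_auth 127.0.0.1:9091 {
        uri /api/authz/forward-auth
    }
    reverse_proxy london-a:3000
}
radarr.pez.sh {
    reverse_proxy london-b:7878
}
"""

def documented_auth(table):
    # subdomain -> True when the Auth column says Authelia
    rows = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 3 and "." in cells[0]:
            rows[cells[0]] = cells[2].lower() == "authelia"
    return rows

def configured_auth(caddyfile):
    # site address -> True when its block holds forward_auth (simplified: one address per block)
    sites, current, depth = {}, None, 0
    for raw in caddyfile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if depth == 0 and line.endswith("{") and len(line) > 1:
            current = line[:-1].strip()
            sites[current] = False
        elif depth > 0 and current and line.startswith("forward_auth"):
            sites[current] = True
        depth += line.count("{") - line.count("}")
    return sites

def drift(table, caddyfile):
    # (host, documented_gated, configured_gated); None means no site block found
    doc, cfg = documented_auth(table), configured_auth(caddyfile)
    return [(h, g, cfg.get(h)) for h, g in sorted(doc.items()) if cfg.get(h) != g]

if __name__ == "__main__":
    print(drift(DOC_TABLE, CADDYFILE))
```

A `forward_auth` nested in a path-scoped block still counts as gated here, so a host that passes this check can still have ungated paths.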