pez-infra/docs/hosts/nuremberg-a.md
Rasmus Wejlgaard 361133ec7e docs: catch up with the Cloudflare to Hetzner DNS move, fix secrets/terraform drift
The docs still described Cloudflare as DNS + CDN in front of helsinki-a,
but that was dropped in #90 - pez.sh lives on Hetzner DNS via Terraform
now and records point straight at the origin. Updated README,
architecture, networking, getting-started and the nuremberg-a host doc
to match, and noted that pez.solutions still resolves via Cloudflare
outside Terraform.

Also fixed while I was in there:
- terraform/README: PagerDuty provider is ~> 3.32 (table said ~> 2.2),
  and the B2 secret keys are backblaze_keyID/backblaze_applicationKey
- secrets docs: group_vars secrets file is .enc.yaml, dropped the
  FreeBSD install steps, the long-gone .sops.yaml placeholder note and
  the ANSIBLE_VAULT_PASS migration note, swapped the cloudflare_record
  example for hcloud
- getting-started referenced ansible/scripts/sops-setup.sh which
  doesn't exist
- added naveen.pez.sh to the subdomain tables and a note about the
  DNS-only records (mail, minecraft, wow, public)
2026-06-10 19:35:53 +01:00


nuremberg-a

Dedicated mail server. One job, does it well.

Overview

| | |
|---|---|
| Location | Hetzner Cloud (Nuremberg) |
| OS | Debian 13 (Trixie) |
| Tailscale IP | 100.70.180.24 |
| Role | Mail server (poste.io) |
| Provider | Hetzner Cloud VPS |

Services

| Service | Ports | Deployment |
|---|---|---|
| poste.io | 25, 80, 110, 143, 443, 465, 587, 993, 995 | Docker |

poste.io is a batteries-included mail server that bundles postfix, dovecot, rspamd, and webmail into a single Docker container. No juggling separate containers for each mail component.

The compose definition lives at ansible/services/poste-io/docker-compose.yml and is deployed via the docker_services Ansible role (see ansible/inventory/host_vars/nuremberg-a.yml).

Why a separate server

Mail lives on its own VPS to isolate its IP reputation. If the IP gets flagged for any reason, it doesn't affect the rest of the infrastructure. And if something else gets flagged, it doesn't affect mail deliverability.

DNS

Mail-related DNS records are managed in Hetzner DNS (Terraform, terraform/hetzner/dns.tf):

  • MX record for inbound mail routing
  • SPF for sender verification
  • DKIM for message signing
  • DMARC for policy enforcement
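A quick way to verify that the records Terraform pushed actually give the mail host the posture the list above describes, as an added example that is not part of pez-infra: it checks the MX target, that the apex SPF record ends in an enforcing `-all`/`~all` and stays within the RFC 7208 lookup budget, and that the `_dmarc` record sets an enforcing policy with a report address. The zone data is constructed inline (hypothetical `example.test` names, not the real pez.sh zone); replace it with `dig +short` output to audit the live records.

```python
import re

# Constructed sample records for a hypothetical zone; not the real pez.sh zone.
SAMPLE_ZONE = {
    "mx": ["10 mail.example.test."],
    "txt": ['"v=spf1 mx -all"', '"some-site-verification=abc123"'],
    "dmarc": ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.test"'],
}
# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt_records):
    """Apex TXT: exactly one SPF record, a strict tail, and within the lookup budget."""
    spf = [r.strip('"') for r in txt_records if r.strip('"').lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    findings, terms = [], spf[0].split()
    if terms[-1].lower() not in ("-all", "~all"):
        findings.append(f"SPF should end with -all or ~all, got {terms[-1]!r}")
    lookups = 0
    for term in terms[1:]:
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups, RFC 7208 allows 10")
    return findings

def check_dmarc(txt_records):
    """_dmarc TXT: exactly one record, an enforcing policy, and a report address."""
    recs = [r.strip('"') for r in txt_records if r.strip('"').upper().startswith("V=DMARC1")]
    if len(recs) != 1:
        return [f"expected exactly one v=DMARC1 record, found {len(recs)}"]
    tags = dict(p.strip().split("=", 1) for p in recs[0].split(";") if "=" in p)
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC policy p={tags.get('p')!r} does not enforce (want quarantine or reject)")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never delivered")
    return findings

def check_mx(mx_records, expected_host):
    """MX: the expected mail host must be one of the targets."""
    targets = [r.split()[1].rstrip(".").lower() for r in mx_records]
    return [] if expected_host.lower() in targets else [f"MX does not point at {expected_host}: {targets}"]

def audit(zone, mail_host):
    """Run every check; an empty list per record type means it passed."""
    return {"mx": check_mx(zone["mx"], mail_host), "spf": check_spf(zone["txt"]),
            "dmarc": check_dmarc(zone["dmarc"])}
```

Call `audit(SAMPLE_ZONE, "mail.example.test")`; every value in the returned dict is empty when the zone passes, and any non-empty list is the finding to fix in dns.tf.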

Firewall

Managed by Hetzner Cloud firewall rules (Terraform, terraform/hetzner/firewall.tf). Mail ports are exposed via Docker port mappings in ansible/services/poste-io/docker-compose.yml.