Claude Based Knowledge: Server Infrastructure
Complete technical documentation of the DevBox NSA server.
Server Specifications
| Property | Value |
|---|---|
| Hostname | vmd181486 |
| OS | Ubuntu 24.04 LTS (Kernel 6.8.0-71-generic) |
| CPU | 6 cores |
| RAM | 11 GB |
| IPv4 | 207.180.207.183 |
| IPv6 | 2a02:c207:3018:1486::1 |
| Domain | devboxnsa.org |
| DNS | Cloudflare |
| User | nsa (UID 1000) |
Subdomains & Routing
All subdomains are terminated by Nginx acting as a reverse proxy; TLS certificates are issued by Let's Encrypt (Certbot).
| Subdomain | Upstream | Service | SSL certificate |
|---|---|---|---|
| jobs.devboxnsa.org | 127.0.0.1:3000 | Job Tracker Frontend | jobs.devboxnsa.org-0001 |
| git.devboxnsa.org | 127.0.0.1:3003 | Forgejo | git.devboxnsa.org |
| n8n.devboxnsa.org | 127.0.0.1:5678 | n8n | n8n.devboxnsa.org |
| rss.devboxnsa.org | 127.0.0.1:8080 | Miniflux | rss.devboxnsa.org |
| status.devboxnsa.org | 127.0.0.1:3001 | Uptime Kuma | status.devboxnsa.org |
| intel.devboxnsa.org | 127.0.0.1:3002 | Intel Platform | intel.devboxnsa.org |
| vault.devboxnsa.org | 127.0.0.1:3013 | Vaultwarden | vault.devboxnsa.org |
| wiki.devboxnsa.org | 127.0.0.1:6875 | BookStack | wiki.devboxnsa.org |
| vinyl.devboxnsa.org | 127.0.0.1:3012 | Outline | vinyl.devboxnsa.org |
| auth.devboxnsa.org | 127.0.0.1:9000 | Authentik | auth.devboxnsa.org |
| vpn.devboxnsa.org | 127.0.0.1:8085 | Headscale | vpn.devboxnsa.org |
| docs.devboxnsa.org | 127.0.0.1:6875 | BookStack | docs.devboxnsa.org |
| kb.devboxnsa.org | 127.0.0.1:8090 | MkDocs Material | kb.devboxnsa.org |
Docker Containers
Job Tracker Stack (~/projects/job-tracker/docker-compose.yml)
| Container | Image | Port | Network | Function |
|---|---|---|---|---|
| jobtracker-frontend | job-tracker-frontend | 3000 | host | Next.js 16 frontend |
| jobtracker-app | job-tracker-tracker | 3005 | host | Express API + Puppeteer |
| jobtracker-db | postgres:16-alpine | 5432 | bridge | PostgreSQL database |
| jobtracker-n8n | n8nio/n8n:latest | 5678 | bridge | Workflow automation |
Intel Platform Stack (~/projects/intel-platform/docker-compose.yml)
| Container | Image | Port | Function |
|---|---|---|---|
| intel-platform-frontend-1 | intel-platform-frontend | 3002 | Next.js frontend |
| intel-platform-backend-1 | intel-platform-backend | 8002 | FastAPI backend |
| intel-platform-postgres-1 | postgis/postgis:16-3.4 | 5433 | PostGIS database |
| intel-platform-redis-1 | redis:7-alpine | — | Cache |
| intel-platform-libretranslate-1 | libretranslate/libretranslate | — | Translation |
Standalone Services
| Container | Image | Port | Function |
|---|---|---|---|
| forgejo | codeberg.org/forgejo/forgejo:9 | 3003 + SSH:2222 | Git hosting |
| miniflux | miniflux/miniflux:latest | 8080 | RSS reader |
| miniflux-db | postgres:15-alpine | — | Miniflux DB |
| uptime-kuma | louislam/uptime-kuma:1 | 3001 (host) | Monitoring |
| vaultwarden | vaultwarden/server:latest | 3013 | Password manager |
| bookstack | linuxserver/bookstack:latest | 6875 | Wiki |
| bookstack-db | linuxserver/mariadb:latest | — | BookStack DB |
| outline-app | outlinewiki/outline:latest | 3012 | Wiki |
| outline-db | postgres:16 | — | Outline DB |
| outline-minio | minio/minio:latest | 9002 | S3 storage |
| outline-redis | redis:7 | — | Outline cache |
| silverbullet | zefhemel/silverbullet:latest | 3010 | PKM |
| authentik-server | goauthentik/server:latest | 9000 | SSO/Auth |
| authentik-worker | goauthentik/server:latest | — | Background worker |
| authentik-db | postgres:16 | — | Authentik DB |
| authentik-redis | redis:7 | — | Authentik cache |
| headscale | headscale/headscale:latest | 8085/9090 | VPN coordinator |
| portainer | portainer/portainer-ce:latest | 9443 | Container management |
| mkdocs | squidfunk/mkdocs-material | 8090 | This documentation |
Total: ~27 containers
systemd Services
Besides Docker, the following relevant systemd services are running:
| Service | Function |
|---|---|
| nginx | Reverse proxy, SSL termination |
| docker | Container runtime |
| ssh | Remote access |
| tailscaled | Tailscale VPN agent |
| fail2ban | Brute-force protection |
| containerd | Container runtime (low-level) |
| cron | Scheduled tasks |
| systemd-resolved | DNS |
| systemd-timesyncd | NTP |
| unattended-upgrades | Automatic security updates |
Databases
| Database | Engine | Container | Port | Used by |
|---|---|---|---|---|
| jobtracker | PostgreSQL 16 | jobtracker-db | 5432 | Job Tracker frontend + backend |
| intel-platform | PostGIS 16 | intel-platform-postgres-1 | 5433 | Intel Platform |
| miniflux | PostgreSQL 15 | miniflux-db | — | Miniflux |
| outline | PostgreSQL 16 | outline-db | — | Outline wiki |
| authentik | PostgreSQL 16 | authentik-db | — | Authentik SSO |
| bookstack | MariaDB | bookstack-db | — | BookStack wiki |
Directory Structure
```
/home/nsa/
├── projects/
│   ├── job-tracker/          # Mono-repo (Git: nsa/job-tracker-mono)
│   │   ├── frontend/         # Next.js 16 (submodule: nsa/job-tracker)
│   │   ├── tracker/          # Express API + Puppeteer
│   │   ├── docker-compose.yml
│   │   └── .env
│   ├── intel-platform/       # OSINT platform (Git: nsa-lg/intel-platform)
│   │   ├── frontend/         # Next.js
│   │   ├── backend/          # FastAPI
│   │   └── docker-compose.yml
│   ├── dotfiles/             # Shell configs
│   │   ├── server/
│   │   └── laptop/
│   ├── uptime-kuma/          # Kuma data + docker-compose
│   └── MASTER-DESIGN.md      # Design system (Catppuccin Mocha + Tokyo Night)
├── mkdocs/                   # This documentation
│   ├── docs/
│   ├── mkdocs.yml
│   └── docker-compose.yml
├── bin/                      # Own scripts (job.sh, cmd.sh, devbox-session.sh)
└── archive/2026-02-06/       # 11 archived projects
```
Git Repositories (Forgejo)
| Repo | Visibility | Description |
|---|---|---|
| nsa/job-tracker | Private | Frontend submodule (Next.js) |
| nsa/job-tracker-mono | Private | Parent repo (frontend + tracker + Docker) |
| nsa/devbox-docs | Private | Infrastructure documentation |
| nsa-lg/intel-platform | Public | OSINT intelligence platform |
Forgejo API: http://localhost:3003/api/v1
Forgejo SSH: ssh://git@localhost:2222/
Security
- SSL: all subdomains via Let's Encrypt (auto-renewed by Certbot)
- Binding: all services bind to 127.0.0.1 (except SSH, Nginx, Portainer)
- Fail2Ban: active for SSH
- VPN: Headscale + Tailscale for secure remote access
- Auth: Authentik as the central identity provider
- Passwords: Vaultwarden (Bitwarden-compatible)
- Firewall: only ports 22, 80, 443, 2222, 9443 are public
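The binding and firewall rules above are a policy, and policies drift (a `ports:` entry in a compose file without a `127.0.0.1:` prefix is enough to expose a database through docker-proxy). The following POSIX shell script is an added example, not part of the original documentation or the server's own scripts: it reads `ss -tlnH` output and reports every listener that is bound to a wildcard or non-loopback address but is not on the public-port allowlist. The allowlist is taken from the firewall line above; the `ss` sample lines are constructed for the demo and are not captured from this host.

```shell
#!/bin/sh
# Added example: audit listening sockets against the documented binding policy.
# Anything bound to a wildcard or non-loopback address is reachable from outside
# the host and must therefore be on the public-port allowlist.
#
# Input is the format of `ss -tlnH` (one line per socket, no header):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Fields are whitespace separated, so the local socket is field 4.

PUBLIC_PORTS="22 80 443 2222 9443"   # from the firewall rule in the Security section

# audit_listeners: reads ss-style lines on stdin and prints "ADDR PORT" for
# every externally reachable listener whose port is not on the allowlist.
# Exit status is 1 if at least one violation was found, 0 otherwise.
audit_listeners() {
  awk -v allow="$PUBLIC_PORTS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      sock = $4
      port = sock; sub(/.*:/, "", port)        # text after the last colon
      addr = sock; sub(/:[0-9]+$/, "", addr)   # text before it
      gsub(/[][]/, "", addr)                   # strip IPv6 brackets
      # loopback-only listeners comply with the policy on any port
      if (addr == "127.0.0.1" || addr == "::1") next
      if (!(port in ok)) { bad++; print addr, port }
    }
    END { exit (bad > 0) }'
}

# Constructed sample (not captured from the server): the allowed public ports,
# a few loopback-only services, and two deliberate violations: a PostgreSQL
# port published on 0.0.0.0 and a Node.js API listening on the IPv6 wildcard.
SAMPLE_SS='LISTEN 0 511  0.0.0.0:80        0.0.0.0:*
LISTEN 0 511  0.0.0.0:443       0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2222      0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9443      0.0.0.0:*
LISTEN 0 4096 127.0.0.1:3000    0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080    0.0.0.0:*
LISTEN 0 4096 [::1]:6875        [::]:*
LISTEN 0 4096 0.0.0.0:5432      0.0.0.0:*
LISTEN 0 4096 [::]:3005         [::]:*'

# run_sample: audit the constructed sample; returns the awk exit status
run_sample() {
  printf '%s\n' "$SAMPLE_SS" | audit_listeners
}

# Stand-alone demo. On the real host use:  ss -tlnH | audit_listeners
if run_sample; then
  echo "binding policy OK"
else
  echo "binding policy violations found (see lines above)"
fi
```

Two caveats when reading the result on a Docker host. First, a port that Docker publishes shows up as a `0.0.0.0` listener owned by docker-proxy, so a compose entry like `"5432:5432"` is a finding while `"127.0.0.1:5432:5432"` is not. Second, Docker manages its own iptables chains, so a published port can be reachable even when a host firewall such as ufw lists it as closed; the socket audit is therefore a better source of truth for "what is actually exposed" than the firewall rule set alone.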
Claude Context
This section serves as prompt context for Claude in new chat sessions.
Quick Reference for Claude
Server: Ubuntu 24.04, 6 cores, 11 GB RAM
User: nsa, home: /home/nsa
Domain: devboxnsa.org (Cloudflare DNS)
Docker: ~27 containers, managed via several docker-compose.yml files
Nginx: reverse proxy for all subdomains to 127.0.0.1:PORT
SSL: Let's Encrypt via Certbot
Important paths:
- Job Tracker: ~/projects/job-tracker/ (docker-compose)
- Intel Platform: ~/projects/intel-platform/ (docker-compose)
- Nginx configs: /etc/nginx/sites-available/*.devboxnsa.org
- SSL certs: /etc/letsencrypt/live/*.devboxnsa.org/
- Design system: ~/projects/MASTER-DESIGN.md
- Memory files: ~/.claude/projects/*/memory/
Forgejo API: http://localhost:3003/api/v1
Token: in ~/.claude/projects/*/memory/forgejo.md
Known pitfalls:
- sudo requires a password (not usable from Claude Code without the user present)
- The Forgejo SSH host key changes on every Docker restart
- Uptime Kuma requires network_mode: host
- Miniflux binds only to 127.0.0.1
- Node.js prefers IPv6 → always use 127.0.0.1 instead of localhost
- NEVER run docker volume prune (PostgreSQL data!)