VPS: Tunnel & Docs

Hetzner Cloud server ubuntu-4gb-hel1-8. Managed at Hetzner Console.

Responsibilities

  • Dev tunnels — Reverse proxies tunnel{1,2,3}.mpltr.app to expose local dev servers via serve_app. Handles SSL termination, nginx reverse proxy, and the VPS side of the SSH tunnel over Tailscale.
  • Documentation — Serves docs.mpltr.app as a static site from /var/www/docs. Deployed via GitHub Actions on push to main.

Network

  • Public IP: 65.21.243.161
  • Tailscale IP: 100.75.34.115 (Tailnet under mpltr GitHub account)

Users

| User | Purpose |
|------|---------|
| tunnels | Dedicated account for SSH tunnels via serve_app |
| deploy | GitHub Actions deploys docs site via rsync |

Deployment

Docs site deployed via GitHub Actions on push to main. The workflow builds with mkdocs-material, connects to the server over Tailscale SSH (OIDC federation, tag:ci), and rsyncs the static output to /var/www/docs. See GitHub Actions Deploy via Tailscale SSH.

Services

Nginx

Reverse proxies tunnel{1,2,3}.mpltr.app to localhost ports for serve_app. Serves docs.mpltr.app as static files from /var/www/docs. HTTP requests are redirected to HTTPS. SSL terminated with Let's Encrypt certificates managed by Certbot.

| Path | Purpose |
|------|---------|
| /etc/nginx/sites-available/tunnels.conf | Reverse proxy config for tunnel{1,2,3}.mpltr.app |
| /etc/nginx/sites-available/docs.mpltr.app | Static site config for docs.mpltr.app |
| /etc/nginx/sites-enabled/ | Symlinks to active configs |
| /etc/letsencrypt/live/ | SSL certificates per domain |

Tailscale

Tagged as tag:server on the Tailnet under the mpltr GitHub account.

  • Tailscale SSH — Enabled (tailscale set --ssh). All SSH access to this server goes through Tailscale, not the public IP. ACLs control who can connect and as which user.
  • Dev tunnels — serve_app opens reverse SSH tunnels from local machines to this server via the Tailscale IP (100.75.34.115). The tunnels user accepts these connections.
  • CI/CD deploy — GitHub Actions joins the Tailnet as an ephemeral tag:ci node via OIDC federation and rsyncs to this server as the deploy user. See GitHub Actions Deploy via Tailscale SSH.
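
An added example, not part of this server's configuration: a small Python audit of a tailnet policy's `ssh` section that checks the rule described above, that `tag:ci` can only log in to `tag:server` as `deploy` and dev machines only as `tunnels`. The sample policy is constructed, and `autogroup:member` as the source for dev machines is an assumption.

```python
import json

# Constructed policy fragment (assumption): it mirrors the tags and users named
# on this page, not the real tailnet policy. Real policy files are HuJSON;
# plain JSON is used here so the standard library can parse it.
SAMPLE_POLICY = json.loads("""
{
  "ssh": [
    {"action": "accept", "src": ["tag:ci"],
     "dst": ["tag:server"], "users": ["deploy"]},
    {"action": "accept", "src": ["autogroup:member"],
     "dst": ["tag:server"], "users": ["tunnels"]}
  ]
}
""")

# Expected mapping taken from the page: which source may log in as which user.
# "autogroup:member" standing in for developer machines is an assumption.
ALLOWED = {"tag:ci": {"deploy"}, "autogroup:member": {"tunnels"}}


def audit_ssh_rules(policy, dst_tag="tag:server", allowed=ALLOWED):
    """Return findings for SSH rules that name dst_tag as a destination."""
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        if dst_tag not in rule.get("dst", []):
            continue  # rule targets other nodes, out of scope here
        users = set(rule.get("users", []))
        for src in rule.get("src", []):
            permitted = allowed.get(src)
            if permitted is None:
                findings.append(f"rule {i}: unexpected source {src}")
            elif users - permitted:
                # Catches root, autogroup:nonroot, or any extra account.
                extra = ", ".join(sorted(users - permitted))
                findings.append(f"rule {i}: {src} may log in as {extra}")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_rules(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

The check only matches rules that list the tag literally in `dst`, so it is a drift check for this one server tag rather than a full policy evaluator.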