Files

T

kennethreitz 9881906717 CPX41 upgrade; stash redeployed behind basicAuth

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-05 03:56:09 -04:00

Server: mercury

Last verified: 2026-06-04

Access


Hostname	`mercury`
Domain	`mercury.kennethreitz.org`
IP	`5.161.122.181` (Hetzner)
SSH	`ssh root@mercury.kennethreitz.org` (key auth)
Dokploy UI	https://mercury.kennethreitz.org


OS	Ubuntu 26.04 LTS
Kernel	7.0.0-15-generic
Server type	Hetzner Cloud CPX41 (upgraded from CPX31 2026-06-05; 8 vCPU, 15.6 GiB; root disk kept at 150 GB for downgrade flexibility) (id `136742397`, dc `ash-dc1`)
CPU	8 vCPU
RAM	15.6 GiB
Disk	150 GB (`/dev/sda1`)
Volume	`mercury-objects` (id `105925944`), 750 GB ext4 at `/mnt/objects` (fstab, nofail) — MinIO data
Swap	4 GB swapfile (`/swapfile`, swappiness 10) — added 2026-06-05 after Immich's arrival OOM-killed the Dokploy service (exit 137 loop → bad gateway). Immich server/ML now carry 2g/1.5g mem_limits.
Firewall	Hetzner Cloud Firewall `mercury-web` (id `11085164`): inbound 22/80/443tcp+udp/2222 + ICMP only. Blocks the otherwise-public Dokploy :3000 and Traefik dashboard :8080 (api.insecure). Manage via Hetzner API.

Docker 29.5.3 running in single-node Swarm mode (node mercury, manager/leader).

Service	Image	Notes
`dokploy`	`dokploy/dokploy:v0.29.7`	Swarm service, port 3000
`dokploy-postgres`	`postgres:16`	Swarm service, Dokploy's own DB
`dokploy-redis`	`redis:7`	Swarm service
`dokploy-traefik`	`traefik:v3.6.7`	Plain container; ports 80/443 (+443/udp for HTTP/3), 8080

Traefik terminates TLS for mercury.kennethreitz.org and proxies to the Dokploy UI.

See inventory.md. Currently:

httpbin — https://httpbin.kennethreitz.org (kennethreitz/httpbin)
poemsbysarah — https://poemsbysarah.com (built from kennethreitz/sarah-poems)
kjvstudy — https://kjvstudy.org (built from kennethreitz/kjvstudy.org)
kennethreitz.org — https://kennethreitz.org (built from kennethreitz/kennethreitz.org)
interpretations — https://interpretations.kennethreitz.org (built from kennethreitz/interpretations)
photos — https://photos.kennethreitz.org (compose: web + celery worker + postgres17 db, from kennethreitz/photos.kennethreitz.org)

Traefik's letsencrypt resolver uses the HTTP-01 challenge. All certs issued.

Lessons from the 2026-06-05 Fly migration (cost ~1.5h of cert warnings):

While DNS still pointed at Fly, every validation failed; 5 failed authorizations/hour/domain trips Let's Encrypt's rate limiter, and each retry during the stale window extends it — when this happens, stop retrying and wait out the window (exact expiry is in the 429 in Traefik logs).
After a rate-limit stall, Traefik does not retry on its own — restart the dokploy-traefik container to trigger fresh orders.
A DNS-01 attempt via DNSimple failed because lego requires an account token (dnsimple_a_…); user tokens (dnsimple_u_…) are rejected with "user tokens are not supported". With an account token, DNS-01 (set via settings.updateTraefikConfig + settings.writeTraefikEnv with DNSIMPLE_OAUTH_TOKEN) is immune to stale-DNS validation failures and enables wildcard certs.