2.8 KiB
2.8 KiB
Server: mercury
Last verified: 2026-06-04
Access
| Hostname | mercury |
| Domain | mercury.kennethreitz.org |
| IP | 5.161.122.181 (Hetzner) |
| SSH | ssh root@mercury.kennethreitz.org (key auth) |
| Dokploy UI | https://mercury.kennethreitz.org |
Specs
| OS | Ubuntu 26.04 LTS |
| Kernel | 7.0.0-15-generic |
| Server type | Hetzner Cloud CPX31 (id 136742397, dc ash-dc1) |
| CPU | 4 vCPU |
| RAM | 7.6 GiB |
| Disk | 150 GB (/dev/sda1) |
| Volume | mercury-objects (id 105925944), 250 GB ext4 at /mnt/objects (fstab, nofail) — MinIO data |
Stack
Docker 29.5.3 running in single-node Swarm mode (node mercury, manager/leader).
Core services (Dokploy platform)
| Service | Image | Notes |
|---|---|---|
dokploy |
dokploy/dokploy:v0.29.7 |
Swarm service, port 3000 |
dokploy-postgres |
postgres:16 |
Swarm service, Dokploy's own DB |
dokploy-redis |
redis:7 |
Swarm service |
dokploy-traefik |
traefik:v3.6.7 |
Plain container; ports 80/443 (+443/udp for HTTP/3), 8080 |
Traefik terminates TLS for mercury.kennethreitz.org and proxies to the Dokploy UI.
Deployed applications
See inventory.md. Currently:
- httpbin — https://httpbin.kennethreitz.org (
kennethreitz/httpbin) - poemsbysarah — https://poemsbysarah.com (built from
kennethreitz/sarah-poems) - kjvstudy — https://kjvstudy.org (built from
kennethreitz/kjvstudy.org) - kennethreitz.org — https://kennethreitz.org (built from
kennethreitz/kennethreitz.org) - interpretations — https://interpretations.kennethreitz.org (built from
kennethreitz/interpretations) - photos — https://photos.kennethreitz.org (compose: web + celery worker + postgres17 db, from
kennethreitz/photos.kennethreitz.org)
TLS / ACME
Traefik's letsencrypt resolver uses the HTTP-01 challenge. All certs issued.
Lessons from the 2026-06-05 Fly migration (cost ~1.5h of cert warnings):
- While DNS still pointed at Fly, every validation failed; 5 failed authorizations/hour/domain trips Let's Encrypt's rate limiter, and each retry during the stale window extends it — when this happens, stop retrying and wait out the window (exact expiry is in the 429 in Traefik logs).
- After a rate-limit stall, Traefik does not retry on its own — restart the
dokploy-traefikcontainer to trigger fresh orders. - A DNS-01 attempt via DNSimple failed because lego requires an account
token (
dnsimple_a_…); user tokens (dnsimple_u_…) are rejected with "user tokens are not supported". With an account token, DNS-01 (set viasettings.updateTraefikConfig+settings.writeTraefikEnvwithDNSIMPLE_OAUTH_TOKEN) is immune to stale-DNS validation failures and enables wildcard certs.