Network Architecture¶

🌐 Network Diagram¶

                              INTERNET
                                 │
                                 │
            ┌────────────────────┴────────────────────┐
            │                                          │
            ▼                                          ▼
    ┌───────────────┐                        ┌───────────────┐
    │  Cloudflare   │                        │  Cloudflare   │
    │  (kua.cl)     │                        │  (Proxy)      │
    └───────┬───────┘                        └───────┬───────┘
            │                                        │
            │ HTTPS                                  │ HTTPS
            │                                        │
    ┌───────▼───────┐                        ┌───────▼───────┐
    │    KIMSUFI    │                        │   HETZNER     │
    │   Caddy:443   │                        │   Caddy:443   │
    │               │                        │               │
    │  144.217.76.53│                        │46.224.146.107 │
    └───────────────┘                        └───────────────┘
            │                                        │
            │         ┌──────────────┐               │
            │         │  TAILSCALE   │               │
            └────────►│   100.x.x.x  │◄──────────────┘
                      │   (WireGuard)│
                      └──────────────┘
                             │
                    ┌────────┴────────┐
                    │                 │
            ┌───────▼───┐       ┌─────▼─────┐
            │  Mac/PC   │       │  iPhone   │
            │100.x.x.x  │       │ Apple TV  │
            └───────────┘       └───────────┘

🔌 Port Configuration¶

Kimsufi Server¶

Port	Service	Binding	Accessible From
22	SSH	0.0.0.0	Anywhere (key only)
80	Caddy HTTP	0.0.0.0	Public
443	Caddy HTTPS	0.0.0.0	Public
32400	Plex	0.0.0.0	Public
7878	Radarr	127.0.0.1	Via Caddy only
8989	Sonarr	127.0.0.1	Via Caddy only
8686	Lidarr	127.0.0.1	Via Caddy only
5055	Overseerr	127.0.0.1	Via Caddy only

Hetzner VPS¶

Port	Service	Binding	Accessible From
22	SSH	0.0.0.0	Anywhere (key only)
80	Caddy HTTP	0.0.0.0	Public
443	Caddy HTTPS	0.0.0.0	Public
5432	PostgreSQL	Docker network	Containers only
6379	Redis	Docker network	Containers only
5678	n8n	Docker network	Via Caddy
8080	imgproxy	Docker network	Via Caddy
5000	KaviCloud	Docker network	Via Caddy

🛡️ Firewall Rules¶

UFW (Both Servers)¶

# Default policy
ufw default deny incoming
ufw default allow outgoing

# Allowed incoming
ufw allow 22/tcp    # SSH
ufw allow 80/tcp    # HTTP
ufw allow 443/tcp   # HTTPS
ufw allow 41641/udp # Tailscale

🔐 Tailscale Configuration¶

Devices on Network¶

Device	IP	Role
Kimsufi Server	100.81.231.36	Media server
Hetzner VPS	100.80.53.55	Web services
MacBook	100.x.x.x	Admin
iPhone	100.93.192.77	Client
Apple TV	100.91.20.13	Client

Features Enabled¶

✅ MagicDNS (use hostnames)
✅ SSH (direct SSH over Tailscale)
✅ Subnet routing: None needed

Access via Tailscale¶

# Using IP
ssh ubuntu@100.81.231.36
ssh kavi@100.80.53.55

# Using MagicDNS hostname
ssh ubuntu@kimsufi-plex
ssh kavi@cpx42-kavi-hetzner

🌍 DNS Configuration¶

Cloudflare Zone: kua.cl¶

Record	Type	Value	Proxied
`@`	A	(main site)	✅
`plex`	A	144.217.76.53	❌
`radarr`	A	144.217.76.53	✅
`sonarr`	A	144.217.76.53	✅
`cdn`	A	46.224.146.107	✅
`media`	A	46.224.146.107	✅
`n8n`	A	46.224.146.107	✅

Plex Not Proxied

Plex subdomain is NOT proxied through Cloudflare because: - Plex needs direct connection for remote streaming - Cloudflare would interfere with video streams