VPS Settings
Description of the current infrastructure (as-is)
1. Overall architecture
The infrastructure is built on a single VPS (Hetzner) using Docker + Docker Compose and divided into logical zones:
Internet
   |
Cloudflare (DNS, TLS, Proxy*)
   |
Traefik (reverse proxy, SSL)
   |
Docker networks
   ├─ proxy
   └─ monitoring
        ├─ Grafana
        ├─ Prometheus
        ├─ Node Exporter
        ├─ cAdvisor
        └─ Blackbox Exporter
2. Docker networks
proxy
  Purpose: public access
  Uses Traefik
  All services that have domains (*.workflo.space) connect here
monitoring
  Purpose: internal monitoring
  Services see each other by DNS names of containers
  Not accessible from outside directly
3. Reverse Proxy — Traefik
Traefik v3.x
Functions:
  Reverse proxy
  Automatic SSL certificates (Let’s Encrypt)
  DNS-01 challenge via Cloudflare
  Docker provider (labels)
EntryPoints:
  :80 → web
  :443 → websecure
Certificates:
  Resolver: cf
  DNS challenge via Cloudflare API Token
  Certificates are stored in acme.json
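The Traefik static configuration that matches the entrypoints and the cf resolver above, written out as an added example (not the page's own file). It assumes the Cloudflare token is passed to the container as the CF_DNS_API_TOKEN environment variable, that acme.json is mounted at /letsencrypt/acme.json, and the e-mail address is a placeholder:

```yaml
# traefik.yml (static configuration) -- added example, not the page's own file.
# Assumptions: CF_DNS_API_TOKEN is set in the container environment,
# acme.json is mounted at /letsencrypt/acme.json with mode 600.

entryPoints:
  web:
    address: ":80"
    http:
      redirections:            # plain HTTP is only used to bounce to HTTPS
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false    # a container is routed only if it sets traefik.enable=true
    network: proxy             # Traefik reaches backends over the proxy network

certificatesResolvers:
  cf:
    acme:
      email: admin@workflo.space      # placeholder address
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare          # reads CF_DNS_API_TOKEN
        resolvers:                    # ask public resolvers, not the host cache,
          - "1.1.1.1:53"              # when waiting for the TXT record to propagate
          - "1.0.0.1:53"
```

Two settings carry the security weight here: `exposedByDefault: false`, so a newly started container is not published under a hostname by accident, and the DNS-01 challenge, which lets port 80 stay limited to the HTTPS redirect because no HTTP-01 validation ever has to be answered. The acme.json file holds the account key and private keys for every certificate, so it should be owned by root with mode 600.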
4. Monitoring Stack
Prometheus
  Collects metrics from:
    node-exporter
    cadvisor
    blackbox
    prometheus (self)
  Scrape interval: 15s
Grafana
  UI for metrics
  Datasource: Prometheus
  Access via domain grafana.workflo.space
  Works through Traefik
Node Exporter
  Host metrics (CPU, RAM, Disk, Load)
cAdvisor
  Metrics of Docker containers
Blackbox Exporter
  Checks HTTP / TCP / ICMP (uptime)
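A Prometheus scrape configuration for exactly the four sources listed above, added here as an example rather than taken from the page. It assumes the containers are named node-exporter, cadvisor and blackbox on the monitoring network (the page gives these as targets but not the container names or ports), that the exporters listen on their default ports, and that the Blackbox Exporter has an http_2xx module defined:

```yaml
# prometheus.yml -- added example, not the page's own file.
# Assumptions: container names node-exporter, cadvisor, blackbox resolve on the
# monitoring network; default exporter ports; blackbox has an http_2xx module.

global:
  scrape_interval: 15s          # matches the interval stated on the page

scrape_configs:
  - job_name: prometheus        # self-scrape
    static_configs:
      - targets: ["localhost:9090"]

  - job_name: node-exporter     # host CPU, RAM, disk, load
    static_configs:
      - targets: ["node-exporter:9100"]

  - job_name: cadvisor          # per-container metrics
    static_configs:
      - targets: ["cadvisor:8080"]

  - job_name: blackbox-http     # uptime probe through the blackbox exporter
    metrics_path: /probe
    params:
      module: [http_2xx]
    static_configs:
      - targets:
          - https://grafana.workflo.space   # probed from the outside, via Cloudflare/Traefik
    relabel_configs:
      # The URL in "targets" becomes the ?target= parameter of the probe ...
      - source_labels: [__address__]
        target_label: __param_target
      # ... and is kept as the instance label so dashboards show what was probed ...
      - source_labels: [__param_target]
        target_label: instance
      # ... while the request itself goes to the blackbox container.
      - target_label: __address__
        replacement: blackbox:9115
```

The relabeling block is the part people get wrong: without the last rule Prometheus would try to scrape grafana.workflo.space directly and the probe would never run. Because the probe target is the public hostname, a failing `probe_success` tells you the whole path (DNS, Cloudflare, Traefik, certificate, Grafana) is broken, not just the container.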
5. Security
UFW
  Only allowed: 22, 80, 443
Fail2Ban
  SSH protection
Docker socket
  Accessible only to the Traefik container
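A Docker Compose file showing how the two networks from section 2 and the Docker-socket restriction from section 5 fit together. This is an added example, not the page's own compose file; it assumes the traefik.yml static configuration and prometheus.yml live next to it, that acme.json already exists with mode 600, and that CF_DNS_API_TOKEN is supplied from the shell or a .env file:

```yaml
# docker-compose.yml -- added example, not the page's own file.
# Assumptions: ./traefik.yml, ./prometheus.yml and ./acme.json (mode 600) exist;
# CF_DNS_API_TOKEN is provided via the environment or a .env file.

networks:
  proxy:
    name: proxy
  monitoring:
    name: monitoring      # not "internal": blackbox still needs outbound access for probes

services:
  traefik:
    image: traefik:v3
    command: ["--configFile=/etc/traefik/traefik.yml"]
    ports:                # the only service that publishes host ports
      - "80:80"
      - "443:443"
    environment:
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # only Traefik mounts the socket
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./acme.json:/letsencrypt/acme.json
    networks:
      - proxy

  grafana:
    image: grafana/grafana
    networks:
      - proxy             # reachable through Traefik under grafana.workflo.space
      - monitoring        # reaches Prometheus by container name
    labels:
      traefik.enable: "true"
      traefik.http.routers.grafana.rule: "Host(`grafana.workflo.space`)"
      traefik.http.routers.grafana.entrypoints: "websecure"
      traefik.http.routers.grafana.tls.certresolver: "cf"
      traefik.http.services.grafana.loadbalancer.server.port: "3000"

  prometheus:
    image: prom/prometheus
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
    networks:
      - monitoring        # no published ports, not on proxy: unreachable from outside

  node-exporter:
    image: prom/node-exporter
    networks: [monitoring]

  cadvisor:
    image: gcr.io/cadvisor/cadvisor
    networks: [monitoring]

  blackbox:
    image: prom/blackbox-exporter
    networks: [monitoring]
```

What keeps the monitoring services off the internet is the absence of `ports:` and of a `proxy` network attachment, together with the `exposedByDefault: false` Traefik setting; marking the network `internal: true` would tighten that further but would also cut the Blackbox Exporter off from the public hostnames it probes. Note that `:ro` on the socket mount only stops the file from being replaced; the Docker API reached through it is still fully privileged, which is why limiting the mount to the Traefik container matters.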