Docker Infrastructure

Complete Docker Infrastructure: Enterprise Setup for Self-Hosted Cloud Services

Published 2 January 2026
Category Infrastructure & DevOps
Server ssh2.matzka.cloud (Production)
Reading time 25 minutes

1. Architecture Overview

The matzka.cloud infrastructure is a fully containerised, production-grade setup built on Docker and Docker Compose. The system provides mail services, file sharing, SSO, a CMS, workflow automation, monitoring and security monitoring.

High-Level Topology

┌────────────────────────────────────────────────────────┐
│ Internet                                               │
│ Domains: matzka.cloud, mail.*, cms.*, auth.*, etc.     │
└────────────────┬───────────────────────────────────────┘
                 │ HTTPS / port 443 (automatic HTTP→HTTPS redirect)
                 │
         ┌───────▼────────────────────────┐
         │  Traefik (Port 80, 443)        │
         │  Reverse Proxy & Load Balancer │
         │  Let's Encrypt SSL/TLS         │
         └───────┬────────────────────────┘
                 │
    ┌────────────┼──────────────────┐
    │            │                  │
 ┌──▼────┐ ┌─────▼────┐    ┌────────▼────┐
 │Mailcow│ │Nextcloud │    │ Authentik   │
 │(Mail) │ │(Files)   │    │ (SSO)       │
 │       │ │          │    │             │
 └───────┘ └──────────┘    └─────────────┘
    │            │                  │
    │      ┌─────┴─────┬────────────┬─────────┐
    │      │           │            │         │
    ▼      ▼           ▼            ▼         ▼
┌───────────────────────────────────────────────────┐
│ PostgreSQL 17 Databases                           │
│ - nextcloud_db, authentik_db, directus_db, n8n_db │
└───────────────────────────────────────────────────┘
    │      │           │            │         │
    │      └─────┬─────┘            │         │
    │            ▼                  │         │
    │      ┌──────────┐             │         │
    │      │  Redis   │             │         │
    │      │  Cache   │             │         │
    │      └──────────┘             │         │
    │                               │         │
 ┌──▼─────────────────────────────┐ │         │
 │ Specialized Services:          │ │         │
 │ - Directus CMS                 │ │         │
 │ - n8n Workflows                │ │         │
 │ - Qdrant Vector DB             │ │         │
 │ - Docling Document Processor   │ │         │
 └────────────────────────────────┘ │         │
                                    │         │
                    ┌───────────────┼─────────┘
                    │               │
                 ┌──▼───────┐ ┌─────▼───────┐
                 │Prometheus│ │Wazuh SIEM   │
                 │Monitoring│ │Security     │
                 └──────────┘ └─────────────┘
                    │
                 ┌──▼──────┐
                 │Grafana  │
                 │Dashboard│
                 └─────────┘
Infrastructure highlights:
  • ✅ 31 Docker containers (Mail, Files, Auth, CMS, Workflows, Monitoring, Security)
  • ✅ 9 PostgreSQL databases
  • ✅ 21 volumes with daily backups
  • ✅ Automatic SSL/TLS (Let's Encrypt)
  • ✅ SSO for all services
  • ✅ Real-time security monitoring

2. Server & Hardware

Production Server

Parameter         Value
Hostname          ssh2.matzka.cloud
Primary Domain    matzka.cloud
Timezone          Europe/Vienna
Docker Version    Latest (27.x)
Docker Compose    Latest (2.x)
Kernel            Linux 5.10+ (Debian/Ubuntu)

Directory Structure

/opt/docker/
├── compose/                    # Main infrastructure
│   ├── docker-compose.yml      # Core services
│   ├── .env                    # Environment variables (secrets)
│   ├── traefik/                # Reverse proxy config
│   │   ├── traefik.yml        # Static configuration
│   │   ├── dynamic/            # Dynamic routing rules
│   │   ├── logs/               # Access logs
│   │   └── acme.json           # Let's Encrypt certs
│   ├── volumes/                # Managed volumes
│   └── backups/                # Automated backups
├── webapp/                     # Next.js + Directus
│   ├── docker-compose.yml
│   └── app/                    # Next.js application
├── n8n/                        # Workflows automation
│   ├── docker-compose.yml
│   ├── workflows/
│   └── .env
├── monitoring/                 # Prometheus + Grafana
│   ├── docker-compose.yml
│   ├── prometheus/
│   └── grafana/
└── security/                   # Wazuh SIEM
    ├── docker-compose.yml
    └── wazuh-config/

/opt/mailcow-dockerized/        # External: Mailcow
└── docker-compose.yml
Deployment note: All services run in separate docker-compose stacks. This allows independent scaling and service isolation.

3. Services & Components

3.1 Mail Services (Mailcow)

Component   Details
Domain      mail.matzka.cloud
Container   mailserver, postfix, dovecot, sogo, rspamd, redis
Database    MariaDB 10.11 (internal)
Features    SMTP, IMAP, POP3, Webmail, Spam Filter, DNSSEC
Backup      6 volumes, daily snapshots

Mailcow is a complete mail server solution with a web interface for user management. The server also acts as the SMTP relay for the other services (Authentik, Nextcloud, etc.).

3.2 File Sharing (Nextcloud)

Component        Details
Domain           next.matzka.cloud
Container        nextcloud (PHP 8.2)
Database         PostgreSQL 17
Cache            Redis 7
Features         File sync, Collaboration, Calendar, WebDAV
SSO              Authentik OIDC
Access Control   Group: usersnextcloud-users

3.3 Authentication (Authentik)

Component    Details
Domain       auth.matzka.cloud (SSO), portal.matzka.cloud (UI)
Containers   authentik-server, authentik-worker
Database     PostgreSQL 17
Cache        Redis 7 (sessions)
Protocols    OpenID Connect (OIDC), SAML, OAuth2
Features     User management, 2FA, Groups, Policies
Email        Via Mailcow SMTP relay

3.4 Content Management (Directus)

Component     Details
Domain        cms.matzka.cloud
Container     directus
Database      PostgreSQL 17
Type          Headless CMS
Collections   blog_posts, services, contact_submissions
SSO           Authentik OIDC (auto-register)
API           REST + GraphQL

3.5 Web Application (Next.js)

Component         Details
Domain            matzka.cloud, www.matzka.cloud
Framework         Next.js 16 (React 19)
Container         webapp
Build             Docker multi-stage build
CMS Integration   Directus API
Features          Blog, Services, Contact Form, Status Page

3.6 Workflow Automation (n8n)

Component             Details
Domain                n8n.matzka.cloud
Containers            n8n, postgres-n8n, qdrant, docling, nginx-static
Database              PostgreSQL 17
Vector DB             Qdrant (AI/RAG)
Document Processing   Docling (PDF, Word, HTML extraction)
Use Cases             Contact form workflow, RAG chatbot, data automation

4. Network Topology

Docker Networks

The infrastructure uses several isolated Docker networks for security and performance:

Network                             Type              Purpose               Services
frontend                            External bridge   Publicly reachable    Traefik, all public services
cloud                               Internal          Nextcloud isolation   nextcloud, postgres-nextcloud, redis-nextcloud
authentik-backend                   Internal          Authentik isolation   authentik, postgres-authentik, redis-authentik
webapp-backend                      Internal          WebApp isolation      webapp, postgres-directus
n8n-backend                         Internal          n8n isolation         n8n, postgres-n8n, qdrant, docling
mailcowdockerized_mailcow-network   External bridge   Mail services         mailserver, mail relay clients
monitoring                          External          Monitoring stack      prometheus, grafana, exporters
wazuh                               Internal          SIEM services         wazuh-indexer, wazuh-manager, wazuh-dashboard

Service Communication

External requests:
  Client → Traefik (443) → service container

Internal communication (same network):
  webapp ←→ postgres-directus (direct)
  authentik ←→ redis-authentik (direct)
  n8n ←→ qdrant (direct)

Cross-network (via Traefik):
  Nextcloud → Authentik SSO (https://auth.matzka.cloud)
  webapp → Directus API (http://directus:8055, internal)
  All → Mailcow SMTP (mail.matzka.cloud:587)

Traefik Reverse Proxy

Entry Points          web (80), websecure (443)
HTTP Redirect         Automatic → HTTPS
SSL/TLS Provider      Let's Encrypt (ACME HTTP challenge)
Certificate Storage   /opt/docker/compose/traefik/acme.json (600 perms)
Middleware            Security headers, redirects, rate limiting
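The network-isolation and Traefik pattern from this section, as an added example that is not the matzka.cloud repository's own compose file: Traefik and the app share the external "frontend" network, while PostgreSQL sits only on an "internal: true" network, so it has no published port and no route to the Internet. Image names, hostnames and the secret file path are placeholders.

```yaml
# Added example (not the production compose file). Placeholders: example/webapp,
# www.example.com, admin@example.com, ./secrets/db_password.txt.
services:
  traefik:
    image: traefik:v3.3
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure     # HTTP -> HTTPS
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false     # route only labelled containers
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/acme.json
    ports: ["80:80", "443:443"]
    volumes:
      # The Docker socket is root-equivalent on the host even when mounted read-only,
      # so keep the Traefik image pinned and updated.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/acme.json:/acme.json                # chmod 600 on the host
    networks: [frontend]
  webapp:
    image: example/webapp:latest
    labels:
      - traefik.enable=true
      - "traefik.http.routers.webapp.rule=Host(`www.example.com`)"
      - traefik.http.routers.webapp.entrypoints=websecure
      - traefik.http.routers.webapp.tls.certresolver=le
      - traefik.http.routers.webapp.middlewares=sec-headers
      - traefik.http.middlewares.sec-headers.headers.stsSeconds=31536000
      - traefik.http.middlewares.sec-headers.headers.contentTypeNosniff=true
    networks: [frontend, webapp-backend]   # reachable by Traefik, can reach the DB
  postgres-directus:
    image: postgres:17
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password   # secret via file, not .env
    secrets: [db_password]
    networks: [webapp-backend]             # backend only: no ports, no egress
networks:
  frontend:
    external: true                         # created once, shared by all stacks
  webapp-backend:
    internal: true                         # no route to the host NIC or the Internet
secrets:
  db_password:
    file: ./secrets/db_password.txt
```

A quick check that the isolation holds: `docker compose exec postgres-directus getent hosts traefik` should fail, while `docker compose exec webapp getent hosts postgres-directus` resolves.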

5. Storage & Volumes

Docker Volumes (21 Total)

All persistent data is stored in Docker named volumes, which are backed up daily.

PostgreSQL Databases (4 Volumes)

postgres_nextcloud_data      - Nextcloud metadata
postgres_authentik_data      - User accounts, groups
postgres_directus_data       - CMS data
postgres_n8n_data            - Workflow definitions

Redis Caches (1 Volume)

redis_authentik_data         - Session storage

Application Data (7 Volumes)

nextcloud_data               - User files (sync)
authentik_media              - Uploaded assets
directus_uploads             - CMS media files
n8n_data                     - Workflow executions
n8n_static_files             - Generated content
qdrant_data                  - Vector embeddings
docling_data                 - Document cache

Mailcow Volumes (6 Volumes)

mailcowdockerized_mysql-vol-1     - MariaDB database
mailcowdockerized_vmail-vol-1     - Maildir storage
mailcowdockerized_crypt-vol-1     - Encryption keys
mailcowdockerized_redis-vol-1     - Cache & sessions
mailcowdockerized_rspamd-vol-1    - Spam filter data
mailcowdockerized_postfix-vol-1   - Mail queue

Monitoring Volumes (3 Volumes)

prometheus_data              - Time-series metrics
grafana_data                 - Dashboards config
alertmanager_data            - Alert rules

Volume Management Commands

# List all volumes
docker volume ls

# Inspect a volume (driver, mountpoint); actual sizes are reported by "docker system df -v"
docker volume inspect postgres_nextcloud_data
docker system df -v

# Back up a volume
docker run --rm -v postgres_nextcloud_data:/data \
  -v /backup:/backup \
  alpine tar czf /backup/postgres-backup.tar.gz /data

# Restore (stop the database container first so the files are not written during the restore)
docker run --rm -v postgres_nextcloud_data:/data \
  -v /backup:/backup \
  alpine tar xzf /backup/postgres-backup.tar.gz -C /

6. Security & Authentication

Single Sign-On (SSO) Architecture

All services use Authentik as the central identity provider via OpenID Connect.

SSO flow:
  1. User opens a service (e.g. next.matzka.cloud)
  2. Not authenticated → redirect to the Authentik login
  3. Authentik validates the credentials
  4. Authentik checks group membership
  5. Token is returned to the service
  6. Service accepts the token → access granted

Services with SSO

Service              Protocol         Required Group
Nextcloud            OpenID Connect   usersnextcloud-users
Directus CMS         OpenID Connect   None (auto-register)
Grafana (optional)   OAuth2           grafana-admins

Security Groups

admins                 Administrative access to all services
users                  Standard user access
usersnextcloud-users   Nextcloud file sync access
grafana-admins         Grafana dashboard administration

Network Security

Isolation through internal networks:
  • 🔒 Databases are NOT reachable from the public Internet
  • 🔒 Internal services address each other by container name (no IPs)
  • 🔒 Redis cache only on the internal network
  • 🔒 Qdrant vector DB reachable only by n8n
  • 🔒 Wazuh internal → only the dashboard is public

Certificate Management

# Let's Encrypt certificates are managed automatically by Traefik
# Certificate storage: /opt/docker/compose/traefik/acme.json

# List TLS-enabled routers via the Traefik API (only works if the API is exposed on port 8080)
curl http://localhost:8080/api/http/routers | jq '.[] | select(.tls)'

# Certificate details (validity period); -servername sends SNI so Traefik serves the right cert,
# </dev/null makes s_client exit after the handshake
openssl s_client -connect next.matzka.cloud:443 -servername next.matzka.cloud -showcerts </dev/null 2>/dev/null | \
  openssl x509 -noout -dates

7. Monitoring & Logging

Prometheus Monitoring Stack

A complete monitoring stack built on Prometheus and Grafana watches all containers, host metrics and application metrics.

Component        Details
Prometheus       Time-series database for metrics
Grafana          Dashboards & visualisation
Node Exporter    Host system metrics
cAdvisor         Container metrics
Wazuh Exporter   Security events
Alertmanager     Alert routing & notifications

Monitored Metrics

System Metrics

node_cpu_seconds_total        - CPU usage
node_memory_MemAvailable_bytes - Memory availability
node_disk_free_bytes           - Disk space
node_network_receive_bytes     - Network throughput
node_systemd_unit_state        - Service states

Container Metrics

container_cpu_usage_seconds_total        - Per-container CPU
container_memory_usage_bytes            - Per-container Memory
container_network_receive_bytes         - Per-container Network
container_fs_usage_bytes                - Per-container Storage

Application Metrics

postgresql_up                      - Database health
redis_connected_clients         - Redis connections
wazuh_indexer_health            - SIEM cluster status
wazuh_agent_status              - Agent connections

Alerting Rules

Prometheus is configured with alert rules for:

  • 🔴 CRITICAL: Disk nearly full, Container crashed, Database down
  • 🟠 WARNING: High CPU, Memory pressure, Network issues
  • 🔵 INFO: Trivy vulnerability alerts, Backup status
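Rules for the three CRITICAL conditions listed above, as an added example rather than the production rule file, using the 80 %/90 % disk thresholds from section 10. Assumptions: the standard node_exporter filesystem metrics (node_filesystem_*) where section 7 writes node_disk_free_bytes, cAdvisor's container_last_seen, and the page's postgresql_up name for the database exporter (the stock postgres_exporter calls it pg_up).

```yaml
# Added example (not the production rule file); metric-name assumptions are noted inline.
groups:
  - name: infrastructure-critical
    rules:
      - alert: DiskNearlyFull
        # node_filesystem_* are the stock node_exporter names (section 7 writes node_disk_free_bytes)
        expr: |
          (1 - node_filesystem_avail_bytes{fstype!~"tmpfs|overlay"}
                 / node_filesystem_size_bytes{fstype!~"tmpfs|overlay"}) * 100 > 90
        for: 5m
        labels: {severity: critical}
        annotations:
          summary: "{{ $labels.instance }} {{ $labels.mountpoint }} is over 90 % full"
      - alert: DiskFillingUp
        expr: |
          (1 - node_filesystem_avail_bytes{fstype!~"tmpfs|overlay"}
                 / node_filesystem_size_bytes{fstype!~"tmpfs|overlay"}) * 100 > 80
        for: 30m
        labels: {severity: warning}
        annotations:
          summary: "{{ $labels.instance }} {{ $labels.mountpoint }} is over 80 % full"
      - alert: ContainerCrashed
        # cAdvisor stops updating container_last_seen once a container exits
        expr: time() - container_last_seen{name!=""} > 60
        for: 1m
        labels: {severity: critical}
        annotations:
          summary: "Container {{ $labels.name }} has not been seen for over 60 s"
      - alert: DatabaseDown
        # postgresql_up is the name used in section 7; stock postgres_exporter exposes pg_up
        expr: postgresql_up == 0
        for: 1m
        labels: {severity: critical}
        annotations:
          summary: "PostgreSQL exporter {{ $labels.instance }} reports the database down"
```

Validate the file with `promtool check rules` before reloading Prometheus; a syntax error in a rule file otherwise silently drops every rule in that group.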

Grafana Dashboards

System Dashboard        CPU, Memory, Disk, Network
Docker Containers       Per-container metrics
Databases               PostgreSQL connections & queries
Security (Wazuh)        Alert counts, agent status, FIM events
Trivy Vulnerabilities   CVE counts, container risk levels

8. Backup & Disaster Recovery

Automated Backup System

A dedicated backup service (offen/docker-volume-backup) runs daily and backs up all 21 volumes.

Parameter    Value
Schedule     03:00 UTC (daily)
Retention    30 days
Location     /opt/docker/backups/
Format       TAR.GZ (compressed)
Encryption   Optional (AES-256)
Volumes      21 total (databases, files, configs)
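A backup service definition matching the parameters in the table, added here as an example and not taken from the production stack. Environment variable and label names follow the offen/docker-volume-backup documentation; the passphrase variable and the two volumes shown are placeholders for the 21 real ones.

```yaml
# Added example (not the production compose file). BACKUP_GPG_PASSPHRASE is a
# placeholder read from .env; only two of the 21 volumes are listed.
services:
  backup:
    image: offen/docker-volume-backup:v2
    container_name: backup               # makes "docker exec backup backup" work
    environment:
      BACKUP_CRON_EXPRESSION: "0 3 * * *"   # 03:00 daily; container clock is UTC unless TZ is set
      BACKUP_FILENAME: "backup-%Y-%m-%d-%H-%M-%S.tar.gz"
      BACKUP_RETENTION_DAYS: "30"
      BACKUP_PRUNING_PREFIX: "backup-"   # only prune archives this job created
      GPG_PASSPHRASE: "${BACKUP_GPG_PASSPHRASE}"   # optional: symmetric GPG encryption, output .tar.gz.gpg
    volumes:
      # Socket access is needed to stop/start labelled containers around the snapshot;
      # it is root-equivalent on the host, so pin and update this image like Traefik's.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - postgres_nextcloud_data:/backup/postgres_nextcloud_data:ro
      - nextcloud_data:/backup/nextcloud_data:ro
      - /opt/docker/backups:/archive     # matches the Location row above
  postgres-nextcloud:
    image: postgres:17
    labels:
      # Stopped for the duration of the tar so the data directory is copied consistently
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - postgres_nextcloud_data:/var/lib/postgresql/data
volumes:
  postgres_nextcloud_data:
    external: true
  nextcloud_data:
    external: true
```

With encryption enabled the listing command in the next subsection becomes `gpg -d backup-....tar.gz.gpg | tar tz | head -20`, and the passphrase itself must be kept outside the backup set, or the archives are unrecoverable after a full loss.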

Backup Contents

Backed Up:
  • ✅ PostgreSQL Databases (4)
  • ✅ Redis Cache
  • ✅ Nextcloud Files
  • ✅ Directus Media
  • ✅ n8n Workflows
  • ✅ Mailcow Email Data
  • ✅ Monitoring Data
  • ✅ Wazuh Indexes

Manual Backup

# Trigger manual backup
ssh root@ssh2.matzka.cloud "docker exec backup backup"

# Check backup status
ls -lh /opt/docker/backups/

# List backup contents
tar tzf /opt/docker/backups/backup-2026-01-02-03-00-00.tar.gz | head -20

Disaster Recovery Procedure

Restore Steps:
  1. Stop affected services: docker-compose down
  2. Remove current volume: docker volume rm VOLUME_NAME
  3. Extract backup: tar xzf backup.tar.gz
  4. Restore to new volume: docker volume create && docker run ...
  5. Restart services: docker-compose up -d
  6. Verify data: docker exec CONTAINER cmd

9. Deployment Process

Standard Deployment Workflow

1. Preparation

# Clone/sync configuration
git pull origin main

# Verify .env secrets are configured
[ -f /opt/docker/compose/.env ] && echo "✓ .env exists"

# Check current status
docker-compose ps

2. Update Services

# Pull latest images
docker-compose pull

# Rebuild custom images
docker-compose build --no-cache

# Create new containers (no downtime)
docker-compose up -d --no-deps --build SERVICE_NAME

3. Verification

# Check service health
docker-compose ps
docker-compose logs -f SERVICE_NAME

# Test endpoint
curl -I https://SERVICE.matzka.cloud

# Check logs for errors
docker logs -f SERVICE_NAME --tail 100

Upgrading Services

Service     Downtime   Procedure
Traefik     ~30s       docker-compose restart traefik
Nextcloud   ~2 min     docker-compose up -d nextcloud (new container)
Database    ~5 min     Stop → Backup → Upgrade → Verify
Mailcow     ~3 min     cd /opt/mailcow && docker-compose up -d

10. Best Practices & Recommendations

Operational Excellence

Daily Operations:
  • ✅ Monitor Grafana Dashboards
  • ✅ Check backup logs (should be in /opt/docker/backups/logs/)
  • ✅ Review Wazuh alerts daily
  • ✅ Check disk space (warning at 80%, critical at 90%)
  • ✅ Monitor PostgreSQL connections

Security Best Practices

Security Checklist:
  • 🔐 Rotate authentication credentials every 90 days
  • 🔐 Enable 2FA for admin accounts
  • 🔐 Review Wazuh file integrity monitoring alerts
  • 🔐 Audit user group memberships quarterly
  • 🔐 Keep Docker images updated (weekly)
  • 🔐 Monitor failed login attempts
  • 🔐 Review Let's Encrypt certificate renewals

Performance Optimization

# Monitor container resource usage
docker stats

# Check database connections per database
docker exec postgres-nextcloud \
  psql -U nextcloud -d nextcloud -c "SELECT datname, count(*) FROM pg_stat_activity GROUP BY datname;"

# Redis memory usage
docker exec redis-nextcloud redis-cli INFO memory

# Check slow queries (requires the pg_stat_statements extension to be loaded;
# the column is mean_exec_time on PostgreSQL 13+, mean_time on older releases)
docker exec postgres-nextcloud \
  psql -U nextcloud -d nextcloud -c "SELECT query, calls, mean_exec_time FROM pg_stat_statements ORDER BY mean_exec_time DESC LIMIT 10;"

Disaster Recovery Drills

Quarterly Testing:
  • ✅ Backup integrity test (extract & verify)
  • ✅ Restore simulation (test environment)
  • ✅ Service failover procedure
  • ✅ Certificate renewal process
  • ✅ Password rotation procedure

Documentation

Key documentation is available in the repository:

CLAUDE.md                              - Comprehensive guide
webapp-deployment/app/README.md         - Next.js app
n8n-deployment/N8N_CONFIGURATION.md     - n8n setup
security/WAZUH_DEPLOYMENT_STATUS.md    - SIEM details
monitoring/                             - Prometheus config