Services-Übersicht — Hybrid-Setup (VPS + Raspberry Pi 5)

Stand: 28. März 2026 Architektur: Hybrid — CK-Monitoring auf Hetzner VPS, Smart Home auf Raspberry Pi 5

---

Systeme

System	IP	Rolle	Container
sck-debian-nbg (VPS)	178.104.125.96	CK-Monitoring, Gitea, HTTPS	17
raspip5 (Pi5)	192.168.178.199	Smart Home, lokale Exporter	11
rpp1	192.168.178.67	OpenVPN-Gateway, Syslog-Relay	0

Verbindung: WireGuard-Tunnel VPS (10.100.0.1) ↔ Pi5 (10.100.0.2), ~14 ms

---

VPS sck-debian-nbg — CK-Monitoring (17 Container)

Hardware: Hetzner CPX32 (4 vCPU AMD, 8 GB RAM, 160 GB NVMe), 10,99 €/Mo OS: Debian 13 (Trixie) Docker Compose: /data/docker/docker-compose.yml

Web-UIs (extern via HTTPS/Caddy)

Service	Extern	Intern (WireGuard)	Login
Grafana	https://anknorr.ddnss.de	http://10.100.0.1:3000	admin / admin
Gatus	https://gatus-anknorr.ddnss.de	http://10.100.0.1:8091	kein Login
Gitea	https://gitea-anknorr.ddnss.de	http://10.100.0.1:3003	ak / (1Password)

Interne Web-UIs (nur via WireGuard)

Service	URL	Login
Prometheus	http://10.100.0.1:9090	kein Login
Alertmanager	http://10.100.0.1:9093	kein Login
Homepage	http://10.100.0.1:3002	kein Login
ntfy	http://10.100.0.1:8090	kein Login
Oxidized	http://10.100.0.1:8888	kein Login

Container-Liste VPS

Container	Port	Funktion
prometheus	9090	Metriken-DB, 30 Tage Retention
grafana	3000	Dashboards (13 in 4 Ordnern)
caddy	80/443	HTTPS Reverse Proxy
loki	3100	Log-Aggregation
promtail	—	Log-Sammler (Docker + Sophos Syslog via Pi5)
alertmanager	9093	Alert-Routing → ntfy + GMX
alertmanager-ntfy-bridge	intern	Formatiert Alerts als lesbare Nachrichten
ntfy	8090	Push-Notifications (iOS)
blackbox-exporter	9115	HTTP/ICMP/DNS Probes (remote, direkt via OpenVPN)
sophos-central-exporter	9788	Sophos Central Cloud-API
dynamics365-exporter	9790	D365 CRM Performance
oxidized	8888	Sophos XGS Config-Backup
gatus	8091	Status-/SLA-Reporting
homepage	3002	Service-Dashboard
gitea	3003/2222	Git-Server (Doku, claude-sync)
node-exporter	9100	VPS Host-Metriken
watchtower	—	Auto-Image-Updates

Netzwerk-Anbindung VPS

Verbindung	Ziel	Zweck
OpenVPN	vpn.creative-kirche.de:7443	CK-Netze (10.128.x), VPN-IP 10.244.2.2
WireGuard	Pi5 (10.100.0.2)	Lokale Exporter (FritzBox, Sungrow, Blackbox, Node)

---

Raspberry Pi 5 raspip5 — Smart Home (11 Container)

Hardware: Raspberry Pi 5, 8 GB RAM, Samsung SSD 990 EVO Plus 1 TB (NVMe) OS: Raspberry Pi OS (Debian Bookworm, ARM64) Docker Compose: /data/docker/docker-compose.yml

Web-UIs

Service	URL	Login
Home Assistant	http://192.168.178.199:8123	eigener Login
Pi-hole	http://192.168.178.199:8080/admin	zaphod42
Zigbee2MQTT	http://192.168.178.199:8099	kein Login
Duplicati	http://192.168.178.199:8200	zaphod42

Container-Liste Pi5

Container	Port	Funktion
homeassistant	8123	Smart-Home-Plattform (network_mode: host)
zigbee2mqtt	8099	Zigbee-Gateway (Sonoff Dongle Plus V2)
mosquitto	1883	MQTT-Broker
matter-server	host	Matter/Thread Bridge
pihole	53/8080	DNS-Blocker
sungrow-exporter	9789	PV-Wechselrichter (Modbus/TCP)
fritzbox-exporter	9787	FritzBox-Statistiken
node-exporter	9100	Pi5 Host-Metriken + NVMe SMART
blackbox-exporter	9115	Referenz-Standort-Probes (HTTP/ICMP/DNS aus Heimnetz)
samba-timemachine	445	Time Machine Backup für macOS
duplicati	8200	Backup nach OneDrive

Systemdienste (kein Container)

Dienst	Funktion
snmp-tunnel.service	autossh-Tunnel zu SaltoServer (SNMP, Blackbox, Salto Metrics)
salto-metrics-proxy.service	Normalisiert Salto-Metriken (CRLF→LF)
syslog-relay (rpp1)	Sophos XGS-40 Syslog weiterleiten
rsyslog (10-sophos.conf)	Empfängt Sophos Syslog (UDP 1514, TCP 5514)
smartctl-prom.timer	NVMe SMART → textfile_collector (jede Minute)
speedtest-prom.timer	Speedtest → textfile_collector (alle 6h)
secrets-refresh.timer	1Password → .env-Dateien (täglich 02:00)
pi5-config-backup.timer	Config-Git-Backup (täglich 03:00)
claude-sync.timer	Claude Code Sync via Gitea (alle 5 Min)

---

Prometheus Scrape-Jobs (80 Targets, alle UP)

Job	Targets	Exporter-Standort	Beschreibung
prometheus	1	VPS	Prometheus selbst
node	2	VPS + Pi5	Host-Metriken + NVMe SMART
fritzbox	1	Pi5 (10.100.0.2)	FritzBox-Statistiken
sophos-central	1	VPS	Sophos Central Cloud-API
sophos-xgs-*	6	VPS (via SSH-Tunnel→Pi5)	SNMP: Interfaces, Firewall, System
blackbox-http-remote	7	VPS	HTTP-Probes via OpenVPN
blackbox-http-local	7	Pi5	HTTP-Probes Referenz-Standort
blackbox-icmp-remote	4	VPS	Ping via OpenVPN
blackbox-icmp-local	5	Pi5	Ping Referenz-Standort
blackbox-ap-ping	13	VPS	WLAN APs (40er + 30er Netz)
blackbox-dns-remote	2	VPS	DNS Sophos XGS (direkt via VPN)
blackbox-dns-local	2	Pi5	DNS Referenz-Standort
blackbox-dns-ms-*	10+10	VPS + Pi5	Microsoft 365 DNS (5 Domains × 2 Standorte)
blackbox-dns-pihole	1	Pi5	Pi-hole DNS-Check
salto	1	VPS (via WireGuard→Pi5→SSH-Tunnel)	Salto ProAccess Metriken
sungrow	1	Pi5	PV-Wechselrichter
finance	1	Pi5	Finanzdaten (Gold, Aktien)
speedtest	1	Pi5	Internetgeschwindigkeit (6h)

---

Grafana Dashboards (13)

Ordner	UID	Name
KLV	ck-netze-klv-2026	CK Netze KLV (Reporting)
Netzwerk	3ecb07d2	Sophos XGS Firewall
Netzwerk	c288445e	Sophos WLAN Access Points
Netzwerk	sophos-syslog-2026	Sophos XGS Syslog
Netzwerk	fritzbox-wan-monitoring	Fritz!Box WAN Monitoring
Netzwerk	872ed3a0	Netzwerk-/Cloud-Latenzmonitoring CK
Standorte	netz-vroak-2026	Netz vroak
Standorte	services-vroak-2026	Services vroak
System	nvme-smart-2026	NVMe SMART
System	Pi-hole-Exporter	Pi-hole
System	speedtest-2026	Internetgeschwindigkeit
System	909b3358	Photovoltaik Sungrow
System	salto-proaccess-2026	Salto ProAccess Space

Tag: CreativeKirche

---

Erstellt: 24.02.2026 | Aktualisiert: 28.03.2026 (Hybrid-Split VPS/Pi5)