kb://infrastructure/blal-de-serverstable2026-05-21

blal.de — the lab's primary server

infrastructurehetznerservertraefiknetworking

blal.de is the single Hetzner host that runs the entire lab today. Migration to this host completed 2026-03-22. EU-native, GDPR-structural, Schrems-II-clean — these are operating principles, not marketing claims.

Hardware

  • CPU: AMD Ryzen 5 3600 — 6 cores / 12 threads
  • RAM: 62 GB
  • Disk: 464 GB NVMe
  • GPU: none
  • OS: Ubuntu 24.04.4 LTS

No GPU is a real constraint. Live-streaming has to support no-GPU server-side rendering (Xvfb + Chromium for OBS Browser Source) plus offload-to-user's-machine fallback for compute-heavy paths.

Public ports — fixed, nothing else exposed

22   — SSH
80   — Traefik → redirect to 443
443  — Traefik → routes by subdomain with Let's Encrypt TLS

Every service is reached via a subdomain through Traefik. Zero host ports beyond those three. Adding a new service = adding a Traefik router label, never opening a port on the firewall.

Subdomain routing examples

atlas.blal.pro      → atlas-web:3031 (Next.js) → atlas-api:3030 (axum)
alice.blal.pro      → openalice:8080
persona.blal.pro    → openalice-persona-server
grafana.blal.pro    → grafana:3000

Docker network architecture

Per-project isolation. Each project owns its own network. All connect to the shared proxy network for Traefik visibility.

proxy        — Traefik sees every service
monitoring   — Prometheus + Grafana + node-exporter + cAdvisor
atlas        — atlas-api + atlas-web + atlas-db
openalice    — Alice + Chromium/Xvfb + future deps

Per-project databases: each service owns its own Postgres / Redis in its own network. No shared instances. Isolation outranks convenience.

Resource constraints worth knowing

  • 12 threads, 62 GB RAM: cap cargo at -j 4 (see kb://infrastructure/cargo-j4-discipline)
  • 464 GB disk: cargo target/ dirs are the biggest disk eater — ~5-15 GB per project. cargo clean -p CRATE is safe; rebuilds in minutes.
  • Outbound TCP/25 + TCP/465 blocked by Hetzner: use 587/STARTTLS or 2465/2587 for SMTP.

Cleanup

~/projects/_shared/scripts/cleanup.sh runs weekly. The --aggressive flag is reserved for monthly sweeps. Last 95% disk incident: kb://incidents/2026-05-21-target-disk-95-percent.

Why EU + Hetzner specifically

GDPR-native by construction. EU AI Act (landing 2026-2027) treats EU data residency as a structural advantage against US-cloud-locked LLM providers — material in healthcare, banking, and public-sector procurement. The claim that agent data never leaves Europe is a real differentiator the lab makes architectural rather than marketing.