VPS role
Terminate public TLS, answer for the domain, and proxy only the chosen hostnames.
Public Edge / Private Core
adamchdz.com
The Hetzner VPS is the public front door. The actual services stay on the private intranet stack behind Tailscale, and the edge only forwards the routes that are intentionally exposed.
Backend path
Traffic leaves the VPS over Tailscale and lands on the private service VM instead of the public internet.
Policy
Default private. Add public hostnames deliberately, keep the rest of the stack on the tailnet.
Ground Control
Godhand is the authenticated command center for runtime health, alerts, and curated operator actions.
This page is intentionally small. The real intranet stays behind the edge.