
Server Cleanup & Optimization - Documentation

📋 Overview

Server Host: Ubuntu Server @ Strato
IP Address: 85.215.149.45
Execution Date: January 2025
Objectives: Purge desktop GUI dependencies, optimize system packages, prepare for HTTPS proxy routing.


✅ Executed Actions

1. Complete Purging of Desktop Dependencies

  • Uninstalled LXDE Desktop environment.
  • Removed X-Server (xorg) utilities.
  • Removed Lightdm (Display Manager).
  • Cleaned up unneeded visual applications.

2. Pruned Orphaned Packages

  • Purged Mesa (3D / GPU driver layers): mesa-vulkan-drivers, mesa-libgallium.
  • Purged LLVM / Clang compiler libraries: libllvm20, libllvm18, libclang-cpp18.
  • Completely removed Snapd (including Firefox Snap).
  • Removed LXD Installer modules.

3. Executed System Cleaning

```bash
sudo apt autoremove --purge
sudo apt autoclean
sudo apt clean
```

4. Package System Audits

  • Confirmed zero broken dependencies.
  • Confirmed zero held updates.
  • Confirmed clean package database structures.

📊 Current System State

Performance Parameters

  • Installed Packages: 1,046 (decreased from ~1,200+)
  • Disk Footprint: 19 GB / 464 GB (5% allocated)
  • Available Capacity: 446 GB
  • Cleanup Yield: ~2 GB reclaimed space

Largest Deployed Packages (Top 10)

| Package Name | Disk Footprint | Functional Purpose |
| --- | --- | --- |
| containerd | 140 MB | Container runtime execution layer |
| docker.io | 107 MB | Docker engine runtime daemon |
| docker-ce | 96 MB | Docker Community Edition core binaries |
| python3-botocore | 92 MB | AWS SDK dependencies for Python systems |
| containerd.io | 91 MB | Container runtime execution engines |
| linux-headers-6.8.0-90 | 84 MB | Linux kernel development headers |
| docker-buildx-plugin | 80 MB | Advanced Docker image build plugin |
| docker-ce-cli | 43 MB | Docker command line interface client |
| linux-modules-6.8.0-90 | 38 MB | Linux kernel runtime driver modules |
| vim-runtime | 37 MB | Runtime dependencies for the Vim text editor |

Active Services

Native System Services

  • Cockpit (Listening on port 9090): Server administration dashboard.

Active Docker Containers (Split-Stack Environment)

Core Infrastructure Stack (cfs-infra):
  1. cfs-antigravity-ide: Cloud development environment and agent infrastructure.
  2. Open WebUI: Chat front-end for AI models.
  3. Ollama: LLM runtime engine for executing local open-source models.
  4. cfs-db-local: Local MariaDB 10.11 database instance.
  5. redis-cache: General purpose caching layer.
  6. Portainer: Container management dashboard.
  7. Traefik: Edge router and reverse proxy.
Platform Application Stack (cfs-platform):
  1. cfs-database-prod: Production MariaDB 10.11 database instance.
  2. cfs-database-staging: Staging MariaDB 10.11 database instance.
  3. cfs-platform-core-portal-1: Production core portal application.
  4. cfs-platform-event-planner-1: Production event planner application.
  5. cfs-platform-core-portal-staging-1: Staging core portal application.
  6. cfs-platform-event-planner-staging-1: Staging event planner application.

Networking Status

  • Current State: HTTP transport protocol active (unencrypted).
  • Access Method: Direct public IP binding (http://85.215.149.45:PORT).
  • SSL/TLS Security: Deactivated.

🎓 Key Learnings

1. Headless Server vs. Desktop Deployments

  • Server OS: Run headless setups (command line only), keeping footprint minimal (~600-1,000 packages).
  • Desktop OS: Heavy graphic dependency trees (X11, display managers), demanding ~2,000-3,000 packages.
  • Pruning Rule: Packages containing identifiers such as x11, gtk, qt, gnome, or kde should be avoided on pure server nodes.

2. Package Management Optimization

```bash
# Purge a package together with its configuration files
sudo apt purge <package_name>

# Remove dependencies that are no longer needed by any installed package
sudo apt autoremove --purge

# Clear out the downloaded package cache to free space
sudo apt clean

# List the 20 largest packages (Installed-Size is reported in KiB)
dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n | tail -20
```
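As an added example (not part of the original documentation), the shell script below turns the pruning rule from section 1 and the size listing above into a repeatable, read-only audit. It runs against a constructed sample of `dpkg-query` output so it can be tried offline; the sample package list and the exact name patterns are assumptions, and nothing in it purges anything.

```bash
#!/usr/bin/env bash
# Added example: review installed packages against the pruning rule (x11, gtk, qt, gnome, kde)
# and rank them by footprint. Input format is that of
#   dpkg-query -Wf '${Installed-Size}\t${Package}\n'
# where Installed-Size is in KiB. Nothing here removes a package.

# Desktop identifiers from the pruning rule plus the GUI packages purged on this host.
# A match is a candidate for review, not an automatic purge list (e.g. "qt" also
# matches unrelated names such as libmqtt*).
GUI_PATTERN='x11|gtk|qt|gnome|kde|lxde|lightdm|xorg'

# Constructed sample of dpkg-query output: size in KiB, tab, package name.
sample_dpkg_output() {
  printf '%s\t%s\n' \
    143360 containerd \
    109568 docker.io \
    37888  vim-runtime \
    2048   libgtk-3-0 \
    512    x11-common \
    94208  python3-botocore
}

# Packages whose name matches the desktop identifiers, one per line.
flag_gui_packages() {
  grep -Ei "$GUI_PATTERN" | cut -f2
}

# Largest N packages, size converted from KiB to whole MB.
top_packages() {
  n="${1:-10}"
  sort -rn | head -n "$n" | awk -F'\t' '{ printf "%s\t%d MB\n", $2, int($1/1024) }'
}

# Number of flagged packages; 0 means the host passes the pruning rule.
count_gui_packages() {
  flag_gui_packages | grep -c . || true
}

# Live use (needs dpkg):
#   dpkg-query -Wf '${Installed-Size}\t${Package}\n' | top_packages 10
#   dpkg-query -Wf '${Installed-Size}\t${Package}\n' | flag_gui_packages
if [ "${1:-}" = "--sample" ]; then
  echo "Largest packages:"; sample_dpkg_output | top_packages 3
  echo "GUI candidates:";   sample_dpkg_output | flag_gui_packages
fi
```

Run it with `--sample` to see the constructed data ranked and flagged, or pipe the live `dpkg-query` output into `top_packages` and `flag_gui_packages` on the host. The functions only report; the decision to `apt purge` stays manual.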

3. Snap Package Management vs. Docker Containers

  • Snap: Restrictive sandbox layer designed primarily for desktop distributions (Ubuntu-specific).
  • Docker: Highly portable container system designed for microservice execution across architectures.
  • Guideline: Prefer Docker for server environments; purge Snapd to avoid unneeded resource consumption.

4. Systemd Socket Activation

  • Cockpit Service: Configured to launch on-demand when traffic reaches port 9090.
  • Benefit: Conserves CPU cycles and memory.
  • Audit Command: sudo systemctl status cockpit.socket

5. Hosting Provider Integrations (Strato)

  • SSL Certificates: Pre-issued provider certificates only support Strato subdomain patterns.
  • Custom Domains: Connecting custom domains requires external DNS configuration and custom certificates (e.g., via Let's Encrypt).

🔧 Deployed Topology Details

Purged Desktop Packages

```text
lxde, lxde-core, lxde-common
xorg, xserver-xorg-core, xserver-xorg-video-*
lightdm, lightdm-gtk-greeter
x11-common, x11-utils, x11-xserver-utils
```

Purged Libraries

```text
mesa-vulkan-drivers, mesa-libgallium
libllvm20, libllvm18, libclang-cpp18, libclang1-18
snapd, libsnapd-glib-2-1
```

Docker Container Stack Diagram

```text
Traefik (Reverse Proxy, Ports 80/443)
       |
       |--- cfs-platform-core-portal
       |--- cfs-platform-event-planner
       |--- Open WebUI (Port 3000) ---> Ollama
       |--- Portainer (Port 9000)

Background Services:
- cfs-database (prod & staging) / cfs-db-local (MariaDB 10.11)
- cfs-antigravity-ide (Development Workspace)
```

System Synergies:

  • Traefik routes traffic to the staging portals and web interfaces; TLS termination at Traefik is the planned HTTPS step.
  • Open WebUI provides a clean chat interface for interactively prompting Ollama models.
  • Portainer simplifies monitoring container health and service states.
  • Cockpit provides direct visibility of overall host memory and CPU utilization.

Diagnostic Commands

```bash
# Verify no GUI residues remain
dpkg -l | grep -E 'x11|xorg|lxde|lightdm'

# Verify Snap daemon remnants are purged
dpkg -l | grep snap

# List removed packages whose configuration files are still present ("rc" state)
dpkg -l | grep '^rc'

# Check for broken or half-configured packages
sudo dpkg --audit

# Verify active container states
docker ps -a
```

🚀 Target Next Steps: HTTPS Configuration

Objective

Expose all local HTTP system services securely behind encrypted HTTPS routing.

Prerequisites

  • ✅ Custom domains mapped to DNS configuration portals.
  • ✅ Clear host IP target: 85.215.149.45.
  • ✅ Services mapped to listening ports:
    • Cockpit: 9090
    • Portainer: 9000
    • Open WebUI: 3000

Current Architecture: Traefik (Dockerized)

Traffic Flow:

```text
Client Requests ---> Domain Entry ---> Server IP: 85.215.149.45
                                               |
                                               v
                                Traefik Container (Port 80/443)
                                               |
                                               v
                            Let's Encrypt TLS Security Checks
                                               |
                                               v
                        Internal Proxy Forwarding (Docker Network)
                                               |
                    ├─ Portainer (Port 9000)
                    ├─ Open WebUI (Port 3000)
                    ├─ cfs-platform-core-portal
                    └─ cfs-platform-event-planner
```

Benefits:

  • ✅ Automated provisioning of Let's Encrypt SSL/TLS certificates.
  • ✅ Automated renewal of the 90-day Let's Encrypt certificates.
  • ✅ Deep Docker integration (auto-discovers containers via labels).
  • ✅ Secure HTTPS endpoints for all platform services.

Planned Target Domains Mapping

```text
cockpit.domain.de   ---> https://85.215.149.45:9090
portainer.domain.de ---> https://85.215.149.45:9000
webui.domain.de     ---> https://85.215.149.45:3000
core.domain.de      ---> cfs-platform-core
events.domain.de    ---> cfs-platform-event-planner
```
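To make the traffic flow and the domain mapping above concrete, here is an added example (written for this page, not configuration from the original documentation or the cfs project) that renders a Traefik v3 Compose file with HTTP-to-HTTPS redirection and a Let's Encrypt resolver, and audits `docker ps` output for containers that still publish host ports other than 80/443. The `domain.de` host names, the ACME contact address, the image tags and the sample `docker ps` lines are assumptions; Cockpit runs on the host rather than in Docker, so it is not covered by the Docker provider shown here.

```bash
#!/usr/bin/env bash
# Added example: Traefik as the single TLS entry point, plus a check that no service
# still bypasses it through a directly published host port (the http://IP:PORT
# exposure this document describes as the current state).

ACME_EMAIL="${ACME_EMAIL:-admin@domain.de}"   # placeholder Let's Encrypt contact address

# Emit a Compose file for Traefik plus one routed service.
#   $1 = compose service name   $2 = public host name
#   $3 = image                  $4 = port the container listens on internally
render_compose() {
  svc="$1"; host="$2"; image="$3"; port="$4"
  cat <<EOF
services:
  traefik:
    image: traefik:v3.1
    command:
      - "--providers.docker=true"
      # Only containers carrying traefik.enable=true get a route.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      # Every plaintext request is redirected to the TLS entrypoint.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
  ${svc}:
    image: ${image}
    # No "ports:" block: the service is reachable only through Traefik.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.${svc}.rule=Host(\`${host}\`)"
      - "traefik.http.routers.${svc}.entrypoints=websecure"
      - "traefik.http.routers.${svc}.tls.certresolver=le"
      - "traefik.http.services.${svc}.loadbalancer.server.port=${port}"
EOF
}

# Constructed sample of: docker ps --format '{{.Names}}\t{{.Ports}}'
sample_docker_ps() {
  printf '%s\t%s\n' \
    traefik    '0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp' \
    portainer  '0.0.0.0:9000->9000/tcp' \
    open-webui '0.0.0.0:3000->8080/tcp' \
    ollama     '11434/tcp'
}

# Reads docker ps output on stdin; prints "<name>\t<binding>" for every host port
# binding other than 80/443. Such bindings are reachable without TLS.
published_ports_audit() {
  awk -F'\t' '{
    n = split($2, parts, ", ")
    for (i = 1; i <= n; i++)
      if (parts[i] ~ /->/ && parts[i] !~ /:(80|443)->/) print $1 "\t" parts[i]
  }'
}

# Optional live check: let Docker Compose parse the rendered file (starts nothing).
validate_compose_file() {
  if command -v docker >/dev/null 2>&1; then
    docker compose -f "$1" config --quiet
  else
    echo "docker not installed; skipping compose validation" >&2
  fi
}

if [ "${1:-}" = "--render" ]; then
  render_compose portainer portainer.domain.de portainer/portainer-ce:latest 9000 > docker-compose.yml
  validate_compose_file docker-compose.yml
  echo "Containers still publishing non-TLS host ports:"
  docker ps --format '{{.Names}}\t{{.Ports}}' | published_ports_audit
fi
```

The two settings that matter most are `exposedbydefault=false` (a container is only routed when it opts in with a label) and the absence of a `ports:` block on the routed service, which is what retires the `http://85.215.149.45:PORT` access path. `published_ports_audit` is the check to run after the migration: a non-empty result means a service is still reachable in plaintext around the proxy.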

📝 Commands Reference Cheat Sheet

Host Diagnostics

```bash
# Query active disk space allocations
df -h /

# Query count of currently registered packages
dpkg -l | wc -l

# List largest packages by size footprint
dpkg-query -Wf '${Installed-Size}\t${Package}\n' | sort -n | tail -20

# Audit running systemd services
sudo systemctl list-units --type=service --state=running

# Query listening sockets and ports
sudo ss -tulpn | grep LISTEN
```

Package Management

```bash
# Query package registries
apt search <package_name>

# Display package parameters
apt show <package_name>

# Purge a package including configurations
sudo apt purge <package_name>

# Prune unneeded package files
sudo apt autoremove --purge
```

Docker Operations

```bash
# List all containers
docker ps -a

# Stream container console logs
docker logs -f <container_name>

# Inspect container settings
docker inspect <container_name>

# Stream live container resource utilization
docker stats
```

🔒 Security Recommendations

Security Vulnerabilities (HTTP active)

⚠️ Unencrypted traffic transmission.

  • System credentials and API keys are transmitted in plain text.
  • High vulnerability to Man-in-the-Middle (MitM) attacks.

Hardened State (Post-HTTPS Deployment)

Encrypted communication tunnels.

  • Modern TLS 1.2 / 1.3 protocol standards enforced.
  • Domain certificate validations.

Ongoing Hardening Steps

  • [ ] Enforce strict UFW firewall policies.
  • [ ] Deploy Fail2Ban to block brute-force attempts.
  • [ ] Disable SSH password authentication (force SSH Key-Auth).
  • [ ] Schedule regular automated security update checks.
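The checklist above can be verified rather than just ticked. The following added example (not from the original documentation) audits the SSH and firewall items from command output: it reads the effective sshd configuration as printed by `sshd -T` and the rule table printed by `ufw status`, and reports anything that contradicts the checklist. The inputs are constructed samples so the script runs offline; the allow-list of firewall ports is an assumption.

```bash
#!/usr/bin/env bash
# Added example: read-only audit of the hardening checklist. On the host, pipe the real
# output of `sudo sshd -T` into audit_sshd and of `sudo ufw status` into audit_ufw.

# Constructed `sshd -T` output (effective config, lowercase keys) before hardening.
sample_sshd_before() {
  printf '%s\n' 'port 22' 'passwordauthentication yes' \
                'pubkeyauthentication yes' 'permitrootlogin yes'
}

# Constructed `sshd -T` output after the checklist has been applied.
sample_sshd_after() {
  printf '%s\n' 'port 22' 'passwordauthentication no' \
                'pubkeyauthentication yes' 'permitrootlogin prohibit-password'
}

# Constructed `ufw status` output with one rule outside the expected set.
sample_ufw() {
  printf '%s\n' 'Status: active' '' \
    'To                         Action      From' \
    '--                         ------      ----' \
    '22/tcp                     ALLOW       Anywhere' \
    '80/tcp                     ALLOW       Anywhere' \
    '443/tcp                    ALLOW       Anywhere' \
    '9000/tcp                   ALLOW       Anywhere'
}

# Reads `sshd -T` output on stdin. `sshd -T` is used instead of grepping sshd_config
# because Ubuntu includes /etc/ssh/sshd_config.d/*.conf and the first match wins.
# Prints one FAIL line per finding; exit status 1 if any.
audit_sshd() {
  awk '
    BEGIN { bad = 0 }
    $1 == "passwordauthentication" && $2 != "no"  { print "FAIL passwordauthentication=" $2 " (expected no)"; bad = 1 }
    $1 == "pubkeyauthentication"   && $2 != "yes" { print "FAIL pubkeyauthentication=" $2 " (expected yes)"; bad = 1 }
    $1 == "permitrootlogin"        && $2 == "yes" { print "FAIL permitrootlogin=yes (expected prohibit-password or no)"; bad = 1 }
    END { exit bad }
  '
}

# Reads `ufw status` output on stdin. Fails if the firewall is inactive or if an ALLOW
# rule targets a port outside the allow-list. IPv6 rows ("22/tcp (v6)") have a
# different column layout and are not inspected here.
audit_ufw() {
  awk -v allow="${1:-22/tcp 80/tcp 443/tcp}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1; bad = 0 }
    /^Status:/ && $2 != "active" { print "FAIL ufw is " $2 " (expected active)"; bad = 1 }
    $2 == "ALLOW" && !($1 in ok)  { print "FAIL ufw allows " $1 " from " $3 " (not in allow-list " allow ")"; bad = 1 }
    END { exit bad }
  '
}

# Live items that need a running host rather than captured output.
live_checks() {
  systemctl is-active fail2ban            || echo "FAIL fail2ban is not active"
  systemctl is-enabled apt-daily-upgrade.timer >/dev/null 2>&1 \
                                          || echo "FAIL unattended upgrade timer not enabled"
}

if [ "${1:-}" = "--live" ]; then
  sudo sshd -T   | audit_sshd
  sudo ufw status | audit_ufw
  live_checks
fi
```

One caveat the firewall check cannot see: Docker inserts its own iptables rules for published container ports, so a port exposed with `-p`/`ports:` is reachable even when no UFW rule allows it. Combine `audit_ufw` with a review of published ports (`docker ps`) rather than relying on UFW alone.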

Released under proprietary license.