Commit 986bc9b

Merge #408: docs: [#407] submit UDP1 tracker to newTrackon — complete
2fd3a23 docs: [#407] mark newTrackon prerequisites and IPv6 UDP tracker issue as done (Jose Celano)
6c3b586 docs: [#407] add cloud-init netplan context and two-file structure explanation (Jose Celano)
f32e219 docs: [#407] update step 4 verification with actual netplan apply outputs (Jose Celano)
6063cd1 docs: [#407] persist policy routing via netplan - document step 4 with full details (Jose Celano)
8c65828 docs: [#407] udp1 tracker accepted on newtrackon - document full investigation and fix (Jose Celano)
cb1fd0b docs: [#407] document IPv6 UDP tracker issue and link from post-provision README (Jose Celano)
01d218a docs: [#407] document UDP1 submission attempt 1 — rejected with UDP timeout (Jose Celano)
68d37a3 docs: [#407] configure all four floating IPs via netplan and document Phase 3 completion (Jose Celano)
cc612ae docs: [#407] update DNS A/AAAA records for udp1 and document Phase 4 completion (Jose Celano)
4b10ef6 docs: [#407] add BEP 34 TXT records and verify resolution (Jose Celano)
b3606c6 docs: [#407] record DNS state before udp1 changes (Jose Celano)
5c61d44 docs: [#407] provision udp1 floating IPs and update newtrackon prerequisites (Jose Celano)
4b71b83 docs: [#407] rename floating IPs from torrust-tracker-demo-ipv{4,6} to http1-ipv{4,6} (Jose Celano)
c112319 docs: [#407] document newTrackon prerequisites and fix tracker registry (Jose Celano)

Pull request description:

## Summary

Resolves #407 — UDP1 tracker is now listed on [newTrackon](https://newtrackon.com/).

This PR documents the complete process: two newTrackon prerequisites that were missed, the networking blockers discovered during submission, and the full investigation and fix for each.

## What Was Done

### Phase 1 ✅ — BEP 34 DNS TXT Records

newTrackon requires a `TXT` record on the tracker domain announcing its protocol and port ([BEP 34](https://www.bittorrent.org/beps/bep_0034.html)).

- Added `http1.torrust-tracker-demo.com TXT "BITTORRENT TCP:443"`
- Added `udp1.torrust-tracker-demo.com TXT "BITTORRENT UDP:6969"`
- Verified with `dig TXT`

### Phase 2 ✅ — Provision New Floating IPs

newTrackon enforces one unique IP per tracker. The UDP1 subdomain was sharing IPs with HTTP1.

- Provisioned `udp1-ipv4`: `116.202.177.184`
- Provisioned `udp1-ipv6`: `2a01:4f8:1c0c:828e::1`
- Assigned both to the demo server

### Phase 3 ✅ — Configure All Floating IPs via Netplan

All four floating IPs (existing HTTP1 + new UDP1) are now persistent in `/etc/netplan/60-floating-ip.yaml` with `valid_lft forever`.

> **Finding**: Hetzner IPv6 floating IPs use `/64` prefix (not `/128`). Corrected in docs.

### Phase 4 ✅ — Update DNS A/AAAA for UDP1

- Updated `udp1` A record: `116.202.176.169` → `116.202.177.184`
- Updated `udp1` AAAA record: `2a01:4f8:1c0c:9aae::1` → `2a01:4f8:1c0c:828e::1`
- Updated `dns-setup.md` to reflect the change

### Phase 5 ✅ — Submission Accepted (Attempt 3)

Three submission attempts were required. Both IPv4 always worked fine; the issue was IPv6-specific.

#### Attempts 1 & 2 — Rejected (UDP timeout)

newTrackon probed via IPv6 (`2a01:4f8:1c0c:828e::1`) and received no response.

#### Attempt 3 — Accepted ✅

```
URL: udp://udp1.torrust-tracker-demo.com:6969/announce
IP: 2a01:4f8:1c0c:828e::1
Result: ✅ Accepted
Response: {'interval': 300, 'leechers': 0, 'peers': [], 'seeds': 1}
```

## Root Causes Fixed

### Root Cause 1 — ufw blocking IPv6 UDP 6969 (primary)

`tcpdump` during a probe showed packets arriving at `eth0` but no replies leaving — meaning the container never processed them. Checking ufw revealed `6969/udp` was absent from the allow list.

Docker bypasses the iptables `INPUT` chain for IPv4 published ports via DNAT rules — which is why IPv4 always worked. But Docker does **not** manage `ip6tables`, so ufw's `default: deny (incoming)` silently dropped all IPv6 UDP 6969 packets.

Fix:

```bash
sudo ufw allow 6969/udp
```

The `ufw` rule is persistent — stored in `/etc/ufw/` and survives reboot.

### Root Cause 2 — asymmetric routing (secondary)

Without policy-based routing, the kernel routes replies via the default route — packets leave via the primary server IP, not the floating IP the probe arrived on. newTrackon discards replies with a mismatched source.

Fix — two custom routing tables, one per floating IP:

```bash
# IPv4 (table 100)
ip route add default via 172.31.1.1 dev eth0 table 100
ip rule add from 116.202.177.184 table 100

# IPv6 (table 200) — was already present from an earlier attempt
# ip -6 route add default via fe80::1 dev eth0 table 200
# ip -6 rule add from 2a01:4f8:1c0c:828e::1 table 200
```

These were initially applied at runtime, then persisted via netplan (see below).

### Persisting Policy Routing via Netplan

The server has two netplan files:

| File | Managed by | Purpose |
|------|-----------|---------|
| `50-cloud-init.yaml` | cloud-init (auto) | Primary interface, DHCP4, primary IPv6, default routes |
| `60-floating-ip.yaml` | manually | Floating IPs + policy routing rules |

The `routing-policy` and per-table `routes` stanzas were added to `60-floating-ip.yaml`:

```yaml
routing-policy:
  - from: 116.202.177.184
    table: 100
  - from: 2a01:4f8:1c0c:828e::1
    table: 200
routes:
  - to: default
    via: 172.31.1.1
    table: 100
  - to: default
    via: fe80::1
    table: 200
```

Applied with `sudo netplan apply`. Rules verified active with `ip rule list` / `ip -6 rule list`.

Full investigation: [`ipv6-udp-tracker-issue.md`](docs/deployments/hetzner-demo-tracker/post-provision/ipv6-udp-tracker-issue.md)

## Files Changed

| File | Change |
|------|--------|
| `docs/deployments/hetzner-demo-tracker/post-provision/ipv6-udp-tracker-issue.md` | New — full investigation, tcpdump/ufw/iptables evidence, confirmed root causes, all fixes including netplan persistence with cloud-init context |
| `docs/deployments/hetzner-demo-tracker/post-provision/newtrackon-prerequisites.md` | New — full fix plan, step-by-step with actual outputs and all 3 submission attempts |
| `docs/deployments/hetzner-demo-tracker/post-provision/dns-setup.md` | Updated — udp1 A/AAAA records, Step 4 section |
| `docs/deployments/hetzner-demo-tracker/post-provision/README.md` | Updated — new entries in post-deployment table |
| `docs/deployments/hetzner-demo-tracker/tracker-registry.md` | Updated — both trackers listed, final state screenshot |
| `docs/deployments/hetzner-demo-tracker/README.md` | Updated — link to newtrackon-prerequisites.md |
| `docs/deployments/hetzner-demo-tracker/prerequisites.md` | Updated — floating IP names |
| `docs/issues/407-submit-udp1-tracker-to-newtrackon.md` | New — issue spec, all tasks complete |
| `docs/deployments/hetzner-demo-tracker/media/newtrackon-submitted-udp1-accepted.png` | New — screenshot of acceptance |
| `docs/deployments/hetzner-demo-tracker/media/newtrackon-home-three-trackers-listed.png` | New — screenshot of newTrackon homepage listing 3 trackers |
| `project-words.txt` | Added `newtrackon`, `ulnp`, `UNCONN`, `tcpdump`, `flowlabel`, `hlim`, `DNAT`, `macaddress` |

## Acceptance Criteria Status

- [x] BEP 34 TXT records present and verified with `dig`
- [x] Two new floating IPs provisioned and assigned
- [x] All four floating IPs configured via netplan
- [x] `udp1.torrust-tracker-demo.com` resolves to new IPs
- [x] `udp://udp1.torrust-tracker-demo.com:6969/announce` listed on newTrackon
- [x] `newtrackon-prerequisites.md` documents prerequisites clearly
- [x] `tracker-registry.md` updated with final submission status
- [x] Policy routing rules persisted in netplan
- [x] Pre-commit checks pass — pending final push

ACKs for top commit:
  josecelano:
    ACK 2fd3a23

Tree-SHA512: 576022f9b83ebe247003b0362a0fc9e79a50cd2ef1c904bc6f782ebc1dd655426ddb664bfcea0fde7078cd6d39a86ace55e813f68b40cb0b4e09bd118ea8d8bf
2 parents 29f5d17 + 2fd3a23 commit 986bc9b
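
The two faults named in the commit message (no `from <floating IP>` policy rule, and no IPv6 allow rule in ufw for the tracker port) can be checked from captured command output. This is an added example, not part of the commit; the function names and both sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit captured output for the two faults described above.

# Constructed `ip rule list` + `ip -6 rule list` output: the IPv4 rule is missing.
SAMPLE_RULES='0: from all lookup local
32766: from all lookup main
32767: from all lookup default
32765: from 2a01:4f8:1c0c:828e::1 lookup 200'

# Constructed `ufw status` output from before `ufw allow 6969/udp`.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Print every floating IP ($2...) that has no "from <ip> lookup <table>" rule in $1.
missing_policy_rules() {
    rules=$1; shift
    for ip in "$@"; do
        printf '%s\n' "$rules" | grep -qF "from $ip lookup" || printf '%s\n' "$ip"
    done
}

# Succeed only if `ufw status` text ($1) has an IPv6 ALLOW line for port/proto ($2).
ufw_allows_v6() {
    printf '%s\n' "$1" | grep -Eq "^$2 \(v6\) +ALLOW"
}

# audit RULES UFW_STATUS PORT/PROTO IP...: report findings, return 1 if any.
audit() {
    a_rules=$1; a_ufw=$2; a_port=$3; shift 3
    rc=0
    for miss in $(missing_policy_rules "$a_rules" "$@"); do
        echo "NO-POLICY-RULE $miss: replies would leave via the default route"
        rc=1
    done
    if ! ufw_allows_v6 "$a_ufw" "$a_port"; then
        echo "UFW-V6-BLOCKED $a_port: ufw drops IPv6 traffic to this port"
        rc=1
    fi
    return "$rc"
}

audit "$SAMPLE_RULES" "$SAMPLE_UFW" 6969/udp \
    116.202.177.184 2a01:4f8:1c0c:828e::1 || true
```

On a live host, pass `"$(ip rule list; ip -6 rule list)"` and `"$(sudo ufw status)"` in place of the sample variables.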

16 files changed

Lines changed: 1418 additions & 39 deletions

docs/deployments/hetzner-demo-tracker/README.md

Lines changed: 3 additions & 1 deletion
@@ -42,7 +42,9 @@ Deploy a public Torrust Tracker demo instance to Hetzner Cloud and document ever
4242
8. [Observations](observations.md) — cross-cutting insights and learnings about the deployer
4343
9. [Maintenance](maintenance/README.md) — post-deployment operational tasks:
4444
- [Secrets rotation](maintenance/secrets-rotation.md) — rotate all secrets after AI-assisted deployment
45-
10. [Tracker Registry](tracker-registry.md) — submit the tracker to public registries (newTrackon)
45+
10. [Tracker Registry](tracker-registry.md) — submit the tracker to public registries (newTrackon):
46+
- [newTrackon Prerequisites](post-provision/newtrackon-prerequisites.md) — BEP 34 DNS TXT records and
47+
unique-IP policy required by newTrackon (needed to list the UDP1 tracker, see [issue #407](https://github.com/torrust/torrust-tracker-deployer/issues/407))
4648
11. [Bugs](bugs.md) — all deployer bugs discovered during this deployment (11 bugs, 1 fixed)
4749
12. [Improvements](improvements.md) — all improvement recommendations collected in one place (13 items)
4850
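Review bot: The new sub-item under entry 10 links only `post-provision/newtrackon-prerequisites.md`, so `ipv6-udp-tracker-issue.md`, which the post-provision README in this same commit lists as step 5, is not reachable from this top-level index. Add a second sub-bullet for it. The ufw and policy-routing findings are what actually got the tracker accepted, and a reader landing here from the registry step will otherwise miss them. The sub-item also wraps mid-sentence onto a continuation line; check that the continuation is indented to the bullet's text column so it does not render as a separate paragraph.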


docs/deployments/hetzner-demo-tracker/post-provision/README.md

Lines changed: 9 additions & 0 deletions
@@ -13,6 +13,15 @@ on the server via SSH.
1313
| 2. Volume Setup | [volume-setup.md](volume-setup.md) | ✅ Done |
1414
| 3. Hetzner Backups | [hetzner-backups.md](hetzner-backups.md) | ✅ Done |
1515

16+
## Post-Deployment Steps
17+
18+
Steps performed after the tracker is running and during ongoing operations:
19+
20+
| Step | Guide | Status |
21+
| --------------------------- | ---------------------------------------------------------- | ------- |
22+
| 4. newTrackon Prerequisites | [newtrackon-prerequisites.md](newtrackon-prerequisites.md) | ✅ Done |
23+
| 5. IPv6 UDP Tracker Issue | [ipv6-udp-tracker-issue.md](ipv6-udp-tracker-issue.md) | ✅ Done |
24+
1625
## Why Before `configure`?
1726

1827
- **DNS**: The `configure` command installs Caddy as a TLS reverse proxy. Caddy uses
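Review bot: The new "Post-Deployment Steps" section is placed directly above "## Why Before `configure`?", and its rows continue the numbering (4, 5) of the pre-configure table, so the rationale heading now appears to cover steps that the added sentence says happen after the tracker is running. Move the new section below the "Why Before `configure`?" explanation, or restart its numbering, so the two phases stay visibly separate.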

docs/deployments/hetzner-demo-tracker/post-provision/dns-setup.md

Lines changed: 41 additions & 16 deletions
@@ -184,20 +184,20 @@ in the Cloud Console are only accessible via the **Hetzner Cloud API** — the o
184184
185185
### Records to Create
186186

187-
| Subdomain | Type | Value |
188-
| --------- | ---- | ----------------------- |
189-
| `http1` | A | `116.202.176.169` |
190-
| `http1` | AAAA | `2a01:4f8:1c0c:9aae::1` |
191-
| `http2` | A | `116.202.176.169` |
192-
| `http2` | AAAA | `2a01:4f8:1c0c:9aae::1` |
193-
| `api` | A | `116.202.176.169` |
194-
| `api` | AAAA | `2a01:4f8:1c0c:9aae::1` |
195-
| `grafana` | A | `116.202.176.169` |
196-
| `grafana` | AAAA | `2a01:4f8:1c0c:9aae::1` |
197-
| `udp1` | A | `116.202.176.169` |
198-
| `udp1` | AAAA | `2a01:4f8:1c0c:9aae::1` |
199-
| `udp2` | A | `116.202.176.169` |
200-
| `udp2` | AAAA | `2a01:4f8:1c0c:9aae::1` |
187+
| Subdomain | Type | Value | Notes |
188+
| --------- | ---- | ----------------------- | ------------------------------- |
189+
| `http1` | A | `116.202.176.169` | |
190+
| `http1` | AAAA | `2a01:4f8:1c0c:9aae::1` | |
191+
| `http2` | A | `116.202.176.169` | |
192+
| `http2` | AAAA | `2a01:4f8:1c0c:9aae::1` | |
193+
| `api` | A | `116.202.176.169` | |
194+
| `api` | AAAA | `2a01:4f8:1c0c:9aae::1` | |
195+
| `grafana` | A | `116.202.176.169` | |
196+
| `grafana` | AAAA | `2a01:4f8:1c0c:9aae::1` | |
197+
| `udp1` | A | `116.202.177.184` | Updated 2026-03-06 (issue #407) |
198+
| `udp1` | AAAA | `2a01:4f8:1c0c:828e::1` | Updated 2026-03-06 (issue #407) |
199+
| `udp2` | A | `116.202.176.169` | |
200+
| `udp2` | AAAA | `2a01:4f8:1c0c:9aae::1` | |
201201

202202
### API Approach
203203
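Review bot: In the rewritten "Records to Create" table, `udp2` (and `http2`) still point at `116.202.176.169` / `2a01:4f8:1c0c:9aae::1`, the same pair as `http1`, while the commit message states that newTrackon enforces one unique IP per tracker. The new Notes column is the natural place to say so: mark the `udp2` rows as sharing the HTTP1 addresses and needing dedicated floating IPs before any registry submission. The table is also headed as records to create yet now carries a dated change, so consider a short line under the heading saying the values reflect the current state.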

@@ -297,6 +297,28 @@ udp1: A=116.202.176.169 AAAA=2a01:4f8:1c0c:9aae::1
297297
udp2: A=116.202.176.169 AAAA=2a01:4f8:1c0c:9aae::1
298298
```
299299

300+
## Step 4: Update DNS Records for UDP1 (2026-03-06)
301+
302+
As part of issue #407 (submitting the UDP1 tracker to newTrackon), the `udp1` A and AAAA records
303+
were updated to point to the new dedicated floating IPs:
304+
305+
| Subdomain | Type | Old value | New value |
306+
| --------- | ---- | ----------------------- | ----------------------- |
307+
| `udp1` | A | `116.202.176.169` | `116.202.177.184` |
308+
| `udp1` | AAAA | `2a01:4f8:1c0c:9aae::1` | `2a01:4f8:1c0c:828e::1` |
309+
310+
Verified with `dig` (2026-03-06):
311+
312+
```text
313+
$ dig A udp1.torrust-tracker-demo.com +short
314+
116.202.177.184
315+
316+
$ dig AAAA udp1.torrust-tracker-demo.com +short
317+
2a01:4f8:1c0c:828e::1
318+
```
319+
320+
`udp1.torrust-tracker-demo.com` now resolves exclusively to the UDP1 floating IPs.
321+
300322
✅ All 12 records resolve correctly globally.
301323

302324
> DNS propagation with Hetzner's nameservers (`helium.ns.hetzner.de`, `hydrogen.ns.hetzner.com`,
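Review bot: The "Step 4" section is inserted between the earlier verification output and the line "✅ All 12 records resolve correctly globally.", so that claim and the propagation note now read as the conclusion of Step 4, whose evidence is two `dig +short` queries for `udp1` only. The preceding output block, visible in the hunk header context, also still reports `udp1: A=116.202.176.169 AAAA=2a01:4f8:1c0c:9aae::1`. Move Step 4 below the "All 12 records" line and the propagation note, and add a sentence that the earlier output predates the 2026-03-06 change. If a global claim is wanted for the new values, show a query against the authoritative nameservers as well as the default resolver.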
@@ -305,8 +327,11 @@ udp2: A=116.202.176.169 AAAA=2a01:4f8:1c0c:9aae::1
305327
306328
## Outcome
307329

308-
✅ All subdomains resolve to `116.202.176.169` (A) and `2a01:4f8:1c0c:9aae::1` (AAAA). DNS
309-
setup is complete. The next step is [volume-setup.md](volume-setup.md).
330+
✅ All subdomains resolve correctly. After the 2026-03-06 update, `udp1.torrust-tracker-demo.com`
331+
resolves to the dedicated `udp1` floating IPs (`116.202.177.184` / `2a01:4f8:1c0c:828e::1`)
332+
while all other subdomains continue to resolve to `116.202.176.169` (A) and
333+
`2a01:4f8:1c0c:9aae::1` (AAAA). DNS setup is complete.
334+
The next step is [volume-setup.md](volume-setup.md).
310335

311336
## Problems
312337
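Review bot: The rewritten Outcome paragraph ends with "The next step is volume-setup.md" right after describing the 2026-03-06 `udp1` update, although volume setup is step 2 of the pre-configure sequence and is already marked done in the post-provision README. Keep the original outcome sentence and next-step pointer together and add the `udp1` change as a separate dated note, so the reading order of the guide is not implied to run through a later operational change. The paragraph also repeats both address pairs already given in the records table; referring to the table would leave one place to update if the floating IPs change again.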
