Skip to content
YYefrixLab

Case study · Infrastructure & DevOps

Bastion: a hardened self-hosted app fleet

One mini PC running a production fleet: reverse proxy, automatic TLS, 2FA gateway, monitoring, alerting, backups and a dozen apps, at 99.9% uptime.

Industry
Platform engineering
Timeline
ongoing operation
Year
2026
Services
DevOps, Security hardening, Monitoring

The problem

The default answer to “where do we run this” has become a stack of cloud subscriptions, each billing monthly, each holding a slice of your data, each a separate security story. For a fleet of internal tools and products, that is rented complexity. The alternative everyone warns you about, self-hosting, fails in practice for one reason: it is usually done as a hobby, not as operations.

What we built

A production-grade platform on owned hardware, operated like it matters. Every application deploys the same way and inherits the same security and observability baseline:

  • One front door. A Traefik reverse proxy terminates TLS for every app with automatic Let’s Encrypt issuance and renewal, HSTS, security headers and rate limiting applied fleet-wide by middleware, not per-app goodwill.
  • Defense in depth. Key-only SSH with fail2ban jails, a Telegram-code 2FA gateway in front of admin surfaces, per-app network isolation so databases are never reachable from the proxy network, and secrets confined to per-app env files.
  • Monitoring that assumes failure. Three independent layers: host metrics with alerting, black-box uptime checks on every service, and a security monitor sweeping for brute-force attempts, resource exhaustion and dead containers every five minutes. Everything escalates to Telegram within moments.
  • Deploys as a pattern, not an art. Each app is a git repo with a compose file and a production overlay. Deployment is pull, build, up. The pattern is documented well enough that an AI agent executes it unassisted.

Outcome

Measured 99.9% uptime, monthly hosting cost near the electricity bill, and a compounding asset: every new product launches into an environment where TLS, auth, monitoring and backups already exist. This fleet is also our proof of competence: when we say “we will deploy and operate it”, this is what operation means.

Got a project that "just needs to ship"?

Tell me what you are building, what is blocking it, and when you need it live. You will get an honest answer about scope, cost, and timeline within 24 hours. No discovery-call theater.