Deployment guides, BGP walkthroughs, security hardening, and self-hosting patterns for engineers running real KVM workloads.
38
Published guides
Build an automated Restic backup routine with retention, integrity checks, restore drills, and credentials that do not leak into shell history.

Expose useful Linux host metrics safely, scrape them with Prometheus, and alert on disk, memory, load, and filesystem pressure.

Monitor HTTP, TCP, DNS, and certificate expiry from a small VPS, with notifications and a public status page.

Turn a development Compose file into a predictable production stack with pinned images, health checks, limits, secrets, logging, and recoverable data.

Run a Node.js service without a process-manager dependency, proxy it through Nginx, deploy releases atomically, and roll back quickly.

Run a Python FastAPI service in a locked-down virtual environment, supervise it with systemd, and add automatic HTTPS through Caddy.

Keep Redis private, add authentication and ACLs, set memory policy, persist intentionally, and verify that public access is impossible.

A conservative MariaDB tuning method for buffer pools, connections, temporary tables, slow queries, and durability without copying a mystery config.

Create consistent PostgreSQL logical backups, retain roles and schema, verify archives, and rehearse recovery into a disposable database.

Configure A, AAAA, CNAME, MX, TXT, CAA, and reverse DNS records correctly, then verify the authoritative answer before debugging the application.

Configure a static IPv6 address and default route, firewall it properly, publish AAAA records, and test the complete path from outside.

Lower TTLs at the right time, copy changing data, test the new origin before launch, switch records, and keep rollback available.

Replace ad-hoc firewall commands with a readable dual-stack nftables policy for SSH, web traffic, loopback, and established connections.

Reach private servers through one hardened jump host using ProxyJump, agent-safe key handling, restricted firewalls, and auditable SSH configuration.

Configure unattended upgrades, control package origins, schedule a maintenance window, detect required reboots, and verify update failures.

Make journald persistent, cap disk usage, query services efficiently, vacuum old data, and forward important logs off the server.

Recover space safely, find deleted-but-open files, identify runaway logs and Docker layers, then prevent the same disk incident from returning.

Find which process the kernel killed, distinguish memory leaks from cache, add safe swap, set service limits, and fix the workload instead of guessing.

Vaultwarden is a tiny Rust reimplementation of the Bitwarden server. Same official clients, same UX, no monthly bill. Setup with Docker, Caddy, and proper backups.

Production-ready WordPress on Ubuntu 24.04: Nginx, PHP 8.3 FPM, MariaDB, Let's Encrypt. The whole stack in under thirty minutes.

A working WireGuard VPN with one peer config you can scan into your phone. No third-party clients, no telemetry, no monthly bill.

A short security pass that stops 99% of the brute-force noise on a public-IP VPS. SSH keys only, fail2ban, port choice, and what not to bother with.

From cold VPS to a Minecraft server your friends can join, with proper systemd, automated backups, and tuned JVM flags.

Shared hosting is cheap and easy. VPS is more powerful but you run it. The honest decision tree, with real numbers and a bias check.

Replace Dropbox, Google Drive, and Office 365 with one self-hosted Nextcloud instance on a small VPS. Full setup with PostgreSQL, Redis, and proper backups.

Harden a fresh Ubuntu 24.04 VPS in ten minutes. New user, SSH keys, firewall, automatic security updates.

Immich gives you a polished mobile app, AI-powered face and object search, and full control over your photos. Setup with Docker, Postgres, and Caddy on a VPS.

Pi-hole is not just for Raspberry Pis. Running it on a VPS gives you network-wide ad-blocking that works on cellular and away-from-home, via WireGuard.

Caddy gives you HTTPS with no Certbot dance, multi-app reverse proxy in five lines of config, and HTTP/3 by default. Here is the setup we run.

KVM virtualisation runs a real Linux kernel, so Docker behaves like it does on bare metal. Here is the setup that holds up under load.

A working single-user or small-server Mastodon install with Docker, Postgres, Redis, and the federation gotchas that nobody warns you about.

A clean Nginx + Certbot setup that auto-renews, scores A+ on SSL Labs, and survives the next protocol deprecation.

Stop running your bot in tmux. A proper systemd service for a Node.js or Python Discord bot, with logs, restarts, atomic deploys, and instant rollbacks.

From requesting a session to announcing your own ASN's prefix. The non-mystical version, written for engineers running their first BGP edge.

Run your own Tailscale coordination server with Headscale. Same client, same UX, no third-party control plane, no per-seat pricing.

A tuned Postgres 16 install with PgBouncer transaction pooling. The setup that takes a one-developer side project to several thousand connections without changing application code.

Latency is rarely the only thing that matters. A short framework for picking a region: users, regulation, peering, and disaster geography.

Both are excellent. Both come pre-installed on most VPS providers. The differences are real but smaller than the internet pretends. Here is the practical breakdown.