The IT infrastructure is based on a modern, containerized approach that prioritizes scalability, security, and maintainability. All services are managed as Infrastructure as Code (IaC).
1. Project Description
The project involves the operation and further development of my professional business IT infrastructure on a VPS (Virtual Private Server). The goal is to provide high-availability services for business operations, collaboration, and document management while adhering to strict security standards and data protection guidelines. The entire stack is organized modularly in Docker containers and secured by a central reverse proxy.
2. IT Architecture and Technologies
Base Infrastructure (VPS & Docker)
- Host System: Linux VPS, managed with Docker and Docker Compose.
- Orchestration: Each service (microservice architecture) resides in its own directory with a dedicated compose.yaml. This decouples dependencies and simplifies updates.
- Networking: A central Traefik network connects the containers, while internal services (databases, Redis) remain isolated.
- Ingress / Reverse Proxy: Traefik serves as the central entry point (edge router). It handles:
  - Automatic routing based on Docker labels.
  - SSL/TLS termination (automatic certificates via Let’s Encrypt).
  - Middleware handling (security headers, HSTS, redirects).
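The following two compose files show how the pieces above fit together: Traefik as the only container with published ports, routing and TLS declared on the Nextcloud service through labels, and the database kept on an internal-only network. This is an added example written for this page, not the author's own configuration; the hostnames, e-mail address, network names and file paths are placeholders.

```yaml
# --- ./traefik/compose.yaml (added example; all names are placeholders) ---
services:
  traefik:
    image: traefik:v3.1
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false   # only containers that opt in with traefik.enable=true are routed
      - --providers.docker.network=proxy
      - --entryPoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --entryPoints.web.http.redirections.entryPoint.to=websecure     # plain HTTP is redirected, never served
      - --entryPoints.web.http.redirections.entryPoint.scheme=https
      - --certificatesResolvers.le.acme.email=admin@example.com
      - --certificatesResolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesResolvers.le.acme.tlsChallenge=true
      - --accessLog.filePath=/var/log/traefik/access.log               # later consumed by the log-based IPS
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro   # read-only mount, but still full Docker API access: keep this container minimal
      - ./letsencrypt:/letsencrypt                     # acme.json must be mode 600
      - ./logs:/var/log/traefik
    networks: [proxy]

networks:
  proxy:
    external: true   # created once on the host: docker network create proxy
---
# --- ./nextcloud/compose.yaml (added example) ---
services:
  app:
    image: nextcloud:stable
    networks: [proxy, backend]   # reachable by Traefik, can reach the database
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`cloud.example.com`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=le"
      - "traefik.http.routers.nextcloud.middlewares=sec-headers"
      # security-header middleware defined right on the service
      - "traefik.http.middlewares.sec-headers.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.sec-headers.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.sec-headers.headers.stsPreload=true"
      - "traefik.http.middlewares.sec-headers.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.sec-headers.headers.frameDeny=true"
      - "traefik.http.middlewares.sec-headers.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.sec-headers.headers.referrerPolicy=no-referrer"

  db:
    image: postgres:16
    networks: [backend]          # no proxy network, no published ports: unreachable from outside
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets: [db_password]

networks:
  proxy:
    external: true
  backend:
    internal: true               # containers on this network get no route to the internet

secrets:
  db_password:
    file: ./secrets/db_password
```

The two properties worth checking after `docker compose up`: `docker ps` should list published ports only for the Traefik container, and `docker network inspect nextcloud_backend` should show the `internal` flag, so a compromised database container cannot call out. The Docker socket mount is the most sensitive line in the file; a socket proxy that only allows the read-only endpoints Traefik needs is the usual hardening step.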
Nextcloud & Talk (Performance Optimization)
Nextcloud serves as the central collaboration platform. For Nextcloud Talk, reliable, high-performance calls are ensured by dedicated components:
- High Performance Backend (HPB) / Signaling Server:
  - Use of the aio-talk container (signaling server).
  - Advantage: Relieves the Nextcloud PHP server of the signaling load for audio/video calls and enables significantly more simultaneous connections than the standard PHP backend.
- TURN/STUN Server:
  - The Talk container exposes port 3478 (UDP/TCP) directly.
  - Function: Enables WebRTC connections even behind strict firewalls or NAT (Network Address Translation), which is essential for reliable calls (relaying).
- High Performance Files (Notify Push):
  - Use of the notify_push service.
  - Function: Clients receive file changes and notifications in real time via WebSockets instead of periodically polling the server. This greatly reduces server load and increases responsiveness (“snappiness”).
- Caching: Redis ensures fast transactional file locking and caching.
Backup Strategy
Data backup follows the 3-2-1 rule and is fully automated:
- Tool: Borgmatic (wrapper for BorgBackup) in a Docker container.
- Process:
  - Pre-backup Hooks: Automatic creation of database dumps (PostgreSQL pg_dumpall, MySQL dumps) before the backup run.
  - Deduplication & Compression: Data chunks are efficiently deduplicated, saving storage space and minimizing backup time.
  - Encryption: All backups are client-side encrypted (repokey mode).
  - Target: Backup to external storage (e.g., Storage Box / remote VPS) via SSH.
- Recovery: Documented restore processes (howto.md) enable quick recovery of individual files or entire databases.
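A borgmatic configuration that implements the process above (database hooks before the run, client-side repokey encryption, SSH target, retention, and the Healthchecks.io ping described later under Automation & Monitoring). This is an added example in the flat layout of borgmatic 1.8 and later, not the author's own config; the repository URL, container hostnames, secret paths and the ping UUID are placeholders.

```yaml
# /etc/borgmatic/config.yaml (added example; placeholders throughout)
source_directories:
  - /srv/docker            # compose files, bind-mounted volumes and config of every service
  - /srv/backup/dumps      # directory where borgmatic writes the database dumps

repositories:
  - path: ssh://u123456@u123456.your-storagebox.de:23/./backups/vps
    label: storagebox

# Repokey mode: the encryption key is stored inside the repository, protected by
# the passphrase below. Export the key (borgmatic key export) and keep it off the
# VPS; without key and passphrase the archives cannot be read, by anyone.
encryption_passcommand: cat /run/secrets/borg_passphrase
compression: zstd
ssh_command: ssh -i /root/.ssh/borg_ed25519 -o StrictHostKeyChecking=yes

# Pre-backup hooks: dumps are created before "borg create" runs and removed afterwards.
postgresql_databases:
  - name: all              # "all" uses pg_dumpall, so roles and globals are included
    hostname: postgres     # service name on the internal Docker network
    username: postgres
    password: ${POSTGRES_PASSWORD}
mysql_databases:
  - name: all
    hostname: mariadb
    username: root
    password: ${MYSQL_ROOT_PASSWORD}

# Retention: prune to 7 daily, 4 weekly and 6 monthly archives after each run.
keep_daily: 7
keep_weekly: 4
keep_monthly: 6

# Consistency checks: cheap repository check every run, full archive check every two weeks.
checks:
  - name: repository
  - name: archives
    frequency: 2 weeks

# Dead man's switch: borgmatic pings the start, success and failure endpoints of
# the check, so a backup that never starts is reported just like one that fails.
healthchecks:
  ping_url: https://hc-ping.com/00000000-0000-0000-0000-000000000000
```

The repository is created once with `borgmatic init --encryption repokey`; afterwards a nightly `borgmatic` run from cron does create, prune and check. Restores follow the same config: `borgmatic extract --archive latest --path srv/docker/nextcloud` for files, `borgmatic restore --archive latest` to replay the database dumps. A restore drill on a scratch host is what proves that the key export and passphrase actually work.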
Security & Firewall (CrowdSec)
Security is proactively ensured through an Intrusion Prevention System (IPS):
- CrowdSec: Analyzes logs from Traefik, Nextcloud, and other services in real time.
- How it works:
  - Detects attack patterns (brute force, port scans, HTTP floods).
  - Dynamically blocks malicious IPs at the network level (via the iptables/nftables bouncer) or at the application level.
  - Shares threat data with the community (community blocklist) to preemptively block known attackers.
- Configured via acquis.yaml and Docker labels.
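The three files below wire up the detection side (log acquisition) and the enforcement side (firewall bouncer) described above: the CrowdSec agent reads the Traefik, Nextcloud and host SSH logs read-only, and a bouncer on the host turns decisions into nftables rules. This is an added example, not the author's configuration; container names, paths, the named volume and the API key are placeholders.

```yaml
# --- ./crowdsec/compose.yaml (added example; names and paths are placeholders) ---
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
      # collections bundle the parsers and scenarios for each log source
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/nextcloud crowdsecurity/linux"
    volumes:
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - ./data:/var/lib/crowdsec/data
      - ../traefik/logs:/var/log/traefik:ro        # Traefik access log, read-only
      - nextcloud_data:/var/log/nextcloud:ro       # Nextcloud data dir holds nextcloud.log (placeholder volume)
      - /var/log/auth.log:/var/log/auth.log:ro     # host sshd log, read-only
    ports:
      - "127.0.0.1:8080:8080"   # local API for the bouncer, never published on a public interface
    networks: [proxy]

volumes:
  nextcloud_data:
    external: true

networks:
  proxy:
    external: true
---
# --- ./crowdsec/acquis.yaml: one YAML document per log source ---
filenames:
  - /var/log/traefik/access.log
labels:
  type: traefik
---
filenames:
  - /var/log/nextcloud/nextcloud.log
labels:
  type: nextcloud
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
# --- /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml on the host ---
mode: nftables
api_url: http://127.0.0.1:8080/
api_key: REPLACE_WITH_KEY_FROM_cscli_bouncers_add   # docker exec crowdsec cscli bouncers add firewall-bouncer
update_frequency: 10s
log_mode: file
log_dir: /var/log/
deny_action: DROP
```

After a few minutes of traffic, `docker exec crowdsec cscli metrics` shows whether each acquisition source is actually being parsed (a source with zero parsed lines usually means a wrong path or log format), and `cscli decisions list` shows the active bans the bouncer is enforcing. Keeping the local API bound to 127.0.0.1 matters because the bouncer key grants the right to read every decision.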
Automation & Monitoring
The system state is continuously monitored (observability):
- Metrics (Prometheus & Node Exporter): Collects system metrics (CPU, RAM, Disk I/O) and container metrics (Traefik statistics).
- Visualization (Grafana): Dashboards for graphical evaluation of the load.
- Uptime Monitoring (Uptime Kuma): Checks the reachability of external services (HTTP/TCP checks) and alerts on failures.
- Cron-Job Monitoring (Healthchecks.io): Monitors whether scheduled tasks (e.g., the nightly backup run) ran successfully (“dead man’s switch”). If the “ping” is missing, an alert is triggered.
- GitOps Approach: Configurations are versioned in a Git repository; changes are documented there and deployed from it.
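A minimal Prometheus setup matching the metrics part of the stack above: scraping Node Exporter for host metrics and Traefik's built-in Prometheus endpoint for request statistics, plus two alert rules that Grafana or Alertmanager can pick up. This is an added example, not the author's files; service names, ports and thresholds are placeholders.

```yaml
# --- ./monitoring/prometheus.yml (added example; names and ports are placeholders) ---
global:
  scrape_interval: 15s
  evaluation_interval: 15s

rule_files:
  - /etc/prometheus/rules.yml

scrape_configs:
  - job_name: node
    static_configs:
      - targets: ["node-exporter:9100"]   # host CPU, RAM, disk I/O
  - job_name: traefik
    static_configs:
      - targets: ["traefik:8082"]         # Traefik started with:
                                          #   --metrics.prometheus=true
                                          #   --entryPoints.metrics.address=:8082
                                          #   --metrics.prometheus.entryPoint=metrics
---
# --- ./monitoring/rules.yml ---
groups:
  - name: host
    rules:
      - alert: RootFilesystemLowSpace
        # free space on / below 10 % for ten minutes; tmpfs and overlay mounts are excluded
        expr: >
          node_filesystem_avail_bytes{mountpoint="/",fstype!~"tmpfs|overlay"}
            / node_filesystem_size_bytes{mountpoint="/",fstype!~"tmpfs|overlay"} < 0.10
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Less than 10% free on / of {{ $labels.instance }}"
  - name: ingress
    rules:
      - alert: TraefikHighErrorRate
        # more than 5 % of responses were 5xx over the last five minutes
        expr: >
          sum(rate(traefik_service_requests_total{code=~"5.."}[5m]))
            / sum(rate(traefik_service_requests_total[5m])) > 0.05
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "5xx rate above 5% across Traefik services"
```

Both scrape targets are reached over the internal Docker network only; the metrics entry point on Traefik and the Node Exporter port should never be routed through the public edge router, since they expose hostnames, service names and load figures. `promtool check rules rules.yml` validates the rule file before it is committed to the Git repository.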