The Challenge
Managing dozens of services without losing control
Running a software company means running infrastructure. Not just for client projects, but for the company itself: team communication, email, project management, SSO, version control, CI/CD, monitoring, documentation, automation, and security tooling. Each one is a service that needs to be deployed, updated, monitored, and secured.
The challenge was not deploying 60 services — any sysadmin can run Docker containers. The challenge was doing it in a way that is secure, observable, maintainable, and doesn't require a full-time ops team. Every service needed to be behind SSO, monitored for uptime and anomalies, backed up, and protected from external and internal threats.
The Solution
Docker orchestration with defense-in-depth
We architected a centralized infrastructure platform on Hetzner Cloud, using Docker Compose for service orchestration, Caddy as the reverse proxy, and Cloudflare Tunnels for zero-trust network access. Every service is containerized, every endpoint is authenticated, and every log is centralized.
The key architectural decision was choosing Cloudflare Tunnels instead of exposing services directly to the internet. No ports are opened on the server. All traffic flows through encrypted tunnels, authenticated at the edge by Cloudflare Access before it ever reaches the application layer. This eliminates entire categories of attack vectors.
"Zero open ports. Every request authenticated at the edge. That's not aspirational — that's how the production server runs right now."
Infrastructure
The server and its architecture
The primary corporate server runs on a Hetzner CPX52 instance — 12 vCPU cores, 22 GB RAM, and 451 GB SSD. This single machine runs 62+ Docker containers, each isolated with resource limits and health checks.
Services
What runs on this infrastructure
- Authentik (SSO): Centralized single sign-on for every internal service. SAML, OIDC, and LDAP support. Every team member uses one identity across all tools.
- Mattermost (Team Chat): Self-hosted team communication with channels, threads, file sharing, and integrations. No data leaves the company's servers.
- Mailcow (Email): Full email server with 17 mailboxes and 6 aliases on the company domain. SPF, DKIM, and DMARC configured for maximum deliverability.
- Gitea (Git): Self-hosted Git with CI/CD runners, package registry, and issue tracking. All source code stays on company-controlled infrastructure.
- n8n (Automation): Visual workflow automation connecting internal services, triggering alerts, processing webhooks, and automating repetitive operations tasks.
- Graylog (Log Management): Centralized log aggregation from all 62+ containers. Structured search, dashboards, and alerting rules for anomaly detection.
- Wazuh (IDS/SIEM): Host-based intrusion detection system monitoring file integrity, detecting rootkits, analyzing logs, and correlating security events in real-time.
- Beszel (Monitoring): Real-time resource monitoring for all containers and the host system. CPU, memory, disk, and network metrics with historical data and alerting.
- Kimai (Time Tracking): Project time tracking and reporting for the team. Integrated with project management for accurate billing and resource allocation.
- Docmost (Documentation): Internal knowledge base and documentation platform. Team wikis, technical docs, and runbooks — all version-controlled and searchable.
Security
Defense-in-depth, not security theater
- Cloudflare Access: Zero-trust network access. Every request is authenticated at Cloudflare's edge before reaching the server. No service is accessible without identity verification.
- fail2ban: Automated IP banning for brute-force attempts on SSH and exposed endpoints. Configured across all servers with shared ban lists.
- Wazuh IDS: File integrity monitoring (FIM), rootkit detection, log-based intrusion detection, and real-time alerting for security events.
- AIDE: Advanced Intrusion Detection Environment for filesystem integrity checking. Detects unauthorized changes to system files and configurations.
- UFW + DOCKER-USER iptables: Custom firewall rules that work correctly with Docker's network stack. UFW alone is insufficient because Docker bypasses it — DOCKER-USER chain rules enforce network policy at the container level.
- SSH hardening: Key-only authentication, disabled root login, non-standard ports, and connection rate limiting. Every SSH session is logged and monitored.
Results
Stable, secure, and fully observable
The infrastructure maintains 99.99% uptime with 25 active monitors tracking every service. Real-time alerting catches issues before they affect the team. Centralized logging provides complete audit trails for security and compliance. Automated backups run on schedule with verified restore procedures.
The entire stack is managed by a small team without dedicated operations staff. Docker Compose files are version-controlled, updates follow a tested deployment procedure, and rollbacks are a single command. This is enterprise-grade infrastructure without enterprise-grade overhead.
Related Services