Infrastructure lab / ongoing project

A production-minded cloud, running on Hetzner.

ByteGeist is where I test infrastructure decisions for real: identity, observability, deployments, security, and recovery. It currently runs 26 Docker containers on a single Ubuntu host.

ByteGeist operations dashboard in Grafana
Live operations view: Grafana / Prometheus / cAdvisor
01 26 containers, deployed with Compose
02 Central identity: SSO and 2FA via Authentik
03 Full observability: metrics, logs, and uptime
04 Documented recovery: tested restore procedures

01 / Architecture

One server, treated like a platform.

Public traffic terminates at Nginx Proxy Manager. Authentik handles identity before requests reach protected services. Metrics, logs, CI, and backups remain separate concerns, so each can fail or change without taking the whole stack with it.

Detailed ByteGeist infrastructure architecture diagram
Current architecture — updated as services are added or retired.
Access

Authenticate once

OIDC where supported; forward auth for services that do not speak it natively.

Operations

Make failures visible

Host and container metrics, centralized logs, and independent uptime checks.

Recovery

Assume the host is replaceable

Configuration lives in Git. Persistent data is backed up with rebuild notes.

02 / Selected systems

The parts I spend time on.

Not a catalog of logos—a record of what is running, why it exists, and what I learned building it.

01

Useful signals before pretty dashboards.

Prometheus collects host and container metrics while Loki receives logs through Grafana Alloy. The dashboards answer practical questions: what is down, what changed, and which container is consuming the host.

  • Grafana
  • Prometheus
  • Loki
  • Alloy
Grafana infrastructure metrics dashboard
Centralized container logs in Grafana

02

One identity layer, fewer exposed edges.

Authentik provides SSO, OIDC, forward auth, and 2FA across eleven applications. CrowdSec watches for hostile traffic and turns it into firewall decisions; key-only SSH, UFW, and TLS cover the rest of the host's edge.

  • Authentik
  • CrowdSec
  • UFW
  • Let's Encrypt
Applications protected by Authentik
CrowdSec security decisions
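The "key-only SSH" above is only true if the effective sshd configuration says so. The following audit is an added example, not ByteGeist's own tooling and not part of CrowdSec or UFW; the config text it checks is constructed inline, and the required values are my choices. It respects two sshd rules that trip people up: for each keyword sshd uses the first value it reads (later duplicates are ignored), and settings under a `Match` block apply only to that match, so the audit keeps the first global value and stops at the first `Match`.

```python
"""Audit the global sshd settings behind a key-only SSH posture.

Added example, not ByteGeist's tooling. Config text is constructed inline.
"""
import re

# Global values we require (my choices). PermitRootLogin is held to "no";
# relax to "prohibit-password" only if root really needs a key.
REQUIRED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",
    "permitemptypasswords": "no",
}

# What OpenSSH assumes when the keyword is absent. Two of these are unsafe
# for a key-only host, so silence in the file is itself a finding.
OPENSSH_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}

_LINE = re.compile(r"^(\w+)\s*=?\s*(\S.*)$")  # "Keyword value" or "Keyword=value"


def parse_global_settings(text: str) -> dict[str, str]:
    """Return keyword -> first value seen (lower-cased keys), up to the first Match block."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                        # everything after this is conditional
        settings.setdefault(key, value)  # first value wins, as in sshd
    return settings


def audit_sshd_config(text: str) -> list[str]:
    """One finding per keyword whose effective value is not the required one."""
    effective = parse_global_settings(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = effective.get(key, OPENSSH_DEFAULTS[key])
        if actual.lower() != wanted:
            origin = "set in file" if key in effective else "OpenSSH default"
            findings.append(f"{key}: {actual!r} ({origin}), want {wanted!r}")
    return findings


# Constructed sample: looks hardened, but leaves keyboard-interactive auth at
# its default and carries a duplicate line that sshd would ignore.
ALMOST_HARDENED = """\
# constructed sample, not a real host's config
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# the duplicate below is ignored by sshd: first value wins
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""

HARDENED = ALMOST_HARDENED.replace(
    "PubkeyAuthentication yes",
    "PubkeyAuthentication yes\nKbdInteractiveAuthentication no",
)

if __name__ == "__main__":
    for name, cfg in (("almost", ALMOST_HARDENED), ("hardened", HARDENED)):
        print(name, audit_sshd_config(cfg) or "ok")
```

On a live host, feed it the output of `sshd -T` rather than the file: that resolves `Include` drop-ins (Ubuntu ships `Include /etc/ssh/sshd_config.d/*.conf` at the top, so a drop-in can precede the main file) and prints effective values in the lower-case `keyword value` form the parser already accepts.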

03

Code and delivery stay in-house.

Gitea stores infrastructure code and documentation. Woodpecker runs repository-linked pipelines, including the build and deployment path for this site.

  • Gitea
  • Woodpecker CI
  • Docker
  • Git
Self-hosted Gitea dashboard
Successful Woodpecker CI pipeline

04

The boring work is part of the system.

Dashy keeps service access legible. The wiki records inventory, DNS, restore order, backup validation, and the steps required to rebuild the environment from a clean host.

  • Dashy
  • Wiki.js
  • Restic
  • Runbooks
ByteGeist internal service portal
ByteGeist disaster recovery runbook

03 / Lessons

What actually took work.

01

OIDC is mostly careful bookkeeping.

Redirect URIs, claims, group mapping, and user provisioning all need to agree across both ends.
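The bookkeeping on the relying-party side, as an added example that is not Authentik's code and not ByteGeist's. The client registration, the group-to-role table and the ID token claims are constructed inline; the issuer URL, client_id and group names are assumptions. Signature and expiry checks belong to the OIDC library and are assumed to have passed before these run. Two of the checks are where the "both ends must agree" point bites: the redirect URI must match byte-for-byte (a prefix match is shown beside it only to demonstrate what it lets through), and a missing groups claim must be reported rather than silently mapped to a default role.

```python
"""Relying-party checks for OIDC redirect URIs, claims and group mapping.

Added example, not Authentik's or ByteGeist's code. All values are constructed.
"""
ISSUER = "https://auth.example.internal/"          # assumed issuer URL
ALLOWED_ORIGIN = "https://grafana.example.internal"  # assumed app origin

# Constructed registration of one client, as entered on the provider side.
CLIENT = {
    "client_id": "grafana",
    "redirect_uris": {ALLOWED_ORIGIN + "/login/generic_oauth"},
}

# Constructed mapping from provider group names to application roles,
# most privileged first so the first hit wins.
GROUP_TO_ROLE = [
    ("grafana-admins", "Admin"),
    ("grafana-editors", "Editor"),
]
DEFAULT_ROLE = "Viewer"


def redirect_uri_is_registered(client: dict, redirect_uri: str) -> bool:
    """Exact string comparison, as the OAuth 2.0 Security BCP requires."""
    return redirect_uri in client["redirect_uris"]


def redirect_uri_prefix_match(redirect_uri: str) -> bool:
    """The classic mistake, kept only to show what it accepts: any host that
    merely begins with the allowed origin passes."""
    return redirect_uri.startswith(ALLOWED_ORIGIN)


def check_claims(claims: dict, client_id: str, issuer: str = ISSUER) -> list[str]:
    """Problems with the claims the application relies on (empty list means ok)."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the configured issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not include this client_id")
    for required in ("sub", "email", "groups"):
        if required not in claims:
            problems.append(f"missing claim: {required}")
    return problems


def role_for(claims: dict) -> str:
    """Map the groups claim to one application role; unknown groups are ignored."""
    groups = set(claims.get("groups", []))
    for group, role in GROUP_TO_ROLE:
        if group in groups:
            return role
    return DEFAULT_ROLE


# Constructed ID token payload, as seen after signature verification.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": "grafana",
    "sub": "user-0001",
    "email": "ops@example.internal",
    "groups": ["grafana-editors", "wiki-users"],
}

if __name__ == "__main__":
    evil = ALLOWED_ORIGIN + ".evil.example/login/generic_oauth"
    print("exact match accepts attacker URI:", redirect_uri_is_registered(CLIENT, evil))
    print("prefix match accepts attacker URI:", redirect_uri_prefix_match(evil))
    print("claim problems:", check_claims(SAMPLE_CLAIMS, "grafana"))
    print("role:", role_for(SAMPLE_CLAIMS))
```

The order matters: run `check_claims` before `role_for`, because a token without a groups claim (scope not requested, or the provider not configured to emit it) would otherwise quietly demote every admin to the default role, which is the kind of mismatch that only shows up as a support ticket.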

02

Backups are unfinished until restore is documented.

I track data location, dependencies, restore order, DNS, certificates, and validation—not just archive jobs.
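A restore drill in code, as an added example that is not ByteGeist's runbook and not restic: the volume is backed up, restored into a fresh directory, and the result compared against a manifest recorded before the backup ran. `tarfile` stands in for the backup tool so the drill runs offline, and the sample volume is constructed inline; with restic the `backup` and `restore` functions would wrap `restic backup` and `restic restore`, while the manifest comparison stays as it is.

```python
"""Restore drill: validate a backup by restoring it and diffing against a manifest.

Added example, not ByteGeist's runbook. tarfile stands in for restic.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Relative path -> sha256 of content for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(expected: dict, restored: dict) -> dict[str, list[str]]:
    """What the restore lost, altered, or added relative to the recorded manifest."""
    return {
        "missing": sorted(k for k in expected if k not in restored),
        "changed": sorted(k for k in expected if k in restored and expected[k] != restored[k]),
        "extra": sorted(k for k in restored if k not in expected),
    }


def backup(src: Path, archive: Path) -> None:
    """Stand-in for `restic backup`: archive the whole volume."""
    with tarfile.open(archive, "w:gz") as tf:
        tf.add(src, arcname=".")


def restore(archive: Path, dest: Path) -> None:
    """Stand-in for `restic restore`: extract into a fresh directory."""
    with tarfile.open(archive, "r:gz") as tf:
        try:
            tf.extractall(dest, filter="data")  # refuses members that escape dest
        except TypeError:                       # Python without the extraction-filter backport
            tf.extractall(dest)


def make_sample_volume(root: Path) -> None:
    """Constructed stand-in for one service's persistent volume."""
    (root / "db").mkdir(parents=True)
    (root / "db" / "app.sqlite").write_bytes(b"constructed database bytes")
    (root / "config.yml").write_text("listen: 127.0.0.1:8080\n")
    (root / "uploads").mkdir()
    (root / "uploads" / "avatar.png").write_bytes(b"\x89PNG constructed")


def restore_drill(tamper: bool = False) -> dict[str, list[str]]:
    """Back up the sample volume, restore it elsewhere, and report the differences.

    tamper=True corrupts one restored file, proving the validation can actually fail.
    """
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        data, archive, restored = work / "data", work / "backup.tar.gz", work / "restored"
        make_sample_volume(data)
        expected = manifest(data)  # keep this next to the runbook, not only inside the archive
        backup(data, archive)
        restored.mkdir()
        restore(archive, restored)
        if tamper:
            (restored / "db" / "app.sqlite").write_bytes(b"truncated")
        return compare_manifests(expected, manifest(restored))


if __name__ == "__main__":
    print("clean restore:", restore_drill())
    print("tampered restore:", restore_drill(tamper=True))
```

The manifest is what turns "the archive job ran" into "the data came back": it is recorded from the live volume before the backup, stored with the restore order and DNS notes rather than inside the backup set, and any non-empty `missing` or `changed` list fails the drill. For a database the file hash is a necessary check, not a sufficient one; the runbook step after this is starting the service against the restored volume.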

03

Observability has to support a decision.

A smaller dashboard that explains an incident is more useful than a wall of metrics nobody checks.

04

Convenience can weaken the boundary.

Every exposed service has a cost. SSO, least privilege, and fewer public endpoints keep that cost explicit.

Project notes

This environment is still changing.

I use ByteGeist to practice the parts of infrastructure work that tutorials tend to skip: upgrades, failure modes, access policy, noisy logs, and recovery.

Open the documentation