portfolio · v3 · 2026

Self-Hosted. Independent. Relentless. 

I rent metal and configure it myself. No managed services, no abstraction layers — just systemd, nftables, and a lot of late nights reading logs.

01 · synopsis

About

Some background. Less marketing, more specifics.

bio.txt

I’m 19, based in Germany, and I’ve been running my own infrastructure since I was 14 — back then it was a Minecraft server on a hand-me-down desktop in my bedroom. Today it’s one dedicated server plus a handful of VMs scattered across hosters, running everything I care about: my mail, my files, my chat backends, and this site.

The reason I run my own stack isn’t ideology — it’s that managed services keep surprising me. Pricing pages change. Free tiers disappear. APIs deprecate without notice. My setup hasn’t surprised me in a year.

What I actually enjoy: tracing a slow request from the edge through nginx, into the container, into postgres, and finding out it was a missing index the whole time. That’s the part nobody outsources.


Black-box services are just outages you haven’t noticed yet.

DE
based · germany
since 2018
fully self-hosted infrastructure

02 · stack

Technologies

What’s actually running on node01 right now.

Linux (Debian): stable. no surprise upgrades. [os · base layer]
Proxmox VE (KVM + LXC): kvm + lxc on one host. no enterprise lock-in. [hypervisor]
Docker (containers): isolation without a vm per service. [runtime]
Portainer (orchestration UI): i forget docker compose flags. ui solves that. [control plane]
Nginx (tls + routing): configs i can read out loud. no caddy magic. [reverse proxy]
Cloudflare (dns + waf): free ddos shield. no contract. [edge layer]
Git (scm): version control for /etc, not just code. [version control]
PostgreSQL / MySQL: mysql for legacy. pg for everything new. [primary store]
Redis (in-memory kv): when i need cache and queue from one process. [cache · queue]
WireGuard (kernel · udp): openvpn is dead. kernel-level mesh. [vpn · tunnel]
Fail2Ban (log scan): ~300 banned ips/day on ssh alone. [brute-force shield]
Let’s Encrypt (certbot · acme): certbot in cron. never expired. [tls automation]
Grafana + influxdb: without a dashboard the setup is flying blind. [observability]

03 · approach

Philosophy

Three things I’ve learned the hard way.

01

Boring infrastructure wins.

My stack looks unimpressive on paper: Debian, systemd, nginx, postgres. Nothing webscale, nothing trending. It’s also the stack I haven’t had to wake up for in eight months. That’s not a coincidence — it’s the whole point.

02

Less code, less work, eventually.

Every service I add is a thing I’ll have to update, back up, monitor, debug at 2am. Before installing anything new, I check whether a cron job and 20 lines of bash would do it. About half the time, they would. The other half I usually regret.

03

Logs only help if you read them.

fail2ban blocks attempts. nginx logs requests. influxdb stores metrics. None of that protects me if I’m not looking. Once a week I go through the WARN-and-above lines — that’s where the next incident is hiding, three days before it pages me.

04 · channels

Contact

Pick a transport.