The platform behind the portfolio

Every game, web app, and SaaS prototype on this site is deployed by one person to a self-operated production cluster. This page describes the platform that makes that sustainable.

2K3s clusters
16+deployed services
~30public hostnames
1command to deploy

Operating posture

Production runs on a single Hetzner VPS with K3s + Traefik + cert-manager. A second mirrored K3s cluster on a staging laptop, reachable over WireGuard, is a true pre-production environment — same container images, same Kubernetes manifests, same observability stack. Differs only in hostnames and certificates.

One-command deploys

manage.sh deploy <service> builds, pushes, digest-pins, and rolls out to both clusters. The git manifest, the server manifest, and the running pod always show the same SHA.

Cluster parity check

manage.sh sync diffs every deployment, ConfigMap, secret, and ingress between staging and production. Zero-drift is the default state, not the goal.

Immutable image registry

Self-hosted Docker registry with htpasswd auth. Every push is content-addressed; rollbacks are a single kubectl set image away.

Disaster recovery

Encrypted, round-trip-tested backups synced nightly to a second machine. Bootstrap from bare metal is two commands.

Quality automation

The cost of solo-operating this many services is paid by automation: end-to-end tests run nightly inside the cluster against production, results land in my inbox before 7am.

In-cluster E2E canary

Playwright suite runs from inside each cluster every night at 04:00 UTC. Sidesteps every dev-machine networking limitation. Reports upload to in-cluster object storage; summary emails go out automatically.

Cross-portfolio smoke tests

Every deployed web app gets a smoke probe against production every morning. Failures email me a paste-block with enough context to triage without opening a browser.

Daily environment report

A single email at 06:30 UTC summarizes cluster health, last night's E2E pass/fail, alert state, cluster-parity drift, and overdue credentials.

Per-service quality gates

Lint, unit tests, security audits, and YAGNI dead-code checks all run via shared local infrastructure with a feedback loop — no commit is shipped without them green.

Observability

Prometheus + Grafana + Loki stack, deployed via the standard kube-prometheus-stack chart. Dashboards are provisioned from version-controlled ConfigMaps — including custom ones for E2E canary activity, cluster-parity diffs, and the live cron schedule.

Security & credential hygiene

A YAML credential inventory tracks every secret in the stack — DB passwords, API keys, Keycloak admin, NuGet publish tokens, mailbox passwords, infrastructure SSH. Each has a rotation cadence and an executable rotation command. A weekly cron emails when anything is overdue.

Why solo?

The platform is intentionally one person's responsibility. Every choice — single-command deploys, mirrored clusters, automated daily reports, executable runbooks — exists because there is no on-call rotation to absorb operational friction. Engineering decisions optimize for "future me, at 6am, with no context" rather than for a team that doesn't exist.

The result: prod uptime is high enough that I haven't been paged at night in months. New services ship in an afternoon. When something does break, the daily report tells me about it before I open my laptop.

Curious about a specific piece? Email me.
No live operational data is exposed on this page by design. Internal monitoring lives on the cluster.