Infrastructure Deployment & Operations

Self-Hosted Application Platform

Private self-hosted application platform for deploying and operating custom and third-party Docker apps with health-checked releases, proxy routing, isolated data services, automated backups, security reporting, and repeatable maintenance workflows.

Linux Docker Kamal Bash PostgreSQL MySQL Valkey fail2ban

This platform is a private multi-app hosting environment built to keep custom and third-party applications easy to deploy, inspect, update, and recover. The goal was a lean operating model: infrastructure described in version-controlled config, apps isolated in containers, and routine maintenance handled by repeatable scripts instead of a heavyweight hosting panel.

Kamal provides the deployment layer. Each application has a small destination config that defines its Docker image, runtime command, health check, persistent volumes, secrets, proxy host rules, and any supporting database or cache accessories. Web traffic enters through one proxy layer, while app containers, PostgreSQL, MySQL, and Valkey services stay on internal Docker networks unless they explicitly need a public route.

The release workflow is intentionally simple: build or pull a pinned image, deploy over SSH, let health checks decide whether the new container should receive traffic, and keep logs, shells, rollbacks, proxy status, and accessory management available through short documented commands. The same pattern works for thin wrappers around upstream images and for custom applications with their own Dockerfiles.

Security and observability are handled as part of the platform rather than as afterthoughts. The host uses a hardened Linux baseline, UFW, fail2ban, custom web-probe and login-abuse filters, real-client-IP handling behind a CDN, scanner detection, repeat-offender bans, and daily security reports delivered into a private notification channel. Separate update checks watch pinned upstream releases and host package updates so maintenance work is visible before it becomes urgent.

The backup and maintenance layer is custom because generic container backups usually miss important operational details. A Bash backup script discovers running container mounts, collects host and Docker metadata, stops each data-bearing container only long enough to archive its bind mounts or volumes, restarts it, compresses the result, and hands it off for off-site storage. Shutdown and unattended-reboot hooks coordinate with the backup lock so automated maintenance does not interrupt a running backup.
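The lock coordination and stop-archive-restart cycle described above, sketched as an added example rather than the platform's own script. The lock path, the function names, and the choice of `flock(1)` with a tar.gz archive are assumptions.

```bash
# Added example, not the platform's script. LOCK_FILE and all function names
# are assumptions; requires flock(1) (util-linux or BusyBox).
LOCK_FILE="${LOCK_FILE:-/var/lock/platform-backup.lock}"

# Backup side: run a command while holding the lock, or exit 75 if another
# backup already holds it. The kernel releases the lock when the holder exits,
# so a crashed backup cannot leave a stale lock behind.
with_backup_lock() {
  (
    flock -n 9 || exit 75
    "$@"
  ) 9>>"$LOCK_FILE"
}

# Backup side: stop one container, archive its data directory, then restart it
# even when the archive step fails, so a bad backup never leaves an app down.
backup_container() {  # usage: backup_container NAME SRC_DIR ARCHIVE
  name=$1; src=$2; archive=$3; rc=0
  docker stop "$name" >/dev/null || return 1
  tar -czf "$archive" -C "$src" . || rc=$?
  docker start "$name" >/dev/null || return 1
  return "$rc"
}

# Hook side (shutdown or unattended reboot): poll until no backup holds the
# lock. Returns 0 when it is safe to proceed, 1 if the timeout expires first.
wait_for_backup() {  # usage: wait_for_backup TIMEOUT_SECONDS
  remaining=$1
  while :; do
    if ( flock -n 9 ) 9>>"$LOCK_FILE"; then return 0; fi
    [ "$remaining" -gt 0 ] || return 1
    sleep 1
    remaining=$((remaining - 1))
  done
}
```

A backup run would call `with_backup_lock backup_container NAME SRC_DIR ARCHIVE` per container, and a shutdown hook would call `wait_for_backup` with its own deadline before letting the reboot continue.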

The result is a practical single-server application platform that is fast to operate without hiding the important mechanics. It reduces firewall and proxy complexity, keeps persistent data paths understandable, supports health-checked app deploys, documents recovery and rebuild steps, and makes ongoing maintenance manageable for a mixed stack of custom software, packaged services, and WordPress-origin workloads.

Status: Private infrastructure platform