Infrastructure

Infrastructure strategy for internal services and client projects.

Current State

Cloudflare (Production)

  • Static site hosting (Pages)
  • DNS and CDN
  • Object storage (R2) for state files
  • Email routing
  • WAF and DDoS protection

Cost: $0/month (free tier)


Strategy: Three-Tier Approach

Tier 1: Cloudflare

Use for: Static sites, edge functions, DNS, CDN, object storage

Why: Zero compute cost, global distribution, automatic SSL/TLS


Tier 2: Hetzner VPS

Use for: Internal tools, staging environments, small databases, background workers

Why: Cost-effective (€4.50-8/month), EU-based (GDPR compliant), simple management

Planned services:

  • Self-hosted analytics
  • Monitoring stack
  • CI/CD runners
  • Development databases


Tier 3: AWS

Use for: Client production workloads, compliance-heavy applications, high-scale systems

Why: Industry standard, managed services, compliance certifications

When to use:

  • Client mandates AWS
  • Global multi-region required
  • Need managed services (RDS, Lambda, etc.)
  • Compliance requirements (SOC2, HIPAA, PCI-DSS)


Infrastructure as Code

All infrastructure managed via OpenTofu (Terraform fork).

Tools:

  • OpenTofu (via mise)
  • 1Password CLI (secrets)
  • gh CLI (GitHub)
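For the state-in-R2 part of this setup, here is an added example (not from this page or the team's own repo) of the OpenTofu backend block that points the S3-compatible backend at R2, with credentials injected by the 1Password CLI at run time rather than stored in the file. Bucket, key, vault and item names are assumptions; <ACCOUNT_ID> is a placeholder.

```hcl
# Added example: OpenTofu backend storing state in Cloudflare R2.
# R2 speaks the S3 API, so the built-in "s3" backend is used with a custom
# endpoint. <ACCOUNT_ID> is a placeholder for the Cloudflare account id;
# bucket and key names are assumptions.
terraform {
  backend "s3" {
    bucket = "tofu-state"                  # assumed R2 bucket, private, versioning on
    key    = "internal/terraform.tfstate"  # one key per stack
    region = "auto"                        # R2 only knows the "auto" region

    endpoints = {
      s3 = "https://<ACCOUNT_ID>.r2.cloudflarestorage.com"
    }

    # R2 is not AWS: skip the AWS-only validation and metadata calls.
    skip_credentials_validation = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_metadata_api_check     = true
    skip_s3_checksum            = true     # checksum headers R2 does not support
    use_path_style              = true

    # No access_key / secret_key literals here. The backend reads
    # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the environment, and
    # 1Password CLI injects them at run time from secret references in
    # .env.tofu (assumed vault "Infra", item "r2-tofu-state"):
    #
    #   AWS_ACCESS_KEY_ID=op://Infra/r2-tofu-state/access-key-id
    #   AWS_SECRET_ACCESS_KEY=op://Infra/r2-tofu-state/secret-access-key
    #
    # and the commands are run as:
    #
    #   op run --env-file=.env.tofu -- tofu init
    #   op run --env-file=.env.tofu -- tofu plan
    #
    # The R2 API token behind these should be scoped to this bucket only:
    # state files carry provider secrets and resource ids in plaintext.
  }
}
```

The s3 backend's DynamoDB-based state locking is not available on R2, so concurrent applies against the same key have to be serialized by the CI pipeline.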


Security

Current

  • Cloudflare WAF enabled
  • DDoS protection
  • Automatic HTTPS
  • Email SPF/DKIM configured

Planned (Hetzner)

  • VPN access (Cloudflare Tunnel or Tailscale)
  • UFW firewall
  • Automated security updates
  • Fail2ban
  • Automated backups to R2

Future (AWS)

  • IAM roles and policies
  • VPC with private subnets
  • Security groups
  • CloudTrail audit logging

Backup Strategy

Static sites: Git as source of truth

Databases:

  • Daily automated backups
  • 30-day retention
  • Encrypted at rest
  • Stored in Cloudflare R2

Configuration: OpenTofu state in R2, all code in Git