Linux + Cloud Infrastructure Lab

A self-hosted, production-style infrastructure on four virtualized Ubuntu servers — built to prove, and defend in an interview, practical skills across Linux administration, networking, security, automation, monitoring and AWS integration. Built incrementally, module by module, versioned and documented from day zero.

Role: Design & build
Pattern: 3-tier · self-hosted
Access: Bastion · SSH keys
Stack: Ubuntu · AWS · Cloudflare

System architecture

[Architecture diagram] VirtualBox host · private LAN 10.10.10.0/24. Built (modules 0–5): Admin → SSH key → bastion (jump host · ProxyJump) → web-server (Nginx → Gunicorn → Flask) → db-server (PostgreSQL · segmented query). Planned (modules 6–11): User → internet → Cloudflare (Tunnel · WAF · HTTPS) → web-server; monitor-server (Prometheus + Grafana) scrapes the hosts; AWS IAM (least privilege) and S3 (offsite backups via AWS CLI).

Four Ubuntu VMs on VirtualBox in a segmented private LAN (10.10.10.0/24): a bastion is the only SSH entry point (ProxyJump), the web tier reaches the database tier only over the segmented link, and a monitor node collects metrics. Cloudflare edge exposure and AWS (IAM · S3 backups) are on the roadmap.

What it is & why I built it

The lab simulates a small but real company infrastructure. It isn't an academic exercise: the goal is to demonstrate hands-on competence across the sysadmin and DevOps stack — and to be able to justify every technical decision.

Everything runs on local VMs (VirtualBox) integrated with managed AWS services, mirroring a common enterprise scenario: your own infrastructure that consumes the cloud for identity (IAM) and offsite backups (S3).

Highlights

  • Segmented private network — 4 VMs on an isolated internal LAN; the database is only reachable from the web server.
  • Bastion-only access — a single SSH jump host with key auth, hardening (no root, no password) and ProxyJump.
  • Layered application — Nginx (reverse proxy) → Gunicorn → Flask → PostgreSQL, with credentials kept out of the code.
  • Idempotent automation — Bash scripts, cron jobs and health-checks for disk, memory and services.
  • Versioned & documented — Git from day zero, each module with its own README and recorded decisions.

Key decisions

// why VirtualBox?

Local VMs over cloud VMs

Zero cost, snapshots before every change and spare hardware — the right sandbox to build and break safely.

// why a bastion?

Single SSH entry point

Internal hosts refuse SSH from outside the private LAN; all admin access flows through one hardened jump host via ProxyJump. Minimal exposure.

// why segmentation?

Defence in depth

The database tier is only reachable from the web tier (listen_addresses + pg_hba + firewall). A compromised web host still can't roam the network.
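As an added example (not code from the lab repository), a small POSIX-shell audit of the two PostgreSQL settings behind this decision: listen_addresses must bind only the segmented LAN address, and every network rule in pg_hba.conf must be scoped to the web host, a named database and user, and a hashed-password method. The addresses 10.10.10.30 (db-server) and 10.10.10.20 (web-server) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the lab's own code. Checks that PostgreSQL only accepts
# TCP connections from the web tier. Addresses below are constructed assumptions.
DB_BIND_IP="10.10.10.30"        # segmented LAN address of db-server
WEB_HOST_CIDR="10.10.10.20/32"  # the only host allowed to query the DB

# check_listen_addresses FILE -> 0 if listen_addresses is exactly $DB_BIND_IP.
# '*' or '0.0.0.0' is too open; unset/localhost would cut off the web tier.
check_listen_addresses() {
  val=$(sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1)
  if [ "$val" = "$DB_BIND_IP" ]; then
    return 0
  fi
  echo "$1: listen_addresses is '${val:-unset}', expected '$DB_BIND_IP'"
  return 1
}

# audit_pg_hba FILE -> prints one finding per offending rule; returns 1 if any.
# Format per line: TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
audit_pg_hba() {
  f="$1"
  rc=0
  while read -r type db user addr method _; do
    # skip blanks, comments and unix-socket rules (local admin access, no network)
    case "$type" in ''|'#'*|local) continue ;; esac
    if [ "$addr" != "$WEB_HOST_CIDR" ]; then
      echo "$f: '$type $db $user $addr' allows a source other than the web host"
      rc=1
    fi
    if [ "$db" = all ] || [ "$user" = all ]; then
      echo "$f: '$type $db $user $addr' is not scoped to one database and one user"
      rc=1
    fi
    case "$method" in
      scram-sha-256) ;;
      *) echo "$f: '$type $db $user $addr' uses '$method', expected scram-sha-256"
         rc=1 ;;
    esac
  done < "$f"
  return $rc
}
```

Run it against /etc/postgresql/<version>/main/postgresql.conf and pg_hba.conf on the db host; the firewall leg (ufw) still has to be checked separately.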

// why hybrid?

Local infra + managed AWS

A realistic enterprise pattern: own infrastructure that integrates the cloud for identity (IAM) and offsite backups (S3), kept at 0 € on the Free Tier.

Built module by module

The lab grows incrementally. What's built is production-grade; the rest is a clear, honest roadmap — which is exactly the kind of planning I want to show.

// built · modules 0–5

  • Fundamentals & version control
  • Users, groups & permissions (sudo, ACLs)
  • SSH, hardening & bastion
  • Networking & segmentation
  • Services: Nginx + PostgreSQL
  • Bash scripting & cron

// on the roadmap · modules 6–11

  • Logs & troubleshooting
  • Monitoring: Prometheus + Grafana
  • Backups & recovery (RTO/RPO)
  • AWS: IAM least-privilege + S3
  • Secure exposure: Cloudflare Tunnel
  • Capstone: docs, diagram & post-mortem

Stack & responsibilities

Technology | Layer | Responsibility
Ubuntu Server 24.04 | OS | Base of the 4 VMs (LVM, snapshots, right-sizing).
SSH · bastion | Security | Key auth, hardening and single entry point (ProxyJump).
ufw · segmentation | Network | Private LAN and firewall; DB reachable only from web.
Nginx → Gunicorn → Flask | Web | Reverse proxy and application tier.
PostgreSQL | Data | Segmented database tier, credentials outside code.
Bash · cron | Automation | Idempotent scripts, scheduled jobs and health-checks.
Prometheus · Grafana | Monitoring | Metrics, dashboards and alerts. (roadmap)
AWS IAM · S3 | Cloud | Least-privilege identity and offsite backups. (roadmap)
Cloudflare | Edge | Tunnel, WAF and HTTPS exposure. (roadmap)
Git · GitHub | Versioning | Everything versioned and documented from day zero.

Want to walk through it?

The repo documents each module with its decisions and how to reproduce it — or get in touch to talk it through.