case study · infrastructure
Linux + Cloud Infrastructure Lab
A self-hosted, production-style infrastructure on four virtualized Ubuntu servers — built to prove, and defend in an interview, practical skills across Linux administration, networking, security, automation, monitoring and AWS integration. Built incrementally, module by module, versioned and documented from day zero.
architecture
System architecture
Four Ubuntu VMs on VirtualBox in a segmented private LAN (10.10.10.0/24): a bastion is the only SSH entry point (ProxyJump), the web tier reaches the database tier only over the segmented link, and a monitor node collects metrics. Cloudflare edge exposure and AWS (IAM · S3 backups) are on the roadmap.
overview
What it is & why I built it
The lab simulates a small but real company infrastructure. It isn't an academic exercise: the goal is to demonstrate hands-on competence across the sysadmin and DevOps stack — and to be able to justify every technical decision.
Everything runs on local VMs (VirtualBox) integrated with managed AWS services, mirroring a common enterprise scenario: your own infrastructure that consumes the cloud for identity (IAM) and offsite backups (S3).
Highlights
- Segmented private network — 4 VMs on an isolated internal LAN; the database is only reachable from the web server.
- Bastion-only access — a single SSH jump host with key auth, hardening (no root, no password) and ProxyJump.
- Layered application — Nginx (reverse proxy) → Gunicorn → Flask → PostgreSQL, with credentials kept out of the code.
- Idempotent automation — Bash scripts, cron jobs and health-checks for disk, memory and services.
- Versioned & documented — Git from day zero, each module with its own README and recorded decisions.
engineering decisions
Key decisions
// why VirtualBox?
Local VMs over cloud VMs
Zero cost, snapshots before every change and spare hardware — the right sandbox to build and break safely.
// why a bastion?
Single SSH entry point
Internal hosts refuse SSH from outside the private LAN; all admin access flows through one hardened jump host via ProxyJump. Minimal exposure.
// why segmentation?
Defence in depth
The database tier is only reachable from the web tier (listen_addresses + pg_hba + firewall). A compromised web host still can't roam the network.
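As an added example (not code from the lab's repository), a small POSIX shell audit of the two PostgreSQL-side layers of that rule: `listen_addresses` must be pinned to the DB host's internal address rather than `'*'`, and every network line in `pg_hba.conf` must come from the web host (or loopback) and use `scram-sha-256`. The addresses 10.10.10.30 (DB) and 10.10.10.20 (web), the database and user names, and the sample files are assumptions; the ufw layer is not covered.

```shell
#!/bin/sh
# Added example, not code from the lab's repo: audits the PostgreSQL side of the
# "DB reachable only from web" rule (listen_addresses + pg_hba.conf). Assumed LAN
# addresses: DB host 10.10.10.30, web host 10.10.10.20. ufw is not checked here.
DB_IP="10.10.10.30"
ALLOWED_SOURCES="10.10.10.20/32 127.0.0.1/32 ::1/128"   # web host + loopback
ALLOWED_METHOD="scram-sha-256"

# audit_listen FILE: last uncommented listen_addresses must be DB_IP, not '*'.
audit_listen() {
  val=$(sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1)
  [ "$val" = "$DB_IP" ] && return 0
  echo "VIOLATION: listen_addresses='${val:-<unset>}' (expected '$DB_IP')"
  return 1
}

# audit_pg_hba FILE: every network rule (host/hostssl/hostnossl) must name an
# allowed source and the allowed method. Prints offenders, returns 1 if any.
audit_pg_hba() {
  file="$1"; bad=0
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac              # blank or comment
    set -- $line                                          # TYPE DB USER ADDR METHOD
    case "$1" in host|hostssl|hostnossl) ;; *) continue ;; esac   # 'local' = unix socket
    addr="$4"; method="$5"; ok=0
    for src in $ALLOWED_SOURCES; do [ "$addr" = "$src" ] && ok=1; done
    if [ "$ok" -eq 0 ] || [ "$method" != "$ALLOWED_METHOD" ]; then
      echo "VIOLATION: $line"; bad=1
    fi
  done < "$file"
  return "$bad"
}

# write_samples: constructed sample configs (a compliant pair and a weak pair)
# in a temp dir; prints the directory path. Not real lab files.
write_samples() {
  d=$(mktemp -d)
  printf "listen_addresses = '%s'\n" "$DB_IP" > "$d/good.conf"
  printf "listen_addresses = '*'\n" > "$d/weak.conf"
  cat > "$d/good_hba.conf" <<'EOF'
local   all    postgres                 peer
host    appdb  app       10.10.10.20/32 scram-sha-256
EOF
  cat > "$d/weak_hba.conf" <<'EOF'
host    all    all       0.0.0.0/0      md5
host    appdb  app       10.10.10.20/32 trust
EOF
  echo "$d"
}
```

On the DB host, point `audit_listen` at the live postgresql.conf and `audit_pg_hba` at the live pg_hba.conf; a non-zero exit from either is a segmentation regression worth wiring into the cron health-checks.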
// why hybrid?
Local infra + managed AWS
A realistic enterprise pattern: own infrastructure that integrates the cloud for identity (IAM) and offsite backups (S3), kept at 0 € on the Free Tier.
build status
Built module by module
The lab grows incrementally. What's built is production-grade; the rest is a clear, honest roadmap — which is exactly the kind of planning I want to show.
// built · modules 0–5
- Fundamentals & version control
- Users, groups & permissions (sudo, ACLs)
- SSH, hardening & bastion
- Networking & segmentation
- Services: Nginx + PostgreSQL
- Bash scripting & cron
// on the roadmap · modules 6–11
- Logs & troubleshooting
- Monitoring: Prometheus + Grafana
- Backups & recovery (RTO/RPO)
- AWS: IAM least-privilege + S3
- Secure exposure: Cloudflare Tunnel
- Capstone: docs, diagram & post-mortem
tech stack
Stack & responsibilities
| Technology | Layer | Responsibility |
|---|---|---|
| Ubuntu Server 24.04 | OS | Base of the 4 VMs (LVM, snapshots, right-sizing). |
| SSH · bastion | Security | Key auth, hardening and single entry point (ProxyJump). |
| ufw · segmentation | Network | Private LAN and firewall; DB reachable only from web. |
| Nginx → Gunicorn → Flask | Web | Reverse proxy and application tier. |
| PostgreSQL | Data | Segmented database tier, credentials outside code. |
| Bash · cron | Automation | Idempotent scripts, scheduled jobs and health-checks. |
| Prometheus · Grafana | Monitoring | Metrics, dashboards and alerts. (roadmap) |
| AWS IAM · S3 | Cloud | Least-privilege identity and offsite backups. (roadmap) |
| Cloudflare | Edge | Tunnel, WAF and HTTPS exposure. (roadmap) |
| Git · GitHub | Versioning | Everything versioned and documented from day zero. |
Want to walk through it?
The repo documents each module with its decisions and how to reproduce it — or get in touch to talk it through.