Exciting Data Center Design! 🌐

DataCenterInfrastructure.md

Dive into the dynamic infrastructure of Fell St and Rochester Data Centers! With a chic setup featuring reverse proxies and VM magic, it keeps internal networks secure while juggling a plethora of applications. Discover the brilliance behind user roles, SSH tunneling, and how they gracefully intertwine! 💻✨

Data Center Infrastructure

Fell St Data Center (FSDC)

The Fell St Data Center consists of a home router forwarding all inbound HTTP, HTTPS, and SSH traffic (ports 80, 443, and 22) directly to a reverse proxy server named maestro04. Maestro04 handles public exposure of internal services and performs routing using Nginx. Maestro04 runs Ubuntu.

Basic architecture of the virtual machines behind maestro04

The VMs behind maestro04 run Ubuntu and host Node.js and Python apps, most of them web-facing. I have an admin user named nick with sudo privileges, and there is a matching nick group. In that group is an app_runner user with limited access to content under /home/nick/, but no sudo and no login access. There is also a limited_user user that has a /home/limited_user/ directory but no login and no sudo privileges.

Machines on FSDC

Internal machines include:

  • Ubuntu VM "Avatar08" (192.168.0.244) - accessible via SSH and used for additional hosted applications or development services.

Remote access is achieved by SSH tunneling through maestro04. Maestro04 serves as the single public entry point, proxying traffic to the internal machines based on ports or hostnames (e.g., macmini.the404api.dashanddata.com for the Mac mini's port 8000 service). This setup centralizes exposure of LAN-hosted services while keeping the internal network private.

alias ssh_tunnel_Maestro04_to_Avatar08_9005="ssh -L 9005:192.168.0.244:22 nick@69.181.154.142 -p 22"

Then

alias ssh_localhost_9005="ssh nick@localhost -p 9005"

Rochester Data Center

The "Rochester Data Center", or RDC, is home to many VMs hosted on my brother's server. Its reverse proxy server, maestro06, is exposed to the public internet and runs Nginx. Like all my VMs it runs Ubuntu, in this case 20.04 LTS.

Behind the maestro06 server are many VMs. Some run Ubuntu 20.04 LTS and some run Ubuntu 24.04 LTS. They include Avatar04, nn10prod, and nn10dev, all running Ubuntu. I access them over an SSH tunnel through maestro06. For example, my .zshrc file has the following aliases:

alias ssh_tunnel_Maestro_to_Avatar07_9000="ssh -L 9000:192.168.100.207:22 nick@69.207.163.8 -p 22"
alias ssh_tunnel_Maestro_to_nn10prod-08_9001="ssh -L 9001:192.168.100.241:22 nick@69.207.163.8 -p 22"
alias ssh_tunnel_Maestro_to_nn10dev-08_9002="ssh -L 9002:192.168.100.169:22 nick@69.207.163.8 -p 22"

Then

alias ssh_localhost_9000="ssh nick@localhost -p 9000"
alias ssh_localhost_9001="ssh nick@localhost -p 9001"
alias ssh_localhost_9002="ssh nick@localhost -p 9002"
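Both the FSDC and RDC sections above reach an internal VM in two steps: a `-L` forward to the bastion, then `ssh nick@localhost -p <port>`. The same hop can be expressed once in `~/.ssh/config` with `ProxyJump`, so the LAN address is dialled by the bastion and never bound to a local port. This is an added example, not part of the original page; the bastion alias, the per-host aliases, and the `IdentitiesOnly`/`ForwardAgent no` choices are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: emit ~/.ssh/config stanzas that
# reach each internal VM through the bastion with ProxyJump, replacing the
# two-step "-L <port>:<lan-ip>:22" / "ssh localhost -p <port>" aliases.
# The bastion alias and the per-host aliases are constructed names.
set -u

# render_ssh_config BASTION_ALIAS BASTION_IP USER ALIAS:LAN_IP [ALIAS:LAN_IP ...]
render_ssh_config() {
  local bastion="$1" bastion_ip="$2" user="$3"
  shift 3
  cat <<EOF
Host ${bastion}
    HostName ${bastion_ip}
    User ${user}
    Port 22
    IdentitiesOnly yes
    ForwardAgent no

EOF
  local entry
  for entry in "$@"; do
    # ${entry%%:*} is the alias, ${entry#*:} the LAN address; the LAN
    # address is only ever dialled by the bastion, never bound locally.
    cat <<EOF
Host ${entry%%:*}
    HostName ${entry#*:}
    User ${user}
    ProxyJump ${bastion}

EOF
  done
}

# Usage: write the RDC hosts from the aliases above, then "ssh nn10prod-08".
# "ssh -G nn10prod-08" prints the fully resolved options for a final check.
render_ssh_config maestro06 69.207.163.8 nick \
  avatar07:192.168.100.207 nn10prod-08:192.168.100.241 nn10dev-08:192.168.100.169
```

Append the output to `~/.ssh/config` (mode 600) and the `ssh_localhost_90xx` aliases become unnecessary.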

General Server Architecture

The virtual machines in these data centers run Ubuntu 20.04 or 24.04 LTS Server and use three users to separate administration from application runtime.

Users

nick

The primary admin user. Responsible for:

  • configuring the server (packages, nginx, fail2ban, firewall, etc.)
  • managing systemd service files in /etc/systemd/system/
  • managing sudoer permissions
  • cloning repositories and setting up application directories
  • running Claude Code and other dev tools

Nick's home directory is /home/nick/. The agent_resources/ folder inside it contains documentation and reference files for this server's setup.

limited_user

A system user with no login shell. Runs all production applications via systemd services. Its home directory at /home/limited_user/ is organized as follows:

  • applications/ - cloned app repositories
  • environments/ - Python virtual environments, one per app
  • databases/ - SQLite or other file-based databases
  • logs/ - application log files
  • project_resources/ - shared data or assets used by apps
  • _config_files/ - app-specific config files

app_runner

app_runner is another user; it has no home directory but is granted limited access within the /home/nick/ directory. It is being phased out, but some older setups still have it. It is a member of the nick group.

1. Create the user
  • Check that the nick group exists: getent group nick
  • Add the user to the group, with no login ability and no home directory:
sudo useradd --system --no-create-home --shell /usr/sbin/nologin -G nick app_runner
2. Set permissions
  • Give the group ownership and write access recursively, and set the setgid bit on every directory so new files inherit the group:
sudo chown -R nick:nick /home/nick/project_resources
sudo chmod -R g+w /home/nick/project_resources
sudo find /home/nick/project_resources -type d -exec chmod g+s {} \;
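Group-writable trees drift: a `git clone` or an unpacked archive under project_resources can leave files without group write or directories without setgid, and app_runner then fails on exactly those paths. The following audit, an added example and not part of the original page, walks a shared directory and reports every path that no longer matches the state the three commands above create. It assumes GNU stat (Ubuntu).

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit a shared directory for
# the state the setup steps create (group ownership, group write, setgid on
# every directory) and report anything that has drifted. Assumes GNU stat.
set -u

# audit_shared_dir DIR GROUP -> one line per offending path; returns 1 if any
audit_shared_dir() {
  local dir="$1" group="$2" rc=0 path perms grp
  while IFS= read -r -d '' path; do
    perms=$(stat -c '%A' "$path")   # mode string, e.g. drwxrwsr-x
    grp=$(stat -c '%G' "$path")
    [ "$grp" = "$group" ] || { echo "wrong group ($grp): $path"; rc=1; }
    # index 5 of the mode string is the group write bit
    [ "${perms:5:1}" = "w" ] || { echo "no group write: $path"; rc=1; }
    # index 6 is group execute; 's' or 'S' there means setgid is set
    if [ -d "$path" ]; then
      case "${perms:6:1}" in
        s|S) ;;
        *) echo "no setgid: $path"; rc=1 ;;
      esac
    fi
  done < <(find "$dir" -print0)
  return "$rc"
}

# Usage, matching the setup above:
#   audit_shared_dir /home/nick/project_resources nick
```

A clean run prints nothing and exits 0, so it can sit in a cron job or a post-deploy hook and only speak up on drift.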

Service Files

Each application has a corresponding systemd service file in /etc/systemd/system/. Services run as limited_user and reference paths inside /home/limited_user/. Environment variables are loaded from a .env file inside the application directory.
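The unit below renders a service for one app under /home/limited_user/ and adds the systemd sandboxing directives that make the "limited_user runs the apps" principle hold even if the process is compromised (read-only filesystem apart from the app's own logs/ and databases/, no privilege escalation, private /tmp). A second function audits any existing unit for the same directives. This is an added example, not a unit from the original page; the app name `myapp` and the `python app.py` entry point are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: render a hardened unit for an app
# under /home/limited_user/ and audit an existing unit for the same directives.
# App name "myapp" and the entry point "app.py" are assumptions.
set -u

render_unit() {  # $1 = app name
  local app="$1" home=/home/limited_user
  cat <<EOF
[Unit]
Description=${app} (runs as limited_user)
After=network.target

[Service]
User=limited_user
WorkingDirectory=${home}/applications/${app}
EnvironmentFile=${home}/applications/${app}/.env
ExecStart=${home}/environments/${app}/bin/python app.py
Restart=on-failure
# Hardening: whole filesystem read-only except the app's own writable dirs
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ReadWritePaths=${home}/logs ${home}/databases

[Install]
WantedBy=multi-user.target
EOF
}

# check_unit FILE -> prints each missing directive, returns 1 if any is missing
check_unit() {
  local rc=0 d
  for d in User=limited_user NoNewPrivileges=yes PrivateTmp=yes ProtectSystem=strict \
           EnvironmentFile=/home/limited_user/ WorkingDirectory=/home/limited_user/; do
    grep -q "^${d}" "$1" || { echo "missing: ${d}"; rc=1; }
  done
  return "$rc"
}

# Usage: render, then audit the result (or any unit already in /etc/systemd/system/)
unit=$(mktemp)
render_unit myapp > "$unit"
check_unit "$unit" && echo "unit OK: $unit"
rm -f "$unit"
```

`systemd-analyze security <unit>` on the target host gives a second opinion on the sandboxing score once the unit is installed.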

Key Principle

Nick configures the server; limited_user runs the apps. This separation limits the blast radius of any compromised application process.