miuOps: GitOps for Bare Metal Docker Infrastructure
Small and medium-sized development teams face pervasive architectural bloat. Even before business logic is validated, developers often rush to introduce etcd, the API server, and complex CNI plugins. This cargo-culting of Kubernetes significantly raises the operational barrier: core components consume a disproportionate share of resources in small clusters and introduce invisible failure modes.
miuOps offers a flattened infrastructure management solution. It leverages the maturity of Docker Compose and the automation of Ansible to build production-grade environments on a single bare metal server.
Design Path & Lifecycle
During initialization, miuOps uses Ansible to atomically configure firewall policies, the Docker engine, the Traefik gateway, and the Cloudflare Tunnel. Once the environment is bootstrapped, the infrastructure layer steps aside.
User ──> Cloudflare ──(Tunnel)──> [cloudflared]
                                       │
                                       ▼ (127.0.0.1:443)
[Firewall: DROP INPUT]             [Traefik]
                                    /      \
                             [Stack A]   [Stack B]
Subsequent application deployments are driven entirely by GitOps logic. GitHub Actions monitors repository changes, synchronizes configuration files to the target server via SSH and rsync, and executes docker compose up directly. By eliminating resident agents and centralized control planes, there is no performance overhead or risk of component crash—maintenance costs are pushed down to the protocol layer.
Zero Exposure & Multi-Dimensional Isolation
Security is built on multiple layers of isolation. miuOps forces all inbound traffic through a Cloudflare Tunnel. The bare metal server exposes no ports (not even 80 or 443) to the public internet, and the default iptables policy is strictly set to DROP all input.
At the container network level, a three-tier physical isolation model is enforced. Each application stack has an independent Ingress network with inter-container communication disabled, effectively blocking potential lateral movement attacks. Backend services are locked within an Internal network, stripped of outbound internet access and invisible to other stacks. The CI system automatically scans network configurations before deployment to ensure the integrity of this isolation logic.
[ Traefik ]
     │
     ├──(Ingress A)──> [Web A] ──(Internal)──> [DB A]
     │
     └──(Ingress B)──> [Web B] ──(Internal)──> [DB B]
              ^
       (NO CROSS-TALK)
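The pre-deployment network scan described above, as an added example rather than code from the miuOps project: a Python check that takes one stack's compose definition (shown here as the dict that yaml.safe_load would return; the stack, network and service names are made up) and lists every deviation from the three-tier model. It checks that the ingress network carries the Docker bridge option that disables inter-container communication (com.docker.network.bridge.enable_icc=false), that the backend network is declared internal: true (no egress to the internet), that only the designated frontend services sit on the ingress network, that no service joins another stack's network, and that nothing publishes host ports or uses host networking, since either would bypass Traefik and the tunnel.

```python
"""Pre-deployment isolation check for one application stack.

Constructed example, not miuOps code. Assumes each stack's compose file
declares an ingress network (shared with Traefik, ICC disabled) and an
internal network (internal: true) and that backend services such as the
database are attached to the internal network only.
"""

# Docker bridge driver option that disables inter-container communication.
ICC_OPT = "com.docker.network.bridge.enable_icc"


def service_networks(service):
    """Compose accepts `networks:` as a list or a mapping; return the names."""
    nets = service.get("networks") or []
    return list(nets)  # list(dict) yields the keys


def check_stack(compose, ingress, internal, frontends):
    """Return the isolation violations found in `compose` (empty list = OK).

    ingress / internal: names of the stack's two networks.
    frontends: services Traefik must reach, i.e. the only ones allowed on ingress.
    """
    findings = []
    networks = compose.get("networks") or {}

    ing = networks.get(ingress)
    if ing is None:
        findings.append(f"ingress network '{ingress}' is not declared")
    elif str((ing.get("driver_opts") or {}).get(ICC_OPT, "true")).lower() != "false":
        findings.append(f"ingress network '{ingress}' allows inter-container communication")

    itn = networks.get(internal)
    if itn is None:
        findings.append(f"internal network '{internal}' is not declared")
    elif itn.get("internal") is not True:
        findings.append(f"internal network '{internal}' is not marked internal (has internet egress)")

    for name, svc in (compose.get("services") or {}).items():
        attached = service_networks(svc)
        for net in attached:
            if net not in (ingress, internal):
                findings.append(f"service '{name}' joins foreign network '{net}'")
        if name in frontends:
            if ingress not in attached:
                findings.append(f"frontend '{name}' is not reachable from Traefik (not on '{ingress}')")
        elif ingress in attached:
            findings.append(f"backend '{name}' is exposed on ingress network '{ingress}'")
        if svc.get("network_mode") == "host":
            findings.append(f"service '{name}' uses host networking, bypassing isolation")
        if svc.get("ports"):
            findings.append(f"service '{name}' publishes host ports {svc['ports']}, bypassing Traefik")
    return findings


# Constructed compose definition for "stack A" that follows the model.
STACK_A_OK = {
    "services": {
        "web": {"image": "example/web:1.0", "networks": ["ingress_a", "internal_a"]},
        "db": {"image": "postgres:16", "networks": ["internal_a"]},
    },
    "networks": {
        "ingress_a": {"driver": "bridge", "driver_opts": {ICC_OPT: "false"}},
        "internal_a": {"driver": "bridge", "internal": True},
    },
}

# Constructed definition with the typical drift errors the scan should catch:
# ICC left enabled, internal network not internal, a published host port,
# the database on the ingress network, and a worker joining stack B's network.
STACK_A_BAD = {
    "services": {
        "web": {"image": "example/web:1.0", "networks": ["ingress_a", "internal_a"],
                "ports": ["8080:80"]},
        "db": {"image": "postgres:16", "networks": ["ingress_a", "internal_a"]},
        "worker": {"image": "example/worker:1.0", "networks": {"internal_a": None, "ingress_b": None}},
    },
    "networks": {
        "ingress_a": {"driver": "bridge"},
        "internal_a": {"driver": "bridge"},
    },
}


if __name__ == "__main__":
    import sys
    problems = check_stack(STACK_A_BAD, "ingress_a", "internal_a", frontends={"web"})
    for p in problems:
        print("ISOLATION VIOLATION:", p)
    sys.exit(1 if problems else 0)  # a non-zero exit fails the CI job before rsync runs
```

In a pipeline this would run against the real compose file (loaded with yaml.safe_load) before the rsync step, so a stack whose networks have drifted never reaches the server. Exposing a port directly on the host is flagged as well, since the whole design depends on Traefik behind the tunnel being the only path in.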
Data Persistence & Immutable Backups
For core components like PostgreSQL, miuOps integrates WAL-G. It supports point-in-time recovery (PITR) down to the minute through continuous archiving and scheduled full backups.
Backup files written to S3 buckets are protected by Object Lock (Governance Mode). Within the preset 30-day retention period, no credential—even compromised admin keys—can delete existing backups. This physical-level locking mechanism provides a final line of defense for disaster recovery, ensuring data integrity even under extreme attack scenarios.
The Economics of Vertical Scaling
Hardware dividends from Moore’s Law are often negated by inefficient software abstractions. On modern hardware, even accounting for the overhead of Cloudflare Tunnel encryption and Docker networking, the throughput of a single-core CPU at the ingress layer far exceeds the computational capacity of most business logic. This makes the reverse proxy one of the least resource-intensive links in the entire chain.
As demonstrated by 37signals, returning to bare metal and adhering to vertical scaling can significantly reduce operational costs. We explicitly accept the limitations of single-server environments regarding extreme high availability. By adjusting the availability target from 99.99% to 99.9%, miuOps trades for a 90% reduction in complexity. In the event of hardware failure, the entire infrastructure can be rebuilt on a new machine in minutes using the bootstrap tool and immutable S3 backups.
Implementation Path
Server initialization is completed with a single command via the bootstrap script. Developers can build private repositories based on the provided application templates, triggering automated pipelines with a simple git push.
The project is currently in its early stages, and builders are welcome to try it out. Code and documentation are hosted on GitHub:
EN / ZH