
Aethar Production

Builder / operator

Production cloud footprint for a SaaS: FastAPI services behind Caddy, shared Postgres and Redis, isolated staging, nightly restic backups, and a self-hosted GitHub Actions runner that deploys over the private tailnet - never a public IP.

SHAPE

A production VPS runs several FastAPI services, each in its own container, against a shared Postgres and Redis on a dedicated Docker network. Caddy fronts them: API traffic routes via path-prefix matching, static web bundles are served directly. An isolated staging stack runs alongside production on the same host - same config, different domain - so deploys can be verified before they go live.

TOOLING HOST

A separate, smaller VPS carries the self-hosted GitHub Actions runner, a log receiver, and an Uptime Kuma status page. Keeping tooling off the production box means the thing that monitors and deploys production is not itself on the production machine. The runner deploys to the production VPS over the Tailscale overlay network - never a public IP.

DELIVERY & SAFETY

Nightly restic backups run to off-site storage for both hosts. Canary/smoke checks run on deploy. SSH is reachable only over Tailscale. Availability is Uptime Kuma's job; anything threat-shaped routes to Wazuh on the home server.
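A check for the two tailnet-only claims above, written here as an added example and not taken from the project's own tooling: it refuses deploy targets outside the address ranges Tailscale assigns, and flags SSH listeners bound anywhere other than loopback or the tailnet. It assumes SSH is restricted by sshd's bind address (a firewall-based restriction needs a different check); the function names and sample addresses are hypothetical.

```python
import ipaddress

# Ranges Tailscale assigns to nodes: the IPv4 CGNAT block and its IPv6 ULA prefix.
TAILNET = [ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample of `ss -tln` output (addresses are made up).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    100.101.102.103:22  0.0.0.0:*
LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      244    127.0.0.1:5432      0.0.0.0:*
"""

def parse_ip(text):
    """Parse a literal IP as printed by ss; None for hostnames and '*'."""
    try:
        return ipaddress.ip_address(text.strip("[]").split("%")[0])
    except ValueError:
        return None

def on_tailnet(addr):
    """True only for a literal IP inside a Tailscale range (use for deploy targets)."""
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TAILNET)

def exposed_ssh(ss_output, port="22"):
    """Local sockets listening on the SSH port outside loopback and the tailnet."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header row and malformed lines
        host, _, lport = fields[3].rpartition(":")
        ip = parse_ip(host)
        loopback = ip is not None and ip.is_loopback
        if lport == port and not (on_tailnet(host) or loopback):
            exposed.append(fields[3])
    return exposed

if __name__ == "__main__":
    for target in ("100.101.102.103", "203.0.113.10"):
        print(target, "ok" if on_tailnet(target) else "REFUSE: not a tailnet address")
    print("exposed sshd listeners:", exposed_ssh(SAMPLE_SS))
```

Run as a canary step, `on_tailnet` rejects hostnames as well as public IPs, so a DNS change cannot silently redirect a deploy off the overlay network.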