Production VPS Security Architecture for Node.js & Web3 Backends (WireGuard + auditd + Grafana Alerts)

MASUD SUHANDI — Wed, 01 Apr 2026 22:21:56 +0000

I recently documented my hardened VPS security architecture used for deploying production Node.js and Web3 backend services as a solo operator.

The goal of this setup was simple:

reduce attack surface

isolate administrative access

improve monitoring visibility

and keep infrastructure manageable without Kubernetes complexity

Repository:

https://github.com/messut35/secure-nodejs-vps-architecture

Architecture Overview

This VPS setup uses a layered security model:

Internet
↓
Cloudflare (WAF + TLS + origin protection)
↓
Nginx reverse proxy
↓
Node.js services (PM2)

Administrative access is separated using a private WireGuard access plane:

Operator device
↓
WireGuard tunnel (10.77.0.0/24)
↓
Grafana / dashboards / internal services

Monitoring Pipeline

Security visibility is implemented using:

auditd
→ promtail
→ Loki
→ Grafana
→ Telegram alerts

This allows detecting:

unexpected binary execution

privilege escalation attempts

configuration tampering

service access anomalies

Database Exposure Strategy

Databases are not exposed publicly.

PostgreSQL and Redis are bound to:

localhost only

This prevents lateral movement from external network surfaces.

Reverse Proxy Security Role

Nginx acts as a segmentation layer between:

public APIs
and
private infrastructure services

Cloudflare origin protection ensures the VPS IP is not directly exposed.

Threat Model Considerations

This architecture mitigates common VPS risks:

SSH brute force attacks

exposed admin dashboards

database exposure risks

reverse proxy misconfiguration

silent privilege escalation attempts

Why this setup?

This architecture is designed for:

solo operators

self-hosted SaaS builders

Node.js backend developers

Web3 payment infrastructure deployments

who want production-level security without introducing orchestration complexity.

If you're running Node.js services directly on a VPS, I'd be curious how others structure their monitoring and admin-plane isolation strategies.

How to Accept USDC Payments in Node.js Using Web3indo (Stripe-Style Crypto Checkout)

MASUD SUHANDI — Sun, 29 Mar 2026 02:51:04 +0000

How to Accept USDC Payments in Node.js Using Web3indo (Stripe-Style Crypto Checkout)

Accepting crypto payments in backend applications is still harder than it should be.

If you try to build it yourself, you usually need to:

– generate deposit wallets

– monitor blockchain transfers

– confirm ERC-20 events

– manage RPC reliability

– send webhook notifications

– sweep funds safely to treasury wallets

This quickly turns into infrastructure work instead of product work.

So I built Web3indo — a crypto payment infrastructure API designed for developers.

This article shows how to accept USDC payments in a Node.js backend using a Stripe-style workflow.

What Web3indo does

Web3indo provides:

– per-invoice deposit addresses

– automatic ERC-20 payment detection

– signed webhook delivery

– automatic treasury sweep

– project-scoped API keys

Currently supported:

Ethereum (ETH)

USDC

USDT

Step 1 — Create an API key

After creating a project inside the dashboard:

https://web3indo.com

generate a project-scoped API key.

Each project gets its own isolated API credentials.

Step 2 — Create an invoice

Example Node.js request:

import fetch from "node-fetch";

const response = await fetch("https://api.web3indo.com/v1/invoices", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "x-api-key": "YOUR_API_KEY"
  },
  body: JSON.stringify({
    chain: "sepolia",
    token: "USDC",
    amount: "0.01"
  })
});

const data = await response.json();

console.log(data);

Response includes:

– invoice ID

– deposit address

– payment status

– block tracking info

Step 3 — Wait for blockchain confirmation

Web3indo monitors ERC-20 transfer events automatically.

Invoice status transitions:

pending → paid

Step 4 — Receive webhook notification

Example webhook payload:

{
  "type": "invoice.paid",
  "invoiceId": "abc123",
  "chain": "sepolia",
  "token": "USDC",
  "amount": "0.01"
}

This allows your backend to react instantly:

unlock features

activate subscription

confirm order

Step 5 — Automatic treasury sweep

After payment confirmation:

funds are automatically transferred to your treasury wallet.

No manual wallet management required.

Supported workflow

Typical integration looks like:

create project

generate API key

create invoice

wait for payment

receive webhook

funds swept automatically

Example use cases

Web3indo works well for:

SaaS subscriptions

digital product checkout

developer tools billing

API usage payments

automation platforms

Why I built Web3indo

Most crypto payment integrations today still require managing wallets manually or running custom blockchain listeners.

Web3indo abstracts that complexity into a simple developer API.

Try it here

Landing page:

https://web3indo.com

Demo video:

https://youtu.be/Z83AlNK2Gxw

Feedback welcome

I’m actively improving Web3indo and would love feedback from other developers building crypto-enabled products.

Example repo:
https://github.com/messut35/web3indo-nodejs-example

DEV Community: MASUD SUHANDI

Production VPS Security Architecture for Node.js & Web3 Backends (WireGuard + auditd + Grafana Alerts)

Architecture Overview

Monitoring Pipeline

Database Exposure Strategy

Reverse Proxy Security Role

Threat Model Considerations

Why this setup?

How to Accept USDC Payments in Node.js Using Web3indo (Stripe-Style Crypto Checkout)

How to Accept USDC Payments in Node.js Using Web3indo (Stripe-Style Crypto Checkout)

What Web3indo does

Step 1 — Create an API key

Step 2 — Create an invoice

Step 3 — Wait for blockchain confirmation

Step 4 — Receive webhook notification

Step 5 — Automatic treasury sweep

Supported workflow

Example use cases

Why I built Web3indo

Try it here

Feedback welcome