Self-Hosted AI Infrastructure for Small Businesses — Part 2 of 5
Free series. All open-source. No DevOps background required. Estimated hands-on time: 45–90 minutes.
Most servers are insecure not because people don’t care — but because they expose things they don’t even realize are visible.
In this part, we eliminate that entirely.
What You Will Complete in This Part
A VPS you fully control
A domain routed through Cloudflare
A Zero Trust layer with identity-based access
A server with only two open ports (80/443)
Five independent security layers active
The Principle: Nothing Should Be Public by Default
Most setups start like this:
Open port 22 for SSH
Add services
Try to secure later
This guide does the opposite.
👉 Nothing is exposed unless explicitly required
Step 1: Provision Your VPS (Vultr)
Choose:
Ubuntu 24.04 LTS
2 vCPU / 4GB RAM (~$24/month recommended)
This is your private machine in the cloud.
👉 Think of it as your own server — not rented SaaS.
Step 2: Domain + Cloudflare
You need a domain for clean routing:
cloud.yourdomain.com
ai.yourdomain.com
remote.yourdomain.com
Route everything through Cloudflare.
👉 This becomes your security perimeter
Step 3: Zero Trust (Core of the Architecture)
Instead of exposing ports:
👉 The server connects outward to Cloudflare
The result:
No exposed SSH port
No exposed admin interface
Identity-based access only
Users authenticate with an email one-time passcode (OTP) before a request ever reaches the server.
👉 No passwords. No VPN.
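As an added example (not code from the original article), here is a shell script that writes the cloudflared ingress configuration implementing the outbound-only model above: one rule per hostname, every rule pointing at a loopback service, and a mandatory 404 catch-all so that a hostname routed to the tunnel by mistake reaches nothing. The tunnel UUID, the local ports 8080 and 3000, the tunnel name "vps" and the /etc/cloudflared path are assumptions; the email OTP policy itself is attached per hostname as an Access application in the Zero Trust dashboard, not in this file.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: render and check the cloudflared
# config for Step 3. Assumed: tunnel created with `cloudflared tunnel create vps`,
# placeholder ports 8080 (cloud) and 3000 (ai) for services installed in Part 3,
# and Access policies (email OTP) configured in the Zero Trust dashboard.
set -euo pipefail

# write_tunnel_config <output-path> <tunnel-uuid> <domain>
# Every hostname maps to a loopback service; the final rule rejects anything else.
write_tunnel_config() {
  local out="$1" tunnel_id="$2" domain="$3"
  cat > "$out" <<EOF
tunnel: ${tunnel_id}
credentials-file: /etc/cloudflared/${tunnel_id}.json
ingress:
  # sshd still listens on 22, but the firewall (Step 4) never opens it to the
  # internet; the only way to reach it is through Access on this hostname.
  - hostname: remote.${domain}
    service: ssh://localhost:22
  - hostname: cloud.${domain}
    service: http://localhost:8080   # placeholder port for Nextcloud (Part 3)
  - hostname: ai.${domain}
    service: http://localhost:3000   # placeholder port for the AI interface (Part 3)
  # Catch-all must be last: cloudflared refuses to start without it.
  - service: http_status:404
EOF
}

# check_tunnel_config <path>: 0 if the last ingress rule is the 404 catch-all and
# every other service points at loopback, 1 otherwise.
check_tunnel_config() {
  local f="$1" last
  last="$(grep -v '^[[:space:]]*#' "$f" | tail -n 1 | tr -d ' ')"
  [ "$last" = "-service:http_status:404" ] || return 1
  # any service line that is neither the catch-all nor loopback is a mistake
  if grep -E '^[[:space:]]*-?[[:space:]]*service:' "$f" | grep -v http_status \
       | grep -vE 'localhost|127\.0\.0\.1' | grep -q .; then
    return 1
  fi
}

# list_hostnames <path>: prints each hostname published through the tunnel
list_hostnames() {
  grep -E '^[[:space:]]*- hostname:' "$1" | awk '{print $3}'
}

# Only touch the live system when asked: TUNNEL_ID=... DOMAIN=... ./tunnel.sh --install
if [ "${1:-}" = "--install" ]; then
  : "${TUNNEL_ID:?set to the UUID printed by: cloudflared tunnel create vps}"
  : "${DOMAIN:?set to your domain, e.g. yourdomain.com}"
  sudo mkdir -p /etc/cloudflared
  sudo cp "$HOME/.cloudflared/${TUNNEL_ID}.json" /etc/cloudflared/
  write_tunnel_config /tmp/config.yml "$TUNNEL_ID" "$DOMAIN"
  check_tunnel_config /tmp/config.yml
  sudo install -m 0600 /tmp/config.yml /etc/cloudflared/config.yml
  for h in remote cloud ai; do
    cloudflared tunnel route dns "$TUNNEL_ID" "${h}.${DOMAIN}"
  done
  sudo cloudflared service install
fi
```

Run without arguments the script only defines the functions, so you can render the file and run check_tunnel_config against it before anything is installed; the check fails loudly if the catch-all is missing or a rule points anywhere other than loopback, which is the property that keeps every other port on the VPS private.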
Step 4: Lock Down the Server
We apply layered security:
Firewall (UFW)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
👉 Only 2 ports open.
Intrusion Protection
sudo apt install -y fail2ban
Automatic Security Updates
sudo apt install -y unattended-upgrades
Kernel Hardening
Disable:
ICMP redirects
IP source routing
IP forwarding the server does not need (it is not a router)
👉 Reduce attack surface at OS level
Hardware Firewall (Vultr)
Add:
Allow: 80 / 443
Block: everything else
👉 Double-layer firewall
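As an added example (not code from the original article), the whole of Step 4 as one script: the article's UFW, fail2ban and unattended-upgrades commands, plus the kernel settings the list above names, written as a sysctl drop-in with a check function that confirms every required key is 0. It assumes Ubuntu 24.04 with sudo, the file paths /etc/sysctl.d/60-hardening.conf, /etc/fail2ban/jail.local and /etc/apt/apt.conf.d/20auto-upgrades, and that SSH through the Step 3 tunnel already works: enabling UFW closes port 22 to the internet, and the Vultr console is the only way back in if the tunnel is down.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: Step 4 as one script.
# Assumed: Ubuntu 24.04 with sudo, and SSH over the Cloudflare Tunnel already
# working. Enabling UFW closes port 22 to the internet.
set -euo pipefail

# Kernel hardening: the three items the article lists, for IPv4 and IPv6,
# plus reverse-path filtering. Every key is a standard Linux sysctl.
SYSCTL_HARDENING='# Written by the Step 4 hardening script
# ICMP redirects: neither accept nor send (a neighbour could otherwise rewrite routes)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Source-routed packets let the sender choose the path; a server never needs them
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Forwarding: this host is not a router (Docker, if installed later, turns
# net.ipv4.ip_forward back on itself for its bridge; that is expected)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Drop packets whose source address is not routable back via the incoming interface
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1'

# Keys that must read 0 for check_sysctl_file to pass.
REQUIRED_ZERO_KEYS="net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.send_redirects \
net.ipv4.conf.all.accept_source_route net.ipv4.ip_forward \
net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_source_route \
net.ipv6.conf.all.forwarding"

# write_sysctl_hardening <path>
write_sysctl_hardening() { printf '%s\n' "$SYSCTL_HARDENING" > "$1"; }

# check_sysctl_file <path>: 0 only if every required key is present and set to 0
check_sysctl_file() {
  local key
  for key in $REQUIRED_ZERO_KEYS; do
    grep -Fxq "${key} = 0" "$1" || return 1
  done
}

# write_auto_upgrades <path>: the apt periodic settings unattended-upgrades reads
write_auto_upgrades() {
  printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                'APT::Periodic::Unattended-Upgrade "1";' > "$1"
}

# write_fail2ban_jail <path>: jail.local with the systemd backend (24.04 ships no
# /var/log/auth.log by default). Tunnelled SSH reaches sshd from loopback, which
# ignoreip excludes, so the sshd jail only bites if port 22 is ever opened directly.
write_fail2ban_jail() {
  printf '%s\n' '[DEFAULT]' 'backend = systemd' 'ignoreip = 127.0.0.1/8 ::1' \
                'bantime = 1h' 'findtime = 10m' 'maxretry = 5' '' \
                '[sshd]' 'enabled = true' > "$1"
}

apply_hardening() {
  # Firewall: explicit defaults, then only the two ports the article opens
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow 80/tcp
  sudo ufw allow 443/tcp
  sudo ufw --force enable   # --force skips the interactive "may disrupt ssh" prompt

  # Intrusion protection
  sudo apt-get install -y fail2ban
  write_fail2ban_jail /tmp/jail.local
  sudo install -m 0644 /tmp/jail.local /etc/fail2ban/jail.local
  sudo systemctl enable --now fail2ban

  # Automatic security updates
  sudo apt-get install -y unattended-upgrades
  write_auto_upgrades /tmp/20auto-upgrades
  sudo install -m 0644 /tmp/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades

  # Kernel hardening, applied now and persisted across reboots
  write_sysctl_hardening /tmp/60-hardening.conf
  check_sysctl_file /tmp/60-hardening.conf
  sudo install -m 0644 /tmp/60-hardening.conf /etc/sysctl.d/60-hardening.conf
  sudo sysctl --system
}

# Only touch the live system when explicitly asked: ./harden.sh --apply
if [ "${1:-}" = "--apply" ]; then apply_hardening; fi
```

Without arguments the script only defines the functions, so the rendered sysctl file can be inspected and checked first; with --apply it changes the live system. The explicit `ufw default deny incoming` is what makes "only 2 ports open" true even if someone later adds an allow rule by mistake, and `sysctl --system` reloads every drop-in so the check above reflects what the kernel is actually running.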
Step 5: Prepare for AI Layer
Install Node.js:
curl -fsSL https://deb.nodesource.com/setup_24.x | sudo -E bash -
sudo apt install -y nodejs
👉 Required for Part 3
Security State (What You Just Built)
Layer                   Status
Cloudflare WAF          ✓
Identity Access (OTP)   ✓
Hardware Firewall       ✓
UFW Firewall            ✓
fail2ban                ✓
👉 No public SSH
👉 No exposed admin panel
Why This Matters
Typical SaaS stack:
Expensive
Data external
Limited control
This system:
Low cost
Fully controlled
Security-first
What Comes Next (Part 3)
We install the actual working system:
Nextcloud (private cloud)
Collabora (documents)
Unified AI interface
OpenClaw (AI agent system)
👉 This is where it becomes usable
Final Thought
Security is not something you add later.
It is something you design first — or you don’t have it at all.
Part 3 is next.
— Kusunoki