DEV Community

Own The Stack

Why I Bypassed the Cloud Treadmill to Build a 100% Independent Self-Hosted Stack

Philosophy doesn't mean much without execution. If I’m going to advocate for data sovereignty and owning your data, I need to show you exactly what my architecture stands on.

My project, OWNTHESTACK.co, isn't deployed to a massive managed web service. It doesn't use third-party serverless infrastructure, and it doesn't store media in an invisible corporate bucket. It runs entirely on an independent, flat-rate virtual private server (VPS) running minimal Linux.

Here is the exact containerized layout and setup powering the application.

The Design Philosophy

The goal: maximum control, absolute data ownership, and strict network privacy. The host operating system remains completely clean. Everything is modular, portable, and tightly locked down inside isolated internal container environments.

  1. The Core Engine (.NET 8 & React)

The backend processing engine is a clean .NET 8 application. Modern .NET is incredibly fast, memory-efficient, and runs flawlessly inside isolated Linux containers. It handles text payloads and securely encrypted administration sessions. The frontend uses lightweight static production assets served with near-zero resource overhead.

  2. Personal Data Control (PostgreSQL 16)

Every word of text, metadata tag, and background layout setting lives in a PostgreSQL 16 database running locally inside an isolated container with an explicit disk mount. Backups are raw, compressed files produced automatically by simple shell scripts, which copy exactly what matters to an encrypted storage destination I control.

  3. Independent Media Storage (MinIO)

Inline graphics don't stream from a generic public media host or a third-party asset SaaS. They stream straight out of a local MinIO storage vault container running on our hardware using secure, short-lived cryptographic links.

  4. Reversing the Firewall (Cloudflare Tunnels)

This is the most critical privacy and security boundary. If you run an external network port scan on this server's public IP address, port 80 and port 443 are completely closed. Instead of opening the server to the wide-open internet and constantly fighting off automated bot scans, the server runs a secure outbound tunnel daemon. It establishes an encrypted, outbound-only pipeline to the network edge. Web traffic routes securely down this outbound pipe straight to our internal container environment. If it doesn't originate from this authenticated channel, it cannot touch our data.
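The "no inbound ports" boundary only holds while no container quietly publishes a port on the host, so it is worth checking mechanically. The following is an added example, not code from this post or from OWNTHESTACK.co: it assumes the stack is managed with Docker Compose, and the service names, images and sample data are constructed for illustration.

```python
import json

LOOPBACK = {"127.0.0.1", "::1"}

def exposed_ports(compose):
    """Return (service, detail) for each service reachable from outside the host."""
    findings = []
    for name, svc in sorted(compose.get("services", {}).items()):
        if svc.get("network_mode") == "host":
            # Host networking bypasses container network isolation entirely.
            findings.append((name, "network_mode: host"))
        for port in svc.get("ports", []):
            # With no host_ip, Docker publishes on all interfaces.
            host_ip = port.get("host_ip", "0.0.0.0")
            if host_ip not in LOOPBACK:
                published = port.get("published", "ephemeral")
                findings.append((name, f"{host_ip}:{published} -> {port['target']}"))
    return findings

# Constructed sample in the shape of `docker compose config --format json`.
# Service names and the "example/api" image are assumptions, not the author's config.
HARDENED = json.loads("""
{"services": {
  "api":         {"image": "example/api",            "networks": {"internal": null}},
  "db":          {"image": "postgres:16",            "networks": {"internal": null}},
  "minio":       {"image": "minio/minio",            "networks": {"internal": null}},
  "cloudflared": {"image": "cloudflare/cloudflared", "networks": {"internal": null}}
}}
""")

# Same stack after two typical slips: a MinIO port published on all
# interfaces, and a database port published on loopback only.
DRIFTED = json.loads(json.dumps(HARDENED))  # deep copy
DRIFTED["services"]["minio"]["ports"] = [
    {"mode": "ingress", "target": 9000, "published": "9000", "protocol": "tcp"}]
DRIFTED["services"]["db"]["ports"] = [
    {"mode": "ingress", "host_ip": "127.0.0.1", "target": 5432,
     "published": "5432", "protocol": "tcp"}]

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("drifted", DRIFTED)):
        print(label, exposed_ports(cfg) or "no externally published ports")
```

In practice the input would be the JSON printed by `docker compose config --format json`. The check covers container-published ports only, so daemons running directly on the host still need a separate listening-socket review.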

I am documenting my entire journey of migrating off corporate platforms, sharing raw configs, and analyzing self-hosted infrastructure. Follow along or subscribe to the raw logs at OwnTheStack.co.
