Tech stack

This infrastructure is hybrid: personal services self-hosted on a home ARM64 VM, portfolio site deployed on a Scaleway VPS. Every tool is fully open source — auditable, free from proprietary lock-in, and representative of real-world industry standards. Cloud hosting runs on Scaleway, a European provider: a deliberate trade-off between data sovereignty and cost control. This page documents the architecture and the choices behind it.

Overview

Internet
  │
  ├── kiwinet.me → Scaleway VPS (Traefik + Astro/Nginx, GitHub Actions CI/CD)
  │
  ├── freebox.kiwinet.me → VM Traefik (reverse proxy + SSL Let's Encrypt)
  │        ├── status.kiwinet.me    → Uptime Kuma
  │        ├── grafana.kiwinet.me   → Grafana
  │        ├── plex.kiwinet.me      → Plex Media Server
  │        ├── hub.kiwinet.me       → Home Assistant
  │        ├── calibre.kiwinet.me   → Calibre-Web
  │        ├── komga.kiwinet.me     → Komga
  │        └── traefik.kiwinet.me   → Traefik Dashboard (auth-basic)
  │
  └── minecraft.kiwinet.me:25565 (TCP passthrough Traefik)

The infrastructure is hybrid: kiwinet.me is hosted on a Scaleway VPS (European sovereignty, automated CI/CD), while all personal services and observability run on a self-hosted VM. Traefik handles routing, automatic SSL and service isolation on the VM side. Minecraft goes through Traefik in TCP passthrough mode — traffic is routed without TLS termination.

Detailed architecture

Internet
  │
  ├── :80/:443  → kiwinet.me → Scaleway VPS
  │                                 └── Traefik → Container kiwinet-web (Astro/Nginx)
  │
  ├── :80/:443  → freebox.kiwinet.me → VM Traefik
  │                                        ├── status.kiwinet.me      → Container uptime-kuma
  │                                        ├── grafana.kiwinet.me     → Container grafana
  │                                        ├── plex.kiwinet.me        → Container plex (Plex Media Server)
  │                                        ├── hub.kiwinet.me         → Home Assistant (network_mode: host)
  │                                        ├── calibre.kiwinet.me     → Container calibre-web
  │                                        ├── komga.kiwinet.me       → Container komga
  │                                        └── traefik.kiwinet.me     → Traefik Dashboard (auth-basic)
  │
  ├── :25565    → minecraft.kiwinet.me → Container minecraft (raw TCP, Traefik passthrough)
  ├── :22       → SSH (VM access, ed25519 key)
  └── :XXXXX    → WireGuard VPN (encrypted LAN access, one key per device)

Access to the Freebox admin interface is not publicly exposed. It is reachable only through a WireGuard tunnel, so the admin interface itself presents no public attack surface; authentication is key-based, with one key per device.
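One way to check that the VM binds only the listeners shown in the diagram above, as an added example that is not part of the kiwinet repositories. The function names, the sample `ss -H -tuln` output and the stand-in WireGuard port are constructed for illustration; the page redacts the real port, so it is passed in as a parameter.

```python
import ipaddress

# TCP listeners the architecture diagram documents as intentionally exposed.
DOCUMENTED_TCP = {80, 443, 25565, 22}

# Constructed `ss -H -tuln` output (not captured from the real VM).
# 40000/udp stands in for the WireGuard port, which the page redacts.
# 3000 models a container published with `ports:` instead of only via Traefik;
# 8123 models a network_mode: host service binding directly on the host.
SAMPLE_SS = """\
tcp   LISTEN 0 4096       0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0 4096       0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0 4096       0.0.0.0:25565      0.0.0.0:*
tcp   LISTEN 0 128        0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 128           [::]:22            [::]:*
udp   UNCONN 0 0          0.0.0.0:40000      0.0.0.0:*
tcp   LISTEN 0 4096     127.0.0.1:9090       0.0.0.0:*
tcp   LISTEN 0 4096 127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0 4096       0.0.0.0:3000       0.0.0.0:*
tcp   LISTEN 0 511              *:8123             *:*
"""

def parse_listener(line):
    """Return (proto, address, port) from one `ss -H -tuln` line."""
    fields = line.split()
    proto, local = fields[0], fields[4]
    addr, port = local.rsplit(":", 1)
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    return proto, addr, int(port)

def is_loopback(addr):
    """'*' is the dual-stack wildcard, so it is never loopback."""
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def undocumented_listeners(ss_output, wg_port):
    """List non-loopback listeners that the diagram does not account for."""
    allowed = {("tcp", p) for p in DOCUMENTED_TCP} | {("udp", wg_port)}
    findings = set()
    for line in ss_output.strip().splitlines():
        proto, addr, port = parse_listener(line)
        if not is_loopback(addr) and (proto, port) not in allowed:
            findings.add((proto, addr, port))
    return sorted(findings)

if __name__ == "__main__":
    for proto, addr, port in undocumented_listeners(SAMPLE_SS, wg_port=40000):
        print(f"undocumented listener: {proto} {addr}:{port}")
```

A finding here means the service is bound on a non-loopback address of the VM; whether it is reachable from the Internet still depends on the port forwarding in front of the VM.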

Stack layers

Infrastructure

Hybrid architecture: self-hosted Debian GNU/Linux ARM64 VM for personal services, Scaleway VPS (fr-par-1) for the portfolio site. Traefik as the single reverse proxy on each host, automatic Let's Encrypt SSL via HTTP Challenge. WireGuard for secure access to the local network. Automated provisioning via Ansible (dual-target VM + VPS) and Terraform for Scaleway cloud infrastructure.

Traefik · Let's Encrypt · Docker · WireGuard · Debian ARM64 · Ansible · Terraform · Scaleway
kiwinet-infra-ansible · kiwinet-infra-cloud

CI/CD

GitHub Actions pipeline: Astro build → linux/amd64 Docker image → push to GHCR → SSH deployment on Scaleway VPS (dedicated port) → Docker Compose. Migrated from ARM64 to AMD64 as part of the VPS migration — the architecture change is documented as a deliberate technical decision.

GitHub Actions · Docker Buildx · GHCR · SSH deploy · linux/amd64
kiwinet-web

Observability

Two distinct layers: public status (Uptime Kuma, live badges, Discord alerts) and internal observability (Prometheus, cAdvisor, Node Exporter, Loki, Promtail, Grafana). The external/internal separation is a deliberate DevOps maturity choice.

Uptime Kuma · Prometheus · Grafana · Loki · cAdvisor
kiwinet-status · kiwinet-monitoring

Tools summary

Role | Tool | Why this choice | Repo
Reverse proxy | Traefik v3 | Native Docker, auto SSL, container standard | kiwinet-services
SSL | Let's Encrypt | Free, automatic, universally trusted | kiwinet-services
VPN | WireGuard | Zero exposure, one key per device | kiwinet-infra-ansible
VM/VPS provisioning | Ansible | Idempotent, dual-target VM + VPS, DevOps standard | kiwinet-infra-ansible
Cloud infrastructure | Terraform + Scaleway | Reproducible IaC, European sovereignty | kiwinet-infra-cloud
Frontend | Astro | Static output, lightweight, ~15 MB Docker image | kiwinet-web
File server | Nginx Alpine | Minimal, multi-stage build | kiwinet-web
Registry | GHCR | GitHub ecosystem coherence | kiwinet-web
CI/CD | GitHub Actions + SSH | Auditable, secrets management | kiwinet-web
Public status | Uptime Kuma | Public page + Discord alerts | kiwinet-observability
Metrics | Prometheus + cAdvisor + Node Exporter | Industry standard | kiwinet-observability
Logs | Loki + Promtail | Grafana Labs coherence | kiwinet-observability
Dashboards | Grafana | Unified visualisation | kiwinet-observability

Service status

kiwinet.me
traefik.kiwinet.me
status.kiwinet.me
grafana.kiwinet.me
plex.kiwinet.me
minecraft.kiwinet.me
hub.kiwinet.me
komga.kiwinet.me
calibre.kiwinet.me

Live badges — real-time status from Uptime Kuma.