— Practice / Infrastructure

The half of the stack that doesn't live in someone else's cloud.

Some workloads belong on the edge. Some belong on bare metal. We work both halves, and we treat the second one with the same engineering rigour as the first — Proxmox clusters, Linux servers, hardening, observability, and the boring operational discipline that keeps systems running for years instead of quarters.

— What we ship

A small set of patterns, deeply known.

Proxmox VE clusters

Initial design, three-node clusters (the minimum for a stable corosync quorum) with HA failover, Ceph or ZFS storage, automated backups to Proxmox Backup Server (PBS). We have done VMware-to-Proxmox migrations end-to-end, with rollback plans and restores verified before cutover.

Bare-metal & dedicated server provisioning

New colocation deployments, Hetzner / OVH / Latitude.sh dedicated machines, IPMI configuration (on an isolated management network, never reachable from the public internet), network segmentation. Proper DNS, proper firewalling, proper documentation.

Linux hardening to a baseline

CIS Benchmarks-aligned hardening: SSH key-only auth, fail2ban, unattended-upgrades, ufw / nftables with a default-deny inbound policy, unneeded services disabled, audit logging. Every server gets the same baseline before any workload is deployed.
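An added example of what the SSH key-only part of that baseline checks, not the practice's own tooling: a POSIX shell audit that reads an sshd_config, resolves each keyword the way sshd does (the first occurrence in the global section wins, Match blocks are out of scope) and reports anything off the baseline. It runs here against a constructed stock-style config and its hardened counterpart; the sample configs, the rule list and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the practice's own tooling: audit an sshd_config against
# the key-only baseline. Both sample configs below are constructed for this
# example and stand in for real files under /etc/ssh.

# Constructed sample: a stock Debian-style sshd_config that still allows passwords.
WEAK_SSHD_CONFIG='Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
X11Forwarding yes'

# Constructed sample: the same host after the baseline has been applied.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey
MaxAuthTries 3
UsePAM yes
X11Forwarding no'

# sshd_effective CONFIG_TEXT KEYWORD
# Prints the value sshd would use for KEYWORD in the global section: sshd takes
# the FIRST occurrence of a keyword, so later duplicates are ignored, and
# anything after a Match block is conditional and out of scope here. Prints
# nothing when the keyword is unset. Handles the "Keyword value" form only;
# "Keyword=value" and Include drop-ins are not followed (see the note below).
sshd_effective() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[[:space:]]*#/            { next }          # comment line
    /^[[:space:]]*$/            { next }          # blank line
    tolower($1) == "match"      { exit }          # global section ends here
    tolower($1) == tolower(key) { print tolower($2); exit }
  '
}

# sshd_baseline_findings CONFIG_TEXT
# Prints one line per deviation from the baseline ("Keyword=have (want X)").
# Unset keywords fall back to the defaults documented in sshd_config(5)
# (third field of each rule), which is why a commented-out line is not "safe".
sshd_baseline_findings() {
  cfg=$1
  for rule in \
    'PasswordAuthentication:no:yes' \
    'KbdInteractiveAuthentication:no:yes' \
    'PermitEmptyPasswords:no:no' \
    'PermitRootLogin:no:prohibit-password' \
    'PubkeyAuthentication:yes:yes'
  do
    key=${rule%%:*}; rest=${rule#*:}; want=${rest%%:*}; dflt=${rest#*:}
    have=$(sshd_effective "$cfg" "$key")
    [ -n "$have" ] || have=$dflt
    [ "$have" = "$want" ] || printf '%s=%s (want %s)\n' "$key" "$have" "$want"
  done
}

echo "weak config:";     sshd_baseline_findings "$WEAK_SSHD_CONFIG"
echo "hardened config:"; sshd_baseline_findings "$HARDENED_SSHD_CONFIG"
```

Two caveats when pointing this at a real host. Debian and Ubuntu ship a main file that begins with `Include /etc/ssh/sshd_config.d/*.conf`, and because the first match wins, a drop-in there silently overrides whatever the main file says, so audit the drop-ins first. And the authoritative answer is always `sshd -T` on the host, which prints the effective configuration; run it after editing and keep an existing session open while you restart the daemon.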

Self-hosted developer infrastructure

Gitea / Forgejo, Drone / Woodpecker CI, container registries, Vaultwarden, Nextcloud — the open-source equivalents of GitHub / GitLab CI / 1Password / Dropbox, run on your hardware.

Backup, monitoring, alerting

Borg / restic for filesystem backups, Proxmox Backup Server for VMs, off-site replication, and scheduled restore tests so a backup is known to be restorable before it is needed. Prometheus + Grafana + Alertmanager or Uptime Kuma, sized to the org, not the catalog.

Edge ↔ on-prem hybrid architectures

When the right answer is some-of-both (Cloudflare in front, on-prem origin, secure tunnel between them) we design and operate the whole topology. Cloudflare Tunnel, WireGuard, Tailscale, mTLS between edge and origin. The origin needs no public IP and no inbound firewall rule: the tunnel is established outbound, so NAT stops being a problem.

— Why this practice exists

Some software shouldn't live on someone else's cloud.

Cost.

A 64-core Proxmox node with 256 GB RAM at Hetzner is CA $200/month. Equivalent compute on AWS or GCP is 5 – 10× that, before egress. For workloads that don't need elasticity, on-prem or dedicated wins by a wide margin — provided someone competent runs it.

Sovereignty.

For regulated workloads, customer-data residency, or businesses that don't want to be a tenant on a hyperscaler, owning the substrate is the answer. PIPEDA-sensitive Canadian data, healthcare records, financial system-of-record — these belong somewhere you can audit and govern directly.

Skill gap.

Most teams that run their own servers learned to do it five years ago and haven't iterated. The result: stale Debian releases, manual deploys, no monitoring, backups that have never been restored. We fix that — bring the systems to a baseline that survives the next decade.

— Stack

The boring, durable toolkit.

Hypervisor

Proxmox VE · KVM · LXC

OS

Debian · Ubuntu LTS · Alpine · Rocky

Provisioning

Ansible · cloud-init · Terraform (where it fits)

Networking

WireGuard · Tailscale · Cloudflare Tunnel · pfSense / OPNsense

Storage

ZFS · Ceph · LVM · NFS · S3-compat (MinIO / Garage)

Backups

Proxmox Backup Server · Borg · restic · rsnapshot

Observability

Prometheus · Grafana · Loki · Alertmanager · Uptime Kuma

Containers

Docker · Podman · Compose · Nomad (for fleets)

Edge handoff

Cloudflare Tunnel · Caddy · nginx · Traefik

Hosts

Hetzner · OVH · Latitude.sh · in-house

— Best fit

Engagements where this practice earns its weight.

  • You run a Proxmox or VMware fleet and need ongoing administration without hiring a dedicated sysadmin.
  • You want to move off VMware before the Broadcom renewal and need a credible migration plan.
  • You're standing up new self-hosted infrastructure — clusters, dev tooling, internal services.
  • You have an aging Linux estate and need it brought to a security baseline before it bites you.
  • You want a Cloudflare-front + on-prem-origin architecture designed properly, with the tunnel actually monitored.

— Not a fit

When we'll point you elsewhere.

  • Tier-1 helpdesk / break-fix outside Atlantic Canada.
  • Pure Microsoft 365 / Active Directory shops with no Linux footprint — there are specialists for that.
  • Datacenter physical work — racking, cabling, hardware swap. We coordinate, we don't drive there.
  • Single-server environments where managed hosting is cheaper than our retainer.

Got servers that need a steadier hand?

Tell us the shape of the workload, the constraint, and the deadline. We respond in writing within one business day.