Infrastructure · the backbone

The whole company runs on two small servers and a laptop.

A Mac, two VPS hosts in different datacentres, Cloudflare in front of everything, and a secrets broker in the middle. No on-premise rack, no bloated cloud bill — just the surface area you actually need, locked down properly.

zero-trust access · secrets vaulted · two servers · no open ports · lean by design

The topology

Two servers and a laptop, wired by Cloudflare.

The Mac is where work is authored; Cloudflare is the front door (tunnels, zero-trust access, DNS); the servers and public sites sit behind it; the vault brokers every secret.

Your machine

Local Mac
↓ via secure tunnel

The front door

Cloudflare
↓ fronts

Servers & sites

  • VPS1 · Hostinger
  • VPS2 · Hetzner
  • Cloudflare Pages
  • Agent Vault

01 — The hosts

Five pieces. One coherent system.

Every service lives in exactly one place. The colour dots below match the node colours in the architecture diagram on the Overview page.

Local Mac

The dev cockpit

Where all work is authored and orchestrated. Every AI session, every deployment, every tunnel to the servers originates here.

  • Claude Code — the primary authoring environment
  • MCP tool connectors — gives the AI direct access to every business system
  • Obsidian wikis — eight hand-authored knowledge bases, git-synced to GBrain hourly
  • Secure tunnels out to the VPS hosts (via Cloudflare)
  • Automatic daily credential renewal — tokens rotate without manual effort

VPS1 · Hostinger

The app host

A dedicated, cost-effective host for the company's primary internal application. Kept deliberately single-purpose.

  • Joinery Billing — the construction division's quoting and billing app (Docker + Traefik + Postgres)
  • Frozen rollback copy of the secrets vault — maintained during the 2026 migration soak as a safety net

VPS2 · Hetzner

The AI workhorse

The busier server. It runs the intelligence layer — everything that thinks, remembers, reviews, or brokers.

  • GBrain — the company brain (semantic search + knowledge graph)
  • Hermes — the always-on assistant and asset pipeline
  • Directus DAM — the described, searchable asset library at dam.huxapps.com
  • Proof — the Markdown review editor at proof.huxapps.com
  • Agent Vault — the secrets broker (all credentials live here)
  • Company Feed — the internal metric feed

Cloudflare

The front door

Cloudflare sits in front of everything. Services are exposed safely to the internet — or locked to authenticated users — without touching server firewall rules.

  • Tunnels — expose internal services without opening a single inbound port
  • Access — zero-trust login layer on every private tool
  • Pages — serves all public static sites, including this one
  • DNS — canonical authority for all huxapps.com subdomains

Vercel handles the brand-facing marketing sites separately.

Agent Vault · the secrets broker

One place for every credential.

Every API key, service password, and token lives in Agent Vault on VPS2. Apps and AI agents request credentials on demand — nothing sits in code, nothing sits in scattered .env files, nothing is passed as a plain argument. Tokens rotate automatically on a daily schedule. A local tunnel keeps the vault reachable from the Mac at all times, surviving reboots.
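The handoff pattern the paragraph describes, brokered at call time and never passed as a plain argument, as an added example. This is not Agent Vault's own client or API: `broker_get` is a stand-in for the vault lookup and returns a constructed sample value so the script runs offline; `with_secret` is the hypothetical wrapper that fetches the credential on demand and hands it to the consumer on stdin, refusing any invocation where the secret already appears in argv.

```shell
#!/bin/sh
# Added example, not the company's code. broker_get stands in for an on-demand
# Agent Vault lookup; the value below is constructed sample data.
broker_get() {
  case "$1" in
    demo-api-token) printf '%s' 'tok_constructed_example_123' ;;
    *) echo "broker_get: no such secret: $1" >&2; return 1 ;;
  esac
}

# with_secret NAME -- CMD [ARGS...]
# Fetches NAME from the broker at call time and pipes it to CMD on stdin.
# The value never appears in argv (readable by every local user via ps) and
# never lands in a .env file. If an argument already equals the secret, the
# call is refused: that is the "plain argument" pattern the vault exists to avoid.
with_secret() {
  name=$1; shift
  [ "$1" = "--" ] && shift
  secret=$(broker_get "$name") || return 1
  for arg in "$@"; do
    if [ "$arg" = "$secret" ]; then
      echo "with_secret: refusing to pass secret as a plain argument" >&2
      return 2
    fi
  done
  printf '%s' "$secret" | "$@"
}

# Tiny consumer used to show the handoff: reports how many bytes arrived on stdin.
token_length() { wc -c | tr -d ' '; }
```

A real consumer reads the credential from stdin itself; for curl, `-K -` reads a config file (including header lines) from stdin, so the bearer token stays out of the process list. Because the broker is consulted on every call, daily rotation needs no change on the consumer side.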

automatic rotation · brokered on demand · never in code · allowlist-only

02 — How it's wired

Zero open ports. All tunnels.

The connection model is simple: everything outbound, nothing inbound. The firewall never needs touching.

Step 1 · access

Humans + agents start from the Mac

Every session — whether a human opening a browser or an AI making an API call — begins on the Mac. The Mac dials out; nothing dials in to it.

Step 2 · routing

Cloudflare zero-trust in the middle

Connections to both servers flow through Cloudflare Access. Private tools require authentication; no raw inbound port is ever exposed to the public internet.

Step 3 · serving

Services surface on huxapps.com

Cloudflare Tunnels on each VPS push services out to their public subdomain. The servers themselves never open a public port.

Public subdomains

  • brain.huxapps.com
  • proof.huxapps.com
  • dam.huxapps.com
  • bi.huxapps.com
  • vault.huxapps.com
  • ai.huxapps.com

Each subdomain is a Cloudflare Tunnel endpoint. The server behind it never directly touches the internet.
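How "zero open ports, all tunnels" looks on a host, as an added example rather than the company's own configuration. The first function writes a `cloudflared` ingress file in the real config.yaml format, mapping two of the subdomains above to services that listen on loopback only; the tunnel UUID, credentials path and local ports are placeholders. The second function is the check a defender wants alongside that claim: it reads `ss -Hltn` output and fails if any listener is bound to something other than loopback. The sample socket lines are constructed.

```shell
#!/bin/sh
# Added example, not the page's own configuration.

# Part 1: cloudflared ingress rules. Each public hostname is routed to a
# service bound on 127.0.0.1; the catch-all returns 404 from the connector
# itself, so nothing unlisted is reachable through the tunnel.
write_ingress_config() {
  cat > "$1" <<'EOF'
tunnel: TUNNEL-UUID-PLACEHOLDER
credentials-file: /etc/cloudflared/TUNNEL-UUID-PLACEHOLDER.json
ingress:
  - hostname: proof.huxapps.com
    service: http://127.0.0.1:3000
  - hostname: dam.huxapps.com
    service: http://127.0.0.1:8055
  - service: http_status:404
EOF
}

# Part 2: audit listening TCP sockets. Input is `ss -Hltn` output (no header,
# fourth column = local address:port). Exits 0 when every listener is bound to
# loopback, 1 otherwise, printing each offender.
audit_listeners() {
  awk '{
    addr = $4; sub(/:[0-9]+$/, "", addr)
    if (addr !~ /^127\./ && addr != "[::1]") { print "PUBLIC LISTENER: " $4; bad = 1 }
  } END { exit bad ? 1 : 0 }'
}

# Constructed sample output in ss format: one loopback-only host and one host
# with sshd and an HTTPS service bound on all interfaces.
sample_clean_host() {
  printf 'LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*\nLISTEN 0 4096 [::1]:8055 [::]:*\n'
}
sample_exposed_host() {
  printf 'LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 4096 *:443 *:*\n'
}
```

On a live host the check is `ss -Hltn | audit_listeners`; running it from a cron job or a deploy hook turns "the servers never open a public port" from a statement into something that fails loudly when a container or package quietly binds 0.0.0.0.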

The payoff. Secure — zero-trust on every private tool, all secrets brokered through a single vault, tokens rotated automatically. Lean — two small servers, predictable monthly cost, nothing that needs a dedicated ops team. Reproducible — the architecture is documented, the credentials are managed, and every service runs in a container you can redeploy in minutes.

03 — Design principles

Constraints that keep it maintainable.

Principle · security

Zero-trust by default

No service is open to the internet without authentication. Cloudflare Access gates every private tool. Secrets never leave the vault in plaintext.

Principle · cost

Right-sized, not over-provisioned

Two small VPS instances handle everything the company currently needs. Vertical scaling is one click; horizontal adds a third node only if the work justifies it.

Principle · resilience

Single-purpose hosts

VPS1 runs one app. VPS2 runs the intelligence layer. A problem on one server doesn't take the other down. The frozen vault copy on VPS1 is there for exactly this reason.
