Anish's Innovation Lab
Login
Part 3 - Production Deployment and Hardening
Published: Mar 7, 2026Views: ...

This chapter moves from architecture design to deployment reality. The objective is secure exposure, repeatable releases, and clear operational recovery paths across both Raspberry Pi and cloud environments.

Back: Part 2Continue: Part 4Back to Modern App Architecture Blogs
Production Flow: Cloudflare Domain to Tunnel to Containers

Recommended exposure model where inbound traffic enters Cloudflare and tunnel traffic stays outbound from your host

Internet Usersrequests to your domainCloudflare DomainDNS, TLS, WAF, edge controlscloudflared Tunneloutbound connector from hostDocker HostCaddyedge route splitWeb + PBapp and datano inbound router exposure required for app trafficroute / to web and /pb to PocketBase through Caddy
Cloudflare Domain and Tunnel Pattern

A practical production pattern is to point a public app domain to Cloudflare and terminate user traffic at the edge, then forward to your host through Cloudflare Tunnel.

  • Example public hostname: app.yourdomain.com
  • Optional admin hostname: admin.yourdomain.com protected with Cloudflare Access
  • Use tunnel ingress rules to forward traffic to Caddy and internal services
  • Keep sensitive surfaces restricted by policy, not only by obscurity
Tunnel Ingress Example
tunnel: personal-lab
credentials-file: /etc/cloudflared/<tunnel-id>.json

ingress:
  - hostname: app.yourdomain.com
    service: http://caddy:80
  - hostname: admin.yourdomain.com
    service: http://pocketbase:8090
  - service: http_status:404

In production, protect admin hostnames with Cloudflare Access policies and strong identity controls.

Caddy Routing Example for App plus PocketBase
app.yourdomain.com {
  encode zstd gzip

  handle_path /pb/* {
    reverse_proxy pocketbase:8090
  }

  handle {
    reverse_proxy web:3000
  }

  header {
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    Referrer-Policy "strict-origin-when-cross-origin"
  }
}
Operations Diagram: Release, Observe, Recover

Practical runbook model for CI/CD, backups, and failure response

CI/CD Releasebuild, deploy, smoke checksRuntime Healthuptime, latency, error ratesBackupspb_data and config snapshotsRecoveryrollback and restore drillsA production platform is not complete without tested failure recovery pathsrelease safety, observability, backups, and restore procedures should be automated where possible
Production Checklist
  • Use Cloudflare domain plus tunnel for controlled public entry
  • Store secrets outside source control and rotate credentials regularly
  • Protect admin surfaces with identity-aware access controls
  • Backup PocketBase data and media on a defined schedule
  • Track uptime, latency, and error rates with alert thresholds
  • Run restore drills so recovery procedures are verified, not assumed
Real-World Failure Scenarios and Mitigations
  • Misconfigured route in Caddy: use smoke tests after deploy and keep rollback tags
  • Tunnel interruption: define health checks and fallback runbook for quick recovery
  • Accidental data deletion: restore from snapshot and validate record integrity
  • Credential leakage risk: rotate tokens, invalidate sessions, and audit access logs
Continue: Part 4