Why I Bypassed the Cloud Treadmill to Build a 100% Independent Self-Hosted Stack
Philosophy doesn’t mean much without execution. If I’m going to advocate for data sovereignty and owning your data, I need to show you exactly what my architecture stands on. My project, OWNTHESTACK.co, isn’t deployed to a massive managed web service, it doesn’t use third-party serverless infrastructure, and it doesn’t store media in an invisible corporate bucket. It runs entirely on an independent, flat-rate virtual private server (VPS) running minimal Linux. Here is the exact containerized layout and setup powering the application.
The Design Philosophy
The goal: maximum control, absolute data ownership, and strict network privacy. The host operating system stays clean: no application service is installed on it directly. Every component is modular, portable, and locked down inside isolated container networks.
The Core Engine (.NET 8 & React)
The backend is a plain .NET 8 application. Modern .NET is fast, memory-efficient, and runs well inside isolated Linux containers. It handles the text payloads and the encrypted administration sessions. The frontend is a React build compiled to static production assets, served with minimal resource overhead.
Personal Data Control (PostgreSQL 16)
Every word of text, every metadata tag, and every layout setting lives in a PostgreSQL 16 instance running inside an isolated container with an explicit volume mount for its data directory. Backups are plain compressed dump files produced by simple shell scripts, which dump exactly what matters and ship it to an encrypted storage destination I control.
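To make the backup claim concrete, here is an added example of the kind of script that paragraph describes. It is not the site's own script: the container name, database name, age recipient and rclone remote are hypothetical placeholders, and age (for encryption) and rclone (for the off-box copy) are assumptions; the page does not say which tools the author uses. Two details matter more than the tooling: the dump is written without a shell pipeline so pg_dump's exit status cannot be masked, and the file is checked for pg_dump's custom-format magic bytes before it is encrypted, so an empty or error-filled "backup" never gets shipped.

```shell
#!/usr/bin/env sh
# pg_backup.sh: dump a containerised PostgreSQL 16 database, verify the dump,
# encrypt it, copy it off-box and prune old local copies.
# Added example, not the site's own script. Hypothetical defaults: container
# "owntheStack-db", database and user "blog", age recipient in $AGE_RECIPIENT,
# rclone remote "offsite:pg-backups". age and rclone are assumed tools.
set -eu

PG_CONTAINER="${PG_CONTAINER:-owntheStack-db}"
PG_DB="${PG_DB:-blog}"
PG_USER="${PG_USER:-blog}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/pg}"
KEEP_DAYS="${KEEP_DAYS:-30}"
AGE_RECIPIENT="${AGE_RECIPIENT:-}"
RCLONE_DEST="${RCLONE_DEST:-offsite:pg-backups}"

# Timestamped, sortable file name, e.g. blog-20240101T000000Z.dump.age
backup_filename() {
  printf '%s-%s.dump.age\n' "$PG_DB" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# pg_dump's custom format (-Fc) begins with the 5-byte magic "PGDMP".
# A zero-byte file or an error message would pass a mere "file exists" check;
# this does not.
is_pg_custom_dump() {
  [ -s "$1" ] && [ "$(head -c 5 "$1")" = "PGDMP" ]
}

# Delete local copies in $1 older than $2 days. The off-site copies are the
# durable ones; the local ring only exists for fast restores.
prune_backups() {
  find "$1" -maxdepth 1 -type f -name '*.dump.age' -mtime "+$2" -print -delete
}

run_backup() {
  [ -n "$AGE_RECIPIENT" ] || { echo "AGE_RECIPIENT not set" >&2; return 1; }
  mkdir -p "$BACKUP_DIR"
  tmp="$(mktemp "$BACKUP_DIR/.dump.XXXXXX")"
  trap 'rm -f "$tmp"' EXIT
  # Redirect instead of piping: a pipe would hide pg_dump's exit status.
  docker exec "$PG_CONTAINER" pg_dump -U "$PG_USER" -d "$PG_DB" -Fc >"$tmp"
  is_pg_custom_dump "$tmp" || { echo "not a pg_dump custom archive" >&2; return 1; }
  out="$BACKUP_DIR/$(backup_filename)"
  age -r "$AGE_RECIPIENT" -o "$out" "$tmp"   # encrypt before anything leaves the box
  chmod 600 "$out"
  rclone copy "$out" "$RCLONE_DEST"
  prune_backups "$BACKUP_DIR" "$KEEP_DAYS"
  echo "backed up $out"
}

# Usage: ./pg_backup.sh run   (with no argument the file only defines functions)
case "${1:-}" in
  run) run_backup ;;
esac
```

Run it from cron or a systemd timer as `pg_backup.sh run`. Restores are `age -d` followed by `pg_restore -d blog`; rehearse one on a scratch container before trusting the schedule.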
Independent Media Storage (MinIO)
Inline graphics don't stream from a public CDN or a third-party asset SaaS. They are served straight out of a local MinIO object-storage container on our own hardware, through short-lived presigned URLs: S3-style links that carry a signature over the object path and an expiry time, so the bucket itself stays private and a link stops working once its window has passed.
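Those "short-lived cryptographic links" are AWS Signature Version 4 presigned URLs, which MinIO implements as part of its S3-compatible API. The following added example, not the site's code, builds one from scratch so it is clear what the signature covers: the HTTP method, the path, the sorted query string (which includes the expiry and the signing date), and the host. The key used to sign is derived from the secret through a chain of HMACs keyed on the date, region and service, so a leaked signature never reveals the secret and a link signed for 900 seconds cannot be stretched by editing the X-Amz-Expires parameter. It assumes openssl is installed and uses path-style addressing; the endpoint, bucket and credentials in the usage line are fake.

```shell
#!/usr/bin/env sh
# s3_presign.sh: produce an AWS SigV4 presigned GET URL for an object in MinIO
# (or any S3-compatible store). Added example, not the site's code. Requires
# openssl, od and sed. All values passed in the usage comment are fake.
set -eu

sha256_hex() { printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.* //'; }
# HMAC-SHA256 keyed with raw bytes supplied as hex; prints the MAC as hex.
hmac_hex() {
  printf '%s' "$2" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | sed 's/^.* //'
}
to_hex() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'; }

# presign ACCESS_KEY SECRET_KEY HOST PATH REGION AMZ_DATE EXPIRES_SECONDS [SCHEME]
#   PATH is the URI path, already URI-safe, e.g. /media/hero.png (path-style).
#   AMZ_DATE is UTC in the form YYYYMMDDTHHMMSSZ, e.g. $(date -u +%Y%m%dT%H%M%SZ).
presign() {
  ak=$1; sk=$2; host=$3; path=$4; region=$5; amzdate=$6; expires=$7; scheme=${8:-http}
  date=$(printf '%s' "$amzdate" | cut -c1-8)
  scope="$date/$region/s3/aws4_request"
  cred_enc="$ak%2F$date%2F$region%2Fs3%2Faws4_request"   # "/" is percent-encoded in the query
  # Query parameters must be sorted by name; these five already are.
  qs="X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=$cred_enc&X-Amz-Date=$amzdate&X-Amz-Expires=$expires&X-Amz-SignedHeaders=host"
  # Canonical request: method, path, query, canonical headers, blank line,
  # signed header names, payload hash. GET presigned URLs use UNSIGNED-PAYLOAD.
  canonical="GET
$path
$qs
host:$host

host
UNSIGNED-PAYLOAD"
  string_to_sign="AWS4-HMAC-SHA256
$amzdate
$scope
$(sha256_hex "$canonical")"
  # Signing key derivation: HMAC chain starting from "AWS4" + secret.
  k=$(hmac_hex "$(to_hex "AWS4$sk")" "$date")
  k=$(hmac_hex "$k" "$region")
  k=$(hmac_hex "$k" "s3")
  k=$(hmac_hex "$k" "aws4_request")
  sig=$(hmac_hex "$k" "$string_to_sign")
  printf '%s://%s%s?%s&X-Amz-Signature=%s\n' "$scheme" "$host" "$path" "$qs" "$sig"
}

# Usage (fake credentials and endpoint, 15-minute link):
#   presign minioadmin minioadmin minio.internal:9000 /media/hero.png \
#           us-east-1 "$(date -u +%Y%m%dT%H%M%SZ)" 900
```

The S3 API reference publishes a worked presigned-URL example under the AKIAIOSFODNN7EXAMPLE test credentials; feeding that example's inputs to `presign` must reproduce the documented signature, which is the quickest way to confirm the canonicalisation is right. In production, sign with a dedicated read-only MinIO service account rather than the root credentials, because the access key ID appears in every link.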
Reversing the Firewall (Cloudflare Tunnels)
This is the most important privacy and security boundary. An external port scan of this server's public IP address shows ports 80 and 443 closed. Rather than exposing the server to the open internet and constantly fending off automated bot scans, the server runs cloudflared, Cloudflare's tunnel daemon. It establishes an encrypted, outbound-only connection to Cloudflare's edge; web traffic arrives down that connection and is handed straight to the internal container network. Anything that does not come through this authenticated channel cannot reach the application. One caveat belongs here: visitors' TLS sessions terminate at Cloudflare's edge, so Cloudflare proxies the plaintext HTTP of every request before it enters the tunnel. The tunnel removes the inbound attack surface; it does not take Cloudflare out of the trust boundary.
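The port-scan claim is worth checking from the inside as well as the outside, because a container port published with `-p 9000:9000` binds to 0.0.0.0 and Docker installs its own iptables rules for it ahead of ufw, so a ufw deny rule does not protect it. The added example below, not the site's script, reads `ss -H -ltn` output and reports every listener bound to a routable address whose port is not on an explicit allow list. `SAMPLE_SS` is a constructed listing for demonstration, not output from the author's server; the process names and PIDs are illustrative.

```shell
#!/usr/bin/env sh
# exposure_check.sh: report sockets listening on non-loopback addresses that
# are not on the allow list. Added example, not the site's script.
# SAMPLE_SS is constructed to look like `ss -H -ltnp` output; it is not real.
set -eu

SAMPLE_SS='LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("docker-proxy",pid=1201,fd=4))
LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:* users:(("docker-proxy",pid=1320,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 [::1]:8080 [::]:* users:(("dotnet",pid=1455,fd=5))'

# exposed_listeners [allowed-port ...]  < ss -H -ltn[p] output
# Prints "addr:port process" for each listener on a non-loopback address whose
# port is not allowed. Exit status 1 if any such listener exists, else 0.
exposed_listeners() {
  awk -v allow=" $* " '
    {
      n = split($4, a, ":"); port = a[n]                  # port is after the last ":"
      host = substr($4, 1, length($4) - length(port) - 1)  # "0.0.0.0", "[::]", "[::1]" ...
      if (host ~ /^127\./ || host == "[::1]") next         # loopback-only: fine
      if (index(allow, " " port " ") > 0) next             # expected public service
      found = 1; print $4, $6
    }
    END { exit found ? 1 : 0 }'
}

# Runs the check against the constructed sample; returns 1 because MinIO's
# port 9000 is bound to 0.0.0.0 while only SSH (22) is allowed.
check_sample() {
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners 22
}

# Live use on the VPS (root needed for process names):
#   ss -H -ltnp | exposed_listeners 22
```

In the sample, PostgreSQL on 127.0.0.1:5432 and the .NET app on [::1]:8080 pass, while MinIO on 0.0.0.0:9000 is flagged. The fix is to publish such ports as `127.0.0.1:9000:9000` in the compose file, or better, not to publish them at all and let cloudflared reach the app by service name on the internal compose network.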
I am documenting my entire journey of migrating off corporate platforms, sharing raw configs, and analyzing self-hosted infrastructure. Follow along or subscribe to the raw logs at OwnTheStack.co.