The Traefik label set I put on every service

labels:
  - traefik.enable=true
  - "traefik.http.routers.APP.rule=Host(`app.example.com`)"
  - traefik.http.routers.APP.entrypoints=websecure
  - traefik.http.routers.APP.tls.certresolver=le
  - traefik.http.services.APP.loadbalancer.server.port=PORT
  - traefik.http.routers.APP.middlewares=crowdsec@file,sec-headers@file

CrowdSec + the Traefik bouncer

CrowdSec runs as its own container reading Traefik's access logs; the bouncer (a forward-auth middleware) checks each request against CrowdSec's decisions plus the community blocklist, pulled in stream mode so blocking is near-instant.

The egress firewall (the part people skip)

# Block an untrusted container network from reaching prod, metadata, and SMTP
iptables -I DOCKER-USER -s 172.30.0.0/24 -d 169.254.169.254 -j DROP   # cloud metadata
iptables -I DOCKER-USER -s 172.30.0.0/24 -p tcp --dport 25 -j DROP    # SMTP
iptables -I DOCKER-USER -s 172.30.0.0/24 -d 172.18.0.0/16 -j DROP     # prod network
iptables -A DOCKER-USER -s 172.30.0.0/24 -j ACCEPT                    # allow the rest

Adapt the subnets to your own networks. Questions? contact@paulhitt.com.

The layout

Each app is a container; Traefik routes them by subdomain; a shared Postgres backs the data; Let's Encrypt handles every cert. The whole suite lives in version-controlled compose files, so the box is reproducible.

Isolation where it counts

"One box" doesn't mean "one blast radius." Untrusted or experimental workloads get their own network segments and egress rules, so a problem in one place can't wander into another. Prod apps, the media stack, and the retro lab share metal but sit in separate lanes.

Operationally calm

One place to deploy, one to back up, one to look when something's off. Vertical beats horizontal until you genuinely outgrow the machine — and a modern VPS holds a lot before you do.

The least glamorous architecture decision I've made, and one of the best.

The principle

Never point BI at your app's main database user. Create a dedicated role that can read and nothing else:

CREATE ROLE metabase_ro LOGIN PASSWORD '********';
GRANT USAGE ON SCHEMA public TO metabase_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO metabase_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO metabase_ro;

The row-level-security wrinkle

My tables have row-level security policies written for the app's auth context, not a reporting role — so a plain read-only role would see almost nothing. Granting the role BYPASSRLS lets it read every row for analytics while still being unable to write. A deliberate trade: the BI role sees all data, but physically cannot mutate it.

Connecting

Metabase runs in its own container with its own metadata database and connects out as metabase_ro. Dashboards build against real data; a compromised Metabase can, at worst, read.

What's play-by-mail?

PBM had a golden age from roughly 1983 to 1995 — games like Alamaze, VENOM, and Land of Karrus, played by submitting written orders each week and receiving a narrative report of what happened across the whole world. Slow, social, deeply strategic. Nothing digital has quite replaced it.

What Ironfall is

Twelve to twenty-four players, one of eight asymmetric factions each (the Iron Legion, the Stormcallers, the Duskborn, and more), thirty-plus weekly turns. Each turn you submit orders — where armies move, what your Heroes quest for, who you ally with, what daring special action you attempt — and the GM (human or AI-assisted) resolves everyone's orders simultaneously and writes you a story back. A living, procedurally-seeded map, fog of war, ancient vaults, and an Ironfall Clock ticking toward world-reshaping Cataclysms. Win by Conquest, Ascension, Accord, or Legacy.

A real design pedigree

It's distilled from a deep dive through Paper Mayhem archives — the leading PBM magazine of the genre's golden age — borrowing the best ideas from the classics and tuning them for modern email and, eventually, a web portal.

Want to play?

The design is complete and ready to playtest. A seat in a live Ironfall campaign is the top membership tier — see the Join page. Command a faction, send your orders, and find out what the patient, narrative style of PBM does that no app can.

Exporting from WordPress

The cleanest path is the official @tryghost/migrate tool, which reads the WordPress REST API and produces a Ghost-importable bundle — posts, pages, tags, authors, and downloaded images:

migrate wp-api --url https://example.com --pages true

First gotcha: the tool needs Node 22+ (it uses the built-in node:sqlite module). Node 20 throws ERR_UNKNOWN_BUILTIN_MODULE.

Importing into Ghost

Second gotcha: don't feed the zip to Ghost's importer — extract the ghost-import.json and POST that to /ghost/api/admin/db/. The zip silently imports nothing. Images get copied into Ghost's content folder separately.

The 2FA wall

Ghost 5 emails a verification code on admin sign-in. With no SMTP configured yet, the session endpoint just returns 500. If you're automating against a fresh install, disable staffDeviceVerification until mail is wired up.

The rest — editing posts and pages — is all ?source=html on the Admin API, which converts your HTML into Ghost's native format. Past the gotchas, Ghost is a genuinely pleasant thing to script against.

It's slow by modern standards: one hero, one enemy at a time, lots of grinding levels in the fields outside Tantegel Castle. But it taught a generation the loop — fight, gain levels, buy better gear, push a little farther — and the joy of finally being strong enough to face the Dragonlord.

It walked so Final Fantasy could run. A foundational cartridge, and a clever giveaway that paid off for decades.

It forces you to think about movement completely differently, and once it clicks, the swinging feels incredible. The game is also surprisingly dark for its era, with a famously explosive ending involving a certain WWII dictator that the localization didn't entirely sand off.

Inventive, tough, and unlike anything else on the system. The no-jump gimmick should have been a limitation; instead it's the whole appeal.

Share the foundation

Every product sits on the same foundation: a common auth and data layer, a shared component library, one deployment pipeline. A new product isn't a new stack — it's a new app on rails that already exist.

One box, many fronts

They all run as containers on the same infrastructure (the stack), each routed by hostname. Adding a product is a compose service and a subdomain, not a new server.

Boring on purpose

The only way to hold this much surface area solo is to be ruthless about consistency — same patterns, same libraries, same conventions everywhere — so switching between products is cheap. The interesting work goes into the products; the plumbing is deliberately uniform.

Shared foundations turn "ten products" into "one platform with ten faces."

By 1994 the NES was well past its prime — the SNES had long since taken over — so this sequel arrived quietly, a late entry many players missed entirely. That makes it a neat curio: a polished continuation of the cult original, released almost out of time.

It keeps the top-down action-adventure feel of the first game while sending Mike everywhere from ancient Egypt to the Wild West. A charming, overlooked footnote to the NES story.

And then there was Bo Jackson. His in-game stats were so absurd that a skilled player could reverse-field the entire defense and run for a touchdown every single play. "Tecmo Bo" is a legend unto himself.

Deep, replayable, and endlessly argued over at sleepovers. People still run Tecmo Super Bowl leagues today. That's staying power.