The Stack Behind mynuggets.dev
A privacy-first, self-hosted platform built with modern tooling. Next.js, FastAPI, Docker, and PostgreSQL — deployed to an Unraid home-lab with security hardening and automated pipelines.
Built for Privacy & Speed
Every architectural decision centers on protecting user data while maintaining developer experience and operational simplicity.
Unified Platform
Main, Tech, FitNuggys, Mental Health, Admin, and Analytics run as isolated Next.js apps alongside the Diabetes service — all on a shared Docker network.
Privacy by Design
No third-party analytics. Sensitive health data is stored only in your self-hosted database, and access is restricted per user/session.
Security Hardened
HSTS, CSP, XFO, nosniff, CORS/CSRF protection. Credentials never stored or logged on the server.
One-Command Deploy
Node-based deployer pushes to Unraid via SSH. Supports full or per-service incremental deploys with health checks.
System Overview
A layered architecture designed for separation of concerns, security boundaries, and operational simplicity.
Frontend Layer
App Router, static + dynamic rendering, strict typing across all apps.
Backend Services
Python microservice bridges LibreLinkUp API. Next.js API routes handle proxying and sanitization.
Data Layer
Postgres stores contact submissions, admin auth, diabetes users/accounts/readings, and the Analytics demo schema (seeded mock business data). No third‑party tracking; data stays self‑hosted.
Infrastructure
Multi-stage builds, unified stack, reverse proxy with security headers, self-hosted.
Defense in Depth
Multiple layers of protection at every level — from transport to storage, with privacy as the default, not an afterthought.
Zero Credential Storage
Credentials never hit our servers. LibreLinkUp login handled client-side with token-only session refresh.
Transport Security
HSTS max-age 1 year, strict CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin.
CORS & CSRF
No wildcard origins with credentials. Same-origin enforcement for admin APIs. Proper preflight handling.
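The header values and the CORS rule listed under Transport Security and CORS & CSRF can be checked against a captured response. The following is an added example, not the site's own code: `auditHeaders`, the sample responses, and the reading of "strict CSP" as "no 'unsafe-inline' or 'unsafe-eval' script sources" are assumptions.

```javascript
// Added example: audit response headers against the values this page lists.
// Header names are standard; function name and sample data are constructed.
const ONE_YEAR = 31536000; // "HSTS max-age 1 year", in seconds

function auditHeaders(raw) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(raw)) h[k.toLowerCase()] = String(v).trim();
  const get = (name) => (h[name] || '').toLowerCase();
  const findings = [];

  const hsts = /max-age=(\d+)/.exec(get('strict-transport-security'));
  if (!hsts) findings.push('hsts: missing');
  else if (Number(hsts[1]) < ONE_YEAR) findings.push('hsts: max-age below 1 year');

  const csp = get('content-security-policy');
  if (!csp) {
    findings.push('csp: missing');
  } else {
    // Assumption: "strict" means no unsafe-inline/unsafe-eval for scripts.
    const directives = csp.split(';').map((d) => d.trim());
    const script = directives.find((d) => d.startsWith('script-src ')) ||
      directives.find((d) => d.startsWith('default-src '));
    if (!script) findings.push('csp: no script-src or default-src');
    else if (/'unsafe-(inline|eval)'/.test(script)) findings.push('csp: unsafe script source');
  }

  if (get('x-frame-options') !== 'deny') findings.push('xfo: not DENY');
  if (get('x-content-type-options') !== 'nosniff') findings.push('nosniff: missing');
  if (get('referrer-policy') !== 'strict-origin') findings.push('referrer-policy: not strict-origin');

  // "No wildcard origins with credentials."
  if (get('access-control-allow-origin') === '*' &&
      get('access-control-allow-credentials') === 'true') {
    findings.push('cors: wildcard origin with credentials');
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const hardened = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  'X-Frame-Options': 'DENY', 'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin',
  'Access-Control-Allow-Origin': 'https://app.example.test',
  'Access-Control-Allow-Credentials': 'true',
};
const weak = {
  'Strict-Transport-Security': 'max-age=86400', 'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff', 'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
};
```

Running `auditHeaders` in a deploy health check turns a missing or weakened header into a failed deploy rather than a silent regression.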
Data Sanitization
Responses from LibreLinkUp stripped of device metadata, internal IDs, and PII before reaching the client.
Minimal Data Retention
Only contact submissions and aggregate metrics stored. No medical readings, no user health data on server.
Container Isolation
Multi-stage builds, non-root runtime users, standalone Next.js output, service-level network isolation.
The Full Stack
Every tool chosen for a reason — performance, security, developer experience, or operational simplicity.
Interested in a similar stack?
Whether you need a privacy-focused application, a self-hosted solution, or help with Docker and DevOps — let's chat.