Admin Box Provisioning & Service Architecture
This document details the architectural decisions and implementation steps for the initial "Admin Box". This instance serves as the primary control plane for local operations and hosts the prototype application.
1. Architectural Decisions
Compute Layer: Proxmox LXC
- Decision: Use Linux Containers (LXC) instead of Virtual Machines (VM).
- Context: The host hardware is resource-constrained (Ryzen 5, limited RAM).
- Justification: LXC containers share the host kernel, resulting in significantly lower memory overhead and faster boot times.
Process Management: Systemd
- Decision: Manage the application using native Systemd Unit Files.
- Justification:
  - Resilience: Automatic restart policies (Restart=on-failure) ensure high availability without external supervisors.
  - Observability: Native integration with journald captures stdout/stderr logs automatically.
  - Standardization: Uses the standard Linux init system, reducing dependency on third-party tools.
2. Implementation Details
User & Security Context
The application runs under a dedicated, unprivileged service user to adhere to the Principle of Least Privilege.
* User: adminsetup
* Home: /home/adminsetup
* Authentication: SSH Key-only (Password authentication disabled via setup_me.sh).
Service Configuration
The FastAPI application is deployed within a Python Virtual Environment (.venv) to ensure dependency isolation from the system Python.
File Path: /etc/systemd/system/status-api.service
[Unit]
Description=Status API
After=network.target
# Start rate limiting (systemd reads these keys from [Unit])
StartLimitIntervalSec=60
StartLimitBurst=5
[Service]
# User & Group
User=adminsetup
Group=adminsetup
# Working Directory
WorkingDirectory=/home/adminsetup/infrastructure-lab
# Environment
Environment="APP_ENV=production"
# Python interpreter from the virtual environment
ExecStart=/home/adminsetup/infrastructure-lab/.venv/bin/python app.py
# Restart Logic
Restart=on-failure
RestartSec=5s
# Security Hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
ReadWritePaths=/home/adminsetup/infrastructure-lab
[Install]
WantedBy=multi-user.target
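As an added example (not part of the original setup or of setup_me.sh), the following Python script audits a unit file for the hardening values used above and for start-limit keys placed outside [Unit]. SAMPLE_UNIT is constructed for illustration, the names audit_unit, REQUIRED and UNIT_ONLY are hypothetical, and the rule that ReadWritePaths must stay inside WorkingDirectory is an assumed policy of this example.

```python
import configparser

# Constructed sample: the page's directives, with the start-limit keys left in
# [Service] so the placement check has something to report.
SAMPLE_UNIT = """\
[Unit]
Description=Status API
[Service]
User=adminsetup
WorkingDirectory=/home/adminsetup/infrastructure-lab
ExecStart=/home/adminsetup/infrastructure-lab/.venv/bin/python app.py
Restart=on-failure
StartLimitIntervalSec=60
StartLimitBurst=5
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
ReadWritePaths=/home/adminsetup/infrastructure-lab
"""

# Hardening values used by the unit on this page.
REQUIRED = {"NoNewPrivileges": "true", "ProtectSystem": "strict",
            "ProtectHome": "read-only", "PrivateTmp": "true"}
# Start rate-limit keys are [Unit] settings in current systemd.
UNIT_ONLY = ("StartLimitIntervalSec", "StartLimitBurst")

def audit_unit(text):
    """Return findings for a simple unit file (repeated keys: last one wins)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case; systemd keys are case-sensitive
    cp.read_string(text)
    svc = cp["Service"] if cp.has_section("Service") else {}
    findings = []
    if svc.get("User", "root") in ("root", "0"):
        findings.append("service runs as root")
    for key, want in REQUIRED.items():
        val = svc.get(key, "").strip().lower()
        if ("true" if val in ("yes", "1", "on") else val) != want:
            findings.append(f"{key} should be {want}")
    findings += [f"{key} belongs in [Unit]" for key in UNIT_ONLY if key in svc]
    # Assumed policy of this example: writable paths stay inside WorkingDirectory.
    base = svc.get("WorkingDirectory", "").rstrip("/")
    for path in svc.get("ReadWritePaths", "").split():
        if not base or (path != base and not path.startswith(base + "/")):
            findings.append(f"ReadWritePaths entry outside WorkingDirectory: {path}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_unit(SAMPLE_UNIT)) or "no findings")
```

On the host itself, systemd-analyze verify and systemd-analyze security report on the installed unit directly.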
3. Verification & Operational Status
The following checks verify the correct deployment and operational state of the service.
Service Status
Verify that the Systemd unit is loaded and active.
Command:
sudo systemctl status status-api
Output:
status-api.service - Status API
Loaded: loaded (/etc/systemd/system/status-api.service; enabled; preset: enabled)
Active: active (running) since Mon 2026-02-16 14:35:00 CET; 10min ago
Main PID: 1823 (python)
Tasks: 1 (limit: 37143)
Memory: 45.2M
CPU: 120ms
CGroup: /system.slice/status-api.service
└─1823 /home/adminsetup/infrastructure-lab/.venv/bin/python app.py
Application Response
The application expects the APP_ENV variable to be injected by Systemd. We verify this by curling the local endpoint.
Command:
curl localhost:8000
Output:
{"message":"Hello from the Infrastructure Lab!","env":"production"}