Friday, April 17, 2026
The Work You'll Never See
Two weeks of work. No hero features. No launch post, no feature banner, no "we're thrilled to announce." And yet — loads of stuff shipped. This is what fully managed actually looks like under the hood.
Start with what you'll see. The firewall's been there since day one, but only as infrastructure — hardcoded, iptables-based, secure but untouchable; the kind of "put something sensible in place and fix it later" decision you make early and live with. This sprint, the fix landed. New nftables-based implementation, aware of what each service exposes, with sensible defaults so you don't have to choose, and a UI on top for when you want control.
The part we're opinionated about: because strackt servers live on Nebula, you don't actually need SSH exposed to the public internet. If you still want it open — fair, you want to be able to log in without a VPN — you can now lock port 22 to a source allowlist. SSH only from your laptop's IP; closed to everyone else.
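What a port-22 source allowlist looks like in nftables, as an added example that is not strackt's generated ruleset. The table and set names, the overlay interface name `nebula1`, and the address `203.0.113.10` (a documentation address standing in for your laptop's IP) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not strackt's own configuration.
# All names and addresses below are assumptions or constructed values.

# Idempotent reload: make sure the table exists, drop it, then redefine it.
table inet example_fw
delete table inet example_fw

table inet example_fw {
    # Constructed allowlist; replace with the source address(es) you log in from.
    set ssh_allow_v4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10 }
    }

    chain input {
        # Default-deny: anything not accepted below is dropped.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP and ICMPv6 (path MTU discovery, neighbor discovery).
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # SSH over the Nebula overlay (interface name is an assumption).
        iifname "nebula1" tcp dport 22 accept

        # Weak form this replaces: "tcp dport 22 accept" (open to every source).
        # Allowlisted form: public SSH only from addresses in the set.
        # There is no IPv6 set here, so public SSH over IPv6 stays closed.
        ip saddr @ssh_allow_v4 tcp dport 22 accept

        # Rate-limited log of SSH attempts that will be dropped by the policy.
        tcp dport 22 limit rate 6/minute log prefix "ssh-denied: "
    }
}
```

Running `nft -c -f` on the file checks the syntax without applying it, which is worth doing before loading any rule that touches port 22 on a remote machine.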
Inside the app itself, the service picker, the source picker, and the connect modal grew up in parallel, each solving the same problem in slightly different shapes. This sprint we aligned them: one picker across confirm, edit, and connect. The visible change is a smoother experience; the underlying change is that we took away a lot of exceptions and standardised what's actually happening.
Underneath the UI, the quiet work: live service configuration — database users, credentials, settings — now runs over SSH, fast and direct, while the actual provisioning stays on NixOS where it belongs; service connections went TCP-only, which sounds small but is what makes migrations between servers clean instead of requiring a re-provision; server names got consistent across the app, so the name you see in the dashboard matches the name you'd type in your terminal; and we pinned databases to one running version of MariaDB's LTS line — no MySQL option, no version sprawl, one opinionated choice. These are the building blocks of keeping a system like strackt steady.
This is the boring reconfiguration work we do so you don't have to — the LTS upgrades you don't need to track, the server names you don't need to reconcile, the connection model you don't need to maintain. The kind of work that would otherwise pull you out of your code. That's the gap we close, with two weeks like this one. The majority of what strackt does, you'll never see — and when you come back to your server, this is the work that keeps it smooth.