Server & Infrastructure: Ubuntu, Docker, monitoring – set up, hardened, handed over
Your own server on Hetzner or DigitalOcean. Ubuntu 24.04, Docker, nginx, SSL, Fail2ban, CrowdSec, monitoring. Fixed price from CHF 1,200.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What does the server setup cover?
We set up your server – hardware selection, OS installation, firewall, Docker, reverse proxy with SSL, monitoring and backup. Hardened to current standards, documented, handed to you. The server runs on your account (Hetzner, DigitalOcean or another EU provider of your choice), not on ours. This is part of the data-protection promise: we have no co-account, no master password, no back door.
The standard build includes: Ubuntu 24.04 LTS (server edition), UFW firewall with restrictive defaults, Fail2ban against SSH brute force, CrowdSec with community threat intel, Docker and Docker Compose, nginx as reverse proxy, Let's Encrypt certificates via Certbot with auto-renewal, automatic security updates (unattended-upgrades), and on request a monitoring stack (Prometheus, Grafana, Loki or Uptime Kuma).
Variants: Basic (CHF 1,200) with the baseline build and docs. Plus monitoring (CHF 1,700) with a Grafana dashboard and Telegram or email alerts. Plus offsite backup (CHF 2,200) with encrypted daily backup to a second location. Hardening & security audit (CHF 1,400) as a separate module when the server already runs and only an inspection is needed.
Server rental costs run directly on your account – typically CHF 30 to 120 per month depending on size. We recommend, advise and configure – but the invoice goes from Hetzner to you, not via us.
Why owned infrastructure
Three reasons stand behind the "own server" recommendation over a pure SaaS cloud.
First: data location. Hetzner data centres sit in Falkenstein and Nuremberg (EU-DE), Helsinki (EU-FI) and, more recently, Singapore. DigitalOcean offers Amsterdam and Frankfurt. Anyone processing client data or bound by professional secrecy (fiduciary, lawyer, doctor) can sidestep the revDSG data-export debate with an EU server, which a US SaaS solution does not allow.
Second: cost control. A dedicated Hetzner AX42 (8-core AMD Ryzen 7, 64 GB RAM, 2 NVMe) costs around EUR 50 per month. A comparable cloud VM with equivalent load would be three to five times that at AWS or Azure. For AI workloads – which need lots of RAM and CPU – the gap is dramatic.
Third: vendor lock-in. A server on Ubuntu with Docker is portable. If you switch from Hetzner to OVH or Infomaniak tomorrow, we move the containers in half a day. With a SaaS solution you either have it or you do not – switching means a new project.
And finally: hardening. A freshly installed Hetzner server stands open on the internet and faces SSH login attempts within minutes. Without Fail2ban and CrowdSec that is an open door. CrowdSec has been collecting attack IPs across its community network since 2020 and shares them – your server benefits from attacks others have already blocked.
How the setup runs
The setup runs in five blocks, across two to five days depending on the variant.
Block 1 – Hardware and provider: We jointly set the server size – typically a Hetzner AX line for AI workloads, an EX line for low-overhead setups, or a DigitalOcean droplet for small pilots. You order the server on your account; we receive setup access.
Block 2 – Base install: Ubuntu 24.04 LTS freshly installed, automatic security updates active, root login disabled, SSH key authentication enforced, password login off, a new admin user with sudo. UFW firewall: closed by default except SSH (moved to a non-standard port), HTTP and HTTPS.
Block 3 – Security layer: Fail2ban against SSH brute force (3 failed tries, 24h ban). CrowdSec with the nginx bouncer and SSH scenario. Cron-driven auto-updates of CrowdSec hub scenarios. Optional Cloudflare connection with origin cert, so the Hetzner server never answers the world directly.
Block 4 – Application layer: Docker and Docker Compose installed, nginx configured as reverse proxy, Certbot with Let's Encrypt and auto-renewal set up. Logrotate, cron, systemd timers. A health-check endpoint per service, pinged externally by Uptime Kuma.
Block 5 – Monitoring and handover: For the "+ monitoring" variant: Prometheus with node_exporter, Grafana with pre-built dashboards (CPU, RAM, disk, network, container health), Loki for log aggregation, alerts via Telegram or email. Handover: documentation PDF with credentials, architecture diagram, runbook for the most common incidents.
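One way to verify the Block 2 SSH baseline after setup, as an added example (not code from this page or from DuneDive): the function audits the effective configuration in the format printed by `sshd -T` rather than the file that was edited, because sshd keeps the first value it reads for each keyword and a file under `/etc/ssh/sshd_config.d/` can therefore override the main config. The function name `audit_sshd`, both sample inputs and port 49222 are constructed for illustration.

```sh
#!/bin/sh
# Added example: check effective sshd settings against the Block 2 baseline.
# Real use, as root:  sshd -T | audit_sshd

# Reads `sshd -T` style "keyword value" lines on stdin, prints one FAIL line
# per deviation, returns 0 if the baseline is met and 1 otherwise.
audit_sshd() {
    awk '
        function check(k, v) {
            if (!(k in got))      { printf "FAIL %s not in input\n", k; bad++ }
            else if (got[k] != v) { printf "FAIL %s is %s, want %s\n", k, got[k], v; bad++ }
        }
        NF >= 2 { got[$1] = $2 }
        # sshd -T prints one "port" line per listening port.
        $1 == "port" && $2 == "22" { std = 1 }
        END {
            check("permitrootlogin", "no")          # root login disabled
            check("passwordauthentication", "no")   # password login off
            check("pubkeyauthentication", "yes")    # SSH key authentication
            if (!("port" in got)) { print "FAIL port not in input"; bad++ }
            else if (std)         { print "FAIL sshd still listens on port 22"; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample: the main sshd_config was edited, but a drop-in file that
# is read first still enables passwords, and the port was never moved.
SAMPLE_DRIFTED='port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: baseline met (49222 is an arbitrary example port).
SAMPLE_HARDENED='port 49222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_DRIFTED"  | audit_sshd || echo "drifted host: baseline NOT met"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd && echo "hardened host: baseline met"
```

Run it again after any package upgrade or cloud-init change that can add files to `/etc/ssh/sshd_config.d/`.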
Setup workflow in 6 steps
- 01 Pick provider and hardware: Hetzner AX/EX/GEX or DigitalOcean, by RAM and CPU need.
- 02 Server ordered on your account, access window granted for the setup.
- 03 Base install: Ubuntu 24.04 LTS, SSH key-only, UFW firewall, new admin user.
- 04 Security layer: Fail2ban, CrowdSec with community threat intel, automatic security updates.
- 05 Application layer: Docker, nginx, Certbot with Let's Encrypt, reverse-proxy config.
- 06 Monitoring and handover: Grafana dashboards (optional), docs PDF, runbook, credentials in your vault.
When to use owned infrastructure
Owned infrastructure pays off when (a) you process sensitive data that should not go to a US SaaS provider, (b) you run AI workloads with an unclear cost shape (LLM inference, vector DB, embedding pipelines), (c) you want to combine several services (RAG, n8n, bot backend, document store), or (d) you need a controlled environment for compliance requirements.
Concrete cases: a fiduciary with a RAG pilot on client files – data must stay in the EU, the data flow must be documentable. An SME with 30 n8n workflows – on n8n Cloud the workflow count is a pricing factor, self-hosted it does not matter. A law firm with professional-secrecy data – a US SaaS is delicate here under Art. 321 SCC, an EU server with encryption is far more controllable.
For AI workloads the rule is: from roughly 50 GB RAM upwards, cloud becomes expensive. Hetzner offers up to 1,024 GB RAM in the GEX line at costs that would be 4 to 6 times higher at AWS/Azure. Anyone running a local language model (Ollama, vLLM) or a large vector DB has no real path past dedicated hardware.
When not
Owned infrastructure is the wrong choice when (a) you only want a pure SaaS solution and no layer of your own, (b) your data volume is so small that a cloud function is enough (e.g. 5 GB of documents, 50 queries per day), or (c) you have no one in-house who fundamentally understands SSH and Docker.
The third point is the most common. An owned server needs someone in the business who reads the docs and can react in an emergency – or a managed-service contract that takes on that role. Anyone with neither is better off with a curated SaaS solution. "Put the server up and forget" does not work.
Equally wrong is the owned server when you need top-tier availability (99.99 percent, multi-region failover). A single Hetzner dedicated server delivers around 99.9 percent – that is 9 hours of downtime per year in the worst case. Anyone who cannot accept that needs a cloud with auto-failover or a multi-server setup with load balancing – a different price tier.
Trade-offs
STRENGTHS
- Data location in EU or Switzerland, revDSG-compatible
- 3 to 5x cheaper than equivalent cloud VMs for AI workloads
- Portable: Docker containers move to another provider in half a day
- CrowdSec community blocks attackers already reported by others
- Fixed price from CHF 1,200 – no consulting-hours trap
WEAKNESSES
- Needs someone in your business who can read the docs – or a managed-service contract
- A single dedicated machine delivers about 99.9 percent availability, not multi-region HA
- Server rental runs directly on your account – you own the provider relationship
- A setup window is needed – not "ordered today, live today"
FAQ
Hetzner or DigitalOcean – what do you recommend?
Hetzner for RAM-heavy workloads (AI inference, vector DB) and cost sensitivity. DigitalOcean for simple setups when you want their managed DBs or Spaces (object storage). For 80 percent of our mandates Hetzner is the right call – EU data centres, good price-performance, established community docs.
What happens if the server goes down?
On a Hetzner dedicated machine that is usually hardware failure or network trouble. Hetzner replaces broken hardware within 4 to 24 hours. With "+ offsite backup" we restore the server during that window on a spare machine – to the last daily backup state. With Managed Service Pro the response time is defined (see managed service module).
Who has access to the server afterwards?
You. By default all access goes to you – the Hetzner account password was never with us, and the SSH key is switched to yours during setup. If you book Managed Service we keep a separate admin account with an audit log – otherwise not. At handover our access closes.
Do I also need Cloudflare?
Recommended, not mandatory. Cloudflare blocks DDoS, accelerates static content via CDN and hides the Hetzner IP. The free plan costs nothing and almost always pays off. During setup we configure origin certs so the Hetzner server only accepts connections via Cloudflare – that largely shuts down direct attacks on the IP.