Cattle-not-Pets Operations Practices for Domestic Lightweight Cloud Servers

What Are “Cattle, Not Pets”?

In traditional operations, servers are treated like pets: carefully configured, manually maintained, and irreplaceable. In modern operations, servers are treated like cattle: standardized, disposable, and automatically rebuilt.

For a lightweight cloud server costing just ¥40/month, the “cattle” mindset is especially critical: let it lapse at expiration instead of renewing it, which is only safe if no data is ever stored on it.

Our Practice

Server Purpose

A Tencent Cloud lightweight server (Guangzhou region, 2 vCPUs / 2 GB RAM / 50 GB disk, Debian 12), used for:

  • Forgejo Runner (CI execution node)
  • Uptime Kuma (service monitoring)
  • node-exporter (metrics collection)
  • Cloudflare Tunnel (to bypass ICP filing requirements)

Core Principles

  1. No Critical Data Stored: All persistent data resides on NAS or in Git repositories; the server serves only as a compute node.
  2. One-Click Rebuild via Ansible: The entire server configuration is managed using Ansible roles—running the playbook on a fresh machine fully restores the environment.
  3. Automated Security Baseline: swap, nftables, fail2ban, and unattended-upgrades are all configured automatically.
  4. Externalized Monitoring: Uptime Kuma is exposed via Cloudflare Tunnel—monitoring data remains accessible even if the server goes offline.

Ansible Role Design

roles/remote-relay/
  defaults/main.yml    # Variables (e.g., memory limits, ports, feature toggles)
  tasks/main.yml       # 14-step deployment workflow
  handlers/main.yml    # Service restarts
  templates/           # systemd unit files, firewall rules

Key design considerations:

  • Each service enforces strict memory limits (critical on a 2 GB machine).
  • Services can be enabled/disabled via variables (e.g., relay_gost_enabled).
  • Idempotent: Playbooks may be safely re-run without side effects.

Security Configuration

Even for disposable machines, security is non-negotiable:

  • nftables allows only SSH and essential ports.
  • fail2ban prevents brute-force attacks.
  • unattended-upgrades applies security patches automatically.
  • 1 GB swap space mitigates out-of-memory (OOM) failures.
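As an added example (not the author's actual role), here is what a tasks/main.yml excerpt for a role shaped like roles/remote-relay/ could look like, covering the swap, nftables, memory-limit and feature-toggle points from the role design and security baseline above. The variable names relay_swap_size, relay_allowed_tcp_ports and relay_uptime_kuma_memory_max, the template file names and the handler names are assumptions (relay_gost_enabled is the page's own toggle), and the handlers are assumed to live in handlers/main.yml.

```yaml
# Added example, not the author's role; variable, template and handler names are assumptions.
- name: Install the security baseline packages
  ansible.builtin.apt:
    name: [nftables, fail2ban, unattended-upgrades]
    state: present

- name: Create and activate the 1 GB swap file (skipped on re-runs once /swapfile exists)
  ansible.builtin.shell: |
    set -e
    fallocate -l {{ relay_swap_size }} /swapfile
    chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile
  args:
    creates: /swapfile

- name: Keep swap enabled across reboots (fstab entry, idempotent)
  ansible.posix.mount:
    src: /swapfile
    path: none
    fstype: swap
    opts: sw
    state: present

- name: Deploy the nftables ruleset (SSH plus the ports in relay_allowed_tcp_ports)
  ansible.builtin.template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    validate: nft -c -f %s   # reject a broken ruleset before it can lock us out
  notify: reload nftables

- name: Create the drop-in directory for the Uptime Kuma unit
  ansible.builtin.file:
    path: /etc/systemd/system/uptime-kuma.service.d
    state: directory

- name: Cap Uptime Kuma memory with a systemd drop-in (critical on a 2 GB host)
  ansible.builtin.copy:
    dest: /etc/systemd/system/uptime-kuma.service.d/memory.conf
    content: |
      [Service]
      MemoryMax={{ relay_uptime_kuma_memory_max }}
  notify:
    - reload systemd
    - restart uptime-kuma

- name: Deploy the gost relay unit only when its feature toggle is on
  ansible.builtin.template:
    src: gost.service.j2
    dest: /etc/systemd/system/gost.service
  when: relay_gost_enabled | bool
  notify: restart gost
```

Every task is safe to re-run: apt, mount, template and copy report "changed" only when the target differs, and the swap task is guarded by creates, so the playbook can be replayed on an existing instance or a fresh one with the same result.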

Handling Network Restrictions

Network limitations on domestic servers:

  • GitHub: Unreachable → proxied via Cloudflare Workers
  • DockerHub: Unreachable → use Tencent Cloud Container Registry mirror + Cloudflare Workers proxy
  • PyPI / npm: Accessible
  • ghcr.io: Accessible

Network connectivity is tested in advance, and results are recorded in Ansible variables to prevent deployment pitfalls.

Cost Efficiency

  • A ¥40/month server runs four services concurrently.
  • All external exposure leverages Cloudflare’s free services (Tunnel + Workers).
  • Upon expiration: rebuild onto a new instance using Ansible—full recovery in under 10 minutes.
  • No irreplaceable data exists on the server.

Summary

Low-cost cloud servers are ideal for the “cattle” mindset: automated provisioning, zero local data persistence, and full disposability. Invest effort into robust Ansible roles and Cloudflare’s free offerings—not manual server maintenance.