Table of Contents
- Architecture overview
- Deploy
- Deploy steps
- Static sites and bots
- Logs and rebuild
- Security
- Conclusion
I built tinchost.uz a while back. People were using it. It was just for hosting static sites. I was experimenting and built this system out of my idle laptop just to make use of it. Nowadays tinchost.uz is on pause. But back then I really liked it.
Now I decided to take it further. I wanted a proper cloud platform. Not just static sites — I wanted to support backend projects, bots, anything that can run in a container-like environment.
That's how shitob.cloud was born.
Architecture overview
The whole system runs on a single NixOS server. NixOS is perfect for this because the entire system configuration is declarative and reproducible. The stack:
- NixOS — base operating system, declarative config
- systemd — process management + sandboxing
- nginx — reverse proxy, SSL termination
- Git — deploy via git push
- Custom API — orchestration layer
Deploy
Every project gets its own systemd service. When a user pushes their code, the system:
- Pulls the latest code from the git repo
- Detects the project type (static, Python, Node, etc.)
- Builds the project
- Creates/updates a systemd service
- Configures nginx to proxy the subdomain to the service
Deploy steps
The deploy pipeline is straightforward:
git push → webhook → detect type → build → create systemd unit → reload nginx
Each service runs in its own systemd sandbox with restricted filesystem access, no root privileges, and limited network capabilities.
Static sites and bots
For static sites, the build output is served directly by nginx. No running process needed — just files on disk behind a reverse proxy.
For bots (like Telegram bots), the system creates a long-running systemd service that stays alive and restarts on failure.
Logs and rebuild
All build logs and runtime logs are captured through journald. Users can view their logs through the dashboard. Rebuilds can be triggered manually or automatically on git push.
Security
Each project runs in a sandboxed systemd unit with:
- DynamicUser=yes — ephemeral user per service
- ProtectSystem=strict — read-only filesystem
- PrivateTmp=yes — isolated /tmp
- NoNewPrivileges=yes — no privilege escalation
- Restricted network access and capabilities
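The following is an added illustration of the deploy pipeline and of the sandboxed unit described in the Security section; it is not the shitob.cloud code. It takes the file listing of a pushed checkout, detects the project type, and renders the systemd unit (with the hardening directives above, plus `CapabilityBoundingSet=`, `RestrictAddressFamilies=` and `StateDirectory=` as one concrete way to do "restricted network access and capabilities" with a read-only root) and the nginx server block. The marker files, the `/srv/projects` layout, the entry points, the port scheme and the `<name>.shitob.cloud` mapping are all assumptions; the project name is validated because it is user input that ends up inside both config files.

```python
"""Toy deploy step: detect project type, render a sandboxed systemd unit
and an nginx server block. Added example, not the platform's own code;
paths, marker files and entry points are assumptions."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, Optional

PROJECT_ROOT = "/srv/projects"   # assumed checkout location (must be readable by the dynamic user)
DOMAIN = "shitob.cloud"          # subdomain suffix used by the platform

# Directives from the Security section, plus three that make them practical:
# an empty capability set, no AF_UNIX/AF_NETLINK sockets, and one writable
# state directory so the service can keep data despite ProtectSystem=strict.
HARDENING = [
    "DynamicUser=yes",                    # ephemeral user per service
    "ProtectSystem=strict",               # read-only filesystem
    "ProtectHome=yes",
    "PrivateTmp=yes",                     # isolated /tmp
    "NoNewPrivileges=yes",                # no privilege escalation
    "CapabilityBoundingSet=",             # drop every capability
    "RestrictAddressFamilies=AF_INET AF_INET6",
    "StateDirectory=%N",                  # writable /var/lib/<unit-name> only
]

@dataclass
class Project:
    name: str                    # user-chosen; becomes subdomain label and unit name
    kind: str                    # "static" | "python" | "node"
    port: Optional[int] = None   # None for static sites and bots
    is_bot: bool = False         # long-running process with no HTTP endpoint

def is_valid_name(name: str) -> bool:
    """Only a DNS-label-safe subset: no '/', '..', spaces or nginx/systemd syntax."""
    return re.fullmatch(r"[a-z0-9](?:[a-z0-9-]{0,30}[a-z0-9])?", name) is not None

def validate_name(name: str) -> str:
    if not is_valid_name(name):
        raise ValueError(f"invalid project name: {name!r}")
    return name

def detect_type_from_files(names: Iterable[str]) -> str:
    """Assumed detection rules based on marker files in the checkout root."""
    names = set(names)
    if "package.json" in names:
        return "node"
    if names & {"requirements.txt", "pyproject.toml"}:
        return "python"
    if "index.html" in names:
        return "static"
    raise ValueError("cannot detect project type")

def detect_type(checkout: str) -> str:
    return detect_type_from_files(os.listdir(checkout))

def render_unit(p: Project) -> Optional[str]:
    """systemd unit for projects that need a process; static sites get none."""
    validate_name(p.name)
    if p.kind == "static":
        return None
    workdir = f"{PROJECT_ROOT}/{p.name}"
    exec_start = {  # assumed entry points per project type
        "python": f"{workdir}/.venv/bin/python main.py",
        "node": "/run/current-system/sw/bin/node server.js",
    }[p.kind]
    lines = ["[Unit]", f"Description=project {p.name}", "After=network.target", "",
             "[Service]", f"WorkingDirectory={workdir}", f"ExecStart={exec_start}",
             "Restart=always",            # bots and services restart on failure
             "RestartSec=2"]
    if p.port is not None:
        lines.append(f"Environment=PORT={p.port}")   # service binds to this port
    lines += HARDENING
    lines += ["", "[Install]", "WantedBy=multi-user.target", ""]
    return "\n".join(lines)

def render_nginx(p: Project) -> Optional[str]:
    """Serve files directly for static sites, proxy to the port otherwise."""
    validate_name(p.name)
    if p.is_bot:
        return None                       # bots expose nothing over HTTP
    if p.kind == "static":
        body = [f"    root {PROJECT_ROOT}/{p.name}/dist;"]   # build output (assumed dir)
    else:
        if p.port is None:
            raise ValueError("a service project needs a port")
        body = ["    location / {",
                f"        proxy_pass http://127.0.0.1:{p.port};",
                "        proxy_set_header Host $host;",
                "        proxy_set_header X-Forwarded-For $remote_addr;",
                "    }"]
    return "\n".join(["server {", "    listen 80;  # TLS termination directives omitted here",
                      f"    server_name {p.name}.{DOMAIN};", *body, "}", ""])

def plan_deploy(name: str, checkout_files: Iterable[str],
                port: Optional[int] = None, is_bot: bool = False) -> dict:
    """One pushed project -> the artefacts the orchestration layer writes out."""
    p = Project(validate_name(name), detect_type_from_files(checkout_files), port, is_bot)
    return {"kind": p.kind, "unit": render_unit(p), "nginx": render_nginx(p)}

if __name__ == "__main__":
    plan = plan_deploy("api", ["requirements.txt", "main.py"], port=8001)
    print(plan["unit"]); print(plan["nginx"])
```

Running the file prints the unit and server block for a constructed Python service on port 8001. Two points worth keeping from it: static sites produce no unit at all, which is the smallest possible attack surface, and a bot produces a unit but no nginx block, so nothing reaches it from the outside. `StateDirectory=` is the usual way to give a `ProtectSystem=strict` service its one writable directory; without it the first write to disk fails with EROFS.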
Conclusion
Shitob Cloud currently hosts 150+ websites from 50+ users. The NixOS + systemd combination gives you a surprisingly powerful platform without needing Docker, Kubernetes, or any complex orchestration. Sometimes the simplest tools are the most effective.