Nixway: Self-Hosted PaaS for Cloud App Deployment
Discover Nixway, a self-hosted Platform-as-a-Service for automated cloud application deployment and infrastructure management using Go, gRPC, and WireGuard.
College of Electronic Technology — Tripoli
GRADUATION PROJECT DEFENSE · SPRING 2026
Nixway
A Self-Hosted Platform-as-a-Service System for Automated Cloud Application Deployment and Infrastructure Orchestration
An Operating System for Your Servers.
Prepared by:
Tamer Mohamed · 211513
Othman Elhadi · 211471
Supervisor: Eng. Amal Alnuri
Department of Software Engineering
PROBLEM STATEMENT
The Deployment Problem in 2026
Deploying software requires mastering an entire ecosystem — each discipline with its own tools, its own learning curve, and its own failure modes.
Making them work together is often harder than building the application itself.
Git / Version Control
CI/CD Pipeline
Docker / Containers
Networking / TLS
Monitoring / Alerts
Secrets / Config
THE DILEMMA
Two Bad Options
Commercial PaaS
Heroku, Railway, Render, Vercel
Easy to use
Great DX
Expensive at scale
Vendor lock-in
Limited control
Proprietary black box
Bare VPS
Cheap
Full ownership
No lock-in
Requires DevOps expertise
Manual setup of everything
Time-consuming maintenance
Security burden
The Gap — No good option exists
Cost
Control
Ownership
Operational Burden
LITERATURE REVIEW
Existing Solutions & Their Limits
Commercial PaaS (Heroku, Railway, Render, Vercel)
Excellent DX
High cost · Vendor lock-in
Kubernetes
Extremely powerful · Industry standard
Massive operational complexity · Not a PaaS
Docker Swarm
Simple setup
In maintenance mode · Limited features
Existing Self-Hosted PaaS (CapRover, Dokploy)
Free · Self-hosted
Built on Docker Swarm · Limited architecture · No modern features
No solution combines ownership, simplicity, and modern architecture.
[Figure: positioning chart. Axes: Ownership & Control (Low → High) and Developer Experience (Low → High). Plotted: Heroku/Railway, Kubernetes, CapRover/Dokploy, Nixway. Annotation: The Gap We Fill]
THE SOLUTION
Nixway — Proposed Solution
A self-hosted, multi-tenant PaaS. Install once. Scale forever. Own everything.
Install on VPS
Add Servers
Create Cluster
Connect GitHub
Auto Deploy
Live on HTTPS
No Manual Work
No Docker configuration
No Traefik setup
No Certbot / TLS
No WireGuard config
Multi-Tenant Platform
Control Plane + Agents
Multiple servers
Private clusters
Team isolation
Production-Grade
Zero-downtime deploys
Auto HTTPS
Live logs & metrics
Autoscaling
An Operating System for Your Servers.
SYSTEM DESIGN
System Architecture
Web Dashboard
(React + TypeScript)
CLI Tool
(Go)
CONTROL PLANE
REST API
(Go HTTP)
gRPC Service
+ Agent Hub
Background Worker
PostgreSQL
Redis
MinIO (S3)
Traefik (Edge)
VictoriaMetrics
Server 1
Server 2
Server 3
Agent
WireGuard Mesh
Bidirectional gRPC Stream (outbound from agent)
KEY ENGINEERING DECISION
The gRPC Bidirectional Stream
The architectural choice that enables everything.
Why This Matters
No inbound ports on managed servers
Works behind NAT & firewalls
Real-time push from control plane
Multiplexed: build + deploy + terminal share one stream
Correlation IDs for concurrent operations
Private keys never leave the host (WireGuard)
Reduced attack surface
Worker (Control Plane)
Agent (Managed Server)
1. Register(token) (one-shot enrolment)
2. RegisterResponse(identity)
3. Connect() (open persistent stream)
4. Heartbeat (periodic)
5. BuildCommand
6. BuildOutput chunks (streaming)
7. DeployCommand
8. DeployOutput
9. WireGuardApply
10. MeshHealthReport
One TCP connection · Many concurrent operations · Correlation IDs separate them
BIDIRECTIONAL STREAM
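How correlation IDs can keep concurrent build and deploy output apart on one stream, as an added Go example that is not Nixway's code. The Frame, Demux, Register, Dispatch and Simulate names and the op-N IDs are assumptions, and the constructed frames are fed in directly rather than read from a gRPC stream.

```go
package main

import "fmt"

// Frame is a hypothetical envelope for one message on the shared stream.
type Frame struct{ CorrelationID, Kind, Payload string }

// Demux routes frames from one stream to per-operation channels. Not
// goroutine-safe: confine it to the stream-reading goroutine or add a mutex.
type Demux struct {
	pending map[string]chan Frame
	dropped int // frames refused: unknown ID or full buffer
}

// Register opens a slot for an operation before its command is sent.
func (d *Demux) Register(id string) <-chan Frame {
	d.pending[id] = make(chan Frame, 8)
	return d.pending[id]
}

// Dispatch never blocks, so one slow operation cannot stall the others. An
// unregistered ID yields a nil channel, never ready, so default drops it.
func (d *Demux) Dispatch(f Frame) bool {
	select {
	case d.pending[f.CorrelationID] <- f:
		return true
	default:
		d.dropped++
		return false
	}
}

// Simulate pushes constructed, interleaved frames through one Demux.
func Simulate() (build, deploy string, dropped int) {
	d := &Demux{pending: map[string]chan Frame{}}
	b, p := d.Register("op-1"), d.Register("op-2")
	d.Dispatch(Frame{"op-1", "BuildOutput", "step 1;"})
	d.Dispatch(Frame{"op-2", "DeployOutput", "pull;"})
	d.Dispatch(Frame{"op-9", "BuildOutput", "stale;"}) // never registered
	d.Dispatch(Frame{"op-1", "BuildOutput", "step 2;"})
	for len(b) > 0 {
		build += (<-b).Payload
	}
	for len(p) > 0 {
		deploy += (<-p).Payload
	}
	return build, deploy, d.dropped
}

func main() { fmt.Println(Simulate()) }
```

Refusing frames whose ID was never registered keeps a peer from creating state on the receiver by sending arbitrary correlation IDs.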
METHODOLOGY
Development Methodology
Hybrid Waterfall + Agile · 22 Weeks · 2 Developers
Planning
Wk 1-2
Requirements
Wk 3-4
Research
Wk 5-6
System Design
Wk 7-9
Implementation
Wk 10-16
Testing
Wk 14-20
Documentation
Wk 18-21
Evaluation
Wk 21-22
Agile sprints inside each phase
22-Week Phased Rollout Timeline
Project Facts
Duration: 22 weeks
Team: 2 developers
Methodology: Hybrid Waterfall/Agile
Phases: 8 Distinct Stages
Tests: 173 automated
Iterative improvements throughout
TECHNOLOGY STACK
Technology Stack
Justified choices. Mature tools. Production-grade.
Backend
Go 1.25
Concurrency + static binary
Protocol Buffers
Efficient data serialization
PostgreSQL 16
Relational data + structured JSON
Redis 7
High-speed caching & state
Frontend
React 19
Component-driven UI
TypeScript
Strict type safety
TanStack Router
Type-safe routing
Tailwind CSS
Utility-first styling
Infrastructure
Docker Engine
Container orchestration
Traefik v3
Dynamic edge routing
MinIO
S3-compatible object storage
VictoriaMetrics
High-performance TSDB
Networking
WireGuard
Modern VPN, private keys on host
CoreDNS
Internal service discovery
Let's Encrypt
Automated TLS certificates
Build Engines
Nixpacks
Automated app builds
Buildpacks
Cloud-native OCI images
Railpack
Fast, minimal image builds
Dockerfile
Custom environment control
SYSTEM DESIGN
System Design — Data & Behaviour
How Requirements Were Gathered
Personal development experience
Comparative platform analysis
Informal engineer interviews
Open-source codebase review
49 PostgreSQL Tables
across 12 forward-only migrations
End-to-End Workflow
Install Platform
Add Server via SSH
Create Cluster
Connect GitHub
Push Code → Build
Auto Deploy
Live on HTTPS
Monitor & Scale
IMPLEMENTATION
Implementation Highlights
A working, production-grade system.
Build Engines
4 supported builders:
Dockerfile
Nixpacks (auto-detect)
Cloud Native Buildpacks
Railpack
Deployment Strategies
Zero-downtime deploys:
Rolling (health-gated)
Blue-Green (traffic layer)
Canary (weighted splits)
Autoscaling
Automatic scaling on:
CPU threshold
Memory usage
Request rate
Disk usage — with cooldown & bounded replicas
Secret Management
Envelope encryption:
NaCl Secretbox (XSalsa20)
HKDF key derivation
Context-bound (per-team)
Private keys never leave host (WireGuard)
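What per-team context binding buys, as an added Go example that is not Nixway's code: a key derived with HKDF from a master key and a team identifier cannot open another team's ciphertext. It covers only the key-derivation and sealing step; AES-256-GCM from Go's standard library stands in for the NaCl Secretbox named above, and the "team:<id>" info string, the function names and the all-zero master key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// teamAEAD derives a per-team key with HKDF-SHA256 (RFC 5869, empty salt,
// one output block). The "team:<id>" info string is an assumed format, and
// AES-256-GCM stands in for Secretbox to stay within the standard library.
func teamAEAD(master []byte, team string) cipher.AEAD {
	ext := hmac.New(sha256.New, nil) // extract: PRK = HMAC(salt, master)
	ext.Write(master)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // expand: HMAC(PRK, info|0x01)
	exp.Write(append([]byte("team:"+team), 0x01))
	block, _ := aes.NewCipher(exp.Sum(nil)) // 32-byte key, cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal encrypts a secret for one team and prepends the random nonce.
func Seal(master []byte, team string, secret []byte) ([]byte, error) {
	g := teamAEAD(master, team)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, secret, nil), nil
}

// Open authenticates and decrypts. A different team ID derives a different
// key, so the authentication tag check fails and no plaintext is returned.
func Open(master []byte, team string, box []byte) ([]byte, error) {
	g := teamAEAD(master, team)
	if len(box) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil)
}

func main() {
	master := make([]byte, 32) // constructed all-zero key, for the demo only
	box, _ := Seal(master, "team-a", []byte("DB_PASSWORD=example"))
	_, err := Open(master, "team-b", box)
	fmt.Println("team-b opening team-a's secret:", err)
}
```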
Encrypted Mesh
Automatic WireGuard mesh
Full-mesh topology
Private keys generated on-host
Internal DNS resolution
Cross-cluster isolation
Observability
Live log streaming (SSE)
VictoriaMetrics time-series
In-browser terminal (xterm.js)
Real-time deployment timeline
Alert rules + notifications
ROADMAP
Future Work
A realistic roadmap beyond v1.
Automated Performance Benchmarking
Load testing framework · Repeatable benchmarks
v1.1
Template Marketplace Expansion
More one-click templates · Multi-service stacks
v1.2
Additional Build Engines
More language/framework support · Custom builders
v1.3
More Managed Databases
Additional DB engines · Geo-replicated options
v2.0
Multi-Operator Support
Production-grade multi-operator · Enterprise hardening
v2.1
Infrastructure Provisioning
Direct cloud provider APIs · Elastic capacity
v3.0
The platform works today. These extensions make it production-hardened.
CONCLUSION
Conclusion & Contributions
All Objectives — Achieved
What This Project Proves
O1
Centralised Control Plane
O2
Secure Agent-Based Architecture
O3
Automated CI/CD Pipeline
O4
Dynamic Resource Elasticity
S1
Unified Database Management
S2
Encapsulated Networking
S3
One-Click Marketplace
Two developers can build a modern self-hosted PaaS using mature open-source tools.
The platform is competitive with commercial offerings — while preserving full ownership and control.
An academic reference documenting architectural decisions rarely disclosed by commercial providers.
Nixway transforms a Linux server into a modern application platform.
THANK YOU
Questions?
We welcome your questions and discussion.
Tamer Mohamed (211513) · Othman Elhadi (211471)
Supervisor: Eng. Amal Alnuri
College of Electronic Technology — Tripoli · Spring 2026
Backup slides available:
Complete ER Diagram
Security Model
Autoscaling Logic
Database Schema