The latest articles on Forem by anitaalicloud (@anitaalicloud). https://forem.com/anitaalicloud https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3901516%2F3aeb27ec-d326-4295-bcd7-bc103e1aa263.png https://forem.com/anitaalicloud en anitaalicloud Wed, 06 May 2026 19:28:10 +0000 https://forem.com/anitaalicloud/how-i-built-swiftdeploy-a-tool-that-writes-its-own-infrastructure-dma https://forem.com/anitaalicloud/how-i-built-swiftdeploy-a-tool-that-writes-its-own-infrastructure-dma <p><em>A deep dive into declarative deployments, OPA policy gates, and chaos engineering from Stage 4A to 4B</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdlgs2pjh8kydui19g0ku.jpeg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdlgs2pjh8kydui19g0ku.jpeg" alt=" " width="800" height="533"></a></p> <h2> Introduction </h2> <p>Most DevOps tasks ask you to configure infrastructure manually. This one asked me to build the tool that does it for me.</p> <p>The result is <strong>SwiftDeploy</strong> which is a CLI tool that reads a single <code>manifest.yaml</code> file and generates your entire deployment stack from it. Nginx configs, Docker Compose files, policy checks, live metrics dashboards are all derived from one source of truth.</p> <p>This post covers the full journey: the design decisions, the guardrails, the chaos, and the lessons learned.</p> <h2> The Architecture </h2> <p>Here is how all the pieces connect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────────┐ │ manifest.yaml │ │ (single source of truth) │ └──────────────────────┬──────────────────────────────┘ │ ▼ ./swiftdeploy init │ ┌────────────┴────────────┐ ▼ ▼ nginx.conf docker-compose.yml (generated) (generated) │ │ ▼ ▼ ┌─────────────────────────────────────────────────────┐ │ Docker Stack │ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ Nginx │───▶│ App │ │ OPA │ │ │ │ :8080 │ │ :3000 │ │ :8181 │ │ │ └──────────┘ └──────────┘ └──────────┘ │ │ (public) (internal) (internal) │ └─────────────────────────────────────────────────────┘ │ ▲ ▼ │ curl :8080 CLI queries OPA (your browser) before deploy/promote </code></pre> </div> <p>The key insight: <strong>you only ever touch <code>manifest.yaml</code></strong>. The tool handles everything else.</p> <h2> Part 1 — The Design: A Tool That Writes Its Own Files </h2> <h3> The Problem with Handwritten Config </h3> <p>When you write <code>nginx.conf</code> and <code>docker-compose.yml</code> by hand, you introduce drift. Change a port in one place and forget to update it in another. After a few weeks, nobody knows which file is the source of truth.</p> <p>SwiftDeploy solves this with a three-layer system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>manifest.yaml → templates/*.tmpl → generated files (VALUES) (STRUCTURE) (VALUES + STRUCTURE) </code></pre> </div> <p>The <code>manifest.yaml</code> holds all the values — ports, image names, modes, timeouts. The templates hold the structure — how nginx.conf and docker-compose.yml should look. The CLI combines them at runtime.</p> <h3> How <code>swiftdeploy init</code> Works </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Read manifest into a Python dict </span><span class="n">m</span> <span class="o">=</span> <span class="n">yaml</span><span class="p">.</span><span class="nf">safe_load</span><span class="p">(</span><span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">manifest.yaml</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># Build a replacements map </span><span class="n">replacements</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">{{NGINX_PORT}}</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">m</span><span class="p">[</span><span class="sh">"</span><span class="s">nginx</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">port</span><span class="sh">"</span><span class="p">]),</span> <span class="sh">"</span><span class="s">{{SERVICE_PORT}}</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">m</span><span class="p">[</span><span class="sh">"</span><span class="s">services</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">port</span><span class="sh">"</span><span class="p">]),</span> <span class="c1"># ... etc </span><span class="p">}</span> <span class="c1"># Read template, replace placeholders, write output </span><span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">templates/nginx.conf.tmpl</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">content</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">for</span> <span class="n">placeholder</span><span class="p">,</span> <span class="n">value</span> <span class="ow">in</span> <span class="n">replacements</span><span class="p">.</span><span class="nf">items</span><span class="p">():</span> <span class="n">content</span> <span class="o">=</span> <span class="n">content</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="n">placeholder</span><span class="p">,</span> <span class="n">value</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">"</span><span class="s">nginx.conf</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">w</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">content</span><span class="p">)</span> </code></pre> </div> <p>Simple string replacement. No Jinja2, no templating engine — just Python's built-in <code>str.replace()</code>. The grader can delete <code>nginx.conf</code> and <code>docker-compose.yml</code>, run <code>./swiftdeploy init</code>, and they regenerate perfectly every time.</p> <h3> The API Service </h3> <p>The API is a Python HTTP server using only the standard library — no Flask, no FastAPI. This keeps the Docker image under 60MB (well under the 300MB limit).</p> <p>It runs in two modes controlled by a <code>MODE</code> environment variable injected by Docker Compose:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>stable mode → normal behaviour canary mode → adds X-Mode: canary header + activates /chaos endpoint </code></pre> </div> <p>The same image runs both modes. The only difference is the environment variable.</p> <h3> The Nginx Reverse Proxy </h3> <p>Nginx sits in front of the app and adds:</p> <ul> <li> <code>X-Deployed-By: swiftdeploy</code> header on every response</li> <li>JSON error bodies on 502/503/504 (instead of ugly HTML)</li> <li>Structured access logs in the required format</li> <li>Forwards <code>X-Mode</code> header from the upstream app</li> </ul> <p>Critically, <strong>the app port is never exposed directly</strong>. Only Nginx's port is mapped to the host. All traffic must flow through it.</p> <h2> Part 2 — The Guardrails: OPA Policy Enforcement </h2> <h3> Why OPA? </h3> <p>The task required that the CLI never make allow/deny decisions itself. All logic must live in OPA (Open Policy Agent).</p> <p>This matters because it separates concerns cleanly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>CLI → collects data, calls OPA, surfaces the result OPA → owns all decision logic, never called by the app </code></pre> </div> <p>If you want to change a policy, you edit a <code>.rego</code> file. You never touch the CLI. If you want to change a threshold, you edit <code>data.json</code>. You never touch the Rego files.</p> <h3> Policy Structure </h3> <p>Each policy domain owns exactly one question:</p> <p><strong>Infrastructure policy</strong> — <em>Is the host healthy enough to deploy?</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">infrastructure</span> <span class="ow">import</span> <span class="n">rego</span><span class="p">.</span><span class="n">v1</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">count</span><span class="p">(</span><span class="n">violations</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">}</span> <span class="n">violations</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span> <span class="o">&lt;</span> <span class="n">data</span><span class="p">.</span><span class="n">infrastructure</span><span class="p">.</span><span class="n">min_disk_free_gb</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"Disk free (%.1fGB) is below minimum threshold (%.1fGB)"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">disk_free_gb</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">infrastructure</span><span class="p">.</span><span class="n">min_disk_free_gb</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> <span class="n">violations</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">cpu_load</span> <span class="o">&gt;</span> <span class="n">data</span><span class="p">.</span><span class="n">infrastructure</span><span class="p">.</span><span class="n">max_cpu_load</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"CPU load (%.2f) exceeds maximum threshold (%.2f)"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">cpu_load</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">infrastructure</span><span class="p">.</span><span class="n">max_cpu_load</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Canary safety policy</strong> — <em>Is the canary healthy enough to promote?</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">canary</span> <span class="ow">import</span> <span class="n">rego</span><span class="p">.</span><span class="n">v1</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">count</span><span class="p">(</span><span class="n">violations</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">}</span> <span class="n">violations</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">error_rate</span> <span class="o">&gt;</span> <span class="n">data</span><span class="p">.</span><span class="n">canary</span><span class="p">.</span><span class="n">max_error_rate</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"Error rate (%.2f%%) exceeds maximum threshold (%.2f%%)"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">error_rate</span> <span class="o">*</span> <span class="m">100</span><span class="p">,</span> <span class="n">data</span><span class="p">.</span><span class="n">canary</span><span class="p">.</span><span class="n">max_error_rate</span> <span class="o">*</span> <span class="m">100</span><span class="p">]</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Threshold values live in <code>data.json</code> — never hardcoded in Rego:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"infrastructure"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"min_disk_free_gb"</span><span class="p">:</span><span class="w"> </span><span class="mf">10.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_cpu_load"</span><span class="p">:</span><span class="w"> </span><span class="mf">16.0</span><span class="p">,</span><span class="w"> </span><span class="nl">"min_mem_free_percent"</span><span class="p">:</span><span class="w"> </span><span class="mf">10.0</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"canary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"max_error_rate"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.01</span><span class="p">,</span><span class="w"> </span><span class="nl">"max_p99_latency_ms"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> The Hard Gate in Action </h3> <p>When the CPU load exceeded the threshold, <code>swiftdeploy deploy</code> was blocked:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[deploy] Running OPA pre-deploy policy checks... Host stats: disk=80.08GB free, cpu_load=12.88, mem_free=50.0% [policy] Checking Infrastructure... [BLOCK] Infrastructure policy FAILED: x CPU load (12.88) exceeds maximum threshold (2.00) [deploy] BLOCKED by policy. Fix violations above before deploying. </span></code></pre> </div> <p>The deploy never started. The CLI surfaced the exact violation reason from OPA — no guessing required.</p> <h3> OPA Isolation </h3> <p>OPA is intentionally isolated from public Nginx ingress. It runs on port 8181 inside the Docker network. It is NOT behind Nginx, and its port is only accessible to the CLI running on the host. A user hitting <code>localhost:8080</code> cannot reach OPA.</p> <h3> Failure Handling </h3> <p>The CLI handles every distinct OPA failure mode differently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">except</span> <span class="n">urllib</span><span class="p">.</span><span class="n">error</span><span class="p">.</span><span class="n">URLError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="c1"># OPA unreachable — warn but don't crash </span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">violations</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">OPA unreachable: </span><span class="si">{</span><span class="n">e</span><span class="p">.</span><span class="n">reason</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> <span class="k">except</span> <span class="n">json</span><span class="p">.</span><span class="n">JSONDecodeError</span><span class="p">:</span> <span class="c1"># OPA returned garbage — different message </span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">violations</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">OPA returned invalid JSON</span><span class="sh">"</span><span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="c1"># Catch-all — still doesn't crash </span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">allowed</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">,</span> <span class="sh">"</span><span class="s">violations</span><span class="sh">"</span><span class="p">:</span> <span class="p">[],</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Unexpected OPA error: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <p>The CLI never crashes or hangs when OPA is unavailable. It warns the operator and continues.</p> <h2> Part 3 — The Chaos: Breaking Things on Purpose </h2> <h3> The /metrics Endpoint </h3> <p>The API exposes a <code>/metrics</code> endpoint in Prometheus text format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight prometheus"><code><span class="c"># HELP http_requests_total Total HTTP requests</span> <span class="c"># TYPE http_requests_total counter</span> <span class="n">http_requests_total</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">status_code</span><span class="o">=</span><span class="s2">"200"</span><span class="p">}</span> <span class="mi">42</span> <span class="c"># HELP http_request_duration_seconds Request latency</span> <span class="c"># TYPE http_request_duration_seconds histogram</span> <span class="n">http_request_duration_seconds_bucket</span><span class="p">{</span><span class="na">method</span><span class="o">=</span><span class="s2">"GET"</span><span class="p">,</span><span class="na">path</span><span class="o">=</span><span class="s2">"/"</span><span class="p">,</span><span class="na">le</span><span class="o">=</span><span class="s2">"0.005"</span><span class="p">}</span> <span class="mi">38</span> <span class="c"># HELP app_mode Current deployment mode (0=stable, 1=canary)</span> <span class="c"># TYPE app_mode gauge</span> <span class="n">app_mode</span> <span class="mi">1</span> <span class="c"># HELP chaos_active Current chaos state (0=none, 1=slow, 2=error)</span> <span class="c"># TYPE chaos_active gauge</span> <span class="n">chaos_active</span> <span class="mi">0</span> </code></pre> </div> <p>No third-party libraries — pure Python calculating histogram buckets manually.</p> <h3> Injecting Chaos </h3> <p>After promoting to canary mode, chaos was injected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Slow mode — every request sleeps 3 seconds</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "slow", "duration": 3}'</span> <span class="c"># Error mode — 50% of requests return HTTP 500</span> curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "error", "rate": 0.5}'</span> </code></pre> </div> <h3> The Status Dashboard Capturing the Failure </h3> <p>With error mode active at 50%, the status dashboard showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>======================================================= SwiftDeploy Status Dashboard 2026-05-06T14:18:43Z ======================================================= Mode: CANARY Uptime: 892s Req/s: 2.40 P99 Latency: 250ms Error Rate: 48.20% Policy Compliance: + Infrastructure: PASSING x Canary Safety: FAILING -&gt; Error rate (48.20%) exceeds maximum threshold (1.00%) </code></pre> </div> <p>The canary safety policy immediately flagged the failure. Attempting to promote to stable at this point would have been blocked by OPA.</p> <h3> Recovery </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode": "recover"}'</span> </code></pre> </div> <p>Within one scrape cycle the dashboard showed error rate back to 0% and canary safety back to PASSING.</p> <h2> Part 4 — The Audit Trail </h2> <p>Every significant event is written to <code>history.jsonl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"event"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deploy_success"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-06T13:53:39Z"</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="nl">"event"</span><span class="p">:</span><span class="w"> </span><span class="s2">"promote_success"</span><span class="p">,</span><span class="w"> </span><span class="nl">"target"</span><span class="p">:</span><span class="w"> </span><span class="s2">"canary"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-06T14:01:22Z"</span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="nl">"event"</span><span class="p">:</span><span class="w"> </span><span class="s2">"status_scrape"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"canary"</span><span class="p">,</span><span class="w"> </span><span class="nl">"error_rate"</span><span class="p">:</span><span class="w"> </span><span class="mf">0.482</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-06T14:18:43Z"</span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Running <code>./swiftdeploy audit</code> parses this file and generates a clean Markdown report:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## Timeline</span> | Timestamp | Event | Details | |---|---|---| | 2026-05-06T13:53:39Z | Deploy | Stack deployed successfully | | 2026-05-06T14:01:22Z | Promote | Mode switched to canary | <span class="gu">## Policy Violations</span> | Timestamp | Policy | Reason | |---|---|---| | 2026-05-06T14:18:43Z | Canary Safety | error_rate=48.20%, p99=250ms | </code></pre> </div> <h2> Lessons Learned </h2> <p><strong>1. Single source of truth is worth the extra complexity</strong><br> It felt like overkill to build a template engine just to generate two config files. But when the grader deletes your generated files and reruns <code>init</code>, you're grateful every value comes from one place.</p> <p><strong>2. OPA's syntax changes between versions</strong><br> The latest OPA image requires <code>import rego.v1</code> and the <code>if</code>/<code>contains</code> keywords. Older Rego syntax silently fails to load. Always check your OPA container logs first.</p> <p><strong>3. Start OPA before running policy checks</strong><br> OPA is part of the stack, so it doesn't exist before <code>docker compose up</code>. The fix was to start OPA first as a separate step, wait 3 seconds for it to load policies, then run the pre-deploy check.</p> <p><strong>4. Chaos engineering reveals what metrics matter</strong><br> Before injecting chaos, the <code>/metrics</code> endpoint felt like box-ticking. After watching the error rate spike to 48% in real time on the status dashboard while OPA simultaneously flagged the canary safety policy — the value became obvious.</p> <p><strong>5. Policy as code beats policy as documentation</strong><br> A README saying "don't deploy if CPU load is above 2.0" gets ignored. A Rego file that blocks the deploy enforces it automatically.</p> <h2> The Full Subcommand Reference </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./swiftdeploy init <span class="c"># generate nginx.conf + docker-compose.yml</span> ./swiftdeploy validate <span class="c"># 5 pre-flight checks</span> ./swiftdeploy deploy <span class="c"># OPA check + start stack + health wait</span> ./swiftdeploy promote canary <span class="c"># switch to canary mode</span> ./swiftdeploy promote stable <span class="c"># switch back to stable</span> ./swiftdeploy status <span class="c"># live metrics + policy compliance dashboard</span> ./swiftdeploy audit <span class="c"># generate audit_report.md</span> ./swiftdeploy teardown <span class="c"># stop all containers</span> ./swiftdeploy teardown <span class="nt">--clean</span> <span class="c"># stop + delete generated files</span> </code></pre> </div> <h2> Source Code </h2> <p>The full project is available on GitHub: <a href="https://github.com/AnitaAliCloud/hng4-devops" rel="noopener noreferrer">https://github.com/AnitaAliCloud/hng4-devops</a></p> <p><em>Built as part of the HNG DevOps Track — Stage 4A and 4B</em></p> automation devops showdev tooling anitaalicloud Tue, 28 Apr 2026 03:56:36 +0000 https://forem.com/anitaalicloud/how-i-built-an-anomaly-detection-engine-for-ddos-protection-1ibg https://forem.com/anitaalicloud/how-i-built-an-anomaly-detection-engine-for-ddos-protection-1ibg <p>Introduction<br> Imagine you run a busy website. On a normal day, about 50 people visit per second. Then suddenly, 5,000 requests flood in every second from a single IP address. Your server crashes. Your real users can't access anything. This is a DDoS (Distributed Denial of Service) attack.<br> In this post, I'll explain how I built a tool that watches incoming traffic in real time, learns what "normal" looks like, and automatically blocks attackers before they can cause damage.</p> <p>What Does the Tool Do?<br> My anomaly detection engine does 6 things automatically:</p> <p>Watches every HTTP request coming into the server<br> Learns what normal traffic looks like over time<br> Detects when traffic becomes abnormal<br> Blocks the attacker using the Linux firewall<br> Alerts me on Slack within 10 seconds<br> Unbans the IP automatically after a timeout</p> <p>The Architecture<br> Internet Traffic<br> ↓<br> Nginx (logs every request as JSON)<br> ↓<br> Nextcloud (the actual app)</p> <p>Detector Daemon reads Nginx logs<br> ↓<br> Sliding Window → tracks request rates<br> Rolling Baseline → learns normal traffic<br> Z-score Detection → spots anomalies<br> iptables → blocks attackers<br> Slack → sends alerts<br> Dashboard → shows live metrics</p> <p>Part 1 — How the Sliding Window Works<br> Think of the sliding window like a 60 second camera 🎥<br> Every request that comes in gets a timestamp. We store these timestamps in a Python deque (double-ended queue) — one for each IP address and one for global traffic.</p> <p>from collections import deque<br> import time</p> <h1> One deque per IP </h1> <p>ip_windows = {}</p> <p>def record_request(ip):<br> now = time.time()</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>if ip not in ip_windows: ip_windows[ip] = deque() # Add this request ip_windows[ip].append(now) # Remove requests older than 60 seconds from the LEFT cutoff = now - 60 while ip_windows[ip] and ip_windows[ip][0] &lt; cutoff: ip_windows[ip].popleft() # Current rate = how many requests in last 60 seconds current_rate = len(ip_windows[ip]) / 60 return current_rate </code></pre> </div> <p>from collections import deque<br> import time</p> <h1> One deque per IP </h1> <p>ip_windows = {}</p> <p>def record_request(ip):<br> now = time.time()</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>if ip not in ip_windows: ip_windows[ip] = deque() # Add this request ip_windows[ip].append(now) # Remove requests older than 60 seconds from the LEFT cutoff = now - 60 while ip_windows[ip] and ip_windows[ip][0] &lt; cutoff: ip_windows[ip].popleft() # Current rate = how many requests in last 60 seconds current_rate = len(ip_windows[ip]) / 60 return current_rate </code></pre> </div> <p>The magic is the eviction — old timestamps get removed from the left side of the deque automatically. So the deque always contains only the last 60 seconds of requests. The current rate is simply the length of the deque divided by 60.</p> <p>Part 2 — How the Baseline Learns from Traffic<br> The baseline answers one question: "What is normal?"<br> We can't hardcode this because every website is different. A news site might normally get 1000 req/s. A small blog might get 2 req/s. So we let the system learn.<br> Every second we record how many requests came in. Every 60 seconds we look at the last 30 minutes of data and calculate:</p> <p>import math</p> <p>def recalculate_baseline(per_second_counts):<br> # Calculate average requests per second<br> mean = sum(per_second_counts) / len(per_second_counts)</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Calculate how much it normally varies variance = sum((x - mean) ** 2 for x in per_second_counts) / len(per_second_counts) stddev = math.sqrt(variance) # Apply floors to prevent false alarms on quiet traffic effective_mean = max(mean, 1.0) effective_stddev = max(stddev, 1.0) return effective_mean, effective_stddev </code></pre> </div> <p>We also maintain per-hour slots — the system prefers the current hour's data when it has enough samples. This means the baseline adapts to time-of-day patterns. Rush hour traffic looks different from 3 AM traffic!</p> <p>Part 3 — How the Detection Logic Makes a Decision<br> Once we have the baseline we use a Z-score to decide if current traffic is anomalous.<br> The Z-score answers: "How many standard deviations away from normal is this?"</p> <p>def is_anomalous(current_rate, mean, stddev):<br> # Z-score calculation<br> z_score = (current_rate - mean) / stddev</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Rate multiplier rate_multiplier = current_rate / mean # Flag as anomalous if EITHER condition fires if z_score &gt; 3.0: return True, "z-score exceeded 3.0" if rate_multiplier &gt; 5.0: return True, "rate exceeded 5x baseline" return False, None </code></pre> </div> <p>Example:</p> <p>Normal traffic: 50 req/s (mean=50, stddev=10)<br> Attack traffic: 5000 req/s from one IP<br> Z-score = (5000 - 50) / 10 = 495<br> 495 &gt; 3.0 → ANOMALY DETECTED! 🚨</p> <p>We also detect error surges — if an IP is getting lots of 404/500 errors it might be scanning for vulnerabilities. In that case we tighten the thresholds automatically.</p> <p>Part 4 — How iptables Blocks an IP<br> iptables is Linux's built-in firewall. It runs in the kernel and can drop packets before they even reach your application.<br> When we detect an attack:</p> <p>import subprocess</p> <p>def ban_ip(ip):<br> # Add a DROP rule — silently discard all packets from this IP<br> subprocess.run([<br> "iptables", "-A", "INPUT", <br> "-s", ip, <br> "-j", "DROP"<br> ])<br> print(f"Banned {ip}")</p> <p>def unban_ip(ip):<br> # Remove the DROP rule<br> subprocess.run([<br> "iptables", "-D", "INPUT",<br> "-s", ip,<br> "-j", "DROP"<br><br> ])<br> print(f"Unbanned {ip}")<br> The -j DROP means "jump to DROP action" — the packet is silently discarded. The attacker doesn't even get an error message back. From their perspective the server just stopped responding.<br> Bans lift automatically on a backoff schedule:</p> <p>1st offence → 10 minutes<br> 2nd offence → 30 minutes<br> 3rd offence → 2 hours<br> 4th+ → permanent</p> <p>Part 5 — The Live Dashboard<br> The dashboard is a simple web page that refreshes every 3 seconds showing:</p> <p>Global requests per second<br> Currently banned IPs<br> Top 10 source IPs<br> CPU and memory usage<br> Current baseline mean and stddev<br> System uptime</p> <p>It's built using Python's built-in http.server — no web framework needed!</p> <p>Part 6 — Slack Alerts<br> When an IP gets banned, a Slack message arrives within 10 seconds:<br> 🚨 IP BANNED<br> IP: 192.168.1.100<br> Condition: Anomalous request rate<br> Current Rate: 450.00 req/s<br> Baseline: 12.00 req/s<br> Ban Duration: 10 minutes<br> Timestamp: 2026-04-28 03:22:36 UTC<br> And when the ban expires:<br> ✅ IP UNBANNED<br> IP: 192.168.1.100<br> Reason: ban-expired<br> Timestamp: 2026-04-28 03:32:36 UTC</p> <p>What I Learned<br> Building this project taught me:</p> <p>Z-scores are powerful — a simple maths formula can detect attacks that would be impossible to catch with hardcoded thresholds<br> Baselines must be dynamic — hardcoding "block if &gt; 100 req/s" is wrong because normal traffic varies by time of day<br> iptables is incredibly fast — kernel-level packet dropping happens before the request even reaches Python<br> Threading needs care — shared data structures need locks to prevent race conditions<br> Deques are perfect for sliding windows — O(1) append and popleft make them ideal for real-time rate tracking</p> <p>Try It Yourself<br> The full source code is available at:<br> <a href="https://github.com/AnitaAliCloud/hng-stage3-devops" rel="noopener noreferrer">https://github.com/AnitaAliCloud/hng-stage3-devops</a><br> The live dashboard is running at:<br> <a href="http://anitacloud.duckdns.org:8080" rel="noopener noreferrer">http://anitacloud.duckdns.org:8080</a></p> <p>Built as part of the HNG14 DevOps internship programme </p> monitoring networking security showdev