Recruiter-friendly · Cost-controlled

Recruiter clicks. VM lives.
Receipt mailed.

Recruiters open your portfolio link. The demo VM is asleep, was deleted, or costs forty dollars a month to keep alive forever. Pick one. This orchestrator picks none. A click spins up a GCP spot VM, the recruiter's name and email become the audit trail, the VM dies in two hours. Total cost: under a dollar a month.

1 click to live VM
3/h · Global VM cap (anti-abuse)
1 · Active VM at a time, max
~2h · Spot lifetime, then auto-destroy
<$1 · Per month, all-in

Act I · The Problem

"My demo is live" is a lie most engineers tell.

The portfolio link works. The demo behind it does not. The VM is asleep, expired, deleted, or costs more than it earns. Recruiters click once, see a 502, never come back. Most engineers respond either by abandoning live demos or by paying forty dollars a month to keep one running. There is a third option.

Sleeping VMs are still expensive.

An idle e2-medium that you "forgot about" is still billable. Multiply by every project. Most portfolios go silent because the wallet caught up.

Public credentials are not safe.

Many demo portals ask the recruiter to log in. Either they bounce, or you handed out credentials to strangers.

Bots will find you.

An open "click to deploy" endpoint is a coin-mining invitation. Without rate limits, captcha and one-VM-at-a-time, the cloud bill arrives in a week.

"How did this get spun up" is not optional.

Without an audit trail of who triggered which VM, you cannot review abuse, cannot answer questions, cannot improve the funnel.

Act II · The Sequence

Click to live, in about ninety seconds.

A recruiter visits your projects page. Picks a project. Types a name and email. The orchestrator validates them, runs through every safety rail, then provisions and boots. The page polls until the VM is healthy, then redirects. Honest, observable, auditable.

00:00

Recruiter submits the form.

Name and email only. No password. reCAPTCHA Enterprise (invisible, score-based) runs in the background.

00:01

reCAPTCHA score and rate limit checked.

Score below threshold? Rejected. Above 3 VMs in the last hour globally? Waitlisted. Above 5 requests per minute per IP? Rejected.

00:02

Existing VM, if any, is killed.

One-VM-at-a-time policy. The new request kills the previous instance before spinning a fresh one. No cost overlap, no two-of-a-kind.

00:05

GCP spot VM is created.

e2-class spot instance, US region. Lower price, suitable for short-lived demos. Cloud-init runs the project's autoconfig.sh from the target repo.

00:55

Boot complete, app starts.

Cloud-init finishes, the project's start command runs, the configured port begins accepting traffic.

01:30

Health check passes, recruiter is redirected.

The page that submitted the form has been polling the orchestrator. It sees the green light, redirects to the live URL. Audit row written.

02:00:00

Auto-destroy fires.

The VM is reaped. The audit row gets a closed-at timestamp. Total wall time of one live demo: two hours. Total spot cost: about a cent and a half.

Act III · The Safety Rails

Six layers between the click and your wallet.

Layer 01 · Validation

reCAPTCHA Enterprise

Invisible, score-based (0.0 - 1.0). Below threshold = silently rejected. No checkbox, no friction for humans.

Layer 02 · Identity

Name and email audit

Every spin-up logs name, email, IP and (if provided) company. Closed loop. No anonymous deploys.

Layer 03 · Rate limit

3 VMs / hour global · 5 req / min per IP

Global cap protects the wallet. Per-IP cap protects the orchestrator. Both stored in deployment_log.json.

Layer 04 · Concurrency

One active VM, total

New request kills the previous VM before booting. There can be at most one demo VM alive at any moment.

Layer 05 · Network

Cloudflare Flexible SSL

Cloudflare proxies HTTPS, hides the orchestrator's real IP. Cloudflare DNS, free plan. The VM never sees the open internet directly.

Layer 06 · Host

UFW, Fail2Ban, non-root

Standard hardening on the e2-micro orchestrator itself. Application runs as a service user. Systemd-managed. Restartable.
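
The admission checks from Act II (00:01) and layers 01 to 03 above, sketched as an added example; this is not code from the project's repository. The 0.5 score threshold, the check order, the decision labels and the `AdmissionGate` name are assumptions; the caps and audit fields are the ones this page lists.

```python
import time
from collections import deque

SCORE_THRESHOLD = 0.5               # assumed: the page gives no threshold value
GLOBAL_CAP, GLOBAL_SPAN = 3, 3600   # 3 VMs per hour, all callers (from the page)
IP_CAP, IP_SPAN = 5, 60             # 5 requests per minute per IP (from the page)

def _live(window, now, span):
    """Drop timestamps older than `span` seconds and return how many remain."""
    while window and now - window[0] >= span:
        window.popleft()
    return len(window)

class AdmissionGate:
    def __init__(self):
        self.vm_starts = deque()   # times of approved spin-ups (global budget)
        self.ip_hits = {}          # ip -> deque of request times
        self.audit = []            # stand-in for rows in deployment_log.json

    def decide(self, project, name, email, ip, score, now=None):
        now = time.time() if now is None else now
        hits = self.ip_hits.setdefault(ip, deque())
        hits.append(now)           # every request counts, rejected ones too
        if _live(hits, now, IP_SPAN) > IP_CAP:
            decision = "rejected_ip_rate"
        elif not name.strip() or "@" not in email:
            decision = "rejected_identity"
        elif score < SCORE_THRESHOLD:
            decision = "rejected_score"
        elif _live(self.vm_starts, now, GLOBAL_SPAN) >= GLOBAL_CAP:
            decision = "waitlisted"
        else:
            # Only an approval spends global budget, so rejected bot traffic
            # cannot exhaust the 3-per-hour cap for real visitors.
            self.vm_starts.append(now)
            decision = "approved"
        self.audit.append({"timestamp": now, "project": project, "name": name,
                           "email": email, "ip": ip, "score": score,
                           "decision": decision})
        return decision

if __name__ == "__main__":
    gate = AdmissionGate()   # constructed traffic: bot flood, then 4 visitors
    for t in range(7):
        print(gate.decide("demo", "bot", "b@example.com", "203.0.113.9", 0.1, t))
    for i in range(4):
        print(gate.decide("demo", "Ada", "ada@example.com",
                          f"198.51.100.{i}", 0.9, 100 + i))
```

Every request produces an audit row, including rejections, so abuse attempts show up in the log as well as successful spin-ups.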

Act IV · The Bill

Recruiter-friendly. Wallet-friendly.

The orchestrator runs forever, free, on a GCP always-free e2-micro. Spot VMs run only when requested, and only for two hours. Cloudflare is free. The total cost of running this for a portfolio with five demos a day is under a dollar a month.

<$1 per month, total

Orchestrator VM (e2-micro): FREE
Spot VM, only when requested (~2h): ~$0.007 / hr
Bandwidth (within free tier): FREE
Cloudflare DNS / SSL (free plan): FREE
Total · ~5 demos / day: < $1.00 / mo

Act V · The Stack

What is inside.

  • Python 3.8+
  • Flask / Gunicorn
  • nginx
  • systemd
  • GCP Compute Engine (e2-micro free tier)
  • GCP Spot VMs
  • reCAPTCHA Enterprise
  • Cloudflare DNS / Flexible SSL
  • UFW + Fail2Ban
  • cloud-init
  • Bash autoconfig.sh

Act VI · Proof

One bash. Production hardened.

autoconfig.sh · one command install

sudo ./autoconfig.sh creates a 4GB swap, installs Python, nginx, gunicorn, configures the systemd service, sets up the security hardening, and wires Cloudflare-friendly headers.

Adding a project · one dictionary entry

Add a project by appending to the PROJECTS dictionary. Name, description, GitHub URL, autoconfig script, port, env vars. Done. The project shows on the demos page.

Audit log · deployment_log.json

Every deploy: timestamp, project, recruiter name, recruiter email, recruiter IP, score, decision. Greppable. Backup-friendly. The whole history of every demo a recruiter ever launched.

Source · divyamohan1993/on-demand-project-deployment

Public source. README walks through GCP setup, reCAPTCHA setup, Cloudflare setup, troubleshooting (the redirect-loop trap and the credentials trap, both real).

Want a portfolio that actually demos, without paying for it forever?

I build cost-aware deployment orchestrators that respect both the cloud bill and the recruiter's time. No spinners. No sleeping VMs. No coin-miners.