Platform Engineer — Postgres / NixOS / Security
Posted on May 22, 2026
Remote · EU & nearby (UA, Balkans, UK, CH) · Full-time · €65–75k
Who we are
We are therapy-lift, a German-market healthcare platform for psychotherapists handling encrypted patient–therapist messaging, video consultations, appointments, billing, and clinical documentation. The platform is end-to-end encrypted; sensitive data is encrypted on the client before it reaches our backend. Everything is self-hosted, including an AI scribe running on our own Hetzner GPU using open-source models only. No third‑party LLM providers or analytics SaaS are used.
Tech stack
Key technologies and systems in use:
- Flutter multi-platform app (iOS/Android/Web/Windows/macOS/Linux) with Drift for offline-first local sync
- Self-hosted Supabase on NixOS (Postgres + PostgREST + GoTrue + Realtime + Storage) via docker-compose
- Node/TypeScript backend for integrations; selective porting to Rust possible
- NixOS on Hetzner (fleet of ~20 production hosts), declarative management and custom automation
- SOPS + Age for two-layer secret encryption; WireGuard for monitoring overlay
- LiveKit for E2EE-capable WebRTC video; daily nixos-unstable rollouts with auto-reboot
The role
You will be the third engineer owning the platform layer end-to-end: database, infrastructure, deployment, and security posture. You'll work closely with the founder and a senior Flutter/fullstack engineer and have real authority over production operations.
In the first 6 months you will:
- Own the self-hosted Supabase + Postgres stack: schema & index design, query optimization, autovacuum and partitioning, streaming replication, PITR backups and restore drills, and operate surrounding Supabase services in production
- Raise the infrastructure-as-code bar on the Hetzner/NixOS fleet; extend deploy and secrets-rotation tooling and introduce Terraform/OpenTofu where appropriate
- Evolve the secrets approach beyond SOPS+Age to include service-side dynamic secrets (Vault, OpenBao, agenix/sops-nix patterns) as needed for certification controls
- Take on backend work in the Node/TypeScript service and collaborate on potential Rust ports
- Strengthen security posture: threat modeling, audit logging, intrusion detection, and certification-ready artifacts
- Occasionally make small changes to the Flutter app when backend changes cross the wire
Who you are
Required and desired qualities:
- Deep, concrete experience designing and operating Postgres in production (EXPLAIN ANALYZE, pg_stat_statements, autovacuum tuning, partitioning, replication, PITR, long-running migrations)
- Experience running self-hosted Supabase in production is a strong bonus
- Comfortable with NixOS (flakes, modules, nixos-rebuild, deploy-rs, colmena or similar)
- Experience operating docker-compose-based service stacks in production
- Experience automating cloud infrastructure declaratively (Terraform, OpenTofu, Pulumi, or Nix-based equivalents)
- Experience with secrets managers in production (Vault, sops-nix, agenix, Doppler, etc.)
- Systems-engineering mindset, security-first instinct, interest in Rust, ability to read and edit Flutter/Dart, and strong asynchronous communication and documentation skills
Nice to have
German (any level), production Rust experience, regulated-industry or healthcare experience (DSGVO, HIPAA, ISO 27001, BSI Grundschutz), LiveKit/WebRTC operational experience, Kubernetes operational experience, open-source contributions in Nix or Rust.
What we offer
€65–75k/year (depending on experience and location), virtual share programme (discussable), fully remote within EU & nearby with direct employment in Germany or contractor/EOR for other locations, CET ±3h overlap, hardware and conference budget, 28 days vacation, and mission-focused early-stage ownership.
How to apply
Email [email protected] with the requested materials. First reply within 5 working days.
Application materials
Please include:
- A short note (5–10 sentences) on why this role fits — include one Postgres operational problem you've actually solved
- One improvement you proposed to your team in the last 6 months that nobody asked you to think about — describe what you noticed, what you suggested, and what happened
- Links: GitHub, blog, NixOS configs, or other relevant links
- Your NixOS setup in one sentence