TL;DR Bring me to the documentation.
You want to self-host. Maybe you left Heroku after the pricing changes. Maybe you care about data sovereignty. Maybe you just want a €4/month server instead of a $25/month platform.
Your options:
- PaaS-in-a-box (Coolify, CapRover) — Click buttons, don't look under the hood, accept that what you get is as good as it gets.
- Kubernetes — Spend months learning, over-engineer everything, feel clever.
- Wing it — SSH in, edit some configuration files, run docker-compose up, forget how you set it up, dread the next server.
None of these feel right.
A fourth option: proper infrastructure-as-code, but approachable.
- Terraform provisions your server (Hetzner, cheap and European)
- Ansible configures it (Docker, security hardening, Traefik and more)
- SOPS encrypts your secrets (committed to Git, no need for a secrets manager service)
- docker compose runs your apps (the format you already know)
Everything is code. Everything is versioned. Nothing is magic.
Build your own server and deploy your app by running a few commands.
- Hardened server — SSH keys only, fail2ban intrusion prevention, automatic security updates.
- Deploy your apps — Be in full control of what version is running.
- Private Docker registry — Push your application image from GitHub Actions.
- Traefik reverse proxy — HTTPS with Let's Encrypt, automatic routing via Docker labels.
- OpenObserve — Logs and metrics, no SaaS dependencies.
- Prefect — Schedule tasks and workflows on the server.
- Restic — App backups (local repo and optional Storage Box). See docs/backups.md.
- Secrets in Git — SOPS-encrypted, no need for an external secrets manager.
Work from a DevContainer — All tools like Task, Ansible, Terraform, SOPS and more come pre-installed and configured to work together.
All configuration and encrypted secrets live in your application repository under .iac/.
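Because the secrets are committed to Git, it is worth checking before each commit that a secrets file really is ciphertext. The following is an added example, not code from this project: `audit_sops_yaml` is a hypothetical helper that takes the text of a SOPS-encrypted YAML file, and all sample values are constructed.

```python
import re

# Shape of a value as SOPS writes it into an encrypted YAML file.
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:.*,iv:.*,tag:.*,type:\w+\]$")

def audit_sops_yaml(text):
    """Return (has_metadata, leaks) for one YAML file.

    has_metadata: a top-level `sops:` block with a `mac:` entry exists.
    leaks: (line_number, key) for every scalar that is not SOPS ciphertext.
    Line-based on purpose (no YAML dependency); files that rely on SOPS
    encrypted_regex or unencrypted_suffix would need an allow-list on top.
    """
    leaks, in_sops, has_sops, has_mac = [], False, False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "---":
            continue
        if not raw[0].isspace():      # a top-level key opens or closes the sops block
            in_sops = line.startswith("sops:")
            has_sops = has_sops or in_sops
        if in_sops:                   # SOPS metadata is plaintext by design
            has_mac = has_mac or line.startswith("mac:")
            continue
        if line.startswith("- "):     # list item
            line = line[2:].strip()
        if ENC_VALUE.match(line):     # bare encrypted list entry
            continue
        key, sep, value = line.partition(":")
        if not sep:                   # bare plaintext scalar
            key, value = "", line
        value = value.strip()
        if value and not ENC_VALUE.match(value):
            leaks.append((lineno, key.strip()))
    return has_sops and has_mac, leaks

# Constructed sample data: not real ciphertext, keys, or recipients.
CIPHER = "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]"
SAMPLE_OK = (f"db:\n    password: {CIPHER}\nregistry_token: {CIPHER}\n"
             "sops:\n    age:\n        - recipient: age1constructedexample\n"
             f"    mac: {CIPHER}\n    version: 3.8.1\n")
# The same file after someone pasted a plaintext value in by hand.
SAMPLE_LEAK = SAMPLE_OK.replace(f"registry_token: {CIPHER}",
                                "registry_token: hunter2-constructed")

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("leak", SAMPLE_LEAK)):
        print(name, audit_sops_yaml(doc))
```

A pre-commit hook or CI step can fail the build when `has_metadata` is false or `leaks` is non-empty for any secrets file under `.iac/`.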
- Learners — Understand IaC properly, not through a GUI
- Small teams — Deploy 2-5 apps without a platform team
- Indie hackers — Ship your side project on a €4/month VPS
- Privacy-conscious developers — Your data, your servers, your jurisdiction
- Teams that need auto-scaling (use Kubernetes)
- People who don't want to touch a terminal (use Coolify)
- Enterprises with compliance requirements (hire a platform team)
Teach, don't hide. Every decision is documented. When you outgrow this, you'll understand what you're moving to.
Opinionated defaults. Hetzner. DevContainers. Docker Registry. Traefik. SOPS. OpenObserve. You can change them, but you don't have to decide.
Single server, done well. Many projects don't need a cluster. They need one reliable server, properly configured.
One place to work. Open the workspace, Reopen in Container, all tooling and services are wired to work together, ready when you are.