Self-Hosting implementation checklist

Modify /etc/ssh/sshd_config to set PasswordAuthentication to no and ensure only SSH keys are used for access.

Use UFW or iptables to block all incoming traffic except for ports 80, 443, and your custom SSH port.

Install the unattended-upgrades package and configure it to automatically apply security patches to the base OS.

Deploy Fail2ban with jails for SSH and any exposed web services to automatically ban IPs with multiple failed login attempts.

Verify that all Docker containers and system services are running as non-privileged users rather than root.

Configure Caddy, Traefik, or Nginx with Let's Encrypt to ensure automatic 90-day certificate rotation.

Verify that all port 80 traffic is redirected to port 443 with a 301 Permanent Redirect status code.

Add the Strict-Transport-Security header to all reverse proxy responses to prevent protocol downgrade attacks.

Ensure databases and backend services are on private Docker networks and not mapped to host ports via the 'ports' directive.

Lower DNS TTL to 300 seconds during initial migration to allow for rapid IP failover if the VPS fails.

Replace all ':latest' tags in docker-compose files with specific version numbers or SHA hashes to prevent breaking changes on restart.

Set 'cpus' and 'memory' limits in the compose file for every container to prevent a single service from crashing the host.

Implement the 'healthcheck' instruction in Docker files to allow the orchestrator to restart unresponsive containers.

Set up a cron job or systemd timer to run 'docker system prune' to prevent disk exhaustion from dangling images.

Set the Docker log-driver to 'json-file' with 'max-size' and 'max-file' limits to prevent logs from filling the disk.

Use Rclone, Borg, or Restic to sync volume data to an S3-compatible bucket or secondary server every 24 hours.

Verify that database backups are performed using native tools (e.g., pg_dump) rather than just copying live data files.

Perform a full restore of the application and database to a fresh VPS to verify backup integrity and documentation.

Ensure sensitive data volumes are stored on encrypted partitions (LUKS) if the VPS provider supports it.

Enable provider-level snapshots (e.g., Hetzner/DigitalOcean) as a secondary recovery layer for the entire OS.

Configure an external service like Uptime Kuma or BetterStack to ping the public endpoint and alert on 5xx errors.

Set up a script or agent to send a notification (Slack/Discord/Email) when disk usage exceeds 80%.

Configure log alerts for 'Out of Memory: Kill process' messages in dmesg to identify resource-starved containers.

Deploy a lightweight log aggregator like Dozzle or a Vector/Loki stack to view logs without SSH access.

Verify that your monitoring tool tracks the SSL certificate expiration date independently of the auto-renewal system.

Confirm that the VPS region is physically located within the EU or required jurisdiction for GDPR compliance.

Enable Two-Factor Authentication on all administrative panels (Coolify, Portainer, or application dashboards).

Move administrative tools behind a Wireguard or Tailscale tunnel so they are not reachable via the public internet.

Remove all plaintext passwords from docker-compose files and use .env files with restricted 600 permissions.

Update the application's privacy policy to reflect the specific self-hosted infrastructure and data sub-processors used.