Guides

Building Self-hosted application directories with Docker...

This guide provides a structured approach to setting up a self-hosted environment using Docker, Traefik and a VPS, focusing on security and automation and on keeping application data on infrastructure you control, which is the practical basis for meeting European data sovereignty requirements (choose the provider and region accordingly).

2-3 hours, 5 steps
1

Configure VPS firewall and OS hardening

Before touching SSH, create a non-root user with sudo rights and confirm that it can log in with an SSH key from a second terminal; keep that session open while you change sshd_config. Then set UFW to deny inbound traffic by default and allow only SSH, HTTP and HTTPS: applications behind Traefik need no host ports of their own. Update the system packages, disable root and password login, check the configuration with `sshd -t` and restart the service (`ssh` on Debian/Ubuntu, `sshd` on RHEL-style systems). Two caveats: on Ubuntu, drop-ins under /etc/ssh/sshd_config.d are included before the main file and take precedence, so verify the effective values with `sshd -T`; and Docker programs its own iptables chains ahead of UFW's, so any port published with `ports:` in a Compose file is reachable from outside no matter what UFW says.

apt update && apt upgrade -y
ufw default deny incoming
ufw allow OpenSSH
ufw allow http
ufw allow https
ufw --force enable
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
sshd -t && systemctl restart ssh
sshd -T | grep -iE '^(permitrootlogin|passwordauthentication) '

⚠ Common Pitfalls

  • Disabling root login before a non-root user with key-based SSH access has been verified from a second session
  • Publishing application ports with `ports:` and assuming UFW blocks them (Docker's own iptables rules bypass UFW)
  • Leaving root or password login enabled, or editing sshd_config while a drop-in under /etc/ssh/sshd_config.d overrides it (`sshd -T` shows the effective values)
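
As an added check that is not part of the original guide: the script below compares the ports Docker has published on all interfaces with the ports UFW allows and reports any that UFW would never have let through, which is exactly the gap the Docker/UFW caveat above describes. It parses the output of `ufw status` and `docker ps --format '{{.Names}}\t{{.Ports}}'`; the sample output embedded in it is constructed (it mirrors this guide's stack with WordPress mistakenly published on 8080), and the live check at the end runs only as root with both tools installed.

```sh
#!/bin/sh
# Added example, not from the guide: audit ports Docker has published against
# the UFW allow list. Docker programs its own iptables chains ahead of UFW's,
# so "ports: 8080:80" in a Compose file is reachable from the internet even
# though UFW never allowed 8080. Sample `ufw status` and `docker ps` output is
# constructed below; the live check at the end only runs as root.
set -eu

# Ports UFW allows, from `ufw status` on stdin: lines such as
# "80/tcp  ALLOW  Anywhere" and the "OpenSSH" application profile (port 22).
# Other application profiles would need `ufw app info <name>`; not handled here.
ufw_allowed_ports() {
    awk '($2 == "ALLOW" || $3 == "ALLOW") {
            split($1, a, "/")
            if (a[1] ~ /^[0-9]+$/) print a[1]
            else if ($1 == "OpenSSH") print 22
         }'
}

# Host ports Docker binds on all interfaces (0.0.0.0 or :::), from
# `docker ps --format '{{.Names}}\t{{.Ports}}'` on stdin. Loopback-only
# bindings (127.0.0.1:...) and unpublished "3306/tcp" entries are skipped.
docker_published_ports() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name ports; do
        printf '%s\n' "$ports" | grep -oE '(0\.0\.0\.0:|:::)[0-9]+->' \
            | sed -E 's/.*:([0-9]+)->/\1/' | sort -un \
            | while read -r port; do printf '%s %s\n' "$name" "$port"; done
    done
}

# audit_ports "<ufw status output>" "<docker ps output>"
# Prints "container port" for every published port UFW would not have allowed.
audit_ports() {
    allowed=$(printf '%s\n' "$1" | ufw_allowed_ports)
    printf '%s\n' "$2" | docker_published_ports | while read -r name port; do
        printf '%s\n' "$allowed" | grep -qx "$port" || printf '%s %s\n' "$name" "$port"
    done
}

# Constructed sample: this guide's host after step 3 published 8080:80.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)'
SAMPLE_DOCKER=$(printf 'traefik\t0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp\nwordpress\t0.0.0.0:8080->80/tcp, :::8080->80/tcp\ndb\t3306/tcp')

audit_ports "$SAMPLE_UFW" "$SAMPLE_DOCKER"    # prints: wordpress 8080

# Live check on the real host (`ufw status` needs root).
if [ "$(id -u)" -eq 0 ] && command -v ufw >/dev/null 2>&1 && command -v docker >/dev/null 2>&1; then
    audit_ports "$(ufw status)" "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
fi
```

Anything the script prints is a port the internet can reach that UFW never approved; the fix is to drop the `ports:` entry and route the container through Traefik, or bind it to 127.0.0.1 if a host-local port is genuinely needed.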
2

Install Traefik with Let's Encrypt integration

Deploy Traefik as the only service that publishes host ports. It terminates TLS with certificates obtained from Let's Encrypt (here via the TLS-ALPN challenge, which needs port 443 reachable from the internet) and routes by hostname using container labels. Before starting it, create the certificate store with the permissions Traefik insists on: `touch /etc/traefik/acme.json && chmod 600 /etc/traefik/acme.json`. Do not use `--api.insecure=true` on an internet-facing host; it serves the dashboard and API on port 8080 without authentication. Set `exposedbydefault=false` so only containers that opt in with `traefik.enable=true` get a router. The Docker socket mount gives Traefik full control of the daemon, which is root-equivalent on the host: `:ro` stops the container from replacing the socket file but does not restrict API calls, so keep the image pinned to a version you have reviewed and consider a socket proxy that only permits the read-only endpoints Traefik needs.

docker-compose-traefik.yml
version: '3.8'
services:
  traefik:
    image: traefik:v2.9
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/traefik:/etc/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/etc/traefik/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true

⚠ Common Pitfalls

  • Leaving `--api.insecure=true` enabled, which publishes the dashboard and API without authentication
  • Using a placeholder or unmonitored ACME email address (admin@example.com above is a placeholder); expiry and policy notices from Let's Encrypt go there
  • Not persisting acme.json on the host, so every restart re-requests certificates and quickly hits Let's Encrypt rate limits, or leaving it with permissions other than 600, which Traefik rejects
  • Forgetting the ACME challenge type (`tlschallenge`, `httpchallenge` or `dnschallenge`); without one Traefik cannot request a certificate at all
3

Deploy application with Docker Compose

Create a Compose file for a sample application (here WordPress) together with its database. Route it through Traefik with labels instead of publishing a host port, and take the credentials from a `.env` file next to the Compose file (mode 600 and excluded from version control; Compose substitutes `${VAR}` from it) rather than writing them into the YAML. The `websecure` entrypoint and `le` resolver referenced in the labels must exist in Traefik's configuration. If Traefik runs as a separate Compose project, both stacks need a shared Docker network (`docker network create proxy`, then a `networks:` entry with `external: true` in both files); otherwise Traefik registers the router but cannot reach the container.

docker-compose-wordpress.yml
version: '3.8'
services:
  wordpress:
    image: wordpress:latest
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: ${WORDPRESS_DB_PASSWORD}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wordpress.rule=Host(`app.example.com`)"
      - "traefik.http.routers.wordpress.entrypoints=websecure"
      - "traefik.http.routers.wordpress.tls.certresolver=le"
  db:
    image: mariadb:10.11
    environment:
      MARIADB_DATABASE: wordpress
      MARIADB_USER: wordpress
      MARIADB_PASSWORD: ${WORDPRESS_DB_PASSWORD}
      MARIADB_ROOT_PASSWORD: ${MARIADB_ROOT_PASSWORD}
    volumes:
      - db_data:/var/lib/mysql
volumes:
  db_data:

⚠ Common Pitfalls

  • Publishing container ports with `ports:` instead of letting Traefik route to the container's internal port (Docker's published ports also bypass UFW)
  • Hardcoding credentials in the Compose file, or committing the `.env` that replaces them
  • Running the application in a different Compose project from Traefik without a shared Docker network, so the router exists but Traefik cannot reach the backend
4

Set up automated container updates

Use Watchtower to pull new images for selected containers on a schedule and recreate them with their existing configuration; it restarts the updated container itself, so no manual restart is needed. Opt containers in with the label `com.centurylinktech.watchtower.enable=true` and run Watchtower with `--label-enable`, rather than letting it update everything, Traefik and the database included. Pulling `:latest` unattended means any broken or compromised upstream push lands in production, so pin images to a minor version (for example `mariadb:10.11`) and let Watchtower pick up patch releases, or run it with `--monitor-only` plus a notification and apply updates after testing them in staging. Watchtower needs the Docker socket for all of this, which is root-equivalent access to the host; pin its own image too.

docker-compose-watchtower.yml
version: '3.8'
services:
  watchtower:
    image: containrrr/watchtower
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command:
      - --cleanup
      - --label-enable
      - "--schedule=0 0 4 * * *"

⚠ Common Pitfalls

  • Letting Watchtower update everything, including Traefik and the database, without testing the new images in staging first
  • Passing `--no-pull`, which stops Watchtower from pulling new images and leaves the containers exactly as they were
  • Not checking `docker ps` and the container logs after the update window; Watchtower restarts the updated container, but a failing health check or a pending schema migration still needs a human
5

Implement backup strategy with BorgBackup

Configure BorgBackup for encrypted, deduplicated, incremental backups of the data that cannot be rebuilt from images: the web root, Traefik's acme.json, a consistent database dump and the Docker volumes. Put the repository on a different host (Borg works over SSH, so `/backup/repo` below can be `ssh://user@host/./repo`), and with `repokey` encryption export the key with `borg key export` and keep it together with the passphrase somewhere other than the repository, because a repokey repository without its passphrase is unreadable. Apply the retention policy with `borg prune` and reclaim the space it frees with `borg compact`.

borg init --encryption=repokey /backup/repo
borg create --stats /backup/repo::{hostname}-$(date +'%Y-%m-%d') /var/www /etc/traefik
borg prune --keep-daily=7 --keep-weekly=4 --keep-monthly=6 /backup/repo
borg compact /backup/repo

⚠ Common Pitfalls

  • Never running a restore; `borg extract` into a scratch directory and `borg check` belong in the schedule, not only `borg create`
  • Keeping the repository on the same host or site as the primary data, or keeping the only copy of the repository key and passphrase there
  • Backing up /var/www but not the database: WordPress content lives in the MariaDB volume, so dump it before each run
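
The complete backup run that the step above describes, as an added example rather than the guide's own script. It assumes a remote repository over SSH on a host named backup.example.net, a passphrase in /root/.borg-passphrase read through BORG_PASSCOMMAND, and a MariaDB container named `db` (the service from step 3); all three are assumptions, overridable through the environment variables at the top. It dumps the database first so the archive is consistent, applies retention with `borg prune`, reclaims space with `borg compact`, verifies with `borg check`, and ends with a restore drill that extracts the newest archive into a scratch directory and checks that the dump came back.

```sh
#!/bin/sh
# Added example, not part of the guide: one repeatable Borg backup run for the
# stack above. Assumed (not stated on the page): a remote repo over SSH, the
# passphrase in a root-only file, and a MariaDB container to dump from.
set -eu

export BORG_REPO="${BORG_REPO:-ssh://borg@backup.example.net/./repo}"   # assumed
export BORG_PASSCOMMAND="${BORG_PASSCOMMAND:-cat /root/.borg-passphrase}" # chmod 600
DB_CONTAINER="${DB_CONTAINER:-db}"   # container name from docker ps; compose names it <project>-db-1
DUMP_DIR="${DUMP_DIR:-/var/backups/db}"

# Archive name: host plus date, e.g. web1-2024-05-01, so prune can order them.
archive_name() {            # $1 = hostname, $2 = date (YYYY-MM-DD)
    printf '%s-%s\n' "$1" "$2"
}

# Paths worth keeping; images come back from the registry, this data does not.
backup_paths() {
    printf '%s\n' /var/www /etc/traefik /var/lib/docker/volumes "$DUMP_DIR"
}

# Newest archive from `borg list --short` (oldest first, one name per line).
latest_archive() {
    tail -n 1
}

# Consistent dump of every database. MYSQL_PWD keeps the root password off the
# command line, and it is taken from the container's own environment, so the
# secret never appears on the host. With set -e, a failed dump aborts the run
# rather than archiving a stale file.
dump_database() {
    mkdir -p "$DUMP_DIR" && chmod 700 "$DUMP_DIR"
    docker exec "$DB_CONTAINER" sh -c \
        'MYSQL_PWD="$MARIADB_ROOT_PASSWORD" mariadb-dump --all-databases --single-transaction -uroot' \
        > "$DUMP_DIR/all-databases.sql"
}

run_backup() {
    dump_database
    borg create --stats --compression zstd \
        "::$(archive_name "$(hostname)" "$(date +%Y-%m-%d)")" $(backup_paths)
    borg prune --keep-daily=7 --keep-weekly=4 --keep-monthly=6   # retention policy
    borg compact                                                 # reclaim pruned space
    borg check --last 1                                          # repo and newest archive
}

# Restore drill: extract the newest archive into a scratch directory and make
# sure the database dump is there. Archive paths are stored without the
# leading slash, hence ${DUMP_DIR#/}. Schedule this, do not run it once.
restore_drill() {
    scratch=$(mktemp -d)
    newest=$(borg list --short | latest_archive)
    ( cd "$scratch" && borg extract "::$newest" "${DUMP_DIR#/}" )
    test -s "$scratch/${DUMP_DIR#/}/all-databases.sql"
    rm -rf "$scratch"
}

if command -v borg >/dev/null 2>&1 && command -v docker >/dev/null 2>&1; then
    run_backup
    restore_drill
fi
```

Run it from root's crontab or a systemd timer; because it exits non-zero at the first failing step, a monitoring hook on the exit status tells you about a broken dump or an unreachable repository the same day rather than when you need the restore.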

What you built

This setup provides a self-hosted infrastructure with the core pieces for application deployment, TLS termination, updates and backups. Regularly review Traefik and container logs, move pinned image versions forward deliberately, and test a restore, not just a backup, on a schedule.