DEV Community: MP Singh

I built a Drupal installer that tells you if your site is safe to ship

MP Singh — Fri, 17 Apr 2026 18:46:04 +0000

Most Drupal installers stop at "it's running."

Mine doesn't.

The problem nobody talks about

You follow the tutorial. You provision a server. You install Drupal. The site loads. You think you're done.

You're not.

Your trusted_host_patterns might be unconfigured — meaning any Host header gets accepted, opening you to cache poisoning. Your private file path might be unset — meaning files uploaded to private:// are publicly accessible via direct URL. Your Redis might be running but not actually wired as Drupal's cache backend. Your TLS cert might have 12 days left and you have no alert for it.

The site looks fine. The vulnerabilities are invisible.

Every Drupal developer I know has shipped something that looked fine and wasn't. Including me.

What I built

Actools is a Drupal 11 installer for Hetzner VPS. One command, complete stack — Caddy 2, PHP 8.3-FPM, MariaDB 11.4, Redis 7, XeLaTeX PDF worker, automated backups.

That part exists. There are other installers.

What's different is this:

$ actools audit

25 checks. Four categories. A score out of 10. Fix commands attached to every finding.

=== ACTOOLS DRUPAL AUDIT ===

[DRUPAL]
  PASS  Security advisories: none found
  PASS  trusted_host_patterns: configured
  PASS  Error display: hidden
  PASS  Private file path: configured and writable

[INTEGRATION]
  PASS  Redis: write/read/TTL confirmed
  PASS  Queue worker: enqueue test passed
  PASS  HTTP: Cache-Control header present

[STACK]
  PASS  Containers: all 5/5 running
  PASS  Site response: HTTP 200
  PASS  TLS: valid, 90 days remaining
  PASS  MariaDB: reachable
  PASS  Worker container: healthy

[SECURITY]
  PASS  HTTPS: HTTP redirects to HTTPS
  PASS  HSTS header: present
  PASS  X-Frame-Options header: present
  PASS  Server header: hidden

─────────────────────────────────────────
  PASS: 22   WARN: 5   FAIL: 1
  Audit score: 6/10
  Fix FAIL items before next deploy.

Not a dashboard. Not a Drupal module. A CLI tool that tells you the truth about your own server.

The line that started it

At the top of audit.sh there's a comment:

# The Drupal community has enough Report modules.
# What it lacks is a CLI tool that says:
# I found a problem. I won't let you deploy until you run this specific command to fix it.

That's the whole product philosophy in three lines. Written before a single check existed.

What it checks

Drupal layer

Security advisories via drush pm:security
trusted_host_patterns — reads settings.php and verifies it's active
Config drift — but only if the sync directory has a baseline (fresh installs get INFO, not false WARNING)
Error display mode
Session cookie security flags
Queue backlog

Integration layer

Redis behavioral test — not just "is it running" but write/read/TTL cycle
Redis as actual Drupal cache backend
HTTP cache headers
Queue worker — enqueues a test job and verifies processing
Private file path — verifiable and writable

Stack layer

All containers running
HTTP 200 response
TLS validity and days remaining
Disk usage
Memory available
Backup existence and age
MariaDB reachability
Worker container health

Security layer

HTTPS redirect
HSTS header
X-Frame-Options
X-Content-Type-Options
Server header hidden
Referrer-Policy
Docker image pinning

The honest score

Fresh install scores 6/10.

Not 10. Not "everything is perfect." Six. Because on a brand new server there's no backup yet, Redis isn't wired as the cache backend by default, and a few medium-priority items need operator attention.

That's honest. A tool that gives you 10/10 on a fresh install is lying to you.

The score goes up as you fix things. Run actools backup. Wire Redis. Pin your Docker images. Each fix moves the needle.

What I learned building it

Shell escaping across Docker layers is genuinely hard.

Injecting $settings['trusted_host_patterns'] into a PHP file through bash → docker exec → bash → heredoc — every layer eats escape characters differently. I went through printf, echo -e, inline quoting, and eventually landed on the only solution that actually works:

docker compose exec -T "$php_svc" bash -c "cat > /tmp/php_inject.php << 'EOF'
\$settings['trusted_host_patterns'] = array('^${domain_escaped}\$', '^.*\\.${domain_escaped}\$');
// trusted_host_patterns_active
EOF
cat /tmp/php_inject.php >> /path/to/settings.php
rm -f /tmp/php_inject.php"

Quoted heredoc inside the container. Write to temp file. Append. Delete. No escaping war.

Three AI systems independently converged on this exact pattern when I described the problem. That's usually a sign it's right.

Idempotency checks need to be precise.

My first idempotency check used grep -q file_private_path settings.php. It matched the commented-out default line # $settings['file_private_path'] = ''; and skipped the injection every time. The installer said "set" — nothing was actually written.

Fix: grep -q "^$settings\['file_private_path'\]" — anchor to the start of line, require the actual PHP assignment.

Cache matters more than you think.

Settings written to settings.php aren't visible to Drupal until the cache is rebuilt. The installer now runs drush cr immediately after both injections. Obvious in hindsight. Invisible until you're staring at an audit that says CRITICAL on something you just fixed.

The stack

Drupal 11 + PHP 8.3-FPM
Caddy 2 (automatic HTTPS, security headers, rate limiting)
MariaDB 11.4
Redis 7
XeLaTeX worker (PDF generation, self-contained)
GitHub Actions CI (bats + shellcheck + Trivy + CodeQL)
Hetzner CX22 — €10/month

MIT license. No lock-in. The installer is free. What you install today stays yours. Future modules are optional.

Try it

git clone https://github.com/actools-pl/actoolsDrupal.git
cd actoolsDrupal
cp actools.env.example actools.env && nano actools.env
sudo ./actools.sh
actools audit

You need a Hetzner VPS running Ubuntu 24.04 and a domain pointed at it. That's it.

First tester feedback welcome at GitHub Issues.

Built with Claude. For Claude.

Drupal Developers: I Need You to Break This

MP Singh — Tue, 14 Apr 2026 11:34:32 +0000

I built something I want to stress-test properly.

A one-command installer that deploys a full Drupal 11 production stack on a €10 VPS. Not a demo. Not a toy. A real stack with backups, recovery, observability, and preview environments.

Now I need people who will actually try to break it.

What it deploys

git clone https://github.com/actools-pl/actoolsDrupal.git
cd actoolsDrupal
cp actools.env.example actools.env
sudo ./actools.sh

In under 30 minutes on a fresh Ubuntu 24.04 server:

Drupal 11 + PHP 8.3-FPM
Caddy 2.8 — automatic HTTPS, HTTP/3
MariaDB 11.4 — binary logging, point-in-time recovery
Redis 7 — session and page caching
XeLaTeX worker — containerised PDF generation
Prometheus + Grafana — full observability
Automated encrypted backups
Preview environments per branch
Self-healing health checks

Total cost: €10/month on a Hetzner CX22 (2 vCPU, 4GB RAM).

What stays free forever

Everything above. MIT licensed. No feature gates. No licence keys. No phone-home. Every line readable at github.com/actools-pl/actoolsDrupal.

Why this exists

If you have worked with Acquia, Pantheon, or felt the pain of BOA's complexity — you already know the gap. This tries to close it. Full control. Predictable behaviour. Low cost.

What I need

I am not looking for cheerleaders.

I want:

Install failures
Confusing steps
Broken assumptions
Anything that makes you hesitate to use this on a client project

Run it on a fresh server. Try to use it like real work. Then send a short email to hello@feesix.com answering:

Did it install without errors?
What was confusing or unclear?
What broke or behaved unexpectedly?
What would you need before using this on a client site?

No forms. No account. Just an honest email.

Post it publicly if you prefer — that is even better.

What you get

Early access to Phase 4.5 enterprise features when released
Your feedback shapes the roadmap directly
Credit in the changelog if you want it

The honest part

I am a physics teacher building infrastructure tools on pocket money. The installer has been stress-tested, CI is green, security scanning is automated — but real-world testing by real Drupal developers is what it needs now.

Try it. Break it. Tell me how to fix it.

GitHub: https://github.com/actools-pl/actoolsDrupal
Site: https://feesix.com
Email: hello@feesix.com

Replaced Acquia (€134/month) with a €10 Hetzner VPS. One bash script. Full enterprise Drupal stack. XeLaTeX, S3, preview environments, Grafana — all included. Here is exactly how.

MP Singh — Sun, 12 Apr 2026 05:53:20 +0000

How I Replaced Acquia (€134/month) with a €10 Hetzner VPS — and Beat It on Every Feature - DEV Community

I run a Drupal 11 production site. For years, managed Drupal hosting meant one thing: pay Acquia,...

dev.to

How I Replaced Acquia (€134/month) with a €10 Hetzner VPS — and Beat It on Every Feature

MP Singh — Sun, 12 Apr 2026 05:41:52 +0000

I run a Drupal 11 production site. For years, managed Drupal hosting meant one thing: pay Acquia, Pantheon, or Platform.sh a significant monthly fee and hope nothing breaks.

Last month I built Actools — a single-command enterprise Drupal installer that runs on a €10/month Hetzner VPS. It now handles everything my managed hosting used to do, plus things it never did.

Here is the honest comparison.

What Managed Hosting Gives You

Acquia Cloud starts at around €134/month for a basic production environment. For that you get:

Managed Drupal hosting
Automated backups
A CDN
SSH access
A deployment pipeline (basic)
Support tickets

What you do not get: control. You cannot touch the server. You cannot customise the stack. You cannot add a XeLaTeX worker for PDF generation. You cannot run your own Redis configuration. You pay for their infrastructure decisions.

What I Built Instead

One bash script. One config file. One command:

sudo ./actools.sh

What it deploys in under 10 minutes on a fresh Hetzner VPS:

Drupal 11 — production-isolated with PHP 8.3-FPM
Caddy 2.8 — automatic HTTPS, custom rate-limiting plugin
MariaDB 11.4 — with binary logging for point-in-time recovery
Redis 7 — session caching, page caching
XeLaTeX worker — PDF generation fully containerised
S3 storage — works with AWS, Backblaze, Wasabi, Cloudflare R2, MinIO
Preview environments — actools branch feature-x spins up a full isolated environment
CI/CD pipeline — GitHub Actions integration built in
Prometheus + Grafana — full observability stack
Automated backups — encrypted, offsite, with restore testing
Self-healing health checks — containers restart on failure
Zero-downtime migrations — database migrations without taking the site down

Total cost: €10/month for a Hetzner CX22 (2 vCPU, 4GB RAM).

The XeLaTeX Part

This is the detail that matters if you generate PDFs from Drupal content.

Every managed host I tried either did not support XeLaTeX at all, or required a separate server, or had it as an expensive add-on. With Actools, the XeLaTeX worker lives inside a Docker container. It builds once, caches, and is available to every environment:

actools pdf-test          # Verifies XeLaTeX is working
actools storage-info      # Shows S3 config and PDF mode

PDFs generated by Drupal go directly to S3. No local storage. No egress fees with Cloudflare R2.

The Preview Environments Part

This one still surprises people when I show them.

actools branch feature-redesign
# → Creates: dev-feature-redesign.yourdomain.com
# → Full database clone
# → Full files clone
# → Isolated PHP-FPM container
# → Own Redis namespace
# → Automatic HTTPS

actools branch --list
actools branch --destroy feature-redesign

Pantheon charges extra for multidev environments. Acquia limits them by plan. With Actools they are unlimited and take about 90 seconds to spin up.

The Observability Part

actools health
# → Checks: web, database, cache, worker, storage
# → Returns: green/yellow/red per component
# → Auto-restarts failed containers

actools logs --tail 100
actools drush status

Grafana dashboards are available at grafana.yourdomain.com with Drupal-specific metrics out of the box.

The Backup Part

actools backup
# → Dumps database
# → Archives files
# → Encrypts with age
# → Uploads to S3
# → Tests restore in isolation
# → Reports: backup verified

actools restore-test
# → Pulls latest backup
# → Restores to isolated environment
# → Runs smoke tests
# → Confirms data integrity

Most managed hosts say "we take backups." Actools proves the backup works every time it runs.

What It Cannot Do (Honest)

Managed hosts have large support teams. If something goes wrong at 3am, you can file a ticket.

With Actools you are the support team. The health checks, the observability, the self-healing containers — they reduce the 3am events significantly. But they do not eliminate the possibility. If you are not comfortable being the operator of your own infrastructure, managed hosting is still the right answer for you.

Actools is for teams and individuals who want control, want cost efficiency, and are comfortable running a VPS.

The Numbers

	Acquia Basic	Pantheon Performance	Actools + Hetzner
Monthly cost	~€134	~€179	€10
Preview environments	Limited	Extra cost	Unlimited
XeLaTeX / custom workers	No	No	Yes
Full server access	No	No	Yes
Observability (Grafana)	Extra	Extra	Included
Restore testing	Manual	Manual	Automated
S3 provider choice	Locked	Locked	Any

Getting Started

The installer and full documentation are available at feesix.com.

Requirements:

A Hetzner VPS (CX22 or larger, €10/month)
Ubuntu 24.04
A domain pointing at the server

# Clone into a dedicated directory — important
# The installer uses the directory it runs from as the project root
git clone https://github.com/actools-pl/actoolsDrupal.git
cd actoolsDrupal

# Configure
cp actools.env.example actools.env
nano actools.env
# Required: BASE_DOMAIN, DRUPAL_ADMIN_EMAIL
# Everything else auto-generates

# Install
sudo ./actools.sh

That is it. Drupal 11 with the full enterprise stack, running in under 10 minutes.

One important note: Always clone into a subdirectory as shown above. The installer creates all project files — docker-compose.yml, Caddyfile, docroot/, logs/, backups/ — relative to wherever actools.sh lives. If you run it from your home directory directly, everything lands there. Clone first, then run.

What is Coming

Phase 4.5 is in progress: encrypted offsite backups, Cloudflare Tunnel for zero-trust networking, multi-user RBAC with audit trails, and a DNA/resurrection system that rebuilds a complete server from a single JSON snapshot in under 15 minutes.

The goal is a platform that any serious Drupal team can run confidently without a managed hosting bill.

Built on a €10 server. Running in production. Replacing a €134/month bill.

Questions or feedback? Reach me at hello@feesix.com or leave a comment below.