DEV Community: Igor Bumba The latest articles on DEV Community by Igor Bumba (@igorbumba). https://dev.to/igorbumba https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3968232%2F2a908f34-478d-4d70-a746-fc988b82a8c8.jpg DEV Community: Igor Bumba https://dev.to/igorbumba en I built one self-hosted boilerplate and now I ship everything on it Igor Bumba Sun, 07 Jun 2026 12:40:41 +0000 https://dev.to/igorbumba/i-built-one-self-hosted-boilerplate-and-now-i-ship-everything-on-it-39o8 https://dev.to/igorbumba/i-built-one-self-hosted-boilerplate-and-now-i-ship-everything-on-it-39o8 <p>Every time I started a side project, I rebuilt the same five things before I wrote a single line of the actual idea: auth, a database, file uploads, a deploy pipeline, and TLS. Different domain, same plumbing. By the third project I was copy-pasting my own <code>docker-compose.yml</code> from a folder two repos over and renaming things until they stopped erroring.</p> <p>So I stopped. I froze that plumbing into one boilerplate — <strong>PocketBase + Next.js + Caddy on a single cheap VPS</strong> — and now I ship every side project on it. Same shape every time: clone, rename, write the part that's actually new, push.</p> <p>The thing I care about most isn't the speed, though. It's that I stopped paying for it. A handful of real projects now run on this setup for <strong>a few euros a month, total</strong> — not a stack of per-service SaaS bills that each want $25 here and $20 there before you've shipped anything. No Vercel seat, no managed Postgres, no Auth-as-a-Service, no object-storage line item.</p> <p>Here's the whole thing.</p> <h2> Why this stack </h2> <p>The trick that makes the cost collapse is <strong>PocketBase</strong>. It's a single Go binary that gives you, in one process:</p> <ul> <li> <strong>Auth</strong> — email/password, OAuth, the works, with a real users collection</li> <li> <strong>A database</strong> — SQLite, with a schema you manage from an admin UI</li> <li> <strong>Realtime</strong> — subscribe to collection changes over SSE</li> <li> <strong>File storage</strong> — uploads handled, with on-the-fly thumbnails</li> <li> <strong>An admin dashboard</strong> — at <code>/_/</code>, for free</li> </ul> <p>That's four or five separate SaaS products collapsed into one binary that runs anywhere and stores everything in a folder. Compared to wiring up Supabase or Firebase, the mental model is tiny: it's one process and one data directory. Back up the directory and you've backed up the entire app — database, uploaded files, auth tokens, all of it.</p> <p>For the front I use <strong>Next.js</strong> (App Router, React Server Components) because that's where I'm fastest, and <strong>Caddy</strong> as the reverse proxy because it gets you automatic HTTPS with zero config — it provisions and renews Let's Encrypt certificates on its own.</p> <p>And it all lives on <strong>one small VPS</strong> (Hetzner, in my case, but any box works). Not serverless, not a managed platform — a plain Linux box I can SSH into. That's the part people get nervous about, so let me show you it's less scary than it sounds.</p> <h2> The shape of the boilerplate </h2> <p>Every project has the same three top-level pieces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>my-app/ ├── apps/web/ # Next.js (App Router, output: 'standalone') ├── pocketbase/ │ ├── pb_migrations/ # schema, as committed JS — version controlled │ └── pb_data/ # SQLite + uploaded files — gitignored, the only state └── infra/ # Caddyfile, deploy + backup scripts, systemd units, Docker </code></pre> </div> <p>Two ideas in there do most of the work.</p> <p><strong><code>pb_data/</code> is the only stateful thing in the entire system.</strong> It's gitignored. Everything else — code, schema, infra — is in the repo and reproducible. That single boundary is what makes the whole stack easy to reason about and trivial to back up.</p> <p><strong>Schema is code.</strong> PocketBase lets you click a schema together in the admin UI, but it can export every change as a timestamped JS migration. I commit those, and PocketBase auto-applies them on startup. So the schema travels with the repo and a fresh box rebuilds itself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">/// &lt;reference path="../pb_data/types.d.ts" /&gt;</span> <span class="nf">migrate</span><span class="p">(</span> <span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// up — create a collection with access rules</span> <span class="kd">const</span> <span class="nx">notes</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Collection</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">base</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">notes</span><span class="dl">'</span><span class="p">,</span> <span class="na">listRule</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@request.auth.id != ""</span><span class="dl">'</span><span class="p">,</span> <span class="na">viewRule</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@request.auth.id != ""</span><span class="dl">'</span><span class="p">,</span> <span class="na">createRule</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@request.auth.id != ""</span><span class="dl">'</span><span class="p">,</span> <span class="na">fields</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">title</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span><span class="p">,</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">body</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">editor</span><span class="dl">'</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">save</span><span class="p">(</span><span class="nx">notes</span><span class="p">);</span> <span class="p">},</span> <span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// down — idempotent rollback</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">app</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">app</span><span class="p">.</span><span class="nf">findCollectionByNameOrId</span><span class="p">(</span><span class="dl">'</span><span class="s1">notes</span><span class="dl">'</span><span class="p">));</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{}</span> <span class="p">},</span> <span class="p">);</span> </code></pre> </div> <p>Those <code>listRule</code>/<code>viewRule</code>/<code>createRule</code> strings are PocketBase's access control. Authorization lives <em>in the data layer</em>, evaluated on every request, instead of being scattered through app middleware. <code>@request.auth.id != ""</code> means "must be logged in"; you can get as specific as <code>@request.auth.role = "admin" || owner = @request.auth.id</code>. For most apps I write almost no custom server code — the rules are the security model.</p> <h2> How Next.js actually talks to PocketBase </h2> <p>This is the part I'd have wanted to read three projects ago, so I'll go slow here.</p> <p>PocketBase has a JS SDK, but Next.js runs in two worlds — the server (Server Components, route handlers) and the browser — and they need different clients. So the boilerplate has a small <code>lib/</code> with a clear split.</p> <p><strong>Shared constants.</strong> The server-side URL is read at runtime and never baked into the client bundle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/pb.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">PB_URL</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PB_URL</span> <span class="o">??</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_PB_URL</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">http://localhost:8090</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">PB_COOKIE</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">pb_auth</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <p><strong>The server client</strong> reads the auth cookie out of the request and refreshes the session on each call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/pb.server.ts</span> <span class="k">import</span> <span class="dl">'</span><span class="s1">server-only</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">PocketBase</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">pocketbase</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">cookies</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/headers</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PB_URL</span><span class="p">,</span> <span class="nx">PB_COOKIE</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./pb</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getServerPb</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pb</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PocketBase</span><span class="p">(</span><span class="nx">PB_URL</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">cookies</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">cookie</span> <span class="o">=</span> <span class="nx">store</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">PB_COOKIE</span><span class="p">)?.</span><span class="nx">value</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">cookie</span><span class="p">)</span> <span class="p">{</span> <span class="nx">pb</span><span class="p">.</span><span class="nx">authStore</span><span class="p">.</span><span class="nf">loadFromCookie</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">PB_COOKIE</span><span class="p">}</span><span class="s2">=</span><span class="p">${</span><span class="nx">cookie</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">pb</span><span class="p">.</span><span class="nx">authStore</span><span class="p">.</span><span class="nx">isValid</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">pb</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">).</span><span class="nf">authRefresh</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nx">pb</span><span class="p">.</span><span class="nx">authStore</span><span class="p">.</span><span class="nf">clear</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">pb</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>The browser client</strong> is a singleton that syncs its auth state to a cookie, and — importantly — talks to <em>its own origin</em> by default:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/pb.client.ts</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">PocketBase</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">pocketbase</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">_browserPb</span><span class="p">:</span> <span class="nx">PocketBase</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">getBrowserPb</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">_browserPb</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// No explicit URL in prod: talk to our own origin and let the proxy</span> <span class="c1">// route /api &amp; /_/ to PocketBase. Keeps the image domain-agnostic.</span> <span class="kd">const</span> <span class="nx">browserUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_PB_URL</span> <span class="o">||</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">;</span> <span class="nx">_browserPb</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PocketBase</span><span class="p">(</span><span class="nx">browserUrl</span><span class="p">);</span> <span class="nx">_browserPb</span><span class="p">.</span><span class="nx">authStore</span><span class="p">.</span><span class="nf">loadFromCookie</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">);</span> <span class="nx">_browserPb</span><span class="p">.</span><span class="nx">authStore</span><span class="p">.</span><span class="nf">onChange</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span> <span class="o">=</span> <span class="nx">_browserPb</span><span class="o">!</span><span class="p">.</span><span class="nx">authStore</span><span class="p">.</span><span class="nf">exportToCookie</span><span class="p">({</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">_browserPb</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Notice <code>window.location.origin</code>. The browser never hardcodes where PocketBase is — it just calls <code>/api/...</code> on the same domain. That's the move that makes the whole thing portable, and it's why the next piece matters so much.</p> <h3> The same-origin Caddy split </h3> <p>Auth is a plain cookie named <code>pb_auth</code>. The browser SDK and the server both read it. For that to Just Work — no CORS, no cross-domain cookie headaches — the Next.js app and PocketBase have to look like <strong>one origin</strong>. Caddy makes that happen by routing on path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>your-app.com { encode zstd gzip # PocketBase owns its API + admin UI on the same origin (cookies stay simple). # But /api/auth/* is owned by Next.js — exclude it from the PB matcher. @pb { path /api/* /_/* not path /api/auth/* } reverse_proxy @pb 127.0.0.1:8090 # Everything else → Next.js. reverse_proxy 127.0.0.1:3000 header { Strict-Transport-Security "max-age=31536000; includeSubDomains" X-Content-Type-Options "nosniff" Referrer-Policy "strict-origin-when-cross-origin" } } </code></pre> </div> <p>Read that matcher carefully, because it's the cleverest line in the whole stack: <strong><code>/api/*</code> and <code>/_/*</code> go to PocketBase — <em>except</em> <code>/api/auth/*</code>, which Next.js keeps.</strong> Login and logout are my own route handlers (I want to set the cookie with my own flags), but every other data call falls straight through to PocketBase. One domain, one cookie, no CORS, ever.</p> <h3> Login, and "no middleware" </h3> <p>The login handler authenticates against PocketBase and hands the browser back a cookie:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/auth/login/route.ts</span> <span class="kd">const</span> <span class="nx">pb</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PocketBase</span><span class="p">(</span><span class="nx">PB_URL</span><span class="p">);</span> <span class="k">await</span> <span class="nx">pb</span><span class="p">.</span><span class="nf">collection</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">).</span><span class="nf">authWithPassword</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="c1">// Not httpOnly on purpose: the in-browser SDK needs to read it for realtime + writes.</span> <span class="kd">const</span> <span class="nx">cookieValue</span> <span class="o">=</span> <span class="nx">pb</span><span class="p">.</span><span class="nx">authStore</span><span class="p">.</span><span class="nf">exportToCookie</span><span class="p">({</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Lax</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">pb</span><span class="p">.</span><span class="nx">authStore</span><span class="p">.</span><span class="nx">record</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="dl">'</span><span class="s1">Set-Cookie</span><span class="dl">'</span><span class="p">,</span> <span class="nx">cookieValue</span><span class="p">);</span> <span class="k">return</span> <span class="nx">res</span><span class="p">;</span> </code></pre> </div> <p>That <code>httpOnly: false</code> is a deliberate trade-off, not a bug: the browser SDK has to read the token to open realtime subscriptions and make authenticated writes. You pay for it by being disciplined about XSS (no <code>dangerouslySetInnerHTML</code> with untrusted input, a sane CSP), and the rest of your access control lives in PocketBase's collection rules anyway, server-side, where a stolen token still can't exceed the user's permissions.</p> <p>And I don't use Next.js middleware for auth. I gate pages right where they render:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/auth.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">requireUser</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getServerUser</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="nf">redirect</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>A protected page or layout just calls <code>await requireUser()</code> at the top. Server Components do the reads (<code>pb.collection('x').getList(...)</code>), Client Components do the mutations and open realtime subscriptions (<code>pb.collection('x').subscribe('*', ...)</code>). For public, unauthenticated writes — a contact form, a signup — there's a third tiny client authed as a superuser that runs only on the server. Three small files, and the auth story is done. No library, no provider, no $0.00-until-it-isn't pricing page.</p> <h2> Shipping it — two ways </h2> <p>Here's where "self-hosting" usually loses people. It shouldn't. I ship the exact same app two ways depending on the project, and both are boring in the good way.</p> <p>Both rely on one Next.js setting — <code>output: 'standalone'</code>, which traces a self-contained Node server so you don't ship <code>node_modules</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// next.config.ts</span> <span class="kd">const</span> <span class="nx">nextConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">output</span><span class="p">:</span> <span class="dl">'</span><span class="s1">standalone</span><span class="dl">'</span><span class="p">,</span> <span class="na">reactStrictMode</span><span class="p">:</span> <span class="kc">true</span> <span class="p">};</span> </code></pre> </div> <h3> Way 1 — one Docker container </h3> <p>For anything I want to be portable (run it on a NAS, hand it to someone, move it between hosts), the whole app is <strong>a single image</strong>: PocketBase + Next.js + Caddy in one container, with <code>supervisord</code> keeping the processes alive and piping all their logs to <code>docker logs</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># supervisord.conf (trimmed) </span><span class="nn">[program:pocketbase]</span> <span class="py">command</span><span class="p">=</span><span class="s">/usr/local/bin/pocketbase serve --http=127.0.0.1:8090 --dir=/pb/pb_data --migrationsDir=/pb/pb_migrations</span> <span class="nn">[program:web]</span> <span class="py">command</span><span class="p">=</span><span class="s">node /app/apps/web/server.js</span> <span class="py">environment</span><span class="p">=</span><span class="s">NODE_ENV="production",PORT="3000",HOSTNAME="127.0.0.1",PB_URL="http://127.0.0.1:8090"</span> <span class="nn">[program:caddy]</span> <span class="py">command</span><span class="p">=</span><span class="s">/usr/local/bin/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile</span> </code></pre> </div> <p>The compose file is almost nothing, because the image <em>is</em> the app and <code>pb_data</code> is the only volume:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">my-app:amd64</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pb_data:/pb/pb_data</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">pb_data</span><span class="pi">:</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <p>That's it — the app is live. Optionally I add a Cloudflare Tunnel (a token env var) so I don't even open a port on the host; Cloudflare terminates TLS and routes straight into the container's Caddy. Great for putting something on the public internet from a box behind a home router.</p> <h3> Way 2 — native on the VPS </h3> <p>For the always-on projects I run PocketBase and Next.js directly under <strong>systemd</strong>, with Caddy on the host doing HTTPS. No Docker layer, nothing between the binary and the kernel. The PocketBase unit is the whole "database server":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># /etc/systemd/system/pocketbase.service (trimmed) </span><span class="nn">[Service]</span> <span class="py">User</span><span class="p">=</span><span class="s">pocketbase</span> <span class="py">ExecStart</span><span class="p">=</span><span class="s">/opt/pocketbase/pocketbase serve </span><span class="se">\ </span> <span class="s">--http=127.0.0.1:8090 </span><span class="se">\ </span> <span class="s">--dir=/var/lib/pocketbase/pb_data </span><span class="se">\ </span> <span class="s">--migrationsDir=/opt/pocketbase/pb_migrations</span> <span class="py">Restart</span><span class="p">=</span><span class="s">always</span> <span class="py">NoNewPrivileges</span><span class="p">=</span><span class="s">true</span> <span class="py">ProtectHome</span><span class="p">=</span><span class="s">true</span> <span class="py">ProtectSystem</span><span class="p">=</span><span class="s">full</span> </code></pre> </div> <p>A one-time <code>bootstrap.sh</code> provisions a bare Ubuntu box (creates the users, installs Node and the PocketBase binary, writes the systemd units and the Caddyfile, sets up the firewall and a backup cron). After that, deploys are a <code>git push</code> away — GitHub Actions runs the same script I run by hand:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># deploy.sh (the essence)</span> rsync <span class="nt">-avz</span> <span class="nt">--delete</span> apps/web/.next/standalone/ <span class="s2">"</span><span class="nv">$TARGET</span><span class="s2">:/opt/app-web/"</span> rsync <span class="nt">-avz</span> <span class="nt">--delete</span> apps/web/.next/static/ <span class="s2">"</span><span class="nv">$TARGET</span><span class="s2">:/opt/app-web/.next/static/"</span> rsync <span class="nt">-avz</span> <span class="nt">--delete</span> pocketbase/pb_migrations/ <span class="s2">"</span><span class="nv">$TARGET</span><span class="s2">:/opt/pocketbase/pb_migrations/"</span> ssh <span class="s2">"</span><span class="nv">$TARGET</span><span class="s2">"</span> <span class="s2">"sudo systemctl restart app-web &amp;&amp; sudo systemctl restart pocketbase"</span> </code></pre> </div> <p>Build, rsync the standalone bundle, sync the migrations, restart two services. PocketBase applies any new migrations on the restart. The whole deploy is five lines and a few seconds.</p> <h2> Living with it </h2> <p>A boilerplate is only worth keeping if it survives contact with real use. A few things I've learned:</p> <ul> <li> <strong>Backups are just a tarball.</strong> Because <code>pb_data/</code> is the entire application state, the backup script is a nightly <code>tar</code> with 14-day retention — that's the whole disaster-recovery story: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">tar</span> <span class="nt">-czf</span> <span class="s2">"pb_data-</span><span class="si">$(</span><span class="nb">date</span> +%Y%m%d-%H%M%S<span class="si">)</span><span class="s2">.tar.gz"</span> <span class="nt">-C</span> /var/lib/pocketbase pb_data find /var/backups/pocketbase <span class="nt">-name</span> <span class="s1">'pb_data-*.tar.gz'</span> <span class="nt">-mtime</span> +14 <span class="nt">-delete</span> </code></pre> </div> <p>The catch nobody tells you: a backup you've never restored isn't a backup. Test the restore. I learned that the boring way.</p> <ul> <li><p><strong>SQLite wants local disk.</strong> Do not park <code>pb_data</code> on an NFS/SMB share to feel safe — SQLite's file locking misbehaves over the network and you'll get cursed, intermittent corruption. Local disk, then back <em>up</em> off-box.</p></li> <li><p><strong>A bad migration can take the app down on deploy</strong>, since they auto-apply on restart. Keeping the <code>down()</code> half real and idempotent has saved me more than once.</p></li> <li><p><strong>One box is a single point of failure</strong>, and for side projects I've decided I'm fine with that. It restarts on crash, it's backed up nightly, and the cost of "real" HA isn't worth it for projects with tens of users. Know which projects that's <em>not</em> true for.</p></li> </ul> <p>The honest "what I'd change": continuous SQLite replication (something like Litestream streaming <code>pb_data</code> to object storage) would turn my nightly tarball into near-zero data loss. I keep meaning to wire it in. For now, the tarball has never let me down — partly because I tested the restore.</p> <h2> Takeaways </h2> <p>The boring summary: most side projects don't need a platform. They need auth, a database, file storage, and a way to get on the internet with HTTPS — and you can have all of that in one Go binary, one Next.js app, and one Caddy config on a box that costs less than a coffee a month. Freeze it once. Stop rebuilding it. Spend the saved time on the part that's actually new.</p> <p>What does your "clone-and-go" stack look like? I'm always looking for the next thing to stop rebuilding.</p> webdev nextjs docker selfhosting