DEV Community

Juan Diego Isaza A.

Self Host Docker Guide on a VPS (Secure + Simple)

If you’ve been copy-pasting docker run commands on your laptop, you’re one reboot away from losing something important. A small VPS is the cleanest upgrade: a stable IP, predictable uptime, and a place where your containers can live like they’re supposed to.

Pick a VPS you won’t hate managing

For Docker self-hosting, you don’t need “cloud architecture.” You need a boring Linux box with enough RAM and a provider that won’t surprise you.

My practical baseline:

  • 1 vCPU / 1–2 GB RAM: one or two light services (Uptime Kuma, small API, personal dashboard).
  • 2 vCPU / 4 GB RAM: comfortable for a few web apps + a database.
  • 20–40 GB SSD: container images + volumes add up fast.

Provider notes (opinionated):

  • DigitalOcean is beginner-friendly: simple UI, sane defaults, good docs. You pay a little for convenience.
  • Hetzner is hard to beat on price/performance in many regions; great if you’re comfortable being more hands-on.
  • If you care about DDoS shielding, caching, and DNS ergonomics, Cloudflare is often part of the setup, even if your VPS is elsewhere.

Whatever you choose: pick a region close to your users, enable backups (or do your own), and don’t underbuy RAM.

Harden the server before you run containers

Most “Docker got hacked” stories are actually “server was wide open.” Do the basics first.

Minimum checklist:

  • Create a non-root user, disable password SSH, use SSH keys.
  • Turn on a firewall (UFW on Ubuntu is fine).
  • Keep the OS updated.

On Ubuntu/Debian, UFW can be as simple as:

  • allow SSH
  • allow HTTP/HTTPS
  • deny everything else

Also: don’t publish databases to the internet. If you need Postgres/MySQL, keep them on an internal Docker network and access through your app or a VPN.

Use Docker Compose like an adult (and keep data safe)

A self-host setup lives or dies by: repeatability (Compose) and persistence (volumes).

Here’s an actionable example using Traefik as a reverse proxy + whoami as a test service. It’s not the only way, but it scales nicely as you add more apps.

# docker-compose.yml
services:
  traefik:
    image: traefik:v3.0
    command:
      # Dashboard is enabled but not reachable until a router to api@internal is defined
      - --api.dashboard=true
      - --providers.docker=true
      # Only containers labelled traefik.enable=true are routed
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=you@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # :ro protects the socket file only; Traefik can still call the Docker API through it
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Persist issued certificates across container restarts
      - letsencrypt:/letsencrypt
    restart: unless-stopped

  whoami:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.example.com`)
      - traefik.http.routers.whoami.entrypoints=websecure
      - traefik.http.routers.whoami.tls.certresolver=le
    restart: unless-stopped

volumes:
  letsencrypt:

Run it:

  • docker compose up -d

Key takeaways:

  • Volumes persist certificates and app data.
  • restart: unless-stopped makes your services survive reboots.
  • Labels let you add new apps without manually editing proxy config.
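
Adding a database to the Compose file above without publishing it, following the earlier advice to keep Postgres/MySQL on an internal Docker network. This is an added example, not part of the original post; the app service, its image, DATABASE_URL, the network name web and the secret file path are placeholders.

```yaml
# Added example: services to append to the docker-compose.yml above.
# "app", its image and DATABASE_URL are placeholders for your own application.
services:
  app:
    image: registry.example.com/app:1.0   # placeholder image
    environment:
      # Reaches Postgres by service name over the internal network.
      # The app is assumed to read the password from the mounted secret file.
      DATABASE_URL: postgres://app@db:5432/app
    secrets:
      - db_password
    networks:
      - default    # shared with Traefik
      - backend    # shared with the database
    labels:
      - traefik.enable=true
      - traefik.docker.network=web   # route via the shared network, not backend
      - traefik.http.routers.app.rule=Host(`app.example.com`)
      - traefik.http.routers.app.entrypoints=websecure
      - traefik.http.routers.app.tls.certresolver=le
    restart: unless-stopped

  db:
    image: postgres:16
    environment:
      POSTGRES_USER: app
      POSTGRES_DB: app
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    volumes:
      - pgdata:/var/lib/postgresql/data
    networks:
      - backend
    # No "ports:" here. Publishing "5432:5432" would expose Postgres publicly,
    # and Docker's own iptables rules let that traffic past UFW's deny default.
    restart: unless-stopped

networks:
  default:
    name: web          # fixed name so the traefik.docker.network label matches
  backend:
    internal: true     # no external connectivity for this network

volumes:
  pgdata:

secrets:
  db_password:
    file: ./db_password.txt   # keep out of version control
```

After docker compose up -d, docker compose ps should show no host port mapping for db; only Traefik's 80 and 443 are published.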

DNS, TLS, and updates: keep it boring

If you want self-hosting to stay fun, make maintenance predictable.

DNS + TLS

  • Point A/AAAA records to your VPS.
  • Put your DNS at Cloudflare if you want easy records, proxying options, and quick changes. You can still use Traefik/Let’s Encrypt for TLS on the box.

Updates

  • Update the server monthly at minimum.
  • For containers, I prefer intentional updates over “auto-update everything.” But if you’re running low-risk personal services, a tool like Watchtower can be acceptable—just understand it can break things when upstream images change.

Backups

  • Back up volumes, not images. Images are re-downloadable; your data isn’t.
  • Test restores. A backup you’ve never restored is a hope, not a plan.

When to outgrow the single VPS (soft landing)

A single VPS running Docker is the sweet spot for personal projects, prototypes, and small production apps. It’s also a great way to learn the fundamentals without pretending you need Kubernetes.

When you start caring about multi-region failover, strict compliance, or complex networking, you may move to managed services or split components (DB elsewhere, apps on the VPS, object storage, etc.). Until then, a straightforward VPS from DigitalOcean or Hetzner plus sane DNS/TLS via Cloudflare is a pragmatic, low-drama path to shipping.


Some links in this article are affiliate links. We may earn a commission at no extra cost to you if you make a purchase through them.
