.png)
1 month ago
2
I set up my own VPS, documented every step, and ended up with a repeatable deployment pipeline. This is both a checklist for my future self and a guide for anyone curious about self-hosting. Along the way I'll explain why I picked Hetzner and Coolify, and how they compare with other options like DigitalOcean, AWS, Render, or Fly.io.
This comprehensive checklist covers every essential step for setting up a secure, production-ready VPS. Each section includes commands, verification steps, and troubleshooting tips based on real-world experience.
Pre-Setup Checklist
Before You Begin:
- Choose your VPS provider (Hetzner recommended for price/performance)
- Select server specifications (minimum 1GB RAM, 20GB storage)
- Note down server IP address and root credentials
- Prepare your local machine with SSH client
- Have a strong password generator ready
Picking the VPS provider
- Chose Hetzner Cloud (cheap, fast, reliable in Europe)
- Alternatives I considered:
- DigitalOcean → smoother onboarding, great docs, slightly more expensive
- AWS Lightsail → decent for small apps, but tied to AWS ecosystem (complex for beginners)
- Linode → reliable, but Hetzner wins on price/performance
- Render/Fly.io → easier PaaS, but more opinionated and costly at scale
Why Hetzner?
- 2–3x cheaper for the same specs compared to DO/AWS
- Strong European datacenter presence (latency advantage for my use case)
- Transparent pricing and no surprise bills
Initial Server Setup Checklist
First Login and System Updates
- Initial login as root
- Update package lists and upgrade system
apt update && apt upgrade -y
- Verify system information
uname -a cat /etc/os-release
Root Account Security
- Change root password
- Create secondary user account
- Add user to sudo group
usermod -aG sudo your-username
- Verify user groups
- Test sudo access
su - your-username sudo whoami
SSH Key Authentication Setup
- Generate SSH keys on LOCAL machine (not server)
#### Ed25519 (recommended) ssh-keygen -t ed25519 -C "[email protected]" ##### Or RSA if Ed25519 not supported ssh-keygen -t rsa -b 4096 -C "[email protected]"
- Display public key on local machine
cat ~/.ssh/id_ed25519.pub #### or cat ~/.ssh/id_rsa.pub
- Copy public key to clipboard
- Create .ssh directory on server (as your user, not root)
mkdir -p ~/.ssh chmod 700 ~/.ssh
- Create authorized_keys file
nano ~/.ssh/authorized_keys
- Set correct permissions
chmod 600 ~/.ssh/authorized_keys
- Test SSH key login (from local machine)
ssh your-username@your-server-ip
Disable Password Authentication
- Edit SSH configuration
sudo nano /etc/ssh/sshd_config
- Modify these settings:
PasswordAuthentication no PubkeyAuthentication yes
- Check cloud-init config if exists
sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf
- Test SSH configuration
- Restart SSH service
sudo systemctl restart ssh #### or sudo service ssh restart
- Verify service status
sudo systemctl status ssh
Disable Root Login
- Edit SSH configuration
sudo nano /etc/ssh/sshd_config
- Change root login setting
- Restart SSH service
sudo systemctl restart ssh
- Test root login is blocked (from another terminal)
Firewall Configuration Checklist
UFW (Uncomplicated Firewall) Setup
- Check UFW status
- Set default policies
sudo ufw default deny incoming sudo ufw default allow outgoing
- Allow SSH before enabling firewall
sudo ufw allow ssh #### or if you changed SSH port: sudo ufw allow 2022/tcp
- Allow HTTP and HTTPS for web apps
sudo ufw allow 80/tcp sudo ufw allow 443/tcp
- Enable firewall
- Verify firewall rules
Advanced Firewall Configuration
- Restrict SSH to your IP (optional but recommended)
sudo ufw allow from YOUR_IP_ADDRESS to any port 22 sudo ufw delete allow ssh
- Change default SSH port (optional security through obscurity)
sudo nano /etc/ssh/sshd_config
Automatic Updates Setup Checklist
Unattended Upgrades Configuration
- Install unattended-upgrades
sudo apt install unattended-upgrades apt-listchanges
- Enable automatic updates
sudo dpkg-reconfigure unattended-upgrades
- Configure update settings
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
- Uncomment security updates line
"${distro_id}:${distro_codename}-security";
- Configure email notifications (optional)
Unattended-Upgrade::Mail "[email protected]";
- Enable automatic reboots if needed
Unattended-Upgrade::Automatic-Reboot "true"; Unattended-Upgrade::Automatic-Reboot-Time "02:00";
- Test configuration
sudo unattended-upgrades --dry-run
- Check service status
sudo systemctl status unattended-upgrades
Production Application Deployment Checklist
Node.js Production Setup
- Install Node.js LTS
curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash - sudo apt-get install -y nodejs
- Verify installation
node --version npm --version
- Install PM2 globally
- Upload your application files
scp -r ./your-app your-username@your-server-ip:~/
- Install dependencies
cd ~/your-app npm install --production
- Create production build
Process Manager Configuration
- Start application with PM2
NODE_ENV=production pm2 start app.js --name "your-app"
- Configure PM2 for clustering (optional)
pm2 start app.js -i max --name "your-app-cluster"
- Save PM2 configuration
- Enable PM2 startup
pm2 startup #### Run the command it outputs
- Test application restart
pm2 restart all pm2 status
Reverse Proxy Setup (Nginx)
- Install Nginx
- Create site configuration
sudo nano /etc/nginx/sites-available/your-app
- Basic Nginx configuration
server { listen 80; server_name your-domain.com; location / { proxy_pass http://localhost:3000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_cache_bypass $http_upgrade; } }
- Enable site
sudo ln -s /etc/nginx/sites-available/your-app /etc/nginx/sites-enabled/
- Test Nginx configuration
- Restart Nginx
sudo systemctl restart nginx
SSL Certificate Setup Checklist
Let's Encrypt with Certbot
- Install Certbot
sudo apt install certbot python3-certbot-nginx
- Obtain SSL certificate
sudo certbot --nginx -d your-domain.com
- Test automatic renewal
sudo certbot renew --dry-run
- Verify SSL grade
- Visit: https://www.ssllabs.com/ssltest/
- Should get A or A+ rating
Monitoring and Maintenance Checklist
Basic Monitoring Setup
- Install monitoring tools
sudo apt install htop iotop netstat-nat
- Check system resources
- Monitor logs
sudo tail -f /var/log/syslog sudo tail -f /var/log/auth.log
- Set up log rotation
sudo nano /etc/logrotate.d/your-app
Backup Strategy
- Create backup script
- Sample backup script
#!/bin/bash DATE=$(date +%Y%m%d_%H%M%S) tar -czf ~/backups/app_backup_$DATE.tar.gz ~/your-app #### Add database backup commands if needed
- Make script executable
- Set up automated backups
Troubleshooting Checklist
Common Issues and Solutions
SSH Connection Problems:
- Check firewall rules: sudo ufw status
- Verify SSH service: sudo systemctl status ssh
- Check SSH logs: sudo tail -f /var/log/auth.log
- Test from different network
Permission Denied Errors:
- Check file permissions: ls -la
- Verify user groups: groups username
- Check sudo configuration: sudo -l
Service Not Starting:
- Check service status: sudo systemctl status service-name
- View service logs: sudo journalctl -u service-name
- Check configuration files syntax
High Resource Usage:
- Identify processes: htop
- Check disk usage: df -h
- Monitor network: netstat -tulpn
- Review application logs
Final Verification Checklist
Security Verification
- Test SSH key authentication works
- Verify password authentication is disabled
- Confirm root login is blocked
- Check firewall is active and configured
- Verify automatic updates are working
- Test application runs in production mode
- Confirm SSL certificate is valid
- Verify backups are being created
Performance Testing
- Run basic load test
#### Install Apache Bench sudo apt install apache2-utils #### Test with 100 requests, 10 concurrent ab -n 100 -c 10 http://your-domain.com/
- Monitor resource usage during load
- Check application logs for errors
Quick Reference Commands
System Information:
htop # System monitor df -h # Disk usage free -h # Memory usage uname -a # System info
Process Management:
pm2 status # PM2 process status pm2 restart all # Restart all processes pm2 logs # View logs pm2 monit # Real-time monitoring
Security:
sudo ufw status # Firewall status sudo fail2ban-client status # Fail2ban status sudo lynis audit system # Security audit
Services:
sudo systemctl status nginx # Service status sudo systemctl restart nginx # Restart service sudo journalctl -u nginx # Service logs
Final thoughts
This checklist provides a complete approach to VPS setup and management. This isn’t just about saving money. It’s about control and understanding. By self-hosting with Hetzner + Coolify, I built muscle memory for devops that paid off in confidence and freedom.
If you’ve been meaning to try VPS hosting, consider this a nudge.
