Cloud VPS Deployment¶
Deploy Omakase on cloud Virtual Private Servers for remote access and scalability.
Overview¶
VPS deployment provides cloud-hosted infrastructure with public accessibility.
Advantages:
- No home internet requirements
- Professional uptime/connectivity
- Easy to scale
- Global access
- No hardware maintenance

Disadvantages:
- Monthly costs
- Data transfer limits
- Privacy concerns
- Compliance considerations
Provider Selection¶
Recommended Providers¶
Hetzner Cloud:
- Excellent price/performance
- European data centers
- Fast networking
- Snapshot support
- From €4.51/month

DigitalOcean:
- Easy to use
- Good documentation
- Global locations
- From $6/month

Linode (Akamai):
- Reliable performance
- Excellent support
- Good networking
- From $5/month

Vultr:
- Many locations
- Competitive pricing
- Good performance
- From $6/month
Selection Criteria¶
Consider:
- Price: fits your budget
- Performance: adequate CPU/RAM
- Location: close to your users
- Network: bandwidth and transfer limits
- Backup: snapshot support
- Support: quality of support
Sizing¶
Small Deployment (5-10 services)¶
Specifications:
- 4 vCPU cores
- 8GB RAM
- 160GB SSD
- 4TB transfer

Cost: ~$24-36/month

Providers:
- Hetzner CPX31
- DigitalOcean Basic Droplet
- Linode 8GB
Medium Deployment (10-20 services)¶
Specifications:
- 8 vCPU cores
- 16GB RAM
- 320GB SSD
- 8TB transfer

Cost: ~$48-72/month

Providers:
- Hetzner CPX41
- DigitalOcean CPU-Optimized
- Linode 16GB
Large Deployment (20+ services)¶
Specifications:
- 16 vCPU cores
- 32GB RAM
- 640GB SSD
- 16TB transfer

Cost: ~$96-144/month

Providers:
- Hetzner CPX51
- DigitalOcean CPU-Optimized
- Linode 32GB
Initial Setup¶
1. Create VPS¶
Hetzner example:
1. Sign up at https://hetzner.cloud
2. Create a project
3. Add a server:
   - Location: Nuremberg
   - Image: Ubuntu 24.04
   - Type: CPX31
   - Volume: optional additional storage
4. Add your SSH key
5. Create the server
2. Initial Access¶
3. Basic Security¶
```bash
# Update system
apt update && apt upgrade -y

# Create user and give it the SSH key added when the server was created, so
# the new account can log in before root and password logins are disabled
adduser omakase
usermod -aG sudo omakase
install -d -m 700 -o omakase -g omakase /home/omakase/.ssh
install -m 600 -o omakase -g omakase ~/.ssh/authorized_keys /home/omakase/.ssh/authorized_keys

# Configure SSH with a drop-in file instead of sed on sshd_config: Ubuntu cloud
# images ship /etc/ssh/sshd_config.d/50-cloud-init.conf (PasswordAuthentication
# yes), and sshd keeps the first value it reads for a keyword, so the 00- prefix
# makes these settings win over both that drop-in and sshd_config itself
cat > /etc/ssh/sshd_config.d/00-hardening.conf <<'EOF'
PermitRootLogin no
PasswordAuthentication no
EOF
sshd -t && systemctl restart ssh   # validate the config before restarting
sshd -T | grep -E '^(permitrootlogin|passwordauthentication) '   # confirm the effective values

# Set up firewall
ufw default deny incoming
ufw default allow outgoing
ufw limit 22/tcp    # allow SSH but rate-limit new connections per source IP
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable

# Install fail2ban
apt install fail2ban -y
```
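A check worth running once the steps above are done, added here as an example and not part of the Omakase project: it audits the effective sshd settings (the merged output of `sshd -T`) for the two values the hardening step sets, because drop-in files under /etc/ssh/sshd_config.d/ can silently override edits to sshd_config. The `sshd -T` lines in the block are constructed samples and the function name is mine.

```bash
#!/usr/bin/env bash
# audit_sshd_effective reads `sshd -T` output on stdin (lower-case keyword,
# space, value) and returns 0 only if root login and password authentication
# are both disabled. Every violation is printed as "FAIL: <keyword>=<value>".
audit_sshd_effective() {
    local rc=0 key value
    local seen_root=0 seen_pass=0
    while read -r key value; do
        case "$key" in
            permitrootlogin)
                seen_root=1
                [ "$value" = "no" ] || { echo "FAIL: permitrootlogin=$value"; rc=1; }
                ;;
            passwordauthentication)
                seen_pass=1
                [ "$value" = "no" ] || { echo "FAIL: passwordauthentication=$value"; rc=1; }
                ;;
        esac
    done
    # A keyword absent from `sshd -T` output means the input was not sshd -T
    [ "$seen_root" = 1 ] && [ "$seen_pass" = 1 ] || { echo "FAIL: setting missing from input"; rc=1; }
    return "$rc"
}

# Constructed sample: what a fresh Ubuntu cloud image reports when only
# sshd_config was edited and the cloud-init drop-in still wins for passwords
SAMPLE_BEFORE='port 22
permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: the state the hardening step is meant to produce
SAMPLE_AFTER='port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# Stand-alone demo on the samples; on the VPS run instead:
#   sudo sshd -T | audit_sshd_effective
printf '%s\n' "$SAMPLE_BEFORE" | audit_sshd_effective || echo "before: not hardened"
printf '%s\n' "$SAMPLE_AFTER" | audit_sshd_effective && echo "after: hardened"
```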
4. Install Docker¶
```bash
# Install Docker (the convenience script also installs the compose plugin)
curl -fsSL https://get.docker.com | sh
# Note: membership of the docker group is equivalent to root on this host
usermod -aG docker omakase

# Install Docker Compose (already present after the script above; harmless to repeat)
apt install docker-compose-plugin -y

# Install the Infisical CLI from the vendor's repository setup script
curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo -E bash
apt-get update && apt-get install -y infisical
```
5. Configure Storage¶
```bash
# Optional: attach a block storage volume in the provider dashboard, then
# confirm the device name before formatting; mkfs destroys whatever is on it
lsblk
mkfs.ext4 /dev/sdb
mkdir -p /mnt/storage

# Mount by UUID rather than /dev/sdb (device names can change between boots);
# nofail keeps the server booting if the volume is ever detached
echo "UUID=$(blkid -s UUID -o value /dev/sdb) /mnt/storage ext4 defaults,noatime,nofail 0 2" >> /etc/fstab
mount -a

# Set ownership
chown -R omakase:omakase /mnt/storage
```
Deploy Omakase¶
```bash
# Switch to user
su - omakase

# Clone repository
git clone https://github.com/yourusername/omakase.git
cd omakase

# Configure environment (these exports last only for this shell session)
export DATA_DIR=/mnt/storage/omakase   # Or /home/omakase/omakase-data
export DOMAINNAME=yourdomain.com
export PUID=$(id -u)
export PGID=$(id -g)

# Configure Infisical
infisical login

# Deploy
make up
```
DNS Configuration¶
Domain Setup¶
Point domain to VPS:
Propagation takes 1-24 hours.
Cloudflare (Recommended)¶
Benefits:
- DDoS protection
- CDN
- Free SSL
- Analytics

Setup:
1. Add the domain to Cloudflare
2. Update the nameservers at your registrar
3. Add DNS records
4. Enable the proxy (orange cloud)

Caution: the Cloudflare proxy is incompatible with the Let's Encrypt HTTP challenge; use the DNS challenge instead.
SSL Certificates¶
Let's Encrypt HTTP Challenge¶
The default configuration works as long as ports 80 and 443 are reachable from the internet.
DNS Challenge (for Cloudflare proxy)¶
Update Traefik configuration:
```yaml
# Traefik static configuration (traefik.yml)
certificatesResolvers:
  letsencrypt:
    acme:
      email: ${ACME_EMAIL}
      storage: /letsencrypt/acme.json   # must be mode 600 or Traefik refuses to use it
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"

# Credentials are read from the Traefik container's environment (for example
# the compose service's environment block), not from traefik.yml.
# CF_API_KEY is the account-wide Global API Key; a scoped token passed as
# CF_DNS_API_TOKEN (Zone:DNS:Edit on the one zone) is the least-privilege option.
environment:
  CF_API_EMAIL: ${CLOUDFLARE_EMAIL}
  CF_API_KEY: ${CLOUDFLARE_API_KEY}
```
Security Hardening¶
Rate Limiting¶
Add Traefik middleware:
IP Whitelist (Optional)¶
Restrict admin services to your IP:
CrowdSec¶
Ensure CrowdSec is active and enrolled in CAPI for threat intelligence.
Backup Firewall¶
Use the provider's cloud firewall if available:
- Only allow ports 22, 80, 443
- Restrict SSH to your IP if possible
Monitoring¶
Resource Usage¶
Monitor VPS resources:
Network Transfer¶
Track bandwidth usage via provider dashboard.
Costs¶
Monitor spending:
- Check provider billing
- Watch for unexpected charges
- Set billing alerts
Backups¶
VPS Snapshots¶
Use provider snapshots:
- Hetzner: enable backup (20% additional cost)
- DigitalOcean: enable automatic backups
- Linode: enable backups
Omakase Backups¶
Use built-in Restic backup to Backblaze B2 or similar.
Configuration Backup¶
Backup Omakase configuration:
Store off-server.
Disaster Recovery¶
VPS Failure¶
- Create new VPS from snapshot
- Update DNS A records
- Verify services
Data Corruption¶
- Restore from Restic backup
- Restore from VPS snapshot
- Deploy services
Cost Optimization¶
Right-Sizing¶
Monitor resource usage:
- Downsize if underutilized
- Upgrade if constrained
Storage¶
Use object storage for backups instead of expensive block storage:
- Backblaze B2
- Wasabi
- Provider object storage
Network Transfer¶
Optimize to stay within limits:
- Compress responses
- Cache content
- Limit media streaming
Scaling¶
Vertical Scaling¶
Upgrade the VPS:
1. Shut down services
2. Resize the VPS (via the provider dashboard)
3. Restart services
Usually zero downtime.
Horizontal Scaling¶
Add additional VPS instances for specific services:
- Media server on a separate VPS
- Database on a dedicated instance
Load Balancing¶
Use provider load balancer or Cloudflare for distribution.
Provider-Specific Notes¶
Hetzner Cloud¶
- Volumes: attach additional storage via Cloud Volumes
- Snapshots: manual snapshots, no automatic backups
- IPv6: free IPv6 address included
- Network: very fast (up to 20 Gbps)
DigitalOcean¶
- Spaces: object storage for backups
- Monitoring: built-in metrics
- Firewall: Cloud Firewalls available
- 1-Click Apps: can use the Docker droplet
Linode¶
- Volumes: block storage available
- NodeBalancer: load balancer option
- Backups: automatic backup service
- Longview: free monitoring
Compliance¶
Data Privacy¶
Consider:
- GDPR (EU users)
- Data residency requirements
- The provider's privacy policy
Data Location¶
Choose the server location based on:
- User location
- Legal requirements
- Performance needs
Troubleshooting¶
High Network Usage¶
Check logs:
Identify the bandwidth-heavy service.
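Added example, not part of the original page or the Omakase project, for locating the bandwidth-heavy service: it ranks containers by the cumulative network I/O that `docker stats` reports, converting Docker's decimal unit suffixes to bytes. The `docker stats` lines below are a constructed sample and the function names are mine.

```bash
#!/usr/bin/env bash
# Rank containers by cumulative network I/O (received + sent since the
# container started). Input lines come from
#   docker stats --no-stream --format '{{.Name}} {{.NetIO}}'
# and look like "jellyfin 12.4MB / 38.7GB". Docker prints NetIO with decimal
# units (kB, MB, GB, TB), which the awk helper converts to bytes.
rank_net_io() {
    awk '
    function bytes(s,    n, u) {
        n = s + 0                      # numeric prefix, e.g. 38.7
        u = s; gsub(/[0-9.]/, "", u)   # unit suffix, e.g. GB
        if (u == "B")  return n
        if (u == "kB") return n * 1000
        if (u == "MB") return n * 1000000
        if (u == "GB") return n * 1000000000
        if (u == "TB") return n * 1000000000000
        return 0                       # unknown suffix: ignore rather than mis-rank
    }
    NF == 4 && $3 == "/" { printf "%s %.0f\n", $1, bytes($2) + bytes($4) }
    ' | sort -k2,2nr
}

# Name of the single heaviest container, handy for scripting or alerting
top_talker() {
    rank_net_io | head -n 1 | cut -d " " -f 1
}

# Constructed sample of `docker stats` output for a small Omakase host
SAMPLE_STATS='traefik 850MB / 2.1GB
jellyfin 12.4MB / 38.7GB
postgres 3.2kB / 1.1kB
crowdsec 45.6kB / 120kB'

# Stand-alone demo on the sample; on the VPS pipe real output in instead:
#   docker stats --no-stream --format '{{.Name}} {{.NetIO}}' | rank_net_io
printf '%s\n' "$SAMPLE_STATS" | rank_net_io
```

NetIO counters reset when a container restarts, so compare two readings taken some minutes apart if a long-running container dominates only because of its uptime.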
VPS Performance¶
Check:
- CPU steal time (hypervisor overhead)
- Disk I/O performance
- Network latency
Consider upgrading or changing provider.
SSH Connection Issues¶
Migration¶
Between Providers¶
- Deploy new VPS
- Set up Omakase
- Restore data from backup
- Update DNS
- Test thoroughly
- Destroy old VPS
From Home to Cloud¶
- Backup home installation
- Deploy to VPS
- Restore backup
- Update DNS
- Test access
Best Practices¶
- Enable automatic backups: worth the cost
- Use the cloud firewall: an additional security layer
- Monitor costs: set billing alerts
- Take regular snapshots: before major changes
- Keep DNS TTL low: easier migration
- Document IP addresses: needed for firewall rules
- Use object storage: for large backups
- Monitor bandwidth: avoid overage charges