bunkr

Harden a VPS and deploy apps in one command

Go · Docker · Caddy · Tailscale · SSH

the problem

every time you spin up a fresh VPS, it's the same ritual. disable root login, set up a firewall, configure fail2ban, install docker, set up a reverse proxy, deal with SSL certs. it takes an hour if you remember the steps, longer if you don't.

what happens when you run bunkr init

  1. connects to your fresh VPS over SSH
  2. locks down SSH: disables root login and password auth, switches to key-only
  3. sets up UFW firewall, fail2ban, kernel hardening, swap, unattended upgrades
  4. creates a non-root user and transfers your SSH keys
  5. reconnects as the new user (bunkr detects the hardened state automatically)
  6. installs docker and sets up caddy as a reverse proxy with automatic HTTPS

after that, bunkr deploy uptime-kuma pulls the app, configures the container, and wires it up to caddy. live with HTTPS in under a minute.
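to check the SSH state from step 2 on a server yourself, here is an added example (not bunkr's own code) that audits the text of an sshd_config against those three settings. the names auditSSHD and rules are hypothetical, Include files are not followed, and once a Match block starts every later line is treated as conditional.

```go
package main

import (
	"fmt"
	"strings"
)

// rules: keyword, value expected after hardening, sshd's default when absent.
var rules = [][3]string{
	{"permitrootlogin", "no", "prohibit-password"},
	{"passwordauthentication", "no", "yes"},
	{"pubkeyauthentication", "yes", "yes"},
}

// auditSSHD reports every setting that differs from the hardened state.
// sshd keeps the first value it reads for a keyword, so later duplicates are
// ignored. A weakening override inside a Match block is its own finding.
func auditSSHD(config string) (findings []string) {
	global, inMatch := map[string]string{}, false
	for _, line := range strings.Split(config, "\n") {
		// Pad so f[0] and f[1] always exist; "#..." never matches a keyword.
		f := append(strings.Fields(strings.ToLower(line)), "", "")
		key, val := f[0], f[1]
		inMatch = inMatch || key == "match"
		for _, r := range rules {
			if key == r[0] && inMatch && val != r[1] {
				findings = append(findings, "match block sets "+key+" "+val)
			} else if _, dup := global[key]; key == r[0] && !inMatch && !dup {
				global[key] = val
			}
		}
	}
	for _, r := range rules {
		val, ok := global[r[0]]
		if !ok {
			val = r[2] // keyword absent: sshd falls back to its default
		}
		if val != r[1] {
			findings = append(findings, fmt.Sprintf("%s is %s, want %s", r[0], val, r[1]))
		}
	}
	return findings
}

func main() {
	// Constructed sample: a duplicate keyword and a Match override.
	sample := "PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication no\n" +
		"Match User deploy\n  PasswordAuthentication yes\n"
	fmt.Println(strings.Join(auditSSHD(sample), "\n"))
}
```

an empty result means the file matches the key-only state; on a real host, `sshd -T` prints the effective configuration including Include files.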

public vs private apps

not everything should be on the public internet. bunkr integrates with tailscale. apps can be deployed as public (caddy handles HTTPS) or private (only accessible over your tailnet). same deploy command, just a flag.

the app catalog

ships with support for uptime kuma, ghost, plausible, and openclaw. adding a new app is just a config file: docker image, ports, env vars, and whether it's public or private.
