Self-hosting our deploys

A Vercel-style workflow — on infrastructure we own

live, self-hosted · preview deploy

Why not Vercel, Railway, or Render?

	Self-hosted PaaS	Managed cloud
Cost	Flat VPS bill	Per-seat + bandwidth + invocations
Lock-in	Our Docker, our box	Proprietary platform
Data residency	We pick region & provider	Their regions

The building blocks

Every PaaS is the same five roles — Coolify and Dokploy just pick the tools.

Container runtime

Docker

Packages each app with its dependencies and runs it isolated from the others on one host.

Builder

Nixpacks

Turns plain source into a runnable image — no Dockerfile to write or maintain.

Reverse proxy

Traefik

One public entry point; routes each domain to its container and terminates TLS.

Control plane

Coolify / Dokploy

The orchestrator + UI that holds desired state and drives the other four.

Deploy trigger

GitHub App

Git is the interface — a push is the deploy command.

Container runtime: an image is read-only layers stacked together; a container adds a writable layer on top. Isolation comes from Linux namespaces & cgroups — apps share the kernel but not each other's filesystem, processes or network.
Builder: replaces the Dockerfile with auto-detection. Nixpacks reads the lockfile, infers the toolchain, and emits a reproducible image — the source→image contract.
Reverse proxy: Traefik is the single front door: one public IP on port 443. It looks at the hostname of each incoming request and routes it to the right container, handles all the HTTPS encryption so the apps don't have to, and automatically gets and renews free TLS certificates from Let's Encrypt.
Control plane: the brain — Coolify/Dokploy. You declare “this repo runs at this domain,” and it makes reality match and keeps it that way, restarting and reconfiguring as needed. It's the one stateful piece, so it keeps a Postgres/Redis database of everything it's managing.
Deploy trigger: git as the deploy API. Webhook on push → clone → build → swap. No separate CI to wire.

You're looking at it

🔒https://deck.dokploy.theoriekennis.com

A Next.js app in a GitHub repo, deployed on our self-hosted box — served from this URL with automatic Let's Encrypt SSL.

What's running on the box

UsersHTTPS · Let's Encrypt

↓

Hetzner VPS · Docker

Traefik — reverse proxyterminates SSL · routes by domain

↓

Next deckdemo.…

TanStack deckdemo2.…

PR previewpr-123.demo.…

PaaS control plane

coolify / dokploypostgresredis

How a push becomes a deploy

Three open pieces do the work — no Dockerfile, no CI to wire.

GitHub App

the trigger

Installed on the repo. Every push or PR fires a webhook; the PaaS clones with a short-lived token — no deploy keys or personal access tokens to manage.

Nixpacks

the build

Inspects the repo, detects pnpm from the lockfile, and builds a container image — zero-config, no Dockerfile to write or maintain. Default builder on both platforms.

Traefik

the front door

Shared reverse proxy used by both Coolify and Dokploy. Routes each domain to the right container and terminates TLS, auto-issuing & renewing Let's Encrypt certs.

git push → build → deploy → HTTPS — each step handed to one open-source piece.

Coolify vs Dokploy

Axis	Coolify	Dokploy
DX / UI	Feature-rich dashboard; 200+ one-click services	Clean, focused UI; built-in monitoring & alerting; Docker Swarm clustering
Maturity / community	~57 k GitHub stars · v4.1.2 (Jun 2026) · backed by Coollabs + sponsors	~35 k GitHub stars · v0.29.8 (Jun 2026) · community-backed; faster release cadence
License	Apache 2.0 — fully open, no resale restrictions	Source-available — some features can't be resold as a service; paid Enterprise tier

Both share Traefik, GitHub App, Nixpacks, PR previews, live logs, and web terminal — the table shows where they diverge.

Trade-offs

Trade-off	Mitigation
We own uptime, patching & backups	Managed backups; automated health checks
One box is a single point of failure	Add a second node; PaaS handles routing
No global edge CDN out of the box	Put a CDN in front (Cloudflare) when needed