Self-Host Archon v3 on Hetzner VPS with Docker
Provision Hetzner VPS, apply cloud-init YAML for auto-setup of Archon v3 with Caddy HTTPS reverse proxy, Postgres DB, then configure .env secrets and optional form auth for secure 24/7 access via subdomain.
Automate VPS Provisioning for One-Click Archon Deployment
Hetzner VPS (CX11 at €2.50/month, pay-per-hour) handles Archon v3 basics: Caddy for HTTPS/Let's Encrypt, Postgres DB, Docker stack. Create a firewall that opens ports 22 (SSH), 80 (HTTP) and 443 (HTTPS). Use the pre-built cloud-init.yaml from tasklist.smartcode.diy/list/archon-v3-cloud-setup: it runs apt upgrade, installs Docker/Compose, clones the Archon repo (github.com/coleam00/Archon), copies .env.example and Caddyfile.example, and creates the 'archon' user. Paste the YAML into the Hetzner server create dialog (Ubuntu 22.04, SSH keys, Nuremberg location). The server boots in minutes; monitor progress with cloud-init status --long or watch cloud-init status. SSH in as root (e.g., via MobaXterm with Pageant keys), run su - archon, and verify that /opt/archon exists. Trade-off: this is a basic setup, not production-hardened; add a WAF (Hetzner), IP whitelisting, or a VPN.
Point subdomain (e.g., archon.yourdomain.com) A record to VPS public IP. Verify propagation: dig archon.yourdomain.com or nslookup. DNS resolves in seconds on United Domains.
Secure .env with Tokens and Domain for Production Access
Edit /opt/archon/.env minimally:
- GLOBAL_AUTH=false (initially; enable later).
- CLOUD_OAUTH_TOKEN: Run npx @11ty/eleventy@latest --cloud-token on local machine.
- GH_TOKEN or GITHUB_TOKEN: GitHub Settings > Developer Settings > Personal Access Tokens (Classic) > Generate new (repo scope, no expiration for testing).
- DOMAIN=archon.yourdomain.com (line ~126).
Optional integrations (Telegram/Slack) are covered in Rasmus's video. Start the stack: docker compose --profile db,cloud,auth up -d. Check: docker compose ps (all healthy), curl https://archon.yourdomain.com/health (returns OK), and the browser loads the Web UI with auto-SSL. This exposes the endpoints 24/7.
Add Form-Based Auth and Lock Down Access
Generate bcrypt hash: htpasswd -bnBC 10 "" yourpass | tr -d ':\n' (e.g., username 'archon', pass 'archon'). Hex secret: openssl rand -hex 32. Add to .env (line ~145):
AUTH_USER=archon
AUTH_PASS=$2y$10$92ixRDXWuX[hash]
AUTH_COOKIE_SECRET=yourhexsecret
Replace the Caddyfile with the tasklist version (it uncomments the form auth reverse_proxy). Restart: docker compose --profile db,cloud,auth up -d --force-recreate auth (first time) or --force-recreate caddy later. Logs: docker compose logs caddy. Test in an incognito window: the login screen blocks unauthenticated access.
Extra security: Hetzner WAF + static IP/VPN whitelist. Blocks public access effectively.
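A pre-restart check for the form-auth values above, as an added example that is not part of the original page or the Archon project: it confirms AUTH_PASS is a complete bcrypt hash, AUTH_COOKIE_SECRET has the length openssl rand -hex 32 produces, DOMAIN is no longer the placeholder, and .env is not readable by other users. The function names and the chmod 600 expectation are assumptions.

```shell
#!/usr/bin/env bash
# Added example: lint the form-auth settings in an Archon .env before restarting.
# Variable names come from the page; function names and thresholds are assumptions.

env_get() {  # env_get FILE KEY -> last assigned value, surrounding quotes stripped
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

check_archon_env() {  # prints one line per finding; returns the number of findings
  local f="$1" bad=0 user pass secret domain cost
  fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

  # Group/other must have no access: the file holds tokens and the cookie secret.
  [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || fail "$f is accessible to group/other (chmod 600)"

  user=$(env_get "$f" AUTH_USER)
  pass=$(env_get "$f" AUTH_PASS)
  secret=$(env_get "$f" AUTH_COOKIE_SECRET)
  domain=$(env_get "$f" DOMAIN)

  [ -n "$user" ] || fail "AUTH_USER is empty"

  # htpasswd -B output: $2y$<cost>$ then 53 chars of salt+digest (60 chars total).
  if printf '%s' "$pass" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
    cost=$(printf '%s' "$pass" | cut -d'$' -f3)
    [ "${cost#0}" -ge 10 ] || fail "AUTH_PASS bcrypt cost $cost is below 10"
  else
    fail "AUTH_PASS is not a complete bcrypt hash (placeholder, truncated or plaintext?)"
  fi

  # openssl rand -hex 32 yields exactly 64 hex characters.
  printf '%s' "$secret" | grep -Eq '^[0-9a-fA-F]{64}$' \
    || fail "AUTH_COOKIE_SECRET is not 64 hex characters"

  case "$domain" in
    ""|*yourdomain.com) fail "DOMAIN is unset or still the tutorial placeholder" ;;
  esac

  return "$bad"
}

# Usage on the server, as the archon user: check_archon_env /opt/archon/.env
```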
Update, Restart, and Stop Without Downtime
Maintenance via archon user:
- Update: git pull && docker compose --profile db,cloud,auth down && docker compose --profile db,cloud,auth up --build -d.
- Restart: docker compose --profile db,cloud,auth restart.
- Stop: docker compose --profile db,cloud,auth down (includes DB/Caddy).
Cloud-init skips manual steps (Option B in tasklist). External DB (Supabase/Neon): Set DATABASE_URL in .env, omit 'db' profile. Full docs: archon.diy/book. Scales for testing; monitor costs (delete VPS post-test saves €€€).