# Production Hetzner VPS for Under $6/Month: The Exact Bootstrap Script

## Why Hetzner CX22 (€3.79/mo)
Genuinely cheap enough to run for 26 months without financial pressure.

## What the Bootstrap Script Does
1. Install Docker, Nginx, certbot, ufw, htop, fail2ban
2. UFW: default deny incoming, allow only ports 22, 80, 443 (the allow rules go in before `ufw enable`, otherwise the SSH session running the script is the first thing cut off)
3. Disable password SSH auth — key-only from this point (install the key first, run `sshd -t`, and confirm key login works from a second terminal before closing the current one)
4. Create a non-root `deploy` user in the Docker group (membership in `docker` is root-equivalent on the host, so `deploy` is a privileged account even though it is not root)

## Three Things It Forced Me to Actually Learn

**systemd service units.** Writing a health-check service with `Restart=on-failure` and `WantedBy=multi-user.target` taught me more than any tutorial.
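The kind of unit the paragraph describes, written out as an added example (not the author's unit): a long-running checker that polls the app and exits non-zero when it is unhealthy, so `Restart=on-failure` restarts it and the journal records every failure. The endpoint `http://127.0.0.1/healthz`, the script path and the unit name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a health-check service with Restart=on-failure.
# Assumed: the app answers http://127.0.0.1/healthz; paths and unit name are illustrative.
set -eu

SCRIPT_PATH=/usr/local/bin/nexus-healthcheck
UNIT_PATH=/etc/systemd/system/nexus-healthcheck.service

# The checker itself: exits 1 on a failed probe so systemd sees a failure, not a quiet loop.
healthcheck_script() {
  cat <<'EOF'
#!/usr/bin/env bash
set -eu
URL="${HEALTH_URL:-http://127.0.0.1/healthz}"
while :; do
  curl -fsS --max-time 5 "$URL" >/dev/null || { echo "health check failed for $URL" >&2; exit 1; }
  sleep 60
done
EOF
}

# The unit: restart after failure, never give up, and run with no privileges it does not need.
healthcheck_unit() {
  cat <<EOF
[Unit]
Description=Nexus health check (added example)
After=network-online.target docker.service
Wants=network-online.target
StartLimitIntervalSec=0

[Service]
Type=simple
ExecStart=$SCRIPT_PATH
Restart=on-failure
RestartSec=30s
DynamicUser=yes
NoNewPrivileges=yes
ProtectSystem=strict
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

install_healthcheck() {
  healthcheck_script > "$SCRIPT_PATH"
  chmod 755 "$SCRIPT_PATH"
  healthcheck_unit > "$UNIT_PATH"
  systemctl daemon-reload
  systemctl enable --now nexus-healthcheck.service
}

# Only write to the system when asked; the functions above can be inspected or tested as-is.
if [ "${1:-}" = "--install" ]; then install_healthcheck; fi
```

After `--install`, `journalctl -u nexus-healthcheck` shows each failed probe and `systemctl status nexus-healthcheck` shows how many times systemd has restarted it; `WantedBy=multi-user.target` is what makes `systemctl enable` start it at boot.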

**UFW is not just an on/off switch.** `ufw allow from VPC_CIDR to any port 5432` instead of `ufw allow 5432` is the difference between a database reachable only from the private network and one exposed to every scanner on the internet. One caveat: ports that Docker publishes (`-p 5432:5432`) go through Docker's own iptables chains and are not filtered by UFW's rules, so bind them to `127.0.0.1` or the private address in Compose unless they are meant to be public.

**fail2ban saves you from yourself.** A fresh VPS with SSH open will see 40–80 bot login attempts in the first 6 hours.

## The Nexus Connection
This VPS now serves ambooka.dev. Every Nexus phase adds a new Docker Compose service to this same server. The GitHub Actions deploy job SSHes in and runs `docker compose pull && docker compose up -d`.

*Script at `nexus/infrastructure/vps/vps_bootstrap.sh`*