HostSSH is one control plane for the whole life of a server: Files, DB, Workers and Storage on day one, the first push to production, and the 3am recovery you hope never comes — with integrity drills so you don't hope, you know the backup repo is readable.
Most tools dump a database and call it a backup. HostSSH captures the entire server — the platform brain and its master key, every database, all Docker volume data (any file type — uploads, media, SQLite, WordPress), system config and the sidecars that glue them together — into a single encrypted .hsi image.
That image is the unit of everything: restore it in place, clone it to a staging twin, or relocate it to a brand-new VPS. A deterministic IP-rewrite pass flips every public reference, while internal services ride a stable WireGuard overlay — so a moved box just works on arrival.
A backup you've never restored is a rumour. HostSSH runs scheduled integrity drills: it verifies the backup repository is readable and restorable (restic check) and rolls health into the fleet view — so you get alerted when a backup stops being trustworthy.
Full throwaway-sandbox restores with row-by-row database verify are on the roadmap. Until then, the engine proof (capture → restore across our own fleet) and integrity drills keep recovery honest.
Push a repo and HostSSH takes it to a live, TLS-terminated URL. HostPack inspects the code and builds a lean OCI image — no Dockerfile, no Nix. Docker runs it as a supervised container with health checks, secret injection and zero-downtime rollouts.
Traefikbinds your domain, issues and renews Let's Encrypt certificates, and load-balances traffic. Routes are declarative, so a relocated box re-binds them automatically — the deploy layer and the disaster-recovery layer are the same layer.
Need a target box? Queue one. HostSSH provisions fresh VPSes on Hostingertoday (with bring-your-own machines always supported), installs the base stack, and hands back a ready node — whether it's the destination of a migration or just more capacity. Hetzner, DigitalOcean, Vultr and AWS drivers expand the same queue.
The queue tracks each provision through to a healthy, reachable server, retries transient provider failures, and surfaces the result in the same fleet view as everything else.
HostSSH ships a Model Context Protocol server so an AI agent can operate the fleet in plain language: deploy a service, provision a box, kick off a backup, run a restore-drill, or migrate a server — all through the same authenticated, license-gated actions a human uses.
Because the MCP rides the real control-plane API, agents inherit the same RBAC and audit trail. No shadow path, no extra blast radius.
One click provisions a database engine beside your apps — Postgres with pgvector, MariaDB (MySQL-compatible), or Redis. Credentials are generated and sealed; apps reach them on the internal network.
Every database is included in full-server .hsi capture and restore. Per-database dump schedules and point-in-time restore are on the roadmap — today you recover the whole box (or restore the image) when you need the data back.
Named Docker volumes survive redeploys. When you capture, HostSSH snapshots the bytes inside those volumes — uploads, images, video, PDFs, SQLite, WordPress wp-content, MinIO object dirs — binary-safe, not MIME-filtered. Declare --volume name:/path so stateful apps stay in scope.
Background workers use the same HostPack → Docker path as web apps: pass a --command, skip the public proxy, keep Slot caps and sealed secrets. On-demand workers also spin from MCP (hostssh_spin_worker).
Backup storage is yours: point HostSSH at R2, S3, B2, Wasabi, MinIO, SFTP or local disk. Encrypted .hsi images land in your bucket — zero-egress restores on R2, emergency restore even if a license expires.
Need app object storage? Deploy the one-click MinIO template beside your apps. Dashboard Connections create/test is still shipping — wire the bucket via CLI today and the control plane will catch up.
Fleet Copilot diagnoses live state and proposes human-gated actions (redeploy, harden, restore). The MCP server lets agents drive the same authenticated control plane.
Hosted inference— llama.cpp, whisper, embeddings, TTS on the fleet plus ComfyUI / LTX-2 / Wan2GP on external GPU — is planned as HostSSH Apps behind an OpenAI-compatible gateway. It ships after the Coolify exit; we won't market model serving until it's real.
Features unlock per tier through ed25519 license tokens the agent verifies locally — so capabilities are enforced even offline, and an expired license never blocks an emergency restore.
The control plane keeps every agent and server in one fleet view — health, backups, deploys and drills — regardless of which provider each box lives on. One pane of glass for a multi-cloud fleet.
One command installs the agent, prompts for your license key, and unlocks Files, DB, Workers, Storage, the deploy pipeline, backup, clone, relocate & Web-SSH.
$ curl -fsSL https://get.hostssh.com | sh