features

Deploy it, protect it, move it — without lock-in.

HostSSH is one control plane for the whole life of a server: Files, DB, Workers and Storage on day one, the first push to production, and the 3am recovery you hope never comes — with integrity drills so you don't hope, you know the backup repo is readable.

capture · restore · relocate

The whole box, in one encrypted image

Most tools dump a database and call it a backup. HostSSH captures the entire server — the platform brain and its master key, every database, all Docker volume data (any file type — uploads, media, SQLite, WordPress), system config and the sidecars that glue them together — into a single encrypted .hsi image.

That image is the unit of everything: restore it in place, clone it to a staging twin, or relocate it to a brand-new VPS. A deterministic IP-rewrite pass flips every public reference, while internal services ride a stable WireGuard overlay — so a moved box just works on arrival.

  • Brain, databases, volume data (binary-safe), config & sidecars — captured together
  • Offline image, peer-to-peer transfer, or fully managed migration
  • New IP rewritten everywhere it hides; TLS re-issued, routes re-bound
restore-drills

Backups that prove themselves

A backup you've never restored is a rumour. HostSSH runs scheduled integrity drills: it verifies the backup repository is readable and restorable (restic check) and rolls health into the fleet view — so you get alerted when a backup stops being trustworthy.

Full throwaway-sandbox restores with row-by-row database verify are on the roadmap. Until then, the engine proof (capture → restore across our own fleet) and integrity drills keep recovery honest.

  • Repository integrity drills on a schedule
  • Backup-health score across the whole fleet
  • Sandbox row-verify — next; engine round-trips already proven
deploy pipeline

HostPack → Docker → Traefik

Push a repo and HostSSH takes it to a live, TLS-terminated URL. HostPack inspects the code and builds a lean OCI image — no Dockerfile, no Nix. Docker runs it as a supervised container with health checks, secret injection and zero-downtime rollouts.

Traefikbinds your domain, issues and renews Let's Encrypt certificates, and load-balances traffic. Routes are declarative, so a relocated box re-binds them automatically — the deploy layer and the disaster-recovery layer are the same layer.

  • Buildpack-style detection for Node, Python, Go, Rust, static & more
  • Versioned, reversible deploys with one-click rollback
  • Automatic HTTPS on every service, re-bound after a move
provisioning

A provisioning queue across providers

Need a target box? Queue one. HostSSH provisions fresh VPSes on Hostingertoday (with bring-your-own machines always supported), installs the base stack, and hands back a ready node — whether it's the destination of a migration or just more capacity. Hetzner, DigitalOcean, Vultr and AWS drivers expand the same queue.

The queue tracks each provision through to a healthy, reachable server, retries transient provider failures, and surfaces the result in the same fleet view as everything else.

  • One queue, many providers — or bring your own machine
  • Base stack pre-installed; node returned ready to deploy
  • Tracked to a healthy, reachable server with retries
mcp for ai agents

Your fleet, drivable by an AI agent

HostSSH ships a Model Context Protocol server so an AI agent can operate the fleet in plain language: deploy a service, provision a box, kick off a backup, run a restore-drill, or migrate a server — all through the same authenticated, license-gated actions a human uses.

Because the MCP rides the real control-plane API, agents inherit the same RBAC and audit trail. No shadow path, no extra blast radius.

  • Deploy, provision, back up & operate core fleet actions by asking
  • Same RBAC and audit log as human operators
  • One Go binary & CLI underneath it all
databases

Managed Postgres, MariaDB & Redis

One click provisions a database engine beside your apps — Postgres with pgvector, MariaDB (MySQL-compatible), or Redis. Credentials are generated and sealed; apps reach them on the internal network.

Every database is included in full-server .hsi capture and restore. Per-database dump schedules and point-in-time restore are on the roadmap — today you recover the whole box (or restore the image) when you need the data back.

  • One-click provision from the dashboard, CLI, or MCP
  • Generated creds + sealed-secret delivery to linked Apps
  • Included in whole-server capture — not a separate backup product
files · workers

Volumes that keep every file type — and workers that share the pipeline

Named Docker volumes survive redeploys. When you capture, HostSSH snapshots the bytes inside those volumes — uploads, images, video, PDFs, SQLite, WordPress wp-content, MinIO object dirs — binary-safe, not MIME-filtered. Declare --volume name:/path so stateful apps stay in scope.

Background workers use the same HostPack → Docker path as web apps: pass a --command, skip the public proxy, keep Slot caps and sealed secrets. On-demand workers also spin from MCP (hostssh_spin_worker).

  • .hsi = any file type in named volumes — not SQL dumps only
  • Workers = same pipeline, no Traefik route
  • App-level cron schedules — on the roadmap
storage

BYO backup bucket — plus MinIO for your apps

Backup storage is yours: point HostSSH at R2, S3, B2, Wasabi, MinIO, SFTP or local disk. Encrypted .hsi images land in your bucket — zero-egress restores on R2, emergency restore even if a license expires.

Need app object storage? Deploy the one-click MinIO template beside your apps. Dashboard Connections create/test is still shipping — wire the bucket via CLI today and the control plane will catch up.

  • BYO restic backend for .hsi — required to capture
  • MinIO template for S3-compatible app storage
  • Dashboard BYOK vault — completing; CLI works now
inference · ai ops

AI ops today — open-source inference next

Fleet Copilot diagnoses live state and proposes human-gated actions (redeploy, harden, restore). The MCP server lets agents drive the same authenticated control plane.

Hosted inference— llama.cpp, whisper, embeddings, TTS on the fleet plus ComfyUI / LTX-2 / Wan2GP on external GPU — is planned as HostSSH Apps behind an OpenAI-compatible gateway. It ships after the Coolify exit; we won't market model serving until it's real.

  • Copilot + MCP = AI ops on the fleet now
  • Inference = models as Apps (CPU + GPU tiers) — coming
  • Same Slot caps, sealed secrets, and volume story as every other App
license · fleet

License-gating & fleet awareness

Features unlock per tier through ed25519 license tokens the agent verifies locally — so capabilities are enforced even offline, and an expired license never blocks an emergency restore.

The control plane keeps every agent and server in one fleet view — health, backups, deploys and drills — regardless of which provider each box lives on. One pane of glass for a multi-cloud fleet.

  • Offline-verifiable, signed license tokens
  • Emergency restores always work, even expired
  • One fleet view across every provider
install in one line

Try it on any VPS.

One command installs the agent, prompts for your license key, and unlocks Files, DB, Workers, Storage, the deploy pipeline, backup, clone, relocate & Web-SSH.

$ curl -fsSL https://get.hostssh.com | sh