Serve Plausible Analytics on the least expensive IONOS VPS tier running Debian 13. This should work for any Debian VPS with 2GB of RAM. Runs sensible security settings such as unattended upgrades and Fail2Ban. Enable SSH hardening by hand. Secrets are generated locally with openssl — no external vault.
Template repo — replace the placeholders before deploying.
- Host + secrets in one step: run
scripts/configure.sh— it prompts for your Plausible host and Caddy email, generates the runtime secrets withopenssl, and writes.env. The host flows through a singleDOMAINvalue, so nothing is hand-edited. Re-running preserves the existing secrets.stats.yourdomain.example→ your Plausible host (only if you configure by hand instead of the wizard)- Prefer to do it by hand? Copy
env.exampleto.envand fill in the blanks; the file lists theopensslrecipe for each secret.Real secrets never live in git:
.envis generated locally and is gitignored. SeeDEPLOY.mdfor the full walkthrough.
A direct-exposure, single-VPS Plausible stack for self-hosting Plausible Analytics behind Caddy with automatic HTTPS. Caddy is the only service with published ports (80/443); the databases sit on an internal-only Docker network.
Browser → Caddy → Plausible (stats.yourdomain.example)
Caddy → Let's Encrypt (HTTP-01) certificate issuance
In practice this 2 GB tier runs comfortably tracking two sites. Upstream warns
that city-level MaxMind geo wants ~1 GB more RAM, but in practice it has run fine
here too, backed by the swapfile bootstrap creates. City-level geo is optional —
see the MAXMIND_* notes in env.example.
Provision these on the VPS before you start — the repo does not install Docker or create the login user:
- Docker (with Compose v2) and
gitinstalled - A non-root user with
sudo+ Docker access whose SSH key logs in. Docs useadminas the example username — substitute your own.
See DEPLOY.md for the full walkthrough. In brief:
- Configure host + secrets:
scripts/configure.sh(prompts for host and Caddy email, generates secrets withopenssl, and writes.env). Or copyenv.exampleto.envand fill it in by hand. - Bootstrap the host (Debian 13 VPS):
scripts/bootstrap-plausible-stack.sh - Harden the host:
scripts/harden-host.sh(plus SSH perdocs/ssh-hardening.md) - Deploy:
scripts/deploy-services.sh - Smoke test:
curl -I https://<your-host>
- DEPLOY.md — full deploy walkthrough for a fresh VPS
- docs/add-a-site.md — add another site to an existing instance (including the first-party proxy variants)
compose.yml— every service, network, and volumeCaddyfile— routing, automatic HTTP-01 TLSenv.example— reference schema for the runtime.envscripts/— bootstrap, deploy, hardening, and setup helpersclickhouse/— upstream low-resource configs (fetched by bootstrap; gitignored)docs/— checklist, SSH-hardening guide, and reasoning guardrailsCHANGES.md— recorded decisions and their revisit triggersAGENTS.md/CLAUDE.md— agent behavior rules for this repo
MIT — see LICENSE.