Sidekick: Building Your Own $8 PaaS with Zero-Downtime Deploys
Hook
You’re probably overpaying for platform hosting. An $8 DigitalOcean droplet can handle more traffic than most side projects will ever see—if you can make deployment as painless as running sidekick deploy.
Context
The PaaS landscape has become crowded with Heroku replacements, each promising simplicity while locking you into their ecosystem at $20-50/month per project. Fly.io stands out for developer experience, but costs scale quickly once you leave the hobby tier. Meanwhile, VPS providers like DigitalOcean and Hetzner offer powerful instances for $6-12/month, yet most developers avoid them because manual deployment involves SSH orchestration, reverse proxy configuration, SSL certificate management, secrets handling, and zero-downtime deployment logic.
Sidekick bridges this gap by automating the entire workflow. Created by a developer tired of complexity in hosting side projects, it transforms bare Ubuntu servers into production platforms that feel like modern PaaS solutions. The tool runs locally on your machine, connects to your VPS via SSH, and handles everything from initial hardening to zero-downtime deployments. You get vendor independence, infrastructure ownership, and dramatically lower costs while maintaining the deployment velocity of premium platforms.
Technical Insight
Sidekick’s architecture is deceptively simple: a Go CLI that orchestrates remote operations through SSH while keeping Docker image builds local. This design decision is critical—instead of consuming VPS resources for compilation, your development machine does the heavy lifting, then Sidekick transfers the built image directly to the server.
The initialization process reveals thoughtful security defaults. Running sidekick init connects as root, creates a dedicated sidekick user with sudo privileges, then immediately disables root SSH access. It installs Docker, Traefik (for reverse proxying and automatic SSL via Let’s Encrypt), age (for encryption), and SOPS (Mozilla’s Secrets OPerationS tool). The system generates age keypairs and transfers the public key back to your local machine for encrypting secrets before they ever touch the wire:
sidekick init
# Enter VPS IP: 138.197.123.45
# Enter email for SSL: dev@example.com
#
# ✓ Connected to VPS as root
# ✓ Created sidekick user
# ✓ Disabled root login
# ✓ Installed Docker and Traefik
# ✓ Generated age keypair
# ✓ VPS ready for deployments
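A way to verify the "Disabled root login" step from your own side, as an added example that is not Sidekick's code and makes no claim about how Sidekick edits the file. It applies OpenSSH's first-occurrence-wins rule to the global section of an sshd_config, which is why a `PermitRootLogin no` appended below an earlier `yes` has no effect. Assumptions: the function names are hypothetical, the sample configs are constructed, and the input is the config text with any Include files already concatenated in order.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// effectiveGlobal returns the value sshd would use for keyword in the global
// section: keywords are case-insensitive, the first occurrence wins, and the
// global section ends at the first Match block.
func effectiveGlobal(config, keyword string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		// sshd accepts "Keyword value" and "Keyword=value".
		fields := strings.Fields(strings.ReplaceAll(sc.Text(), "=", " "))
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		if strings.EqualFold(fields[0], "Match") {
			break // settings below this line are conditional, not global
		}
		if strings.EqualFold(fields[0], keyword) && len(fields) > 1 {
			return strings.ToLower(fields[1]), true
		}
	}
	return "", false
}

// rootLoginDisabled is true only for an explicit, effective "no". An unset
// keyword fails the check because the OpenSSH default ("prohibit-password")
// still lets root log in with a key.
func rootLoginDisabled(config string) bool {
	v, ok := effectiveGlobal(config, "PermitRootLogin")
	return ok && v == "no"
}

// Constructed sample configs, not taken from a Sidekick-provisioned server.
const hardened = "# managed\nPermitRootLogin no\nPasswordAuthentication no\n"
const shadowed = "PermitRootLogin yes\nPasswordAuthentication no\n# appended later:\nPermitRootLogin no\n"

func main() {
	fmt.Println("hardened:", rootLoginDisabled(hardened))
	fmt.Println("shadowed:", rootLoginDisabled(shadowed))
}
```

On the server itself, `sshd -T` prints the fully resolved configuration and is the authoritative cross-check.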
Deployment orchestration leverages Docker Compose with Traefik labels for routing. When you run sidekick launch, the tool builds your Dockerfile locally for Linux, then transfers the image to the VPS and loads it into the remote Docker daemon. If you have a .env file, Sidekick encrypts it locally using SOPS and the VPS’s age public key before transfer. On the server, it decrypts the secrets at runtime, injecting them into the container environment.
The zero-downtime deployment strategy appears to use container orchestration through Traefik’s dynamic configuration. Each deployment creates a new container while the old one continues serving traffic. Traefik detects the new container through its configuration, then switches routing once the new instance is running. Only after successful cutover does Sidekick remove the previous container:
sidekick deploy
# Building Docker image...
# ✓ Image built
# Transferring to VPS...
# ✓ Image transferred
# Starting new container...
# ✓ New container running
# ✓ Traefik routing updated
# ✓ Old container removed
#
# Live at: https://myapp.138.197.123.45.sslip.io
The sslip.io integration is particularly clever for development workflows. This free DNS service resolves anything.IP.sslip.io to IP, giving you instant wildcard DNS without configuration. Traefik requests Let’s Encrypt certificates automatically, so even throwaway deployments get proper HTTPS. For production, you simply point your own domain’s A record to the VPS IP and specify it during launch—Traefik handles certificate provisioning identically.
Sidekick also supports preview environments based on git commit hashes. Running sidekick deploy preview creates a new deployment tagged with your commit’s short hash and makes it accessible on a hash-based subdomain. This enables branch-based testing workflows similar to modern PaaS platforms, with multiple environments running alongside each other on the same VPS through Traefik’s host-based routing.
The secrets management via SOPS deserves emphasis. The tool encrypts .env files locally before transfer, keeping encrypted versions that are safe to commit to version control. The age private key never leaves the VPS, and decryption happens during container startup. This gives you GitOps-style version control for secrets without the operational overhead of external secret management systems.
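Because the encrypted .env is the copy that gets committed, a pre-commit check that it really is encrypted is worth having. The following is an added example, not part of Sidekick: it assumes the SOPS dotenv layout, in which every value is wrapped as `ENC[AES256_GCM,...]` and metadata lives in `sops_`-prefixed keys. The function names are hypothetical, the sample files are constructed with placeholder ciphertext, and the check is structural only (it does not validate the ciphertext or the MAC).

```go
package main

import (
	"fmt"
	"strings"
)

// plaintextKeys returns the variables whose values are not wrapped in a SOPS
// ENC[...] envelope. Keys prefixed "sops_" hold SOPS metadata and are skipped;
// sawMeta reports whether any such metadata was present.
func plaintextKeys(dotenv string) (leaks []string, sawMeta bool) {
	for _, line := range strings.Split(dotenv, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, found := strings.Cut(line, "=")
		key = strings.TrimSpace(strings.TrimPrefix(key, "export "))
		if strings.HasPrefix(key, "sops_") {
			sawMeta = true
			continue
		}
		val = strings.TrimSpace(val)
		wrapped := strings.HasPrefix(val, "ENC[AES256_GCM,") && strings.HasSuffix(val, "]")
		if !found || !wrapped {
			leaks = append(leaks, key)
		}
	}
	return leaks, sawMeta
}

// safeToCommit requires SOPS metadata and zero plaintext values, so a file
// that was never encrypted or only partly encrypted is rejected.
func safeToCommit(dotenv string) bool {
	leaks, sawMeta := plaintextKeys(dotenv)
	return sawMeta && len(leaks) == 0
}

// Constructed samples; ciphertext fields are placeholders, not real SOPS output.
const enc = "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]"
const meta = "sops_version=0.0.0-placeholder\nsops_mac=" + enc + "\n"
const encrypted = "DATABASE_URL=" + enc + "\n" + meta
const partial = "DATABASE_URL=" + enc + "\nAPI_TOKEN=example-not-a-real-token\n" + meta

func main() {
	fmt.Println("encrypted:", safeToCommit(encrypted))
	leaks, _ := plaintextKeys(partial)
	fmt.Println("partial:", safeToCommit(partial), leaks)
}
```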
Gotcha
Sidekick’s platform constraints are significant. The tool requires Homebrew for local installation because it uses brew install sops during setup, which effectively limits practical usage to macOS unless you manually install dependencies. This is a surprising limitation for a Go application that should theoretically cross-compile everywhere.
On the server side, only Ubuntu LTS is supported. The initialization scripts assume apt package management, systemd service management, and Ubuntu-specific paths. If you’re running Debian, Fedora, or Alpine on your VPS, you’ll need to fork and adapt the provisioning logic. Additionally, Sidekick assumes a single-VPS architecture. There’s no built-in support for multi-region deployments, database replication, or spreading load across multiple servers. You’re trading PaaS convenience for infrastructure simplicity, which means you’ll hit scaling walls faster than on platforms with managed load balancers and global edge networks.
The build-locally-transfer-remotely approach has tradeoffs. It saves VPS CPU and memory, but if you’re on slow internet, transferring large Docker images becomes painful. There’s no image registry caching or incremental layer transfer mentioned in the documentation—the tool appears to upload full images on each deployment. For teams, this means every developer needs the full build environment locally; you can’t lean on CI runners with pre-cached dependencies. The tool also lacks explicit rollback primitives in the documentation. If a deployment breaks production, you’d need to manually intervene or run another deployment with reverted code.
Verdict
Use Sidekick if you’re bootstrapping side projects or small production apps where cost efficiency trumps enterprise features. It’s perfect for indie hackers running 5-10 services on a single VPS who want Fly.io-style DX without the monthly bill. The automatic SSL, encrypted secrets, and zero-downtime deploys give you 80% of PaaS value at 10% of the cost. You’ll especially appreciate it if you’re already comfortable with SSH and Docker but hate stitching together deployment scripts. Skip it if you need multi-region high availability, require team collaboration features like RBAC or audit logs, or want managed databases and observability integrations. For those scenarios, pay for Fly.io, Railway, or Render—the operational maturity justifies the premium. Also consider alternatives if you’re on a non-macOS development machine (until platform support expands), or if you need sophisticated traffic management and deployment strategies beyond the zero-downtime deployments Sidekick provides.