Sidekick: The Anti-PaaS That Turns Your $5 VPS Into a Deployment Platform

Hook

A single developer built a tool that replicates 80% of Heroku's functionality with three CLI commands and a $5 DigitalOcean droplet. No Kubernetes. No registry. No $25/month dyno fees.

Context

The modern deployment landscape presents developers with an uncomfortable choice: either pay $20-100+ monthly for PaaS convenience (Heroku, Render, Fly.io), or dive deep into Kubernetes, Terraform, and infrastructure-as-code complexity. Solo developers and bootstrapped startups feel this squeeze most acutely—they need production-grade deployments with SSL, zero-downtime updates, and secret management, but can't justify enterprise tooling or PaaS costs for side projects generating zero revenue.

Sidekick emerged from this frustration. Rather than abstracting infrastructure into a complex platform, it takes the opposite approach: it's an opinionated orchestrator that chains together proven open-source tools (Docker, Traefik, SOPS, Age encryption) via SSH. The philosophy is radical simplicity—assume you have one Ubuntu VPS and one application, then automate everything between bare metal and production-ready. No web dashboards. No agents. No clusters. Just a CLI that does the boring work of configuring reverse proxies, SSL certificates, secret encryption, and container orchestration.

Technical Insight

[Figure: System architecture (auto-generated). Diagram nodes: Sidekick CLI, Local Docker Build, sidekick.yml + Age Keys, SSH Provisioner, Docker Daemon, Traefik Proxy, SOPS/Age Secrets, docker-compose Stack, Docker Tarball, Let's Encrypt.]

Sidekick's architecture reveals why it punches above its weight. When you run sidekick init, it generates a sidekick.yml configuration that defines your application's build context, environment variables, and deployment target. Behind the scenes, it's also generating Age encryption keys and configuring SOPS for secret management—this means your environment variables are encrypted at rest on the VPS using Mozilla's battle-tested SOPS tool, only decrypted when containers start.

The deployment flow is where Sidekick's design decisions become clear. Unlike tools that push source code to a remote builder (Heroku buildpacks) or rely on container registries (most CI/CD pipelines), Sidekick builds Docker images locally, saves them as tarballs, SCPs them to your VPS, and loads them into the remote Docker daemon. Here's what a basic deployment looks like:

# Initialize project (one-time setup)
sidekick init

# Launch infrastructure on fresh VPS
sidekick launch --ip 192.168.1.100 --domain myapp.com

# Deploy application
sidekick deploy

Under the hood, sidekick launch SSHs into your VPS and provisions the entire stack. It installs Docker, deploys Traefik as a reverse proxy with automatic Let's Encrypt SSL, sets up SOPS for secret decryption, and generates a docker-compose configuration. The Traefik configuration is particularly clever—Sidekick uses Docker labels to dynamically route traffic and configure health checks for zero-downtime deployments:

# Generated docker-compose snippet
services:
  app:
    image: myapp:${COMMIT_SHA}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`myapp.com`)"
      - "traefik.http.routers.app.tls.certresolver=letsencrypt"
      - "traefik.http.services.app.loadbalancer.healthcheck.path=/health"
    environment:
      DATABASE_URL: ${DATABASE_URL}  # Decrypted by SOPS at runtime

The zero-downtime deployment mechanism leverages Traefik's built-in health checking. When you run sidekick deploy, it builds a new image tagged with the current git commit SHA, transfers it to the VPS, and tells docker-compose to update the service. Traefik waits for the new container to pass health checks before routing traffic to it, then gracefully drains connections from the old container. This is the same pattern used by Kubernetes rolling updates, but implemented with just Docker Compose and a smart reverse proxy.
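The build, save, SCP and load path above has no registry in the middle, so a useful check before `docker load` is that the archive sitting on the VPS is the one that was built. The following is an added example, not Sidekick's code: it assumes the `manifest.json` / `RepoTags` layout that `docker save` writes, and the function names and the `myapp:<sha>` tag are illustrative.

```python
import hashlib
import io
import json
import tarfile

def check_image_tarball(path, expected_tag):
    """Inspect a `docker save` archive before `docker load` runs on the VPS.

    Returns (sha256_hex, tag_ok). Compare sha256_hex with the digest computed
    on the build machine; tag_ok is True only if manifest.json names exactly
    the expected image:tag and nothing else.
    """
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        # Stream in 1 MiB chunks so multi-gigabyte images are never held in memory
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)
    digest = sha256.hexdigest()
    try:
        with tarfile.open(path, mode="r:*") as tar:
            manifest = json.load(tar.extractfile("manifest.json"))
        # RepoTags is null for untagged images, hence the `or []`
        tags = [t for entry in manifest for t in (entry.get("RepoTags") or [])]
    except (KeyError, tarfile.TarError, ValueError, AttributeError, TypeError):
        return digest, False  # not a readable docker save archive
    return digest, tags == [expected_tag]

def write_sample_tarball(path, repo_tags):
    """Constructed stand-in for `docker save` output: manifest.json only."""
    body = json.dumps(
        [{"Config": "config.json", "RepoTags": repo_tags, "Layers": []}]
    ).encode()
    info = tarfile.TarInfo("manifest.json")
    info.size = len(body)
    with tarfile.open(path, mode="w") as tar:
        tar.addfile(info, io.BytesIO(body))
```

Run it on both ends of the transfer with the commit SHA you intended to ship; a digest mismatch means a truncated or different file, and a tag mismatch means the archive carries an image other than the one you built.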

Preview environments showcase Sidekick's git-aware workflows. Each deployment uses the git commit hash as the image tag, and you can spin up preview environments for feature branches with routing rules like feature-auth.myapp.com. The entire state is maintained in version-controlled config files—no external database, no state server, just SSH and filesystem operations. This simplicity means you can understand exactly what Sidekick is doing by reading the generated docker-compose.yml and Traefik configurations.

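The secret management integration deserves special attention. Instead of storing .env files in plaintext or relying on external secret managers, Sidekick uses SOPS to encrypt your environment variables with Age encryption keys. The private key lives only on your VPS (never committed to git), and secrets are automatically decrypted when containers start. This gives you encrypted-at-rest secrets of the kind you might otherwise run HashiCorp Vault for, without any additional infrastructure. The protection covers the encrypted file: because the private key sits on the same VPS, anyone with root or Docker access on that host can decrypt it or read the values from the running container's environment.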
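A check that pairs with this setup is confirming that the env file headed for git really is ciphertext. This is an added example, not Sidekick's code; it assumes the file is in SOPS dotenv form (values as `ENC[AES256_GCM,...]`, metadata keys prefixed `sops_`), and the function names and sample values are constructed.

```python
import re

# A value encrypted by SOPS looks like ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]+,tag:[^,\]]+,type:\w+\]$"
)

def audit_sops_dotenv(text):
    """Return (plaintext_keys, has_mac) for the text of a dotenv file."""
    plaintext_keys, has_mac = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("sops_"):
            # SOPS metadata (recipients, version, MAC) is stored in the clear
            has_mac = has_mac or key == "sops_mac"
        elif value and not ENC_VALUE.match(value):
            # Empty values are skipped: SOPS leaves empty strings unencrypted
            plaintext_keys.append(key)
    return plaintext_keys, has_mac

def safe_to_commit(text):
    """True only if SOPS metadata is present and no value is readable."""
    plaintext_keys, has_mac = audit_sops_dotenv(text)
    return has_mac and not plaintext_keys

# Constructed sample: one variable was pasted in after the file was encrypted
SAMPLE = """\
DATABASE_URL=ENC[AES256_GCM,data:Y29uc3RydWN0ZWQ=,iv:aXZpdml2aXY=,tag:dGFndGFn,type:str]
API_TOKEN=constructed-plaintext-value
OPTIONAL_FLAG=
sops_age__list_0__map_recipient=age1constructedrecipientplaceholder
sops_mac=ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
sops_version=3.8.1
"""

if __name__ == "__main__":
    keys, has_mac = audit_sops_dotenv(SAMPLE)
    print("plaintext keys:", keys, "| sops_mac present:", has_mac)
```

Wired into a pre-commit hook, `safe_to_commit` rejects both a fully plaintext .env and an encrypted file that was hand-edited afterwards.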

Gotcha

Sidekick's greatest strength—its simplicity—is also its hard ceiling. The tool is explicitly designed for single-server deployments. If your application grows to need horizontal scaling across multiple VPS instances, geographic distribution for latency, or active-active database replication, Sidekick offers no migration path. You'll be rewriting your deployment pipeline from scratch, likely moving to Kubernetes or a more sophisticated tool like Kamal. There's no incremental complexity—you get all of Sidekick's benefits until you outgrow its single-server assumption, then you get none of them.

The local build-and-transfer model creates surprising bottlenecks. If your Docker image is 2GB and your home internet has 10 Mbps upload (typical for U.S. residential connections), each deployment takes nearly 30 minutes just for the transfer. Teams with multiple developers can't parallelize deployments easily, and CI/CD integration requires the build server to have fast upload speeds and SSH access to production. The lack of a container registry means no image caching between deploys—every deployment transfers the full image, even if only one line of code changed. For teams deploying frequently or working with large dependencies (ML models, heavy Node.js projects), this becomes prohibitively slow. Additionally, the hard requirement for Homebrew on Linux systems (used to install SOPS) introduces an unusual dependency that conflicts with package management philosophies on Debian-based systems.

Verdict

Use Sidekick if you're a solo developer or small team (2-3 people) deploying containerized applications to a single VPS, you're comfortable debugging Docker and Traefik when issues arise, and you value infrastructure cost savings over deployment speed. It's ideal for side projects, MVPs, and small production apps serving hundreds to low thousands of users where a $5-20/month VPS is sufficient. The built-in secret encryption and zero-downtime deploys give you production-grade features without PaaS pricing. Skip Sidekick if you need multi-region deployments, plan to scale beyond one server within 6 months, require sub-30-second deployment times, or if your team lacks Docker/SSH debugging skills. Also skip if you're already on a PaaS and the cost isn't painful—the operational complexity Sidekick eliminates compared to raw VPS management is real, but it's still more hands-on than fully managed platforms. For teams needing multi-server support with similar simplicity, evaluate Kamal instead.
