🚀 One-command deployment: Hetzner server + Cloudflare Tunnel + Docker - fully automated via GitHub Actions.
⚠️ Disclaimer: This project is currently under active development. Use at your own risk. While care has been taken to ensure security, you are responsible for reviewing the code and understanding what it does before running it.
📋 Deployment Method: This project uses GitHub Actions exclusively. Local deployment is not supported as it bypasses the Control Plane architecture.
- Hetzner Cloud Server - x86 (default `cx43` in `hel1`, Intel-shared 8 vCPU / 16 GB RAM / 160 GB) running Ubuntu 24.04 — defaults switched permanently from ARM in 2026-05 because (a) Hetzner ARM EU capacity has been unavailable since 2026-01-22, and (b) Hetzner's 2025+ pricing flipped — ARM is now ~40% more expensive than the equivalent x86 spec. Smaller x86 alternatives (`cpx32` AMD 4-vCPU/8-GB, `cx32` Intel 4-vCPU/8-GB) and ARM (`cax*`) variants are supported via the `SERVER_TYPE`/`SERVER_LOCATION` repo variables for users who want to override the default — see docs/admin-guides/setup-guide.md for the canonical list
- Cloudflare Tunnel - All traffic routed through Cloudflare, zero open ports
- Cloudflare Access - Email OTP authentication for all services
- Remote State - OpenTofu state stored in Cloudflare R2
- Control Plane - Web UI to manage infrastructure (spin up, teardown, services)
- GitHub Actions - Full CI/CD deployment without local tools
- Scheduled Teardown - Optional daily auto-shutdown to save costs (with configurable policy to prevent users from disabling it)
- Email Notifications - Credentials and status emails via Resend
- Zero Entry - Zero open ports = Zero attack surface
- Firewall Management - Open specific TCP ports for external access (Kafka, PostgreSQL, MinIO) via Control Plane, auto-reset on teardown
- Service Tokens - Headless SSH access for CI/CD
- Secrets Management - Centralized in Infisical with auto-provisioning
- GitHub Actions Only - No local tools required, fully automated deployment
- Modular Stacks - Enable/disable services via Control Plane
- Auto-Setup - Admin users created automatically with generated passwords
- Info Page - Dashboard with all service URLs and credentials
- Hetzner Cloud account - For the server
- Cloudflare account - Free tier is sufficient
- Resend account - For email notifications (credentials, status updates)
- A domain - Must be added to Cloudflare (Cloudflare manages DNS)
- Docker Hub account (optional) - Increases pull rate limits for Docker images
→ See the Setup Guide for complete installation instructions.
After deployment you'll have:
https://control.yourdomain.com - Control Panel to manage services and view URLs
| Stack | Description | Website |
|---|---|---|
| AKHQ | Kafka/Redpanda management GUI for topics, consumer groups, schema registry, and Kafka Connect | akhq.io |
| Adminer | Lightweight database management tool (supports PostgreSQL, MySQL, SQLite, etc.) | adminer.org |
| Appsmith | Open-source low-code platform for building admin panels, dashboards, and internal tools | appsmith.com |
| Big-AGI | Stateless multi-LLM web UI for OpenAI, Anthropic, and local LLM endpoints (browser-side state, no server DB) | github.com/enricoros/big-agi |
| Budibase | Open-source low-code platform for building internal tools and dashboards | budibase.com |
| Chroma | Developer-friendly embedding (vector) database for LLM / RAG pipelines | trychroma.com |
| CloudBeaver | Web-based database management tool | dbeaver.com/cloudbeaver |
| ClickHouse | Fast columnar database for real-time analytics and OLAP queries | clickhouse.com |
| code-server | VS Code in the browser for remote development | coder.com |
| Crawl4AI | LLM-friendly web crawler that returns clean Markdown for RAG ingestion (REST API + Playground UI) | github.com/unclecode/crawl4ai |
| CyberChef | GCHQ's "Cyber Swiss Army Knife" — drag-and-drop data manipulation (encode/decode/hash/regex/crypto, ~400 operations) | gchq.github.io/CyberChef |
| Dagster | Python-native data orchestration for data pipelines and Software-Defined Assets | dagster.io |
| Debezium | Change data capture - streams database changes to Redpanda/Kafka in real time | debezium.io |
| Dify | AI workflow builder for LLM applications, RAG pipelines, and agents | dify.ai |
| Dinky | Web-based Flink SQL IDE with auto-completion and job management | dinky.org.cn |
| Dozzle | Realtime Docker logs in the browser — tail every container without SSH | dozzle.dev |
| Draw.io | Flowchart and diagramming tool for technical diagrams | diagrams.net |
| Excalidraw | Virtual whiteboard for sketching hand-drawn diagrams | excalidraw.com |
| Evidence | SQL + markdown BI for analytics engineers — pages diff as plain text, charts render inline, ships with a sample project | evidence.dev |
| Filestash | Web-based file manager with S3/FTP/SFTP/WebDAV backend support | filestash.app |
| Flink | Distributed stream and batch processing engine (JobManager + TaskManager cluster) | flink.apache.org |
| Garage | Lightweight S3-compatible object storage for self-hosting | garagehq.deuxfleurs.fr |
| Git Proxy | Public Git HTTPS proxy for external tools (Databricks, Git Desktop) | Documentation |
| Gitea | Self-hosted Git service with pull requests, code review, and CI/CD | gitea.com |
| Grafana | Full observability stack with Prometheus, Loki & dashboards | grafana.com |
| HedgeDoc | Collaborative real-time Markdown editor (HackMD alternative) — joint workshop notes, slide-mode, MathJax/Mermaid rendering | hedgedoc.org |
| Hoppscotch | Open-source API testing platform (Postman alternative) | hoppscotch.io |
| Infisical | Open-source secret management platform | infisical.com |
| IT-Tools | Collection of handy online tools for developers | it-tools.tech |
| Jupyter | Interactive PySpark notebook platform with Spark SQL support and cluster connectivity | jupyter.org |
| Kafdrop | Lightweight Kafka/Redpanda web UI for browsing topics and consumer groups | GitHub |
| Kafka-UI | Modern web UI for Apache Kafka / Redpanda management | kafka-ui.provectus.io |
| Kestra | Modern workflow orchestration for data pipelines & automation | kestra.io |
| LakeFS | Git-like version control for data lakes (Hetzner Object Storage backend) | lakefs.io |
| Lakekeeper | Modern Iceberg REST Catalog (Rust) — Spark / Trino / DuckDB / PyIceberg share Iceberg tables on the existing object storage | lakekeeper.io |
| LiteLLM | Unified OpenAI-compatible proxy for 100+ LLM providers (Ollama, OpenAI, Anthropic, Mistral, ...) — single SDK, per-key budgets, cost tracking | litellm.ai |
| Mage | Modern data pipeline tool for ETL/ELT workflows | mage.ai |
| Mailpit | Email & SMTP testing tool - catch and inspect emails | mailpit.axllent.org |
| Marimo | Reactive Python notebook with SQL support | marimo.io |
| Meilisearch | Lightning-fast Rust full-text search — sub-100ms typo-tolerant, schema-less | meilisearch.com |
| Meltano | Open-source data integration platform (CLI-only, no web UI) | meltano.com |
| Metabase | Open-source business intelligence and analytics tool | metabase.com |
| MinIO | S3-compatible object storage for data lakes & backups | min.io |
| n8n | Workflow automation tool - automate anything | n8n.io |
| NocoDB | Open-source Airtable alternative - turn any database into a spreadsheet | nocodb.com |
| Ollama | Local LLM inference with Open WebUI chat interface | openwebui.com |
| OpenMetadata | Open-source metadata management for data discovery and governance | open-metadata.org |
| pg_ducklake | PostgreSQL with DuckLake extension - SQL-native lakehouse with S3 storage | pgducklake.select |
| pgAdmin | PostgreSQL administration and development platform | pgadmin.org |
| Planka | Open-source kanban board (Trello alternative) with real-time multi-user collaboration | planka.app |
| Portainer | Always-on Docker dashboard — first stop for inspecting a misbehaving container (logs, state, restart). Auto-deployed alongside Gitea/Grafana/Infisical | portainer.io |
| PostgreSQL | Powerful open-source relational database (internal-only, no web UI) | postgresql.org |
| Prefect | Modern Python-native workflow orchestration for data pipelines | prefect.io |
| Quickwit | Cloud-native search engine for log management and analytics | quickwit.io |
| Redpanda | Kafka-compatible streaming platform with Console UI | redpanda.com |
| Redpanda Connect | Declarative data streaming framework for real-time pipelines | redpanda.com |
| Redpanda Datagen | Test data generator for Redpanda topics | redpanda.com |
| RisingWave | PostgreSQL-compatible streaming database for real-time materialized views | risingwave.com |
| RustFS | Rust-based S3-compatible object storage (MinIO alternative) | rustfs.com |
| S3 Manager | Web-based S3 bucket browser and manager for Hetzner Object Storage | GitHub |
| SeaweedFS | Distributed object storage with Filer UI and S3 API | seaweedfs.com |
| SFTPGo | SFTP/SCP server with R2 backend (file-protocol front door onto the datalake; WebDAV/FTPS supported upstream, disabled by default) | sftpgo.com |
| Sling | Lightweight CLI for database-to-database and file-to-database transfers | slingdata.io |
| Soda | Data quality testing with SodaCL checks (CLI-only, no web UI) | soda.io |
| Spark | Distributed data processing engine (Master + Worker cluster) | spark.apache.org |
| Superset | Modern data exploration and visualization platform with SQL Lab | superset.apache.org |
| Telegraf | Metrics collection agent with 300+ plugins (CLI-only, no web UI) | influxdata.com |
| Trino | Distributed SQL query engine for querying data across multiple sources | trino.io |
| Uptime Kuma | A fancy self-hosted monitoring tool | uptime.kuma.pet |
| Vector | High-performance observability pipeline for logs, metrics, and traces | vector.dev |
| Wetty | Web-based SSH terminal - access server terminal from any browser | GitHub |
| Wiki.js | Open-source wiki and knowledge base with Markdown and visual editor | js.wiki |
| Windmill | Open-source workflow engine for scripts, workflows, and UIs | windmill.dev |
| Woodpecker CI | Lightweight Docker-native CI/CD engine with pipeline-as-code | woodpecker-ci.org |
→ See docs/stacks/README.md for detailed stack documentation and how to add new services.
Manage your Nexus-Stack infrastructure via web interface at https://control.YOUR_DOMAIN.
Features:
- ⚡ Spin Up / Teardown - Start and stop infrastructure with one click
- 🧩 Services - Enable/disable services dynamically
- ⏰ Scheduled Teardown - Auto-shutdown to save costs
- 📧 Email Credentials - Send login credentials to your inbox
| Workflow | Description |
|---|---|
| Initial Setup | One-time setup (Control Plane + Spin Up). Supports enabled_services parameter to pre-select services. |
| Spin Up | Re-create infrastructure after teardown |
| Teardown | Teardown infrastructure (keeps state) |
| Destroy All | Delete everything |
| Cleanup Orphaned Resources | Manual cleanup of orphaned Cloudflare resources |
Pre-select services during Initial Setup:

```bash
# Core services (Gitea, Grafana, Infisical, Portainer) are always enabled —
# pass any additional services you want active on the first spin-up.
gh workflow run initial-setup.yaml -f enabled_services="n8n,kestra"
```

→ See docs/admin-guides/setup-guide.md for configuration details.
This setup achieves zero open ports after deployment:
- During initial setup, SSH (port 22) is temporarily open
- OpenTofu installs the Cloudflare Tunnel via SSH
- After tunnel is running, SSH port is automatically closed via Hetzner API
- All future SSH access goes through Cloudflare Tunnel
Result: No attack surface. All traffic flows through Cloudflare.
Firewall Management: For TCP-based services (Kafka, PostgreSQL, MinIO S3 API), the Control Plane provides a Firewall Management page to selectively open ports. DNS A records are created pointing directly to the server IP (`proxied = false`). All firewall rules are automatically reset on every Teardown for security.
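One way to verify the zero-open-ports claim above, and to confirm that only the ports opened through the Firewall Management page are actually reachable, is to audit the server's Hetzner firewall rules after each Spin Up or Teardown. This is an added example, not part of the project's code: it parses a response in the shape of the Hetzner Cloud API `GET /v1/firewalls` endpoint (the sample below is constructed inline) and reports every inbound rule that is not on the expected list.

```python
import json
from typing import Iterable

# Constructed sample in the shape of a Hetzner Cloud API `GET /v1/firewalls`
# response; the firewall name, ports and addresses are made up for this example.
SAMPLE_FIREWALLS = json.loads("""
{"firewalls": [
  {"id": 1, "name": "nexus-firewall", "rules": [
    {"direction": "in", "protocol": "tcp", "port": "22",
     "source_ips": ["0.0.0.0/0", "::/0"]},
    {"direction": "in", "protocol": "tcp", "port": "5432",
     "source_ips": ["203.0.113.10/32"]},
    {"direction": "out", "protocol": "tcp", "port": "any",
     "destination_ips": ["0.0.0.0/0", "::/0"]}
  ]}
]}
""")

# Source ranges that mean "reachable from the whole internet".
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def inbound_rules(firewalls_response: dict) -> list[dict]:
    """Return every inbound rule across all firewalls, tagged with its firewall name
    and whether any source range is the whole IPv4 or IPv6 internet."""
    rules = []
    for fw in firewalls_response.get("firewalls", []):
        for rule in fw.get("rules", []):
            if rule.get("direction") != "in":
                continue  # outbound rules do not expose the server
            sources = set(rule.get("source_ips", []))
            rules.append({"firewall": fw["name"], "protocol": rule["protocol"],
                          "port": rule.get("port", "any"),
                          "world_reachable": bool(ANY_SOURCE & sources)})
    return rules


def audit_firewall(firewalls_response: dict,
                   allowed: Iterable[tuple[str, str]]) -> list[str]:
    """Compare inbound rules with the (protocol, port) pairs the Control Plane is
    expected to have opened. Returns findings; an empty list means the exposure
    matches expectations (after Teardown the expected set is empty)."""
    allowed = set(allowed)
    findings = []
    for r in inbound_rules(firewalls_response):
        if (r["protocol"], r["port"]) not in allowed:
            scope = "from anywhere" if r["world_reachable"] else "from restricted sources"
            findings.append(f"{r['firewall']}: unexpected inbound "
                            f"{r['protocol']}/{r['port']} {scope}")
    return findings
```

Run it against a live response right after the tunnel comes up (expected set empty) and again after opening a port via the Control Plane; any finding for port 22 after setup means the automatic SSH close-off did not happen.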
- Services are protected by Cloudflare Access (email OTP)
- Set `public = true` in config if you want a service publicly accessible (bypasses Zero Trust)
| Document | Description |
|---|---|
| Setup Guide | Complete installation and configuration |
| Control Plane Guide | How to use the Control Plane web interface |
| Stacks | Available services and how to add new ones |
| Contributing | How to contribute to the project |
| Migration to Python | scripts/deploy.sh → nexus_deploy package (completed Phase 4c via issue #505 / PR #535) |
Read the full story behind Nexus-Stack:
Nexus-Stack: Your Data, Your Rules, Your Flow
For a detailed technical explanation of how this infrastructure works under the hood - including the Docker deployment on Hetzner and the Cloudflare Zero Trust Tunnel security setup - check out this article:
Secure Hetzner Docker Deployment via Cloudflare Zero Trust Tunnel
Learn more about Nexus-Stack and explore the full documentation:
