Deploy on a VPS
This section walks you from a plain hiveloom serve to a production-ish
deployment reachable over https://<your-host> with an automatically-renewed
Let’s Encrypt certificate. The admin and MCP ports stay off the public internet.
If your goal is “give Claude/Cursor an HTTPS URL quickly” without opening ports 80 and 443, jump to Cloudflare Tunnel instead.
The five steps
1. Point DNS at the VPS: A or AAAA record for your hostname.
2. Apply a minimal firewall: SSH + 80 + 443 only.
3. Install a reverse proxy: Caddy is the default. Drop in the Hiveloom Caddyfile.
4. Obtain a TLS certificate: Trigger Let’s Encrypt issuance, verify HTTPS.
5. Run as a systemd service: Long-lived, bound to loopback.
Follow them in order. Each page has the full command set — you don’t need to cross-reference anything.
What Hiveloom contributes
hiveloom tls render --host hiveloom.example.com --email [email protected] \
  | sudo tee /etc/caddy/Caddyfile.d/hiveloom.caddy
Prints a ready-to-use Caddyfile to stdout. That is the entire built-in tooling for this feature — DNS, firewall, Caddy install, and systemd unit are all operator action.
Smoke test at the end
If everything is wired up correctly:
curl -s https://hiveloom.example.com/healthz
# {"status":"ok"}
curl -s https://hiveloom.example.com/.well-known/oauth-authorization-server | jq .issuer
# "https://hiveloom.example.com"
The OAuth metadata URLs must start with https://. If they start with http://, the reverse proxy isn’t forwarding the right headers — revisit Reverse proxy.
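The issuer check above, written as a small POSIX shell helper so it can run unattended after each deploy. This is an added example, not part of the Hiveloom docs or tooling; the function names, the use of sed instead of jq, and the sample JSON are assumptions made here.

```shell
#!/bin/sh
# Added example (not Hiveloom's own code): verify that the OAuth metadata
# served through the reverse proxy advertises an https:// issuer for the
# expected host. With a live deployment you would call, for example:
#   check_oauth_issuer hiveloom.example.com \
#     "$(curl -s https://hiveloom.example.com/.well-known/oauth-authorization-server)"

# Extract the "issuer" string from a JSON document without requiring jq.
issuer_of() {
  printf '%s' "$1" | sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Returns 0 when the issuer is exactly https://HOST.
# Returns 1 when it is http://HOST: the proxy is reaching the backend but is
# not forwarding the original request scheme, so the metadata is unusable.
# Returns 2 for any other value (wrong host, missing field, non-JSON body).
check_oauth_issuer() {
  host=$1
  issuer=$(issuer_of "$2")
  case "$issuer" in
    "https://$host")
      return 0 ;;
    "http://$host")
      echo "issuer is http:// - reverse proxy is not forwarding the scheme headers" >&2
      return 1 ;;
    *)
      echo "unexpected issuer: '$issuer' (expected https://$host)" >&2
      return 2 ;;
  esac
}
```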