sidekick
Sidekick is a CLI tool that automates VPS setup and application deployment, enabling bare-metal servers to run production workloads with features like zero-downtime deploys, SSL certificates, and environment secret management. It targets developers who want Fly.io-like experience on affordable self-hosted infrastructure.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | MightyMoud/sidekick |
| Owner | MightyMoud |
| Primary language | Go |
| License | GPL-3.0 — OSI-approved |
| Stars | 7.5k |
| Forks | 162 |
| Open issues | 17 |
| Latest release | v0.6.6 (2024-10-24) |
| Last updated | 2026-02-03 |
| Source | https://github.com/MightyMoud/sidekick |
What sidekick is
Go-based CLI that orchestrates Docker, Traefik, SOPS, and age to provide infrastructure-as-code for single or multi-app VPS deployments. Handles container image transport, encrypted secret injection, load balancing, and rolling updates via Docker Compose.
Get the sidekick source
Clone the repository and explore it locally.
git clone https://github.com/MightyMoud/sidekick.gitcd sidekick# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- VPS must run Ubuntu LTS with public IP and SSH key access; other Linux distributions not mentioned as supported.
- Brew dependency on local machine for installing SOPS limits cross-platform portability (macOS/Linux primary; Windows requires WSL).
- SSL cert setup via Let's Encrypt requires email and valid domain or reliance on sslip.io for testing; certificate renewal automation not explicitly documented.
- Encrypted .env files use age+SOPS; key rotation, secret versioning, and multi-user access policies are not documented.
- Preview environments attach to git commit hashes; requires clean git tree and may complicate CI/CD pipelines if not carefully integrated.
When to avoid it — and what to weigh
- Requires managed database services — Sidekick does not provide out-of-the-box managed databases (PostgreSQL, MySQL); roadmap indicates this is planned but not yet available. Workarounds require manual setup or external services.
- Need multi-region or HA across VPS instances — Single-VPS focus means geographic distribution, cross-region failover, and multi-datacenter orchestration are not supported. Roadmap mentions 'managing multiple VPSs' but not yet implemented.
- Enterprise compliance or audit requirements — GPL-3.0 license implies source-code sharing obligations; no clear SOC 2, HIPAA, or PCI-DSS compliance documentation. Requires legal review for regulated workloads.
- Complex microservices or Kubernetes equivalence — Sidekick is optimized for simple container deployments; complex orchestration, service meshes, or advanced networking policies require manual Docker Compose or move to Kubernetes.
License & commercial use
Licensed under GPL-3.0 (GNU General Public License v3.0). This is a copyleft open-source license requiring that any derivative work or distribution includes source code and remains under the same license.
GPL-3.0 permits commercial use, but imposes strict copyleft obligations: if you modify Sidekick or distribute it (including as part of a service), you must disclose source code and license derivative works under GPL-3.0. If you only use Sidekick as a tool (CLI) without modification or distribution, commercial use is permitted. Requires legal review before embedding in proprietary products or SaaS offerings.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Sidekick automates several hardening steps: disables root login, creates unprivileged sidekick user, installs age+SOPS for secret encryption at rest. However: (1) SSH key security depends on local machine hygiene; (2) secret key material (age private keys) stored on VPS filesystem—review key storage, access controls, and backup practices; (3) TLS cert renewal automation not explicitly documented; (4) no network firewall setup yet (roadmapped); (5) Docker and Traefik security posture depend on image provenance and upstream updates; (6) encrypted .env files provide some protection, but threat model against insider access or VPS compromise not addressed.
Alternatives to consider
Fly.io
Managed PaaS with multi-region deployment, built-in databases, and global load balancing; no VPS management overhead but higher cost and vendor lock-in.
Kamal (by Basecamp)
Docker-based deployment tool with zero-downtime updates and accessory services (databases); requires more manual infrastructure setup but lighter-weight than Kubernetes.
Dokku
Heroku-like platform-as-a-service on your own server; simpler for Git-based deployments and Procfile-driven apps, but less flexible for complex Docker workflows.
Build on sidekick with DEV.co software developers
Sidekick automates VPS setup and container deployment. Review the source code, test with preview environments, and assess GPL-3.0 licensing implications for your use case.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
sidekick FAQ
Can I deploy non-Dockerized applications?
Does Sidekick manage databases?
What if I lose my age encryption key?
Is there a web UI or monitoring dashboard?
Custom software development services
DEV.co helps companies turn open-source tools like sidekick into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source devops stack.
Ready to self-host without complexity?
Sidekick automates VPS setup and container deployment. Review the source code, test with preview environments, and assess GPL-3.0 licensing implications for your use case.