Server control that
earns its keep.
hostctl is a secure, opinionated Rust CLI for managing Ubuntu web hosting infrastructure. Create sites. Protect routes. Enable TLS. Apply blueprints. Deploy with confidence.
Rust
Built for performance & safety
6+
Core commands
MIT
Open source license
0
Control panels needed
Features
Your server, under control.
hostctl gives you exactly what you need to run Ubuntu-hosted web apps — no more, no less. Fast, composable, and safe to run in production.
Nginx generation
hostctl writes battle-tested Nginx configs for PHP, Node, and static sites. Generated files are stamped and tracked — hostctl knows what it owns.
Safe by default
No silent destructive actions. Confirms before deletion. Refuses to overwrite unmanaged configs. Validates domains and paths before touching the filesystem.
Access protection
Lock down admin paths with IP allowlists in one command. Inject and remove access blocks without editing Nginx configs by hand.
One-command TLS
hostctl tls enable calls Certbot under the hood and handles the Nginx integration. HTTPS in under 30 seconds.
Blueprint-driven hosting
Define your site in YAML. Apply it with hostctl apply. Reproducible, version-controllable, script-friendly infrastructure from a single file.
Verify before you ship
hostctl verify checks your Nginx config is valid, the site is enabled, and it responds over HTTP/HTTPS. Catch config drift before your users do.
How it works
Install. Create. Protect. Ship.
Go from a bare Ubuntu server to a production-ready HTTPS site with IP-protected admin routes in minutes — not hours.
One binary. Zero dependencies.
Build from source with cargo build --release or grab a prebuilt binary. hostctl is a single static executable — drop it on your server and you're done.
Requires Ubuntu + Nginx + systemd. Certbot needed for TLS.
$ git clone https://github.com/yourname/hostctl $ cd hostctl && cargo build --release $ sudo cp target/release/hostctl /usr/local/bin/ ✓ hostctl is ready $ hostctl --version hostctl 0.1.0
$ sudo hostctl site create blog \ --domain blog.example.com \ --type php \ --root /var/www/blog/public \ --php-sock /run/php/php8.3-fpm.sock ✓ Config written → /etc/nginx/sites-available/blog ✓ Site enabled ✓ Nginx reloaded
One command from nothing to serving traffic.
Run hostctl site create and hostctl writes a production Nginx config, enables the site, and reloads Nginx. PHP, Node, and static sites all supported out of the box.
Use --dry-run to preview what would happen without writing anything.
Harden in seconds. Sleep at night.
IP-restrict your admin panel with hostctl access protect. Add HTTPS with hostctl tls enable. Confirm everything is healthy with hostctl verify site. Three commands to a locked-down production site.
Nothing writes without confirmation. Managed files are always backed up first.
$ sudo hostctl access protect blog \ --path /admin --ip 203.0.113.5 ✓ Access block injected $ sudo hostctl tls enable blog \ --domain blog.example.com \ --email ops@example.com ✓ Certificate installed $ sudo hostctl verify site blog ✓ Config valid · HTTPS reachable
Command reference
Everything you need. Nothing you don't.
hostctl stays focused. Each command does one thing well. Compose them, script them, run them in CI — they behave the same everywhere.
Blueprints
Reproducible infra from a single file.
Define your site configuration as a YAML blueprint and apply it with one command. Version-control your server setup. Reproduce it on a new box in seconds. Stack presets for Laravel, Node, and static sites coming in Phase 3.
- PHP, Node, and static site types
- Environment variable injection (coming soon)
- Multi-site blueprints (coming soon)
- hostctl plan to preview diffs before applying
site: name: blog domain: blog.example.com type: php root: /var/www/blog/current/public php_sock: /run/php/php8.3-fpm.sock # Apply with: $ sudo hostctl apply site.yaml ✓ Config written ✓ Site enabled ✓ Nginx reloaded
Philosophy
Built for operators, not dashboards.
hostctl is an opinionated tool with a clear point of view. Here's what it stands for.
Safe by default
No silent destructive actions. No hidden shell hacks. No blind overwrites. hostctl asks before it acts, backs up before it changes, and refuses to touch what it doesn't own.
Managed state over mutation
Configs created by hostctl are clearly stamped and tracked separately from unmanaged files. hostctl knows what it wrote and will never silently overwrite files you created yourself.
Scriptable and human-friendly
Works identically in CI pipelines, SSH sessions, provisioning scripts, and manual ops workflows. Flags like --yes and --dry-run are first-class citizens.
Opinionated over bloated
hostctl does fewer things extremely well. No 200-page config format. No plugin ecosystem to maintain. The surface area is small on purpose.
Roadmap
Where this is going.
hostctl is early-stage but has a clear commercial trajectory. Here's what's built and what's coming.
Core hosting controls
- site create + delete
- Nginx config rendering
- Dry-run + force + backup
- Health check
Access & TLS
- access protect (done)
- tls enable (done)
- verify site (done)
- Rate limiting presets
- Security headers pack
Blueprint-driven infra
- apply site.yaml (done)
- Multi-site blueprints
- Stack presets (Laravel, Node)
- hostctl plan + diff
Audit & intelligence
- Config scoring
- Open admin path detection
- TLS enforcement checks
- Security findings + suggestions
Remote & team workflows
- SSH remote execution
- Multi-server orchestration
- Audit logs
- Rollback tracking
Commercial layer
- Hosted dashboard
- Blueprint marketplace
- Deployment pipelines
- Team management
Early access
Stop clicking around.
Start scripting.
hostctl is built for developers, operators, and small hosting teams who want a fast, scriptable, production-ready way to manage Ubuntu-hosted web apps — without dragging in a control panel.
Request early accessGet in touch
Get in early.
We're building hostctl for operators who want production-grade server management without the bloat. Tell us about your setup.