How to Set Up a VPS: Step-by-Step 2026 Guide
Photo by Michael Burrows on Pexels
Setting up a VPS in 2026 is faster than ever — but the gap between “got an SSH prompt” and “production-ready, hardened, monitored” is still where most weekend projects get stuck. This guide walks through the entire path: pick a provider, provision, harden, install your stack, deploy a real app behind TLS, and add the safety nets you’ll be glad you set up the first time something breaks.
We’ve used this exact runbook to spin up production VPS for internal tools, side projects, and customer demos. From “click create” to “https://yourdomain.com is live” should take 45–60 minutes the first time and 10 minutes once you’ve packaged it as an Ansible playbook.
How This Guide Works
Each step gets a short rationale and the actual commands. We use Ubuntu 24.04 LTS as the OS (Debian 12 and Rocky Linux 9 work the same with minor package-name swaps), DigitalOcean as the example provider (any KVM-based provider works identically), and a Node.js web app behind Caddy as the example workload.
VPS Setup Checklist
| Step | What it does | Time |
|---|---|---|
| 1. Provision VPS | Create the box | 2 min |
| 2. SSH in & create user | Drop root, use ops | 5 min |
| 3. Harden SSH | Keys only, no root | 5 min |
| 4. Configure firewall | UFW default deny | 3 min |
| 5. Auto security updates | unattended-upgrades | 3 min |
| 6. Install web server + TLS | Caddy with auto Let’s Encrypt | 5 min |
| 7. Deploy your app | systemd unit | 10 min |
| 8. Backups | restic to B2/S3 | 10 min |
| 9. Monitoring | Netdata + UptimeRobot | 5 min |
| 10. Snapshot baseline | Provider snapshot | 1 min |
Step 1 — Provision the VPS
Pick a KVM-based provider. Sensible defaults:
- DigitalOcean Basic Droplet, $6/mo (1 vCPU, 1GB)
- Linode (Akamai) Nanode, $5/mo (1 vCPU, 1GB)
- Hetzner Cloud CX22, ~$5/mo (2 vCPU, 4GB)
- Vultr Cloud Compute, $6/mo (1 vCPU, 1GB)
In the provider UI:
- Choose Ubuntu 24.04 LTS
- Pick a region within 50ms of your users
- Add your SSH public key (paste from
~/.ssh/id_ed25519.pub) - Enable IPv6 and (optional) monitoring
Skip backups for now — we’ll set up encrypted off-server backups in Step 8.
Step 2 — Connect and Create a User
ssh root@<your-vps-ip>
adduser ops
usermod -aG sudo ops
mkdir -p /home/ops/.ssh
cp ~/.ssh/authorized_keys /home/ops/.ssh/
chown -R ops:ops /home/ops/.ssh
chmod 700 /home/ops/.ssh
chmod 600 /home/ops/.ssh/authorized_keys
Open a second terminal and verify SSH works as ops:
ssh ops@<your-vps-ip>
sudo whoami # should print: root
Don’t close the original session until you’ve confirmed ops works.
Step 3 — Harden SSH
Create /etc/ssh/sshd_config.d/hardening.conf:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ops
ClientAliveInterval 300
Reload SSH:
sudo systemctl reload ssh
Step 4 — Firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
If you’re behind Cloudflare and serving only via Cloudflare, restrict 80/443 to Cloudflare’s IP ranges instead.
Step 5 — Automatic Security Updates
sudo apt update
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Edit /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
Step 6 — Web Server with TLS
Install Caddy — it handles Let’s Encrypt automatically.
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update && sudo apt install -y caddy
Edit /etc/caddy/Caddyfile:
example.com {
reverse_proxy localhost:3000
}
Point your DNS A record at the VPS IP, then:
sudo systemctl reload caddy
Caddy fetches a Let’s Encrypt cert and renews it forever.
Step 7 — Deploy Your App
For a Node app, install Node 20 LTS and run under systemd:
curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
sudo apt install -y nodejs
sudo mkdir -p /srv/myapp
sudo chown ops:ops /srv/myapp
# rsync your code into /srv/myapp, then npm install
Create /etc/systemd/system/myapp.service:
[Unit]
Description=My App
After=network.target
[Service]
Type=simple
User=ops
WorkingDirectory=/srv/myapp
ExecStart=/usr/bin/node server.js
Restart=on-failure
RestartSec=5
Environment=NODE_ENV=production
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable --now myapp
sudo journalctl -u myapp -f # tail logs
Visit https://example.com — your app is live behind TLS.
Step 8 — Backups
Install restic and back up to Backblaze B2 (cheapest at $6/TB/mo):
sudo apt install -y restic
export RESTIC_REPOSITORY="b2:my-bucket:vps-prod"
export RESTIC_PASSWORD="<long-passphrase>"
restic init
restic backup /etc /home /srv /var/lib/postgresql
Schedule via systemd timer or cron at 03:00 daily. Test a restore monthly.
Step 9 — Monitoring
Lightweight on-box: Netdata.
bash <(curl -Ss https://my-netdata.io/kickstart.sh) --dont-wait
Bind it to localhost only and reverse-proxy through Caddy with HTTP basic auth, or tunnel via SSH for occasional checks.
External: add a free UptimeRobot or BetterStack monitor that hits your URL every 5 minutes from multiple regions.
Step 10 — Snapshot Baseline
Take a provider snapshot now. If something goes wrong in week 2, you can restore in under a minute. Snapshots cost ~$0.05/GB/mo — cheap insurance.
Time and Cost Recap
| Item | Cost |
|---|---|
| VPS (Hetzner CX22) | $5/mo |
| Domain | $1/mo (annualized) |
| Backups (B2, 50GB) | $0.30/mo |
| Monitoring (UptimeRobot Free) | $0 |
| TLS (Let’s Encrypt) | $0 |
| Total monthly | ~$6.30 |
Tips for First-Time VPS Setup in 2026
- Run through the checklist once on a throwaway box. Make every mistake on a $5 VPS that can be destroyed and rebuilt.
- Save the commands as an Ansible playbook by week two. Future setups become a 5-minute job.
- Don’t expose your application directly. Put Caddy in front of every app. Apps that bind to public ports get scanned within minutes.
- Test backup restores monthly. A backup you’ve never restored is a guess, not a backup.
- Document the rebuild plan. Write down “how to rebuild this VPS from scratch” in a private repo. Read it before you need it.
For deeper hardening and ops, see our Self-Managed VPS Guide.
Recommended Offers
💡 Editor’s pick — best beginner VPS: DigitalOcean Basic Droplet — clean UX, $200 credit, beginner-friendly docs.
💡 Editor’s pick — cheapest production VPS: Hetzner Cloud CX22 — 2 vCPU, 4GB RAM, 40GB NVMe for ~$5/mo.
💡 Editor’s pick — global regions: Vultr — 32 regions, hourly billing, $250 free credit.
FAQ — How to Set Up a VPS
Q: How long does VPS setup take? A: 45–60 minutes the first time following this guide. ~10 minutes per server once you’ve packaged the steps as an Ansible playbook.
Q: Do I need to be a Linux expert? A: No — you need to be comfortable copying commands, reading what they do, and using SSH. Each command in this guide is intentional and documented.
Q: What if I lock myself out of SSH? A: Most providers offer a console (web-based VNC) in the control panel. Use it to fix the SSH config and get back in.
Q: Should I use a control panel like cPanel or Plesk? A: Optional. For one or two apps, the systemd + Caddy stack here is simpler. For hosting many sites for clients, panels add value.
Q: Can I host multiple websites on one VPS? A: Yes — Caddy makes it trivial. Add another block in the Caddyfile per domain, point DNS, reload Caddy.
Q: How do I scale beyond one VPS? A: When you outgrow a single box: add a managed Postgres, put a load balancer in front of multiple app VPS, then move static assets to object storage + CDN. See our VPS vs Dedicated Server for upgrade paths.
Related Reading on Rightework
- Self-Managed VPS Guide for 2026
- Best VPS Hosting of 2026
- Best Cheap VPS Hosting 2026
- Best NVMe VPS Hosting 2026
- Best Developer Tools 2026
Final Verdict
A solid VPS setup in 2026 is a checklist, not an art form. Provision a KVM box, harden SSH, drop a firewall, enable unattended-upgrades, install Caddy, run your app under systemd, back up off-server with restic, and monitor with Netdata + UptimeRobot. Run through this guide once on a $5 Hetzner box and you’ll have a production-ready stack you can replicate in 10 minutes for the rest of your career.
This article is for informational purposes only. VPS pricing, performance, and features are accurate as of publication and subject to change. Rightework may receive compensation for some placements; rankings are independent.
By Rightework Editorial · Updated May 9, 2026
- vps hosting
- setup guide
- 2026
- hosting
- tutorial