Is there any service to manage env variables on remote machines? Like I have my server on Hetzner, could I use something to modify my env variables or to check logs?

**Yes, there are several excellent services and tools for managing environment variables (env vars/secrets) on remote machines like your Hetzner VPS, as well as checking/viewing logs remotely.** These avoid manual SSH + editing files every time and follow better security practices (no plain .env files sitting on the server).

Here are the most practical options, grouped by use case:

1. Dedicated Secrets/Env Var Managers (Best for injecting secrets securely)
These let you **store and edit env vars centrally** (via web dashboard or API), then **pull/inject them as real environment variables** into your apps on the remote server at runtime. No more .env files on disk.

- Infisical (strongly recommended – open-source + cloud option) Centralized dashboard for secrets, API keys, etc. On your Hetzner server: Install their lightweight CLI (`infisical`), then run apps like `infisical run -- your-app-command`. Secrets are injected as env vars automatically (no code changes needed). Supports multiple environments (dev/staging/prod), audit logs, access control, and self-hosting (you can even run it on the same Hetzner VPS). Great for teams or solo devs who want to modify vars centrally and have them update on restart.
- Doppler (SaaS, very developer-friendly) Similar workflow: Web UI to manage vars → CLI command doppler run -- your-app-command injects them live. Excellent for any Linux/VPS setup. Supports syncing, rotations, and integrations. No self-hosting, but very polished CLI.
- EnvKey (open-source option) Another solid encrypted config/secrets manager with similar CLI-based injection.
2. Self-Hosted PaaS for Full App + Env + Logs Management (Easiest if you use Docker)
If you run apps via Docker/Docker Compose (very common on Hetzner), **Coolify** is perfect:

- Install it with one command on your Hetzner VPS → get a beautiful web dashboard (like a self-hosted Heroku/Netlify).
- Env vars: Edit them directly in the UI (normal form or raw .env-style editor), per app and per environment. Coolify writes them securely and loads them into containers.
- Logs: Built-in real-time container logs, monitoring, and deployment logs — view/search everything from the browser without SSH.
- Git-based deploys, automatic SSL, reverse proxy, etc.
- Many Hetzner-specific tutorials exist; it runs great on a cheap CX/CPX VPS.
3. Dedicated Log Management Services (For checking logs remotely)
- Papertrail (SaaS, super simple and recommended for VPS) Install a tiny agent (remote_syslog2) or configure rsyslog on your Hetzner server once. It forwards app logs, text files, systemd logs, etc., to their cloud dashboard. Then tail/search live logs in the browser (or via CLI/API) — no SSH required. Fast, has a free plan, and works with any app/language.
- Other good ones: Datadog, Loggly, or self-hosted Graylog/ELK + Grafana Loki (if you want everything on your own hardware).
Quick Recommendations Based on Your Setup
- Just want env vars + occasional log checks → Start with Infisical (or Doppler) + Papertrail. Minimal overhead.
- Run Docker apps and want a full dashboard → Coolify on your Hetzner VPS (covers both env vars and logs in one place).
- Already using CI/CD (GitHub Actions, etc.) → Most of these integrate natively.
Why Coolify Fits Perfectly
- Docker Compose first-class support: Point it at your docker-compose.yml (or docker-compose.production.yml). It treats the compose file as the source of truth but pulls in env vars from its UI.
- Env vars management: Define variables in your compose file like `DATABASE_URL=${DATABASE_URL:?}` (the `:?` makes them required). Coolify detects them automatically and shows a clean UI form (or raw editor) to set different values for dev vs prod deployments. You get separate environments/projects easily.
- Dev vs Prod: Create separate resources (or branches) in Coolify — one for dev (pointing to a dev branch), one for prod. Or use multiple compose files and switch via Coolify.
- Logs: Built-in real-time logs for all containers/services, searchable, with deployment history. No more constant SSH tailing.
- Vapor/Swift compatibility: Your Vapor app builds fine with a standard Dockerfile + Compose. Coolify handles the build/deploy cycle via Git (push → deploy).
- Single dev friendly: One-command install on Hetzner, free/open-source core, automatic HTTPS (Traefik), domains, backups, monitoring, etc. Runs great on cheap Hetzner CX/CPX instances.

```bash
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash
```

Then access http://your-server-ip:8000, create an admin user, and add your server (it auto-installs Docker if needed).

Connect your GitHub repo → choose **Docker Compose** build pack → specify the path to your compose file.

Handling Env Vars Securely in Coolify + Compose

In your docker-compose.yml (or production variant):

```yaml
services:
  vapor-app:
    build: .
    environment:
      - APP_ENV=${APP_ENV:?}            # Required, e.g. production or development
      - DATABASE_URL=${DATABASE_URL:?}
      - JWT_SECRET=${JWT_SECRET:?}
      - APP_KEY=${APP_KEY:?}            # Vapor-specific
      # ... other vars
    # ports, volumes, etc.
```

Coolify shows these in the UI for editing per deployment. Use shared variables across services if needed. For extra secrets security, combine with Docker secrets or external managers.

Alternative/Complementary: Infisical (for Centralized Secrets)
If you want a dedicated secrets dashboard (highly recommended for production/TestFlight keys):

- Self-host Infisical on the same Hetzner VPS (easy Docker Compose setup).
- Use its CLI or machine identities to inject secrets at runtime into your containers.
- Works alongside Coolify: Manage vars centrally in Infisical → pull them into Coolify deployments.
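
A pre-deploy check for the `${VAR:?}` convention and for secret values that ended up as literals in the compose file, added here as an example; it is not part of the original answer or of Coolify's or Infisical's tooling. The function names, the key-name heuristic and the sample compose file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a compose file that uses the ${VAR:?} convention.

# Names referenced as ${NAME:?...}, one per line.
required_vars() {
  grep -oE '\$\{[A-Za-z_][A-Za-z0-9_]*:\?' "$1" | tr -d '${:?' | sort -u
}

# Required names that are unset or empty in the exported environment,
# i.e. the ones that would make `docker compose` refuse to start.
missing_vars() {
  required_vars "$1" | while read -r name; do
    [ -n "$(printenv "$name")" ] || echo "$name"
  done
}

# "line:text" for secret-looking keys set to a literal, and for a literal
# after --token. Heuristic on key names (assumption), not a full YAML parse.
hardcoded_secrets() {
  grep -nE \
    -e '^[[:space:]]*(-[[:space:]]*)?[A-Za-z0-9_]*(SECRET|TOKEN|PASSWORD|KEY)[A-Za-z0-9_]*[[:space:]]*[=:][[:space:]]*"?[^$"[:space:]]' \
    -e '--token[= ]+"?[^$"[:space:]]' "$1" || true
}

# Print findings; succeed only when there are none.
lint_compose() {
  missing=$(missing_vars "$1")
  literal=$(hardcoded_secrets "$1")
  [ -z "$missing" ] || echo "$missing" | sed 's/^/unset or empty: /'
  [ -z "$literal" ] || echo "$literal" | sed 's/^/literal secret, line /'
  [ -z "$missing$literal" ]
}

# Constructed sample: two required vars, one literal secret, one literal token.
write_sample() {
  cat > "$1" <<'EOF'
services:
  vapor-app:
    environment:
      - APP_ENV=${APP_ENV:?}
      - DATABASE_URL=${DATABASE_URL:?}
      - JWT_SECRET=constructed-literal-value
    command: infisical run --token constructed-token -- ./Run serve
EOF
}

sample=$(mktemp)
write_sample "$sample"
lint_compose "$sample" || echo "resolve the findings above before deploying"
rm -f "$sample"
```

Run it against each compose file before pushing, since anything committed to the Git repository that Coolify deploys from is readable by everyone with repository access.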
Logs Recommendation
- Coolify built-in → sufficient for most solo use (container logs, deployment logs).
- For advanced tailing/search/alerts: Add Papertrail or self-hosted Loki + Grafana (both integrate easily with Docker).
Quick Workflow for You
- Install Coolify on Hetzner.
- Push your Vapor + Docker Compose repo to GitHub.
- Deploy as Docker Compose resource in Coolify.
- Set dev/prod env vars in the UI.
- For TestFlight: Keep iOS-side config separate (e.g., via Xcode or CI), but backend API keys can live in Coolify/Infisical.
- Deploy → view logs in browser.
- Coolify installs its own Traefik reverse proxy (ports 80/443 by default) → this will conflict with your existing nginx. We will migrate the proxy to Traefik (recommended — it handles SSL automatically with Let’s Encrypt, just like certbot). Nginx can be stopped/re-purposed or removed later.
- Downtime of ~10–30 minutes during migration is expected.
- Backup everything first (see step 1).
- Coolify works best with a Git repository (your compose files become the source of truth). Local paths only work with some limitations, so we’ll use Git.
Step 1: Backup (do this NOW)

```bash
cd /opt/stockplan
tar -czf ~/stockplan-backup-$(date +%Y%m%d).tar.gz .
cp -r /etc/nginx /root/nginx-backup
cp -r /etc/letsencrypt /root/certbot-backup   # if using certbot
docker compose -f docker-compose.production.yml ps   # note running containers
```

Step 2: Put your code in Git (required for smooth Coolify Docker Compose deploys)

If you don’t have a repo yet:

```bash
cd /opt/stockplan
git init
git add .
git commit -m "Initial commit - stockplan with dev/prod compose"
# Create a private GitHub/GitLab repo and push
git remote add origin https://github.com/yourusername/stockplan.git
git push -u origin main
```

Keep docker-compose.dev.yml, docker-compose.production.yml, docker-compose.yml, Dockerfile, Dockerfile.dev, etc. in the repo. (You can keep the local /opt/stockplan folder as a fallback.)

Step 3: Install Coolify on your Hetzner server

Run as root:

```bash
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | sudo bash
```

- This installs Docker (if missing), creates /data/coolify/, sets up Traefik + Coolify.
- It will show a URL like http://YOUR-SERVER-IP:8000.
Step 4: First-time Coolify setup
- Log in at http://YOUR-IP:8000.
- Go to Servers → your server should already be added (localhost). If not, add it manually via SSH (it uses the root user).
- (Optional but recommended) Go to Settings → General and set your domain if you want Coolify dashboard on HTTPS later.

```bash
systemctl stop nginx
systemctl disable nginx   # optional — you can re-enable later if needed
```

Traefik (Coolify) will now take ports 80/443. Your existing certbot certs are not needed anymore — Coolify handles SSL.

Step 5: Deploy your Stockplan API with Coolify (Docker Compose build pack)

We’ll create **two separate resources** (one for dev, one for prod) so you can manage them independently.

- In Coolify → Projects → Create new project called Stockplan.
- Inside the project → Create New Resource → Application (or Service if you prefer).
- Choose Git Repository → paste your repo URL + select main branch (or develop for dev).
- Build Pack → change from Nixpacks to Docker Compose.
- Configure:
  - Base Directory: / (or wherever your compose files live)
  - Docker Compose Location: docker-compose.production.yml (for prod resource)
  - Branch: main for prod, or create a second resource with develop branch + docker-compose.dev.yml
- Click Continue → Coolify will parse your compose file.
- In your docker-compose.production.yml (and dev variant), change env vars to this format:

  ```yaml
  services:
    vapor-app:   # or whatever your service name is
      environment:
        - APP_ENV=${APP_ENV:?}
        - DATABASE_URL=${DATABASE_URL:?}
        - JWT_SECRET=${JWT_SECRET:?}
        - APP_KEY=${APP_KEY:?}
        # ... all your Vapor vars
  ```

  (The `:?` makes them required in Coolify UI.)
- Coolify will auto-detect them and show a nice form. Fill them in the UI for now (we’ll move them to Infisical in step 7).
- Assign a domain to your Vapor service (e.g. api.stockplan.com or dev.api.stockplan.com).
  - Coolify/Traefik will auto-issue SSL.
- Click Deploy. Coolify will:
  - Clone the repo
  - Run `docker compose -f docker-compose.production.yml up -d --build`
  - Show real-time logs

Step 6: Deploy Infisical inside Coolify (easiest way)
Coolify has a one-click template for Infisical.

- In the same Stockplan project → Create New Resource → Service → search for Infisical.
- Choose the official Infisical template (it sets up PostgreSQL + Redis + Infisical backend).
- Assign a domain, e.g. secrets.stockplan.com.
- Deploy it.
# In Coolify you can also paste this as a raw compose service, but one-click is simpler.
After deployment, open https://secrets.stockplan.com and create your first admin account.

Step 7: Move all secrets to Infisical (dev + prod)
- In Infisical dashboard:
  - Create two projects: stockplan-dev and stockplan-prod.
  - Add all your env vars (DATABASE_URL, JWT_SECRET, etc.) separately for each environment.
- (Recommended) Create Machine Identities (under Project Settings → Identities) for secure, tokenless access from your app.
- Update your Vapor Docker Compose / Dockerfile to inject secrets at runtime:
  - Install Infisical CLI in your Dockerfile (or Dockerfile.dev):

    ```dockerfile
    # Add near the end, before final CMD
    RUN curl -sSL https://infisical.com/install.sh | bash
    ```

    Or use the `infisical run` wrapper in the service definition.
  - Change your entrypoint / command in compose to:

    ```yaml
    # Use --env development in the dev compose file.
    # YOUR_PROJECT_ID and YOUR_MACHINE_TOKEN are placeholders; the CLI also
    # reads the token from the INFISICAL_TOKEN environment variable, which
    # keeps it out of the compose file.
    command: >
      sh -c "infisical run
      --projectId YOUR_PROJECT_ID
      --env production
      --token YOUR_MACHINE_TOKEN
      -- /app/.build/release/Run serve --env production --hostname 0.0.0.0"
    ```

    (Adjust the Vapor run command to match your current one.)
- In Coolify, remove the actual secret values from the UI (keep only the keys with `${VAR:?}`) — they will now come from Infisical at deploy time.
- Redeploy both dev and prod resources.

Step 8: Final cleanup & workflow
- Stop your old manual containers if still running:

  ```bash
  cd /opt/stockplan
  docker compose -f docker-compose.production.yml down
  ```
- Update any monitoring/observability compose if you want Coolify to manage it too.
- New workflow:
  - Edit secrets → Infisical UI (or CLI)
  - Push code to GitHub → Coolify auto-deploys (or click Deploy)
  - View logs, health, envs, backups all in Coolify browser UI
  - For TestFlight → your prod backend is now at the domain you assigned, with secrets pulled securely.

- Coolify managing deployments, logs, scaling, updates
- Infisical managing all secrets centrally (dev/prod separated)
- No more manual SSH editing of env files