GroundCtrl: Deploying Your Own Self-Hosted PaaS in 5 Minutes

For years, we managed our client deployments the hard way: spinning up generic VPS instances, manually fighting through Docker container overhead, praying that NGINX routing didn’t break during an update, and dealing with painful database isolation issues.

We eventually hit a breaking point. While massive enterprise cloud orchestrators exist, they are often incredibly expensive and completely overkill for boutique agencies spinning up standard React or high-performance Astro web applications.

So, we built GroundCtrl—our “Agency in a Box.”

GroundCtrl is a custom, highly optimized PaaS (Platform as a Service) designed to natively orchestrate multi-tenant routing, SQLite database isolation, and atomic zero-downtime deployments all from a simple, clean UI. In this guide, we are going to walk through exactly how the platform lifecycle works from a fresh bare-metal server to a fully SSL-secured deployment.

Phase 1: Bootstrapping the Node (DEV vs. PROD)

Before you can orchestrate client sites, the GroundCtrl Node itself must be configured.

The beauty of GroundCtrl is its environment awareness. When you boot the application for the first time, you are placed into the Setup Wizard.

GroundCtrl Initial Dashboard Setup Phase

At this initial stage, the orchestrator detects its active environment:

DEV Mode: If developing locally, the wizard gracefully skips all strict Cloudflare edge-binding dependencies. It acts securely as a local Node API backend allowing you to immediately link your template Component Libraries without complex network spoofing.
PROD Mode: When running on a live bare-metal VPS, the Orchestrator expects a Cloudflare Global API Key. It natively generates a celestial subdomain (e.g., pulsar.ahm-labs.com), binds its own NGINX proxy pass, runs Certbot against itself, and fully encrypts its own Dashboard.

Phase 2: Tenant Provisioning

Once the Master Node is active and secured, we transition out of the setup wizard and into standard orchestration.

When onboarding a new client, you no longer write brittle bash scripts. You simply drop into the dashboard and define a new Tenant Project.

Defining the New Tenant via Dashboard

During this phase, you define the target Origin Repository, custom routing domains, Turnstile secrets, and its infrastructure topology (e.g. SSG vs SSR). Because GroundCtrl avoids creating monolithic failure points, saving this form dynamically spawns a highly portable, dedicated client_id.db exclusively isolated for this tenant.

Phase 3: The Atomic Pipeline & NGINX Mapping

Now that the tenant parameters are mapped, GroundCtrl flexes its automated orchestration muscle. The system connects to the given origin repository, clones the code layer, and triggers the isolated build pipelines automatically.

To see what this actually looks like in real time, watch the orchestrator burn through the initial build process:

Orchestrator Initial Provisioning GIF

What you are witnessing is a “Vercel-like” deployment pipeline functioning natively. GroundCtrl compiles cleanly into a timestamped directory (e.g. /releases/[timestamp]), and once verified, instantly updates symlinks to execute a flawless atomic directory swap without disrupting any live traffic.

Orchestrator Logs Compiling Atomic Layers

Behind the scenes, the internal routing sockets are updated and dynamically injected directly into the NGINX gateway configurations—skipping the terrifying process of writing NGINX rewrites manually via nano over SSH.

Phase 4: Automated SSL Management

We have reached the finish line. The final hurdle in manual deployment is almost always SSH-ing back into the server, stalling for DNS propagation to clear, and manually executing Let’s Encrypt certificates.

GroundCtrl intercepts this entirely through native edge-automation.

Automated SSL Mapping GIF

Our internal proxy module tracks the domain lifecycle. The moment the tenant’s new NGINX routing configuration logs as successfully “Live”, GroundCtrl communicates natively with the certification authorities to automatically fetch, apply, and schedule the SSL renewal without a single human keystroke.

Final Dashboard Depicting Live Project Domains

Conclusion: Reclaiming Development Time

In under five wall-clock minutes, we have gone from a fresh web server to a dynamically routed, SSL-secured, multi-tenant web application isolated on its own localized SQLite container.

No third-party subscription limits, no Docker networking nightmares, and absolutely no external headless CMS database fees. By unifying the tools we constantly use into GroundCtrl, we have reclaimed our engineering time—allowing us to focus strictly on building high-performance websites for our clients.