Deploy PocketBase on RamNode VPS
Open-source backend with embedded SQLite, real-time subscriptions, authentication, file storage, and admin dashboard — all in a single Go binary.
Prerequisites
- RamNode VPS: KVM-based with at least 1 CPU core, 1 GB RAM, and 10 GB SSD. PocketBase is extremely lightweight.
- Domain name: A registered domain with DNS A records pointed to your VPS IP (e.g.,
api.yourdomain.com) - SSH access: Root or sudo-level SSH access to your VPS
- Basic Linux knowledge: Familiarity with the command line and text editors
Initial Server Setup
Update the System
sudo apt update && sudo apt upgrade -y
sudo apt install -y wget unzip curl ufwCreate a Dedicated User
Running services as root is a security risk. Create a dedicated user for PocketBase.
sudo adduser --system --group --home /opt/pocketbase pocketbaseDownload and Install PocketBase
PocketBase ships as a single precompiled binary. Download the latest release, extract, and install.
Download the Latest Release
Check the PocketBase GitHub releases for the latest version.
cd /tmp
wget https://github.com/pocketbase/pocketbase/releases/download/v0.36.3/pocketbase_0.36.3_linux_amd64.zip
unzip pocketbase_0.36.3_linux_amd64.zip -d pocketbase💡 If your VPS uses an ARM64 processor, download the linux_arm64 variant instead.
Install the Binary
sudo mv /tmp/pocketbase/pocketbase /opt/pocketbase/pocketbase
sudo chown -R pocketbase:pocketbase /opt/pocketbase
sudo chmod +x /opt/pocketbase/pocketbaseVerify the Installation
sudo -u pocketbase /opt/pocketbase/pocketbase --versionpocketbase version 0.36.3Configure Systemd Service
Create a systemd unit file to keep PocketBase running persistently and start on boot.
sudo nano /etc/systemd/system/pocketbase.service[Unit]
Description=PocketBase Backend Service
After=network.target
[Service]
Type=simple
User=pocketbase
Group=pocketbase
WorkingDirectory=/opt/pocketbase
ExecStart=/opt/pocketbase/pocketbase serve --http=127.0.0.1:8090
Restart=on-failure
RestartSec=5
LimitNOFILE=4096
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=multi-user.target💡 The --http=127.0.0.1:8090 flag binds PocketBase to localhost only. External traffic flows through the Nginx reverse proxy.
Enable and Start the Service
sudo systemctl daemon-reload
sudo systemctl enable pocketbase
sudo systemctl start pocketbase
sudo systemctl status pocketbaseIf you encounter errors, check logs with journalctl -u pocketbase -f.
Nginx Reverse Proxy with SSL
Place PocketBase behind Nginx for SSL termination, HTTP/2, and clean URLs.
Install Nginx and Certbot
sudo apt install -y nginx certbot python3-certbot-nginxCreate the Nginx Server Block
sudo nano /etc/nginx/sites-available/pocketbaseserver {
listen 80;
listen [::]:80;
server_name api.yourdomain.com;
client_max_body_size 50M;
location / {
proxy_pass http://127.0.0.1:8090;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}💡 The Upgrade and Connection headers are essential for PocketBase's real-time subscriptions via WebSocket.
Enable the Site and Test
sudo ln -s /etc/nginx/sites-available/pocketbase /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginxObtain an SSL Certificate
sudo certbot --nginx -d api.yourdomain.comCertbot automatically configures HTTPS, redirects HTTP, and sets up auto-renewal via systemd timer.
Configure the Firewall
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 'Nginx Full'
sudo ufw enable
sudo ufw status verbosePort 8090 is not opened because PocketBase only listens on localhost behind Nginx.
Admin Dashboard Setup
Access the admin dashboard to create your first superuser account.
Access the Dashboard
Navigate to https://api.yourdomain.com/_/ in your browser. PocketBase will prompt you to create a superuser account.
Or Create via CLI
sudo -u pocketbase /opt/pocketbase/pocketbase superuser create admin@yourdomain.com YourSecurePasswordThe admin dashboard at /_/ provides a GUI for managing collections (database tables), configuring auth providers, viewing logs, and adjusting mail and S3 storage settings.
Automated Backups
PocketBase stores all data in a SQLite file at /opt/pocketbase/pb_data/data.db.
Create a Backup Script
sudo nano /opt/pocketbase/backup.sh#!/bin/bash
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/opt/pocketbase/backups"
mkdir -p "$BACKUP_DIR"
# Use SQLite online backup to safely copy the database
sqlite3 /opt/pocketbase/pb_data/data.db ".backup '$BACKUP_DIR/data_$TIMESTAMP.db'"
# Also archive uploaded files
tar -czf "$BACKUP_DIR/pb_data_$TIMESTAMP.tar.gz" -C /opt/pocketbase pb_data
# Remove backups older than 7 days
find "$BACKUP_DIR" -type f -mtime +7 -delete
echo "Backup completed: $TIMESTAMP"sudo chmod +x /opt/pocketbase/backup.sh
sudo chown pocketbase:pocketbase /opt/pocketbase/backup.shSchedule with Cron
sudo crontab -u pocketbase -e0 3 * * * /opt/pocketbase/backup.sh >> /opt/pocketbase/backups/backup.log 2>&1For additional redundancy, consider using rsync or rclone to copy backups to offsite or S3-compatible storage.
Updating PocketBase
Always create a backup before updating.
Built-in Update Command
sudo systemctl stop pocketbase
sudo -u pocketbase /opt/pocketbase/pocketbase update
sudo systemctl start pocketbaseManual Update Method
sudo systemctl stop pocketbase
cd /tmp
wget https://github.com/pocketbase/pocketbase/releases/download/vX.X.X/pocketbase_X.X.X_linux_amd64.zip
unzip pocketbase_X.X.X_linux_amd64.zip -d pocketbase-update
sudo mv /tmp/pocketbase-update/pocketbase /opt/pocketbase/pocketbase
sudo chown pocketbase:pocketbase /opt/pocketbase/pocketbase
sudo systemctl start pocketbase⚠️ Check the PocketBase changelog before each update for breaking changes or migration steps.
Security Hardening
SSH Hardening
Disable root login and password authentication.
sudo nano /etc/ssh/sshd_configPermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yessudo systemctl restart sshdEnsure you have uploaded your SSH public key before disabling password authentication.
Fail2Ban for Brute Force Protection
sudo apt install -y fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2banRestrict Admin Dashboard Access (Optional)
Add an IP-based restriction in your Nginx configuration to limit admin dashboard access.
location /_/ {
allow YOUR_IP_ADDRESS;
deny all;
proxy_pass http://127.0.0.1:8090;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}Replace YOUR_IP_ADDRESS with your static IP to restrict admin access while keeping the API publicly available.
Troubleshooting
PocketBase Fails to Start
journalctl -u pocketbase -f --no-pager -n 50Common causes: incorrect file permissions on /opt/pocketbase or a port conflict on 8090.
502 Bad Gateway from Nginx
Verify PocketBase is running and that the Nginx proxy_pass address matches the --http flag in your systemd unit.
SSL Certificate Renewal Issues
sudo certbot renew --dry-runEnsure ports 80 and 443 are open in UFW and Nginx is running.
Database Locked Errors
Under heavy concurrent writes, increase the LimitNOFILE value in your systemd unit and ensure no external processes are accessing the database file directly.
Ready to Deploy PocketBase?
Get started with a RamNode VPS for as little as $4/month.