
Inside the Architecture of dflow.sh, A Lightweight, Self-Hostable PaaS for Developers

Deploying applications in the cloud has become easier than ever, but traditional cloud platforms often come with hidden costs: loss of control over your infrastructure, rising complexity, vendor lock-in, and ballooning expenses. At dflow.sh, we set out to build something different: a platform that empowers developers with full control, effortless deployment, and the freedom to run workloads anywhere they choose.
dflow.sh is a developer-friendly Platform-as-a-Service (PaaS) designed to be lightweight, self-hostable, and extensible. You can run it on your own servers, VPS, or even your laptop, without the need to wrangle Kubernetes or get trapped by vendor ecosystems. Think of dflow.sh as a blend of Heroku’s developer experience and Tailscale’s seamless networking, crafted for teams who want hassle-free Git-based deployments, multi-tenant environments, custom domains, HTTPS out of the box, and zero-trust networking, all while keeping your infrastructure secure and private.
Take a look at this architecture diagram; it will help you follow the architecture in more depth as you read the rest of this post.

Why dflow.sh Stands Out
dflow.sh was created with a clear vision:
- Enable Git-based deployments with real, isolated environments.
- Provide multi-tenant support out of the box.
- Offer custom domain routing with automatic HTTPS and rollback functionality.
- Implement zero-trust networking without exposing SSH ports.
- Let teams run everything on their own servers or cloud VMs, anywhere.
By focusing on the full app lifecycle, from provisioning and configuration to routing and observability, dflow.sh delivers developer happiness and operational simplicity, without reinventing another complex CI/CD pipeline.
Powered by Tailnet: Your Private Network Backbone
Central to dflow.sh’s architecture is Tailscale, which creates a private mesh VPN called Tailnet. This network fabric connects every component using secure, private IPs, allowing your entire PaaS to behave as if it’s running on a local LAN.
- No firewall openings or public endpoints are required.
- VMs and services communicate securely across clouds or physical machines.
- Deployments and SSH commands travel exclusively over Tailscale SSH.
This design enables secure-by-default workflows and protects your infrastructure from unnecessary public exposure.
The dFlow App: Control Plane and Orchestrator
Running inside your Tailnet, the dFlow App is the heart of the platform. It is responsible for:
- Managing tenants, services, domains, and deployments.
- Orchestrating remote Dokku commands over Tailscale SSH.
- Keeping track of app states and VM allocations.
- Serving as the API backend powering CLI and dashboards.
When you deploy or manage apps, the dFlow App connects to the appropriate VM securely and leverages Dokku to handle build, deploy, restart, and teardown seamlessly, whether you run a single machine or an entire fleet.
No Heavy Agents, Just Observability with Beszel
dflow.sh avoids running active control agents on your servers. Instead, it uses the Beszel Agent, which is:
- A passive observer installed on your VMs.
- Responsible for streaming logs, VM health, app status, and uptime metrics.
- Designed not to control deployments or interfere with critical workflows.
Deployments and configurations always run over secure Tailscale SSH channels, ensuring no additional attack surface or single points of failure.
Dokku for Deployments, but SSL is Handled Elsewhere
dflow.sh makes use of the battle-tested Dokku to manage your apps:
- Git- or container-based deploys that isolate tenants properly.
- Config var injection, rollback, restart, and app lifecycle commands.
- Important: Dokku in dflow.sh does NOT handle SSL certificate management or termination.
Instead, SSL and routing responsibilities live with Traefik, ensuring a clear separation of concerns and a more resilient infrastructure.
Traefik: Routing and SSL Termination Made Easy
Public traffic to your applications is handled by Traefik, a dynamic reverse proxy and SSL terminator:
- The dflow.sh Config Generator automatically produces Traefik routing configurations.
- Traefik reloads with zero downtime on every app deploy.
- It manages SSL certificates for all apps and domains via Let’s Encrypt.
- Apps become instantly accessible under custom domains or subdomains with HTTPS enabled.
This decoupling allows Traefik to provide robust, seamless routing and certificate management tailored to multi-tenant environments.
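A sketch of what a routing config generator for this setup has to guard against, as an added example and not dflow.sh's own code: it builds a Traefik dynamic configuration and refuses domains that could alter the `Host` rule, domains already routed for another app, and backends outside the tailnet. The record fields, the `websecure` entry point and `letsencrypt` resolver names, and the assumption that backends are plain HTTP on tailnet IPs are illustrative.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Hostname labels: letters, digits, inner hyphens; alphabetic TLD. Backticks,
# parentheses and "||" are rejected before they can reach the rule string.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"(?:{_LABEL}\.)+[a-z]{{2,63}}")
TAILNET = ip_network("100.64.0.0/10")  # range Tailscale assigns addresses from


def _backend_ok(url):
    """Assumption: app backends are plain HTTP on a tailnet IP."""
    try:
        parts = urlsplit(url)
        return parts.scheme == "http" and ip_address(parts.hostname or "") in TAILNET
    except ValueError:  # malformed URL or host is not an IP literal
        return False


def build_dynamic_config(apps, entry_point="websecure", resolver="letsencrypt"):
    """Build a Traefik dynamic config (file-provider layout) from app records."""
    # Record keys tenant, name, domain, backend are hypothetical.
    routers, services, owners = {}, {}, {}
    for app in apps:
        domain = app["domain"].strip().lower().rstrip(".")
        if len(domain) > 253 or not _HOSTNAME.fullmatch(domain):
            raise ValueError(f"invalid domain: {app['domain']!r}")
        if domain in owners:  # one domain, one route: no silent takeover
            raise ValueError(f"{domain} already routed for tenant {owners[domain]}")
        if not _backend_ok(app["backend"]):
            raise ValueError(f"backend outside the tailnet: {app['backend']!r}")
        key = f"{app['tenant']}-{app['name']}"
        if key in routers:
            raise ValueError(f"duplicate router name: {key}")
        owners[domain] = app["tenant"]
        routers[key] = {
            "rule": f"Host(`{domain}`)",
            "entryPoints": [entry_point],
            "service": key,
            "tls": {"certResolver": resolver},
        }
        services[key] = {"loadBalancer": {"servers": [{"url": app["backend"]}]}}
    return {"http": {"routers": routers, "services": services}}


# Constructed sample record, not taken from dflow.sh.
SAMPLE_APPS = [{"tenant": "acme", "name": "shop", "domain": "Shop.Example.com",
                "backend": "http://100.64.0.11:5000"}]
```

Serialising the returned dictionary to YAML or JSON gives a file that Traefik's file provider can load; the entry point and certificate resolver must already be defined in the static configuration.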
Databases: MongoDB and Redis Power the Control Plane
dflow.sh uses two core databases for reliability and speed:
- MongoDB stores metadata including users, teams, projects, deployments, and routing configurations.
- Redis handles real-time pub/sub interactions, log streaming, and ephemeral state management.
This combination ensures consistent, scalable control plane state without excessive complexity.
Ownership and Flexibility at the Core
What truly differentiates dflow.sh is its commitment to your ownership:
- No vendor lock-in: deploy the control plane wherever you wish.
- Run workloads across multiple cloud providers or your own servers.
- Keep your code, databases, and traffic contained safely within your Tailnet.
- Use Tailnet ACLs and VM-level separation to enforce tenant isolation.
- All databases can be backed up to S3.
You get a full PaaS experience, but with your own rules, your keys, and your infrastructure fully in your hands.
A Day in the Life of a dflow.sh Deployment
Here’s what happens when you run dFlow:
- Your deployment command hits the dFlow App API.
- The app calculates which VM is optimal for deployment.
- dFlow connects via Tailscale SSH to that VM and runs Dokku deployment commands.
- Once the app is up, the Config Generator updates Traefik’s routing rules.
- Traefik seamlessly reloads and issues (or renews) SSL certs for HTTPS.
- Beszel Agents begin sending logs and metrics back to the control plane.
Within seconds, you have a live, secure HTTPS app running on your own infrastructure, all without exposing sensitive ports or credentials publicly.
What’s Next for dflow.sh?
We’re actively shaping the future of dflow.sh to better serve developers, teams, and enterprises. Here's a glimpse of what’s coming:
- Kubernetes Support for Advanced Use Cases: Native support for Kubernetes clusters to handle complex, large-scale deployments.
- Next-Level Backup Systems: Beyond traditional S3 database backups, introducing volume-level and multi-region backup strategies.
- Simplified Self-Hosting: Improved tooling and documentation to make running dflow.sh on your own infrastructure effortless.
- Enterprise-Grade Features: SLAs, audit logs, access control, and white-glove onboarding for large teams and organizations.
- Smarter Cost Efficiency: Optimization features and guides to help users deploy on low-cost VPS without compromising performance.
- Step-by-Step Product Guides: A new learning hub featuring tutorials, videos, and use-case based content to help users unlock the full power of dflow.sh.
Despite these future enhancements, dflow.sh remains committed to its core principles: simplicity, security, and self-hostability.
In conclusion, dflow.sh delivers a modular, secure, and developer-friendly PaaS that blends the best of Heroku-style deployments with Tailscale’s private networking. By distinctly separating application management (via Dokku) and SSL termination/routing (via Traefik), it provides a secure, flexible platform where you retain full control over your cloud-native future.