Skip to content

opt-in OS-level security updates for managed/connected servers #4779

Description

@Dolu89

What problem will this feature address?

I chose self-hosting with Dokploy specifically to avoid PaaS costs (Railway, Heroku, etc.) while keeping the deployment simplicity. But that means the underlying VPS's OS-level security (package updates, patching) is entirely on me and I don't have sysadmin experience or the time to manage it properly. I already had an apt upgrade break Traefik/Dokploy compatibility once, and had to fix it under pressure with no real guidance. I suspect a lot of Dokploy users are in the same boat: people who pick self-hosting for cost control, not because they're experienced sysadmins.

Describe the solution you'd like

An opt-in setting (per server) letting Dokploy handle OS-level security updates on the servers it manages e.g. a pre-configured unattended-upgrades (or distro equivalent) that only applies security-tagged patches, explicitly excluding Docker/Traefik-related packages so it can't break the stack. Ideally with a notification before/after each run, a configurable maintenance window, and logs visible in the Dokploy UI so I know what changed.

Describe alternatives you've considered

  • Setting up unattended-upgrades manually myself doable, but I have to figure out the right package exclusions (Docker, containerd, Traefik if applicable) on my own, with no guidance from Dokploy, and no visibility into it from the dashboard.
  • Doing manual apt update && apt upgrade periodically this is what caused the breakage in the first place, since I have no way to know in advance if a package update conflicts with what Dokploy/Traefik expects.

Additional context

I understand this is outside Dokploy's traditional scope as a deployment platform, and that "you manage your own server" is the current model. But for users choosing self-hosting mainly for cost reasons rather than infrastructure expertise, this is a real security gap, an unpatched VPS is a bigger risk than the problem Dokploy is solving. Even a minimal version (just security-only patches, with a safe exclude-list) would go a long way.

Will you send a PR to implement it?

No

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions