Terrarium

Appearance

TerrariumTransform any VPS into a secure host with isolated environments for your agents, development, and workloads. Time machine included.

Give each workload its own hardened LXC container, keep it private by default behind NAT, manage it from built-in web UIs, publish only what you mean, and rewind mistakes in small ZFS-backed steps. Lock anything behind single sign-on and user management

Get Started
See Guides
Understand Security
Terrarium

🔐 Harden the host

Terrarium secures the VPS itself first, with SSH hardening and safer defaults, so your management surface is not a raw fresh-server free-for-all.

🤖 Real agent environments

Run OpenClaw, Hermes, VSCodium, Compose stacks, and other workloads that need packages, services, shells, and background processes.

🛡️ Private by default

Containers sit behind LXD NAT, so random scans and inbound internet noise do not hit them directly. A service only becomes public when you expose it.

⏪ Built-in time machine

ZFS snapshots let you roll environments backward in small steps, and S3 exports give you disaster recovery when the whole VPS is gone.

🌐 Publish only what matters

Put apps behind Traefik with TLS and optional OIDC, while databases, Redis, admin ports, and internal APIs stay private inside the container.

🖥️ Built-in management UIs

Cockpit, the LXD UI, and the Traefik dashboard give you a visual control plane instead of forcing everything through the terminal.

Why people use it

One VPS, many isolated environments, much less regret.

Terrarium is for people who want to give agents and development tools room to operate without turning the whole host into a shared blast radius. Each workload gets a real container. The host stays hardened. Recovery gets a built-in time machine.

What changes

  • Agent breaks an environment: step back through snapshots instead of rebuilding from scratch.
  • Compose stack needs Postgres, Redis, workers, and dashboards: keep them inside one private LXC.
  • Browser IDE or internal UI needs public access: publish it through Traefik and protect it with OIDC.

Why Terrarium is safer

The most important part is not flashy, but it changes how comfortable the whole system feels.

Containers are not exposed directly to the internet. They sit behind LXD's private bridge and NAT, which means:

  • random scans and probes do not hit them directly
  • a service listening on 0.0.0.0 inside the container is still not automatically public
  • complex stacks can keep internal services private even when one frontend is exposed

That is why Terrarium works so well for non-experts. You can run a lot inside a container without accidentally publishing all of it.

Good fits

OpenClawGive it a real environment and keep risky experimentation away from the host.HermesRun agent services in their own container and expose only the UI or API you actually want public.VSCodium WebSpin up browser-accessible coding environments with custom packages, isolated filesystems, and proxy-based access.Compose stacksKeep multi-service apps together inside one time-machine-enabled LXC instead of tangling them into the host Docker setup.

Management without memorizing everything

Use the host visually when you want to.

Terrarium is friendly to terminal users, but it is also practical for people who do not want to manage a whole host from raw commands alone.

  • Cockpit for host administration, logs, terminal access, and ZFS-oriented extensions.
  • LXD UI for creating and managing containers, profiles, networks, and snapshots.
  • Traefik dashboard for understanding the live routing layer.

If you want the visual tour, start with Management GUIs.

What Terrarium installs

Everything needed to turn a plain VPS into a safer control plane.

Start here

Getting StartedInstall flow, storage strategy, domains, and identity provider choices.Security ModelWhy private-by-default networking and explicit exposure matter so much here.Management GUIsSee what Cockpit, the LXD UI, and the Traefik dashboard are each good for.Provider GuidesHow to create the VPS correctly on DigitalOcean, Vultr, Hetzner, or Hostinger.terrariumctl ReferenceThe full command surface for install, reconfiguration, backup, restore, and proxy sync.

Built with VitePress

Terrarium