One command per site
hexforge-ctl site add example.com provisions everything — database, secrets, Caddy routing, Prometheus targets, and the container. DNS and a cert follow automatically.
Client SSH access
Clients run WP-CLI directly over SSH on port 2222. No operator involvement, no shell access. Keys are managed per-site with site add-key / site remove-key.
Full observability
Metrics (Prometheus + Grafana), logs (Loki), and traces (Tempo) are provisioned for every site from day one. Dashboards and alerts ship out of the box.
Coraza WAF
OWASP CRS PL1 runs in-process inside every site container. No separate proxy hop. WordPress exclusions are pre-applied.
Automated backups
Encrypted incremental backups to S3-compatible storage via restic. Runs at 03:00 UTC, alerts if overdue.
Transactional email
AWS SES with automated DNS via deSEC. SPF, DKIM, and DMARC fully aligned. One command to set up, one to tear down.