The latest articles on Forem by Nadiar Syaripul (@codxse). https://forem.com/codxse https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3908845%2F1ec6345f-5523-4dc0-9951-0dcdb43aa1d5.jpeg https://forem.com/codxse en Nadiar Syaripul Sat, 02 May 2026 10:56:09 +0000 https://forem.com/codxse/how-to-deploy-any-public-docker-image-like-wg-easy-to-a-vps-using-kamal-jmn https://forem.com/codxse/how-to-deploy-any-public-docker-image-like-wg-easy-to-a-vps-using-kamal-jmn <p>Kamal is my go-to deployment tool for Rails apps — it handles SSL, zero-downtime deploys, and the proxy with a single kamal deploy command. But officially, Kamal expects you to build and push your own image. It can't deploy an arbitrary public image directly from a registry like Docker Hub or GHCR.</p> <p><em>Or so I thought.</em></p> <p>In this post, I'll show you a small trick using a placeholder Dockerfile + <a href="https://kamal-deploy.org/docs/configuration/accessories/" rel="noopener noreferrer">Kamal accessories</a> to deploy any publicly available Docker image to a VPS — no custom build required.</p> <h2> The Problem </h2> <p>Sometimes you just want to run a pre-built public image on your server. In my case, I needed to deploy <a href="https://github.com/wg-easy/wg-easy" rel="noopener noreferrer">wg-easy</a> — a WireGuard UI — on a VPS where I already have SSH access.<br> Kamal's normal flow assumes:</p> <ul> <li>You have a Dockerfile</li> <li>You build and push your own image to a registry</li> <li>Kamal pulls and deploys that image</li> </ul> <p>But for third-party images, step 1 and 2 are unnecessary overhead.</p> <h2> The Trick: Accessories + Placeholder Dockerfile </h2> <p>Kamal has a feature called accessories — long-running companion services (think databases, sidekiq workers) deployed alongside your main app. Crucially, accessories can pull any image directly from a public registry.</p> <p>The workaround:</p> <ul> <li>Deploy the real app (e.g. <code>wg-easy</code>) as an accessory</li> <li>Use a minimal placeholder Dockerfile (just an nginx image) as the "main" app to satisfy Kamal's build requirement</li> </ul> <p>Here's the full setup:</p> <p>File structure<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── config │ └── deploy.yml └── Dockerfile </code></pre> </div> <p>Dockerfile (placeholder)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> nginx:alpine</span> <span class="k">COPY</span><span class="s"> nginx.conf /etc/nginx/conf.d/default.conf</span> </code></pre> </div> <p>That's literally it. This exists only to satisfy Kamal's builder step.</p> <p>config/deploy.yml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Name of your application.</span> <span class="na">service</span><span class="pi">:</span> <span class="s">wg-easy</span> <span class="c1"># Placeholder image name (for the proxy app, not the real one).</span> <span class="na">image</span><span class="pi">:</span> <span class="s">wg-easy-proxy</span> <span class="na">servers</span><span class="pi">:</span> <span class="na">web</span><span class="pi">:</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">111.222.333.444</span> <span class="c1"># your VPS IP</span> <span class="na">ssh</span><span class="pi">:</span> <span class="na">user</span><span class="pi">:</span> <span class="s">ubuntu</span> <span class="na">keys</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">~/.ssh/id_ed25519"</span> <span class="na">proxy</span><span class="pi">:</span> <span class="na">ssl</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">host</span><span class="pi">:</span> <span class="s">example.yourdomain.com</span> <span class="na">app_port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="c1"># Image registry (AWS ECR shown here, Docker Hub works too).</span> <span class="na">registry</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">xxxx.dkr.ecr.us-west-1.amazonaws.com</span> <span class="na">username</span><span class="pi">:</span> <span class="s">AWS</span> <span class="na">password</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">AWS_ECR_CREDENTIALS</span> <span class="na">builder</span><span class="pi">:</span> <span class="na">arch</span><span class="pi">:</span> <span class="s">amd64</span> <span class="na">dockerfile</span><span class="pi">:</span> <span class="s">Dockerfile</span> <span class="c1"># wg-easy runs as an accessory — this is where the real image is pulled.</span> <span class="na">accessories</span><span class="pi">:</span> <span class="na">wg-easy</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ghcr.io/wg-easy/wg-easy:15</span> <span class="na">host</span><span class="pi">:</span> <span class="s">111.222.333.444</span> <span class="na">env</span><span class="pi">:</span> <span class="na">clear</span><span class="pi">:</span> <span class="na">PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">51821"</span> <span class="na">HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0"</span> <span class="na">INSECURE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="na">options</span><span class="pi">:</span> <span class="s2">"</span><span class="s">cap-add"</span><span class="err">:</span> <span class="pi">-</span> <span class="s">NET_ADMIN</span> <span class="pi">-</span> <span class="s">SYS_MODULE</span> <span class="s2">"</span><span class="s">publish"</span><span class="err">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">51820:51820/udp"</span> <span class="err"> </span><span class="s2">"</span><span class="s">sysctl"</span><span class="err">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">net.ipv4.ip_forward=1"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">net.ipv4.conf.all.src_valid_mark=1"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">net.ipv6.conf.all.disable_ipv6=0"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">net.ipv6.conf.all.forwarding=1"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">net.ipv6.conf.default.forwarding=1"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">wg_data:/etc/wireguard"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/lib/modules:/lib/modules:ro"</span> </code></pre> </div> <p>Deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kamal deploy </code></pre> </div> <p>That's it. Kamal builds and pushes the placeholder nginx image, then pulls and runs wg-easy as an accessory on your VPS.</p> <h3> Result </h3> <p>Once deployed, wg-easy gives you a clean web UI to manage WireGuard configurations — no terminal needed.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp2m68pb4m9sb125x0u43.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp2m68pb4m9sb125x0u43.png" alt="Easy WireGuard. We can easily create any WireGuard configuration without touching the terminal."></a></p> <p>This approach works well when:</p> <ul> <li>You want to self-host a public Docker image (Plausible, Uptime Kuma, wg-easy, etc.)</li> <li>You already use Kamal and want a consistent deployment workflow</li> <li>You want SSL and zero-downtime handling without setting up Kubernetes</li> </ul> <p><em>If you found this useful, I share more Rails and DevOps tips on X: <a href="https://x.com/codxse" rel="noopener noreferrer">@codxse</a></em></p> docker ruby kamal webdev