# Running Zurg in Hetzner Cloud

Zurg leverages support for .STRM files and WebDAV to create a shareable media library; it pairs very well with Infuse. (This is a low cost, low complexity deployment that is not suited for users of Emby, Jelly, Plex, *arr.)

Zurg is available in a private repository: debridmediamanager/zurg
Caddy is used as a reverse proxy with automatic SSL certificates to enable HTTPS.
Hetzner Cloud Run serves Zurg and Caddy as docker containers in a low-resource virtual server.

# Prerequisites

Hetzner Cloud CLI installed and configured.
GitHub Personal Access Token (Classic) with limited scopes: read:packages repo read:org

# Configure Hetzner Cloud Server

Configure Hetzner CLI and your SSH key:

Create a context for hcloud. You will be prompted for an API token from your Hetzner Cloud project:

 hcloud context create zurg-deployment
 hcloud context active zurg-deployment

Select the names and ID of an existing SSH key saved to Hetzner Cloud:

 hcloud ssh-key list
 printf "SSH key name or ID: " && read KEY_NAME

Upload a new public SSH key if needed:

 printf "SSH key name or ID: " && read KEY_NAME
 hcloud ssh-key create --name "$KEY_NAME" --public-key-from-file ~/.ssh/id_rsa.pub

Create a new Hetzner Cloud server:

 hcloud server create \
   --name zurg-server \
   --type cx22 \
   --image ubuntu-22.04 \
   --location fsn1 \
   --ssh-key "$KEY_NAME"

Note

This deployment uses the most basic virtual server cx22 in fsn1.

Once zurg-server is running, save its IP address:

 export ZURG_SERVER_IP=$(hcloud server ip zurg-server)
 echo "Server IP: $ZURG_SERVER_IP"

Update and Install Dependencies:

Connected to your server:

local
 hcloud server ssh zurg-server

Add both Docker and GitHub as package sources to Ubuntu:

remote
 curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
 | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
 | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
 | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
 | sudo tee /etc/apt/sources.list.d/docker.list

Install Curl, Docker, Docker Compose version 2, and GitHub CLI:

remote
 sudo apt update && sudo apt upgrade -y
 sudo apt install -y curl docker.io docker-buildx-plugin docker-compose-plugin gh

Establish GitHub Credentials:

To access private repositores, your server requires a new or exisiting GitHub Personal Access Token (Classic) with the following scopes: read:packages repo read:org

Temporarily save your GitHub username and token:
remote server
```
 printf "GitHub username: " && read GITHUB_USERNAME
 printf "GitHub token (hidden): " && read -s GITHUB_TOKEN && echo
```
Log in to GitHub with both docker and gh
remote server
```
 echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$GITHUB_USERNAME" --password-stdin
 echo "$GITHUB_TOKEN" | gh auth login --with-token
```
Unset the GITHUB_TOKEN variable after a successful login:
remote server
```
 unset GITHUB_TOKEN
```
Warning

Ensure this token is limited in scope: repo read:packages read:org The token will still be exposed in these files:
/root/.docker/config.json
~/.config/gh/hosts.yml.

# Configure and Deploy Zurg & Caddy

Create a local docker-compose.yml file to define and manage your deployment of Zurg with Caddy for HTTPS:

docker-compose.yml
services:
  zurg:
    image: ghcr.io/debridmediamanager/zurg:latest
    command: ["--config", "/app/config.yml"]
    #image: zurg-local
    #command: ["/root/zurg", "--config", "/app/config.yml"]
    container_name: zurg
    restart: always
    expose:
      - "9999"
    volumes:
      - /etc/zurg/config.yml:/app/config.yml:rw
      - /etc/zurg/logs:/app/logs
      - /etc/zurg/data:/app/data
      - /etc/zurg/strm:/app/strm
    environment:
      - LOG_LEVEL=INFO

caddy:
  image: caddy:latest
  container_name: caddy
  restart: always
  ports:
    - "80:80"
    - "443:443"

volumes:
  - /etc/zurg/Caddyfile:/etc/caddy/Caddyfile:ro
  - caddy_data:/data
  - caddy_config:/config

volumes:
  caddy_data:
  caddy_config:

Create a local config.yml file for Zurg.

config.yml
 zurg: v1
 token: ****************************************************
 base_url: "https://username:password@your.domain.org"
 username: ********
 password: ********
 serve_strm_files: true

Create a local Caddyfile for automatic HTTPS:
Caddyfile
```
 zurg.andrewe.link {
 	reverse_proxy zurg:9999
 }
```
Transfer these local files (found in the same folder) to your server :
docker-compose.yml config.yml Caddyfile
local
```
 scp docker-compose.yml config.yml Caddyfile root@$ZURG_SERVER_IP:/tmp/
```
remote
```
 sudo mkdir -p /etc/zurg
 sudo mv /tmp/{docker-compose.yml,config.yml,Caddyfile} /etc/zurg/
```
Navigate to the zurg directory, start Zurg in detached mode, and confirm zurg and caddy containers are both running:
remote
```
 cd /etc/zurg
 sudo docker compose up -d
 sudo docker ps
```
Note

This command will pull the :latest Zurg and Caddy images, start both containers, and make Zurg accessible via HTTPS (automatic SSL certificates).

# Update Zurg

# option 1: pull latest image recommended

To update Zurg using a pre-built image, update docker-compose.yml, pull :latest image from debridmediamanager/zurg, manually remove any existing zurg containers, and recreate the zurg container in detached mode (apply the update without affecting the Caddy reverse proxy):

docker-compose.yml example
image: ghcr.io/debridmediamanager/zurg:latest
command: ["~/zurg", "--config", "/config/config.yml"]

Important

The locally built image will use ~/zurg as the binary path and the location of your config.yml file. Update docker-compose.yml accordingly.

remote
cd ~
nano docker-compose.yml # optional: edit docker-compose.yml
sudo docker compose pull zurg
sudo docker compose down zurg
sudo docker compose up -d zurg

# option 2: build from source

To update Zurg using the most recent source code, update docker-compose.yml, clone/update debridmediamanager/zurg, rebuild the Docker image, and recreate the container:

docker-compose.yml example
image: zurg-local
command: ["~/zurg", "--config", "/config/config.yml"]

Important

The locally built image will use ~/zurg as the binary path and the location of your config.yml file. Update docker-compose.yml accordingly.

remote
cd ~/zurg
nano docker-compose.yml # optional: edit docker-compose.yml
gh repo clone debridmediamanager/zurg zurg.git
git -C /etc/zurg/zurg.git pull
sudo docker buildx build --no-cache -t zurg-local .
sudo docker compose up -d zurg

# Update Caddy

remote
sudo docker compose pull caddy
sudo docker compose up -d caddy

Tip

Caddy automatically handles SSL certificate provisioning and renewal through Let’s Encrypt. No manual certificate management is required. Certificates are stored in the caddy_data Docker volume and will be automatically renewed before expiration.

# Running Zurg in Hetzner Cloud

# Prerequisites

# Configure Hetzner Cloud Server

Note

Warning

# Configure and Deploy Zurg & Caddy

Note

# Update Zurg

# option 1: pull latest image recommended

Important

# option 2: build from source

Important

# Update Caddy

Tip