
Quickstart

This walks you through the shortest path to a running, publicly reachable app on a host you control. The end state: a Nextcloud at nextcloud-something.cloud.naasson.com, served by your own VM, with a real TLS certificate, in under five minutes of real work.

You will need:

  • a Yandex, Google, or GitHub account (any one) to sign into cloud.naasson.com.
  • a Linux host with sudo and outbound internet — a tiny Hetzner CX11, a spare Raspberry Pi, or a VM you provisioned on AWS, GCP, Yandex Cloud, or wherever. The host does not need a public IP — the Naasson edge reverse-proxies traffic into it.

1. Sign in and create a workspace

Open https://cloud.naasson.com, sign in, and create a workspace. The workspace is just a label — a grouping for everything you’ll deploy together. You’ll get a 13-character cloud_segment (e.g. 6kf7v5tdfdtgr) bound to it that we use for stable subdomain pieces.

2. Mint an agent token

Go to My tunnels (/{locale}/my/tunnels/) → New route → pick your workspace → Mint new agent token.

The page shows a one-time agent_token (64 hex chars) and an install command. Copy them now — the token is shown exactly once.

3. Install the agent on your host

SSH into your Linux host and paste the install command we just generated:

curl -fsSL https://cli.cloud.naasson.com/install-agent.sh \
| sudo NAASSON_AGENT_TOKEN=<token-from-step-2> \
NAASSON_EDGE_HOST=edge.cloud.naasson.com:8443 \
bash

The script does five things, in this order:

  1. detects your CPU architecture (amd64 / arm64);
  2. downloads the matching binary from https://cli.cloud.naasson.com/agent/latest/ and verifies its SHA256;
  3. drops it at /usr/local/bin/naasson-tunnel-agent;
  4. creates a dedicated naasson system user;
  5. writes a hardened systemd unit and starts it.

You should see the agent come up within ~10 seconds. Verify with:

sudo systemctl status naasson-tunnel-agent
sudo journalctl -fu naasson-tunnel-agent

The agent dials outbound to the edge — no inbound port on your host.
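
To check this step's claims on your own host (dedicated naasson user, hardened unit, outbound-only connection to the edge), here is an added audit script; it is not part of install-agent.sh or any Naasson tooling. The systemd directive values it expects and the sample data are assumptions, since this page does not list the unit's contents.

```bash
#!/bin/sh
# Added example: post-install audit of the claims in step 3. Not the project's code.
UNIT=naasson-tunnel-agent
# The kernel truncates process names to 15 chars, so ss shows "naasson-tunnel-".
COMM='users:(("naasson-tunnel'

# stdin: `ss -H -tanp` output. Succeeds only if the agent owns no LISTEN socket.
no_inbound_listener() {
  ! awk -v p="$COMM" '$1 == "LISTEN" && index($0, p) { hit = 1 } END { exit !hit }'
}

# stdin: same output. Succeeds if the agent has an ESTAB connection to the edge port.
has_edge_connection() {
  awk -v p="$COMM" -v port="${1:-8443}" \
    '$1 == "ESTAB" && $5 ~ (":" port "$") && index($0, p) { ok = 1 } END { exit !ok }'
}

# stdin: `systemctl show -p User,NoNewPrivileges,ProtectSystem` output.
# The expected values are assumptions; the page does not list the unit's directives.
unit_is_confined() {
  awk -F= '$1 == "User" && $2 == "naasson" { u = 1 }
           $1 == "NoNewPrivileges" && $2 == "yes" { n = 1 }
           $1 == "ProtectSystem" && $2 != "no" && $2 != "" { p = 1 }
           END { exit !(u && n && p) }'
}

# Constructed sample data (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:* users:(("nginx",pid=990,fd=6))
ESTAB 0 0 10.0.0.5:51544 203.0.113.10:8443 users:(("naasson-tunnel-",pid=1423,fd=7))'
SAMPLE_UNIT='User=naasson
NoNewPrivileges=yes
ProtectSystem=strict'

report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }

if [ "${1:-}" = "--audit" ]; then   # live host: needs root so ss can see process names
  socks=$(sudo ss -H -tanp)
  unit=$(systemctl show "$UNIT" -p User,NoNewPrivileges,ProtectSystem)
else                                # default: run against the constructed sample
  socks=$SAMPLE_SS unit=$SAMPLE_UNIT
fi
printf '%s\n' "$socks" | report no_inbound_listener
printf '%s\n' "$socks" | report has_edge_connection 8443
printf '%s\n' "$unit"  | report unit_is_confined
```

Run it with --audit on the host to check live state; with no argument it evaluates the constructed sample.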

4. Create a tunnel route

Back in the My tunnels page, fill the rest of the form:

  • Target port: whatever your service listens on locally (80 for nginx, 8080 for a fresh container, 3000 for a Node app).
  • Vanity name (optional): if you want my-app.cloud.naasson.com, set my-app here. Otherwise we generate a random 13-character segment.

Hit Create route.

5. Open the URL

Click the freshly-minted URL. The first request takes about a second (TLS handshake at the edge); after that it’s straight passthrough to your local service. The cookie set by the edge is scoped only to that exact hostname — no cross-app session leakage.

If you don’t have a service on the target port yet, this is a good moment to start one — docker run -p 8080:80 nginx makes the URL serve “Welcome to nginx!” the moment the container is up.

What just happened

You now own a public *.cloud.naasson.com subdomain pointing at a service on a host that doesn’t even need a public IP. The edge does TLS termination with a wildcard cert we manage, looks up your route in its YDB-backed registry, and forwards into the agent’s persistent mTLS connection.

To clean up: same page → Revoke → the FQDN is gone in < 2 seconds. To kill the agent: sudo systemctl disable --now naasson-tunnel-agent.

Next steps

  • Want to expose a real app (Nextcloud, Plex, Jellyfin, Outline, …)? Install from the marketplace — the wizard does steps 3 and 4 automatically and provisions the app for you.
  • Want the same thing from a CLI? weldctl — installs in one line, runs simple deploy nextcloud against your VM.
  • Want to understand the edge architecture (instance group + NLB + per-agent connection)? Edge network.