use-cases / cert-renewal-no-ssh / hero

CRON · EXEC · NO SSH

Roll your TLS certificates without an SSH session

Hoody Cron carries the schedule. Hoody Exec carries the renewal logic. Sunday at 04:00 a curl fires, certbot runs, the new bundle is PATCHed into the proxy, and the reload is acknowledged. No shell session, no key in ~/.ssh, no jump host between you and the cert.

Read the cron docs

exec.containers.hoody.com · scripts/certs/status

https://exec.containers.hoody.com/scripts/certs/statusrenewing

TLS · 5 domains · weekly jobnext run · sun 04:00

your-app.comLE · R3EXPIRES IN 69 DAYS
api.your-app.comLE · R3EXPIRES IN 23 DAYS
admin.your-app.comLE · R3RENEWING · POSTED TO ACME
billing.your-app.comLE · R3EXPIRES IN 92 DAYS
edge.your-app.comLE · E1EXPIRES IN 42 DAYS

cron entry

# weekly · Sunday 04:00
0 4 * * 0  bash /scripts/renew.sh

weekly · POSTed once · self-runs forever

last run · 04:00:18

04:00:01curl POST acme-v02.api.letsencrypt.org/new-order
04:00:09validate http-01 challenge · admin.your-app.com
04:00:18PATCH proxy/cert/bundle · 200 OK · reload accepted

1 cert renewed · proxy reloaded

no SSH key · no jump host · the schedule is a row in a JSON API

use-cases / cert-renewal-no-ssh / lifecycle

Three URLs, no shell

The whole renewal pipeline is two endpoints and a 5-field schedule. Cron triggers Exec. Exec calls ACME and PATCHes the proxy. The acknowledgement comes back as a 200.

RENEWAL LIFECYCLEPOSTED ONCE · RUNS WEEKLY

01 · SCHEDULE

POST one cron entry

POST /users/me/entries with schedule "0 4 * * 0" and command "curl /scripts/certs/renew". The cron service writes it into the user crontab and starts ticking. You did this once, from anywhere with HTTPS.

02 · RUN

Exec runs the script

Sunday 04:00, cron curls the exec URL. Exec spins up the script, talks to Let's Encrypt's ACME endpoint, validates the http-01 challenge, and writes the renewed bundle to /files. No node logging in, no session needed.

03 · RELOAD

PATCH the proxy bundle

The script PATCHes the new cert and key into the Hoody proxy's bundle endpoint. The proxy hot-reloads — no restart — and the next TLS handshake serves the new certificate. The whole cycle is under a minute.

Each step is an HTTP call you can replay from a terminal — `curl --dry-run` if you want to debug, `curl -i` if you want the headers. The pipeline doesn't depend on a logged-in session at any point.

use-cases / cert-renewal-no-ssh / mechanism

What the two endpoints look like

On the left, the cron entry that schedules the job. On the right, the exec script that does the work. Both are addressable via HTTP — both are auditable, both are replayable from any laptop or phone.

cron · register the schedule

POST · once

# register the weekly renewal
curl -X POST \
  https://cron.containers.hoody.com/users/me/entries \
  -H "Content-Type: application/json" \
  -d '[ "schedule":"0 4 * * 0", "command":"curl -fsS https://exec.containers.hoody.com/scripts/certs/renew", "comment":"weekly TLS renewal", "enabled":true ]'

# response
HTTP/1.1 201 Created
{ "id":"7a92", "schedule":"0 4 * * 0", "enabled":true }

exec · scripts/certs/renew.ts

GET · runs weekly

// scripts/certs/renew.ts
// @mode serverless
// @timeout 120000

const domains = ["your-app.com", "api.your-app.com", ...];

for (const d of domains) {
  const cert = await acme.order(d);
  await fetch("/api/v1/proxy/cert/bundle", {
    method: "PATCH",
    body: JSON.stringify({ d, cert })
  });
}

return { "renewed": domains.length };

Two URLs, one Sunday morning, zero SSH. The cron entry is data — POST it once and it's there until you DELETE it. The exec script is a file — change it via the API and the next run picks up the new logic. Nothing about this loop requires a person to be on a machine.

use-cases / cert-renewal-no-ssh / powers

Why this beats the SSH crontab

Same outcome — a renewed certificate every week — with three properties the legacy setup never had.

AUTH · URL TOKEN

No private key in ~/.ssh

Auth is a URL token, not an SSH key. Rotate it via the API and the old token stops working everywhere at once. No agent forwarding, no bastion, no key file you forgot you copied to a CI box three years ago.

AUDIT · HTTP TRACE

Every renewal is a request log

Each run is a row in the cron log and a request line in the exec log. Grep for who triggered it, when, what cert, what response code. The 200 from the proxy is the receipt that the reload landed.

DEBUG · DRY-RUN A CURL

You don't SSH to debug

Replay the renewal from your laptop with `curl /scripts/certs/renew?dry_run=true`. Watch the response, fix the script via the exec write API, retry. The whole loop happens over HTTPS — same pipe the production schedule uses.

use-cases / cert-renewal-no-ssh / capacity

What you skipped

Numbers from the deployment, not benchmarks. The shape is what matters: very few moving parts, all of them speak HTTP.

SSH SESSIONS0
Setup is a POST. Renewal is a GET on a schedule. Debug is a curl. There is no shell session in the pipeline at any point — your private key never has to be on the box.
ENDPOINTS USED2
One cron entry to schedule the run. One exec route that runs the script. The third URL — the proxy bundle PATCH — lives inside the script and reloads the cert.
FIELDS · CRON SCHEDULE5
Standard 5-field expression "0 4 * * 0" — Sunday 04:00. Or `@weekly` if you don't care which day. The cron service accepts both, plus auto-expiration for one-shot renewals.

Cron service: 5-field expressions and macros (`@hourly`, `@daily`, `@weekly`, `@monthly`, `@yearly`), per-user isolation, optional `expires_at`. Exec: V8 isolates, Bun runtime, magic comments for mode/timeout/CORS. ACME flow handled in your script — Hoody doesn't run the certbot for you, it runs your code on a schedule.

use-cases / cert-renewal-no-ssh / punchline

Renewal is a curl on a schedule — no shell session, no key, no jump host.

old · saturday before the certs expirednew · the cron has been running for nine months

WHAT THE OLD STACK LOOKED LIKEssh prod && certbot renew && systemctl reload nginxkey in ~/.ssh · bastion in front · prayer that the cron line survived the last reboot

WHAT IT LOOKS LIKE NOW

Read the exec docs

use-cases / cert-renewal-no-ssh / replaces

What this replaces

The standard ways to keep TLS valid in production. Each one wants either a shell session, a control-plane service, or both. The cron-plus-exec pair wants neither.

SSH + manual certbotA shell session, a key, a renew step you forget when you're on holiday
ssh-bastion + scriptA jump host you maintain just to run a one-line script
AWS Certificate Manager (closed-loop)Free, but only on AWS — and the cert never leaves their proxy
HashiCorp Vault PKIA whole secrets daemon to issue certs you renew once a week
cert-manager on KubernetesA controller, a CRD, a webhook — for what is two HTTP calls
custom renewal cron + jump host pipelineGlue scripts on a bastion, a key per CI runner, no audit trail

use-cases / cert-renewal-no-ssh / cta

Stop logging in to renew certs. POST the schedule once. Watch the proxy reload itself every Sunday morning.

Read the kit docs

use-cases / cert-renewal-no-ssh / related

Read the others

Sixty containers on one server

One bare-metal box runs dozens to hundreds of Hoody containers. KSM and BTRFS dedup make the marginal cost near zero.

Containers·Snapshots

Onboard a developer with one link

A new engineer joins on Monday. You send one URL. They open it on whatever laptop they have and they're in a fresh container cloned from your developer-baseline snapshot — code, deps, env, seed data, VSCode-in-browser. Writing code in five minutes, not setting up.

Snapshots·Containers·Terminal·Files

API endpoints that materialize on demand

A wildcard exec script catches the call, asks an LLM to write the handler, runs it in a V8 sandbox, and saves the route. The next call is native.

Exec·Agent·Code·Files

Branch computers like Git

Snapshot a running container — files, processes, memory. Restore in seconds. Fork via /copy. Branching, but for the entire machine.

Snapshots·Containers

Real VS Code on your phone

The Code Orchestrator spawns a VS Code instance on the container and serves the editor over a normal HTTPS URL. Any device with a browser can open it. The work lives in the container, not on the device.

Display·Terminal·Files·Containers+1

AI agents that spawn other AI agents

A research agent posts to /api/v1/projects/$PID/containers to start a child container, then calls the child's agent URL like any other HTTP service. Sub-agents spawn their own sub-agents the same way. No orchestrator framework, just URLs.

Agent·Exec·Containers

One sandbox per customer, automatically

An exec script catches your signup webhook, copies a fresh-customer container, and hands the new tenant their own URL. Isolation is the operating system, not a tenant_id column.

Containers·Snapshots·Exec·Files

Wake up to a finished prototype

Hand the agent a paragraph at midnight. It spawns its own containers, snapshots before risky steps, and posts to your notification webhook at sunrise.

Agent·Snapshots·Containers·Browser+2

Emergency production fix from your phone

PagerDuty wakes you. Open the terminal URL on your phone. PATCH the snapshot from before the bad deploy. Production is back. No bastion, no VPN, no laptop.

Terminal·Snapshots·Network

Tail production logs to a URL anyone can curl

One pipe URL. Up to 256 readers. Three engineers tail the same incident at once with no bastion, no Datadog seat, no log forwarder.

Pipe

Push one build to thirty CI workers at once

The build container streams the tarball to a pipe path with ?n=30. All thirty test workers curl the same URL. Bytes go through once, fanned out.

Pipe

Watch your agent think from the coffee shop

Your agent runs at home. You're at a café. Pipe each event of the loop through Hoody Pipe and curl the same path from your phone — the trace lands character by character. No SSH, no dashboard, no upload.

Pipe·Agent

Move 200GB between clouds with two curls

pg_dump | gzip | curl from Frankfurt. curl | gunzip | psql in Singapore. Bytes flow through the pipe with zero disk in the middle.

Pipe

Send a teammate a database state in one line

pg_dump streams straight into their psql. No file uploaded, no link shared, no download. The pipe routes the bytes through.

Pipe

Stream LLM tokens to anything that reads HTTP

Step 3 streams tokens with curl -T -. Step 4 curls the same path. Tokens move generator to consumer at line speed. No SSE plumbing, no broker.

Pipe·Agent

A progress bar your boss can spectate without joining

Append ?progress to the pipe URL. Anyone who opens it gets a live HTML dashboard — bytes, speed, ETA, state. Up to fifty spectators, none consuming a receiver slot, none touching the stream.

Pipe

The webhook fan-out you didn't have to build

Stripe POSTs to a pipe path with ?n=12. Twelve subscribers curl the receiver URL with ?n=12. The pipe holds the event until everyone is connected.

Pipe·Exec

A CI cache that's just two curl commands

tar | zstd | curl puts node_modules into a pipe. Twenty downstream jobs curl | zstd -d | tar x. No S3 bucket, no cache action, no egress bill.

Pipe·Containers

Drag-drop uploads into your script

hoody-pipe serves a web upload form at every path. Drag a file onto the page, your script reads the bytes from stdin. Zero upload code, no S3 bucket, no presigned URLs.

Pipe·Exec

Broadcast a workshop to 200 viewers from your laptop

ffmpeg streams your screen to a pipe path with ?n=200. Each attendee curls the URL into a browser tab. No platform, no logins, no upload.

Pipe

Inter-container IPC without the message broker

Container A writes to a pipe path. Container B reads from the same path. Backpressure is the connection. No Redis, no queue, no broker.

Pipe·Containers

Tail your agent on the train, get pinged when it lands

The agent streams its trace to a pipe path you can curl from your phone. When it finishes, its last act hits hoody-notifications and your phone buzzes. Two URLs and a buzz — no SDK, no client app, no dashboard.

Pipe·Agent·Notifications

A microphone over HTTP, in two terminals

ffmpeg captures the mic, pipes to a URL. The other end curls and plays the audio. No Zoom, no SDK, no signaling server.

Pipe

Five agents, five pipes, one verdict

A panel of five models reviews the same input. Each runs in its own container and streams its verdict to its own pipe path. A judge process curls all five in parallel and tallies the result.

Pipe·Agent·Containers

Replay this morning's incident to the whole team

Snapshot the incident-time logs in hoody-files. Replay them through a Hoody Pipe URL with ?n=8. Eight engineers curl the same path and watch the cascade fire in lockstep — the post-mortem is a synchronized stream, not a Confluence doc.

Pipe·Files

The fastest 'send me that file' you've ever typed

A teammate pings for a 4 GB dump. Slack rejects it, Drive needs a share request. You type curl -T file …; they type curl … > file. The bytes move directly between disks — no upload bar, no link to share.

Pipe

Run a local LLM, serve it to your whole fleet

One GPU runs llama.cpp. Its tokens stream into a pipe path with ?n=50. Fifty containers curl the same URL and split the stream.

Pipe·Daemon

A live metrics dashboard with no metrics backend

Each container's monitoring loop curls a metric to a pipe URL. The dashboard curls the same URL with ?progress and renders the SSE stream.

Pipe

The cron job that deletes itself when you're done

POST a managed cron entry with expires_at set 48 hours out. The job runs on schedule, then removes itself — no reminder, no cleanup PR, no stale entry.

Cron

Snapshot the container right before the nightly migration

A hoody-cron entry that fires at 02:55 UTC, curls the snapshots URL, and names the artifact pre-migration-2026-05-04. Five minutes later the migration runs. If it succeeds, the snapshot sits idle and costs nothing. If it fails, you restore in 30 seconds with a single PATCH.

Cron·Snapshots

A separate crontab for every customer, automatically

Each tenant gets their own container and their own hoody-cron service. Customer A's 9am digest fires on time even when customer B's job hangs for 40 minutes, because they aren't on the same crontab.

Cron·Containers

Wake an agent at 3am, retire it at 4

A nightly cron POSTs a spawn request, the agent does its hour of work, then a second cron tears the container down. The agent exists only when there is work for it to do.

Cron·Agent·Containers

Daily rollups without an orchestrator

Raw events pile up in a sqlite URL. Every night a cron entry curls an exec endpoint, the script runs the rollup SQL, writes the daily table back. No DAG, no Airflow Postgres, no scheduler dashboard.

Cron·SQLite·Exec

A crontab per branch, deployed with the code

Your repo checks in `.hoody/crontab`. The deploy script PUTs that file to the new container's Cron API. Each branch gets its container, its filesystem, its schedule.

Cron·Containers

On-call escalation that ages out with the shift

POST a cron entry with expires_at = shift end. When the shift ends, the entry deletes itself. The next on-call posts their own.

Cron·Notifications

Hourly scrape, daily digest, weekly archive — one container

Three lines in one crontab: hourly browser scrape into SQLite, daily exec digest, weekly archive to files. Flat-rate server, three rhythms, no scheduler service.

Cron·Browser·SQLite·Files

Let your customers BYO their own cron schedule

Customers POST their own 5-field expressions; their crontab lives in their container, isolated. You don't validate against a global queue.

Cron·Containers

Schedule the agent, not the script

A 5-field cron entry curls hoody-agent with a prompt instead of running a fixed script. Today is the last day of the month — the agent figures it out. The data shape changed — the agent figures it out.

Cron·Agent

A heartbeat for the silent jobs

Each cron run POSTs a heartbeat to a notifications endpoint. A second cron checks last-heartbeat and pages on silence. Silence is the alert.

Cron·Notifications

Keep the last 24 hours as 24 snapshots

An hourly cron POSTs a snapshot named with the hour. After 24 hours each new snapshot overwrites yesterday's at the same hour. The 24-floor time machine.

Cron·Snapshots

Replay this morning's webhooks at the same time tomorrow

You captured 30 minutes of real Stripe traffic into a hoody-files folder. One cron entry replays it against staging at 9am every weekday — same volume, same payloads, same time-of-day pressure.

Cron·Files·Exec

Edit your crontab from a phone, in the airport

Open the cron URL on your phone in the gate area. Tap a row, change a single field of the cron expression, hit Save. PATCH lands. The job fires tonight on the new schedule. No SSH session, no jump box, no laptop.

Cron·Terminal

A scheduled digest that fans out to 200 inboxes

Cron at 9am POSTs to an exec script that builds the digest and curls a pipe URL with ?n=200. Two hundred recipients hit the same URL once.

Cron·Exec·Pipe

Mute the flaky job without losing it

PATCH /entries/[id] [ enabled: false ]. The job stays in your crontab waiting to be fixed. No deletion, no rewrite, no lost context.

Cron

An agent that grades yesterday's agents

A nightly cron POSTs to the supervisor agent with yesterday's agent traces from SQLite. The supervisor scores each one. Cron is the supervisor.

Cron·Agent·SQLite

Cleanup jobs that schedule their own retirement

The cleanup script checks if there's anything left to clean. When the directory is empty, it DELETEs its own cron entry. Job's done, job's gone.

Cron·Files

A weekly canary that tries to break production

Sunday 7am cron wakes a Hoody Agent in a fresh container against a snapshot of prod. It runs the OWASP top twenty, fuzzes the API, and writes a findings report to a URL by 9am. Container retires.

Cron·Agent·Browser·Snapshots

The hobby-project graveyard you can afford to keep alive

Eleven half-finished side projects on Heroku is eleven dynos at $5–7 each. On Hoody it's eleven containers on one $29 bare-metal box. Idle costs zero, the URL wakes the container in milliseconds, and the chess engine nobody uses still runs.

Containers

A preview environment per pull request, all month

Each open PR gets its own clone of a snapshot. The container wakes when reviewers click the link; idle PRs cost nothing.

Containers·Snapshots

Run a 12-product portfolio from one bare-metal box

Twelve isolated containers, each its own SaaS, share one $49 bare-metal server — a step above the $29 entry tier, chosen here for the RAM headroom fifty containers want. Per-product margins go from negative to nice.

Containers

Kill the staging-server tax

Stop paying for a duplicate of production. Snapshot the prod container, branch staging from it on demand, freeze it back to disk when nobody's testing. Three environments, one machine, one bill.

Containers·Snapshots

Forty client sites, one rent, one dashboard

Each client site lives in its own container; you bill them per-site, you pay the host once. The math finally works for agencies.

Containers·Workspaces

Replace the E2B bill with the bare metal you already rent

Your agents stop renting compute by the second from E2B/Modal/Daytona. They use containers on the box you already have.

Containers·Agent·Exec

Idle staging costs nothing, so staging stops getting deleted

Staging used to die because it was expensive to keep around. When idle is free, staging gets to live — even the one a teammate touched 90 days ago.

Containers·Snapshots

Per-customer sandboxes at fleet scale

Eight hundred isolated customers on three bare-metal servers — one flat-rate monthly bill, no per-tenant meter. Each tenant gets a real container with its own kernel namespace, filesystem, and URL. Idle containers cost nothing on top of the server you already pay for.

Containers·Snapshots·Exec

The CI cache that's not an S3 line item

Cache files live in /files on the box you already rent. Workers PUT and GET tarballs over HTTP. No S3 bucket, no egress, no third vendor — the bytes never leave the box.

Files·Containers

Fifty demo environments for fifty sales calls

Each prospect gets a real, isolated copy of your product seeded with their data. Cloned from a snapshot. Theirs to keep for a week.

Containers·Snapshots

Roll your TLS certificates without an SSH session

Three URLs, no shell

POST one cron entry

Exec runs the script

PATCH the proxy bundle

What the two endpoints look like

Why this beats the SSH crontab

No private key in ~/.ssh

Every renewal is a request log

You don't SSH to debug

What you skipped

What this replaces

Read the others

Sixty containers on one server

Onboard a developer with one link

API endpoints that materialize on demand

Branch computers like Git

Real VS Code on your phone

AI agents that spawn other AI agents

One sandbox per customer, automatically

Wake up to a finished prototype

Emergency production fix from your phone

Tail production logs to a URL anyone can curl

Push one build to thirty CI workers at once

Watch your agent think from the coffee shop

Share your screen with a URL, not a meeting invite

Move 200GB between clouds with two curls

Send a teammate a database state in one line

Stream LLM tokens to anything that reads HTTP

A progress bar your boss can spectate without joining

The webhook fan-out you didn't have to build

A CI cache that's just two curl commands

Drag-drop uploads into your script

Broadcast a workshop to 200 viewers from your laptop

Inter-container IPC without the message broker

Tail your agent on the train, get pinged when it lands

A microphone over HTTP, in two terminals

Five agents, five pipes, one verdict

Replay this morning's incident to the whole team

The fastest 'send me that file' you've ever typed

Run a local LLM, serve it to your whole fleet

A live metrics dashboard with no metrics backend

The cron job that deletes itself when you're done

Snapshot the container right before the nightly migration

A separate crontab for every customer, automatically

Wake an agent at 3am, retire it at 4

Daily rollups without an orchestrator

A crontab per branch, deployed with the code

On-call escalation that ages out with the shift

Hourly scrape, daily digest, weekly archive — one container

Let your customers BYO their own cron schedule

Schedule the agent, not the script

A heartbeat for the silent jobs

Keep the last 24 hours as 24 snapshots

Replay this morning's webhooks at the same time tomorrow

Edit your crontab from a phone, in the airport

A scheduled digest that fans out to 200 inboxes

Mute the flaky job without losing it

An agent that grades yesterday's agents

Cleanup jobs that schedule their own retirement

A weekly canary that tries to break production

The hobby-project graveyard you can afford to keep alive

A preview environment per pull request, all month

Run a 12-product portfolio from one bare-metal box

Kill the staging-server tax

Forty client sites, one rent, one dashboard

Replace the E2B bill with the bare metal you already rent

Idle staging costs nothing, so staging stops getting deleted

Per-customer sandboxes at fleet scale

The CI cache that's not an S3 line item

Fifty demo environments for fifty sales calls