Case: Selecting Applications for Your Own IT Infrastructure

#DevOps #Case #SelfHost #Free

In this case, we have compiled a set of self-hosted solutions that allow you to deploy your own secure IT infrastructure — without cloud services or subscriptions.

From hosting and automation to email, SIEM, WAF, and DDoS protection — everything runs locally and free of charge. As a bonus, we’ve also included some cloud-based solutions (also conditionally free).



Infrastructure diagram


Who is this case for?

First and foremost, it’s for developers who will be setting up everything themselves on a single machine — whether it's a home PC or a private VPS/VDS. It’s designed for those who are essentially "a company and a team of one."

At the same time, this setup can also be a great fit for small and medium-sized businesses.


Part 1: Securing Your Infrastructure

We use multiple layers of open-source security tools to protect our systems from a wide variety of threats. Below are the key components and their purposes.

CDN (Cloudflare, ArvanCloud, etc.)

What it is: Global content delivery networks (CDNs) that provide caching, reverse proxy, WAF, and DDoS mitigation services.

Why we use it: Hide real server IP addresses, absorb large traffic surges, and protect against volumetric attacks.

What it protects against: Large-scale DDoS, HTTP floods, bot traffic, and exploit attempts on exposed web services.

How it is used: Acts as an intermediary between visitors and origin servers, filtering and caching requests.


Tailscale or WireGuard

What it is: VPN solutions to create secure tunnels between servers and clients.

Why we use it: They allow you to build private networks, hide services from the public Internet, and use internal IP addresses instead of public ones.

What it protects against: Port scanning, direct Internet exposure, MITM (Man-in-the-Middle) attacks, traffic interception.

How it is used: Create an internal secure network for admin panels, internal APIs, and sensitive services.


Fail2Ban (as part of CrowdSec or standalone)

What it is: A log monitoring and IP banning system that automatically blocks IPs after suspicious activities or multiple failed login attempts.

Why we use it: Prevents brute-force attacks by banning abusive IP addresses automatically.

What it protects against: Brute-force attacks on SSH, SMTP, web panels, and other login endpoints.

How it is used: Integrated with CrowdSec or standalone, monitoring authentication logs and firewalling offenders.


cscli alerts (in CrowdSec)

What it is: CLI tool provided by CrowdSec to view and manage security alerts and blocked IPs.

Why we use it: Provides real-time visibility into security events and allows manual intervention.

What it protects against: Helps quickly analyze and react to attacks or suspicious behavior.

How it is used: Administrators regularly review alerts to understand threat patterns and adjust policies.


2FA (Two-Factor Authentication)

What it is: An additional layer of authentication requiring a second factor (such as a mobile app or hardware key) in addition to a password.

Why we use it: Ensures that even if credentials are compromised, attackers cannot gain access without the second factor.

What it protects against: Account hijacking, credential stuffing, phishing attacks.

How it is used: Mandatory for all control panels, admin accounts, and critical services.


ModSecurity

What it is: An open-source Web Application Firewall (WAF) module for Apache, Nginx, or IIS.

Why we use it: Filters HTTP traffic and protects against common web attacks using rule sets like OWASP Core Rule Set.

What it protects against: SQL injection, XSS, local/remote file inclusion, command injection, path traversal, and other OWASP Top 10 vulnerabilities.

How it is used: Deployed on all web-facing servers to block malicious requests at the application layer.


Wazuh (optional for larger infrastructures)

What it is: A SIEM and XDR platform for log monitoring, threat detection, and compliance auditing.

Why we use it: Provides centralized security visibility and advanced threat correlation.

What it protects against: Complex multi-stage attacks, insider threats, abnormal behaviors across large environments.

How it is used: Aggregates logs and alerts from endpoints, network devices, and applications.


CrowdSec

What it is: A modern open-source collaborative intrusion prevention system (IPS/IDS) and behavior-based firewall.

Why we use it: Automatically bans malicious IPs and shares intelligence with the community.

What it protects against: Botnets, scanners, distributed attacks, repeated abusive behaviors.

How it is used: Monitors logs and traffic, updates firewall rules dynamically.
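The log-driven banning that the Fail2Ban and CrowdSec entries above describe, sketched as an added example (this is not code from Fail2Ban, CrowdSec, or the original article). The parameter names mirror Fail2Ban's jail options maxretry, findtime, bantime and ignoreip; the log lines are constructed, and the 10.0.0.0/8 allowlist stands in for an assumed internal VPN range.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines; all addresses are documentation or private ranges.
SAMPLE_LOG = """\
2025-01-10T08:00:01 host1 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
2025-01-10T08:00:09 host1 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
2025-01-10T08:00:15 host1 sshd[812]: Failed password for invalid user admin from 192.0.2.55 from 203.0.113.7 port 40030 ssh2
2025-01-10T08:00:20 host1 sshd[813]: Accepted publickey for deploy from 10.8.0.2 port 51000 ssh2
2025-01-10T08:00:31 host1 sshd[814]: Failed password for invalid user test from 203.0.113.7 port 40031 ssh2
2025-01-10T08:01:02 host1 sshd[815]: Failed password for root from 203.0.113.7 port 40040 ssh2
2025-01-10T08:01:05 host1 sshd[816]: Failed password for root from 203.0.113.7 port 40041 ssh2
2025-01-10T08:05:00 host1 sshd[820]: Failed password for root from 198.51.100.20 port 33001 ssh2
2025-01-10T08:17:00 host1 sshd[821]: Failed password for root from 198.51.100.20 port 33002 ssh2
2025-01-10T08:29:00 host1 sshd[822]: Failed password for root from 198.51.100.20 port 33003 ssh2
2025-01-10T08:30:00 host1 sshd[830]: Failed password for deploy from 10.8.0.2 port 51010 ssh2
2025-01-10T08:30:10 host1 sshd[830]: Failed password for deploy from 10.8.0.2 port 51010 ssh2
2025-01-10T08:30:20 host1 sshd[830]: Failed password for deploy from 10.8.0.2 port 51010 ssh2
2025-01-10T08:30:30 host1 sshd[831]: Failed password for deploy from 10.8.0.2 port 51011 ssh2
2025-01-10T08:30:40 host1 sshd[831]: Failed password for deploy from 10.8.0.2 port 51011 ssh2
2025-01-10T08:41:00 host1 sshd[823]: Failed password for root from 198.51.100.20 port 33004 ssh2
2025-01-10T08:53:00 host1 sshd[824]: Failed password for root from 198.51.100.20 port 33005 ssh2
"""

# The user name is client-controlled text, so the source address is taken from
# the fixed tail of the line ("from <ip> port <n> ssh2"), never from the middle.
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?.*"
    r" from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failure(line):
    """Return (timestamp, source address) for a failed login, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    try:
        return datetime.fromisoformat(m["ts"]), ip_address(m["ip"])
    except ValueError:  # malformed timestamp or address: do not act on it
        return None


def detect_bans(lines, maxretry=5, findtime=timedelta(minutes=10),
                bantime=timedelta(hours=1), ignore=("10.0.0.0/8",)):
    """Return [(ip, ban_start, ban_end)] for sources that reach maxretry
    failures inside a sliding findtime window."""
    ignore_nets = [ip_network(net) for net in ignore]
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if any(ip in net for net in ignore_nets):
            continue              # allowlisted (assumed VPN range): never ban
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned; the firewall drops these
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((str(ip), ts, ts + bantime))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in detect_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} from {start.isoformat()} until {end.isoformat()}")
```

The source at 198.51.100.20 stays under the threshold because its attempts are 12 minutes apart; widening findtime catches it, at the cost of more state per address.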


iptables

What it is: The core Linux packet filtering framework.

Why we use it: Fine-grained control over network traffic, defining precise filtering and NAT rules.

What it protects against: Unauthorized access, basic DDoS mitigation, internal segmentation control.

How it is used: Forms the foundation of UFW and custom advanced firewall configurations.


AppArmor (or Proxmox VE)

What it is: AppArmor is a mandatory access control (MAC) system for restricting application capabilities. Proxmox VE is a virtualization environment with strong container and VM isolation.

Why we use it: Isolates processes and limits their access to system resources.

What it protects against: Privilege escalation, container breakout attacks, unintended access to sensitive files.

How it is used: AppArmor profiles enforce strict policies on applications; Proxmox provides full VM-level separation.


Bitwarden (VaultWarden)

What it is: Bitwarden is a popular open-source password manager for securely storing and managing login credentials, API keys, and other sensitive secrets. VaultWarden is a lightweight, self-hosted implementation of Bitwarden written in Rust, optimized for running on small servers or home environments.

Why we use it:

  • Centralized secrets management: Instead of saving passwords in text files, browsers, or spreadsheets, all credentials are stored securely in a single encrypted vault.

  • Zero knowledge encryption: Only the user holds the master password; even the server administrator cannot see the vault contents.

  • Team sharing: Allows securely sharing credentials and environment secrets with specific team members or service accounts.

  • Cross-platform support: Works with browser extensions, mobile apps, CLI, and desktop apps — making it easy to use everywhere.

What it protects against:

  • Unauthorized access to admin accounts, cloud panels, and critical services due to weak or reused passwords.

  • Credential leaks caused by human error (e.g., sending passwords over email or chat).

  • Phishing attacks — Bitwarden can autofill only verified login forms, reducing the chance of entering credentials on fake sites.

How it is used:

  • Install VaultWarden (self-hosted Bitwarden) on your private server or VPS.

  • Store all your service passwords (VPN, SSH, admin panels, etc.) in the vault.

  • Enforce strong, unique passwords and set up 2FA inside Bitwarden for additional layers of security.

  • Configure team or organization access policies if you work with multiple admins or developers.

Why include it in the security stack? Password hygiene is often overlooked but is one of the most common weak points exploited by attackers. By centralizing and encrypting all secrets, Bitwarden (VaultWarden) drastically reduces this attack surface. Combined with 2FA and hardware security keys (like Nitrokey), it creates a robust authentication and credential security strategy.

Advantages / What happens if you use this minimal stack (when properly configured)

Disadvantages / Limitations and possible problems

Optional (if you have enough resources and want extra security)

Prometheus + Grafana

What it is: Open-source stack for metrics collection and visualization.

Why we use it: Enables deep performance and security monitoring with historical trends.

What it protects against: Not a direct protection layer, but helps detect anomalies and resource abuse early.

How it is used: Alerting on unusual metrics, creating dashboards for ongoing visibility.


Keycloak

What it is: Identity and access management (IAM) solution.

Why we use it: Centralizes user authentication, provides SSO, enforces 2FA policies.

What it protects against: Unauthorized access, weak authentication mechanisms.

How it is used: Handles authentication for all internal and external applications.


Hardware security keys (Nitrokey)

What it is: Physical security tokens for strong authentication.

Why we use it: Provides the most secure form of 2FA.

What it protects against: Phishing, credential theft, session hijacking.

How it is used: Required for admin accounts and sensitive system access.


ClamAV or OpenEDR

What it is: ClamAV is an open-source antivirus; OpenEDR is an endpoint detection and response system.

Why we use it: Scans for malware, rootkits, and persistent threats.

What it protects against: Viruses, worms, trojans, backdoors.

How it is used: Installed on servers and desktops to scan files and processes.


Unbound or Pi-hole

What it is: Unbound is a DNS resolver; Pi-hole is a DNS sinkhole and ad blocker.

Why we use it: Controls DNS queries, blocks malicious and unwanted domains.

What it protects against: DNS spoofing, phishing, malware domains, unwanted tracking.

How it is used: As the main DNS resolver for the entire infrastructure.


FastNetMon

What it is: A real-time DDoS detection and mitigation tool using NetFlow/sFlow.

Why we use it: Detects high-volume attacks quickly and automatically triggers countermeasures.

What it protects against: Large-scale DDoS and flooding attacks.

How it is used: Integrated at the edge router or switch level.


Cowrie, Dionaea, T-Pot (honeypots)

What it is: Honeypots designed to attract and log attacker behavior.

Why we use it: Gather intelligence on attack techniques and distract adversaries from real systems.

What it protects against: Not direct protection, but provides early warning and research data.

How it is used: Deployed as decoy servers to capture attack data.


Advantages / What happens if you use this stack (when properly configured)

Disadvantages

Part 2: Self-Hosting Deployment Platform – Dokploy

Rather than managing raw Docker containers manually, we use a self-hosted PaaS to simplify deployments. We considered tools like plain Docker with a GUI or Coolify (a popular open-source Heroku/Netlify-like system), but ultimately chose Dokploy. The decision was based on features, performance, and flexibility. Dokploy is a developer-oriented, Docker-based platform (open-source) that supports multi-server deployments, Docker Compose files, and advanced user controls. It offers out-of-the-box monitoring, logging, and backups – features that Coolify lacks or only provides via plugins.

| Feature | Dokploy | Coolify |
| --- | --- | --- |
| Type | Open-source self-hosted Docker PaaS | Open-source Heroku/Netlify-like PaaS |
| Deployment | Multi-server support, native Docker Compose, GitHub/GitLab/Gitea integration | Multi-server/Docker Compose, GitHub/Bitbucket integration |
| Monitoring & Logs | Built-in real-time metrics/alerting and centralized log management | No built-in monitoring (users must add external tools) |
| Backups | Automatic data and DB backups included | Automated DB backups to S3-compatible storage |
| Security/Users | Advanced role-based access, SSL, integrated Traefik support and more | One-click SSL, team permissions (but no Traefik config) |
| Key features | Lighter and consumes fewer server resources. It has fewer anomalous errors. There is an AI integration in the dashboard and a decent monitoring system. | Consumes slightly more resources. There are some reports of unusual resource usage. It lacks AI integration, and I haven’t noticed a built-in monitoring system. |

Dokploy’s advantages over Coolify include built-in monitoring and automated backups, plus support for multiple source code platforms (GitHub/GitLab/Gitea) and advanced user roles. In practice, Dokploy has been noted to use fewer resources while offering a polished single-page UI. Coolify is not bad – it’s a viable open-source PaaS – but it feels less mature in some features (e.g. no built-in monitoring) and its cloud option has had stability issues (per community feedback). For our needs, Dokploy’s developer-friendly focus and complete feature set made it the better choice.

In our opinion, Dokploy is better than Coolify.

Part 3: Unified Business Platform – ERPNext

For business functions like CRM, CMS, accounting, inventory, and more, we chose ERPNext as an all-in-one platform. ERPNext is a fully integrated open-source ERP/CRM system written in Python and JavaScript, providing modules for Sales, Purchase, Inventory, Projects, HR, Accounting, Website/CMS, and much more. It effectively gives you a complete business suite in one application.

Key reasons for choosing ERPNext

  • Full-featured out of the box: ERPNext includes a broad range of modules ready to use (CRM, Inventory, Accounting, Manufacturing, Website, Helpdesk, etc.). Many competing systems split features into paid editions — for example, Odoo’s Community Edition lacks core modules like Accounting, Payroll, or full manufacturing, which are only in its expensive Enterprise edition. By contrast, ERPNext’s open-source edition includes everything at no extra license cost.

  • Open-source (100% license-free): ERPNext is 100% open source and free for unlimited users. Odoo and others often require per-user fees for advanced modules. For instance, ERPNext can serve 50 users for under $50/month (hosting costs only), whereas a comparable Odoo setup would cost ~$450/month for licensing.

  • Customization and integration: ERPNext has a built-in form/report/workflow builder (no-code customization) that lets you tailor screens, reports, and logic without extra software. You can also write custom scripts or code in the framework. (Odoo requires its paid Studio add-on to do similar customization.)

  • Web CMS included: ERPNext includes a website builder and CMS, complete with blog and e-commerce features. No separate CMS is needed unless you require something very specialized.

  • Active community and support: ERPNext has a large open-source community and ecosystem. Many plugins and community apps exist. If you don’t pay for enterprise support, community forums often suffice for help.

  • Scalable for growth: You can add unlimited users without license fees. This makes ERPNext extremely cost-effective as the team grows.


Alternative options (for lower-resource servers or simpler setups)

Dolibarr

  • What it is: A simpler open-source ERP and CRM solution written mainly in PHP.

  • Why choose it: Dolibarr is lightweight, easier to install, and consumes fewer server resources than ERPNext. It is an excellent alternative if you have a small team or very limited hardware (e.g., a single small VPS).

  • Features: Supports CRM, invoicing, accounting, project management, inventory, and more. Though not as comprehensive as ERPNext, it covers most essential business processes for small to medium enterprises.

  • Trade-off: Dolibarr offers fewer advanced features and less flexible customization compared to ERPNext.

Directus

  • What it is: An open-source data platform and headless CMS built on top of any SQL database.

  • Why choose it: Directus focuses on content management, data modeling, and simple workflows. It’s lighter than a full ERP and can act as a "mini ERP" or advanced CMS, especially for web-focused projects or API-driven apps.

  • Features: Offers a modern no-code admin panel for managing database content, roles, permissions, and API endpoints. Perfect if you primarily need content/data management without complex accounting or manufacturing modules.

  • Trade-off: Directus does not provide out-of-the-box accounting, HR, or inventory modules like ERPNext. It’s best suited as a backend for digital products rather than as a full business suite.

| Feature | ERPNext | Dolibarr | Directus |
| --- | --- | --- | --- |
| CRM & Sales | ✅ Fully built-in | ✅ Yes | ⚠️ Minimal |
| Accounting | ✅ Yes | ✅ Yes | ❌ None |
| Inventory & Projects | ✅ Yes | ✅ Yes | ❌ None |
| CMS/Website | ✅ Yes | ⚠️ Basic | ✅ Headless |
| Customization | ✅ Extensive | ⚠️ Medium | ✅ Flexible API |
| Resource usage | ⚠️ Higher | ✅ Light | ✅ Very light |

ERPNext meets nearly all business needs in one platform, without per-user licensing costs. It is best suited for teams that want everything integrated — from CRM to accounting and website.

For smaller servers or simpler requirements, Dolibarr is a practical, lightweight ERP alternative, while Directus is an excellent choice if you mainly need a headless CMS or data platform.

Thus, depending on your infrastructure size and business complexity, you can pick the most suitable option — but for a full, unified business backbone, ERPNext remains the strongest candidate in a self-hosted, no-subscription setup.

Part 4: Workflow Automation – n8n

To automate tasks and integrate services, we use n8n – an open-source workflow automation tool. n8n provides a visual, node-based editor to connect APIs and services and run logic (similar to Zapier/Make.com but self-hostable). Key points:

  • Open-source & self-hosted – Unlike Make.com (formerly Integromat), Zapier, or many other “no-code” tools, n8n allows you to run the server on your own infrastructure. All node definitions and code are open-source, so you can inspect or modify them. This gives complete control and no per-usage fees.

  • Rich integrations (500+ apps) – n8n comes with hundreds of pre-built integrations (HTTP/Webhooks, databases, CRMs, cloud services, social media, etc.). Its website advertises “500+ app integrations” out of the box. This means we can automate workflows across Slack, GitHub, Google Workspace, ERPNext, email, and more, all from one platform.

  • Complex logic support – It supports loops, conditional logic (if/else), data transformations, and retries within a workflow. This is more flexible than simpler webhook triggers or rules.

  • Developer-friendly – n8n lets you insert custom JavaScript or Python code if needed. Workflows can be version-controlled (Git integration) and deployed via code, fitting a developer’s stack.

  • Alternatives: We considered Make.com (Integromat) and Zapier, but they are cloud-only SaaS with costly usage limits. Node-RED is another open tool (great for IoT/hardware), but n8n’s focus is on cloud/service integration with a modern UI. In short, n8n’s free self-hosting and robust features make it ideal for a developer-centric team.

Part 5: Cloud Storage (MEGA vs Nextcloud)

For file sharing and backups, we balance ease of use with control.

  • For small teams (≈1–10 users), we often use a third-party file-sync service like MEGA.nz. MEGA provides a generous free tier of encrypted cloud storage and has client apps, so there’s almost no setup overhead. It handles encryption and sync in the cloud. Using MEGA offloads the maintenance burden – ideal when you don’t need advanced enterprise features. (Cryptomator can be used to further encrypt the files before upload if desired, since it supports MEGA.)

  • For larger teams (10+ users) who need more control and collaboration features, we self-host Nextcloud. Nextcloud is an open-source, self-hostable Dropbox/OneDrive alternative that offers file sync, calendars, contacts, and more. When using Nextcloud, we combine it with Cryptomator to encrypt files on the client side before they leave the machine. Cryptomator is open-source and works seamlessly with any file-sync folder (including Nextcloud). This way we retain privacy and end-to-end encryption while leveraging Nextcloud’s sharing and versioning.

In summary: for a minimal one-person or small-team setup, a cloud file service like MEGA keeps things simple. For serious collaboration or compliance needs, Nextcloud + Cryptomator on our infrastructure offers full functionality and security.

Part 6: Custom Email with MailCow

For email hosting on our own domain, we use MailCow: Dockerized.

MailCow is a powerful, fully open-source mail server suite that bundles all the essential email components in one unified Docker-based package. It includes:

  • Postfix (Mail Transfer Agent)

  • Dovecot (IMAP/POP3 server)

  • SOGo (webmail and calendar)

  • Rspamd (spam filtering)

  • ClamAV (antivirus)

  • A friendly web-based admin UI


Key advantages of MailCow

  • Integrated setup: MailCow comes with pre-configured sensible defaults and a modern browser-based admin panel. You can easily manage user accounts, domains, DKIM/DMARC/SPF, TLS certificates, and more without building or scripting everything from scratch.

  • Security features: It enforces SSL/TLS encryption on all mail services (SMTP, IMAP, webmail) by default. The built-in Rspamd handles spam filtering, while ClamAV scans for viruses and malware — keeping your mail flow clean and safe.

  • Docker-based architecture: The entire suite runs as Docker containers, making it easy to deploy, snapshot, migrate, and upgrade. This containerized model simplifies maintenance and increases reproducibility across different environments.

  • Cost-effective: MailCow is 100% open source and does not require any licensing or per-user fees. This makes it especially attractive for small teams or solo developers who want full control without recurring costs.


Alternative options

FastPanel.direct (with built-in mail module)

  • What it is: FastPanel is a free web hosting control panel that includes a mail module (based on Exim, Dovecot, and Roundcube).

  • Why use it: If you already plan to host websites using FastPanel, you get integrated mail support in the same interface. It is simpler to configure for small teams and saves time if you don’t want a dedicated mail suite like MailCow.

  • Limitations: While easier to set up, it lacks advanced security features (like Rspamd with reputation learning) and fine-grained controls. You may have fewer options for advanced spam policies or multi-domain setups.


Cloudflare + Gmail hybrid method

  • What it is: Use Cloudflare to manage DNS records and point your MX records to Gmail (Google Workspace), or forward inbound email to Gmail and send through Gmail SMTP.

  • Why use it: Extremely easy for small setups. You get Gmail’s advanced spam filtering, modern webmail, calendar, and contacts interface without running your own mail server.

  • Pros: Very reliable, great deliverability, excellent anti-spam.

  • Cons: Not fully self-hosted, requires paying for Google Workspace or using personal Gmail with forwarding (which can be limited or not suitable for business domains). You also lose full data sovereignty.


Other self-hosted mail alternatives

  • iRedMail: Another all-in-one mail server stack, simpler than MailCow but without a strong UI. Good for those who prefer traditional non-Docker deployments.

  • Mail-in-a-Box: Very beginner-friendly self-hosted mail solution, installs everything on a single Ubuntu VM. Easy for small teams or hobby projects but less customizable.

  • Zimbra Open Source Edition: More enterprise-focused, feature-rich, but more resource intensive and complex to maintain.

| Feature | MailCow | FastPanel Mail | Cloudflare + Gmail | iRedMail | Mail-in-a-Box |
| --- | --- | --- | --- | --- | --- |
| Self-hosted | ✅ Yes | ✅ Yes | ❌ (cloud hybrid) | ✅ Yes | ✅ Yes |
| Dockerized | ✅ Yes | | | | |
| Anti-spam & AV | ✅ Advanced | ⚠️ Basic | ✅ Gmail-level | ✅ Yes | ✅ Yes |
| Ease of setup | ⚠️ Medium | ✅ Easy | ✅ Easiest | ⚠️ Medium | ✅ Easiest |
| Fine-grained control | ✅ Full | ⚠️ Limited | ❌ Limited | ✅ Good | ⚠️ Limited |

Final choice reasoning

MailCow provides a robust, fully integrated, and secure self-hosted mail solution without recurring costs.

However, if your priority is ease and minimal maintenance rather than full control, forwarding to Gmail or using FastPanel’s mail module can be faster and simpler.

Choose based on your priorities: full sovereignty and features (MailCow), simplicity (Gmail hybrid), or minimal resources (FastPanel).

Part 7: Docs Sites

In addition to all self-hosted and on-premise components, documentation is one area where using cloud services can be a major advantage. While security is always a priority, documentation typically does not contain highly sensitive data (for example, it does not store credentials, keys, or personal information). This makes using SaaS platforms a practical and efficient choice.

Below, we break down several popular options — their strengths, when and why you might choose each, and what trade-offs you should consider.


GitBook

What it is: GitBook is a modern, cloud-based platform designed to create, maintain, and publish beautiful documentation websites and internal knowledge bases.

Why we use it:

  • Clean and intuitive WYSIWYG editor: You can write in a "what you see is what you get" interface or use Markdown — no coding skills required.

  • Version control and history: Track every change, rollback, and see diffs, just like in Git.

  • Custom domain and branding: Easily set your own domain (e.g., docs.yourcompany.com) and customize branding to match your style.

  • Access control: Manage who can view or edit docs (e.g., open public docs or internal restricted docs).

  • Interactive and responsive: Works perfectly on mobile and desktop, and supports interactive code snippets and embeds.

  • Automatic SEO optimization: Pages are SEO-friendly out of the box, improving discoverability.

When to use it: If you want a fast, modern-looking documentation site without dealing with servers, build pipelines, or complex configuration. Ideal for startups, teams with limited DevOps resources, or anyone focused on content-first approach.

Drawbacks:

  • Fully cloud-based — you do not control the infrastructure, and you depend on GitBook’s availability and pricing changes.


Gramax

What it is: Gramax is a self-hosted, open-source platform designed for creating technical documentation, knowledge bases, and product docs. Unlike GitBook, Gramax is not a cloud-only SaaS — it can be fully deployed on your own server, giving you complete control over data and infrastructure.

Why we use it:

  • Full data control: All your documentation stays on your servers, under your management — no third-party storage or SaaS dependency.

  • Lightweight and modern design: Offers a modern UI similar to GitBook, making docs easy to read and navigate.

  • Markdown-based: Uses Markdown for content creation, making it developer-friendly and easy to integrate with Git workflows.

  • Fast deployment: Can be installed quickly via Docker or traditional Linux packages, with minimal configuration.

  • Custom branding and themes: Supports customizing the appearance and structure to match your brand or project style.

When to use it:

  • When you need a GitBook-like experience but want full self-hosting and control.

  • When your organization requires compliance with strict data sovereignty policies.

  • When you want to avoid any recurring SaaS fees.

Drawbacks:

  • Requires your own server resources and knowledge to set up and maintain.

  • You handle backups, security patches, and updates yourself.


Docsify

What it is: Docsify is an open-source documentation generator that turns your Markdown files into a beautiful, mobile-friendly single-page application (SPA) documentation site. Unlike static site generators (like Jekyll or Hugo), Docsify runs entirely on the client side, meaning you don’t need to build static HTML — it renders Markdown files on the fly in the browser.

Why we use it:

  • No build process: Just write Markdown files and deploy — no need to run build commands or generate static pages.

  • Instant preview and updates: You can update Markdown files directly, and changes are immediately reflected in the browser.

  • Lightweight and fast: Small footprint, works even on minimal hosting setups (e.g., GitHub Pages).

  • Extensible: Supports plugins, themes, and custom navigation.

What it protects against: Not a security tool — it is purely for documentation presentation.

When to use it:

  • When you want a super-simple and fast way to publish docs without a backend.

  • When you deploy docs via static hosting (Netlify, Vercel, GitHub Pages, etc.).

  • When you want ultra-lightweight and minimal maintenance.

Drawbacks:

  • No built-in authentication or access control.

  • Not ideal for very large doc sets with complex search or SSO needs.


AppFlowy

What it is: AppFlowy is an open-source, self-hosted alternative to Notion. It is a collaborative workspace designed for building wikis, docs, databases, and managing tasks. AppFlowy focuses on privacy, extensibility, and local-first principles.

Why we use it:

  • Full data ownership: All data is stored locally or on your own server — no vendor lock-in or third-party storage.

  • Notion-like interface: Familiar block-based editor, drag-and-drop, inline databases, kanban boards.

  • Customizable: You can modify or extend the codebase to match your exact workflow needs.

  • Community-driven: Open-source with an active developer community.

What it protects against:

  • Keeps internal knowledge private; you control all data.

  • Reduces risk of data breaches compared to hosted SaaS workspaces.

When to use it:

  • For internal team wikis, knowledge bases, or collaborative project docs.

  • When privacy and data sovereignty are top priorities.

  • When you want an all-in-one knowledge and task hub similar to Notion.

Drawbacks:

  • Still evolving; some features may be less polished than in mature SaaS solutions.

  • Requires self-hosting and ongoing maintenance.

| Platform | Type | Best for | Strengths | Drawbacks |
| --- | --- | --- | --- | --- |
| GitBook | SaaS | External or quick internal docs | Beautiful UI, no setup hassle | SaaS, data on third-party |
| Gramax | Self-hosted | Private or compliance-heavy docs | Modern UI, Markdown-based, full control | Needs server & maintenance |
| Docsify | Self-hosted | Simple developer docs | Zero build, ultra-lightweight | No authentication, basic search only |
| AppFlowy | Self-hosted | Internal wikis & docs | Privacy, local storage, Notion-like UX | Early-stage, needs maintenance |


Part 8: Analytics & User Tracking

Understanding how users interact with your services, websites, or apps is critical for improving usability, performance, and security. In our stack, we consider both cloud-based and self-hosted analytics options depending on privacy, compliance, and control requirements.


Google Analytics

What it is: Google Analytics is a widely used cloud-based analytics platform that provides detailed insights into user behavior, traffic sources, audience demographics, conversion rates, and more.

Why we use it (or might use it):

  • Easy to integrate: Just add a tracking script to your website.

  • Advanced features: Built-in funnels, goals, event tracking, A/B testing, and e-commerce analytics.

  • Free for most use cases (GA4 standard version).

What it protects against: Not a protection layer — purely for data analysis.

When to use it:

  • When you prioritize advanced features over data sovereignty.

  • When data privacy laws (GDPR, CCPA) do not strictly require data localization or on-prem storage.

  • When you need seamless integration with other Google marketing tools (Ads, Tag Manager, etc.).

Drawbacks:

  • Data is stored and processed on Google servers.

  • May conflict with strict privacy policies or regional data residency requirements.

  • Visitors may block Google scripts with privacy tools.


Plausible Analytics

What it is: Plausible is a privacy-focused, open-source analytics platform that can be self-hosted or used as a managed service. It does not use cookies and is fully compliant with GDPR, CCPA, and PECR.

Why we use it:

  • Privacy-friendly: No personal data or cookies, simplifying legal compliance.

  • Lightweight: Adds minimal overhead to page load times.

  • Transparent: Open-source codebase allows full auditing and customization.

What it protects against:

  • Helps avoid privacy policy complexity and potential legal issues.

  • Reduces user tracking footprint.

When to use it:

  • When user privacy is a priority.

  • When you want full control over data by self-hosting.

  • When analytics needs are simpler (page views, referrers, top pages).

Drawbacks:

  • Less feature-rich than Google Analytics (e.g., lacks advanced funnels and detailed visitor profiling).

  • Requires hosting and maintenance if self-hosted.


Litlyx

What it is: Litlyx is another modern, open-source, self-hosted analytics solution. Like Plausible, it focuses on privacy and minimalism but offers extra flexibility for custom metrics and event tracking.

Why we use it:

  • Self-hosted: Full control of data and compliance with data residency laws.

  • Flexible: Supports custom event tracking beyond basic page views.

  • Lightweight and easy to integrate.

What it protects against:

  • Prevents third-party data harvesting.

  • Reduces data exposure risks.

When to use it:

  • When you want privacy-focused analytics with custom events and extended metrics.

  • When running fully on your own infrastructure is a must.

Drawbacks:

  • Needs more setup and technical maintenance than Google Analytics.

  • Smaller community and fewer integrations than mainstream solutions.

| Platform | Hosting Type | Strengths | Best for | Drawbacks |
| --- | --- | --- | --- | --- |
| Google Analytics | Cloud-based | Powerful features, integrations | Marketing-heavy sites, e-commerce, advanced tracking | Privacy and compliance issues |
| Plausible Analytics | Self-hosted | Privacy-first, lightweight | Simple sites, privacy-focused organizations | Fewer advanced features |
| Litlyx | Self-hosted | Privacy-first, custom event support | Privacy + custom metrics use cases | Requires maintenance |

If privacy and data sovereignty are top priorities, Plausible or Litlyx (self-hosted) are the best choices. If you need advanced marketing analytics and can accept data outsourcing, Google Analytics is still the most feature-rich option.

Part 9: Backups & Disaster Recovery

Even the most secure infrastructure is never complete without a solid backup strategy. Backups help protect against data loss from ransomware, hardware failure, accidental deletions, and catastrophic incidents.

In our stack, we rely on multiple options to ensure business continuity.


Dokploy Native Backups (S3 Destinations)

What it is: Dokploy, our chosen deployment and orchestration platform, already supports automated backups to S3-compatible storage out of the box (called S3 Destinations).

Why we use it:

  • Integrated and easy to set up: You can configure backups directly in the Dokploy UI without additional tools.

  • Versioned backups: Allows restoring to different points in time.

  • Offsite storage: Using S3 (e.g., AWS S3, Wasabi, Backblaze B2, or self-hosted MinIO) ensures that data is stored off your primary server, reducing the risk of total loss.

How it is used: Configure S3 credentials and the backup schedule directly in Dokploy. Your application data and volumes can then be snapshotted and sent to the S3 bucket automatically.


Restic

What it is: Restic is a fast, secure, and efficient open-source backup program that supports many backends (local disk, SFTP, S3, etc.).

Why we use it:

  • Encryption by default: All backups are encrypted locally before being uploaded.

  • Deduplication: Saves space by storing only unique data blocks.

  • Cross-platform: Can back up multiple types of servers and endpoints.

When to use it:

  • When you need independent, granular backups beyond what Dokploy provides.

  • When you want additional redundancy (e.g., separate file-level or database backups).
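
A nightly Restic job of the kind described above, as an added example that is not from the article or the Restic project: it refuses to run when the password file is accessible to group or others, creates the repository on first use, then backs up, applies retention and checks the repository. The default paths, the `nightly` tag and the retention numbers are assumptions.

```shell
#!/bin/sh
# Added example. Assumed values (not from the article): the three default
# paths below, the "nightly" tag and the retention policy.
REPO="${RESTIC_REPOSITORY:-/srv/backup/restic-repo}"
PASSFILE="${RESTIC_PASSWORD_FILE:-/root/.restic-pass}"
SRC="${BACKUP_SRC:-/var/lib/app-data}"

# The repository password decrypts every snapshot, so refuse to run when
# the file holding it grants any permission to group or others.
check_passfile() {
    [ -f "$1" ] || { echo "missing password file: $1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$perms" = "------" ] && return 0
    echo "password file $1 is accessible to group/others" >&2
    return 1
}

# Every restic call goes through here so repo and password are never omitted.
r() { restic -r "$REPO" --password-file "$PASSFILE" "$@"; }

backup_run() {
    check_passfile "$PASSFILE" || return 1
    # "cat config" fails when no repository exists yet: create it once.
    # With a wrong password it also fails, and init then refuses to overwrite.
    r cat config >/dev/null 2>&1 || r init || return 1
    # Client-side encrypted, deduplicated snapshot of the source directory.
    r backup "$SRC" --tag nightly || return 1
    # Retention: forget old snapshots, then prune data nothing references.
    r forget --tag nightly --keep-daily 7 --keep-weekly 4 --keep-monthly 6 \
        --prune || return 1
    # Verify repository structure and re-read a 5% sample of stored data.
    r check --read-data-subset=5% || return 1
}

# Run only when invoked as "script.sh run" (e.g. from cron or a systemd timer).
if [ "${1:-}" = "run" ]; then
    backup_run
fi
```

A non-zero exit from `backup_run` means one of the steps failed, so the scheduler that calls it should alert on that status.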


BorgBackup

What it is: BorgBackup (or simply Borg) is another open-source deduplicating backup solution focused on high performance and secure encryption.

Why we use it:

  • Efficient storage: Deduplication and compression greatly reduce backup size.

  • Strong encryption: Protects backup contents from unauthorized access.

  • Flexibility: Supports local, SSH, and remote storage destinations.

When to use it:

  • When you want full control over backup structure and schedules.

  • When backing up large data volumes or entire file systems.

| Solution | Encryption | Deduplication | Storage Options | Best for |
| --- | --- | --- | --- | --- |
| Dokploy S3 | Depends on S3 backend | Versioning only | S3-compatible storage | Simple, integrated app-level backups |
| Restic | Yes | Yes | Local, SFTP, S3, etc. | Flexible, secure backups for apps & files |
| BorgBackup | Yes | Yes | Local, SSH, remote | Efficient full-system or directory backups |

Part 10: Free Host Sites

This is the bonus section of the article, which you can read on another page of the documentation: "Websites in the Cloud" or in Archive Posts, number 5 (there are translations into other languages and sources there).
