A few months ago I decided to self-host everything for my software house instead of paying for cloud infrastructure. Here’s what’s running on a Raspberry Pi 4B (4GB) at home:

Astro static site + nginx Full mail stack (Postfix + Dovecot + Roundcube) in Docker MariaDB with automated backups GoAccess analytics with custom Python bot/human separation Dynamic IP blocklist generated at every deploy Certbot managed on a separate Orange Pi Zero 3 (HAProxy + SSL termination)

The Orange Pi Zero 3 as a dedicated HAProxy node was the best €25 I spent — SSL overhead completely offloaded from the Pi, all subdomains routed through one config, clean network separation between “what faces the internet” and “what runs the services.” Storage: all boards boot from SSD via USB3. No SD cards in production. The ISP situation: Eolo wireless, 20Mbps down / 100Mbps upload. Yes, upload is 5x download. For a web server that’s actually ideal. Real stress test — June 22, 2026 A post on r/italy hit 20k views in 24 hours. Numbers that day:

555 human visitors (vs ~180 daily average) 151 unique IPs 72.2% return rate 9.98 MB bandwidth 0 downtime 0 errors in the mail stack

PageSpeed from Google’s infrastructure:

Desktop: Performance 100 / SEO 100 Mobile: Performance 97 / SEO 100

No CDN. No Cloudflare. No edge nodes. Just nginx on a Pi. The honest limitations:

Single point of failure — yes, if the Pi dies the site goes down Mail deliverability on residential ISP is hard (Brevo relay helps) No redundancy — we run backups, not replicas

All traffic data is live and public: stats.lake8.dev/geo.html Happy to answer questions on any part of the stack.

    • Tommy Fogli@feddit.itOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      Ciao! I don’t have a tutorial yet, but it’s on my list — actually, this question is a good motivation to write one! 😄 The short version: HAProxy on Orange Pi Zero 3 (Armbian), Certbot for SSL, reverse proxy to Raspberry Pi 4B behind NAT. The trickiest part is the ACL rules for multiple subdomains and the certificate renewal hook. I’ll write a proper post about it on lake8.dev — I’ll mention it here when it’s ready.

    • Tommy Fogli@feddit.itOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      Inbound: sender → port 587 → Postfix → Dovecot → Roundcube Outbound: Postfix → Brevo relay → recipient Thk

  • Carl Newton@feddit.uk
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    That’s awesome! I would never have expected that kind of throughput. On the day of your popular post, did you feel the traffic while trying to use the internet yourself at all? I sometimes fear that I’m going to get hit by something that interrupts what I’m doing and I’ll have to take the server down temporarily. It hasn’t happened yet though. I use a cloudflare tunnel mostly because I don’t have a static IP address, but it does help reassure me in the event of a DDOS and blocking bot traffic. Those services are free by the way (for the time being at least! Who knows about the future)

    • Tommy Fogli@feddit.itOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      Honestly no — I didn’t feel it at all. The Pi was handling the spike silently in the background while I was working normally. Upload bandwidth on Eolo is 100Mbps, and a static Astro site serving mostly HTML/CSS is incredibly light. Peak day was 555 human visitors with 9.98MB total bandwidth — that’s nothing for a residential connection. The Cloudflare tunnel approach is smart especially without a static IP. We have a static IP included with Eolo (unusual for residential, I know) which simplifies things. For DDoS protection we rely on HAProxy on a separate Orange Pi Zero 3 doing rate limiting and our dynamic blocklist — but honestly at our scale a proper DDoS would still hurt. The “who knows about the future” concern about Cloudflare is real though. Building on free tiers of centralized services is convenient until it isn’t — which is part of why we went full self-hosted in the first place.

  • Mordred_85@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    Setup solido. Una domanda tecnica: syslog restituendo on-prem o tutto centralizzato su firewall logs verso la Pi? Io separo questi due (syslog localmente, applicazioni su VPS remoto) per motivi di privacy domestica. Curiosità su come lo gestisci.

    Complimenti anche per non aver barato su “redundanza” : ammettere il single point of failure è più utile di 10 artikel su Kubernetes. 👍

    • Tommy Fogli@feddit.itOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      Buona domanda. Onestamente il nostro setup di logging è semplice per design — niente syslog centralizzato, niente aggregazione remota. Tutto resta locale sul Pi: log nginx in /srv/logs/, log applicazioni via Docker, log di sistema via journald. Niente lascia la macchina tranne quello che spingiamo esplicitamente (statistiche giornaliere verso la dashboard pubblica via scp). L’aspetto privacy che citi è interessante — noi non abbiamo la preoccupazione della “privacy domestica” perché il Pi È il server, ma il principio di tenere i log locali lo condividiamo. Niente Elastic, niente Loki, niente syslog remoto. HAProxy sull’Orange Pi Zero 3 ha i suoi log locali separati — non li spediamo al Pi. Due nodi, due store di log indipendenti. Non è architetturato per la scala. È architetturato per semplicità e controllo — che per una software house di una persona è il tradeoff giusto. E grazie per il commento sulla ridondanza — fingere che un Pi singolo sia highly available sarebbe stato imbarazzante. Non lo è. Funziona abbastanza bene, e sapere dov’è il punto di failure conta più che fingere che non esista.

  • nexttech@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    Hello !

    This is quite the setup !

    I had to put your post in an ai (claude) so that i can understand what you were saying, but it’s still amazing!

    • Tommy Fogli@feddit.itOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      Ha! That’s actually quite meta — you used Claude to understand a post that was partially written with Claude’s help. Welcome to 2026, where AI reads infrastructure posts so humans don’t have to. 😄 Glad the setup is impressive even through the translation layer. If you have any specific questions, ask away — I’ll try to answer in plain English this time

    • Tommy Fogli@feddit.itOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      Ciao! I’m Italian 🇮🇹 — my English is very “pasta asciutta” level. I use AI to help me write without saying something cosmically wrong. Sorry for that. But me and my dog are 100% real. 🐕

      • frongt@lemmy.zip
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        The AI is writing for you. None of your words are coming through. While I’m sure that Google translate runs on AI these days, it’s miles better than chatgpt.

        Even if your English is terrible, I’d still rather read broken English than AI slop. (Or you can post the short top-line summary in English and the rest in Italian, or even just the whole thing in Italian; this isn’t an english-only community!)

        • Tommy Fogli@feddit.itOP
          link
          fedilink
          English
          arrow-up
          0
          ·
          15 days ago

          Ciao, messaggio ricevuto. La prossima volta preparerò il post appositamente per te. Se mi mandi le specifiche IEEE ti prometto che farò del mio meglio per rispettarle. Buona serata.

        • Tommy Fogli@feddit.itOP
          link
          fedilink
          English
          arrow-up
          0
          ·
          15 days ago

          Ciao! I’m Italian — my English is not exactly my strongest skill. But if AI-assisted translation bothers you, I can always switch to Google Translate 😊 Hope that’s reassuring enough.

          • BakedCatboy@lemmy.ml
            link
            fedilink
            English
            arrow-up
            0
            ·
            15 days ago

            Yeah Google translate preserves a lot more of your communication style. AI overuses so many phrases it can get annoying reading something that was processed through it.

            • Tommy Fogli@feddit.itOP
              link
              fedilink
              English
              arrow-up
              0
              ·
              15 days ago

              Ciao! Fair enough. Though 200 people seemed to understand my AI-assisted English just fine — maybe the issue isn’t the language. 😄

              • BakedCatboy@lemmy.ml
                link
                fedilink
                English
                arrow-up
                0
                ·
                15 days ago

                To re-state, it’s not a problem of understand or the language, it’s a problem with overused, bland, and repetitive language and phrasing. It’s not fun to read even if you can understand it perfectly.

                Just because 200 people understood your post doesn’t mean it isn’t annoying to read. And it’s a super simple thing to fix - don’t use AI to rewrite your post and just use a normal translator instead, which won’t inject bland and repetitive phrases and structures.

                • Tommy Fogli@feddit.itOP
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  15 days ago

                  You’re right, and that’s a fair criticism. I’ll use a plain translator next time. Thanks for pushing back on it.

      • Philippe23@lemmy.ca
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        “My dog and I […]” is proper English grammar.

        1. It’s impolite for you to be first in the list of beings.
        2. “Me is 100% real” is wrong, it’s “I am […]”

        Your AI needs a grammar upgrade. 😉

        • Tommy Fogli@feddit.itOP
          link
          fedilink
          English
          arrow-up
          0
          ·
          15 days ago

          My dog and I […]” is proper English grammar.

          It’s impolite for you to be first in the list of beings. “Me is 100% real” is wrong, it’s “I am […]” Your AI needs a grammar upgrade. 😉 thk :-) Grammar noted and appreciated! My dog and I are 100% real. BASIC would have caught that error, but he was busy finding truffles. :-)

            • Tommy Fogli@feddit.itOP
              link
              fedilink
              English
              arrow-up
              0
              ·
              15 days ago

              Keep up the hard work. English is bonkers.12:34Claude ha risposto: — Grazie! English is indeed bonkers. I’ll stick with pasta asciutta and truffle dogs. 👍

      • Grail@multiverse.soulism.net
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        You’re completely right — OP’s comments do sound like an AI! Keep going, champ, and let U̸̡̢̖̜̬̐Ș̵̲̈̀̎̈́ know what project you’d like to work on next!

  • Tommy Fogli@feddit.itOP
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    Here’s my “cloud infrastructure” Air conditioning — NO Sterile environment — NO Dedicated server room — NO Enterprise-grade monitoring — is BASIC (BASIC is my Lagotto Romagnolo. He checks uptime personally.)

  • Tommy Fogli@feddit.itOP
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    This is BASIC — my Lagotto Romagnolo. Official lake8.dev mascot and uptime monitor. He also finds truffles. 😍

      • Tommy Fogli@feddit.itOP
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        He’s a Lagotto Romagnolo — a breed selected for centuries specifically for truffle hunting. It’s literally in his DNA. Training starts as a puppy: you hide small pieces of truffle in the garden and let him find them. Now the only way to make him truly happy is to let him run free in the woods — and you run behind him 😄 When he finds one, he expects a proper reward. I’m from Bologna, so his payment is a tortellino per truffle. Fair trade. 😁

          • Tommy Fogli@feddit.itOP
            link
            fedilink
            English
            arrow-up
            0
            ·
            15 days ago

            Deal! Work hard, find truffles, get tortellini con burro e tartufo. Best salary package in the industry. 😀

  • confusedpuppy@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    For the past year I’ve been learning to self host minimally on a used Raspberry Pi 5. I do have a Pi 4 as well but that’s dedicated to HomeAssistant for the small handful of lights and switches it controls.

    Both Pi’s run Alpine Linux with Podman containers. For my Pi 5 server it runs Caddy as my reverse proxy/SSL cert handler plus another contained for Kiwix. It’s super simple. Caddy also has a basic file server for me to host my git repositories as well as hosting my static site.

    The static site is based off a script I found called BashWrite but it hasn’t been updated in a year so I decided to add some of my own changes to it here. I also fixed up some of the English grammar since the original creater wasn’t an English native speaker.

    I’m still focusing on the background stuff but I’ve put a lot of effort into security and hardening. I’ve written all the maintenance (backup, keep-alive, updating) myself using POSIX portable scripts which can all be found on my codeberg page. It’s been a long process but I’m nearly there. I just have to switch from iptables to nftables and add secrets to my Caddyfile configuration to hide important keys that are currently sitting as plain text. After that I can focus on my blog/static site.

    Since I’m not doing this for a business, I’ve decided to use a wildcard domain for my SSL cert plus an uncommon port as a low effort way to hide myself from bots/scraper. Also I set up Wireguard infront of my SSH connection to also hide from bots. My log activity only shows my own activity which is comforting to know, especially since I’ve seen just how active bots and scrapers are in comparison to a year ago when I was just getting started and beginning to learn things.

    It’s really cool to see another minimal project like this and I think it’s refreshing to see. A lot of the times I see people with dozens on intensive services running and I feel a bit out of place with my scaled down self hosted project.

    My only question about your setup is about HAproxy. How important is a load balancer for your site? I don’t think I will need one for myself since the traffic will mostly be for myself and a few people I know personally but I am still curious about how it works and how effective it is for your setup.

    • Tommy Fogli@feddit.itOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      Ciao! Really enjoyed reading about your setup — Alpine + Podman is a great minimal choice, and the Wireguard-in-front-of-SSH approach is elegant. On HAProxy: for my use case it’s not really a load balancer — it’s a reverse proxy and SSL termination point running on a separate board (Orange Pi Zero 3). The main reason is architectural: it sits in front of everything, handles Certbot renewals, and routes traffic to the Raspberry Pi 4B behind NAT. If one board needs maintenance, the other keeps running. For a personal setup with low traffic, you honestly don’t need it. Caddy already does what HAProxy does for me, and with less configuration. Your setup sounds cleaner for what you need. One thing I noticed we share: the bot/scraper problem is real. My public dashboard shows 6400+ attacks in 17 days vs ~4500 legitimate human visits. The uncommon port trick is underrated. 😄

      confusedpuppy @lemmy.dbzer0.com to Selfhosted@lemmy.world • My entire production website runs on a Raspberry Pi 4B + Orange Pi Zero 3 — real traffic, public dashboard, zero cloud English For the past year I’ve been learning to self host minimally on a used Raspberry Pi 5. I do have a Pi 4 as well but that’s dedicated to HomeAssistant for the small handful of lights and switches it controls.

      Both Pi’s run Alpine Linux with Podman containers. For my Pi 5 server it runs Caddy as my reverse proxy/SSL cert handler plus another contained for Kiwix. It’s super simple. Caddy also has a basic file server for me to host my git repositories as well as hosting my static site.

      The static site is based off a script I found called BashWrite but it hasn’t been updated in a year so I decided to add some of my own changes to it here. I also fixed up some of the English grammar since the original creater wasn’t an English native speaker.

      I’m still focusing on the background stuff but I’ve put a lot of effort into security and hardening. I’ve written all the maintenance (backup, keep-alive, updating) myself using POSIX portable scripts which can all be found on my codeberg page. It’s been a long process but I’m nearly there. I just have to switch from iptables to nftables and add secrets to my Caddyfile configuration to hide important keys that are currently sitting as plain text. After that I can focus on my blog/static site.

      Since I’m not doing this for a business, I’ve decided to use a wildcard domain for my SSL cert plus an uncommon port as a low effort way to hide myself from bots/scraper. Also I set up Wireguard infront of my SSH connection to also hide from bots. My log activity only shows my own activity which is comforting to know, especially since I’ve seen just how active bots and scrapers are in comparison to a year ago when I was just getting started and beginning to learn things.

      It’s really cool to see another minimal project like this and I think it’s refreshing to see. A lot of the times I see people with dozens on intensive services running and I feel a bit out of place with my scaled down self hosted project.

      My only question about your setup is about HAproxy. How important is a load balancer for your site? I don’t think I will need one for myself since the traffic will mostly be for myself and a few people I know personally but I am still curious about how it works and how effective it is for your setup.

      Body

      • confusedpuppy@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        15 days ago

        Aaah that’s good to know. I’ve seen HAproxy mentioned before and this was the first time I looked at it.

        I am happy I went with Caddy because networking is not my strength and Caddy is quite simple in comparison to other reverse proxies. Nginx config files will forever look like scribbles to me.

        I don’t know about the limitations of using an uncommom port though because my needs are quite small and obscure by design. I do wonder if other people could benefit from using wildcard certs + uncommon ports. Watching bots/scrapers drop to zero attempts and stay zero has been really satisfying and I haven’t had the desire to use outside services like Anubis or Cloudflare.

        I know someone out there with itchy fingers is ready to warn that obscurity isn’t security and I wouldn’t deny that. However, I do believe obscurity layered with security is valid as long as security takes the main focus.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    15 days ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    Git Popular version control system, primarily for code
    ISP Internet Service Provider
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)
    nginx Popular HTTP server

    [Thread #29 for this comm, first seen 26th Jun 2026, 07:20] [FAQ] [Full list] [Contact] [Source code]

  • nelson@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    15 days ago

    How do you enforce consistent backups of the database? Do you dump the data periodically? Copying the data on the docker volume won’t give you consistent ( and possibly corrupted ) backups IIRC if the database itself isn’t stopped.

    • Tommy Fogli@feddit.itOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      Good catch! But actually our site has no database — it’s built with Astro, everything is MDX compiled to pure static HTML. Nothing to corrupt there 😄 For the rest (MariaDB for our products, configs, data) we use Restic — daily backups on the Orange Pi Zero 3 with retention policy (backup + forget + prune).

    • pmk@piefed.ca
      link
      fedilink
      English
      arrow-up
      0
      ·
      15 days ago

      If clouds are far away, then self-hosting could be “fog”? Clouds at ground level that you walk around in.