A few months ago I decided to self-host everything for my software house instead of paying for cloud infrastructure. Here’s what’s running on a Raspberry Pi 4B (4GB) at home:

Astro static site + nginx Full mail stack (Postfix + Dovecot + Roundcube) in Docker MariaDB with automated backups GoAccess analytics with custom Python bot/human separation Dynamic IP blocklist generated at every deploy Certbot managed on a separate Orange Pi Zero 3 (HAProxy + SSL termination)

The Orange Pi Zero 3 as a dedicated HAProxy node was the best €25 I spent — SSL overhead completely offloaded from the Pi, all subdomains routed through one config, clean network separation between “what faces the internet” and “what runs the services.” Storage: all boards boot from SSD via USB3. No SD cards in production. The ISP situation: Eolo wireless, 20Mbps down / 100Mbps upload. Yes, upload is 5x download. For a web server that’s actually ideal. Real stress test — June 22, 2026 A post on r/italy hit 20k views in 24 hours. Numbers that day:

555 human visitors (vs ~180 daily average) 151 unique IPs 72.2% return rate 9.98 MB bandwidth 0 downtime 0 errors in the mail stack

PageSpeed from Google’s infrastructure:

Desktop: Performance 100 / SEO 100 Mobile: Performance 97 / SEO 100

No CDN. No Cloudflare. No edge nodes. Just nginx on a Pi. The honest limitations:

Single point of failure — yes, if the Pi dies the site goes down Mail deliverability on residential ISP is hard (Brevo relay helps) No redundancy — we run backups, not replicas

All traffic data is live and public: stats.lake8.dev/geo.html Happy to answer questions on any part of the stack.

  • Tommy2970@feddit.itOPEnglish
    32·
    6 hours ago

    Ciao! Really enjoyed reading about your setup — Alpine + Podman is a great minimal choice, and the Wireguard-in-front-of-SSH approach is elegant. On HAProxy: for my use case it’s not really a load balancer — it’s a reverse proxy and SSL termination point running on a separate board (Orange Pi Zero 3). The main reason is architectural: it sits in front of everything, handles Certbot renewals, and routes traffic to the Raspberry Pi 4B behind NAT. If one board needs maintenance, the other keeps running. For a personal setup with low traffic, you honestly don’t need it. Caddy already does what HAProxy does for me, and with less configuration. Your setup sounds cleaner for what you need. One thing I noticed we share: the bot/scraper problem is real. My public dashboard shows 6400+ attacks in 17 days vs ~4500 legitimate human visits. The uncommon port trick is underrated. 😄

    confusedpuppy @lemmy.dbzer0.com to [email protected] • My entire production website runs on a Raspberry Pi 4B + Orange Pi Zero 3 — real traffic, public dashboard, zero cloud English For the past year I’ve been learning to self host minimally on a used Raspberry Pi 5. I do have a Pi 4 as well but that’s dedicated to HomeAssistant for the small handful of lights and switches it controls.

    Both Pi’s run Alpine Linux with Podman containers. For my Pi 5 server it runs Caddy as my reverse proxy/SSL cert handler plus another contained for Kiwix. It’s super simple. Caddy also has a basic file server for me to host my git repositories as well as hosting my static site.

    The static site is based off a script I found called BashWrite but it hasn’t been updated in a year so I decided to add some of my own changes to it here. I also fixed up some of the English grammar since the original creater wasn’t an English native speaker.

    I’m still focusing on the background stuff but I’ve put a lot of effort into security and hardening. I’ve written all the maintenance (backup, keep-alive, updating) myself using POSIX portable scripts which can all be found on my codeberg page. It’s been a long process but I’m nearly there. I just have to switch from iptables to nftables and add secrets to my Caddyfile configuration to hide important keys that are currently sitting as plain text. After that I can focus on my blog/static site.

    Since I’m not doing this for a business, I’ve decided to use a wildcard domain for my SSL cert plus an uncommon port as a low effort way to hide myself from bots/scraper. Also I set up Wireguard infront of my SSH connection to also hide from bots. My log activity only shows my own activity which is comforting to know, especially since I’ve seen just how active bots and scrapers are in comparison to a year ago when I was just getting started and beginning to learn things.

    It’s really cool to see another minimal project like this and I think it’s refreshing to see. A lot of the times I see people with dozens on intensive services running and I feel a bit out of place with my scaled down self hosted project.

    My only question about your setup is about HAproxy. How important is a load balancer for your site? I don’t think I will need one for myself since the traffic will mostly be for myself and a few people I know personally but I am still curious about how it works and how effective it is for your setup.

    Body

    • confusedpuppy@lemmy.dbzer0.comEnglish
      1·
      3 hours ago

      Aaah that’s good to know. I’ve seen HAproxy mentioned before and this was the first time I looked at it.

      I am happy I went with Caddy because networking is not my strength and Caddy is quite simple in comparison to other reverse proxies. Nginx config files will forever look like scribbles to me.

      I don’t know about the limitations of using an uncommom port though because my needs are quite small and obscure by design. I do wonder if other people could benefit from using wildcard certs + uncommon ports. Watching bots/scrapers drop to zero attempts and stay zero has been really satisfying and I haven’t had the desire to use outside services like Anubis or Cloudflare.

      I know someone out there with itchy fingers is ready to warn that obscurity isn’t security and I wouldn’t deny that. However, I do believe obscurity layered with security is valid as long as security takes the main focus.

      • Tommy2970@feddit.itOPEnglish
        1·
        2 hours ago

        Caddy is a great choice for exactly that reason — it gets out of your way. HAProxy gives me more granular control but the config is definitely not for everyone. On the obscurity point: you’re absolutely right, and I’d sign that statement. Obscurity alone is theater. Obscurity on top of solid security is a legitimate noise reducer. Watching bots drop to zero is genuinely satisfying — my public dashboard shows 6,400+ attack attempts in 17 days vs ~4,500 real humans. The bots are loud. The wildcard cert + uncommon port approach is underrated for small personal setups. The attack surface doesn’t shrink, but the automated scanners move on and that’s often enough. 😄