A few months ago I decided to self-host everything for my software house instead of paying for cloud infrastructure. Here's what's running on a Raspberry Pi 4B (4GB) at home:
Astro static site + nginx Full mail stack (Postfix + Dovecot + Roundcube) in Docker MariaDB with automated backups GoAccess analytics with custom Python bot/human separation Dynamic IP blocklist generated at every deploy Certbot managed on a separate Orange Pi Zero 3 (HAProxy + SSL termination)
The Orange Pi Zero 3 as a dedicated HAProxy node was the best €25 I spent — SSL overhead completely offloaded from the Pi, all subdomains routed through one config, clean network separation between "what faces the internet" and "what runs the services." Storage: all boards boot from SSD via USB3. No SD cards in production. The ISP situation: Eolo wireless, 20Mbps down / 100Mbps upload. Yes, upload is 5x download. For a web server that's actually ideal. Real stress test — June 22, 2026 A post on r/italy hit 20k views in 24 hours. Numbers that day:
555 human visitors (vs ~180 daily average) 151 unique IPs 72.2% return rate 9.98 MB bandwidth 0 downtime 0 errors in the mail stack
PageSpeed from Google's infrastructure:
Desktop: Performance 100 / SEO 100 Mobile: Performance 97 / SEO 100
No CDN. No Cloudflare. No edge nodes. Just nginx on a Pi. The honest limitations:
Single point of failure — yes, if the Pi dies the site goes down Mail deliverability on residential ISP is hard (Brevo relay helps) No redundancy — we run backups, not replicas
All traffic data is live and public: stats.lake8.dev/geo.html Happy to answer questions on any part of the stack.
Ciao! Really enjoyed reading about your setup — Alpine + Podman is a great minimal choice, and the Wireguard-in-front-of-SSH approach is elegant. On HAProxy: for my use case it's not really a load balancer — it's a reverse proxy and SSL termination point running on a separate board (Orange Pi Zero 3). The main reason is architectural: it sits in front of everything, handles Certbot renewals, and routes traffic to the Raspberry Pi 4B behind NAT. If one board needs maintenance, the other keeps running. For a personal setup with low traffic, you honestly don't need it. Caddy already does what HAProxy does for me, and with less configuration. Your setup sounds cleaner for what you need. One thing I noticed we share: the bot/scraper problem is real. My public dashboard shows 6400+ attacks in 17 days vs ~4500 legitimate human visits. The uncommon port trick is underrated. 😄
Aaah that's good to know. I've seen HAproxy mentioned before and this was the first time I looked at it.
I am happy I went with Caddy because networking is not my strength and Caddy is quite simple in comparison to other reverse proxies. Nginx config files will forever look like scribbles to me.
I don't know about the limitations of using an uncommom port though because my needs are quite small and obscure by design. I do wonder if other people could benefit from using wildcard certs + uncommon ports. Watching bots/scrapers drop to zero attempts and stay zero has been really satisfying and I haven't had the desire to use outside services like Anubis or Cloudflare.
I know someone out there with itchy fingers is ready to warn that obscurity isn't security and I wouldn't deny that. However, I do believe obscurity layered with security is valid as long as security takes the main focus.
Caddy is a great choice for exactly that reason — it gets out of your way. HAProxy gives me more granular control but the config is definitely not for everyone. On the obscurity point: you're absolutely right, and I'd sign that statement. Obscurity alone is theater. Obscurity on top of solid security is a legitimate noise reducer. Watching bots drop to zero is genuinely satisfying — my public dashboard shows 6,400+ attack attempts in 17 days vs ~4,500 real humans. The bots are loud. The wildcard cert + uncommon port approach is underrated for small personal setups. The attack surface doesn't shrink, but the automated scanners move on and that's often enough. 😄