Tommy2970

Ciao! Really enjoyed reading about your setup — Alpine + Podman is a great minimal choice, and the Wireguard-in-front-of-SSH approach is elegant. On HAProxy: for my use case it’s not really a load balancer — it’s a reverse proxy and SSL termination point running on a separate board (Orange Pi Zero 3). The main reason is architectural: it sits in front of everything, handles Certbot renewals, and routes traffic to the Raspberry Pi 4B behind NAT. If one board needs maintenance, the other keeps running. For a personal setup with low traffic, you honestly don’t need it. Caddy already does what HAProxy does for me, and with less configuration. Your setup sounds cleaner for what you need. One thing I noticed we share: the bot/scraper problem is real. My public dashboard shows 6400+ attacks in 17 days vs ~4500 legitimate human visits. The uncommon port trick is underrated. 😄

confusedpuppy @lemmy.dbzer0.com to Selfhosted@lemmy.world • My entire production website runs on a Raspberry Pi 4B + Orange Pi Zero 3 — real traffic, public dashboard, zero cloud English For the past year I’ve been learning to self host minimally on a used Raspberry Pi 5. I do have a Pi 4 as well but that’s dedicated to HomeAssistant for the small handful of lights and switches it controls.

Both Pi’s run Alpine Linux with Podman containers. For my Pi 5 server it runs Caddy as my reverse proxy/SSL cert handler plus another contained for Kiwix. It’s super simple. Caddy also has a basic file server for me to host my git repositories as well as hosting my static site.

The static site is based off a script I found called BashWrite but it hasn’t been updated in a year so I decided to add some of my own changes to it here. I also fixed up some of the English grammar since the original creater wasn’t an English native speaker.

I’m still focusing on the background stuff but I’ve put a lot of effort into security and hardening. I’ve written all the maintenance (backup, keep-alive, updating) myself using POSIX portable scripts which can all be found on my codeberg page. It’s been a long process but I’m nearly there. I just have to switch from iptables to nftables and add secrets to my Caddyfile configuration to hide important keys that are currently sitting as plain text. After that I can focus on my blog/static site.

Since I’m not doing this for a business, I’ve decided to use a wildcard domain for my SSL cert plus an uncommon port as a low effort way to hide myself from bots/scraper. Also I set up Wireguard infront of my SSH connection to also hide from bots. My log activity only shows my own activity which is comforting to know, especially since I’ve seen just how active bots and scrapers are in comparison to a year ago when I was just getting started and beginning to learn things.

It’s really cool to see another minimal project like this and I think it’s refreshing to see. A lot of the times I see people with dozens on intensive services running and I feel a bit out of place with my scaled down self hosted project.

My only question about your setup is about HAproxy. How important is a load balancer for your site? I don’t think I will need one for myself since the traffic will mostly be for myself and a few people I know personally but I am still curious about how it works and how effective it is for your setup.

Body

Deal! Work hard, find truffles, get tortellini con burro e tartufo. Best salary package in the industry. 😀

He’s a Lagotto Romagnolo — a breed selected for centuries specifically for truffle hunting. It’s literally in his DNA. Training starts as a puppy: you hide small pieces of truffle in the garden and let him find them. Now the only way to make him truly happy is to let him run free in the woods — and you run behind him 😄 When he finds one, he expects a proper reward. I’m from Bologna, so his payment is a tortellino per truffle. Fair trade. 😁

Keep up the hard work. English is bonkers.12:34Claude ha risposto: — Grazie! English is indeed bonkers. I’ll stick with pasta asciutta and truffle dogs. 👍

Honored. 🙏

My dog and I […]” is proper English grammar.

It’s impolite for you to be first in the list of beings. “Me is 100% real” is wrong, it’s “I am […]” Your AI needs a grammar upgrade. 😉 thk :-) Grammar noted and appreciated! My dog and I are 100% real. BASIC would have caught that error, but he was busy finding truffles. :-)

Ah, yeah, we don’t like Google here either. Ciao! At this rate I’ll have to rewrite everything in carrier pigeons. :-)

Ciao! Thank you — happy to be here. The mess feels familiar, honestly. My server room looks exactly the same. 😄 Looking forward to sharing more — there’s plenty of journey still ahead.

Good catch! But actually our site has no database — it’s built with Astro, everything is MDX compiled to pure static HTML. Nothing to corrupt there 😄 For the rest (MariaDB for our products, configs, data) we use Restic — daily backups on the Orange Pi Zero 3 with retention policy (backup + forget + prune).

Ciao! I don’t have a tutorial yet, but it’s on my list — actually, this question is a good motivation to write one! 😄 The short version: HAProxy on Orange Pi Zero 3 (Armbian), Certbot for SSL, reverse proxy to Raspberry Pi 4B behind NAT. The trickiest part is the ACL rules for multiple subdomains and the certificate renewal hook. I’ll write a proper post about it on lake8.dev — I’ll mention it here when it’s ready.

Ciao! I’m Italian — my English is not exactly my strongest skill. But if AI-assisted translation bothers you, I can always switch to Google Translate 😊 Hope that’s reassuring enough.

Image

This is BASIC — my Lagotto Romagnolo. Official lake8.dev mascot and uptime monitor. He also finds truffles. 😍

Ciao ropatrick! You nailed it perfectly. The big corporations made it incredibly easy — two minutes and you’re in. But “free” and “easy” always has a price, and in this case it’s your data and your independence. You’re right that self-hosting is still too technical for most people. That’s actually part of why I built lake8.dev — to make this kind of infrastructure more accessible for small businesses, at least in the manufacturing sector. And yes — that feeling of satisfaction is very real. Every time the server handles real traffic from my living room, it feels like a small personal victory against the cloud monopoly. 😄 Grazie for the kind words — and for actually reading and understanding the post!

Ciao! I’m Italian 🇮🇹 — my English is very “pasta asciutta” level. I use AI to help me write without saying something cosmically wrong. Sorry for that. But me and my dog are 100% real. 🐕

Image

Here’s my “cloud infrastructure” Air conditioning — NO Sterile environment — NO Dedicated server room — NO Enterprise-grade monitoring — is BASIC (BASIC is my Lagotto Romagnolo. He checks uptime personally.)

Exactly. I didn’t move to the cloud. The cloud moved to my living room.

Ha, thanks! To be fair — I’ve been writing code since 1995, and doing industrial software for the last 21 years. So not exactly a beginner. The self-hosted infrastructure side was genuinely new territory though, and yes, a lot came together quickly. “Git sum” is going on the wall. 😄

That’s brutal — and unfortunately very common. ISPs love the “you’re violating ToS” card, especially when they have a more expensive business plan to sell you. The irony is that most residential ToS are deliberately vague about what constitutes “running a business” — a wedding RSVP site is hardly a commercial operation, but it doesn’t matter when the ISP is the judge, jury and executioner. We’ve been lucky with Eolo so far — they haven’t flagged anything. Part of the reason is probably that our traffic profile looks residential (low inbound, spikes rather than constant load) and we’re not running anything that would show up as “suspicious” on their side. The asymmetry you’re describing is real though. A large company can host whatever they want on enterprise infrastructure. A small developer hosting a wedding site gets cut off without warning. Self-hosting is getting harder at the residential level precisely because ISPs have a financial incentive to make it harder. Hope you found a better solution eventually.

Big oof on that mobile performance score, gotta get that fixed XD Ha, fair point — 97 is not 100. 😄 To be honest, I know exactly what’s pulling it down and I’m working on it. Running a static site on a Raspberry Pi with 100Mbps upload and hitting 97 on mobile from Google’s infrastructure felt like a win worth sharing — but you’re right, there’s always room to squeeze out those last 3 points. The perfectionist in me agrees with you. The pragmatist in me is still celebrating.

Ha! That’s actually quite meta — you used Claude to understand a post that was partially written with Claude’s help. Welcome to 2026, where AI reads infrastructure posts so humans don’t have to. 😄 Glad the setup is impressive even through the translation layer. If you have any specific questions, ask away — I’ll try to answer in plain English this time

You’re completely right, and thank you for saying it directly. Let me try again in plain English: I run a small software company from home. Instead of paying €50-100/month for hosting, email, and analytics services, I built everything on a €60 Raspberry Pi computer sitting next to my router. What’s actually running on it:

The website you’re reading about (like any website, just hosted at home instead of on AWS) Email — when someone writes to info@lake8.dev, it lands on that Pi Analytics — that world map showing where visitors come from

That’s it. Three things, one small computer, zero monthly fees. There’s also a green angle that rarely gets mentioned: the entire setup draws around 3-4W idle — less than a LED light bulb. A data center rack serving the same traffic would consume orders of magnitude more. Self-hosting at this scale isn’t just cheaper, it’s genuinely lighter on the planet. The complexity you’re seeing is real — it took months to set up and I have 20+ years of experience. I’m not going to pretend it’s for everyone. It isn’t. But that’s also why I built Lagotto BI — our actual product — which does the opposite: takes complex business data and makes it readable for people who just want to understand their business, not manage servers. So yes, “software house” is my small business. The Pi is just how I run the infrastructure behind it without paying cloud prices forever. Thanks for the honest feedback — it’s genuinely useful. thk :-)

Buona domanda. Onestamente il nostro setup di logging è semplice per design — niente syslog centralizzato, niente aggregazione remota. Tutto resta locale sul Pi: log nginx in /srv/logs/, log applicazioni via Docker, log di sistema via journald. Niente lascia la macchina tranne quello che spingiamo esplicitamente (statistiche giornaliere verso la dashboard pubblica via scp). L’aspetto privacy che citi è interessante — noi non abbiamo la preoccupazione della “privacy domestica” perché il Pi È il server, ma il principio di tenere i log locali lo condividiamo. Niente Elastic, niente Loki, niente syslog remoto. HAProxy sull’Orange Pi Zero 3 ha i suoi log locali separati — non li spediamo al Pi. Due nodi, due store di log indipendenti. Non è architetturato per la scala. È architetturato per semplicità e controllo — che per una software house di una persona è il tradeoff giusto. E grazie per il commento sulla ridondanza — fingere che un Pi singolo sia highly available sarebbe stato imbarazzante. Non lo è. Funziona abbastanza bene, e sapere dov’è il punto di failure conta più che fingere che non esista.

Honestly no — I didn’t feel it at all. The Pi was handling the spike silently in the background while I was working normally. Upload bandwidth on Eolo is 100Mbps, and a static Astro site serving mostly HTML/CSS is incredibly light. Peak day was 555 human visitors with 9.98MB total bandwidth — that’s nothing for a residential connection. The Cloudflare tunnel approach is smart especially without a static IP. We have a static IP included with Eolo (unusual for residential, I know) which simplifies things. For DDoS protection we rely on HAProxy on a separate Orange Pi Zero 3 doing rate limiting and our dynamic blocklist — but honestly at our scale a proper DDoS would still hurt. The “who knows about the future” concern about Cloudflare is real though. Building on free tiers of centralized services is convenient until it isn’t — which is part of why we went full self-hosted in the first place.

Thk 😀

Inbound: sender → port 587 → Postfix → Dovecot → Roundcube Outbound: Postfix → Brevo relay → recipient Thk

lake8.dev 😀