Self-Hosted Infrastructure
Two Machines. Thirty Services. Zero SaaS.
A full homelab stack across two machines — RPi5 running core networking and lightweight apps, Lenovo Flex 4 running automation and data tools — all routed through Traefik with Authelia SSO.
System Architecture
Two physical machines, one unified infrastructure — all traffic routed through a single Traefik entry point.
Request Lifecycle
Every request — from any device, anywhere — follows this exact path before reaching a service. No exceptions. No back doors.
401 — Traefik serves the login page. The target service never receives the request.
By the Numbers
What This Would Cost in SaaS
Every service below runs locally on hardware I already own. The "SaaS equivalent" column shows what a comparable hosted product bills monthly.
| Self-Hosted Service | SaaS Alternative | Monthly SaaS Cost | Savings |
|---|---|---|---|
| n8n (Workflow automation) | n8n Cloud Starter | $20 | $20 |
| Outline (Team wiki / knowledge base) | Notion Team | $10 | $10 |
| Invoice Ninja (Invoicing & billing) | Invoice Ninja Pro | $14 | $14 |
| Ghostfolio (Portfolio tracker) | Ghostfolio Premium | $14 | $14 |
| DocuSeal (Document signing) | HelloSign Essentials | $15 | $15 |
| Mautic (Email & marketing) | Mailchimp Essentials | $20 | $20 |
| Infisical (Secrets management) | Infisical Pro | $6 | $6 |
| Grafana + Loki (Observability stack) | Grafana Cloud Pro | $29 | $29 |
| Total monthly SaaS equivalent | $128/mo | $0/mo | |
Hardware cost: RPi5 (~$80 one-time) + repurposed Lenovo Flex 4 ($0). Electricity: ~$8/mo for both. ROI < 8 months.
Key Design Decisions
Split Routing
Traefik runs only on the RPi5. RPi5 services use Docker labels for zero-config routing. Flex 4 services are defined in a static external service file — no Traefik container on the Flex 4 itself, keeping it lean.
Single Sign-On
Authelia acts as a forward-auth middleware for all services. One login with MFA covers every app — no per-service passwords, no credential sprawl.
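One way to check that every route really sits behind the forward-auth layer, as an added example that is not part of the original page: the script walks router and middleware definitions and lists each router that no forwardAuth middleware covers, directly or through a chain. The JSON is constructed sample data shaped like Traefik's `/api/http/routers` and `/api/http/middlewares` responses; the hostnames, middleware names, and the rule that unqualified chain members inherit the chain's provider are assumptions.

```python
import json

# Constructed sample data shaped like Traefik's /api/http/routers and
# /api/http/middlewares responses; every name and host here is made up.
ROUTERS = json.loads("""[
  {"name": "outline@docker", "rule": "Host(`wiki.example.lan`)", "middlewares": ["authelia@docker"]},
  {"name": "n8n@file", "rule": "Host(`n8n.example.lan`)", "middlewares": ["secure-chain@file"]},
  {"name": "grafana@file", "rule": "Host(`grafana.example.lan`)", "middlewares": ["headers@file"]},
  {"name": "ghostfolio@file", "rule": "Host(`folio.example.lan`)"},
  {"name": "authelia@docker", "rule": "Host(`auth.example.lan`)"}
]""")
MIDDLEWARES = json.loads("""[
  {"name": "authelia@docker", "provider": "docker", "forwardAuth": {"address": "http://authelia:9091/api/authz/forward-auth"}},
  {"name": "headers@file", "provider": "file", "headers": {"stsSeconds": 31536000}},
  {"name": "secure-chain@file", "provider": "file", "chain": {"middlewares": ["headers", "authelia@docker"]}}
]""")

def qualify(name, provider):
    """Assumption: chain members without '@provider' inherit the chain's provider."""
    return name if "@" in name else f"{name}@{provider}"

def enforces_auth(name, by_name, seen=None):
    """True if the middleware is a forwardAuth or a chain that contains one."""
    seen = seen or set()
    mw = by_name.get(name)
    if mw is None or name in seen:  # unknown or cyclic reference: count as unprotected
        return False
    seen.add(name)
    if "forwardAuth" in mw:
        return True
    members = mw.get("chain", {}).get("middlewares", [])
    return any(enforces_auth(qualify(m, mw.get("provider", "")), by_name, seen) for m in members)

def unprotected_routers(routers, middlewares, exempt=()):
    """Names of routers that no forward-auth middleware covers, minus explicit exemptions."""
    by_name = {m["name"]: m for m in middlewares}
    return sorted(
        r["name"] for r in routers
        if r["name"] not in exempt
        and not any(enforces_auth(m, by_name) for m in r.get("middlewares", []))
    )

if __name__ == "__main__":
    # The login portal itself has to stay reachable without a session.
    for name in unprotected_routers(ROUTERS, MIDDLEWARES, exempt={"authelia@docker"}):
        print("no forward-auth:", name)
```

A clean result only covers routes Traefik knows about; a container port published directly on either host bypasses the proxy and needs a separate check.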
Resource Efficiency
Sablier auto-stops idle containers and wakes them on demand. Rarely-used services don't waste RAM when inactive — sub-second wake-on-request.
Docker Socket Isolation
The Docker socket is never directly exposed to containers. A socket-proxy enforces an allowlist of safe API calls — Traefik manages routing without full Docker access.
Centralized Observability
Promtail ships logs from the RPi5 to the Flex 4 Grafana/Loki stack. All metrics and logs in one dashboard, regardless of which machine generated them.
AI-Assisted Operations
Paperless-AI automatically tags and categorizes incoming documents. n8n orchestrates cross-service workflows — reducing manual overhead for routine ops tasks.
Why Self-Host?
Every SaaS subscription is a dependency. A pricing change, a policy update, a data breach — any of it can break a workflow you depend on. Self-hosting trades convenience for control, and for a data-driven person who cares about where their data lives, that tradeoff is worth it.
Owning your stack isn't about saving money. It's about knowing exactly what's running and why.
The architecture evolved from a single Raspberry Pi running a handful of services into a split two-node setup as the workloads grew. The RPi5 handles latency-sensitive networking; the Flex 4 handles CPU-intensive data and automation tasks.
The most important lesson: start with a good reverse proxy and auth layer. Everything else can be added incrementally, but retrofitting SSO and TLS across 20 services is painful. Build the entry point first, then add services behind it.