The LastPass breach in December 2022 exposed encrypted vaults. The Okta breach in October 2023 took two weeks for them to confirm it affected all customers. CircleCI's January 2023 incident exposed secrets in customers' build pipelines. In each case, the breach happened on infrastructure you never controlled, maintained by teams you never interviewed, with incident response timelines you had no say in.
Self-hosting used to be the answer only if you had a dedicated ops team. That changed. Docker Compose reduced "deploy your own version of X" from a multi-day infrastructure project to a 20-minute task. A $20/month VPS now runs several production-grade services simultaneously.
This is not a post arguing you should self-host everything. It's a map of where self-hosting is viable, what you gain, what you actually give up, and what it costs in time—not just money.
The Honest Disclaimer First
Self-hosting is not free. It trades a monthly SaaS bill for:
- ▸Time: Someone must own updates, backups, and incident response. Budget 2–4 hours per month per service for maintenance, more when something breaks.
- ▸Expertise: You need someone who can read Docker Compose files, troubleshoot networking, and manage SSL certificates. This is not rocket science, but it's not nothing.
- ▸Reliability: If Zapier goes down, Zapier fixes it. If your n8n instance goes down at 2 AM, you fix it.
- ▸Integrations: SaaS products invest heavily in third-party integrations. Self-hosted alternatives often have fewer, or they require more configuration.
The calculus changes at scale. At 50 users, you might save $40,000/year by self-hosting your identity provider. That justifies a part-time DevOps hire. At 5 users, the math works differently.
With that said—here are ten categories where self-hosting is genuinely viable in 2026.
TL;DR Summary Table
| Category | Self-Hosted | Replaces | Monthly VPS Cost | Setup Time |
|---|---|---|---|---|
| Project Management | Vikunja | Todoist, Trello | $5–10 | 15 min |
| Password Manager | Vaultwarden | 1Password, LastPass | $5 (shared) | 20 min |
| Analytics | Plausible / Umami | Google Analytics | $6 | 15 min |
| Git Hosting | Forgejo / Gitea | GitHub | $10–20 | 30 min |
| Automation | n8n | Zapier, Make | $10–20 | 20 min |
| Notes | Trilium / Obsidian + Syncthing | Notion | $5 (shared) | 30 min |
| Team Chat | Mattermost | Slack | $20–40 | 45 min |
| Email Marketing | Listmonk | Mailchimp | $10 (shared) | 45 min |
| Identity (IAM) | Authentik | Auth0, Okta | $20–40 | 2–3 hours |
| Collaborative Docs | CryptPad | Google Docs | $10 (shared) | 20 min |
1. Project Management: Vikunja
Replaces: Todoist, Trello, Asana (light usage)
Vikunja is a task management application with projects, lists, Kanban views, Gantt charts, and recurring tasks. It handles teams, has granular permissions, and supports CalDAV sync. The UI is clean—not embarrassing to open in a client meeting.
```yaml
services:
vikunja:
image: vikunja/vikunja:latest
ports:
- "3456:3456"
environment:
VIKUNJA_SERVICE_JWTSECRET: your-secret-key
VIKUNJA_DATABASE_PATH: /db/vikunja.db
volumes:
- ./data:/app/vikunja/files
- ./db:/db
```
You gain: No per-seat pricing. 50 users costs the same as 5. All task data on your infrastructure. Gantt charts are included—Asana charges $24.99/user/month for those.
You lose: Mobile apps are functional but not polished. No native integrations with Salesforce, GitHub PRs, or Slack without manual webhook configuration. Email notifications require your own SMTP relay.
Bottom line: Excellent replacement for teams spending $50–200/month on Asana or Todoist. Struggles to replace Jira for engineering workflows that depend on deep CI/CD integration.
2. Password Manager: Vaultwarden
Replaces: 1Password, LastPass, Bitwarden (cloud)
Vaultwarden is an unofficial Bitwarden server implementation written in Rust. It is compatible with all official Bitwarden clients, browser extensions, mobile apps, desktop apps, which means your team gets a polished frontend while you control the backend.
After the December 2022 LastPass vault dump, every organization should be asking: where do our encrypted vaults live, and who has access to the encryption infrastructure? LastPass stored vault data with 100,000 PBKDF2 iterations for many accounts, far below the OWASP recommendation of 600,000. With Vaultwarden, you set the KDF parameters yourself.
```yaml
services:
vaultwarden:
image: vaultwarden/server:latest
volumes:
- ./vw-data:/data
environment:
DOMAIN: https://vault.yourcompany.com
SIGNUPS_ALLOWED: "false"
ADMIN_TOKEN: your-admin-token
ports:
- "80:80"
```
You gain: Full control over vault encryption keys and storage. No vendor pricing changes mid-contract. Deployable behind a VPN, accessible only to your team, not reachable from the public internet.
You lose: You are responsible for backups. A corrupted database with no backup means lost credentials. Set up automated daily backups before you import anything. Emergency access features work but require initial setup.
The maintenance reality: Vaultwarden updates are frequent. If you fall behind, you miss security patches. Subscribe to the GitHub releases page and update monthly.
Bottom line: Best self-hosted option for credential management. Vaultwarden's unofficial status is the only caveat. Bitwarden's official self-hosted server is the compliant alternative if your auditors require it. For a full head-to-head against commercial alternatives, see our Vaultwarden vs 1Password vs Bitwarden comparison.
3. Analytics: Plausible or Umami
Replaces: Google Analytics 4
Five EU data protection authorities have ruled GA4 non-compliant with GDPR because data transfers to US servers violate the Schrems II ruling (ECJ 2020). Austria, France, Italy, Denmark, and Finland have each issued findings. If you serve EU users and are using Google Analytics without a consent management platform, this is a live compliance risk, not a hypothetical.
Both Plausible and Umami ship the same basic Docker Compose pattern:
```yaml
Umami example
services:
umami:
image: ghcr.io/umami-software/umami:postgresql-latest
environment:
DATABASE_URL: postgresql://umami:your-password@db:5432/umami
APP_SECRET: your-secret
ports:
- "3000:3000"
depends_on:
- db
db:
image: postgres:15
environment:
POSTGRES_DB: umami
POSTGRES_USER: umami
POSTGRES_PASSWORD: your-password
```
You gain: GDPR compliance by design, data never leaves your infrastructure. No cookie consent banners required (both are cookieless by default). 1KB tracking script vs GA4's 45KB, which meaningfully improves Core Web Vitals scores. 30–50% of technical users block GA4; self-hosted analytics are blocked at lower rates.
You lose: No attribution modeling. No audience segments for ad targeting. If you need conversion funnels tied to Google Ads campaigns, you still need GA4 for that specific integration.
Plausible vs Umami: Plausible is the more opinionated product, it intentionally omits features to preserve privacy. Umami supports custom events and is more configurable. Both are production-ready.
Bottom line: Straightforward replacement for content sites, SaaS dashboards, and any site with meaningful EU traffic.
4. Git Hosting: Forgejo or Gitea
Replaces: GitHub (for private repositories)
Forgejo is a community-governed fork of Gitea with a more active development cadence. Both provide repositories, pull requests, issues, CI/CD runners (Gitea Actions uses GitHub Actions YAML syntax, most workflows transfer with minimal changes), package registries, and wikis.
```yaml
services:
forgejo:
image: codeberg.org/forgejo/forgejo:latest
environment:
USER_UID: 1000
USER_GID: 1000
volumes:
- ./forgejo:/data
ports:
- "3000:3000"
- "222:22"
```
You gain: Full control over your source code. No GitHub Terms of Service applying to your repositories. CI runners execute on your infrastructure, build logs and secrets stay local. No egress bandwidth charges for large artifact downloads.
You lose: GitHub's ecosystem is unmatched. Dependabot, GitHub Copilot, the Actions marketplace, and most third-party developer tools integrate with GitHub by default. If your workflow depends on GitHub-specific features, migration friction is real.
The realistic use case: Air-gapped environments, regulated industries where source code must stay on-premise, or organizations that want code off public cloud infrastructure entirely.
Bottom line: Forgejo is the recommended choice in 2026 due to more active governance and a clear commitment to remaining community-driven.
5. Automation: n8n
Replaces: Zapier, Make
The security argument here is underappreciated. Automation platforms are credential aggregators. Every OAuth token and API key for your CRM, payment processor, email platform, and HR system lives on Zapier's servers. The CircleCI January 2023 breach exposed secrets stored in customer CI pipelines. The same attack surface exists for any SaaS platform that stores your credentials.
n8n's self-hosted tier includes everything. JavaScript and Python code nodes, all integrations, no workflow limits, which Zapier gates behind its Professional plan at $73.50/month.
```yaml
services:
n8n:
image: docker.n8n.io/n8nio/n8n:latest
ports:
- "5678:5678"
volumes:
- ./n8n_data:/home/node/.n8n
environment:
N8N_BASIC_AUTH_ACTIVE: "true"
N8N_BASIC_AUTH_USER: admin
N8N_BASIC_AUTH_PASSWORD: your-password
```
You gain: Credentials stay on your infrastructure. n8n's pricing model counts per execution (an entire workflow run = 1 execution), not per step. Zapier counts every individual action. A 5-step workflow that runs 10,000 times costs 10,000 executions on n8n, but 50,000 task units on Zapier.
You lose: Zapier has 6,000+ app integrations. n8n has approximately 400 native integrations plus HTTP request nodes for everything else. Less polished setup experience for non-technical users.
Bottom line: The strongest case for self-hosting in this list. The credential security argument alone justifies it for any organization running sensitive data flows through automation. For a full cost and feature breakdown of self-hosted n8n versus Zapier and Make, see our n8n vs Zapier vs Make analysis.
6. Notes and Knowledge: Trilium or Obsidian + Syncthing
Replaces: Notion, Roam Research
Notion is convenient until you consider that your internal strategy documents, competitive analysis, and board meeting notes live on Notion's servers under their terms of service. Notion's AI features train on your workspace data by default (opt-out available, but it requires knowing to find it).
Trilium is a hierarchical note-taking application with rich text, code blocks, relation maps, and scripting support. It runs as a local desktop application or self-hosted server.
Obsidian + Syncthing is the other path: Obsidian stores notes as plain Markdown files on disk. Syncthing provides peer-to-peer file synchronization between devices without a central server. Your notes sync between your laptop and phone without touching any third-party infrastructure. The files are readable forever with any text editor.
```yaml
Trilium server
services:
trilium:
image: zadam/trilium:latest
ports:
- "8080:8080"
volumes:
- ./trilium-data:/home/node/trilium-data
```
You gain: Notes stored in formats you control. No vendor pricing changes. Obsidian's plain Markdown format means zero lock-in, switch applications without data migration.
You lose: Notion's database views, real-time collaborative editing, and public sharing are hard to replicate. Trilium has no concurrent collaboration. For teams using Notion as a shared company wiki with multiple editors, self-hosting adds significant friction.
Bottom line: Strong for individual knowledge management and small teams. Weaker for organizations that rely on Notion's collaborative database features.
7. Team Chat: Mattermost
Replaces: Slack
Mattermost is the most enterprise-ready self-hosted Slack alternative. It has channels, direct messages, threads, search, file uploads, slash commands, bots, and mobile apps. The free Team Edition is genuinely usable for teams under 100 people.
```yaml
services:
mattermost:
image: mattermost/mattermost-team-edition:latest
ports:
- "8065:8065"
volumes:
- ./mattermost/data:/mattermost/data
- ./mattermost/logs:/mattermost/logs
- ./mattermost/config:/mattermost/config
environment:
MM_SQLSETTINGS_DATASOURCE: postgres://mattermost:your-password@db:5432/mattermost?sslmode=disable
```
You gain: Message history you own. No Slack retroactive changes to retention policies or pricing. LDAP and SAML authentication are included in the free tier. Slack charges for SSO at the Business+ plan ($12.50/user/month). Compliance organizations can configure their own data retention and audit logging.
You lose: Slack's integration ecosystem is significantly larger. Mattermost has integrations, but fewer mature ones. The mobile app is functional but does not match Slack's polish. Audio and video calling requires a third-party plugin (Jitsi Meet integration works but adds setup complexity).
The maintenance reality: Mattermost is one of the heavier applications in this list. A lost database means lost chat history. Automated daily backups are non-negotiable before you put team communication on this.
Bottom line: Viable for organizations with 10–100 users and someone willing to own the infrastructure. Not a passive deploy-and-forget service.
8. Email Marketing: Listmonk
Replaces: Mailchimp, ConvertKit
Listmonk is a high-performance newsletter and mailing list manager. It handles subscriber management, segmentation, HTML and plain-text campaigns, and open/click tracking. The PostgreSQL backend scales to millions of subscribers without architectural changes.
```yaml
services:
listmonk:
image: listmonk/listmonk:latest
ports:
- "9000:9000"
environment:
LISTMONK_db__host: db
LISTMONK_db__port: "5432"
LISTMONK_db__user: listmonk
LISTMONK_db__password: your-password
LISTMONK_db__database: listmonk
```
Listmonk handles the application layer. Sending still requires an SMTP service: Amazon SES at $0.10/1,000 emails, Mailgun, Postmark, or SendGrid. For a list of 10,000 subscribers with four monthly sends, Amazon SES costs under $5/month. Compare that to Mailchimp Essentials at $110/month for 10,000 contacts.
You gain: No per-subscriber pricing. No feature limits. Subscriber data stays on your infrastructure. Mailchimp's terms permit them to use aggregated data for their own analytics purposes.
You lose: Mailchimp's visual automation builder, landing page tools, and audience insights. Listmonk is a sending tool, not a full marketing platform. Sophisticated segmentation is possible but requires SQL comfort.
Bottom line: Excellent for straightforward newsletter operations. Not a replacement for full marketing automation workflows.
9. Identity and Access Management: Authentik
Replaces: Auth0, Okta
This is the highest-stakes category in this list, and the one with the strongest argument for self-hosting after 2022–2023.
Okta's October 2023 breach began when a threat actor accessed its support case management system using a stolen credential. BeyondTrust notified Okta on October 2nd. Okta took two weeks to confirm the scope, and initially said 1% of customers were affected before revising to all customers. Auth0 was acquired by Okta for $6.5 billion in 2021 and now shares infrastructure, which means trust concerns about Okta's breach response extend to Auth0 customers.
Authentik provides SAML 2.0, OAuth2, OpenID Connect, LDAP, SCIM, and a full MFA stack. Its Outpost model allows it to proxy authentication to applications that don't natively support SSO.
```yaml
services:
postgresql:
image: docker.io/library/postgres:16-alpine
environment:
POSTGRES_PASSWORD: your-pg-password
POSTGRES_USER: authentik
POSTGRES_DB: authentik
redis:
image: docker.io/library/redis:alpine
server:
image: ghcr.io/goauthentik/server:latest
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: your-pg-password
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_SECRET_KEY: your-secret-key
ports:
- "9000:9000"
- "9443:9443"
worker:
image: ghcr.io/goauthentik/server:latest
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: authentik
AUTHENTIK_POSTGRESQL__PASSWORD: your-pg-password
AUTHENTIK_POSTGRESQL__NAME: authentik
AUTHENTIK_SECRET_KEY: your-secret-key
```
You gain: Identity infrastructure you control. No vendor breach timeline affecting your users. At 500 users, Okta costs $5,000–7,500/month. Authentik hosting costs $50–150/month, a difference that funds a part-time security engineer.
You lose: This is the most complex service in this list. SSO misconfiguration is a security vulnerability, not just a user inconvenience. You need someone who understands OAuth2 and OIDC flows. There is no 24/7 support SLA.
The non-negotiable: High availability is required in production. A single Authentik instance that goes down takes your login infrastructure with it. Plan for at minimum two instances behind a load balancer with a shared managed database before you move production workloads onto it.
Bottom line: High payoff, high responsibility. Right for organizations with security engineering capacity. Wrong for teams without dedicated infrastructure ownership. For background on what makes self-hosting IAM compelling after recent breaches, see our Authentik vs Auth0 vs Okta comparison.
10. Collaborative Docs: CryptPad
Replaces: Google Docs, Google Drive
CryptPad is end-to-end encrypted collaborative document editing. Documents are encrypted client-side before reaching the server, the server operator cannot read document contents. This is a stronger privacy guarantee than any SaaS alternative, including Google Workspace and Microsoft 365.
It supports rich text, spreadsheets, Kanban boards, presentations, and Markdown. Real-time collaboration works. The encryption model is open-source and auditable.
```yaml
services:
cryptpad:
image: cryptpad/cryptpad:latest
ports:
- "3000:3000"
- "3001:3001"
volumes:
- ./cryptpad/data:/cryptpad/data
- ./cryptpad/config:/cryptpad/config
```
You gain: True end-to-end encrypted document storage. Even with physical access to your server, an attacker cannot read document contents without the user's encryption keys. Useful for legal, HR, board communications, and executive documents where confidentiality requirements exceed what Google's terms cover.
You lose: Google Docs integration with the broader Workspace ecosystem is tight. CryptPad's ecosystem is intentionally isolated. Mobile app polish does not match Google Drive. Document conversion (Word, Excel import/export) works but imperfectly.
HedgeDoc is the lighter alternative for teams that only need collaborative Markdown, simpler setup, lower resource use, no spreadsheet support.
Bottom line: Strong for specific high-sensitivity use cases. Not a wholesale Google Workspace replacement for organizations that depend on Drive's sharing and organization features.
Who Should Actually Self-Host?
The honest answer comes in three profiles.
Self-host if you have someone on staff who maintains Linux servers, a budget for a dedicated VPS ($40–80/month runs most of the stack above), and a meaningful reason to control your data, compliance requirements, security posture, or cost savings at scale that justify the operational overhead.
Hybrid approach if you're unsure: start with analytics (lowest stakes, easiest setup) and automation (strongest security argument). Keep identity and chat on SaaS until you have the expertise and operational process to run them correctly.
Stick with SaaS if your team has no one who owns infrastructure, your compliance requirements do not demand data residency, or the cost savings at your current scale don't justify the time investment. Docker Compose is accessible, but accessible is not the same as zero-cost.
The breach timeline of 2022–2024 made clear that SaaS is not inherently more secure than self-hosting, it's a different risk profile. Vendor breach versus operational error. Choose based on which risk your organization is better equipped to manage, not based on which option feels easier to explain to a board.