Privacy-first self-host stack

5 open-source picks · replaces 5 SaaS · self-host on your own VPS

Persona. Security-conscious team or regulated org keeping analytics + credentials + SSO + notes + video inside its own perimeter, with zero data egress to US ad-tech.

Stack total · starts at

$35/mo

sum of per-tool VPS-cost lower bounds · recommended VPS providers →

Hardest setup in stack

moderate

worst of 5 picks

Health mix

5 alive

live from GitHub at build time

Run this stack

Two files, one command. Pinned image tags, named volumes, env vars in .env.example. Read the compose comments to see which picks are inlined vs which have heavier official composes linked.

curl -O https://code-rho-dun.vercel.app/stack/privacy-first/compose.yml
curl -O https://code-rho-dun.vercel.app/stack/privacy-first/.env.example && mv .env.example .env
docker compose up -d

Raw files: compose.yml · .env.example

Why these together

The privacy-first stack is the one a security-conscious team or a regulated org self-hosts to keep data inside its own perimeter. Plausible measures the public site without cookies and without pushing visitor data to a US ad-tech vendor; Vaultwarden stores credentials end-to-end-encrypted with the official Bitwarden clients; Authentik is the SSO that fronts every internal service so an offboarded employee loses access in one operation; Joplin is the encrypted notes app that replaces Evernote without uploading plaintext to anyone; Jitsi runs the video meetings that Zoom would route through US servers. The compose.yml on this page ships Vaultwarden + Joplin Server (+ postgres) — the two single-purpose pieces that close credential and notes egress with one file. Plausible (postgres + clickhouse), Authentik (server + worker + postgres + redis), and Jitsi (multi-container with STUN/TURN) have heavier installs and ship their own first-party composes, linked from inside the file. The full intended endpoint is all five behind a single reverse proxy with Authentik forward-auth, so you log in once and the rest of the stack inherits the session — that wiring is left to the operator since proxy choice is environment-specific.

The 5 picks

Pick	Replaces	Cost / setup	Health
Plausible plausible/analytics · `AGPL-3.0`	Google Analytics Web analytics	$5/mo+ easy · 10min docker-compose	alive ★ 24.8k · today
Vaultwarden dani-garcia/vaultwarden · `AGPL-3.0`	1Password Password manager / secrets vault	$5/mo+ easy · 10min docker-compose	alive ★ 60.2k · 11d ago
Authentik goauthentik/authentik · `MIT`	Auth0 Identity / SSO / authentication-as-a-service	$10/mo+ easy · 15min docker-compose	alive ★ 21.5k · today
Joplin laurent22/joplin · `AGPL-3.0`	Evernote Personal notes / web clipper / archive	$5/mo+ easy · 10min — desktop/mobile app + Joplin Server (or any WebDAV) for sync	alive ★ 54.8k · today
Jitsi Meet jitsi/jitsi-meet · `Apache-2.0`	Zoom Video conferencing	$10/mo+ moderate · 15-30min (Debian package + nginx)	alive ★ 29.2k · today

Other stacks

Indie Hacker self-host stack · 5 picks
Remote team self-host stack · 5 picks
Customer support team self-host stack · 4 picks
Dev platform self-host stack · 5 picks
Observability on $5 self-host stack · 5 picks
Marketing team self-host stack · 5 picks
Product team self-host stack · 5 picks
AI builder self-host stack · 4 picks