Docker

If you have ever handed a new team member a README full of “install Node 22, then Python 3.12, then make sure your openssl headers match” instructions, you already know the problem. Nix flakes solve it at the root: instead of documenting what to install, you declare the exact toolchain in a flake.nix file, commit it alongside your code, and every developer runs nix develop to get an identical environment - same compiler, same CLI versions, same system libraries. In 2026, Nix flakes are stable, the Nixpkgs repository holds over 100,000 packages, and the ecosystem around flakes has matured to the point where the learning curve is manageable even for teams with no prior Nix experience.

Run Traefik v3 as a Docker container to build a production-ready stack. It discovers services through Docker labels and handles Let’s Encrypt TLS certificates automatically. You won’t need separate Nginx configs because everything lives in one docker-compose.yml file. This setup gives you a self-managing reverse proxy for multi-service deployments.

The current stable release as of early 2026 is Traefik v3.6.x, with v3.7 in early access. All examples in this guide target the v3.x line.

A wildcard SSL cert for *.example.com from Let’s Encrypt covers every one-level subdomain. You get one through the DNS-01 challenge, or, since February 2026, through the new DNS-PERSIST-01 challenge that skips per-renewal DNS edits. One wildcard cert replaces the per-service certs you’d otherwise juggle behind your reverse proxy.

Why Wildcard Certificates and When You Need Them

If you run three subdomains, single certs work fine. Each one gets its own HTTP-01 challenge, Certbot handles renewal, and life is simple. Once you pass 10 or 15 subdomains, the chore list grows. Every new service needs its own cert request, its own renewal entry, and its own way to break. A wildcard cert folds all of that into one.

A fanless home server under $300 is real in 2026. Using an Intel N150 or N305 mini PC - the Beelink EQ12 Pro or GMK NucBox G3 - you get a passively cooled machine that draws 6-15W under load, makes zero noise, and handles a full stack of self-hosted services: Home Assistant, Jellyfin, Vaultwarden, Nextcloud, Immich, and a WireGuard VPN all running simultaneously without a single fan spinning.

For self-hosting on Linux in 2026, Podman is the better default. It has no daemon, runs rootless out of the box, and its Quadlet unit files make containers behave like any other systemd service on your box. I say that as someone whose own stack still runs on Docker . After years of reading that Podman is lighter, faster, and safer, I installed it next to Docker and measured the difference on my own hardware. Some claims held up: rootless Podman with pasta networking (Podman’s user-mode network layer) beat rootful Docker’s bridge on download throughput in every run. There is also no daemon holding memory between deployments. One claim did not survive: the often-repeated “Podman starts containers about 50 ms faster” was a statistical tie on my machine.

You can run a self-hosted Plausible Analytics instance on a $6/month VPS. It uses Docker Compose and a Caddy reverse proxy for automatic HTTPS. The whole process takes under 30 minutes. Once it runs, you add one <script> tag to your site and you’re done. No cookie banners, no personal data collected. The tracking script weighs under 1 KB gzipped. It stores everything in a ClickHouse database on your own server, and gives you a clean, fast dashboard for your traffic.