What to self-host in 2026: 25 apps
A curated list of 25 self-hosted apps worth running in 2026, grouped by job, with what each one replaces, honest RAM and disk needs, and the gotcha to know.
What you are building
Not one app — a shortlist. This is the hub for everything else on this site: twenty-five applications genuinely worth running on your own VPS in 2026, grouped by the job they do. For each one you get the service it replaces, an honest RAM-and-disk figure, and the single thing that will bite you if you skip it. The links point to the full step-by-step guide where one exists.
I have run a VPS host for fifteen years, and I run most of these on my own boxes. So the resource numbers below are what the app actually uses under a small real workload, not the "minimum" from a marketing page. Read them as a budget, then add headroom.
Prerequisites and the honest reality
Every app here runs on a fresh Ubuntu 24.04 KVM VPS with root or sudo. Almost all of them ship as Docker containers, so install Docker once and you are ready for the whole list:
curl -fsSL https://get.docker.com | sudo sh
sudo usermod -aG docker "$USER"
newgrp docker
docker run --rm hello-world
If docker commands fail with permission denied while trying to connect to the Docker daemon socket, you skipped the group step or did not open a new shell — log out and back in. If docker compose returns docker: 'compose' is not a docker command, you have the ancient standalone binary; the script above installs the modern Compose plugin, which you call as docker compose (a space, not a hyphen).
Three realities set the shape of everything below. First, RAM is the constraint, not disk or CPU. A 1 GB VPS runs one small app and nothing more. 4 GB is the real sweet spot for a "self-host a few things" box. 2 GB is the awkward middle where a beginner stacks a third service, hits a silent Out-Of-Memory kill, and never works out why the container just vanished — sudo dmesg shows the Out of memory: Killed process line the daemon swallowed. Second, anything public needs a name and a certificate — a bare IP works for testing and fails the moment you want a phone app or a browser to trust it. Third, two ports decide half your options: 80 and 443 must reach the box for automatic TLS, and outbound 25 is blocked by most providers, which is why email is in the "do not" list at the end.
Files and photos
- Nextcloud replaces Google Drive, Dropbox, and Google Calendar in one suite. Budget 1–2 GB RAM plus whatever your files weigh. The one gotcha: SQLite is fine for a demo and a trap in production — install it on PostgreSQL from the first boot, because migrating the database after your data is in there is the most common way people wreck a Nextcloud. The full Nextcloud on a VPS with Docker, TLS and backups guide sets it up correctly the first time.
- Immich replaces Google Photos, right down to the phone app that auto-uploads your camera roll and the face and object search. Budget 4–6 GB RAM — Immich's own docs say 6 GB minimum, and the machine-learning container is the hungry part — and disk equal to your library plus roughly twenty percent for thumbnails. The gotcha: Immich still ships breaking changes between releases, so never blindly pull
latest; pin a version and read the release notes before every upgrade. The self-hosted Immich photo library guide covers the safe upgrade path. - Seafile replaces Dropbox with the fastest sync engine of the three. Budget around 1 GB RAM. The gotcha: Seafile stores your files as content-addressed blocks, not as plain files on disk, so you cannot browse the data with
lsand you must back up through Seafile's own tools, not by copying a folder.
Passwords
- Vaultwarden replaces Bitwarden's paid tier, LastPass, and 1Password with a tiny Rust server that speaks the Bitwarden protocol, so every official Bitwarden app and browser extension just works. Budget 100–200 MB RAM and almost no disk. The gotcha: this box holds every password you own, so TLS and backups are not optional here, they are the entire point — and set the
ADMIN_TOKENas an Argon2 hash, because a plaintext token in your compose file is a master key sitting in cleartext. The Vaultwarden password manager guide is the best possible first self-host.
Media
- Jellyfin replaces Plex and, for your own library, Netflix — fully open, no account, no paywalled remote streaming. Budget 1–2 GB RAM at idle, but CPU spikes hard on transcode. The gotcha: software transcoding a 4K stream will melt a small VPS; either give the box hardware acceleration or keep your files in a format your clients can play directly (Direct Play), so the server only shovels bytes. The Jellyfin media server on a VPS guide explains which is which.
- Navidrome replaces Spotify for your own music, streaming to any Subsonic-compatible app. Budget 150–300 MB RAM — it is written in Go and barely registers. The gotcha: the first library scan reads every file's tags and can take an hour on a big collection, and bad ID3 tags in, bad browsing experience out.
- Audiobookshelf replaces Audible and your podcast app, keeping playback position across devices. Budget 200–500 MB RAM. The gotcha: it expects a strict folder-per-book layout, and a messy import folder produces a messy, half-detected library that is tedious to fix after the fact.
Automation and AI
- n8n replaces Zapier and Make with a visual workflow builder you own, and no per-task billing. Budget 400 MB–1 GB RAM. The gotcha: n8n encrypts stored credentials with a key it generates on first run, and if you lose that key — or forget to set
N8N_ENCRYPTION_KEYand let it regenerate — every saved credential becomes unreadable and you re-enter them all. The self-hosted n8n with HTTPS guide pins the key and puts a real certificate in front of the webhook URLs. - Ollama replaces a ChatGPT subscription for local, private LLM inference. Budget by model: a 7–8B model wants about 8 GB of RAM, and each model is 4–8 GB on disk. The gotcha: on a CPU-only VPS, inference is honest but slow — think words per second, not the instant replies you get from a hosted API — so set expectations, or rent a GPU box. The run Ollama to self-host an LLM guide has realistic numbers.
Communication
- Rocket.Chat replaces Slack for a team, with threads, calls, and integrations. Budget 2 GB RAM and up, because it runs on MongoDB and that is the heavy tenant. The gotcha: Rocket.Chat pins a specific MongoDB major version per release, and skipping a version during an upgrade is how you strand your database — upgrade one step at a time. The Rocket.Chat with Docker Compose guide walks the version ladder.
- Matrix (Synapse) replaces Slack and Discord with a federated, end-to-end-encrypted network where you own your homeserver. Budget 1–2 GB RAM that grows as you join large public rooms. The gotcha: Synapse's memory use balloons on big federated rooms, and it must run on PostgreSQL — the default SQLite works only for a single-user test and falls over the moment you federate. If Synapse feels heavy, the lighter Conduit or Dendrite servers speak the same protocol.
Networking and access
- WireGuard replaces a commercial VPN, giving you a private tunnel to your own IP and your other services. Budget almost nothing — under 50 MB and the crypto runs in the kernel. The gotcha: on container-based virtualization (OpenVZ, some LXC) the module fails with
RTNETLINK answers: Operation not supported; you want KVM. The self-hosted WireGuard VPN guide is the reference, and pairing it with services bound to the tunnel is how you keep things off the public internet entirely. - Traefik replaces hand-written nginx virtual hosts and manual certificate renewal — it discovers your containers by their Docker labels and fetches Let's Encrypt certs automatically. Budget around 100 MB RAM. The gotcha: the label-based config model is genuinely confusing at first, and a single wrong label leaves an app unrouted with no obvious error. The Traefik reverse proxy for multiple Docker apps guide is built exactly for running several of the apps on this page behind one entry point.
- AdGuard Home replaces a Pi-hole box and paid DNS filtering, blocking ads and trackers for every device on your network at the DNS layer. Budget 100–150 MB RAM. The gotcha: it wants to own port 53, which collides with
systemd-resolvedon Ubuntu — it fails to start withlisten udp 0.0.0.0:53: bind: address already in useuntil you free the port first.
Monitoring
- Uptime Kuma replaces Pingdom, UptimeRobot, and StatusPage with a clean dashboard and alerts to nearly any channel. Budget 150–300 MB RAM. The gotcha, and it is the one people always miss: monitor your production box from a different box — Uptime Kuma running on the same server it watches cannot tell you when that server dies. The Uptime Kuma status monitoring guide covers external placement.
- Zabbix replaces Datadog and enterprise monitoring suites, with deep agent-based metrics, triggers, and history. Budget 2 GB RAM and up, plus its own database. The gotcha: Zabbix is powerful and genuinely heavy to set up — it is overkill for watching three containers and the right tool for a fleet. Start with Uptime Kuma; graduate to the Zabbix monitoring server when you actually have infrastructure to monitor.
Dashboards and control panels
These change the whole model — instead of running compose files by hand, a panel manages the apps for you.
- Cloudron replaces the "I wish this were one-click" wish with a polished app store, automatic TLS, and backups built in. Budget 2 GB RAM minimum, 4 GB comfortably. The gotcha: it is opinionated and wants to own the whole box, and it is free only up to two apps — beyond that it is a paid product.
- CasaOS replaces a messy homelab dashboard with a friendly app grid, free and lightweight. Budget under 200 MB for CasaOS itself. The gotcha: it is designed for a trusted home network and is not hardened for the public internet — do not expose it directly; reach it over WireGuard.
- Coolify replaces Heroku, Vercel, and Netlify — git-push deployments, databases, and previews on your own server. Budget 2 GB RAM minimum. The gotcha: it is a younger project that moves fast, so pin versions and read release notes before upgrading. The Cloudron vs CasaOS vs Coolify comparison breaks down which of the three fits which person.
Developer and productivity tools
- Gitea (or Forgejo) replaces GitHub for private repositories, issues, and CI. Budget 200–500 MB RAM. The gotcha: Forgejo is the community-governed fork of Gitea and the one many people now recommend; both are excellent, but pick one and back up the repositories and the database together — a repo backup without the database loses every issue and pull request.
- Paperless-ngx replaces a filing cabinet and paid document scanners, OCR-ing everything so your documents become searchable. Budget around 1 GB RAM, with CPU spikes during OCR. The gotcha: the OCR results are only as good as your scans, and re-processing a large archive is slow — tune it before you bulk-import ten years of paper.
- Actual Budget replaces YNAB and Mint with fast, local, private envelope budgeting. Budget around 150 MB RAM. The gotcha: automatic bank sync is a separate add-on with its own setup, so out of the box you import transactions manually.
- FreshRSS replaces Feedly and the departed Google Reader — a fast, private feed reader with mobile apps. Budget around 150 MB RAM. The gotcha: set up the cron-based feed refresh, or feeds only update when you happen to open the page.
- BookStack replaces Notion and Confluence for documentation, organized as shelves, books, and pages. Budget around 500 MB RAM on PHP and MySQL. The gotcha: it structures content its own way rather than as free-form notes, which some people love and some find rigid — try it before you commit your whole wiki.
- Home Assistant replaces SmartThings and a dozen vendor apps, unifying your smart home locally. Budget around 1 GB RAM. The gotcha: much of its magic needs local network access to your devices, so it lives more naturally on hardware at home than on a remote VPS — run the dashboard remotely and bridge back if you must.
A representative install
To make it concrete, here is the whole shape of a self-host: a compose file, a real certificate, and a backup. This is Uptime Kuma, but every app on the list follows the same pattern.
services:
uptime-kuma:
image: louislam/uptime-kuma:2
container_name: uptime-kuma
volumes:
- ./data:/app/data
ports:
- "127.0.0.1:3001:3001"
restart: unless-stopped
docker compose up -d
docker compose logs -f
Note the 127.0.0.1: — the app listens only on localhost, and a reverse proxy such as Traefik or nginx terminates TLS in front of it. Binding straight to 0.0.0.0:3001 is how people accidentally publish an unencrypted admin panel to the whole internet.
What NOT to self-host (yet)
- Email. This is the honest one. Outbound port 25 is blocked by most VPS providers — you will see
Connection timed outfromtelnet aspmx.l.google.com 25and there is nothing to fix, it is policy. Even with 25 open, a fresh IP with no reputation, PTR record, SPF, DKIM, and DMARC lands your mail in spam or gets it rejected outright. It is a real, ongoing job, not a weekend. If you are set on it, go in with eyes open using the self-hosted email with Mailcow guide, and expect to babysit deliverability for months. - Anything you cannot reliably back up and restore. If you have never done a test restore, you do not have a backup, you have a hope. Do not put irreplaceable data — the only copy of your photos, your accounts — on a service until its restore is proven.
- Your only copy of a critical dependency. A self-hosted DNS server that, when it crashes, takes your whole network's internet with it is a bad first project. Keep an upstream fallback.
- Real-time safety systems. Home alarms, medical alerts, anything where five minutes of downtime is a genuine problem does not belong on a hobby box you upgrade on Sunday nights.
How to choose your first one, and the two non-negotiables
Pick the app that removes a bill you resent or a privacy worry you actually feel. In practice the best first installs are Vaultwarden and Uptime Kuma: both are tiny, both are immediately useful, and both are forgiving if you make a mistake. Get one working end to end — install, certificate, backup, restore test — before you add a second. The skill you are building is operations, not clicking install.
Two things are non-negotiable on every single app above, no exceptions:
- TLS on everything public. A bare-IP, plaintext service is a demo, not a deployment. Put a real certificate in front of it with Certbot and Let's Encrypt on nginx, or let Traefik do it automatically. Then harden the front door with Fail2ban for SSH on Ubuntu 24.04.
- Backups you have actually restored. Automate a nightly dump — database and data volume together — send it off the box, and once a month restore it onto a throwaway VPS to prove it works. The day your disk dies is the wrong day to discover the backup was empty.
Get those two right and self-hosting is a pleasure. Skip them and it is a countdown.
FAQ
What should I self-host first?
Vaultwarden. A password manager gives you daily value, replaces a subscription, and forces you to learn the whole workflow — Docker, a reverse proxy, TLS, and backups — on an app small enough to rebuild in ten minutes if you break it. Uptime Kuma is a great second, so you find out about outages before your users do.
How much VPS do I actually need?
For one small app, 1 GB of RAM works. For a comfortable "run a handful of things" box, aim for 4 GB — the 2 GB middle is where people hit silent Out-Of-Memory container kills and cannot work out why. RAM is almost always the limit; add disk to match the data you plan to store, and expect Immich, Ollama, and anything with a big database to want the most of both.
What should I not self-host?
Email, first and foremost — outbound port 25 is blocked by most providers and deliverability is a full-time fight. After that, anything you cannot reliably back up and restore, and any single point of failure whose downtime causes real harm, like a DNS server with no fallback or a home safety system. Everything else on this list is fair game.
Do I need Docker for all of this?
No, but you want it. Every app here has a Docker image, and Docker gives you clean installs, clean removals, easy version pinning, and portability to a new host. A few apps (WireGuard, Zabbix) also install natively from apt if you prefer. Once you know one compose file, you know them all, which is why the whole list becomes approachable.
How do I keep it all secure?
Four habits cover most of it: put TLS in front of everything, keep SSH locked down with key-only login and Fail2ban banning brute-force attempts, expose only the ports you truly need publicly and reach the rest over your WireGuard VPN, and update regularly while reading release notes so an upgrade never surprises you. Backups are the fifth habit — they are your recovery when a mistake slips past the first four.