
Self-Hosted Agency Stack: FOSS-First Foundations

The opinionated entry point to my self-hosted agency stack: the philosophy, the phased build order, and a deep-dive link for every tool in the archive.


I have run a boutique web agency on a self-hosted agency stack since 2019. Every email, every Git repo, every PDF a client signs, every newsletter, every CRM record, every design file lives on infrastructure I rent in a Hetzner data centre in Helsinki and Falkenstein. No Google Workspace, no Mailchimp, no DocuSign, no Pipedrive, no Figma. The five-figure annual SaaS bill an equivalent agency pays in 2026 lands as a VPS bill of roughly €1,000 a year on my side, and the data my clients hand me never crosses an Atlantic submarine cable to a US-controlled jurisdiction.

This post is the entry point to that stack. It is opinionated, because every choice in it has a real cost on the other side. It is also the table of contents for the rest of this archive, because the deep-dive deployment guide for each tool already exists and I will link to all of them inline. Read it once if you are deciding whether this approach fits your agency. Bookmark it as a phased build order if you have decided yes.

I have also been documenting the build on YouTube since the start, in a series called Building FOSS Digital Agency. The companion video for this overview is embedded below. The series is the shortest version of “how I would do it again from scratch” that I can record.

Why I built my agency on FOSS

The honest answer is margin. A four-person agency in 2019 pays for Workspace, Adobe, Slack, Notion, Pipedrive, Mailchimp, Plausible, DocuSign, Figma, Atlassian, and a handful of single-tool subscriptions nobody remembers signing up for. By the time I added it up I was looking at €1,400 a month in SaaS bills, growing roughly 10% a year because every vendor on that list raised prices annually. The same workload, on FOSS hosted on a Hetzner CPX31 and a CCX22, came out to €58 a month in compute. The hours-per-month operational cost is real. But not five-figures-a-year real.

The second reason is GDPR. By 2024 I had stopped winning EU public-sector and healthcare-adjacent work without a Data Processing Addendum, a sub-processor list, and the ability to answer “which physical box is my data on” with a sentence rather than a paragraph. Self-hosting answers that question structurally. I do not have to interpret a US vendor’s GDPR posture, because there is no US vendor. The data is on a machine I rent under a contract written under German law. That is not a marketing pitch. It is the actual reason three of my five biggest clients chose me over a larger competitor.

The third reason is what I think of as the “you own what you ship” principle. When Notion changed its pricing model in 2022, every team that built a workflow on top of it had to renegotiate it. When Atlassian ended its Server licences, on-prem Confluence customers had a fixed end-of-support window to either re-platform or move to Data Center at a much higher price. None of those events touch a self-hosted BookStack install, because the version I deployed keeps running on the box I deployed it on. The roadmap can stop tomorrow and my workflow is unaffected, with one honest caveat: a project whose roadmap stops also stops shipping security fixes, so “runs forever” is a statement about availability, not about safety, and an abandoned service still has to be fenced off or replaced.

The series on YouTube documents this build phase by phase. It exists because a written guide alone is not enough for the parts that go wrong on camera, and because the SaaS-marketing playbook drowns out the FOSS path on every channel that is not specifically looking for it. If you are reading this, you are already off that channel. Welcome.

The phased approach

The original plan I sketched in 2019 split the build into four phases. Six years on, the same shape still holds, with the names slightly tightened and one more phase added on the front for the foundations.

  • Phase 0, foundations. Domain registrar, server provider, server specs, the local software you need on your laptop before you SSH anywhere.
  • Phase 1, infrastructure. VPN, control panel, container management, email. The load-bearing layer. Nothing else works without these.
  • Phase 2, security baseline. Linux hardening, intrusion detection, Nginx security, WordPress hardening if you host WP sites for clients.
  • Phase 3, collaboration and operations. Files, docs, tasks, monitoring, automation. This is where the agency actually runs day-to-day.
  • Phase 4, communication and marketing. Newsletter, marketing automation, analytics. The outbound surface.
  • Phase 5, client-facing and business operations. CRM, e-signature, design tooling, secret sharing, identity. The systems clients see, directly or indirectly.
  • Phase 6, developer productivity. Browser-based code editor, internal utilities, remote management. The optional layer that pays back if you are technical.

Phases are not strict gates. You can skip phase 4 entirely for the first year if you are not running newsletters yet. You should not skip phases 0, 1, or 2. They are the foundation; everything above them assumes they exist.

Phase 0: foundations (domain, server, software)

The boring layer. Get this wrong and every later step is harder than it should be.

Domain registrar

You need a registrar that supports both custom nameservers and glue records. Custom nameservers are how you point ns1.youragency.com and ns2.youragency.com at servers you actually control, instead of being a tenant on Cloudflare or Squarespace. Glue records are the A/AAAA addresses of those nameservers, published in the parent (TLD) zone next to the NS delegation. They exist to break a circular dependency: a resolver that is told the nameserver for youragency.com is ns1.youragency.com cannot look up ns1.youragency.com without already knowing where youragency.com's nameservers are. Without glue, the delegation dead-ends at the TLD and the domain does not resolve at all.

Most cheap registrars do not support glue records. Check before you buy. Porkbun, Namecheap, and Gandi all support both. I have used Porkbun since 2020 and have nothing to complain about. Whatever you pick, keep the registrar account itself isolated from the rest of your stack: its own credentials and MFA, the transfer lock enabled, and a recovery address that is not hosted on the mail server the domain serves. The registrar is the root of trust for every hostname and every MX record in this stack, so a compromise of your application infrastructure must not be able to move the domain or its nameservers.
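A quick way to prove the glue is actually published, as an added example that is not part of the original post. It asks a TLD server directly and non-recursively, then checks the ADDITIONAL section for an address record of your nameserver, which is exactly the lookup a resolver performs when it walks the delegation. The domain, nameserver names and addresses are placeholders, `dig` is assumed to be installed, and the parser is split from the network call so the constructed samples at the bottom can be checked offline.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the parent (TLD)
# nameservers hand back glue (A/AAAA) for an in-bailiwick nameserver.
# Assumptions: `dig` is installed; youragency.example and its nameservers
# are placeholders, not the author's real domain.

# glue_present DIG_OUTPUT NSNAME
# Returns 0 if NSNAME has an A or AAAA record in the ADDITIONAL section of a
# dig response, 1 otherwise. Parsing is kept apart from the network call so
# it can be exercised on captured output.
glue_present() {
    printf '%s\n' "$1" | awk -v ns="$2" '
        BEGIN { in_add = 0; found = 0; sub(/\.$/, "", ns) }
        /^;; ADDITIONAL SECTION:/ { in_add = 1; next }
        /^;;/                     { in_add = 0; next }
        in_add && NF >= 5 {
            name = $1; sub(/\.$/, "", name)
            if (name == ns && ($4 == "A" || $4 == "AAAA")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# tld_server DOMAIN: one authoritative server of the TLD, via the local resolver.
tld_server() {
    tld="${1##*.}"
    dig +short NS "$tld." | head -n 1
}

# check_glue DOMAIN NSNAME: non-recursive query to a TLD server, then parse.
check_glue() {
    parent="$(tld_server "$1")"
    [ -n "$parent" ] || { echo "no nameserver found for the TLD of $1" >&2; return 2; }
    out="$(dig +norecurse @"$parent" "$1" NS)"
    if glue_present "$out" "$2"; then
        echo "glue OK: $parent returns an address record for $2"
    else
        echo "NO GLUE: $parent returned no A/AAAA for $2; resolvers cannot reach your nameservers"
        return 1
    fi
}

# Constructed sample responses (not captured from a real TLD server).
SAMPLE_WITH_GLUE=';; AUTHORITY SECTION:
youragency.example.  172800  IN  NS  ns1.youragency.example.
youragency.example.  172800  IN  NS  ns2.youragency.example.

;; ADDITIONAL SECTION:
ns1.youragency.example.  172800  IN  A  192.0.2.10
ns2.youragency.example.  172800  IN  A  192.0.2.11

;; Query time: 21 msec'

SAMPLE_NO_GLUE=';; AUTHORITY SECTION:
youragency.example.  172800  IN  NS  ns1.youragency.example.
youragency.example.  172800  IN  NS  ns2.youragency.example.

;; Query time: 21 msec'

# Usage (network required): check_glue youragency.example ns1.youragency.example
if [ $# -eq 2 ]; then check_glue "$1" "$2"; fi
```

Run it against both nameservers after every registrar change; a missing glue record fails silently at the registrar and shows up as a domain that resolves from your laptop (cached) but not from a client's office.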

Server provider criteria

For an EU agency the criteria, in order, are: data processing addendum support, EU jurisdiction, rDNS (PTR) records you can set yourself, outbound SMTP on port 25, and a provider-side network firewall that sits in front of the VPS. Hetzner Cloud meets all five and is the provider I use for everything in this archive, with one caveat on SMTP: Hetzner blocks outbound port 25 on new cloud accounts until you ask support to open it, so schedule the mail server for after that request is through. Most US-headquartered providers do not meet criteria 1 or 2 in a way that actually holds up under an EU client's procurement audit. If you are outside the EU and GDPR does not apply to your client base, the criteria narrow to rDNS and SMTP, which most providers handle.

Server specs (2026 numbers)

The original 2GB / 2GB / 8GB tiering I sketched in 2019 still maps to roughly the same shape. On Hetzner’s 2026 lineup that translates to:

  • CPX11 (2 vCPU / 2 GB RAM, ~€4.50/mo). VPN host. WireGuard, Wirehole, or Mistborn live here. Tiny resource needs.
  • CPX21 (3 vCPU / 4 GB RAM, ~€8/mo). Control panel host. CyberPanel or Enhance for DNS, email forwarding, and any WordPress sites you host directly without containers. (The original plan called for 2 GB; modern CyberPanel with MariaDB needs 4 GB to not swap.)
  • CCX23 (4 dedicated vCPU / 16 GB RAM, ~€32/mo). Docker host. Where everything in phases 3 to 6 lives. The original 8 GB was tight by 2022; 16 GB on dedicated cores is the right tier in 2026.

That is roughly €45 a month for the full stack at boutique scale. Add a CX22 for Mailcow at €4 if you are running your own MX (recommended), and a small object storage volume for backups at €5, and the all-in is still under €60. One sizing caveat on the mail box: Mailcow's own documentation asks for 6 GB of RAM with ClamAV and full-text search enabled, so a 4 GB CX22 only works if you switch those two off, which should be a deliberate choice rather than a surprise. Scale the Docker host up the day you start to feel it.

Required software on your laptop

You need an SSH client and a way to manage keys. I use Termius across Mac, iOS, and the iPad, because the cloud sync between devices is the single feature I value most when I am away from my main machine. It is not open-source and the advanced features sit behind a paid tier, so treat it as a paid productivity tool, not as part of the FOSS budget.

If you want to stay fully open-source: PuTTY plus PuTTYgen on Windows, Remmina on Linux (good for SSH and SFTP in the same UI), and the default Terminal plus an SFTP client like FileZilla or Cyberduck on macOS. Generate an SSH keypair on your laptop before you provision the first VPS, so you can paste the public half into the provider’s UI when the server is created. Saves a step and avoids the small window where the VPS exists with password auth on.

The deep dive on locking down a fresh server lives in Linux server security fundamentals. Read it before you provision anything; the hardening is the same fifteen-minute pass on every server in this stack.

Phase 1: infrastructure layer

This is the load-bearing phase. The four tools below are what every other layer depends on.

VPN. Admin access to the rest of the stack should not be exposed on the public internet. The VPN host is the only box that needs a publicly reachable entry point, and that entry point is the WireGuard UDP port; SSH on every box, Portainer, the Nginx Proxy Manager admin UI, the control panel, and Mailcow's admin interface should listen only on the WireGuard interface or be restricted to the VPN subnet in the firewall. Keep one key-only SSH path as break-glass so a broken WireGuard config cannot lock you out. Three options I have written full deployments for, in increasing order of opinion-on-rails: Wirehole (WireGuard plus Pi-hole, the classic stack), Wireguard Easy (WireGuard with a clean web UI for client management), and Mistborn (a fuller platform with built-in firewall and DNS filtering). I run Wireguard Easy at most agencies because the per-user QR-code workflow is the lowest-friction onboarding I have found.

Control panel. For DNS, email forwarding, and any WordPress hosting outside Docker, you want a control panel rather than hand-rolled Nginx vhosts. I have full installation walkthroughs for CyberPanel (OpenLiteSpeed-based, free, the one I use day-to-day) and Enhance (a modern multi-server alternative that scales horizontally if you grow into a larger hosting business). Pick CyberPanel if you are an agency hosting 10–100 sites; pick Enhance if you are explicitly building a hosting product.

Container management. The Docker host runs everything in phases 3 to 6. Three pieces of glue make it usable in production. Portainer is the GUI that lets you read logs, restart containers, and edit compose files without SSH. Nginx Proxy Manager is the reverse proxy and Let’s Encrypt automation that turns container ports into real domains. Vaultwarden is the password manager that stores the dozens of credentials this stack will accumulate. The full stack with all three together is in Portainer + Nginx Proxy Manager + Vaultwarden.
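The caveat that bites most Docker hosts, as an added example rather than anything from the post's own deployment guide: Docker publishes ports with its own iptables NAT and FORWARD rules, and traffic to a published port is forwarded straight to the container without ever passing the INPUT chain where UFW's default-deny lives, so a `ports: - "9443:9443"` line is reachable from the internet regardless of the firewall. The pattern that fits the VPN-only principle above is that only the reverse proxy publishes 80 and 443 on all interfaces, and every other published port is pinned to 127.0.0.1 or the WireGuard address. The script below audits compose files for mappings that break that rule (short `host:container` syntax only; the long `target:`/`published:` form is not parsed). The image names, the 10.8.0.0/24 VPN range and the sample compose file are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Docker's published ports bypass
# UFW (they are DNAT'd and forwarded, never hitting INPUT), so every
# `ports:` entry on the Docker host must either be the proxy's 80/443 or be
# pinned to a private address. Assumptions: the VPN range 10.8.0.0/24 and
# the sample compose file below are placeholders.

# Host addresses a published port may bind to: loopback or the WireGuard IP.
PRIVATE_BIND_REGEX='^(127[.]0[.]0[.]1|10[.]8[.]0[.][0-9]+):'
# The only ports that may legitimately be published on every interface.
PUBLIC_OK_REGEX='^(80|443):'

# audit_published_ports COMPOSE_FILE
# Prints "file:line: mapping" for each published port that is neither pinned
# to a private address nor one of the edge proxy's public ports.
audit_published_ports() {
    file="$1"
    awk -v re="$PRIVATE_BIND_REGEX" -v pub="$PUBLIC_OK_REGEX" -v f="$file" '
        /^[[:space:]]*#/ { next }
        # Entering a `ports:` list; remember its indentation to know when it ends.
        /^[[:space:]]*ports:[[:space:]]*$/ { in_ports = 1; depth = match($0, /[^ ]/); next }
        in_ports && /^[[:space:]]*-/ {
            m = $0
            sub(/^[[:space:]]*-[[:space:]]*/, "", m)
            gsub(/"/, "", m)
            gsub(/'\''/, "", m)
            if (m !~ re && m !~ pub) print f ":" NR ": " m
            next
        }
        # A line at the same or shallower indentation closes the list.
        in_ports && match($0, /[^ ]/) <= depth { in_ports = 0 }
    ' "$file"
}

# count_unpinned COMPOSE_FILE -> number of offending mappings (0 is clean).
count_unpinned() { audit_published_ports "$1" | wc -l | tr -d ' '; }

# Constructed sample compose file (not the post's own stack definition):
# the proxy is correct, Portainer has one good and one exposed port,
# Vaultwarden is exposed on every interface.
write_sample_compose() {
    tmp="${TMPDIR:-/tmp}/stack-audit-sample.$$.yml"
    cat > "$tmp" <<'EOF'
services:
  proxy:
    image: jc21/nginx-proxy-manager:latest
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:81:81"
  portainer:
    image: portainer/portainer-ce:latest
    ports:
      - "10.8.0.2:9443:9443"
      - "9000:9000"
  vaultwarden:
    image: vaultwarden/server:latest
    ports:
      - "8080:80"
EOF
    echo "$tmp"
}

# Usage: audit_published_ports /opt/stack/docker-compose.yml
# Exits non-zero when something is exposed, so it can gate a deploy script.
if [ $# -ge 1 ]; then
    audit_published_ports "$1"
    [ "$(count_unpinned "$1")" -eq 0 ]
fi
```

Services that only the reverse proxy talks to (Vaultwarden, BookStack, Vikunja and most of phases 3 to 6) do not need a `ports:` entry at all; put them on the same Docker network as Nginx Proxy Manager and proxy to the container name, which removes the exposure instead of merely pinning it.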

Email server. Either run Mailcow yourself, or delegate transactional mail to a provider like Postmark or Mailgun and run only the marketing newsletter sending through a self-hosted box. Running Mailcow is the highest-effort single decision in this stack. The reward is full inbox sovereignty and a DPA-clean MX record. The cost is reputation management, blocklist watching, and the occasional Sunday morning where Hotmail decides your IP needs a 24-hour timeout. I run Mailcow. I would not blame anyone for delegating.
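Blocklist and reverse-DNS watching, as an added example of the checks the paragraph refers to; this is not Mailcow's own tooling. Every major DNSBL is queried the same way: reverse the IPv4 octets, append the list's zone, look up an A record. A 127.x.y.z answer is a listing code, no answer means clean, and Spamhaus uses 127.255.255.x to signal a query error (typically a public or open resolver) rather than a listing, which a naive check would misreport. The second check is forward-confirmed reverse DNS, which the large receivers score before they look at SPF or DKIM. The address, hostname and sample answers are constructed, `dig` is assumed, and the zone names are real public lists but which ones you watch is your call.

```shell
#!/bin/sh
# Added example, not from the original post: the "blocklist watching" chore
# of running your own MX, as a script you can run from cron on the mail box.
# Assumptions: `dig` is installed; 203.0.113.25 and mail.youragency.example
# are placeholders; the DNSBL zones are public lists, pick your own set.

DNSBL_ZONES='zen.spamhaus.org
bl.spamcop.net
b.barracudacentral.org'

# reverse_ipv4 IP -> octets reversed, the label order every DNSBL expects.
# Fails (exit 1) on anything that is not four dotted labels.
reverse_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { print $4 "." $3 "." $2 "." $1; ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# dnsbl_query_name IP ZONE -> e.g. 25.113.0.203.zen.spamhaus.org
dnsbl_query_name() {
    rev="$(reverse_ipv4 "$1")" || return 1
    printf '%s.%s\n' "$rev" "$2"
}

# listed_in ANSWER -> 0 if the answer is a 127.0.0.0/8 listing code,
# 1 if empty, not a code, or a Spamhaus 127.255.255.x error response.
listed_in() {
    printf '%s\n' "$1" | grep -v '^127\.255\.255\.' | grep -q '^127\.'
}

# check_dnsbls IP: one line per zone; returns 1 if listed anywhere.
check_dnsbls() {
    ip="$1"; hits=0
    for zone in $DNSBL_ZONES; do
        name="$(dnsbl_query_name "$ip" "$zone")" || return 2
        ans="$(dig +short A "$name")"
        if listed_in "$ans"; then
            echo "LISTED  $zone ($ans)"; hits=$((hits + 1))
        else
            echo "clean   $zone"
        fi
    done
    [ "$hits" -eq 0 ]
}

# rdns_matches IP HOSTNAME: the PTR must name the host and the host must
# resolve back to the IP (forward-confirmed reverse DNS).
rdns_matches() {
    ptr="$(dig +short -x "$1" | sed 's/\.$//' | head -n 1)"
    fwd="$(dig +short A "$2" | head -n 1)"
    [ "$ptr" = "$2" ] && [ "$fwd" = "$1" ]
}

# Constructed answers for a dry run (not captured from a real list).
SAMPLE_ANSWER_LISTED='127.0.0.2'
SAMPLE_ANSWER_ERROR='127.255.255.254'
SAMPLE_ANSWER_CLEAN=''

# Usage (network required):
#   check_dnsbls 203.0.113.25 && rdns_matches 203.0.113.25 mail.youragency.example
if [ $# -eq 2 ]; then
    check_dnsbls "$1"
    rdns_matches "$1" "$2" && echo "rDNS OK" || { echo "rDNS MISMATCH for $1 / $2"; exit 1; }
fi
```

Point this at a resolver you run (Pi-hole on the VPN host or the Mailcow box's own unbound) rather than a public one: Spamhaus refuses queries from the large public resolvers, and that refusal is exactly the 127.255.255.x case the script filters out.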

Phase 2: security baseline

Security is not a layer you bolt on at the end. It is a baseline you set before anything client-facing lands on the box.

The order I run it in:

  • Linux server security fundamentals. SSH keys, sudo user, password auth disabled, UFW with default-deny inbound. The fifteen-minute pass that turns a fresh VPS from a brute-force target into background noise. Run this before you install anything else on a new box, every time.
  • CrowdSec installation and server protection. Community-driven intrusion detection that watches your auth logs and bans IPs based on shared threat intelligence. The replacement for fail2ban that has a real future. CrowdSec on every Docker host and every WordPress host.
  • CrowdSec WordPress integration. The bouncer that brings CrowdSec’s verdicts into WordPress’s request loop. Stops credential stuffing at the application layer before it hits wp-login.php. Pair this with the next post.
  • Comprehensive WordPress server security guide. The application-layer pass for any WordPress site you host. 2FA on every admin, leaked password protection, pingbacks off, brute-force protection, the lot. The post most likely to save a client account from getting owned.
  • WordPress admin account recovery. What to do when a client locks themselves out, or when an attacker locks them out. Database-level password reset, role correction, MFA bypass via wp-cli. The post you bookmark and hope you never need.
  • Nginx security hardening. TLS configuration, security headers, rate limiting, the production server block I use as a template. The web-facing edge of the stack.
  • The human element in cybersecurity defense. The post that argues the social-engineering surface is the one you cannot patch. Pair every technical hardening pass with a human-element pass for the team.

If you only do three of these, do Linux fundamentals, CrowdSec, and the WordPress comprehensive guide. Between them they cover the surfaces an agency stack is actually attacked through (SSH brute force, credential stuffing against exposed web apps, and WordPress admin accounts) for the least effort per risk removed.
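A verification step for the fundamentals pass, as an added example that is not the script from the linked post: `sshd -T` prints the effective configuration with every Include and Match block resolved, which catches the common failure where /etc/ssh/sshd_config says PasswordAuthentication no and a file under /etc/ssh/sshd_config.d turns it back on. The script checks the handful of settings the pass is supposed to leave behind plus UFW's default inbound policy. Parsing is separated from the live calls so the constructed samples at the bottom can be exercised without root; `--live` runs it against the real box.

```shell
#!/bin/sh
# Added example, not the deep-dive post's own script: verify that the
# hardening pass actually took effect on the running sshd and ufw.
# Assumptions: OpenSSH 8.7 or newer (older releases print
# challengeresponseauthentication instead of kbdinteractiveauthentication)
# and ufw as the host firewall; the sample outputs below are constructed.

# Settings the pass must leave behind, in the lowercase form `sshd -T` prints.
SSHD_REQUIRED='passwordauthentication no
permitrootlogin no
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no'

# audit_sshd_effective TEXT: one "FAIL key: got X, want Y" line per deviation.
audit_sshd_effective() {
    cfg="$1"
    printf '%s\n' "$SSHD_REQUIRED" | while read -r key want; do
        got="$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')"
        [ "$got" = "$want" ] || echo "FAIL $key: got '${got:-unset}', want '$want'"
    done
}

# sshd_failures TEXT -> number of deviations (0 means the pass held).
sshd_failures() { audit_sshd_effective "$1" | wc -l | tr -d ' '; }

# ufw_default_deny TEXT -> 0 if `ufw status verbose` reports deny (incoming).
ufw_default_deny() {
    printf '%s\n' "$1" | grep -q '^Default: deny (incoming)'
}

# Live check; needs root for sshd -T. Returns non-zero if anything drifted.
check_live() {
    sshd_out="$(sshd -T 2>/dev/null)" || { echo "sshd -T failed (run as root)" >&2; return 2; }
    audit_sshd_effective "$sshd_out"
    n="$(sshd_failures "$sshd_out")"
    ufw_out="$(ufw status verbose 2>/dev/null)" || ufw_out=""
    ufw_default_deny "$ufw_out" || { echo "FAIL ufw: default incoming policy is not deny"; n=$((n + 1)); }
    [ "$n" -eq 0 ] && echo "baseline OK"
    [ "$n" -eq 0 ]
}

# Constructed sample output (not captured from a real box), for a dry run.
SAMPLE_HARDENED='port 22
passwordauthentication no
permitrootlogin no
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication no'

SAMPLE_FRESH='port 22
passwordauthentication yes
permitrootlogin yes
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication yes'

# Usage: sh sshd-baseline.sh --live   (run after the hardening pass and from cron)
if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it from cron on every box and alert on a non-zero exit; a cloud-init or package upgrade that drops a new file into sshd_config.d is the usual way a hardened server quietly regains password login.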

Phase 3: collaboration and operations

This is where the agency actually runs.

Nextcloud AIO is the file sync, calendar, contacts, and Office stack. The Google Workspace replacement. AIO is the official packaged distribution and the path of least resistance; install once, get the full feature surface. Every client deliverable I have shipped since 2020 lived on a Nextcloud share before it left.

BookStack is the documentation wiki. Notion and Confluence both work for the same use case; BookStack is the FOSS one that does not need an internet connection to render a page. I use it for client runbooks, internal SOPs, and the per-engagement playbooks that turn into the next contract’s starting point.

Vikunja is the task and project management board. Trello, Asana, ClickUp all do the same job. Vikunja’s specific advantage is that boards, lists, and tasks all import and export cleanly as JSON, so your historical project data does not become hostage to a vendor’s API.

Uptime Kuma is the monitoring dashboard. Pingdom, StatusCake, and Better Uptime all work. Kuma’s pitch is that it ships a status page out of the box that you can hand to a client without paying per-status-page-pricing. Run it on a separate small VPS, not on the box it is monitoring; otherwise you will be the last to know when the box goes down.

n8n is the workflow automation engine. Zapier and Make.com replacements. n8n is where the small daily glue lives: form submissions to Vikunja tasks, Stripe events to BookStack changelog entries, Plausible weekly digests to Listmonk. The agency-specific automation post that builds on n8n and Baserow is at AI WordPress automation with DeepSeek, n8n, and Baserow if you want the production example.

Phase 4: communication and marketing

The outbound surface. None of these are critical on day one. All of them save real money once you are doing more than €5k MRR.

Listmonk is the newsletter platform. Mailchimp, ConvertKit, and Substack all do the same job and charge per subscriber. Listmonk does not. The catch is that you supply the SMTP. Pair Listmonk with Mailcow if you want full ownership, or with Postmark or Amazon SES if you want someone else’s deliverability problem. I run Listmonk plus Postmark for marketing, and Mailcow for transactional.

Mautic is marketing automation: lead scoring, drip campaigns, segmentation. The HubSpot replacement at the marketing-automation layer specifically (HubSpot CRM is replaced separately, see phase 5). Mautic is the highest-touch tool in this list. Do not deploy it unless you have a marketing function that will use it.

Plausible Analytics is the analytics dashboard. Google Analytics replacement, with two clear wins: no cookie banner needed because there are no cookies, and a UI a non-technical client can read without a 30-minute tutorial. Plausible self-hosted is one Docker compose file and a pinned version. The product is so contained that I have never had a Plausible deploy go sideways.

Phase 5: client-facing and business operations

The systems your clients see, sign on, or feel through the polish of the agency.

Perfex CRM is the CRM, project management, and invoicing stack. Pipedrive, HubSpot CRM, and Dubsado all do parts of the same job. Perfex bundles them. It is not the prettiest tool in the stack and the UI feels 2018, but it covers leads, proposals, contracts, projects, time tracking, and invoicing on one self-hosted PHP app. Boring, mature, fine.

DocuSeal is the e-signature platform. DocuSign replacement. Self-hosted DocuSeal is the cleanest deploy in this group; one compose file, one domain, one SMTP. Every contract I sign now goes through it. Clients have never asked why I am not on DocuSign.

Penpot is the collaborative design tool. Figma replacement. Penpot is the only piece in this list where I genuinely think the FOSS alternative has caught up to the SaaS leader since I started this build. SVG-native, real-time multi-user, plugin system. If you do design work in-house, this is worth the deploy.

Stirling PDF is the PDF toolkit. Adobe Acrobat at the agency-grade level. Merge, split, rotate, OCR, redact, sign. Self-hosted, no per-seat licence. Replaces a Cloud subscription that has gotten harder to justify every year.

Cryptgeon is the secret sharing tool. The way you send a one-time-readable password or API key to a client without it sitting in their email forever. The agency-hygiene tool that costs nothing to run and quietly raises your operational maturity bar.

2FAuth is the self-hosted 2FA vault. Authy replacement, Google Authenticator replacement at the team level. Centralises the team's TOTP codes so onboarding and offboarding takes minutes instead of a Friday afternoon. One warning: a vault that holds every team member's TOTP seeds is a single point of compromise for every account behind it. Keep it reachable only over the VPN, give it its own strong login with a second factor it does not store itself, and keep its backups encrypted and off the Docker host.

Authentik is the SSO and identity provider. Okta and Auth0 replacements. Authentik is the layer that lets you log into Vikunja, BookStack, Nextcloud, Portainer, and ten other tools with one account. Deploy it once you are past four or five tools; before that, the per-tool admin overhead is fine.

Phase 6: developer productivity

The optional layer. Pays back hard if you are technical, irrelevant if you are not.

Code-server is VS Code in a browser tab, running on a server you control. The remote-development pattern that lets you open the workspace from any device with a browser, including an iPad, with full extension support. The deploy is small; the workflow change is large. Put it behind the VPN or Authentik rather than a bare password, because a code-server session is an interactive shell on the host for anyone who gets past its login.

IT Tools is the self-hosted “online tools” page. Base64 encode, JWT decode, regex tester, JSON formatter, the hundred small utilities you currently paste into random websites without thinking about where the data goes. Self-hosted, the token or config you paste never leaves your own server.

MeshCentral is the remote desktop and machine-management platform. TeamViewer and AnyDesk replacement. If you support client machines, this is the FOSS tool that does it without a per-endpoint licence.

Immich is the photo and video backup platform. Google Photos replacement. Strictly speaking it is more personal than agency, but it is the tool I most often install on a client’s spare server when they ask “what could you put on this hardware that I would actually use.” The conversion rate to “fine, take the contract” is high.

Kasm Workspaces is the browser-isolation platform. The tool that lets you run a sandboxed browser session for visiting client sites you do not fully trust, or for separating client work from your main browsing profile. Niche but specific.

The hidden costs of running this stack

The honest accounting that nobody markets, because it is not marketable.

Initial setup time. A boutique build from cold takes me about 35 to 45 hours of focused work. That is 1 hour for the VPS hardening pass, 2 hours for VPN, 4 hours for CyberPanel and DNS, 2 hours for the Docker host bootstrap with NPM and Vaultwarden, 6 hours for Mailcow including warming the IP, 3 hours for Nextcloud AIO, 2 hours each for BookStack and Vikunja, 1 hour for Uptime Kuma, 4 hours for Listmonk including SMTP wiring, 3 hours for Perfex, 1 hour each for the smaller tools, plus 6 hours of inevitable debugging across the lot. Those are my numbers after several builds; budget roughly 1.5x that the first time.

Ongoing maintenance. I budget 4 to 6 hours a month across the stack at steady state. That covers Docker image updates (mostly automated through Watchtower with manual pinning for the riskier services), the monthly Mailcow update window, the Nextcloud point releases, OS package updates, Uptime Kuma alert triage, and the occasional “why did Listmonk's queue stall.” Quarterly I add another 4 hours for backup-restore drills and security log review. So 65 to 90 hours a year, all in.

VPS bills. Roughly €60 a month all in for a boutique agency, scaling to €120 if you upgrade the Docker host to a CCX33 once you have a serious self-hosted CRM history and a Nextcloud with real photo libraries. Add €10 a month for offsite backups. Annualised: €840 to €1,560.

The SaaS replacement bill, for comparison. Workspace Business Standard at five seats: €60/mo. Mailchimp Standard at 5k contacts: €60/mo. Figma Professional at five seats: €70/mo. DocuSign Personal at five seats (DocuSign Business is more): €50/mo. Pipedrive Professional at five seats: €170/mo. Notion Plus at five seats: €40/mo. Plausible 100k pageviews: €19/mo. Adobe Acrobat Pro at five seats: €100/mo. Authy / Okta / Auth0: €30+/mo. That is €600/mo without trying, before you add Slack, project management, internal docs hosting, anti-spam, or an analytics extension. Annualised: €7,200 minimum, €12,000 realistic, growing 10% a year.

Net. The self-hosted stack costs roughly 65 to 90 hours and €840 to €1,560 a year. The SaaS stack costs €7,200 to €12,000 a year and growing. The crossover point, where my hourly rate makes it cheaper to pay the SaaS bill, is the SaaS bill minus compute divided by the hours: taking 80 hours and €1,000 as midpoints, that is about €80/hr against the €7,200 floor and about €140/hr against the €12,000 figure, and above that the 10% annual SaaS price growth closes the gap again within a few years.

If you take one piece of advice from this whole post, take this one: do not deploy everything at once. Most failed self-hosting attempts I have seen are deployment graveyards, not configuration mistakes. Three half-configured tools nobody uses are worse than zero tools.

The order I would recommend to a brand-new agency, with the fewest steps to the largest first win:

  1. Hardened VPS. Fifteen minutes, the Linux fundamentals pass. Do this on every server you touch from now on.
  2. Email. Mailcow if you have the patience, otherwise delegate to Postmark or SES and revisit Mailcow in year two. Email is the slowest-moving piece to migrate later, so deciding early matters more than picking the perfect setup.
  3. Nextcloud AIO. Your file sync, calendar, and Office. Two days of “this is faster than Drive” and you will not look back. Deployment walkthrough here.
  4. BookStack. Your internal documentation. Cheap, mature, becomes the second brain of the agency. BookStack deployment.
  5. Vikunja. Task management. The lightweight piece that replaces Trello before Trello replaces your concentration. Vikunja deployment.
  6. Uptime Kuma. Run it on a separate small VPS so it can tell you the main host is down. Uptime Kuma walkthrough.
  7. CrowdSec. Once you are exposing real services, CrowdSec is the next security layer. Pair with Nginx hardening on every public-facing host.

That stack alone replaces roughly €400 of monthly SaaS bills and gets you to a working agency. From there, layer in the rest as actual client work demands it: Listmonk when the newsletter has 200 subscribers, Perfex when you have more than five active engagements, Mautic if and only if you have a marketing function, Authentik when you have more than five tools to log into.

The companion YouTube series

This post pairs with the Building FOSS Digital Agency series on YouTube. The video below is the series intro and walks through the same four-phase shape from the original 2019 plan, on camera, with the actual UI of every provider and tool involved. The follow-up videos cover each phase in order, in the same depth as the deep-dive posts linked above.

The video card renders below the article body. If you prefer reading to watching, every tool has its own deep-dive post linked inline above, and those are the canonical references; the videos exist for the parts where seeing the workflow is faster than reading it.

Closing the loop

I started this build in 2019 because I wanted to know how much of the agency-tools market was real product and how much was vendor lock-in dressed up as convenience. Six years later the answer, on this stack, is roughly 80% lock-in and 20% real product. The 20% is real and worth paying for in some cases. The 80% I run myself, on roughly a hundred euros a month of compute, in a Hetzner data centre under an EU jurisdiction with my name on the contract.

This post is the entry point to the rest of the archive. Every tool above has its own deployment guide; every guide has its own war stories. Pick the three that match your actual day-one workflow, deploy those well, and let the rest wait until a real client need pushes them onto the schedule. The stack you actually use beats the stack you almost finished.
