from kusunoki@lemmy.world to selfhosted@lemmy.world on 11 Apr 09:08
https://lemmy.world/post/45460548
I am a Certified Public Tax Accountant (Zeirishi) and financial planner in Japan, specializing in international taxation and transfer pricing. I am also a member of IFA (International Fiscal Association). I have a parallel background in IT — from early microcomputer programming through enterprise ERP implementations.
Last year I sat down and added up what my small practice was paying for SaaS: cloud storage, document collaboration, AI assistants, calendar, email, remote desktop, monitoring. The number was $163 per user per month. I was paying for convenience — but I was also paying for dependence. I could not verify the security architecture. I could not audit the data flow. And every year, the invoices went up while the control went down.
I decided to see whether I could build a self-hosted, zero-trust replacement that I actually understood and controlled — and that any solo practitioner or small firm with 3 to 10 employees could deploy by following a guide.
This is what I ended up with. It runs in production on real client work every day.
The Stack
- VPS: Vultr, $24/month, Ubuntu 24.04 LTS
- Zero-trust access: Cloudflare Zero Trust (free tier) — 2 open ports only (80/443), no VPN, no exposed SSH, no third-party tunnels
- Private cloud + real-time editing: Nextcloud + Collabora Online
- Four AI secretaries: A unified proxy routing to ChatGPT, Claude, Gemini, and Perplexity — each selected for a distinct strength. Claude for contracts and editorial precision. Perplexity for source-cited research. ChatGPT for general reasoning and coding. Gemini for structured data and integration. One authenticated portal, four specialized capabilities. Additional providers can be added by extending a single configuration file.
- An AI butler: OpenClaw — an agentic automation layer that does not merely answer questions but executes multi-step tasks on instruction. Morning briefings, email-to-task conversion, weekly summaries, file organization. It operates under strict standing rules: all email actions produce drafts only, filesystem access is compartmentalized, and no action is taken without human confirmation.
- Remote desktop: Apache Guacamole — browser-based RDP through 5 authentication layers (WARP encryption → Cloudflare Access OTP → TLS tunnel → Guacamole auth → Windows login)
- Monitoring + alerting: Prometheus + Grafana + Alertmanager — the system watches itself and notifies you before problems become incidents
- Triple-redundant backups: Nightly DB to Supabase (PostgreSQL-to-PostgreSQL, zero format conversion) + weekly AES-256 encrypted full config archive + 30-day retention with documented 2-hour restore procedure
8 security layers: WARP encryption → Cloudflare Access (OTP) → TLS tunnel → UFW (80/443 only) → fail2ban → sysctl hardening → localhost-only service binding → application-level authentication
Who This Is For
This stack is designed for solo practitioners and small firms — accountants, lawyers, consultants, advisors — with 3 to 10 employees. It scales within that range without architectural changes. If you are comfortable following step-by-step instructions in a terminal, you can build this. No DevOps background is required.
The Migration: SaaS → Zero Trust Self-Hosted
What you gain:
- Cost control. No per-user pricing that compounds as you grow. The VPS cost is fixed. AI costs are usage-based and capped at your discretion.
- Data sovereignty. Client data resides on infrastructure you control. It does not pass through third-party SaaS pipelines you cannot audit.
- Architectural transparency. Every configuration file, every security layer, every network rule — you can read it, verify it, and change it.
- Independence. No vendor can alter your pricing, discontinue your plan, or change terms of service beneath you.
What you accept:
- Operational responsibility. There is no vendor to call at 2 AM. You maintain the system. The monthly checklist (13 items, ~30 minutes) and the emergency runbook (7 scenarios) exist precisely for this reason.
- Initial time investment. The full build takes approximately 16–24 hours spread across two weekends. This is a one-time cost. After that, monthly maintenance is under one hour.
- A learning curve. You will work in a terminal. The guide explains every command and every expected result, but you must be willing to follow it carefully.
The Cost Comparison
Initial investment:
- VPS setup: $0 (hourly billing, cancel anytime)
- Cloudflare Zero Trust: $0 (free tier)
- All software: $0 (open source)
- Domain name: ~$12/year
- Your time: 16–24 hours (one-time)
Monthly running cost (3–8 person team):
| Component | Cost |
|---|---|
| VPS (Vultr) | $12 (starter) / $24 (recommended) / $48 (growth) |
| Cloudflare | $0 |
| Supabase backup | $0 (free tier) |
| All software | $0 |
| AI API usage (moderate, 3 users) | $15–35 |
| Total | $35–50/month |
Equivalent SaaS for 3 users:
| Component | Cost |
|---|---|
| Cloud storage + collaboration (Google Workspace) | $36/month |
| AI subscriptions (4 providers) | $240+/month |
| Remote desktop (TeamViewer) | $45/month |
| VPN / zero-trust access | $30+/month |
| Monitoring (Datadog/UptimeRobot) | $45+/month |
| Total | $400+/month |
5-year savings estimate: $36,900–$48,900.
OpenClaw: The Butler — Used Safely
OpenClaw deserves specific discussion because it is both the most powerful and the most carefully constrained component in this stack.
CVE-2026-25253 (CVSS 8.8, High) and the ClawJacked attack class are real. Over 42,000 public instances exist, and approximately 36% (15,200) remain vulnerable. This stack specifies OpenClaw ≥2026.1.29 (patched) and adds three architectural defenses:
- Localhost-only binding. OpenClaw listens on 127.0.0.1 only. It is never reachable from the internet.
- Cloudflare Tunnel authentication. Even reaching localhost requires passing through Cloudflare Access OTP — an attacker would need to compromise your email account first.
- UFW port restriction. Only ports 80 and 443 are open. There is no path to OpenClaw from the outside.
The standing rules enforce behavioral constraints: all email actions produce drafts only (never autonomous sending), filesystem access is restricted to designated working directories, and every action requires human confirmation before execution.
The question is not whether the tool has risk. Every tool with real capability has risk. The question is whether the architecture contains that risk. This one does.
Four Secretaries, One Portal
The AI proxy is approximately 100 lines of Node.js. It routes requests to four providers through a single authenticated endpoint. API keys live in a .env file on the server and never reach the browser.
Each provider was selected for a distinct role:
- Claude — contracts, editorial review, nuanced prose
- Perplexity — source-cited real-time research
- ChatGPT — general reasoning, coding assistance, analysis
- Gemini — structured data, spreadsheet logic, integration tasks
This is not a limitation. It is a deliberate design. Four specialists outperform one generalist. And if a fifth provider emerges that serves your needs, adding it requires extending a single route in the proxy — fewer than 20 lines of code.
The spending rule: set a hard cap per provider before your first API request. $20/month each. Total maximum exposure: $80/month. Realistic spend for a 3-person team: $15–35/month.
The Guide: DIY from Start to Finish
I wrote a free five-part series that covers the entire build. Every command. Every configuration file. Every decision point. Every place where I made a mistake, so you do not have to.
If you follow Parts 1 through 5 and the operational appendices in sequence, you will finish with a complete, production-grade system — without needing to consult external documentation or fill in gaps from other sources.
| Part | What You Build |
|---|---|
| Part 1 | Architecture overview, cost analysis, security model, threat assessment |
| Part 2 | VPS provisioning, Cloudflare Zero Trust, UFW, fail2ban, sysctl hardening |
| Part 3 | Docker, Nextcloud, Collabora, AI proxy, OpenClaw, CalDAV, email, backups |
| Part 4 | Guacamole, accounting API integration, Prometheus, Grafana, Alertmanager, AES-256 encrypted backups |
| Part 5 | Full operations manual: LLM proxy code, OpenClaw workflow templates, monthly/annual checklists, emergency runbook (7 scenarios), AI spending audit |
Build time: approximately 16–24 hours across two weekends.
All five parts are published and free. No paywall. No signup. No follow-up sequence.
A Few Things I Learned
- Cloudflare Tunnel eliminated the need for a VPN entirely. Two ports open, everything else invisible. This was the single biggest simplification.
- The hardest integration was not the AI proxy — it was getting Collabora’s
aliasgroupconfiguration to work correctly with Cloudflare’s TLS termination. - OpenClaw’s CVE is a serious concern, but the architectural defense — localhost-only binding plus tunnel authentication — neutralizes it structurally. Do not deploy it without understanding the risk.
- The most underrated component is Supabase as a backup target. PostgreSQL-to-PostgreSQL with zero format conversion.
- The real transformation was not technical. It was organizational. Four AI secretaries with defined roles and one butler with strict standing rules changed how I work every day. The system stopped being infrastructure and became a team.
I would be grateful for any feedback from this community. If you see something I could improve, or a better approach to any part of this stack, I would genuinely like to hear it.
threaded - newest
.
Certainly interesting. I’d recommend you to take a look at Mistral AI (“Le Chat”), they’re a European company and far more trustworthy in terms of data security and privacy (GDPR and such) than US products. Their models are all available for self-hosting which might provide more flexibility in the future in terms of self-hosting and their web service doesn’t try to aggressively extract every data point from you (although you perhaps circumvent that with the proxy anyway). In my personal experience it’s also more likely than e.g. ChatGPT to admit when it doesn’t know something (or ask for specific data it needs) instead of making shit up, but I don’t have definitive data for that claim.
Of course I don’t know how well it works in Japanese or from Japan, if you try let me know! 🙂
Thank you for this recommendation — Mistral is a name I should have included in my evaluation, and I appreciate you raising it.
The GDPR compliance and the availability of self-hostable models are both significant advantages, particularly for professionals handling client data under strict regulatory obligations. The proxy architecture is designed to be provider-agnostic — adding Mistral (or any provider with a chat completions API) would require fewer than 20 lines of code. So this is genuinely practical advice, not just theoretical.
Your point about hallucination behavior is also interesting. In tax and legal work, a model that says “I don’t know” is far more valuable than one that sounds confident while being wrong. I will test Le Chat against my usual evaluation prompts and see how it performs.
I cannot speak to Japanese language performance yet, but I will report back if I try it. Thank you again — this is exactly the kind of suggestion I was hoping for when I posted here.
One more thing I should’ve mentioned: It’s important to make a (free) account if you try it. Although they still offer a chat interface without it, that interface is then connected to one of their very small models and lacks the “Thinking” feature (same as ChatGPT’s “Reflection”). Not very useful in most cases and more of an appetizer.
Good to know, thanks for the heads-up. I’ll make sure to note that when I test it. The “Thinking” feature is exactly the kind of thing I’d want for tax research queries anyway.
This reads like it’s written by OpenClaw?!
Aha?
Ah a 4 part series in 5 parts with one part missing?
I don’t think the layers build on top of each other. That’s just random things all shoehorned in. One firewall is enough to block 100% of packets, you don’t really need 3 to do the very same thing. And then delegate it to Cloudflare anyway.
And now you got zero security layers. And I bet your API bill will be way more than 3-5 inference runs per day with that.
What do you need RDP for?
Please(!) don’t do “backups” like that. Learn how to do Docker and what makes sense in that environment, how to backup your databases. And the need to keep backups somewhere that’s not just the same harddisk. And do test them. And you should really consider following the 3-2-1 rule if this is your company’s data or you rely on it as a freelancer.
Thank you for taking the time to read this carefully and push back. Several of your points are fair, and I want to address them honestly.
“Written by OpenClaw”
It was not. But I understand why the prose style raised that question. I am a non-native English speaker who writes carefully — which can sometimes read as overly polished. I will take that as a signal to write more conversationally in future posts.
“All open-source” is overstated
You are right, and I should not have used that framing. The infrastructure layer is open-source (Nextcloud, Collabora, Guacamole, Prometheus, Grafana). The AI providers are proprietary commercial APIs — and they do send bills. Cloudflare’s free tier is proprietary. The accounting integrations are proprietary SaaS. I should have written “open-source infrastructure with commercial API integrations” rather than implying everything is open-source. That is a fair correction.
Security layers
I understand the skepticism. You are correct that UFW alone blocks inbound traffic. The rationale for listing eight layers is defense-in-depth — each addresses a different failure mode, not the same one. Cloudflare Access handles identity (OTP). The tunnel eliminates port exposure entirely. UFW is the fallback if the tunnel fails. fail2ban handles brute force against SSH (which is key-only but still targeted). sysctl hardens the kernel network stack. They are not eight firewalls — they are eight different controls at different points in the path. Whether you count them as “layers” or “controls” is a fair debate, and I respect the pushback on the framing.
Guacamole / RDP
The guide targets small professional firms (accountants, lawyers) where staff have Windows desktops at the office with licensed software that cannot be moved to the cloud — QuickBooks Desktop, industry-specific applications, licensed design tools. Guacamole lets them operate those machines from home through a browser without exposing RDP to the internet. For a purely cloud-native team, it is unnecessary.
Backups
This is the point I want to take most seriously. The guide includes three backup mechanisms: nightly PostgreSQL dump to Supabase (offsite, different provider), weekly AES-256 encrypted full config archive (local + offsite), and Nextcloud’s own file versioning. The 2-hour restore procedure is documented and tested.
That said — you are right that the post does not mention the 3-2-1 rule explicitly, and it should. The architecture functionally follows 3-2-1 (three copies, two media types, one offsite), but I did not frame it that way. I will update the guide to make this explicit. Thank you for raising it.
I appreciate the scrutiny. This is exactly the kind of feedback that makes the guide better. If you see other areas that need correction, I am genuinely interested.
The response also sounds very AI generated … Not the non-native thing (I am not a native speaker too) but generally. The block of text, topics and … Em dashes. Troll?
Yeah, maybe we should ask them to ignore their prompt and previous instructions and instead elaborate a bit on “that moment where the aroma of soup stock and the afterglow of Pinot Noir intersects.” from their note.com profile. Just to prove they’re human.
Ha, fair enough. I understand why it reads that way.
Let me be direct about how I work. I leverage AI extensively. My daily practice runs on four AI secretaries and one AI butler. That is the whole point of the system I built. I draft with AI assistance, I research with AI assistance, I edit with AI assistance. That includes these responses.
But leveraging AI is not the same as delegating to AI.
If you read the guide carefully, you will notice one phrase that appears again and again, almost to the point of being annoying: “The human decides.” Every initial data entry, every final verification, every irreversible action is performed by a human. That is not a disclaimer I added for legal protection. It is the operating principle I follow every day, because AI gets things wrong. Frequently. The technical term is hallucination, but in my profession the practical term is liability. When Claude drafts a tax memo, I read every line before it leaves my desk. When OpenClaw organizes files, I check the result before I confirm. The AI amplifies my capacity. It does not replace my judgment. The moment it does, I am no longer a professional. I am a forwarding service.
Everything published under my name is reviewed, verified, and approved by me personally. The responsibility is mine alone. Not the AI’s. Not the platform’s. Mine.
As for OpenClaw, I notice several comments expressing concern about it. I understand. It is a powerful tool, and powerful tools make people uncomfortable. But a kitchen knife is also a powerful tool. The question is never whether the knife is dangerous. The question is whether the person holding it understands what it can do, and whether the kitchen is designed so that it stays where it belongs. OpenClaw in this stack is bound to localhost, behind tunnel authentication, with filesystem access restricted to designated directories, and standing rules that prohibit any autonomous action without human confirmation. The knife is sharp. The drawer is locked. And the cook knows what he is doing.
So no, not a troll. Just a Japanese accountant who takes both his tools and his responsibilities seriously, and whose English carries the fingerprints of the AI secretaries he works with every day. I consider that a feature, not a flaw.
Thanks for the honesty. I genuinely appreciate it.
I agree with you about leveraging ai. It didn’t seem like it from reading this post. I clicked through to the article and the stock photo was so embarrassingly generic and AI alike I left immediately.
I don’t think everything about ai Is evil unlike other people here but this takes it too far for my taste.
This whole comment thread raised my electric bill by $.02/kwh
I don’t give a shit if you use AI or not to translate from one language to another. Sounds to me like a perfect use of AI. Assuming you are of Japanese origin (‘financial planner in Japan’), I would find it quite difficult to translate from English to Japanese and still sound coherent. I have always wanted to learn tho, even if it’s just enough to order my authentic sushi and call it in it’s native tongue and impress my very competent sushi chef. It’s a fascinating language to me. However, in the future, it would be beneficial to you if you deleted all of these: ‘—’. They are a literal ‘fly in the ointment’ around these parts. I personally don’t run business apps in the cloud, so the article content, tho an interesting read, probably doesn’t really apply to me.
Thank you for sharing.
Yeah, I think the em-dashes are alright. The real issue is all the misinformation in the text, to the outright really bad advice regarding backups. And security. If anyone follows this tutorial, they’re bound to get burned. Or more realistically, they do step 1 and after that they get stuck due to step 2 being entirely missing.
I’d say chances this is a person from Japan is slim to none. It’s the AI’s persona roleplaying as an anime character.
Initially, it didn’t seem as if most weren’t focusing on that. It was the fact that AI was involved…somehow, which prompted my tongue in cheek ‘delete the em dashes’ comment. If there is misinformation, like the opensource of AI, sure by all means, point that out. I mean, unless the mods make a ‘no-AI rule’ which would seem almost impossible to determine with a bit of rewording and editing of an AI generated text, then they will come. It didn’t seem to fit into the ‘low-effort’ rule. So, I wonder what would happen if no one responded and just ignored the thread until the mods made a decision. I scroll right by plenty of threads. A good tongue lashing by the users here doesn’t seem effective at all.
I have no way to confirm that. On the internet, no one knows I’m a horse. Hell, even in real life, you really never know a person. You just know what they let you know.
If you’re not using AI to generate these responses and the original post, then you’re spending too much time replying to people.
No one needs 10 paragraphs of anything.
I’m glad it smelled as suspect to someone else.
Its threads like this that make me glad that these people are running around making infinite work for me to be doing, fixing the messes these people are making.
Alas, noody wants to pay for the work to be done
The world is full of clowns and I don’t want to be in their circus any more
Hmmmh. I think you better find a way to deal with it, mentally. That circus isn’t going to go away.
I wish people would pay more attention. I think it’s a bit sad an article like this always gets dozens of upvotes anyway.
Eventually the circus has to go away because the cost of tokens is too high - its literally cheaper to train software developers.
Also, the cost to business from having business-continuity-ending events is gonna eat some of these businesses.
Cost? Just do away with your bills and do it on a $24 Vulture VPS 🥹😂
Ha. Eventually, the bottom will drop out the market as low-cost NPUs pick up the model running. A good enough open model will emerge and there wont be a market for a paid model.
We’re already kinda seeing it on the hardware side. Eventually it’ll all dissolve into the hardware like how MPEG2 decode hardware for DVDs was once upon a time an expensive addon accellerator card, but is now fractions of a square mm of gates laid out as part of a larger assembly within the silicon of your GPU.
There’s a multitude of reasons any business with critically important data to their customers (lawyer, accountant, etc as you mention) should not roll their own system to save a couple hundred dollars a month…
True that it needs some expertise regarding security and backups but If it’s in the cloud aka someone else’s computer it’s with the NSA and all their friends and that is hardly better.
This is a fair and important challenge, and I do not want to dismiss it.
You are right that for many firms, managed services with professional SLAs, dedicated security teams, and compliance certifications are the responsible choice. A solo practitioner or small firm that lacks the technical capacity to maintain infrastructure should not self-host critical systems simply to save money. The cost saving is real, but it is not the primary argument.
The argument is about control and verifiability.
In my profession, I carry fiduciary liability for client data. When that data resides on a third-party SaaS platform, I am trusting their security architecture — which I cannot audit, cannot verify, and cannot modify. Their terms of service grant them rights over my data that I would never grant to a colleague. When a breach occurs on their side, the regulatory liability still falls on me.
Self-hosting does not eliminate risk. It transfers the responsibility from a vendor I cannot oversee to an architecture I built, documented, and can verify line by line. Whether that trade-off is appropriate depends entirely on the individual’s technical capacity and willingness to maintain what they build.
The guide is explicit about what this requires: a monthly maintenance checklist (13 items, ~30 minutes), an annual review (8 items, ~90 minutes), and a tested emergency runbook for seven failure scenarios. It is also explicit about what it does not provide: there is no vendor to call, no SLA, and no customer support. That responsibility is yours.
I wrote the guide so that the barrier is knowledge, not gatekeeping. But I would never suggest that every firm should self-host. For many, the right answer is a well-chosen managed service. For those with the capacity and the motivation, this is an alternative that exists and works.
Thank you for raising this — it is a point the guide should address more directly, and I will consider adding a “Is this right for you?” section.
And which was designed by and is operated by dedicated teams of professionals.
Which you are not.
Which would you find easier to explain to a judge - that your client data was part of a larger Google breech and attack or that your bespoke home grown system was misconfigured?
Why does this read as if you copied and pasted a LLM response?