Skip to content
Get Started

The 10 Best Self-Hosted Docker Apps in 2026

A good self-hosted app for a VPS needs more than a Docker image. It should benefit from staying online or having a stable address, and it should come with an operational cost you understand before it goes on the public Internet.

We picked these apps for technical usefulness rather than GitHub stars, and we have tried to be straightforward about the trade-offs. One habit worth keeping throughout: a public VPS does not mean an app should accept anonymous users. Several entries belong behind authentication, HTTPS, or another access-control layer.

The short list is: Vaultwarden for passwords, Paperless-ngx for documents, FreshRSS for feeds, Forgejo for Git, Umami for analytics, changedetection.io for page monitoring, ntfy for push notifications, SearXNG for private metasearch, Actual for budget synchronization, and linkding for bookmarks.

How these self-hosted apps were selected

We checked every project as of July 19, 2026 against five requirements: active maintenance, an open-source license verified in the canonical repository, an official Docker or self-host installation path, a reason to run continuously on an Internet-connected host, and an operational caveat worth planning around. “Best” here means the app clears those filters and earns its keep on an always-on server, with trade-offs we can explain honestly. The ten apps are listed in no particular order.

Awesome-Selfhosted was the discovery baseline. As of July 19, 2026, it contained 1,249 software entries across 94 categories, including 698 Docker-tagged entries; its GitHub repository had about 306,462 stars when checked. Use the recommended HTML catalog for browsing. The GitHub Markdown list is generated and retained as a legacy interface.

Those numbers describe the catalog as a whole; a listing is a discovery signal, not a security audit or a deployment endorsement. License labels can also lag canonical sources. As of the same July 19, 2026 check, Vaultwarden is listed there as GPL-3.0 although its repository declares AGPL-3.0, while Forgejo is listed as MIT although its canonical Codeberg repository uses GPL-3.0-or-later. Those mislabels are why we verified each license at the source.

Quick comparison

The table describes workload shape rather than invented RAM minimums. A mostly idle service can become busy with many users, aggressive polling, large imports, or long retention.

AppUseDeployment shapeMain VPS pressureBiggest caveat
VaultwardenPassword syncApp container plus reverse proxyDatabase, attachments, securityUnofficial Bitwarden API implementation and a high-value target
Paperless-ngxOCR document archiveApp, broker, database; optional convertersOCR bursts and document storageDocuments are stored in clear text
FreshRSSRSS aggregationPHP app plus supported databasePolling, scraping, retentionSlow or broken feeds need operator attention
ForgejoGit hostingApp plus SQLite or external databaseRepositories, LFS, packages, artifactsActions runners are separate systems
UmamiWeb analyticsNode application plus PostgreSQLEvent ingestion and retentionPostgreSQL is required
changedetection.ioPage-change alertsApp plus optional browser fetcherChromium CPU and memory, outbound requestsDatacenter IPs may be blocked
ntfyPush notificationsGo server with SQLite by defaultRetained messages, attachments, transferPermissive defaults can expose topics
SearXNGMetasearchApp plus Valkey for the limiterOutbound queries and abuse controlStill depends on upstream search engines
ActualBudget syncActual server containerSensitive sync data and backupsIt is a private sync service, not a public portal
linkdingBookmark managementApp with SQLite by defaultArchive snapshots and persistent dataChromium archive image is materially heavier

1. Vaultwarden: password synchronization

Vaultwarden gives individuals, families, and small teams a lightweight sync server for the Bitwarden clients they already use. It is an unofficial implementation of the Bitwarden client API, not a Bitwarden, Inc. product. Choose the official Bitwarden server when exact upstream behavior, formal support, or organizational compliance takes priority.

The current license is AGPL-3.0. Its official installation path supports a single application container through Docker, Podman, or Compose, normally behind an HTTPS reverse proxy. Mobile, desktop, browser, and CLI clients can all reach one stable VPS endpoint without opening a home network.

Treat the server as a high-value target. Disable open registration when it is unnecessary, protect the admin interface and token, enable MFA where appropriate, and keep the image current. Backups need the database, attachments, and configuration rather than a copy of the disposable container. The Vaultwarden Docker tutorial walks through registration lockdown, client synchronization, SQLite-safe backup, and an isolated restore test.

2. Paperless-ngx: searchable document storage

Paperless-ngx watches an inbox, runs OCR, applies metadata, and makes scanned paperwork searchable from different devices. That processing can continue on an always-on VPS while your laptop is offline.

The project uses GPL-3.0. Its official setup guide recommends Docker Compose, with the web application, a Redis-compatible broker, and a database as distinct responsibilities. Current guidance recommends PostgreSQL for new installations. Tika and Gotenberg are optional additions for relevant Office document formats.

OCR and conversion create short CPU and memory bursts, while originals and indexes create lasting storage pressure. The harder issue is trust: Paperless-ngx states that documents are stored in clear text and should not run on an untrusted host. Use authenticated HTTPS, harden the host, restrict administrative access, and encrypt backup destinations. Decide whether the VPS operator, host configuration, and recovery copies are suitable before uploading identity, tax, medical, or legal records. A local server is the safer fit when that trust requirement cannot be met. The Paperless-ngx Docker Compose guide works through PostgreSQL setup, a real OCR acceptance test, and an empty same-version restore.

3. FreshRSS: an always-on feed reader

FreshRSS keeps polling feeds after your personal devices go to sleep. It also synchronizes subscriptions, read state, and favorites across browsers and compatible mobile clients. Publishers that support WebSub can deliver updates directly.

FreshRSS is AGPL-3.0, and the project maintains an official Docker deployment. It is a PHP application with a choice of SQLite, PostgreSQL, MariaDB, or MySQL. Small private installs can keep the shape simple; larger ones can move the database out of the app container.

Feed count, refresh frequency, full-text scraping, and retention drive load. Schedule refresh jobs deliberately, watch slow or failed sources, and avoid hammering publishers. Database and configuration backups matter more than container backups. Use the FreshRSS Docker guide to configure the private first-run path and refresh scheduler.

4. Forgejo: Git hosting for a small team

Webhooks need a reachable endpoint, and Git over SSH or HTTPS benefits from a stable hostname. Forgejo supplies both, alongside repositories, issues, pull requests, packages, and releases for a developer or small team.

The canonical license is GPL-3.0-or-later. Forgejo provides an official container installation and can start with SQLite or use an external database. The server may be modest when traffic is low, but repository history, Git LFS objects, packages, release files, and Actions artifacts can fill NVMe storage much sooner than the web interface suggests.

Forgejo Actions runners are separate from the server. They execute workflow code and need their own isolation, patching, capacity, and trust policy. Do not size the forge as if runners were free background threads. Disable public registration unless you are prepared to handle spam and abuse. The Forgejo Docker guide keeps server deployment separate from runner trust decisions.

5. Umami: web analytics on your own collector

Every site measured by Umami sends events to its collection endpoint. Hosting that endpoint on an always-on VPS gives several sites one reachable collector and one operator-controlled dashboard.

Umami has an MIT license. Its installation guide covers Docker Compose and prebuilt images, but this is not a single-container database-free service. PostgreSQL is required, and current documentation specifies PostgreSQL 12.14 or newer and recommends UTC.

Event volume, data retention, bot traffic, and report queries determine database growth and load. Set retention with storage in mind, back up PostgreSQL consistently, and monitor ingestion rather than judging capacity from dashboard activity. Self-hosting controls where the collector runs; it does not remove privacy, consent, or data-retention obligations. The Umami Docker deployment pairs PostgreSQL backup and restore with a tested reverse-proxy path.

6. changedetection.io: scheduled page monitoring

Price, stock, policy, and content pages rarely change on your schedule. changedetection.io checks them on its own schedule and can send results to browser extensions, notification services, or API integrations. A VPS supplies the continuous scheduler and outbound Internet access.

The project is Apache-2.0, with official Docker and Compose instructions. Basic HTML fetches are relatively simple. JavaScript-heavy targets may need WebDriver, Playwright, or the recommended browser service, which adds Chromium processes and much more variable CPU and memory use.

Network behavior is often the limiting factor. Target sites may rate-limit or block a data center IP, and more compute will not fix that. Set sensible intervals, respect target policies, and do not turn the service into an aggressive scraper. If optional AI summaries are enabled, monitored content is sent to the configured external AI provider, so review that data flow before using it on private pages. Start with the plain HTTP fetcher in the changedetection.io Docker Compose guide and add browser automation only when a target requires it.

7. ntfy: HTTP push notifications

A backup job can send one HTTP request to ntfy, and a subscribed phone or browser can receive the result. The same small interface works for cron, CI, monitoring, and home automation. Hosting it on a VPS makes it reachable across otherwise separate networks.

ntfy is dual-licensed under Apache-2.0 and GPL-2.0. The official self-hosting guide supports a compact Go server, with SQLite used by default for persistence.

The easy publish model can also be dangerously open. A guessable topic name is not access control. Configure authentication, deny-by-default permissions where appropriate, HTTPS, rate limits, and persistent volumes. Retained messages and attachments consume disk and monthly transfer. Default SQLite storage is single-writer, so it should not be presented as a horizontally scalable cluster. The ntfy Docker guide starts from a closed access policy.

8. SearXNG: private metasearch with external dependencies

SearXNG aggregates results from multiple search sources; it does not build an independent web index. A private VPS instance keeps the interface and its preferences available across your devices.

SearXNG uses AGPL-3.0, and the project publishes an official container installation. Run it as an authenticated private service. An unrestricted domain invites bot traffic, raises the chance that upstream engines classify the VPS address as abusive, and may violate a provider’s acceptable-use rules.

Queries still go to upstream engines. Those services can return CAPTCHAs, throttle requests, or block data center IPs, so self-hosting does not remove the external dependency. The official limiter uses Valkey and helps control inbound bots, but it cannot guarantee acceptance by an upstream provider or replace access control. The private SearXNG Docker Compose deployment puts Caddy authentication in front of Valkey-backed limiting and exact trusted-proxy handling.

9. Actual: private budget synchronization

Actual is local-first, but its server lets devices and users synchronize a budget without leaving one laptop online. End-to-end encryption is optional, requires a second password, and must be enabled separately for each budget. The VPS is a private sync endpoint, not a public finance portal or a business accounting system.

Actual has an MIT license and an official Docker installation path. Put the server behind a correctly configured reverse proxy with HTTPS, enable authentication and end-to-end encryption for each budget, keep it updated, and test backups. Exposing its raw application port is not a finished deployment.

Financial records increase the cost of a weak setup. Protect credentials, restrict access where practical, and verify that a restored server can reopen and synchronize the budget. Bank-sync tokens are stored separately from budget data and are not covered by Actual’s end-to-end encryption; a server administrator or hosting provider with database access can read them. If your only device already provides enough local-first functionality, the extra Internet-facing service may not be worth maintaining. In the Actual Budget Docker Compose guide, server login, optional budget E2EE, two-client sync, and full-state recovery remain distinct tests.

10. linkding: centralized bookmarks

Bookmarks become more useful when the same searchable collection follows you between browsers and devices. linkding provides that endpoint for extensions, a bookmarklet, REST clients, and mobile apps. It is small enough to operate without turning bookmark capture into an infrastructure project.

The project is MIT-licensed. Its installation guide covers Docker, Compose, user creation, persistent storage, and reverse-proxy setup. SQLite is the default and PostgreSQL is available.

The basic deployment is straightforward, but the latest-plus image adds Chromium-based page archiving. That image is larger, browser processes use more memory, and saved snapshots make disk consumption grow with the collection. Back up the persistent database and archived assets rather than the replaceable container. If full archival is the primary job, a dedicated archive system may be a better fit than turning every bookmark into a snapshot. The linkding Docker Compose guide combines a private administrator bootstrap with application backups, isolated recovery, and tested egress blocks.

Home Assistant is usually most useful near local radios, sensors, and household devices. A VPS can host parts of the stack, but moving the primary controller away from the LAN adds dependence on the Internet path and complicates local hardware access.

Pi-hole and AdGuard Home are DNS resolvers first. Running one on a VPS can work only for clients reached through a deliberately restricted private-access design, but exposing an open recursive resolver is an abuse and amplification risk. A VPS-first recommendation needs complete access controls and resolver safeguards, not a public port 53 recipe.

Jellyfin and Immich are dominated by media storage, upload and download transfer, thumbnail or transcoding work, and sometimes GPU requirements. A storage-oriented home server or dedicated media host is often a better match than a general-purpose VPS with a monthly transfer quota.

Nextcloud can run well on a VPS, but it brings a larger operations footprint: database tuning, caching, background jobs, upgrades, file locking, storage growth, and recovery planning. It deserves a dedicated architecture guide rather than a casual place in a compact VPS-first list.

Shared deployment rules

Put each public web interface behind a maintained reverse proxy with valid TLS. Bind internal application and database ports to localhost or a private container network. Disable open registration unless it is intentional, use unique credentials, and enable MFA where the app supports it.

Container updates still require judgment. Pin stable versions or review release notes before automated updates, and keep a rollback path. Back up application data, databases, uploads, encryption material, and configuration. A running container does not prove that its data can be restored.

Watch disk growth in the places each app creates durable data: document originals, Git objects, analytics events, notification attachments, and page archives. Observe real CPU and memory use during OCR or browser automation before setting tight container limits. Apps that fetch arbitrary URLs also need outbound controls and protection against requests to internal metadata or private services.

Choosing VPS resources and location

Application count is a poor sizing metric. Workload shape, concurrency, retained data, and failure tolerance matter more. A few mostly idle private services behave differently from PostgreSQL analytics ingestion, document OCR, Chromium fetchers, or an Actions runner, even if both deployments contain the same number of containers.

For a few of the lighter services here, our Premium plan (2 vCPU, 4 GB RAM, 40 GB NVMe, 1 TB monthly transfer) is a comfortable starting point. Add heavier jobs such as OCR, Chromium fetchers, or analytics ingestion and Ultra (2 vCPU, 8 GB RAM, 80 GB NVMe, 2 TB) buys useful headroom, while Max (4 vCPU, 16 GB RAM, 160 GB NVMe, 4 TB) suits a fuller stack. Measure the heaviest jobs, watch how durable data grows, and keep an eye on monthly transfer if you host analytics collection, attachments, package hosting, or large Git operations.

Every plan includes daily backups, a 1 Gbps port, and full root access. Our VPS plans are unmanaged, so you run Linux, Docker, TLS, and the applications yourself and keep full control. Treat the daily backups as a safety net: pair them with application-consistent database dumps, off-server copies, and the occasional restore test.

Choose Tokyo or Singapore based on the people, websites, and upstream APIs that will use the service. If your users are in mainland China, it is worth a few minutes on the Tokyo Looking Glass and Singapore Looking Glass from their access networks. We carry the three major mainland carriers over CTGNet (formerly China Telecom CN2 GIA, AS23764 / AS4809), China Unicom Premium (CUP, AS9929 / AS10099), and China Mobile International N2 (CMIN2, AS58807), and the best judge of any route is a test of the actual path at the hours that matter to you.

When you have a feel for the workload, compare it against Riven Cloud pricing. Start with the service whose failure you can recover from, confirm its backup restore, then add the next one. An app earns its place when its always-on benefit is worth its biggest caveat.

Share