If you run Kubernetes and want a wildcard TLS cert from Let's Encrypt — say *.example.com — you need a DNS-01 challenge. HTTP-01 cannot prove control over a wildcard. That single fact rules out the easy path most tutorials show.

This post is what we actually run at Hostim.dev for our shared *.region.hostim.dev wildcard. We use cert-manager for per-app certs and a plain certbot Ansible playbook for the wildcard. Two different tools for two different jobs. We will explain why, then show the code for both.

Most small teams hit the same question at some point: should we move to Kubernetes? The honest answer for the majority of them is no, but that answer alone is not very helpful. So here is the longer version, with real prices and a clear line where the answer flips to yes.

When you're deploying your own app, the database choice matters more than most people think. It affects performance, ops complexity, backups, and how much memory your server needs.

There are four options you'll run into most often: SQLite, MySQL, PostgreSQL, and Redis. They're not all the same kind of database – and that's the point. Here's when each one makes sense.

Heroku just said it's moving to a "sustaining engineering" model.

That's corporate speak for:

• No big new features
• Focus on stability and security
• No new enterprise contracts
• Maintain what exists

Heroku isn't shutting down.

But it's not a growth product anymore.

I haven't posted updates for a while, but several core features landed on Hostim.dev recently.

Instead of shipping from a fixed roadmap, I'm following support-driven (customer-driven) development: features move to the top of the queue once users actively need them.

Over the past month, this resulted in three practical additions around Docker CI/CD, GitHub Actions deployment, and secure bastion host access.

If you've ever moved a Docker project from a Mac to a Linux server, you've probably hit this error:

Connection refused: host.docker.internal:3000

On macOS and Windows, host.docker.internal is a magic DNS name that resolves to your host machine's IP address. It's incredibly useful for connecting containers to local databases or APIs running outside of Docker.

But on Linux? It doesn't exist by default.

Umami is great. Lightweight, privacy-friendly, no cookies, no tracking drama. We use it ourselves on Hostim.dev, and we ship a one-click Umami template for anyone who wants simple, privacy-focused analytics.

But once you start relying on analytics to make actual decisions, you hit the limits pretty quickly.

When running Kubernetes on Hetzner Dedicated, there is no cloud load balancer. But you can provide public LoadBalancer IPs by attaching a routed IP range to a vSwitch and letting MetalLB announce addresses over L2.

Our setup:

• Calico (VXLAN + WireGuard)
• kube-proxy IPVS with strictARP
• ingress-nginx for ingress traffic

n8n is a popular open-source automation tool – like Zapier, but self-hosted. Here's how to run it on your own VPS using Docker Compose, and expose it securely over HTTPS using Caddy as the ingress proxy.

If you want a broader primer, check out How to Self-Host a Docker Compose App. But you don't need to read it first – this guide is self-contained.

Reverse proxies are the unsung heroes of modern infrastructure. They terminate TLS, route traffic, balance loads, and keep your apps reachable. But which one should you choose? There are four popular options worth comparing head-to-head: Nginx, HAProxy, Caddy, and Traefik. Each comes with its own strengths, trade-offs, and ideal use cases.