A Practical Guide to Secure, Cost-Effective Open Source Infrastructure
For growing businesses, SaaS subscriptions can quietly become one of the largest technology budget line items. A team paying for Slack and Dropbox can easily spend hundreds or thousands of dollars per user per year — before storage overages or enterprise add-ons. There is a better way.
Deploying the Applications
DigitalOcean's 1-Click App marketplace pre-configures dependencies and baseline settings. Launching a Droplet takes only a few minutes, but 1-Click is a starting point, not a finished deployment.
🚀 Rocket.Chat — Self-Hosted Team Messaging
- Feature-complete alternative to Slack and Microsoft Teams
- Channels, DMs, video conferencing (Jitsi), file sharing, bots, and a full REST API
- $24/month Droplet (4GB RAM) handles teams under 50 users
- Configure SMTP (Admin → Settings → Email) so password resets and notifications reach users
- Restrict open registration (Admin → Settings → Accounts → Registration → Disabled)
- For larger teams: move MongoDB to a DigitalOcean Managed Database
☁️ Nextcloud — File Sync, Sharing, and Collaboration
- Most widely deployed self-hosted file platform
- Document collaboration (Collabora or OnlyOffice), calendar, contacts, video calls, and a rich app ecosystem
- Point file storage to DigitalOcean Spaces from the start — migrating later is complex
- Switch background jobs from AJAX to system cron (Admin → Basic Settings → Background Jobs)
Production Configuration
Apply these settings to every deployment before going live. They are ordered by priority.
Firewall Rules and SSL
- DigitalOcean Droplets have all ports open by default
- Creating a Cloud Firewall is the single most important hardening step — do this immediately after launch
- Secure every app with a Let's Encrypt certificate via Certbot before going live
```bash
# Firewall Configuration
# 1. Create a Cloud Firewall in the DigitalOcean control panel:
#    Networking → Firewalls → Create Firewall
#    Inbound rules: TCP 80, TCP 443, TCP <your-ssh-port>
# 2. Harden SSH on the Droplet
sudo nano /etc/ssh/sshd_config
#    Set: Port 2222 (or any non-default port)
#    Set: PasswordAuthentication no
#    Set: PubkeyAuthentication yes
# Keep the current session open after the restart until a new key-based
# login on the new port succeeds, so a mistake cannot lock you out
sudo systemctl restart ssh
# 3. Assign the firewall to your Droplet in the control panel
# 4. Install Certbot (Ubuntu + Nginx)
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com
# Verify auto-renewal
sudo certbot renew --dry-run
sudo systemctl status certbot.timer
```
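A check for the SSH settings from step 2, as an added example that is not part of the original guide: `audit_sshd` (a hypothetical helper name) reads effective settings in the format printed by `sshd -T` and reports any that differ from what the guide sets. The keyboard-interactive check goes beyond the guide's three settings, and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against the steps above.
# Input format is that of `sshd -T`: one "key value" pair per line, lowercase keys.
audit_sshd() {
    awk '
        { seen[$1] = 1 }
        $1 == "port" && $2 == "22" {
            print "FAIL port: still listening on default 22"; bad = 1 }
        $1 == "passwordauthentication" && $2 != "no" {
            print "FAIL passwordauthentication: " $2; bad = 1 }
        $1 == "pubkeyauthentication" && $2 != "yes" {
            print "FAIL pubkeyauthentication: " $2; bad = 1 }
        # Beyond the guide: keyboard-interactive (PAM) can still prompt for a
        # password even when PasswordAuthentication is "no".
        ($1 == "kbdinteractiveauthentication" ||
         $1 == "challengeresponseauthentication") && $2 != "no" {
            print "FAIL " $1 ": " $2; bad = 1 }
        END {
            # A setting that never appears in the input cannot be confirmed.
            n = split("port passwordauthentication pubkeyauthentication", req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) {
                    print "FAIL " req[i] ": missing from input"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: effective settings after following the steps above.
sample_hardened() {
    printf '%s\n' 'port 2222' 'passwordauthentication no' \
        'pubkeyauthentication yes' 'kbdinteractiveauthentication no'
}

# Constructed sample: default-style settings before hardening.
sample_default() {
    printf '%s\n' 'port 22' 'passwordauthentication yes' \
        'pubkeyauthentication yes' 'kbdinteractiveauthentication yes'
}

if sample_hardened | audit_sshd; then echo "hardened sample: OK"; fi
if ! sample_default | audit_sshd; then echo "default sample: findings above"; fi
```

On a Droplet, run it against the live configuration with `sudo sshd -T | audit_sshd`.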
Backups
- Enable weekly Droplet backups — off by default, costs ~20% of the Droplet monthly price
```bash
# Backups Configuration
# Enable backups: DigitalOcean control panel → Droplet → Backups → Enable
# Cost: ~20% of the Droplet monthly price
```
Monitoring and Uptime
- Install the DigitalOcean metrics agent to enable CPU, memory, and disk alerts
- Add uptime checks before users rely on the service — free within the control panel
- UptimeRobot provides multi-region checks and a public status page
```bash
# Monitoring Configuration
# Install the DigitalOcean metrics agent
curl -sSL https://repos.insights.digitalocean.com/install.sh | sudo bash
# Set alert policies in the control panel:
#   Droplet → Monitoring → Create Alert Policy
#   Thresholds: CPU > 80%, Memory > 85%, Disk > 80%
#   Notify via: email or Rocket.Chat webhook
# Enable Uptime Checks (free):
#   Monitoring → Uptime → Create Check → HTTP/HTTPS
# Add UptimeRobot (uptimerobot.com) for multi-region checks + status page
```
Networking, Database and Logging
- Use a Reserved IP so the address survives Droplet resizes and rebuilds
- Place all Droplets in a VPC to keep internal traffic off the public internet
- Ship logs to a managed service so they survive a Droplet rebuild and are searchable across servers
- Cap local log file sizes with logrotate to prevent disk exhaustion
```bash
# Networking, Database & Logging Configuration
# Reserved IP — survives Droplet resizes and rebuilds
#   Networking → Reserved IPs → Create → Assign to Droplet
# VPC — keeps internal traffic off the public internet
#   Networking → VPCs → Create VPC
#   Move all Droplets for this project into the same VPC
# Managed Database (Rocket.Chat — MongoDB)
#   Databases → Create → MongoDB → Select plan ($15/mo base)
#   Update Rocket.Chat: set MONGO_URL env var to the managed DB connection string
# Managed Database (Nextcloud — MySQL or PostgreSQL)
#   Update config.php with the new managed DB host, user, and password
# Spaces for Nextcloud file storage (start here — migrating later is complex)
#   Spaces → Create Space → copy endpoint URL and access keys
#   Nextcloud admin panel → External Storage → Add S3-compatible storage
# Centralized logging — forward logs to Papertrail via rsyslog
sudo apt install rsyslog -y
# Replace XXXXX with your Papertrail port. In rsyslog a single @ forwards
# over UDP (unencrypted); @@ selects TCP
echo "*.* @logs.papertrailapp.com:XXXXX" | sudo tee -a /etc/rsyslog.conf
sudo systemctl restart rsyslog
# Cap local log file sizes with logrotate
sudo nano /etc/logrotate.d/apps
#   Directives to set: weekly / rotate 4 / compress / missingok
# Monitor Rocket.Chat MongoDB logs (database errors surface here first)
sudo tail -f /var/log/mongodb/mongod.log
```
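To see which services rely on the Cloud Firewall alone, the following added example (not part of the original guide) lists TCP listeners bound to non-loopback addresses on ports outside the inbound allowlist from the firewall step. `exposed_listeners` is a hypothetical helper and the `ss` output is a constructed sample; 27017 is MongoDB's default port and 3000 is Rocket.Chat's.

```shell
#!/bin/sh
# Added example: flag TCP listeners reachable from outside the host on ports
# the firewall allowlist does not cover. Input is `ss -H -tln` output on stdin.

# exposed_listeners "PORT PORT ..."
# Prints "address port" for each non-loopback listener outside the allowlist.
exposed_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            la = $4                                   # local address:port column
            port = la; sub(/.*:/, "", port)           # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            sub(/%.*/, "", addr)                      # drop interface suffix (%lo)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!(port in ok)) print addr, port
        }
    ' | sort -u
}

# Constructed sample of `ss -H -tln` output on a Rocket.Chat Droplet where
# MongoDB was left bound to all interfaces.
sample_ss() {
    cat <<'EOF'
LISTEN 0 511    0.0.0.0:80     0.0.0.0:*
LISTEN 0 511    0.0.0.0:443    0.0.0.0:*
LISTEN 0 128    0.0.0.0:2222   0.0.0.0:*
LISTEN 0 128       [::]:2222      [::]:*
LISTEN 0 4096   0.0.0.0:27017  0.0.0.0:*
LISTEN 0 4096 127.0.0.1:3000   0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
EOF
}

# Allowlist mirrors the inbound rules: 80, 443 and the SSH port (2222 here).
sample_ss | exposed_listeners "80 443 2222"
```

On a Droplet, pipe live data in with `ss -H -tln | exposed_listeners "80 443 2222"`; anything it prints should be rebound to loopback or a VPC address, or moved to a managed database.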
Dramatic Cost Savings vs. SaaS Alternatives
Cost Comparison — 25-Person Team
SaaS subscriptions vs. self-hosted stack on DigitalOcean
- SaaS: Slack Pro ($7.25/user/month × 25) + Dropbox Business ($15/user/month × 25): $556/mo, $6,672/yr
- Self-hosted: Rocket.Chat Droplet (4 GB RAM) + Nextcloud Droplet + Spaces (2 GB RAM + object storage): ~$42–54/mo, $504–$648/yr
- ~$6,000 saved per year for 25 people; savings that scale as headcount grows