Self-Hosted Analytics with Umami

I can see you, anon.

April 11, 2026

I added analytics to my sites. Not Google Analytics. Not a third-party tracker. Umami, running on my own infrastructure.

The honest reason? I just like data. Charts, graphs, patterns – something about visualising information scratches an itch in my brain. I wanted to see what pages get visited, where people come from, what browser they're using. Not for optimisation or growth hacking. Just curiosity.

For a while I ran ewancroft.uk with zero analytics. The stance was simple: I don't want to be tracked, so why would I track you? But the curious part of me wanted signal. Real data, not guesses from social engagement.

What Umami Does Differently

The analytics industry normalised invasive tracking. Google Analytics is free because you're the product – your visitors' behavioural data gets folded into cross-site profiles. That's the bargain: give us your visitors' data, we'll give you charts.

Umami breaks that:

Self-hosted on my own hardware
No cookies
GDPR compliant – no cookie banner needed
Anonymised IPs
No cross-site tracking
Open source (AGPL-3.0)

What's collected: page URLs, referrer, browser, OS, country. That's it. No user IDs, no fingerprinting, nothing to sell.

The Setup

Umami runs on an old Inspiron 3501 laptop sitting on a shelf in my room. PostgreSQL backend, Caddy reverse proxy, exposed through my Cloudflare Tunnel. The whole thing took about 30 minutes to configure once I found the native nixpkgs module.

The main gotcha was peer authentication. The module uses DynamicUser = true by default, but PostgreSQL peer auth requires the system username to match the database username. Small override and it was working.

Adding the tracking script to each site – ewancroft.uk, docs.ewancroft.uk, malachite.croft.click – was a single line per domain with a unique UUID. I also updated the Content Security Policy on the main site to allow scripts from my analytics domain.

Transparency

The dashboard is public at analytics.ewancroft.uk. Nothing to hide because nothing sensitive is collected. If I were tracking something I didn't want public, that would be a privacy breach for visitors.

Umami respects Do Not Track. Enable it in your browser and nothing gets sent.

The Trade-off

I'm not claiming this makes my sites perfectly private. Embedded content has its own data practices. But for the analytics layer, the part I control, I've made the most privacy-respecting choice available.

The hardware costs nothing – it's repurposed kit that would otherwise gather dust. Moving to a Raspberry Pi 5 soon will drop the power draw even further. No behavioural data. No external parties. Just charts I can stare at when the mood strikes.

Four Days with Letta Code

Tomodachi Life: Living the Dream and Why I Absolutely Love It

infra

website

Ewan’s Blog

I ramble, enjoy.