Nicholas Clooney

Private Analytics With Umami, Docker Compose, and Ansible

I wanted first-party analytics on my blog without handing traffic data to a SaaS vendor. Umami checked every box: open source, self-hostable, and friendly to privacy. I already keep a small VPS online 24/7, so dedicating a slice of that machine to Umami felt like a perfect fit.

Why Umami (and Why Now)

Analytics turned into a blind spot once I shut off the usual trackers. I needed something:

  • Self-hosted so the data never leaves my infrastructure.
  • Lightweight enough to run on the same box as the rest of my services.
  • Friendly to my workflow — ideally managed by Ansible like everything else.

Umami ships as a simple Node app that stores data in Postgres. The official docs make it easy to run it locally or in the cloud, but I wanted a repeatable, production-ready setup that I could test on my Mac and deploy with Ansible in one go.

A Quick Umami Primer

If you haven’t met it yet, Umami is an open-source analytics platform that mirrors the basics of Google Analytics without the bloat. It’s a Node application with a Postgres backend, emits a tiny <script> snippet for your sites, and exposes a slick dashboard to explore the data. No third-party cookies, no hidden trackers — just a straightforward way to see who’s visiting.

Deployment Paths I Considered

There are three obvious ways to stand Umami up:

  1. Install Node, pnpm, and PM2 directly on the server.
  2. Run the app in a single Docker container and manage Postgres separately.
  3. Use Docker Compose to define both services and their relationship.

Option 3 won instantly. Compose gives me:

  • Local parity. I can spin the stack up on macOS using Colima, just like in my Docker-on-macOS post.
  • A reproducible bundle. The compose file describes the exact images, health checks, and volumes needed — perfect for infra-as-code.
  • No host pollution. The VPS stays a clean Docker box with zero lingering Node/npm/PM2 packages.
  • Expressed dependencies. Compose orchestrates Postgres + Umami and waits for the DB’s health check before starting the app.
  • Strict networking. Services talk over a private bridge network. Only the ports I publish make it to the host.
  • Ansible-friendly automation. Ansible can drop the compose file, render an .env, and run docker compose up -d in one role.

The Ansible Role at the Core

I wrapped everything in ansible-role-umami so I can reuse it across machines. At commit f31f9b9a1c71039311a71ece3c8c8162de84316c, the compose template looks like this:

templates/docker-compose.yml.j2
view raw 
		
  1. services:
    2. 

  2.   db:
    3. 

  3.     image: {{ umami_postgres_image }}
    4. 

  4.     restart: unless-stopped
    5. 

  5.     environment:
    6. 

  6.       POSTGRES_DB: ${POSTGRES_DB}
    7. 

  7.       POSTGRES_USER: ${POSTGRES_USER}
    8. 

  8.       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    9. 

  9.       TZ: ${TZ}
    10. 

  10.     healthcheck:
    11. 

  11.       test: ["CMD-SHELL", "pg_isready -U \"$${POSTGRES_USER}\" -d \"$${POSTGRES_DB}\""]
    12. 

  12.       interval: 5s
    13. 

  13.       timeout: 5s
    14. 

  14.       retries: 10
    15. 

  15.     volumes:
    16. 

  16.       - umami-db-data:/var/lib/postgresql/data
    17. 

  17.     networks:
    18. 

  18.       - umami-net
    19. 

  19.     logging:
    20. 

  20.       driver: json-file
    21. 

  21.       options:
    22. 

  22.         max-size: "10m"
    23. 

  23.         max-file: "3"
    24. 

  24.  
    25. 

  25.   umami:
    26. 

  26.     image: {{ umami_image }}
    27. 

  27.     restart: unless-stopped
    28. 

  28.     depends_on:
    29. 

  29.       db:
    30. 

  30.         condition: service_healthy
    31. 

  31.     ports:
    32. 

  32.       - "{{ umami_bind_address }}:${UMAMI_PORT:-{{ umami_listen_port }}}:3000"
    33. 

  33.     environment:
    34. 

  34.       DATABASE_TYPE: postgresql
    35. 

  35.       DATABASE_URL: ${DATABASE_URL}
    36. 

  36.       APP_SECRET: ${APP_SECRET}
    37. 

  37.       HOSTNAME: "0.0.0.0"
    38. 

  38.       PORT: "3000"
    39. 

  39.       TZ: ${TZ}
    40. 

  40.     healthcheck:
    41. 

  41.       test: ["CMD-SHELL", "curl -fsS http://localhost:3000/api/heartbeat || exit 1"]
    42. 

  42.       interval: 10s
    43. 

  43.       timeout: 5s
    44. 

  44.       retries: 10
    45. 

  45.     networks:
    46. 

  46.       - umami-net

A couple of highlights:

  • Postgres persists data in a named volume and exposes a health check.
  • Umami waits on that health check before launching.
  • The ports directive binds to {{ umami_bind_address }} so I can keep it locked to 127.0.0.1 instead of public interfaces.

Defaults live alongside the template, so each install starts loopback-only on port 3000 until I override it:

defaults/main.yml
view raw 
		
  1. ---
    2. 

  2. umami_timezone: Europe/London
    3. 

  3.  
    4. 

  4. # Config storage (remote)
    5. 

  5. umami_base_dir: "/opt/umami"
    6. 

  6.  
    7. 

  7. # Secrets storage (local controller)
    8. 

  8. umami_secrets_dir: "{{ playbook_dir }}/.secrets/{{ inventory_hostname }}"
    9. 

  9.  
    10. 

  10. # Container images
    11. 

  11. umami_image: ghcr.io/umami-software/umami:postgresql-latest
    12. 

  12. umami_postgres_image: postgres:18-alpine
    13. 

  13.  
    14. 

  14. # Networking
    15. 

  15. umami_listen_port: 3000
    16. 

  16. umami_bind_address: 127.0.0.1
    17. 

  17.  
    18. 

  18. # Database
    19. 

  19. umami_db_name: umami
    20. 

  20. umami_db_user: umami
    21. 

  21. umami_db_password: ""
    22. 

  22. umami_app_secret: ""
    23. 

  23.  
    24. 

  24. # Compose options
    25. 

  25. umami_compose_project_name: umami
    26. 

  26. umami_compose_pull: always
    27. 

  27. umami_compose_recreate: auto

The main task file ties it all together. Ansible generates strong secrets on the controller (so they persist between runs), templates both .env and docker-compose.yml, then presses docker compose up via the community module:

tasks/main.yml
view raw 
		
  1. ---
    2. 

  2. - name: Ensure base directory exists (remote)
    3. 

  3.   become: true
    4. 

  4.   ansible.builtin.file:
    5. 

  5.     path: "{{ umami_base_dir }}"
    6. 

  6.     state: directory
    7. 

  7.     owner: root
    8. 

  8.     group: root
    9. 

  9.     mode: "0755"
    10. 

  10.  
    11. 

  11. # --- Local secrets handling ---
    12. 

  12. - name: Ensure local secrets dir exists (controller)
    13. 

  13.   ansible.builtin.file:
    14. 

  14.     path: "{{ umami_secrets_dir }}"
    15. 

  15.     state: directory
    16. 

  16.     mode: "0700"
    17. 

  17.   delegate_to: localhost
    18. 

  18.   run_once: false
    19. 

  19.  
    20. 

  20. - name: Generate DB password if needed (local)
    21. 

  21.   ansible.builtin.set_fact:
    22. 

  22.     umami_db_password: >-
    23. 

  23.       {{ lookup('ansible.builtin.password',
    24. 

  24.                 umami_secrets_dir ~ '/.db_password chars=ascii_letters,digits length=32') }}
    25. 

  25.   when: (umami_db_password | default('') | length) == 0
    26. 

  26.   delegate_to: localhost
    27. 

  27.   run_once: false
    28. 

  28.  
    29. 

  29. - name: Generate app secret if needed (local)
    30. 

  30.   ansible.builtin.set_fact:
    31. 

  31.     umami_app_secret: >-
    32. 

  32.       {{ lookup('ansible.builtin.password',
    33. 

  33.                 umami_secrets_dir ~ '/.app_secret chars=hexdigits length=64') }}
    34. 

  34.   when: (umami_app_secret | default('') | length) == 0
    35. 

  35.   delegate_to: localhost
    36. 

  36.   run_once: false
    37. 

  37.  
    38. 

  38. # --- Remote config + deployment ---
    39. 

  39. - name: Render .env file
    40. 

  40.   become: true
    41. 

  41.   ansible.builtin.template:
    42. 

  42.     src: env.j2
    43. 

  43.     dest: "{{ umami_base_dir }}/.env"
    44. 

  44.     owner: root
    45. 

  45.     group: root
    46. 

  46.     mode: "0640"
    47. 

  47.   notify: Restart umami stack
    48. 

  48.  
    49. 

  49. - name: Render docker-compose.yml
    50. 

  50.   become: true
    51. 

  51.   ansible.builtin.template:
    52. 

  52.     src: docker-compose.yml.j2
    53. 

  53.     dest: "{{ umami_base_dir }}/docker-compose.yml"
    54. 

  54.     owner: root
    55. 

  55.     group: root
    56. 

  56.     mode: "0644"
    57. 

  57.   notify: Restart umami stack
    58. 

  58.  
    59. 

  59. - name: Ensure Umami stack is running
    60. 

  60.   become: true
    61. 

  61.   community.docker.docker_compose_v2:
    62. 

  62.     project_src: "{{ umami_base_dir }}"
    63. 

  63.     project_name: "{{ umami_compose_project_name }}"
    64. 

  64.     state: present
    65. 

  65.     pull: "{{ umami_compose_pull }}"
    66. 

  66.     recreate: "{{ umami_compose_recreate }}"
    67. 

  67.   register: umami_compose_result
    68. 

  68.  
    69. 

  69. - name: Display docker compose changes
    70. 

  70.   ansible.builtin.debug:
    71. 

  71.     var: umami_compose_result
    72. 

  72.   when: umami_compose_result is defined

The handler simply restarts the stack when either template changes, which keeps upgrades predictable.

A Quick Note on Docker vs. UFW

If you publish a port without thinking, Docker quietly bypasses UFW because it owns its own iptables chain. That means even a server with “deny incoming” can leak an app to the public internet if you bind it to 0.0.0.0.

When you run a container and publish a port (e.g. -p 3000:3000), Docker modifies iptables directly — not through ufw.
Those rules are evaluated before ufw’s user-space rules.
So a simple docker run -p 3000:3000 umami exposes port 3000 on all interfaces (0.0.0.0) even if ufw is active.

Binding to 127.0.0.1 inside the compose file keeps the dashboard completely private until I put a reverse proxy (or Tailscale) in front of it.

Dropping the Role Into Project Lighthouse

My homelab playbook (ansible-project-lighthouse) consumes the role with just a few lines:

main.yml
view raw 
		
  1. - role: umami_nginx
    2. 

  2.   tags: [umami_nginx]
    3. 

  3. - role: nicholasclooney.umami
    4. 

  4.   tags: [umami]
    5. 

  5.   vars:
    6. 

  6.     umami_timezone: Europe/London
    7. 

  7.     umami_bind_address: 127.0.0.1
    8. 

  8.     umami_listen_port: 3000
    9. 

  9. - role: tailscale_serve
    10. 

  10.   tags: [tailscale_serve]

Group vars clamp the dashboard to the loopback network, ready for a reverse proxy to front it:

group_vars/debian_lighthouse/main.yml.template
view raw 
		
  1. # === Nginx/analytics access control ===
    2. 

  2. #
    3. 

  3. # CIDR/IPs allowed to reach the Umami dashboard via umami_nginx
    4. 

  4. nginx_dashboard_allowlist:
    5. 

  5.   - "127.0.0.1/32"
    6. 

  6.  
    7. 

  7. # === Domains ===
    8. 

  8. #
    9. 

  9. # Used by certbot role when requesting site certificates
    10. 

  10. primary_domain: "example.com"
    11. 

  11. # Shared by certbot + umami_nginx site template for analytics host
    12. 

  12. analytics_domain: "analytics.example.com"
    13. 

  13.  
    14. 

  14. # === Certbot ===
    15. 

  15. #
    16. 

  16. # Toggle ACME issuance in certbot role
    17. 

  17. certbot_issue_certificates: false
    18. 

  18. # Ensures packaged systemd timer stays enabled
    19. 

  19. certbot_auto_renew: true
    20. 

  20. # Certbot registration email for expiry notices and ToS
    21. 

  21. certbot_admin_email: "[email protected]"
    22. 

  22. # Domains to request via Certbot (include each site explicitly and point DNS to this host)
    23. 

  23. certbot_domains:
    24. 

  24.   - "example.com"

Because I only trust my tailnet to see sensitive dashboards, I run a tiny systemd unit that publishes Umami through Tailscale Serve:

roles/tailscale_serve/tasks/main.yml
view raw 
		
  1. ---
    2. 

  2. - name: Deploy tailscale serve systemd unit
    3. 

  3.   become: true
    4. 

  4.   ansible.builtin.template:
    5. 

  5.     src: tailscale-serve.service.j2
    6. 

  6.     dest: "/etc/systemd/system/{{ tailscale_serve_service_name }}.service"
    7. 

  7.     owner: root
    8. 

  8.     group: root
    9. 

  9.     mode: '0644'
    10. 

  10.   notify:
    11. 

  11.     - Restart tailscale serve
    12. 

  12.  
    13. 

  13. - name: Ensure tailscale serve service is enabled and {{ tailscale_serve_state }}
    14. 

  14.   become: true
    15. 

  15.   ansible.builtin.systemd:
    16. 

  16.     name: "{{ tailscale_serve_service_name }}"
    17. 

  17.     enabled: "{{ tailscale_serve_enabled }}"
    18. 

  18.     state: "{{ tailscale_serve_state }}"
    19. 

  19.     daemon_reload: true

That translates to a private https://umami.tailXX.ts.net endpoint that only logged-in tailnet devices can reach. No public ingress, no guesswork.

Publishing the Tracking Script With Nginx

The public web still needs /script.js and /api/send, so I carved out an Nginx site that only exposes those endpoints while keeping the full dashboard locked to my allowlist:

roles/umami_nginx/templates/analytics.conf.j2
view raw 
		
  1. # 1) HTTP → HTTPS redirect
    2. 

  2. server {
    3. 

  3.     listen 80;
    4. 

  4.     listen [::]:80;
    5. 

  5.     server_name {{ analytics_domain }};
    6. 

  6.     return 301 https://$host$request_uri;
    7. 

  7. }
    8. 

  8.  
    9. 

  9. # 2) HTTPS site
    10. 

  10. server {
    11. 

  11.     listen 443 ssl http2;
    12. 

  12.     listen [::]:443 ssl http2;
    13. 

  13.     server_name {{ analytics_domain }};
    14. 

  14.  
    15. 

  15.     # Logs
    16. 

  16.     access_log /var/log/nginx/{{ umami_nginx_site_name }}.access.log;
    17. 

  17.     error_log /var/log/nginx/{{ umami_nginx_site_name }}.error.log;
    18. 

  18.  
    19. 

  19.     # TLS certs
    20. 

  20.     ssl_certificate     /etc/letsencrypt/live/{{ analytics_domain }}/fullchain.pem;
    21. 

  21.     ssl_certificate_key /etc/letsencrypt/live/{{ analytics_domain }}/privkey.pem;
    22. 

  22.  
    23. 

  23.  
    24. 

  24.     location = /script.js {
    25. 

  25.         proxy_pass http://{{ umami_nginx_upstream_host }}:{{ umami_nginx_upstream_port }};
    26. 

  26.         proxy_set_header Host $host;
    27. 

  27.         proxy_set_header X-Real-IP $remote_addr;
    28. 

  28.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    29. 

  29.         proxy_set_header X-Forwarded-Proto $scheme;
    30. 

  30.     }
    31. 

  31.  
    32. 

  32.     location = /api/send {
    33. 

  33.         proxy_pass http://{{ umami_nginx_upstream_host }}:{{ umami_nginx_upstream_port }};
    34. 

  34.         proxy_set_header Host $host;
    35. 

  35.         proxy_set_header X-Real-IP $remote_addr;
    36. 

  36.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    37. 

  37.         proxy_set_header X-Forwarded-Proto $scheme;
    38. 

  38.  
    39. 

  39.         limit_except POST OPTIONS { deny all; }
    40. 

  40.  
    41. 

  41.         proxy_hide_header Access-Control-Allow-Origin;
    42. 

  42.         proxy_hide_header Access-Control-Allow-Methods;
    43. 

  43.         proxy_hide_header Access-Control-Allow-Headers;
    44. 

  44.         proxy_hide_header Access-Control-Max-Age;
    45. 

  45.  
    46. 

  46.         add_header Access-Control-Allow-Origin "$http_origin" always;
    47. 

  47.         add_header Access-Control-Allow-Methods "POST, OPTIONS" always;
    48. 

  48.         add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
    49. 

  49.         add_header Access-Control-Max-Age 86400 always;
    50. 

  50.         add_header Vary "Origin" always;
    51. 

  51.  
    52. 

  52.         if ($request_method = OPTIONS) {
    53. 

  53.             return 204;
    54. 

  54.         }
    55. 

  55.     }
    56. 

  56.  
    57. 

  57.     location / {
    58. 

  58.         {% for cidr in nginx_dashboard_allowlist %}
    59. 

  59.         allow {{ cidr }};
    60. 

  60.         {% endfor %}
    61. 

  61.         deny all;
    62. 

  62.         proxy_pass http://{{ umami_nginx_upstream_host }}:{{ umami_nginx_upstream_port }};
    63. 

  63.         proxy_set_header Host $host;
    64. 

  64.         proxy_set_header X-Real-IP $remote_addr;
    65. 

  65.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    66. 

  66.         proxy_set_header X-Forwarded-Proto $scheme;
    67. 

  67.     }
    68. 

  68. }

  • /script.js and /api/send proxy straight through to Umami, complete with the required CORS headers.
  • Any other path hits the allowlist first — in production I set it to tailnet ranges so only I can see the UI.

With that in place, the public site embeds Umami’s script tag while the administrative interface stays non-routable unless you’re me.

The Stack in Motion

Putting it all together looks like this:

  1. Ansible renders .env + docker-compose.yml, generates secrets, and runs docker compose up -d.
  2. Docker Compose brings up Postgres + Umami, health checks everything, and binds the UI to loopback.
  3. Tailscale Serve publishes the dashboard to my tailnet so I can check analytics from anywhere (even on mobile).
  4. Nginx proxies just the beacon endpoints to the public internet while keeping the rest locked down.

Because the role also runs locally, I can clone the repo, fire up Colima, and test the exact stack on my Mac before pushing changes upstream. When updates drop, ansible-playbook main.yml --tags umami pulls the new image and restarts the stack cleanly.

Final Thoughts

This setup sounds complex on paper, but it condenses into a repeatable Ansible run:

  • Compose keeps the host tidy and the deployment predictable.
  • Tailscale and Nginx add just enough routing to stay private-by-default.
  • Secrets never leave my control, and rollbacks are one docker compose down away.

If you’re already automating servers with Ansible, steal the role, tune the defaults, and try the workflow on a Colima sandbox first. When you’re ready to go live, aim the playbook at your server and enjoy Umami’s dashboard — privately. Then take a detour through the related posts on Colima, Tailscale, and debugging Umami to see how the rest of the puzzle pieces fit together.