21 apps DevOps
Grafana screenshot thumbnail

Grafana

The de facto dashboard of observability: Grafana is the open-source frontend that turns the data stores you already run into interactive graphs. It does not store metrics itself; it connects to the data stores you already run and turns their contents into interactive dashboards. Supported sources number over 150 via plugins: Prometheus, Loki, Tempo, InfluxDB, Elasticsearch, MySQL, PostgreSQL, Microsoft SQL Server, AWS CloudWatch, Azure Monitor, Google Cloud Monitoring, and many more. Dashboards are built from a large library of panel types (time series, heatmaps, tables, gauges, logs) with template variables for reusable, parameterized views. Unified alerting evaluates rules against any connected data source, not just Prometheus, and routes notifications to Slack, PagerDuty, email, and other channels with grouping and silencing - unlike Prometheus Alertmanager, a single rule can combine a Loki log pattern, a PostgreSQL query result, and a CloudWatch metric. Dashboards serialize to JSON and data sources configure via provisioning files, so the entire observability setup can live in Git and deploy repeatably across environments. Explore mode adds ad-hoc querying outside dashboards, with split view for correlating a metric spike against the matching log lines, and access control spans organizations, teams, folder permissions, and OAuth, LDAP, and SAML integration. Written in Go and TypeScript, AGPL-licensed. Self-hosting gives you unlimited users, dashboards, and queries at flat hosting cost, without Grafana Cloud's usage-based pricing.

Deploy
Kestra screenshot thumbnail

Kestra

Data, AI, and infrastructure workflows, orchestrated from declarative YAML: Kestra is an open-source, event-driven orchestration platform. Flows are declared in YAML - no DSL rewrites or Python decorators - and the definition stays the single source of truth even when edited through the UI, API, CI/CD, or Terraform, which makes pull-request review, versioning, and rollback natural. Tasks run in any language: Python, Node.js, Go, Rust, R, SQL, or Bash scripts executed in containers, and a plugin ecosystem of 1,000+ integrations covers ingestion, dbt, Airbyte, Spark, cloud storage, databases, and messaging systems. Scheduling supports cron triggers, event triggers, backfills, and conditional branching, with retries, timeouts, error handling, and typed inputs and outputs that surface artifacts in the UI. Namespaces, labels, and subflows organize workflows at scale, and the embedded code editor includes Git integration. Common uses span ETL/ELT pipelines, dbt runs, microservice coordination, infrastructure provisioning, and human-in-the-loop approvals. Java-based, Apache 2.0 licensed, deployed via Docker or Kubernetes.

Deploy
Dokploy screenshot thumbnail

Dokploy

Your own Heroku or Vercel on a single server - Dokploy is the open-source, self-hosted Platform-as-a-Service that makes the swap. You point it at a Git repository or a Docker image, and it builds and deploys the application using Dockerfiles, Nixpacks, or Heroku/Paketo buildpacks. Traefik is integrated as the reverse proxy, handling routing, load balancing, automatic Let's Encrypt SSL certificates, and HTTP/3. It also provisions and manages databases (MySQL, PostgreSQL, MongoDB, MariaDB, Redis) with automated backups to external storage. Complex multi-service applications deploy through native Docker Compose support, and multi-node scaling uses Docker Swarm. The web UI covers environment variables, volumes, resource limits, real-time CPU/memory/network monitoring, and deployment logs, with a CLI and API for automation. Deployment notifications go to Slack, Discord, Telegram, or email. One-click templates install common open-source tools, and a single Dokploy control plane can manage deployments across multiple remote servers. Because everything is standard Docker under the hood, there is no lock-in: your Dockerfiles, Compose files, and data volumes work anywhere else Docker runs. You get the Heroku-style push-to-deploy workflow without operating a Kubernetes cluster, and the total cost is the server it runs on - no per-app, per-environment, or per-seat platform fees regardless of how many applications you deploy.

Deploy
Mattermost screenshot thumbnail

Mattermost

Teams that cannot send messages through someone else's cloud run Mattermost - the open-core, self-hosted alternative to Slack. It provides public and private channels, threaded discussions, unlimited search history, file sharing with previews, one-to-one audio calls, and screen sharing, with desktop clients for Windows, macOS, and Linux plus iOS and Android apps. Messages support full Markdown, which suits engineering conversations with code blocks and logs. Playbooks turn repeatable processes such as incident response and release management into checklist-driven workflows with automated triggers and retrospectives. Integration is a core strength: prebuilt connectors for GitHub, GitLab, Jira, ServiceNow, and PagerDuty, plus webhooks, slash commands, bots, a REST API, and a plugin marketplace with 700+ entries - together making it a working surface for ChatOps rather than just a chat room. Playbooks add keyword and event triggers, task assignment, status broadcasting, and post-incident retrospectives, so operational knowledge is not trapped in individuals' heads. The server is a single Go binary backed by PostgreSQL, with React clients, released monthly under MIT license and deployable fully air-gapped - which is why governments and defense organizations run it inside closed networks, and why the same control applies to any team with confidentiality requirements. The compiled Team Edition is free for unlimited users with no message history cutoff, so costs stay flat as the team grows.

Deploy
Coolify screenshot thumbnail

Coolify

Any SSH-accessible Linux box - VPS, bare metal, Raspberry Pi, EC2 - becomes a Heroku-like deployment environment under Coolify, an open-source, self-hostable platform-as-a-service. Connect a GitHub, GitLab, Bitbucket, or Gitea repository and every push builds and deploys automatically via Nixpacks, a Dockerfile, or Docker Compose, with Traefik reverse proxying, automatic Let's Encrypt certificates, and per-branch preview deployments with their own URLs. Databases - PostgreSQL, MySQL, MariaDB, MongoDB, Redis - provision in a few clicks, and a catalog of 280+ one-click service templates covers WordPress, n8n, Grafana, MinIO, Plausible, and more, replacing an afternoon of Compose YAML with a two-minute operation. One dashboard manages multiple servers, with Docker Swarm available for clustering. Backups go to any S3-compatible storage with one-click restore, a browser terminal gives real-time server access, and a full API supports CI/CD integration. All configuration lives on your own servers, so resources keep running even without Coolify. Apache 2.0 licensed.

Deploy
Tianji screenshot thumbnail

Tianji

Website analytics, uptime monitoring, and server status - three tools most teams run separately - combined in Tianji, an open-source observability platform. The analytics layer tracks page views, unique visitors, referrers, and UTM parameters with a lightweight cookie-less script, which keeps collection GDPR and CCPA friendly. The uptime monitor checks availability and latency on configurable intervals, accepts passively reported results, and publishes public status pages for incident communication. Server status agents report CPU, memory, disk, and network metrics with threshold-based alerts, and notifications route through webhooks, Slack, Telegram, and other channels with noise control. It also includes anonymous telemetry for tracking deployments of your own open-source projects, surveys, waitlists, team collaboration, and an OpenAPI interface for integrations and exports. The consolidation is the point: traffic analytics, uptime checks, and server metrics share one interface and one alerting layer, so diagnosing an incident does not mean hopping between Google Analytics, Uptime Kuma, and Prometheus - and the built-in public status pages replace a separate paid Statuspage-style subscription. Because collection uses no cookies with IP truncation and aggregation by default, basic traffic measurement requires no consent banner. Built in TypeScript under the Apache 2.0 license and inspired by Umami and Uptime Kuma, it is deliberately right-sized for independent developers and small SaaS teams whose monitoring needs are real but lightweight.

Deploy
Infisical screenshot thumbnail

Infisical

API keys hardcoded in repos, database passwords pasted into CI variables, .env files emailed between developers - Infisical, the open-source platform for secrets, certificates, and privileged access management, is the answer to all three. Secrets live in versioned stores scoped by project, environment, and path, with fine-grained identity-aware access control and full audit logging on every read and change. Delivery covers every consumption pattern: CLI injection into local dev, SDKs for Go, Node.js, and Python, an HTTP API, agents, a Kubernetes Operator, and secret syncs that push to GitHub, GitLab, AWS Secrets Manager, and Vercel. Automatic rotation replaces credentials for PostgreSQL, MySQL, MSSQL, LDAP, AWS IAM, and Azure on a rolling schedule - new credentials issue while old ones stay temporarily valid, so nothing breaks mid-rotation. Dynamic secrets go further, generating ephemeral, time-bound database credentials on demand, and SSH access replaces static keys with short-lived CA-signed certificates that expire automatically. Secrets scanning catches hardcoded credentials in code and pipelines, certificate management automates X.509 issuance and renewal, and a built-in KMS handles encrypt/decrypt with central key control. Self-hosting keeps the keys to everything else on your own infrastructure.

Deploy
Gotify screenshot thumbnail

Gotify

Real-time alerts from your own infrastructure to your phone, with no Firebase, Pushover, or third-party push service in the path: Gotify is a simple, self-hosted notification server written in Go. The model is deliberately minimal: senders push messages with a single HTTP POST to the REST API, receivers subscribe over a WebSocket stream, and a clean React web UI manages the pieces. Senders are namespaced as "applications," each with its own token, so your backup script, Uptime Kuma, CI pipeline, and cron jobs each get an identity, an icon, and independently revocable credentials - centralized alerting from many services with per-source management. Messages carry a title, body, and priority level that maps to notification importance on the client. The official Android app (on both F-Droid and Google Play, notable for working entirely without Google Play Services) shows push notifications for new messages; the web UI itself supports Web Push in the browser; and gotify/cli pushes messages from shell scripts with one command. A server-side plugin system adds custom behavior, and the whole thing runs as a single small binary with SQLite by default - near-zero resource footprint. Because dozens of tools (and Apprise) speak Gotify natively, it slots in as the notification hub for an entire homelab or ops stack.

Deploy
Vaultwarden screenshot thumbnail

Vaultwarden

The Bitwarden server, reimplemented in Rust: Vaultwarden (formerly bitwarden_rs) is the unofficial lightweight edition. It speaks the same wire protocol as the official server, so every official Bitwarden client - browser extensions, iOS, Android, desktop, and the bw CLI - connects without modification, while the server itself runs as a single container against SQLite (or MySQL/MariaDB/PostgreSQL) instead of the official multi-container stack that wants gigabytes of RAM. Features Bitwarden gates behind paid tiers ship free: organizations with collections, groups, member roles, and policies; TOTP code storage; file attachments; Bitwarden Send; Emergency Access; event logs; and admin password reset. Two-factor options cover authenticator apps, email, FIDO2 WebAuthn, YubiKey, and Duo, and OIDC-based SSO landed natively in v1.35.0. Zero-knowledge encryption is unchanged - vault data is encrypted client-side and the master password never reaches the server. Attachments and Sends store on local disk or S3-compatible backends, an admin panel manages users and server settings, and backup is copying one data directory. Suited to individuals and teams up to roughly 50 users.

Deploy
Apprise-API screenshot thumbnail

Apprise-API

One REST call, 130+ notification services: Apprise API wraps the well-known Apprise library in a lightweight Django/Gunicorn microservice, so "send an alert" works the same whether it goes to Slack, Discord, Telegram, Teams, email, SMS, Pushover, or PagerDuty - each addressed by a simple URL scheme. It solves the credential-sprawl problem cleanly: instead of embedding provider tokens in every app, cron job, and CI pipeline, you centralize them here and everything else just POSTs a body and title. Two modes cover every workflow. Stateless calls to /notify carry target URLs in the payload (or fall back to a default set via APPRISE_STATELESS_URLS); stateful mode stores named configurations server-side under keys, so /notify/{KEY} fans out to everything registered - with tag-based routing (comma for OR, space for AND) selecting which endpoints fire per message. Messages take info, success, warning, or failure types in text, Markdown, or HTML, with attachments up to a configurable size. A built-in web UI manages and tests configurations, APPRISE_CONFIG_LOCK makes the store read-only, service allow/deny lists restrict which schemes work, webhook remapping adapts third-party payloads, and a Prometheus /metrics endpoint watches the gateway itself.

Deploy
Unleash screenshot thumbnail

Unleash

Deployment decoupled from release: Unleash, the most popular open-source feature management platform on GitHub, is a Node.js server backed by PostgreSQL. Ship code dark, then control who sees it through activation strategies: gradual percentage rollouts, targeting by user ID, IP, hostname, or application name, custom constraints against your own context fields, and scheduled or time-limited releases. Strategies stack - a flag activates if any strategy matches - and strategy variants layer A/B versions on top of the on/off decision. Each flag carries per-environment configurations, so a feature can run at 100% in staging while canarying at 5% in production. Backend SDKs (Node.js, Java, Go, Python, Ruby, .NET, PHP, Rust, and more) fetch configuration and evaluate flags locally, so a flag check adds zero network latency to request paths; frontend SDKs for React, Vue, Svelte, iOS, Android, and Flutter evaluate through a proxy layer. Flag hygiene is built in: flags are typed (release, experiment, operational, kill-switch, permission) with expected lifetimes, and Unleash marks overdue flags as potentially stale and surfaces unknown flags your SDKs request but that don't exist. Self-hosting via Docker keeps flag data, targeting rules, and evaluation infrastructure entirely on your side.

Deploy
Kener screenshot thumbnail

Kener

A polished public status page without Statuspage prices or a heavyweight observability suite: Kener is a status and uptime monitoring system built with SvelteKit and Node.js. It runs 11 monitor types - API, Ping, TCP, DNS, SSL certificate, SQL query, Heartbeat, gRPC, and GameDig game-server checks among them - each with configurable intervals and thresholds. Incident management covers the full lifecycle: structured timelines from investigation through resolution, acknowledgements, and subscriber-visible updates, plus maintenance windows with RRULE-based recurring schedules and automatic status transitions. Notifications reach email, Slack, Discord, and custom webhooks through trigger-based workflows with template-driven messaging. One instance can serve multiple branded status pages - per product, team, or region - with custom logos, colors, and CSS, localization into 21 languages, timezone-aware displays, and server-rendered pages that stay fast and SEO-friendly. Operations tooling includes role-based access for teams, API key management, a secrets vault, analytics integrations (Google Analytics, Plausible, Umami, and others), and a REST API with 17+ endpoints for automating incidents and monitors from CI/CD. MIT-licensed; Docker deployment with Redis, SQLite by default, PostgreSQL or MySQL for production.

Deploy
Kopia screenshot thumbnail

Kopia

Engineers who have outgrown Duplicati or rsync scripts tend to appreciate Kopia's design: encrypted, compressed, content-deduplicated snapshots in Go, stored in a repository on any storage you control - S3, Google Cloud Storage, Azure Blob, Backblaze B2, SFTP, WebDAV, or a plain filesystem. Encryption is mandatory and end-to-end: every block is encrypted client-side with AES-256-GCM or ChaCha20-Poly1305 using keys derived from your repository password, and even file names never leave the machine in plaintext. Blocks are packed into 20-40 MB blobs with random names, so the storage provider learns nothing about content or structure. Deduplication is automatic and content-based - identical data across files, snapshots, and even multiple machines backing up to the same repository is stored once. Policies govern everything per-directory: compression choice, retention (hourly through annual), scheduling, and ignore rules. Incremental snapshots are point-in-time records you can mount and browse like a filesystem. This deployment runs the Kopia repository server with its web UI, centralizing backups from multiple client machines over an authenticated API - each client connects with the server URL and certificate fingerprint, and users only see their own snapshots. Error correction, high-latency-tolerant caching, and both CLI and GUI round it out.

Deploy
UptimeKuma screenshot thumbnail

UptimeKuma

Sixty-thousand-plus GitHub stars make Uptime Kuma the most popular self-hosted monitoring tool - MIT-licensed, Node.js, and the standard replacement for UptimeRobot, Pingdom, and Freshping. It watches a dozen monitor types: HTTP(S) endpoints with keyword and JSON-query content validation, TCP ports, ICMP ping, DNS records, WebSockets, Docker containers via the socket, Steam game servers, MQTT brokers, gRPC services, and push-based heartbeats for cron jobs and internal workers. Checks run at intervals as tight as 20 seconds - versus UptimeRobot's 5-minute free tier - with unlimited monitors and unlimited data retention. When something fails, alerts fan out through 90+ notification channels: Slack, Discord, Telegram, email with LiquidJS templating, PagerDuty, OpsGenie, ntfy, Gotify, Matrix, and dozens more via native providers plus the Apprise library. Unlimited public or password-protected status pages - mappable to specific domains and organized into monitor groups - communicate health to customers, with maintenance windows that suppress alerts during planned work. The reactive dashboard graphs response times, tracks SSL certificate expiry with advance warnings, supports proxies and 2FA, and ships in dozens of languages. One Docker container with a SQLite volume covers an entire infrastructure.

Deploy
Flagsmith screenshot thumbnail

Flagsmith

Wrap code in a flag, then toggle it per environment, per user, per segment, or by percentage - no redeploy required: Flagsmith is an open-source feature flag and remote config platform. Every flag doubles as remote config, carrying string, number, or JSON values, so functional and visual changes ship to production without a code push. Segments are the targeting engine: build them from stored user traits, then release to beta testers first, test in production by exposing features only to internal teams, or run canary deployments to a small percentage before going wide - segment membership changes instantly without app updates. Multivariate flags split traffic across two or more variations for A/B/n testing, with flag events flowing into Amplitude, Mixpanel, or Segment for analysis. SDKs cover 15+ languages including TypeScript, .NET, Java, Python, and Go, with framework support for React, Next.js, and mobile, plus local evaluation for latency-sensitive paths. Organizations, projects, and roles keep multi-team setups tidy. Core functionality - unlimited flags, remote config, targeting, multivariate flags - is BSD-3-Clause licensed with an explicit commitment that it stays open. Self-hosting suits privacy-conscious teams: flag rules and user traits stay on your infrastructure, deployable via Docker or Kubernetes with Helm.

Deploy
Verdaccio screenshot thumbnail

Verdaccio

Private npm packages without shipping code to the public registry or paying for npm Enterprise: Verdaccio is the standard lightweight, zero-config private registry and caching proxy. It runs as a single Node.js process with its own tiny embedded database; no external database is required to start. Point npm, yarn, or pnpm at it and everything behaves as expected: install, publish, unpublish, dist-tags, and deprecation all work against the standard npm endpoints. The uplink system is where it earns its keep: packages not found locally are fetched from configured upstreams (npmjs.org, yarn, JFrog, Nexus, or another Verdaccio), cached as tarballs, and served locally thereafter - cutting CI latency and surviving registry outages. Multiple uplinks chain for failover, and per-package glob patterns in config.yaml route scopes to specific upstreams while controlling access, publish, and unpublish rights per group. You can even override a public package by publishing a patched version under the same name locally. A plugin architecture swaps in auth backends (htpasswd default, LDAP and others available), storage drivers (S3, Google Cloud Storage), middleware routes, and metadata filters. With official Docker images and a Kubernetes Helm chart, it slots into any pipeline in minutes.

Deploy
PowerDNS-Admin screenshot thumbnail

PowerDNS-Admin

Raw zone files and API calls become something a whole team can operate safely once PowerDNS-Admin puts its web interface in front of a PowerDNS authoritative server. It's a Python/Flask application covering full forward and reverse zone management, with the touches that matter in daily DNS work: zone templates for stamping out consistent new domains, easy IPv6 PTR record editing (reverse zones by hand are misery), full IDN/Punycode support for internationalized domains, and DynDNS 2 protocol support so routers and scripts can update records the way they would against a commercial dynamic-DNS service. Access control is enterprise-grade: local users, LDAP against OpenLDAP or Active Directory, SAML, and OAuth via Google, GitHub, Azure, or OpenID Connect, hardened with TOTP two-factor authentication. Role-based permissions extend to zone-specific access control - hand a developer their project's zone without exposing the rest of your namespace - and activity logging records who changed which record when, the audit trail bare PowerDNS never gives you. The dashboard monitors PDNS service configuration and statistics, and its own API exposes zone and record management for automation on top of the UI. Runs against MySQL/MariaDB or PostgreSQL, talking to PowerDNS through its REST API. MIT-licensed.

Deploy
pgweb screenshot thumbnail

pgweb

Inspect a PostgreSQL database right now, without installing pgAdmin or exposing Postgres to the internet - pgweb answers that recurring need. It's a Go application from Dan Sosedoff, a decade in development, shipped as a single statically-linked binary with zero dependencies - the Docker image is essentially just the executable - that puts a clean browser UI in front of any PostgreSQL 9.1+ server. Connect via URL string or host/port credentials, and browse tables, views, and sequences from the sidebar; selecting a table shows its rows immediately alongside tabs for structure, indexes, and constraints. The Query tab executes arbitrary SQL with query history, and the Explain Query button renders the query plan - estimated cost, row counts, execution strategy - which makes pgweb a quick performance-triage tool, not just a browser. Results and entire tables export to CSV, JSON, or XML in a click. Connectivity is more flexible than its size suggests: native SSH tunneling (password or key) reaches databases behind firewalls, server bookmarks make switching instances instant, and an optional multi-session mode handles several databases concurrently. For a RepoCloud stack full of Postgres-backed apps, one pgweb instance is the universal inspection hatch. MIT-licensed, actively maintained.

Deploy