Coolify
Any SSH-accessible Linux box - VPS, bare metal, Raspberry Pi, EC2 - becomes a Heroku-like deployment environment under Coolify, an open-source, self-hostable platform-as-a-service. Connect a GitHub, GitLab, Bitbucket, or Gitea repository and every push builds and deploys automatically via Nixpacks, a Dockerfile, or Docker Compose, with Traefik reverse proxying, automatic Let's Encrypt certificates, and per-branch preview deployments with their own URLs. Databases - PostgreSQL, MySQL, MariaDB, MongoDB, Redis - provision in a few clicks, and a catalog of 280+ one-click service templates covers WordPress, n8n, Grafana, MinIO, Plausible, and more, replacing an afternoon of Compose YAML with a two-minute operation. One dashboard manages multiple servers, with Docker Swarm available for clustering. Backups go to any S3-compatible storage with one-click restore, a browser terminal gives real-time server access, and a full API supports CI/CD integration. All configuration lives on your own servers, so resources keep running even without Coolify. Apache 2.0 licensed.
Nango
The integrations your SaaS product offers its own users - that is what Nango, an open-source product-integrations platform, exists to build. It solves the repetitive infrastructure work behind every third-party API connection: OAuth flows, API key handling, token refresh, encrypted credential storage, rate-limit backoff, retries, and multi-tenant connection management. It ships pre-built auth configurations for 800+ APIs. Your users connect their accounts through an embeddable, white-label Connect UI, and your backend then reads or writes data through Nango's proxy, SDKs, or REST API without ever touching raw credentials. Integration logic is written as TypeScript functions covering actions, scheduled data syncs, and webhook processing - all running on one runtime with retries, checkpointing, and per-connection logs built in. Syncs pull records incrementally on a schedule, one-way or two-way, which suits RAG pipelines, search indexing, and keeping local copies of external data current. Selected actions can also be exposed as tool schemas or through a built-in MCP server, so AI agents operate on user-connected accounts without ever handling provider credentials. Auth support spans OAuth 2.0, OAuth 1.0a, API keys, basic auth, and JWT, and observability - logs, metrics, failure detection, and a reconnect flow for expired credentials - is scoped per customer connection for easier support debugging. Works with any backend language. Self-hosting on RepoCloud keeps all customer credentials and synced data on infrastructure you control, which matters for data residency and compliance requirements.
Dokploy
Your own Heroku or Vercel on a single server - Dokploy is the open-source, self-hosted Platform-as-a-Service that makes the swap. You point it at a Git repository or a Docker image, and it builds and deploys the application using Dockerfiles, Nixpacks, or Heroku/Paketo buildpacks. Traefik is integrated as the reverse proxy, handling routing, load balancing, automatic Let's Encrypt SSL certificates, and HTTP/3. It also provisions and manages databases (MySQL, PostgreSQL, MongoDB, MariaDB, Redis) with automated backups to external storage. Complex multi-service applications deploy through native Docker Compose support, and multi-node scaling uses Docker Swarm. The web UI covers environment variables, volumes, resource limits, real-time CPU/memory/network monitoring, and deployment logs, with a CLI and API for automation. Deployment notifications go to Slack, Discord, Telegram, or email. One-click templates install common open-source tools, and a single Dokploy control plane can manage deployments across multiple remote servers. Because everything is standard Docker under the hood, there is no lock-in: your Dockerfiles, Compose files, and data volumes work anywhere else Docker runs. You get the Heroku-style push-to-deploy workflow without operating a Kubernetes cluster, and the total cost is the server it runs on - no per-app, per-environment, or per-seat platform fees regardless of how many applications you deploy.
UptimeKuma
Sixty-thousand-plus GitHub stars make Uptime Kuma the most popular self-hosted monitoring tool - MIT-licensed, Node.js, and the standard replacement for UptimeRobot, Pingdom, and Freshping. It watches a dozen monitor types: HTTP(S) endpoints with keyword and JSON-query content validation, TCP ports, ICMP ping, DNS records, WebSockets, Docker containers via the socket, Steam game servers, MQTT brokers, gRPC services, and push-based heartbeats for cron jobs and internal workers. Checks run at intervals as tight as 20 seconds - versus UptimeRobot's 5-minute free tier - with unlimited monitors and unlimited data retention. When something fails, alerts fan out through 90+ notification channels: Slack, Discord, Telegram, email with LiquidJS templating, PagerDuty, OpsGenie, ntfy, Gotify, Matrix, and dozens more via native providers plus the Apprise library. Unlimited public or password-protected status pages - mappable to specific domains and organized into monitor groups - communicate health to customers, with maintenance windows that suppress alerts during planned work. The reactive dashboard graphs response times, tracks SSL certificate expiry with advance warnings, supports proxies and 2FA, and ships in dozens of languages. One Docker container with a SQLite volume covers an entire infrastructure.
Infisical
API keys hardcoded in repos, database passwords pasted into CI variables, .env files emailed between developers - Infisical, the open-source platform for secrets, certificates, and privileged access management, is the answer to all three. Secrets live in versioned stores scoped by project, environment, and path, with fine-grained identity-aware access control and full audit logging on every read and change. Delivery covers every consumption pattern: CLI injection into local dev, SDKs for Go, Node.js, and Python, an HTTP API, agents, a Kubernetes Operator, and secret syncs that push to GitHub, GitLab, AWS Secrets Manager, and Vercel. Automatic rotation replaces credentials for PostgreSQL, MySQL, MSSQL, LDAP, AWS IAM, and Azure on a rolling schedule - new credentials issue while old ones stay temporarily valid, so nothing breaks mid-rotation. Dynamic secrets go further, generating ephemeral, time-bound database credentials on demand, and SSH access replaces static keys with short-lived CA-signed certificates that expire automatically. Secrets scanning catches hardcoded credentials in code and pipelines, certificate management automates X.509 issuance and renewal, and a built-in KMS handles encrypt/decrypt with central key control. Self-hosting keeps the keys to everything else on your own infrastructure.
Hasura
A PostgreSQL database becomes a production-grade GraphQL API the moment Hasura GraphQL Engine points at it: track tables and relationships - existing schemas included - and full query, mutation, and subscription types appear with where, order_by, limit, offset, and on_conflict arguments, no resolvers or boilerplate written. Its Haskell core compiles GraphQL to efficient SQL, and any query becomes a real-time live query with a single keyword, powering dashboards and collaborative UIs over standard GraphQL subscriptions. Authorization is where Hasura earns its enterprise reputation: role-based access control with row- and column-level permission policies driven by session variables from JWTs, auth webhooks, or headers - each role effectively sees its own GraphQL schema containing only what it may touch, integrating cleanly with Auth0, Firebase, or homegrown auth. Event triggers fire webhooks on inserts, updates, and deletes for asynchronous business logic; Actions extend the schema with custom REST handlers; remote schema stitching merges external GraphQL services into one endpoint; and auto-generated REST endpoints serve clients that skip GraphQL. A browser console handles data modeling and API exploration, the CLI manages migrations and metadata as code, and deployment is a single stateless Docker container beside Postgres.
Zitadel
Securing a SaaS product, running B2B onboarding, or replacing Auth0 and Keycloak with a stack they own - teams needing more than basic auth reach for ZITADEL, an open-source identity and access management platform built in Go. Its multi-tenancy model is the differentiator: a strict Instance, Organization, Project hierarchy isolates data and scopes policy at each level, with identity brokering (pre-built templates for Google, GitHub, Microsoft, Apple, plus generic OIDC, OAuth, SAML, and LDAP), domain discovery that routes users to the right organization by email domain, and delegated management so customers administer their own users and roles. Authentication covers OpenID Connect (certified, including device authorization and token exchange), SAML 2.0 as both IdP and SP, SCIM, FIDO2 passkeys for phishing-resistant passwordless login, and MFA via OTP, email, SMS, and U2F; machine-to-machine flows support JWT profile, PATs, and client credentials. The architecture is event-sourced - every mutation is an immutable event, yielding a complete audit trail - with relational projections for queries and no external session store, so it scales horizontally. API-first with gRPC and REST, extensible via Actions webhooks, and the same codebase self-hosted (Docker Compose or Helm on PostgreSQL) as in the cloud.
CubeJS
Between your databases and everything that consumes data - BI tools, embedded analytics, AI agents - sits Cube (formerly Cube.js), an open-source semantic layer. Metrics, dimensions, joins, and access rules are defined once as code in YAML, JavaScript, or Python, forming a governed data model that every downstream consumer shares, so "revenue" means the same thing in every dashboard. Caching is two-level: an in-memory cache absorbs bursts of identical queries, and declared pre-aggregations - rollup tables built in the warehouse or in Cube Store, Cube's distributed columnar engine, and refreshed in the background - deliver sub-second latency while cutting warehouse compute costs. The query planner routes each request to cache, rollup, or source automatically. Consumers connect through a Postgres-compatible SQL API (any tool that speaks Postgres works), plus REST, GraphQL, and a Meta API for model introspection. Row-level security and multi-tenancy are enforced in the layer itself, upstream of every client. Sources include Snowflake, BigQuery, Databricks, Postgres, MySQL, Presto, and Athena. Headless by design - bring your own UI.
Statping-ng
A status page and uptime monitor in one Go binary: Statping-ng - the actively maintained fork of Statping - replaces the UptimeRobot-plus-Statuspage combo with a ~20 MB Docker image using under 50 MB of RAM. It checks services over HTTP, TCP, UDP, ICMP ping, and gRPC health checks on configurable intervals, with per-service timeouts, expected status codes, POST requests with custom JSON bodies, SSL verification, and failure thresholds before alerting. The public status page is the differentiator against plain monitors: visitors see live status, uptime percentages, and latency charts grouped into service categories, with incident announcements and scheduled-maintenance messages you publish from the dashboard - and Sass-based custom styling matches the page to your brand rather than a vendor template. When something fails, notifiers fire immediately: Slack, Discord, Telegram, SMTP email, PagerDuty, Twilio SMS, Pushover, and custom webhooks, each testable before saving. Because notifiers are single Go files, the plugin system makes new channels straightforward. A RESTful API manages services and reads uptime data programmatically, and the free Statping mobile app connects to your server via QR code for on-the-go monitoring. Data persists to SQLite, MySQL, or PostgreSQL. Point it at internal services too - anything the container can reach is monitorable.
Thumbor
Born at Brazilian media giant Globo.com, Thumbor answers imaging CDNs like Imgix and Cloudinary with an HTTP service where every image variant is just a URL. Ask for /300x200/smart/your-image.jpg and Thumbor fetches the original, crops and resizes on demand, and caches the result - one source file, unlimited renditions, no batch pre-generation pipeline. The "smart" in the URL is the signature feature: OpenCV-based face detection finds people in the frame and crops around them (no more thumbnails with severed heads), and when no faces exist, feature detection finds visually important corners and computes a weighted center of mass as the focal point. Beyond cropping, a chainable filter pipeline handles brightness, contrast, grayscale, blur, red-eye removal, rounded corners, rotation, watermarks, and format conversion with quality control - applied in order via URL segments. All common image formats work out of the box, and every layer is pluggable: loaders (HTTP, local, S3), storages and result storages (local, S3, Ceph, and community backends), engines, optimizers, filters, and even custom detectors, with the awesome-thumbor list cataloging the ecosystem. URL signing prevents abuse of your processing capacity. Integrations exist for Django, Rails, Node, WordPress, and most frameworks. MIT-licensed, battle- tested for over a decade.
PowerDNS-Admin
Raw zone files and API calls become something a whole team can operate safely once PowerDNS-Admin puts its web interface in front of a PowerDNS authoritative server. It's a Python/Flask application covering full forward and reverse zone management, with the touches that matter in daily DNS work: zone templates for stamping out consistent new domains, easy IPv6 PTR record editing (reverse zones by hand are misery), full IDN/Punycode support for internationalized domains, and DynDNS 2 protocol support so routers and scripts can update records the way they would against a commercial dynamic-DNS service. Access control is enterprise-grade: local users, LDAP against OpenLDAP or Active Directory, SAML, and OAuth via Google, GitHub, Azure, or OpenID Connect, hardened with TOTP two-factor authentication. Role-based permissions extend to zone-specific access control - hand a developer their project's zone without exposing the rest of your namespace - and activity logging records who changed which record when, the audit trail bare PowerDNS never gives you. The dashboard monitors PDNS service configuration and statistics, and its own API exposes zone and record management for automation on top of the UI. Runs against MySQL/MariaDB or PostgreSQL, talking to PowerDNS through its REST API. MIT-licensed.