n8n
Webhooks, cron schedules, and app events trigger chains of nodes that fetch, transform, and route data: n8n is a workflow automation platform built around a visual, node-based editor. It ships with 400+ built-in integrations covering databases like Postgres, SaaS tools like Slack and HubSpot, and every major AI provider. When a pre-built node does not exist, the HTTP Request node calls any REST API, and the Code node runs JavaScript or Python inline, so you are never blocked by a missing connector. Workflows execute as directed graphs with branching, loops, error handling, and sub-workflows, and every run is logged for inspection and replay during debugging. It also includes LangChain-based nodes for building AI agents with tool calling and memory. Self-hosting on RepoCloud gives you unlimited workflow executions with no per-task pricing, and all data stays on your instance. Runs on Node.js with SQLite by default; add Postgres and Redis queue mode when you need to scale workers horizontally.
OpenUI
Describe a component in natural language and watch it render: OpenUI, from Weights & Biases, is an open alternative to Vercel's v0. Type a prompt like "a dark-themed dashboard with a sidebar and charts" and the LLM renders working HTML with Tailwind styling live in the browser. You then iterate conversationally, asking for changes until the design is right, and convert the result to React, Svelte, or Web Components for use in a real project. The backend is Python with LiteLLM routing, so it works with OpenAI, Anthropic, Gemini, Groq, and Mistral API keys, or fully offline against local Ollama models, including vision models like LLaVA that can generate UI from screenshot input - feed a screenshot and the model reproduces or riffs on an existing interface. Generated markup is inspectable at any point, with light and dark mode toggles, theme selection, and responsive previews across device sizes. The practical effect is compressing the mockup-review-revise loop from hours to minutes: a described layout renders in seconds and iterates through follow-up prompts, and because output converts to real framework code, prototypes feed directly into production codebases instead of staying trapped in a design tool. Self-hosting keeps unreleased product interfaces and prompts on your own server, and LiteLLM routing lets you pick the model per task - a cheap fast model for rough drafts, a stronger one for final passes, or free local models for unlimited experimentation.
Bolt.diy
Prompt, run, edit, and deploy full-stack Node.js applications from a browser tab: Bolt.diy is the official open-source version of Bolt.new's AI coding agent. Its foundation is StackBlitz's WebContainer technology - a sandboxed in-browser Node.js environment where the AI controls the whole stack: filesystem, npm, dev servers, terminal, and browser console. That means the agent does not just generate code; it installs dependencies, runs Vite or Next.js, reads errors, and fixes them. The defining difference from Bolt.new is model choice per prompt: 19+ providers including OpenAI, Anthropic, Gemini, DeepSeek, Groq, Mistral, Amazon Bedrock, and local models via Ollama or LMStudio, extensible through the Vercel AI SDK. Development ergonomics include live preview, a diff view of AI changes, codebase search, file locking to prevent generation conflicts, 15+ starter templates (React, Vue, Next.js, Astro, Svelte, Expo), and MCP support for external tools. Projects integrate with Git and Supabase, and deploy in one click to Vercel, Netlify, or GitHub Pages.
Automatisch
Automatisch runs your Zapier workflows on your own hardware - an open-source, self-hosted automation platform built as a direct alternative. Flows are chains of steps: one trigger (a polling or webhook event such as a new GitHub issue, a Stripe payment, or a form submission) followed by action steps that pass data downstream (post to Slack, append a Google Sheets row, update Notion). The visual builder deliberately mirrors Zapier's trigger-action model, so migrating existing Zaps requires no retraining and no programming knowledge. Roughly 60 integrations cover common business services - Slack, GitHub, Google Sheets, Notion, Stripe, Discord - and connections store credentials per service, with multiple accounts per app supported. Every execution runs on your own server: execution history, logs, and payload data never touch a third-party processor, which matters for GDPR, healthcare, and finance workloads. Error handling with retry logic, a REST API for programmatic flow management, and Docker Compose deployment round out the platform. The AGPL-3.0 Community Edition has no feature limits or per-task billing; an Enterprise Edition adds SSO, roles, and audit logs.
Nango
The integrations your SaaS product offers its own users - that is what Nango, an open-source product-integrations platform, exists to build. It solves the repetitive infrastructure work behind every third-party API connection: OAuth flows, API key handling, token refresh, encrypted credential storage, rate-limit backoff, retries, and multi-tenant connection management. It ships pre-built auth configurations for 800+ APIs. Your users connect their accounts through an embeddable, white-label Connect UI, and your backend then reads or writes data through Nango's proxy, SDKs, or REST API without ever touching raw credentials. Integration logic is written as TypeScript functions covering actions, scheduled data syncs, and webhook processing - all running on one runtime with retries, checkpointing, and per-connection logs built in. Syncs pull records incrementally on a schedule, one-way or two-way, which suits RAG pipelines, search indexing, and keeping local copies of external data current. Selected actions can also be exposed as tool schemas or through a built-in MCP server, so AI agents operate on user-connected accounts without ever handling provider credentials. Auth support spans OAuth 2.0, OAuth 1.0a, API keys, basic auth, and JWT, and observability - logs, metrics, failure detection, and a reconnect flow for expired credentials - is scoped per customer connection for easier support debugging. Works with any backend language. Self-hosting on RepoCloud keeps all customer credentials and synced data on infrastructure you control, which matters for data residency and compliance requirements.
Umami
No cookies, no fingerprinting, no cross-site tracking, no personal data collection - Umami's privacy contract is the foundation of the open-source web analytics platform. IP addresses are hashed rather than stored, which makes it GDPR, CCPA, and PECR compliant by default - the consent banner can come off the site entirely. The tracking script is under 2 KB, roughly 20x smaller than Google Analytics, so measurement stops being a page-weight tax. The dashboard covers the core metrics - pageviews, visitors, bounce rate, visit duration, referrers, browsers, devices, and countries - with any date range and filtering by country or device. Beyond pageviews, custom events track clicks, form submissions, and signups via a data attribute or one JavaScript call, and advanced reports add funnels, user journeys, retention and cohort analysis, goals, and automatic UTM campaign tracking. Anonymous session views show individual visitor activity without identifying anyone. Teams share websites with role-based access, one instance manages unlimited sites, and a full REST API exposes every metric programmatically. MIT-licensed and self-hosted on PostgreSQL or MySQL via Docker, your analytics data never leaves your infrastructure.
Matomo
Several EU data protection authorities have ruled Google Analytics deployments unlawful; Matomo (formerly Piwik) is the most complete open-source replacement - a full analytics platform with 30+ report types across visitors, actions, referrers, goals, and ecommerce. The self-hosted PHP/MySQL edition is free and keeps every byte of visitor data on your infrastructure, which matters more each year: several EU data protection authorities have ruled Google Analytics deployments unlawful, while Matomo configured for cookieless tracking is approved by France's CNIL for use without a consent banner. All reporting runs on 100% unsampled data - no extrapolation at high traffic volumes. The GDPR Manager handles data subject requests and deletion, with IP anonymization, retention controls, and Do Not Track support built in. A dedicated importer pulls your historical Google Analytics data so years of trends survive the migration. Core analytics cover campaigns, custom variables and dimensions, entry/exit pages, downloads, site search, and full ecommerce tracking with a comprehensive HTTP API for reporting and ingestion. Premium plugins extend the platform into Hotjar-class behavioral tooling - click and scroll heatmaps, session recordings, conversion funnels, form analytics, A/B testing - plus a tag manager and SAML SSO. For teams that need GA-equivalent depth with actual data ownership, Matomo is the realistic drop-in replacement.
Plausible
Built as a direct rejection of the adtech model, Plausible is the best-known privacy-first web analytics tool - lightweight, cookie-free, and open-source. It sets no cookies and stores no personal data: unique visitors are counted via a hash of IP plus User-Agent that rotates every 24 hours and is never stored raw, so no consent banner is required and GDPR compliance is structural rather than contractual. The tracking script is under 1 KB - orders of magnitude lighter than GA - and the dashboard is a deliberate contrast to GA4's sprawl: one fast-loading page with visitors, sources, top pages, countries, devices, and UTM breakdowns, filterable by any dimension. Custom events and goals track signups and clicks, Google Search Console integration pulls in search queries, scheduled email reports keep stakeholders updated, and the Stats API (v2) plus CSV export feed data anywhere. This is the AGPL-licensed Community Edition, the same Elixir codebase that powers Plausible's cloud service, running as three containers: the web app, PostgreSQL for accounts, and ClickHouse for event storage - which means self-hosters get direct SQL access to raw analytics data the cloud version never exposes. Traffic data stays entirely on your server, with no visitor caps or per-pageview pricing.
Grav
No database anywhere in the stack: Grav, the leading flat-file CMS, builds every page from a folder of Markdown and YAML on PHP, Symfony components, Twig templating, and Doctrine caching. That architecture is the whole argument: content is Git-versionable, rsync-able, and lock-in-free; pages render in well under 100ms without database round-trips; and backup means copying a directory. Content authors write Markdown (or plain HTML), configure with readable YAML, and define custom page structures via blueprint files that generate editing forms automatically. The optional Admin panel adds a polished editing layer: dashboard with site activity, page management with a syntax-highlighted editor and live preview, drag-and-drop media uploads, one-click plugin/theme updates, and normal/expert modes for form-based or raw YAML editing. The ecosystem runs deep - hundreds of open-source plugins and themes installed through the GPM package manager, with an event-hook architecture that gives plugins full control over the request lifecycle, and downloadable skeletons providing entire pre-built sites. Grav 2.0 modernizes the stack (PHP 8.3+, Symfony 7, Twig 3) and adds a first-party REST API, an MCP server for AI agents, and a SvelteKit single-page admin with real-time collaborative editing. Ideal for docs, blogs, and marketing sites. MIT-licensed.
Change Detection
Price drops, restocks, job postings, government announcements, competitor edits - changedetection.io watches web pages and alerts you the moment anything changes, down to PDF text and checksums. Point it at a URL, set a check interval, and precise filters decide what counts as a change: a Visual Selector targets page elements by pointing and clicking, CSS selectors and XPath narrow scope, trigger-text and ignore-text rules (with regex support) cut noise, and JSONPath or jq handles API responses. A dedicated re-stock and price detection mode extracts product metadata and fires on thresholds - alert only when the price drops below your target or the percentage change exceeds a limit. JavaScript-heavy sites render through a real Chrome browser via Playwright, with the ability to execute JS steps first (log in, click, scroll) before extracting text. Notifications reach 85+ services through Apprise - Discord, Slack, Telegram, email, webhooks - optionally with a screenshot of the changed page, and AI-powered summaries (any OpenAI-compatible endpoint, including local Ollama) describe what changed. Per-watch proxies, custom headers, and POST/GET control cover hostile targets. Apache-2.0 licensed with local file-based storage: the URLs you monitor and why stay entirely your business.
Wordpress
Roughly 43% of all websites and over 60% of the CMS market run on WordPress - the GPL-licensed platform that scales from a personal blog to publishing operations and WooCommerce stores. The Gutenberg block editor composes pages from reusable blocks, and full site editing extends block control to headers, footers, and templates; tens of thousands of plugins and themes cover essentially every capability a site might need, from SEO and caching to membership and e-commerce. WordPress 7.0 "Armstrong" marks the platform's biggest structural update since Gutenberg itself: a React-based DataViews admin replaces the legacy list tables with instant filtering, a provider-agnostic AI Client API ships with connectors for OpenAI, Anthropic, and Google, media processing moves into the browser via WebAssembly, and a universal Font Library manages typography across block, hybrid, and classic themes with local hosting for GDPR compliance. New Breadcrumbs, Icons, and lightbox Gallery blocks reduce plugin dependence, and server-side PHP block registration simplifies development. The REST API and WP-CLI make it automatable end to end. Self-hosting is what WordPress was designed for: your content, database, plugin choices, and upgrade schedule stay entirely under your control, free of wordpress.com plan limits.
ClassicPress
WordPress without Gutenberg: ClassicPress, the community-led fork, keeps the TinyMCE classic editor as the default and strips the block editor and Full Site Editing out of core entirely. The result is roughly half WordPress's size - obsolete libraries like jQueryUI, Thickbox, and Flash support are gone, replaced by native HTML5 elements and modern alternatives like SortableJS - which translates to a measurably faster admin and a leaner attack surface. Forked from WordPress 6.2, it remains compatible with the vast plugin and theme ecosystem targeting that lineage (anything not requiring blocks generally works, helped by a blocks-compatibility mode), and the PHP-first WordPress API developers have used for over a decade works unchanged - no React required to extend your CMS. The fork adds its own improvements: built-in media categories and tags with bulk editing, revision management that lets you prune database bloat, native HTML5 dialogs for accessible touch-friendly menus, and recent releases bring APCu object-cache support, vanilla-JS core widgets, and performant translations. Governance is democratic and community-driven rather than corporate. For content sites, business sites, and blogs where the classic editing workflow is the feature, ClassicPress is stability as a philosophy.
Roundcube
Two decades of continuous development made Roundcube the standard-bearer of open-source webmail - a PHP IMAP client that gives any mail server a polished, application-like interface in the browser. It connects to whatever IMAP/SMTP stack you run - Dovecot, Postfix, a hosted mailbox - and delivers the full desktop-client experience: drag-and-drop message management, threaded conversation views, full MIME and HTML mail handling, find-as-you-type address book with groups and LDAP connectors, multiple sender identities, full-text search, and spell checking in dozens of languages. The default Elastic skin is genuinely responsive, working as well on a phone as a desktop, and the entire UI is skinnable. The plugin API is where deployments get shaped: managesieve exposes server-side filter management in the UI, enigma brings PGP encryption and signing via GnuPG, markasjunk trains spam filters, zipdownload batches attachments, password lets users change credentials, and attachment_reminder catches the classic forgotten-attachment email - among hundreds of community plugins. Built-in caching keeps large mailboxes fast, IMAP ACLs and shared folders support team setups, and XSS protection is engineered into the rendering pipeline. It scales from a single personal mailbox to unlimited users, backed by MySQL, MariaDB, PostgreSQL, or SQLite. GPL-licensed with regular security releases.
Ackee
Page views, referrers, browsers, and screen sizes - Ackee delivers the analytics developers actually check, from a deliberately minimal Node.js and MongoDB stack that skips both Matomo's weight and Google Analytics' cloud dependency. Its defining constraint is anonymization: no cookies, no unique user tracking, and a multi-step anonymization process that keeps visitors unidentifiable while the aggregate numbers stay useful. In its default anonymous mode Ackee collects no personally identifiable information at all, which means GDPR and CCPA compliance out of the box and no cookie consent banner on your sites. A detailed mode adds screen size, language, and per-visit referrers - still without cookies or fingerprinting. Integration mirrors the Google Analytics pattern: create a domain in settings, drop the generated ackee-tracker snippet into your pages, and data appears in a clean single-page dashboard. One instance tracks multiple domains, and custom events capture button clicks, signups, and conversions. The distinctive engineering choice is the fully documented GraphQL API: everything the dashboard shows comes from that API, so you can query active visitors, average duration, and view statistics programmatically, feed data in from apps and services beyond websites, or build an entirely custom interface on top. If you want bare-minimum analytics with a real API and zero privacy anxiety, this is the tool.
Thumbor
Born at Brazilian media giant Globo.com, Thumbor answers imaging CDNs like Imgix and Cloudinary with an HTTP service where every image variant is just a URL. Ask for /300x200/smart/your-image.jpg and Thumbor fetches the original, crops and resizes on demand, and caches the result - one source file, unlimited renditions, no batch pre-generation pipeline. The "smart" in the URL is the signature feature: OpenCV-based face detection finds people in the frame and crops around them (no more thumbnails with severed heads), and when no faces exist, feature detection finds visually important corners and computes a weighted center of mass as the focal point. Beyond cropping, a chainable filter pipeline handles brightness, contrast, grayscale, blur, red-eye removal, rounded corners, rotation, watermarks, and format conversion with quality control - applied in order via URL segments. All common image formats work out of the box, and every layer is pluggable: loaders (HTTP, local, S3), storages and result storages (local, S3, Ceph, and community backends), engines, optimizers, filters, and even custom detectors, with the awesome-thumbor list cataloging the ecosystem. URL signing prevents abuse of your processing capacity. Integrations exist for Django, Rails, Node, WordPress, and most frameworks. MIT-licensed, battle- tested for over a decade.
mCaptcha
The CAPTCHA bargain - annoy your users and feed their behavior to Google - gets replaced with economics by mCaptcha. Instead of image puzzles, it uses SHA256 proof-of-work: every visitor's browser silently solves a small computational challenge (via a WebAssembly library) before submitting a form. Humans never notice the milliseconds; bots hammering your site must burn more compute sending requests than your server spends answering them, which makes attacks more expensive than defense - the property that also makes mCaptcha genuine DoS protection, not just bot filtering. Written in Rust, the system is fully automated: difficulty scales with traffic, so challenges stay trivial in normal conditions and harden under attack. The privacy and accessibility wins are structural rather than promised: no tracking, no profiling, no user-pattern data collection, and no visual puzzles that exclude users with visual or cognitive impairments - the design was published in Communications of the ACM. Rate limiting is IP-independent, so users behind NATs, VPNs, or Tor get the same experience instead of endless challenge loops, and proofs resist replay attacks, neutering captcha farms. Migration is deliberately easy: the API is compatible with reCAPTCHA and hCaptcha, making it a drop-in replacement. AGPL-licensed core with proprietary-friendly client libraries.
Shaarli
Personal, minimalist, database-free bookmarking - Shaarli is a philosophy as much as an app. Everything lives in a single compressed datastore file inside data/: no MySQL, no PostgreSQL, backup by copying one directory. That write-once/read-many file is usually served straight from OS disk caches, which is why a decade-old Shaarli instance with tens of thousands of links still responds instantly. Designed deliberately single-user, it saves URL, title, unlimited-length description, and tags (with autocomplete, renaming, and merging), marks entries public or private, and automatically strips utm_source and fb tracking parameters from saved URLs. That description field is why the community uses Shaarli as far more than bookmarks: a microblog, read-it-later queue, code-snippet base, pastebin, and shared clipboard between machines. Sharing is one click via bookmarklet or Android apps; consumption is per-tag RSS/Atom feeds plus a daily digest feed; search is full-text with tag filtering. A REST API opens it to any client, a plugin and theme system extends the PHP core (Markdown rendering, thumbnails), and import/export uses browser-standard Netscape HTML - your data enters and leaves freely. LDAP login is supported, no telemetry is sent anywhere, and the UI degrades gracefully without JavaScript. The anti-cloud Delicious.
Isso
Named from the German "Ich schrei sonst" - roughly "or I'll scream" - Isso is a lightweight Python/JavaScript commenting server, a drop-in Disqus replacement for people who noticed what Disqus does to reader privacy and page load times. The design premise is printed right in the docs: comments are not Big Data. So the backend is a single SQLite file rather than a database cluster, and the entire client is one embeddable JavaScript file - 65 kB, 20 kB gzipped - that you drop into any static site, blog, or CMS. Commenters write in Markdown, need no account, and can edit or delete their own comments within a configurable window (15 minutes by default). Spam control comes from an optional moderation queue: held comments stay invisible until you activate them via an admin interface or email notification links. Migration is a first-class feature, with importers for Disqus and WordPress exports, so years of existing threads move over intact. Because everything is server-rendered from your own instance, no third party tracks your readers, and real-world switchers report smaller pages and faster loads than the Disqus embed. MIT-licensed, running since 2012.