Zitadel
Securing a SaaS product, running B2B onboarding, or replacing Auth0 and Keycloak with a stack they own - teams needing more than basic auth reach for ZITADEL, an open-source identity and access management platform built in Go. Its multi-tenancy model is the differentiator: a strict Instance, Organization, Project hierarchy isolates data and scopes policy at each level, with identity brokering (pre-built templates for Google, GitHub, Microsoft, Apple, plus generic OIDC, OAuth, SAML, and LDAP), domain discovery that routes users to the right organization by email domain, and delegated management so customers administer their own users and roles. Authentication covers OpenID Connect (certified, including device authorization and token exchange), SAML 2.0 as both IdP and SP, SCIM, FIDO2 passkeys for phishing-resistant passwordless login, and MFA via OTP, email, SMS, and U2F; machine-to-machine flows support JWT profile, PATs, and client credentials. The architecture is event-sourced - every mutation is an immutable event, yielding a complete audit trail - with relational projections for queries and no external session store, so it scales horizontally. API-first with gRPC and REST, extensible via Actions webhooks, and the same codebase self-hosted (Docker Compose or Helm on PostgreSQL) as in the cloud.
KeeWeb
Your KeePass vaults, opened from any browser: KeeWeb reads, edits, and creates standard KDBX files, so it works with the same databases as KeePass and KeePassXC without conversion or lock-in. Self-hosting the web app gives you a password manager reachable from any modern browser, including mobile, with no client installation and no third-party cloud in the loop. All KDBX cryptography runs client-side; the server just serves the static app. Open multiple vault files simultaneously and search them all from one box, with advanced options covering specific fields, password history, and regular expressions. Vaults load from local files, your own server (WebDAV), or Dropbox, Google Drive, and OneDrive, with automatic sync - and files are cached for offline use, so a dropped connection never locks you out; changes resync once you're back online. Day-to-day niceties include a configurable password generator, protected fields that stay masked and are held in memory more defensively, entry history, tags with easy input, drag-and-drop attachments, and per-entry icons with favicon fetching. The optional KeeWeb Connect extension (Chrome, Firefox, Edge, Safari) autofills credentials using the keepassxc-protocol. MIT-licensed with matching desktop apps for macOS, Windows, and Linux.
BentoPDF
Merge, split, compress, convert, edit, annotate, redact, OCR, and sign PDFs - BentoPDF packs over 130 tools into a privacy-first toolkit that runs entirely in the browser through WebAssembly. Files are never uploaded - processing happens in browser memory on the user's machine and disappears when the tab closes, which makes the tool GDPR-clean by architecture and safe for financial, legal, and internal documents. The engine combines WASM builds of PyMuPDF, Ghostscript, and CoherentPDF; Tesseract handles OCR with searchable text-layer output; Office conversions cover Word, Excel, and PowerPoint; and digital signatures use X.509 certificates (PFX/PEM) with the private key staying on the client. Because there is no server-side processing, deployment is a static-file exercise: a single Docker container, or any static host. A dedicated self-hosted build strips the marketing pages while keeping every tool, and air-gapped deployments are first-class - an automated script bundles the WASM modules, OCR language data, and fonts for fully offline networks. No accounts, no limits, no watermarks; TypeScript and Vite under the hood.
Automatisch
Automatisch runs your Zapier workflows on your own hardware - an open-source, self-hosted automation platform built as a direct alternative. Flows are chains of steps: one trigger (a polling or webhook event such as a new GitHub issue, a Stripe payment, or a form submission) followed by action steps that pass data downstream (post to Slack, append a Google Sheets row, update Notion). The visual builder deliberately mirrors Zapier's trigger-action model, so migrating existing Zaps requires no retraining and no programming knowledge. Roughly 60 integrations cover common business services - Slack, GitHub, Google Sheets, Notion, Stripe, Discord - and connections store credentials per service, with multiple accounts per app supported. Every execution runs on your own server: execution history, logs, and payload data never touch a third-party processor, which matters for GDPR, healthcare, and finance workloads. Error handling with retry logic, a REST API for programmatic flow management, and Docker Compose deployment round out the platform. The AGPL-3.0 Community Edition has no feature limits or per-task billing; an Enterprise Edition adds SSO, roles, and audit logs.
Duplicati
Encrypted, incremental, compressed backups on storage you already have - Amazon S3, Backblaze B2, Google Drive, Azure, OneDrive, Dropbox, MEGA, Storj, WebDAV, SFTP, FTP, SMB, or a plain local disk - is what the MIT-licensed Duplicati has quietly done for years. Its security model is Trust No One: every block is encrypted with AES-256 (or a local GPG instance) before leaving the machine, and the passphrase never travels, so the storage provider holds only ciphertext. The block-based storage engine gives the best of both backup worlds: after one initial full backup, only changed data blocks upload - modify a tiny part of a huge file and only that part transfers - yet every backup version restores like a full backup in a single operation, with no incremental chains to replay. Deduplication and compression keep remote storage growth slow even across years of versions. A web interface manages everything: the built-in scheduler keeps backups current automatically, flexible filters select folders, file types, or custom patterns, retention policies prune old versions, and an integrated updater flags new releases. On compatible object-lock backends, immutable (WORM) storage protects backup data from ransomware that reaches the credentials. Runs on Windows, macOS, and Linux, free even for commercial use.
Whoogle
Google's search results without Google's surveillance: Whoogle is a self-hosted proxy that strips the tracking and keeps the results. Your query goes from browser to your Whoogle instance, which fetches results from Google with a randomly generated User Agent and strips everything hostile before returning them: no ads or sponsored content, no third-party JavaScript or cookies, no AMP links, no URL tracking tags like utm_source, no referrer header - and Google sees your server's IP, never yours. Unlike metasearch engines that blend sources, Whoogle proxies Google exclusively, so result quality is exactly what you'd get logged out and incognito, minus the noise. A lightweight Flask app configured entirely through environment variables, it supports DuckDuckGo-style bang shortcuts, autocomplete suggestions, safe search, per-country and per-language filtering, site blocklists, and automatic rewriting of social links to privacy front-ends like Nitter and Invidious. Privacy hardening goes further: built-in Tor routing makes Google see an exit node instead of your server, HTTP/SOCKS proxy support covers other setups, and POST-based queries keep search terms out of logs. Light, dark, and fully custom CSS themes plus browser search-engine registration make it a drop-in default on desktop and mobile. Stateless, tiny, and trivial to run.
Collabora Office
Real LibreOffice document engineering in the browser: Collabora Online is built by the company employing much of the former SUSE LibreOffice team - not a reimplementation. This deployment runs CODE (Collabora Online Development Edition), the collabora/code server that renders and edits documents entirely server-side while browsers get high-fidelity WYSIWYG output, so layout and formatting survive round-trips that break lesser converters. Four editors ship in one container: Writer for text documents (comments, track changes with comparison and restoration, form handling), Calc for spreadsheets (advanced formulas, macros, pivot tables, per-user sheet views, server-enforced cell protection), Impress for presentations, and Draw for Visio-class diagrams. Format compatibility spans DOCX, XLSX, PPTX, the ODF family, PDF, and dozens more - including Visio and Publisher import. Real-time collaborative editing supports multiple simultaneous editors with visible cursors and commenting. The architectural point: documents are processed on your server and never leave it, which is why Collabora is the engine behind Nextcloud Office and integrates with ownCloud, Seafile, and any WOPI-speaking host - or embeds in your own application via the SDK. An admin console monitors sessions and memory. For organizations that need Google Docs-style collaboration with actual data sovereignty, this is the reference open-source answer.
Leantime
"As simple as Trello but as feature-rich as Jira" is how the Leantime team frames its goals-focused project management system for non-project managers - built from the ground up with ADHD, autism, and dyslexia in mind, with behavioral science shaping customizable dashboards, time blocking, low-cognitive-load prioritization, and Kanban, list, table, Gantt, and calendar views so each person works the way their brain does. The PHP application (AGPL, Laravel Blade frontend) connects strategy to execution: tasks with unlimited subtasks and dependencies roll up into milestones on a timeline, sprints and retrospectives handle iteration, and strategy-level blueprint boards - Lean Canvas, SWOT, risk analysis, goal and metric tracking - keep the "why" attached to the work. Knowledge lives alongside: wikis and docs, idea boards, comments on everything, file storage on S3 or local disk, even screen and webcam recording. Time tracking with timesheets supports estimation and client billing. Admin features are serious for an OSS tool: per-project permissions, two-factor auth, LDAP and OIDC single sign-on, Slack, Mattermost, and Discord integrations, a plugin system, and an expanding API that now powers a mobile app. Recent releases added multi-collaborator task assignment and low-vision accessibility improvements. Available in 20+ languages.
Countly
Mixpanel, OneSignal, and Crashlytics in one self-hosted stack - Countly is an all-in-one product analytics and engagement platform where every byte of first-party data stays on your server. A Node.js application over MongoDB, it collects through ten battle-tested SDKs spanning iOS, Android, web JavaScript, React Native, Flutter, Unity, and desktop (plus a data write API for anything else), and has powered tens of thousands of mobile, web, and desktop apps since 2012. The analytics core covers sessions, custom events, views, user profiles, and real-time dashboards, with exploration tools built for product managers as much as analysts. What separates Countly from pure analytics tools is acting on the data without third parties: built-in push notifications send automated, transactional, and personalized messages to iOS (APNs), Android (Firebase), and Huawei devices, with the SDK handling token retrieval and permission flows automatically; crash reporting captures symbolicated native crashes on iOS and Android plus JavaScript errors, correlated with the same user and session data. Email reports keep stakeholders updated, and the plugin-based architecture means features load as modules. For GDPR-sensitive products, engagement without piping user data to advertising companies is the entire point. AGPL-licensed server, installable in minutes.
Homer
"Dead simple static HOMepage for your servER" - Homer's name is the spec. It is a fully static HTML/JS dashboard driven by one YAML file (assets/config.yml): list your services in groups with names, icons, tags, and URLs, and Homer renders a clean, fast landing page for everything you self-host. Because there is no backend, no database, and nothing to maintain, the container is tiny and effectively zero-maintenance - the entire operational surface is a text file you can version-control alongside your infrastructure. Despite the minimalism, the feature set is genuinely useful: smart cards add live data to service tiles via a type key - Pi-hole block statistics, AdGuard Home status, Jellyfin activity, Gatus and Home Assistant states, and dozens more integrations, with configurable periodic refresh. Fuzzy search jumps to any service as you type, keyboard shortcuts drive navigation, and multi-page support with item grouping keeps large homelabs organized. Theming covers built-in light and dark modes plus full custom CSS, tags get color-coded styles, and the whole dashboard installs as a PWA on phones and tablets. Icons come from Font Awesome or your own images. If Dashy is the maximalist dashboard and Homarr the drag-and-drop one, Homer is the minimalist: one YAML file, instant loads, and nothing that can break at 2 a.m.
Jellyseerr
Browse trending titles, search anything, request it in two clicks: Jellyseerr gives Jellyfin, Emby, and Plex users a beautiful storefront for the media library. Born as the Overseerr fork that added Jellyfin and Emby support (the projects have since unified as Seerr), it handles the full request lifecycle - users authenticate with their existing media-server accounts, pick individual seasons or movies in a clean interface, and admins approve or decline from a simple queue, including on mobile. Approved requests flow straight to Sonarr and Radarr, which handle acquisition automatically, with support for separate 4K server instances. Regular library scans keep availability accurate, so users see instantly what already exists instead of requesting duplicates. A granular permission system controls who can request what - auto-approval for trusted users, quotas and limits elsewhere - and override rules adjust request routing by user, tag, or other conditions. Watchlist and blocklist functions curate discovery, notifications reach email, Discord, Telegram, Slack, Pushover, and Pushbullet, and both PostgreSQL and SQLite are supported. Localized into many languages, it turns "can you add this movie?" texts into a self-service system that runs itself.
Miniflux
One statically-compiled Go binary over PostgreSQL, no ORM, no framework, static assets embedded in the executable: Miniflux is the minimalist, opinionated feed reader. The opinions are the feature: page layout, fonts, and colors are tuned for reading, and everything else is treated as noise. It consumes Atom, RSS, and JSON Feed formats with OPML import/export, organizes articles with categories and bookmarks, fetches original full-text content for summary-only feeds, and provides Postgres-powered full-text search. Privacy work happens automatically: pixel trackers are stripped, tracking parameters removed from URLs, a media proxy blocks third-party tracking, referrers are never forwarded, and there is zero telemetry. Navigation is keyboard-first - j/k through items, o to open, f to star - with touch gestures on mobile. Podcast, video, and music enclosures are supported, and YouTube videos play inline. Over 25 integrations save articles onward to Wallabag, Readwise Reader, Pinboard, Linkding, Instapaper, Notion, Telegram, Matrix, Ntfy, and more, plus webhooks and a REST API with Go and Python clients; the Google Reader API endpoint supports existing mobile reader apps. Authentication spans local passwords, passkeys (WebAuthn), Google OAuth2, OpenID Connect, and reverse-proxy headers. It is Apache 2.0 licensed, translated into 20 languages, and updates feeds on an internal scheduler.
EspoCRM
Teams tired of paying Salesforce or HubSpot per seat run EspoCRM: an AGPL-licensed PHP application with a fast single-page frontend over a REST API, covering sales, support, and marketing in one uncluttered interface. The sales core is complete - leads, contacts, accounts, opportunities with customizable pipeline stages, kanban views, calendars, meetings, and calls. Email is deeply integrated rather than bolted on: IMAP sync links messages to CRM records automatically, and mass email campaigns run with reusable templates, tracking, and Web-to-Lead forms feeding the funnel. Support teams get case management and a customer portal where clients track their own tickets and access a knowledge base. The real differentiator is the Entity Manager: create custom entities, fields, relationships, and layouts from the admin UI without code, with dynamic logic showing or hiding fields conditionally - EspoCRM is as much a business-application platform as a CRM. Formula scripting handles calculated fields and record automation in the free core; the optional Advanced Pack adds visual BPM process design and workflow rules. Role-based permissions with team and territory scoping, full-text search, reports, and a straightforward REST API for n8n or custom integrations round it out. Runs on PHP 8.3+ with MySQL, MariaDB, or PostgreSQL - unlimited users, zero per-seat fees.
Unleash
Deployment decoupled from release: Unleash, the most popular open-source feature management platform on GitHub, is a Node.js server backed by PostgreSQL. Ship code dark, then control who sees it through activation strategies: gradual percentage rollouts, targeting by user ID, IP, hostname, or application name, custom constraints against your own context fields, and scheduled or time-limited releases. Strategies stack - a flag activates if any strategy matches - and strategy variants layer A/B versions on top of the on/off decision. Each flag carries per-environment configurations, so a feature can run at 100% in staging while canarying at 5% in production. Backend SDKs (Node.js, Java, Go, Python, Ruby, .NET, PHP, Rust, and more) fetch configuration and evaluate flags locally, so a flag check adds zero network latency to request paths; frontend SDKs for React, Vue, Svelte, iOS, Android, and Flutter evaluate through a proxy layer. Flag hygiene is built in: flags are typed (release, experiment, operational, kill-switch, permission) with expected lifetimes, and Unleash marks overdue flags as potentially stale and surfaces unknown flags your SDKs request but that don't exist. Self-hosting via Docker keeps flag data, targeting rules, and evaluation infrastructure entirely on your side.
Thumbor
Born at Brazilian media giant Globo.com, Thumbor answers imaging CDNs like Imgix and Cloudinary with an HTTP service where every image variant is just a URL. Ask for /300x200/smart/your-image.jpg and Thumbor fetches the original, crops and resizes on demand, and caches the result - one source file, unlimited renditions, no batch pre-generation pipeline. The "smart" in the URL is the signature feature: OpenCV-based face detection finds people in the frame and crops around them (no more thumbnails with severed heads), and when no faces exist, feature detection finds visually important corners and computes a weighted center of mass as the focal point. Beyond cropping, a chainable filter pipeline handles brightness, contrast, grayscale, blur, red-eye removal, rounded corners, rotation, watermarks, and format conversion with quality control - applied in order via URL segments. All common image formats work out of the box, and every layer is pluggable: loaders (HTTP, local, S3), storages and result storages (local, S3, Ceph, and community backends), engines, optimizers, filters, and even custom detectors, with the awesome-thumbor list cataloging the ecosystem. URL signing prevents abuse of your processing capacity. Integrations exist for Django, Rails, Node, WordPress, and most frameworks. MIT-licensed, battle- tested for over a decade.
pgweb
Inspect a PostgreSQL database right now, without installing pgAdmin or exposing Postgres to the internet - pgweb answers that recurring need. It's a Go application from Dan Sosedoff, a decade in development, shipped as a single statically-linked binary with zero dependencies - the Docker image is essentially just the executable - that puts a clean browser UI in front of any PostgreSQL 9.1+ server. Connect via URL string or host/port credentials, and browse tables, views, and sequences from the sidebar; selecting a table shows its rows immediately alongside tabs for structure, indexes, and constraints. The Query tab executes arbitrary SQL with query history, and the Explain Query button renders the query plan - estimated cost, row counts, execution strategy - which makes pgweb a quick performance-triage tool, not just a browser. Results and entire tables export to CSV, JSON, or XML in a click. Connectivity is more flexible than its size suggests: native SSH tunneling (password or key) reaches databases behind firewalls, server bookmarks make switching instances instant, and an optional multi-session mode handles several databases concurrently. For a RepoCloud stack full of Postgres-backed apps, one pgweb instance is the universal inspection hatch. MIT-licensed, actively maintained.
Emby
Point Emby at your movie, music, and photo libraries and it becomes a private streaming service: metadata and artwork arrive from TMDB and TVDB, everything lands in a polished browsable interface, and media transcodes on the fly whenever a client can't play the original format. The client reach is the selling point: native apps span Android TV, Apple TV, Google TV, Fire TV, Roku, LG and Samsung smart TVs, iOS, Android, Apple CarPlay, Android Auto, plus web browsers and desktop apps for Windows, macOS, and Linux, and DLNA devices are auto-detected for casting and remote control. Multi-user support gives each household member their own account, watch history, favorites, and recommendations, with genuinely capable parental controls: content restrictions, access schedules, time limits, and live monitoring with remote control of kids' sessions. Live TV works with hardware tuners like HDHomeRun or M3U playlists, with free guide data in the US, Canada, and UK. The server and core features are free; an optional Premiere key adds hardware-accelerated transcoding, DVR recording, offline sync, and Cinema Mode intros.
Gotify
Real-time alerts from your own infrastructure to your phone, with no Firebase, Pushover, or third-party push service in the path: Gotify is a simple, self-hosted notification server written in Go. The model is deliberately minimal: senders push messages with a single HTTP POST to the REST API, receivers subscribe over a WebSocket stream, and a clean React web UI manages the pieces. Senders are namespaced as "applications," each with its own token, so your backup script, Uptime Kuma, CI pipeline, and cron jobs each get an identity, an icon, and independently revocable credentials - centralized alerting from many services with per-source management. Messages carry a title, body, and priority level that maps to notification importance on the client. The official Android app (on both F-Droid and Google Play, notable for working entirely without Google Play Services) shows push notifications for new messages; the web UI itself supports Web Push in the browser; and gotify/cli pushes messages from shell scripts with one command. A server-side plugin system adds custom behavior, and the whole thing runs as a single small binary with SQLite by default - near-zero resource footprint. Because dozens of tools (and Apprise) speak Gotify natively, it slots in as the notification hub for an entire homelab or ops stack.