Khoj
A self-hosted "second brain": Khoj indexes your own files and answers questions from them, parsing Markdown (whole Obsidian vaults included), org-mode, PDF, Word, plain text, Notion pages, GitHub repositories, and images described by a vision model, then embedding everything with sentence-transformers into a vector index for semantic search and RAG with cited sources. Any LLM backend works: local models like Llama, Qwen, or Mistral via Ollama, or cloud models like GPT, Claude, and Gemini. You can build custom agents, each with its own persona, scoped knowledge base, chat model, and tools such as web search and code execution. Scheduled automations run recurring research and deliver newsletters or notifications to your inbox, and research mode performs multi-hop web searches with inline citations. Access it from a browser, the Obsidian plugin, Emacs, desktop, or WhatsApp - all clients connect to the same self-hosted instance, making Khoj one of the few AI assistants Emacs users can point at decades of org files. Semantic search means recall works without exact keywords: "that paper about forecasting with transformers" surfaces the right PDF even when you cannot remember its title. Switching LLM backends never requires re-indexing your documents, and with a local model via Ollama, even inference stays on hardware you control - journals, research, and private notes are never sent anywhere. Python/FastAPI stack, AGPL-licensed, with PostgreSQL storage.
Dokploy
Your own Heroku or Vercel on a single server - Dokploy is the open-source, self-hosted Platform-as-a-Service that makes the swap. You point it at a Git repository or a Docker image, and it builds and deploys the application using Dockerfiles, Nixpacks, or Heroku/Paketo buildpacks. Traefik is integrated as the reverse proxy, handling routing, load balancing, automatic Let's Encrypt SSL certificates, and HTTP/3. It also provisions and manages databases (MySQL, PostgreSQL, MongoDB, MariaDB, Redis) with automated backups to external storage. Complex multi-service applications deploy through native Docker Compose support, and multi-node scaling uses Docker Swarm. The web UI covers environment variables, volumes, resource limits, real-time CPU/memory/network monitoring, and deployment logs, with a CLI and API for automation. Deployment notifications go to Slack, Discord, Telegram, or email. One-click templates install common open-source tools, and a single Dokploy control plane can manage deployments across multiple remote servers. Because everything is standard Docker under the hood, there is no lock-in: your Dockerfiles, Compose files, and data volumes work anywhere else Docker runs. You get the Heroku-style push-to-deploy workflow without operating a Kubernetes cluster, and the total cost is the server it runs on - no per-app, per-environment, or per-seat platform fees regardless of how many applications you deploy.
Vane
Perplexity's search experience without Perplexity: Vane deploys Perplexica, an open-source AI answer engine built as the self-hosted alternative. Instead of returning a page of links, it reads your question, searches the live web through the SearxNG metasearch engine, and composes a direct answer with cited sources. Retrieval quality comes from embeddings and similarity search: fetched pages are re-ranked against the query so the model answers from the most relevant passages rather than whatever ranked first. Two query modes cover different needs - Normal mode runs a straightforward web search, while Copilot mode generates multiple reformulated queries and actively pulls content from top matches for harder questions. Focus modes specialize retrieval for academic papers, YouTube, Reddit discussions, Wolfram Alpha calculations, or the general web. The answering model is your choice: OpenAI-compatible APIs or fully local LLMs such as Llama 3 and Mixtral through Ollama, which keeps queries entirely on your infrastructure. Because SearxNG pulls live results, answers reflect current information, and no search history is tracked.
CyberChef
GCHQ open-sourced its "Cyber Swiss Army Knife", and CyberChef became the web app security analysts, incident responders, and CTF players reach for when data needs decoding, decrypting, or dissecting. Its interface is four panes: paste or drag input (files up to 2GB), search a categorized library of hundreds of operations, drag them into a recipe with arguments, and read the output. Operations span Base64, hex, and XOR encoding; AES, DES, and Blowfish encryption; classical ciphers from Caesar to Railfence; hashes and checksums; compression; regex and string extraction of IPs, domains, and URLs; timestamp conversion; and parsers for IPv6, X.509 certificates, and more. Recipes chain arbitrarily - convert from a hexdump then decompress, decrypt AES pulling the IV from the cipher stream, or let the Magic operation auto-detect several layers of nested encoding. Auto Bake re-runs the recipe live as input or arguments change, Step executes one operation at a time for debugging, and flow control (forks, subsections, registers) applies different operations to different parts of the data. Recipes save to files or share as URLs encoding the full pipeline. Crucially, CyberChef is entirely client-side JavaScript - nothing uploads anywhere - and self-hosting guarantees an unmodified copy inside your own network, where malware artifacts belong.
Web-Check
Enter a URL and get a dashboard of everything publicly discoverable about its security posture, server architecture, and technology stack: Web-Check is an all-in-one OSINT tool for analyzing any website. One scan surfaces IP info and server location, the full SSL certificate chain with issuing authority and validity, DNS records (A, MX, NS, CNAME, TXT) with DNSSEC status, HTTP response headers interpreted for security directives like HSTS, CSP, and X-Frame-Options, cookies and their flags, WHOIS domain info, robots.txt crawl rules, a sitemap-derived page map, the redirect ledger, open ports, traceroute, detected technologies, third-party trackers, associated hostnames, site performance, and even carbon footprint. Each card explains what the data means and why it matters, which makes the tool double as a security education resource - junior engineers learn headers and attack surfaces by scanning real sites. Practical uses span pre-deployment security audits (catch missing headers and misconfigurations before they ship), privacy compliance checks (identify trackers and cookie behavior for GDPR work), competitive tech-stack research, and network debugging via DNS and redirect inspection. Built by Lissy93 in TypeScript, it deploys as a single Docker container, and self-hosting keeps your reconnaissance targets and audit activity off third-party services.
SearXNG
Up to 280 search services - Google, Bing, DuckDuckGo, Brave, Qwant, Startpage - aggregated without tracking or profiling: SearXNG is a privacy-respecting metasearch engine (AGPL-3.0, successor to Searx). Your instance queries the upstream engines on your behalf: your IP address, cookies, and search history never reach them, tracker parameters are stripped from result URLs, and an optional image proxy fetches thumbnails server-side so result pages leak nothing. It can even route outbound queries through Tor for full anonymity. Search is organized into categories - general, images, videos, news, maps, music, IT, science, files - with bang shortcuts for targeting specific engines, and every source can be enabled, disabled, or weighted per category in settings.yml. A plugin system adds calculators, hash tools, tracker removal, and unit conversions inline, and preferences (themes, safe search, languages, engine selection) persist in cookies rather than server-side accounts. The real argument for running your own instance rather than trusting a public one is control: you decide the logging policy (none), the engine mix, rate limiting, and who gets access - making it the default search backend for browsers, families, and teams that want Google-quality results without the profile.
Postiz
Buffer and Hypefury, taken on by an open-source, agentic social media scheduler: Postiz is a Next.js application with no feature gap between hosted and self-hosted versions. Connect 28+ platforms (X, LinkedIn, Instagram, TikTok, YouTube, Reddit, Facebook, Pinterest, Bluesky, Mastodon, Discord, Slack, and more), then draft, schedule, and analyze everything from a unified visual calendar. Platform-specific depth is real: Reddit flairs and subreddit search, YouTube playlists and categories, LinkedIn company pages and carousels, Pinterest boards, X reply controls. A built-in AI agent drafts hooks, captions, and threads tuned per platform, generates images from prompts, and can execute an instruction like "write a LinkedIn post about X, make a matching image, schedule it for Tuesday at 9am" end to end. The agentic angle extends outward: a CLI and MCP server let Claude, Codex, and other AI agents drive Postiz autonomously - discovering connected integrations, fetching platform constraints, uploading media, and batch- scheduling campaigns with structured JSON output. A public REST API plus n8n, Make.com, and Zapier integrations trigger posts from CI, a CMS, or any event source. Team features cover invites, comments, and collaborative scheduling. Self-hosting removes per-channel pricing and keeps OAuth tokens on your box.
Change Detection
Price drops, restocks, job postings, government announcements, competitor edits - changedetection.io watches web pages and alerts you the moment anything changes, down to PDF text and checksums. Point it at a URL, set a check interval, and precise filters decide what counts as a change: a Visual Selector targets page elements by pointing and clicking, CSS selectors and XPath narrow scope, trigger-text and ignore-text rules (with regex support) cut noise, and JSONPath or jq handles API responses. A dedicated re-stock and price detection mode extracts product metadata and fires on thresholds - alert only when the price drops below your target or the percentage change exceeds a limit. JavaScript-heavy sites render through a real Chrome browser via Playwright, with the ability to execute JS steps first (log in, click, scroll) before extracting text. Notifications reach 85+ services through Apprise - Discord, Slack, Telegram, email, webhooks - optionally with a screenshot of the changed page, and AI-powered summaries (any OpenAI-compatible endpoint, including local Ollama) describe what changed. Per-watch proxies, custom headers, and POST/GET control cover hostile targets. Apache-2.0 licensed with local file-based storage: the URLs you monitor and why stay entirely your business.
Hasura
A PostgreSQL database becomes a production-grade GraphQL API the moment Hasura GraphQL Engine points at it: track tables and relationships - existing schemas included - and full query, mutation, and subscription types appear with where, order_by, limit, offset, and on_conflict arguments, no resolvers or boilerplate written. Its Haskell core compiles GraphQL to efficient SQL, and any query becomes a real-time live query with a single keyword, powering dashboards and collaborative UIs over standard GraphQL subscriptions. Authorization is where Hasura earns its enterprise reputation: role-based access control with row- and column-level permission policies driven by session variables from JWTs, auth webhooks, or headers - each role effectively sees its own GraphQL schema containing only what it may touch, integrating cleanly with Auth0, Firebase, or homegrown auth. Event triggers fire webhooks on inserts, updates, and deletes for asynchronous business logic; Actions extend the schema with custom REST handlers; remote schema stitching merges external GraphQL services into one endpoint; and auto-generated REST endpoints serve clients that skip GraphQL. A browser console handles data modeling and API exploration, the CLI manages migrations and metadata as code, and deployment is a single stateless Docker container beside Postgres.
Wiki.js
Team and product documentation on a fast Vue frontend with PostgreSQL storage: Wiki.js is a Node.js wiki engine. Its distinguishing trait is per-page editor choice: authors pick Markdown with live preview, a WYSIWYG visual builder for non-technical writers, or raw HTML, page by page. Native Git synchronization commits every page change to GitHub, GitLab, Bitbucket, Azure DevOps, or any Git remote - bi-directionally, so edits made in the repository flow back into the wiki - giving documentation version-controlled backup for free. Authentication coverage is among the broadest of any self-hosted wiki: local accounts with self-registration, social login via Google, GitHub, Discord, and Slack, and enterprise SSO through LDAP/Active Directory, SAML, CAS, Auth0, Okta, Azure AD, Keycloak, and generic OAuth2/OIDC, with optional MFA. Built-in full-text search runs on PostgreSQL with zero setup, and external engines like Algolia or Solr can substitute. Page history with visual version comparison, granular group-based permissions per path, nested navigation menus, 50+ integration modules, and full localization round it out. AGPLv3-licensed with a 28k-star community.
GPT Researcher
A question goes in; a cited, long-form report comes out - GPT Researcher is an open-source autonomous research agent. A planner agent decomposes the query into sub-questions, execution agents crawl 20+ web sources in parallel with JavaScript-enabled scraping, and a publisher aggregates findings into a 2,000+ word report with inline citations, exportable to PDF, Word, and Markdown. The Deep Research mode extends this recursively: each result yields follow-up questions that are explored to configurable breadth and depth in a tree pattern, while accumulated learnings, citations, and visited URLs are shared across branches. It also researches local documents (PDF, CSV, Word) alongside the web. LLM and search providers are pluggable, including OpenAI, Anthropic, Google, DeepSeek, and Ollama for models, and Tavily, Google, Bing, DuckDuckGo, and SearXNG for retrieval. It ships as a Python package, a FastAPI server with web frontend, a Docker image, and an MCP server for use inside Claude or Cursor. MIT-licensed.
Infisical
API keys hardcoded in repos, database passwords pasted into CI variables, .env files emailed between developers - Infisical, the open-source platform for secrets, certificates, and privileged access management, is the answer to all three. Secrets live in versioned stores scoped by project, environment, and path, with fine-grained identity-aware access control and full audit logging on every read and change. Delivery covers every consumption pattern: CLI injection into local dev, SDKs for Go, Node.js, and Python, an HTTP API, agents, a Kubernetes Operator, and secret syncs that push to GitHub, GitLab, AWS Secrets Manager, and Vercel. Automatic rotation replaces credentials for PostgreSQL, MySQL, MSSQL, LDAP, AWS IAM, and Azure on a rolling schedule - new credentials issue while old ones stay temporarily valid, so nothing breaks mid-rotation. Dynamic secrets go further, generating ephemeral, time-bound database credentials on demand, and SSH access replaces static keys with short-lived CA-signed certificates that expire automatically. Secrets scanning catches hardcoded credentials in code and pipelines, certificate management automates X.509 issuance and renewal, and a built-in KMS handles encrypt/decrypt with central key control. Self-hosting keeps the keys to everything else on your own infrastructure.
Label Studio
Images, text, audio, video, HTML, PDFs, and time series, labeled in one tool with a standardized output format: Label Studio is the open-source data labeling platform for building training datasets. Computer vision tasks cover classification, object detection (boxes, polygons, ellipses, keypoints), and semantic segmentation; audio work spans transcription, speaker diarization, and emotion recognition; NLP handles named entity recognition and document classification with taxonomies up to 10,000 classes; and GenAI workflows support LLM fine-tuning data and RLHF response ranking. Labeling interfaces are fully configurable with an XML-like templating language, so the UI matches the task instead of the reverse. The ML backend SDK turns any model into a connected web server for pre-annotation (model predicts, humans verify), interactive labeling (real-time predictions as annotators draw regions or highlight text), and model evaluation - cutting annotation time dramatically on large datasets. Data imports from S3, GCS, or file uploads; the Data Manager filters and explores tasks; exports convert to the format your ML library expects via label-studio-converter. Multi-user accounts tie every annotation to its author, and webhooks, a Python SDK, and REST API embed labeling into any pipeline. Self-hosting keeps proprietary training data - often a company's most sensitive asset - entirely on your infrastructure.
Plausible
Built as a direct rejection of the adtech model, Plausible is the best-known privacy-first web analytics tool - lightweight, cookie-free, and open-source. It sets no cookies and stores no personal data: unique visitors are counted via a hash of IP plus User-Agent that rotates every 24 hours and is never stored raw, so no consent banner is required and GDPR compliance is structural rather than contractual. The tracking script is under 1 KB - orders of magnitude lighter than GA - and the dashboard is a deliberate contrast to GA4's sprawl: one fast-loading page with visitors, sources, top pages, countries, devices, and UTM breakdowns, filterable by any dimension. Custom events and goals track signups and clicks, Google Search Console integration pulls in search queries, scheduled email reports keep stakeholders updated, and the Stats API (v2) plus CSV export feed data anywhere. This is the AGPL-licensed Community Edition, the same Elixir codebase that powers Plausible's cloud service, running as three containers: the web app, PostgreSQL for accounts, and ClickHouse for event storage - which means self-hosters get direct SQL access to raw analytics data the cloud version never exposes. Traffic data stays entirely on your server, with no visitor caps or per-pageview pricing.
Actual Budget
Every unit of income gets a job in Actual Budget - a local-first personal finance app built on envelope (zero-sum) budgeting, where you can only budget cash you actually have, which keeps the plan honest by construction. The data model is a SQLite file that lives on your device and works fully offline; the self-hosted Node.js sync server adds background multi-device synchronization using CRDT-based distributed-systems machinery, browser and mobile access as an installable web app, and automated backups. Optional end-to-end encryption makes the synced data unreadable even to the server hosting it. Transactions enter three ways: manual entry, file import (CSV, QIF, OFX, QFX, CAMT.053), or automatic bank syncing through GoCardless for EU/UK banks and SimpleFIN for US/Canada. Built-in YNAB4 and nYNAB importers migrate complete budget histories, and reports, schedules for recurring transactions, and rule-based transaction cleanup handle the day-to-day. A fully featured local API lets developers script custom importers and automation against their own data. 100% free, open source, and 26k stars strong.
Kestra
Data, AI, and infrastructure workflows, orchestrated from declarative YAML: Kestra is an open-source, event-driven orchestration platform. Flows are declared in YAML - no DSL rewrites or Python decorators - and the definition stays the single source of truth even when edited through the UI, API, CI/CD, or Terraform, which makes pull-request review, versioning, and rollback natural. Tasks run in any language: Python, Node.js, Go, Rust, R, SQL, or Bash scripts executed in containers, and a plugin ecosystem of 1,000+ integrations covers ingestion, dbt, Airbyte, Spark, cloud storage, databases, and messaging systems. Scheduling supports cron triggers, event triggers, backfills, and conditional branching, with retries, timeouts, error handling, and typed inputs and outputs that surface artifacts in the UI. Namespaces, labels, and subflows organize workflows at scale, and the embedded code editor includes Git integration. Common uses span ETL/ELT pipelines, dbt runs, microservice coordination, infrastructure provisioning, and human-in-the-loop approvals. Java-based, Apache 2.0 licensed, deployed via Docker or Kubernetes.
Focalboard
From the Mattermost team comes Focalboard, an open-source, MIT-licensed project board tool - a self-hosted alternative to Trello, Asana, and Notion databases, written in Go with a React frontend. Every board renders the same card data four ways: Kanban with drag-and-drop columns, a spreadsheet-style table, an image-forward gallery, and a calendar. Cards carry unlimited custom properties - dates, dropdowns, checkboxes, people, URLs - and boards can be grouped, filtered, and sorted by any property combination, with unlimited saved filtered views for quick access. Built-in templates cover the common workflows (meeting agendas, content calendars, project tasks, roadmaps, sprint planning), or you can build fully custom boards from scratch. Collaboration is real: card comments with @mentions, per-board permissions for teams or individuals, file attachments stored on your own infrastructure, and archiving with backup snapshots. Migration tooling imports existing boards from Trello (JSON export), Asana, and Notion, so switching does not mean starting over. It ships in 20+ languages and runs as a lightweight multi-user personal server. Worth knowing before deploying: Mattermost has shifted primary development to the integrated Mattermost Boards plugin, so the standalone edition is community-maintained - stable and functional, but evolving slowly. For teams wanting a free, private Trello without per-user fees, it remains a solid pick.
Dashy
Every service you run, behind one polished start page: Dashy is the most customizable homelab dashboard, built as a Vue.js homepage. Configuration lives in a single YAML file, but you never have to hand-edit it: an integrated UI editor with real-time validation writes changes back to disk, so both config-as-code and point-and-click camps are served. Status indicators put a live health dot next to every app - HTTP checks or pings on custom intervals, with response time and status details on hover - giving you an at-a-glance uptime overview before anything breaks. Over 50 built-in widgets pull dynamic content from the services you already run: Pi-hole and AdGuard block stats, Proxmox lists, Nextcloud status, Netdata CPU/memory history, Prometheus data, plus weather, RSS, crypto prices, and generic iframe/API-response widgets for anything with an endpoint. Instant fuzzy search launches any app as you type, with customizable hotkeys and web-search fallthrough. Theming is deep: dozens of built-in themes, a UI color palette editor, and custom CSS over CSS variables. Alternate views include a fast-loading minimal startpage and a workspace view that embeds apps side-by-side without leaving the dashboard. Icons resolve from Font Awesome, homelab icon packs, emojis, or auto-fetched favicons. Built-in authentication, multi-page support, cloud backup/sync, and multi-language round out an MIT project with a massive community.