Duplicati
Encrypted, incremental, compressed backups on storage you already have - Amazon S3, Backblaze B2, Google Drive, Azure, OneDrive, Dropbox, MEGA, Storj, WebDAV, SFTP, FTP, SMB, or a plain local disk - is what the MIT-licensed Duplicati has quietly done for years. Its security model is Trust No One: every block is encrypted with AES-256 (or a local GPG instance) before leaving the machine, and the passphrase never travels, so the storage provider holds only ciphertext. The block-based storage engine gives the best of both backup worlds: after one initial full backup, only changed data blocks upload - modify a tiny part of a huge file and only that part transfers - yet every backup version restores like a full backup in a single operation, with no incremental chains to replay. Deduplication and compression keep remote storage growth slow even across years of versions. A web interface manages everything: the built-in scheduler keeps backups current automatically, flexible filters select folders, file types, or custom patterns, retention policies prune old versions, and an integrated updater flags new releases. On compatible object-lock backends, immutable (WORM) storage protects backup data from ransomware that reaches the credentials. Runs on Windows, macOS, and Linux, free even for commercial use.
Countly
Mixpanel, OneSignal, and Crashlytics in one self-hosted stack - Countly is an all-in-one product analytics and engagement platform where every byte of first-party data stays on your server. A Node.js application over MongoDB, it collects through ten battle-tested SDKs spanning iOS, Android, web JavaScript, React Native, Flutter, Unity, and desktop (plus a data write API for anything else), and has powered tens of thousands of mobile, web, and desktop apps since 2012. The analytics core covers sessions, custom events, views, user profiles, and real-time dashboards, with exploration tools built for product managers as much as analysts. What separates Countly from pure analytics tools is acting on the data without third parties: built-in push notifications send automated, transactional, and personalized messages to iOS (APNs), Android (Firebase), and Huawei devices, with the SDK handling token retrieval and permission flows automatically; crash reporting captures symbolicated native crashes on iOS and Android plus JavaScript errors, correlated with the same user and session data. Email reports keep stakeholders updated, and the plugin-based architecture means features load as modules. For GDPR-sensitive products, engagement without piping user data to advertising companies is the entire point. AGPL-licensed server, installable in minutes.
Papercups
Companies with privacy and security concerns about piping customer conversations through Intercom or Zendesk run Papercups - open-source live customer chat. The stack is a deliberate strength: an Elixir/Phoenix API over PostgreSQL, with real-time messaging powered by Phoenix Channels and Presence - the same BEAM foundation trusted by Discord and PagerDuty for fault-tolerant, low-latency messaging. Customers see a customizable chat widget that embeds in any site as an HTML snippet, a React component, or even inside React Native apps, with configurable colors, greetings, and away messages. Your team sees a dashboard for managing conversations - close, assign, and prioritize - with Markdown and emoji in replies. The killer workflow is the reply-channel integration: connect Slack or Mattermost and every customer conversation becomes a synced thread your team answers without leaving the tool they already live in, with two-way message syncing handled by webhooks. Email and SMS channels extend intake beyond the widget, an analytics dashboard tracks communication patterns, and the Storytime feature adds real-time screen sharing to watch users navigate while you help them. A documented API supports fully custom chat UIs in Svelte, Flutter, or Vue. MIT-licensed and GDPR-conscious - customer data stays in your PostgreSQL.
Upvote RSS
The antidote to doomscrolling: Upvote RSS turns Reddit, Hacker News, Lemmy, Lobsters, PieFed, Mbin, and trending GitHub repositories into calm, filtered RSS feeds. The MIT-licensed PHP app's killer feature is intelligent filtering: beyond simple score thresholds, the "posts per day" filter analyzes a community's recent history and computes the score cutoff that yields your target volume - say, exactly three r/technology posts daily - while a percentage-based threshold mode stays consistent as communities grow. Feeds are rich, not bare links: parsed full-article content via Readability (with optional Readability.js, Mercury, or Browserless for JavaScript-heavy pages), embedded videos and image galleries, top-voted comments with pinned-moderator filtering, scores, reading-time estimates, and optional AI summaries through Ollama, OpenAI, Gemini, Anthropic, Mistral, DeepSeek, or any OpenAI-compatible endpoint - with automatic provider fallback. A web UI builds the feed URL interactively with live preview; paste the result into any RSS reader. Reddit support includes custom domains like old.reddit.com plus NSFW filtering and blurring. Caching via filesystem, Redis, or APCu keeps repeated fetches cheap and avoids re-running paid summarizations.
phpMyAdmin
Since 1998, phpMyAdmin has been the standard web interface for MySQL and MariaDB - the tool millions of developers, DBAs, and hosting companies reach for when a database needs inspecting, fixing, or migrating. Written in PHP, it covers effectively the entire administration surface: create, browse, alter, and drop databases, tables, views, columns, and indexes; insert and edit rows through a tabular editor; manage user accounts and granular privileges; and maintain stored procedures, triggers, and events - all without touching a command line. The SQL editor executes arbitrary queries with syntax highlighting, autocompletion, history, and bookmarkable statements, including batch queries. Import/export is a migration workhorse: read SQL, CSV, XML, and OpenDocument spreadsheets in; write out to SQL dumps, CSV, JSON, XML, PDF, Word, LaTeX, and more - the fastest path for moving a WordPress database or handing a schema to a colleague. The Designer view renders your schema as an interactive ER diagram with drag-and-drop relationship editing, and data transformations display BLOBs as images or download links inline. Server maintenance views surface configuration suggestions. Multi-server support, dark mode, and translations into 72 languages round out a tool that earns its ubiquity. GPL-licensed.
Kanboard
"Less is more" is Kanboard's stated philosophy, and the free, MIT-licensed PHP application lives it: drag tasks between customizable columns, enforce work-in-progress limits per column, and slice boards horizontally with swimlanes for releases, teams, or priorities. Tasks carry what matters - colors, categories, subtasks with time estimates, Markdown descriptions, comments, attachments, internal links, and due dates - and move or duplicate across projects in one click. A concise query language filters any board dynamically (assignee, category, due date, description), and saved filters become custom views. The automatic-actions engine kills repetitive triage: on events like column moves or task creation, Kanboard reassigns, recolors, recategorizes, or closes tasks by rule. Around the board sit a calendar, per-project analytics (cumulative flow, lead and cycle time), Gantt view, and time tracking. Authentication spans LDAP/Active Directory, Google, GitHub, GitLab, and reverse-proxy headers; a JSON-RPC API, webhooks for creating tasks from external systems, and a CLI cover integration. A large community plugin catalog adds what core deliberately omits. With no external dependencies, it runs happily on anything from a Raspberry Pi up - translated into 30+ languages.
Apprise-API
One REST call, 130+ notification services: Apprise API wraps the well-known Apprise library in a lightweight Django/Gunicorn microservice, so "send an alert" works the same whether it goes to Slack, Discord, Telegram, Teams, email, SMS, Pushover, or PagerDuty - each addressed by a simple URL scheme. It solves the credential-sprawl problem cleanly: instead of embedding provider tokens in every app, cron job, and CI pipeline, you centralize them here and everything else just POSTs a body and title. Two modes cover every workflow. Stateless calls to /notify carry target URLs in the payload (or fall back to a default set via APPRISE_STATELESS_URLS); stateful mode stores named configurations server-side under keys, so /notify/{KEY} fans out to everything registered - with tag-based routing (comma for OR, space for AND) selecting which endpoints fire per message. Messages take info, success, warning, or failure types in text, Markdown, or HTML, with attachments up to a configurable size. A built-in web UI manages and tests configurations, APPRISE_CONFIG_LOCK makes the store read-only, service allow/deny lists restrict which schemes work, webhook remapping adapts third-party payloads, and a Prometheus /metrics endpoint watches the gateway itself.
Bazarr
Subtitles are the one chore Sonarr and Radarr leave behind - Bazarr finishes the *arr media stack by automating them. It connects to both via their APIs and mirrors their libraries - it doesn't scan disk itself, it manages exactly what your *arr apps index. For every monitored episode and movie it checks existing internal and external subtitles against your language profiles, then hunts missing ones across dozens of providers - OpenSubtitles.com, Podnapisi, Addic7ed, Subscene, and many regional sources - covering 184 subtitle languages including forced/foreign-dialogue tracks. Matching is smarter than filename guessing: releases are compared by release group and source, some providers support exact file-hash matching, and every downloaded subtitle gets a percentage score. Set a minimum score per Sonarr/Radarr connection and Bazarr rejects weak matches; enable upgrades and it replaces previously downloaded subtitles when better ones surface. Out-of-sync files get fixed too - automatic subtitle synchronization realigns timing after download, triggered only below a configurable score threshold so good subs aren't touched. Per-show and per-movie language configuration, download history, manual on-demand search, and adaptive searching that throttles provider API calls round it out, all behind a clean Sonarr-style web UI written in Python. If your library serves multilingual viewers, this removes the last manual step.
The Lounge
"Forget about bouncers" became a real sentence because of The Lounge: a Node.js web IRC client that holds persistent connections to your networks 24/7, logging everything while you sleep, so closing the browser tab never means missing a message or losing your place in a channel. Open it again from any device - desktop, phone, tablet - and you resume exactly where you left off, with full history synchronized. Because it combines bouncer and client in one process, the experience feels like a modern chat app rather than 1990s infrastructure: push notifications for highlights and private messages (with self-generated VAPID keys, so even Web Push needs no third-party service), automatic link previews, inline file and image uploads, and full IRCv3 protocol support. It installs as a progressive web app from any modern browser, so phones get a native-feel client without an app store. Multi-user support means one instance serves your whole team or community, each user with their own networks and history, and LDAP integration ties into existing authentication. A public mode alternatively serves as an open, registration-free web chat for events or support channels. MIT-licensed, born as a fork of Shout, and a fixture of self-hosting stacks since.
Lenpaste
Share code snippets, logs, configs, and notes without registration, tracking, or ads: Lenpaste is a minimal, self-hosted, anonymous alternative to pastebin.com. It is deliberately spartan in the right ways: no accounts, no JavaScript required (the entire site works in text browsers and hardened setups), and cookies used solely to store display preferences. Pastes support syntax highlighting across a long list of languages (from ApacheConf and Arduino to mainstream stacks), configurable expiration from minutes to unlimited, one-use "burn after reading" pastes that self-delete on first view, optional author attribution, and iframe embedding for dropping pastes into other pages. The form-encoded HTTP API covers everything the UI does - create pastes with title, syntax, expiration, and line-ending normalization, fetch them by ID, and query server capabilities - making it trivial to pipe command output to your paste server from shell scripts. Server operators control maximum title and body lengths, maximum paste lifetime, rate limits for viewing and creation, search-engine indexing policy, and can lock private instances behind HTTP Basic authentication. It deploys as a single lightweight Docker container, giving your team a snippet-sharing endpoint where the content never touches a third-party service.
Motor Admin
Stop building internal tools and ship your actual product - Motor Admin exists for exactly that. Point this Ruby/Vue application at a PostgreSQL, MySQL, MariaDB, or SQL Server database and it generates a complete CRUD admin panel from your schema in under a minute - search, filters, create, update, delete, all through a polished UI, with every customization done through in-app settings rather than a DSL or boilerplate code. What elevates it beyond CRUD generators is the business-intelligence half: write SQL queries (with variables) and render results as tables, numbers, line/bar/ pie charts, funnels, or markdown; organize reports into shared dashboards; and attach queries and dashboards directly to resource pages as tabs, so an order record shows its revenue history in place. Operations beyond CRUD are covered by custom actions and a WYSIWYG forms builder that posts to your existing REST or GraphQL APIs - send a refund, trigger an email, whatever your backend exposes. Email alerts deliver scheduled reports, Slack sends personalized report alerts, and intelligence search spans all resources. Governance is included: role-based permissions with row- and column-level control (CanCanCan), an audit log of admin activity, multiple database connections, and configuration sync between staging and production. Mobile-optimized, AGPL-licensed, also available as a Rails engine.
Thumbor
Born at Brazilian media giant Globo.com, Thumbor answers imaging CDNs like Imgix and Cloudinary with an HTTP service where every image variant is just a URL. Ask for /300x200/smart/your-image.jpg and Thumbor fetches the original, crops and resizes on demand, and caches the result - one source file, unlimited renditions, no batch pre-generation pipeline. The "smart" in the URL is the signature feature: OpenCV-based face detection finds people in the frame and crops around them (no more thumbnails with severed heads), and when no faces exist, feature detection finds visually important corners and computes a weighted center of mass as the focal point. Beyond cropping, a chainable filter pipeline handles brightness, contrast, grayscale, blur, red-eye removal, rounded corners, rotation, watermarks, and format conversion with quality control - applied in order via URL segments. All common image formats work out of the box, and every layer is pluggable: loaders (HTTP, local, S3), storages and result storages (local, S3, Ceph, and community backends), engines, optimizers, filters, and even custom detectors, with the awesome-thumbor list cataloging the ecosystem. URL signing prevents abuse of your processing capacity. Integrations exist for Django, Rails, Node, WordPress, and most frameworks. MIT-licensed, battle- tested for over a decade.
CodeX Docs
Writing docs should feel like editing a modern document, not wrangling Markdown files - CodeX Docs delivers that on Editor.js, the block-styled editor its CodeX team builds and thousands of products use. Content is composed from clean blocks (headings, lists, code, images, embeds) with a UI that reads well on both desktop and mobile, and pages render statically with human-readable, SEO-friendly URLs. Structure is free-form: pages nest to any depth, so a flat FAQ and a deep product manual coexist in one instance, and the UI tunes to fit - collapse sections, hide the sidebar. The operational footprint is deliberately tiny. No database is required: the default driver persists to a local folder, with MongoDB available when you want it, and the whole app configures through one YAML file (overridable with APP_CONFIG_ environment variables) covering title, start page, auth password, and JWT secret. Editing mode sits behind password authentication. Thoughtful extras are wired in: readers can report misprints straight to your Telegram or Slack, Hawk error tracking catches frontend and backend exceptions, and Yandex Metrica analytics is a one-line config. A ready-made Helm chart covers Kubernetes. Written in TypeScript.
Verdaccio
Private npm packages without shipping code to the public registry or paying for npm Enterprise: Verdaccio is the standard lightweight, zero-config private registry and caching proxy. It runs as a single Node.js process with its own tiny embedded database; no external database is required to start. Point npm, yarn, or pnpm at it and everything behaves as expected: install, publish, unpublish, dist-tags, and deprecation all work against the standard npm endpoints. The uplink system is where it earns its keep: packages not found locally are fetched from configured upstreams (npmjs.org, yarn, JFrog, Nexus, or another Verdaccio), cached as tarballs, and served locally thereafter - cutting CI latency and surviving registry outages. Multiple uplinks chain for failover, and per-package glob patterns in config.yaml route scopes to specific upstreams while controlling access, publish, and unpublish rights per group. You can even override a public package by publishing a patched version under the same name locally. A plugin architecture swaps in auth backends (htpasswd default, LDAP and others available), storage drivers (S3, Google Cloud Storage), middleware routes, and metadata filters. With official Docker images and a Kubernetes Helm chart, it slots into any pipeline in minutes.
mCaptcha
The CAPTCHA bargain - annoy your users and feed their behavior to Google - gets replaced with economics by mCaptcha. Instead of image puzzles, it uses SHA256 proof-of-work: every visitor's browser silently solves a small computational challenge (via a WebAssembly library) before submitting a form. Humans never notice the milliseconds; bots hammering your site must burn more compute sending requests than your server spends answering them, which makes attacks more expensive than defense - the property that also makes mCaptcha genuine DoS protection, not just bot filtering. Written in Rust, the system is fully automated: difficulty scales with traffic, so challenges stay trivial in normal conditions and harden under attack. The privacy and accessibility wins are structural rather than promised: no tracking, no profiling, no user-pattern data collection, and no visual puzzles that exclude users with visual or cognitive impairments - the design was published in Communications of the ACM. Rate limiting is IP-independent, so users behind NATs, VPNs, or Tor get the same experience instead of endless challenge loops, and proofs resist replay attacks, neutering captcha farms. Migration is deliberately easy: the API is compatible with reCAPTCHA and hCaptcha, making it a drop-in replacement. AGPL-licensed core with proprietary-friendly client libraries.
Ackee
Page views, referrers, browsers, and screen sizes - Ackee delivers the analytics developers actually check, from a deliberately minimal Node.js and MongoDB stack that skips both Matomo's weight and Google Analytics' cloud dependency. Its defining constraint is anonymization: no cookies, no unique user tracking, and a multi-step anonymization process that keeps visitors unidentifiable while the aggregate numbers stay useful. In its default anonymous mode Ackee collects no personally identifiable information at all, which means GDPR and CCPA compliance out of the box and no cookie consent banner on your sites. A detailed mode adds screen size, language, and per-visit referrers - still without cookies or fingerprinting. Integration mirrors the Google Analytics pattern: create a domain in settings, drop the generated ackee-tracker snippet into your pages, and data appears in a clean single-page dashboard. One instance tracks multiple domains, and custom events capture button clicks, signups, and conversions. The distinctive engineering choice is the fully documented GraphQL API: everything the dashboard shows comes from that API, so you can query active visitors, average duration, and view statistics programmatically, feed data in from apps and services beyond websites, or build an entirely custom interface on top. If you want bare-minimum analytics with a real API and zero privacy anxiety, this is the tool.
Nanote
100% portability is Nanote's one non-negotiable principle as a self-hosted note-taking app. There is no database - notebooks are plain folders and notes are plain Markdown files on your filesystem, so the same notes remain fully manageable from a terminal, Notepad, or any other editor, and walking away from Nanote costs nothing because your data was never in a proprietary format to begin with. Built with Nuxt and TypeScript around the Milkdown editor, it layers modern conveniences on that plain-file foundation: fast content search across all notes using OS-optimized tooling (ugrep), native Markdown rendering, image and file attachments, and a mobile-friendly layout for reading and editing on a phone. Clever remark directives make plain text interactive - typing ::file inserts an inline upload picker, while ::today, ::now, and ::tomorrow expand to live dates and times. A fully typed REST API with validation covers automation, and access is protected by a configurable secret key. Deployment is one container with three env vars: paths for notes, uploads, and config, all bind-mountable so your Markdown lives wherever you want it - including inside an existing sync setup. AGPL-licensed and actively daily-driven by its author.
Cockpit
Built by an agency in 2011 and refined by real client work since, Cockpit is a headless CMS whose pragmatism is earned. It's a pure content backend: model your data, let editors manage it, and fetch it over REST or GraphQL from any frontend - React, Vue, Flutter, a static site generator, or an IoT dashboard. Content modeling covers three shapes: Collections for repeatable items (posts, products, events), Singletons for one-off content (settings, about pages), and Trees for hierarchies (navigation, categories), all assembled from 20+ field types including relationships. The API layer is unusually capable: MongoDB-style query filtering, field selection to trim payloads, automatic image optimization through the assets API, and built-in caching. Localization is first-class with per-field multi-language content and fallback support; user management includes roles, granular permissions, two-factor authentication, and API tokens; and webhooks push changes into external workflows. Agencies get multi-tenant Spaces - several sites or clients from one installation. The operational footprint is refreshingly small: PHP plus either SQLite or MongoDB, no build steps, no toolchain, extensible through hooks, events, and addons (pages/SEO, forms, full-text search, layout components). Where enterprise headless platforms bill per seat and per locale, Cockpit is MIT-licensed and simply yours.