# Self-Hosted Productivity Suite

* Status: accepted
* Date: 2026-02-09
* Deciders: Billy
* Technical Story: Select and deploy self-hosted alternatives to commercial cloud productivity services

## Context and Problem Statement

Commercial cloud services (Google Workspace, iCloud, Notion) centralize personal data with third parties and incur ongoing subscription costs. A homelab with sufficient compute and storage can host equivalent services with full data ownership. Which self-hosted applications best replace commercial productivity services, and how should they share infrastructure?

## Decision Drivers

* Data sovereignty — all personal data stays on-premises
* Feature parity with commercial alternatives where possible
* SSO integration via Authentik for unified login
* Shared infrastructure (database, cache, storage) to reduce overhead
* Public access via Cloudflare Tunnel for mobile/remote use

## Decision Outcome

Deploy five productivity applications sharing a common infrastructure layer (CNPG PostgreSQL, Valkey cache, NFS storage), exposed publicly via Cloudflare Tunnel with Authentik SSO where supported.

## Components

| Application | Replaces | Image/Chart | Database | Cache | Storage |
|-------------|----------|-------------|----------|-------|---------|
| **AFFiNE** | Notion | `ghcr.io/toeverything/affine:stable` | CNPG (VectorChord) | Valkey DB 2 | 10Gi Longhorn |
| **Immich** | Google Photos | `immich` chart v0.10.3 | CNPG (VectorChord) | Valkey DB 3 | 10Gi NFS |
| **Nextcloud** | Google Drive | `nextcloud` chart v8.8.1 | CNPG | Valkey DB 1 | 200Gi NFS |
| **Kasm** | — (unique) | `kasm` chart v1.18.1 | CNPG | Valkey | 50Gi Longhorn |
| **Kavita** | Kindle/Calibre | `ghcr.io/kareadita/kavita:latest` | Embedded | — | 30Gi NFS (3 libraries) |

All deployed in the `productivity` namespace, exposed via `envoy-external` at `*.daviestechlabs.io`.
## Shared Infrastructure

### Valkey Cache (Shared Instance)

A single Valkey instance (`valkey/valkey:9.0.2`) with per-application ACL users and database isolation:

| User | DB Index | Application |
|------|----------|-------------|
| `nextcloud` | 1 | Nextcloud |
| `affine` | 2 | AFFiNE |
| `immich` | 3 | Immich |
| `kasm` | — | Kasm |

Default user disabled. Per-user passwords from Vault. 20Gi Longhorn storage.

Note that Valkey ACL rules restrict commands, key patterns and pub/sub channels but cannot pin a user to a logical database (`SELECT` is a client-side choice), so the DB index is a namespacing convention set in each application's connection configuration, not an enforced boundary between the apps. The ACL users and disabled default user are what actually separate credentials.

### CloudNativePG Databases

Each application with a relational database gets its own CNPG cluster (single instance, 10Gi Longhorn, amd64 affinity). AFFiNE and Immich use PostgreSQL 18 with the **VectorChord** extension for vector search capabilities.

## Application Details

### AFFiNE (Notion Alternative)

Knowledge base and project management with real-time collaboration.

- OIDC SSO via **Authentik** (`openid`, `profile`, `email` scopes)
- VectorChord extension enables AI-powered semantic search
- OTEL tracing to OpenTelemetry collector
- Init container runs database migration (`self-host-predeploy.js`)

### Immich (Google Photos Alternative)

Photo and video management with ML-powered search and face recognition.

- Built-in ML sidecar for facial recognition and smart search
- VectorChord PostgreSQL extension for similarity search
- OTEL tracing enabled
- Library stored on NFS for large photo collections

### Nextcloud (Google Drive Alternative)

File sync, calendar, contacts, and collaboration.

- Imaginary sidecar for image processing
- Custom reverse-proxy config for trusted proxies (RFC1918 ranges), so that client IPs seen by Nextcloud's brute-force protection come from the in-cluster gateway's forwarded headers rather than the gateway's own address
- CalDAV/CardDAV `.well-known` URL redirects via HTTPRoute
- PHP cron job for background tasks
- Chart pinned to v8.8.1 (v8.9.0 has timeout issues)

### Kasm Workspaces (Browser Isolation)

Remote browser isolation and desktop streaming.
- Small deployment (10-15 concurrent sessions)
- WebSocket support via custom `BackendTrafficPolicy` (no request timeout, 1h idle, TCP keepalive)
- `applySecurity: false` for Talos compatibility
- Dedicated Let's Encrypt certificate for `*.kasm.lab.daviestechlabs.io`

### Kavita (Digital Library)

Ebook, manga, and comic reader.

- Simplest deployment — no external database, no cache, no SSO
- Three NFS-backed content libraries: manga (10Gi), comics (10Gi), books (10Gi)
- Embedded database in config PVC

## Network Access

All productivity apps are publicly accessible via Cloudflare Tunnel:

| Service | URL |
|---------|-----|
| AFFiNE | `affine.daviestechlabs.io` |
| Immich | `immich.daviestechlabs.io` |
| Nextcloud | `nextcloud.daviestechlabs.io` |
| Kasm | `kasm.daviestechlabs.io` |
| Kavita | `kavita.daviestechlabs.io` |

## Links

* Related to [ADR-0027](0027-database-strategy.md) (CNPG databases)
* Related to [ADR-0023](0023-valkey-ml-caching.md) (Valkey caching)
* Related to [ADR-0026](0026-storage-strategy.md) (NFS + Longhorn storage)
* Related to [ADR-0028](0028-authentik-sso-strategy.md) (SSO integration)
* Related to [ADR-0044](0044-dns-and-external-access.md) (Cloudflare Tunnel access)
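## Worked Examples

The per-application Valkey ACL users described under Shared Infrastructure can be rendered into a `users.acl` and checked before deployment. The following is an added example, not the lab's own manifests or a Valkey tool: it assumes plaintext passwords arrive from Vault (the values below are constructed), writes only SHA-256 password hashes (`#<hex>`, the ACL file syntax for a hashed password) so the file can live in a ConfigMap, and applies `+@all -@dangerous` as an assumed command policy that should be checked against what each application actually issues. It also encodes the caveat that ACL rules cannot pin a user to a logical database.

```python
"""Render and lint a Valkey users.acl for a shared multi-app instance.

Added example (not the lab's manifests). Assumptions: passwords are read from
Vault as plaintext; the ACL file is committed, so only '#<sha256 hex>' hashes
are written; '+@all -@dangerous' is an assumed baseline, verify per app.
"""
from __future__ import annotations

import hashlib
import re

# Constructed input: user -> (password from Vault, DB index the app is configured for).
# The DB index is NOT expressible as an ACL rule; it only goes into the app's
# connection URL. Keep it here so the operator sees the convention in one place.
VAULT_SECRETS: dict[str, tuple[str, int | None]] = {
    "nextcloud": ("nc-example-pass", 1),
    "affine": ("affine-example-pass", 2),
    "immich": ("immich-example-pass", 3),
    "kasm": ("kasm-example-pass", None),
}

HASH_RE = re.compile(r"#[0-9a-f]{64}")


def password_hash(password: str) -> str:
    """ACL syntax '#<sha256 hex>' registers a hashed password for a user."""
    return "#" + hashlib.sha256(password.encode()).hexdigest()


def render_acl(secrets: dict[str, tuple[str, int | None]]) -> str:
    """users.acl with the default user disabled and one hashed-password user per app."""
    lines = ["user default off"]
    for name, (password, _db) in sorted(secrets.items()):
        # ~* all keys, &* all channels, every command except the @dangerous category
        # (FLUSHALL, CONFIG, KEYS, DEBUG, ...). Tighten ~ patterns if the app prefixes keys.
        lines.append(f"user {name} on {password_hash(password)} ~* &* +@all -@dangerous")
    return "\n".join(lines) + "\n"


def lint_acl(acl_text: str) -> list[str]:
    """Policy check for a users.acl; an empty list means it passes."""
    findings: list[str] = []
    default_declared = False
    for lineno, line in enumerate(acl_text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if parts[0] != "user" or len(parts) < 2:
            findings.append(f"line {lineno}: not a 'user' rule")
            continue
        name, rules = parts[1], parts[2:]
        if name == "default":
            default_declared = True
            if "off" not in rules:
                findings.append("default user is not disabled")
            continue
        if "on" not in rules:
            continue  # a disabled user cannot authenticate; nothing more to check
        if "nopass" in rules:
            findings.append(f"{name}: nopass allows login without a password")
        if any(r.startswith(">") for r in rules):
            findings.append(f"{name}: plaintext password in ACL file")
        if not any(HASH_RE.fullmatch(r) for r in rules):
            findings.append(f"{name}: no SHA-256 password hash")
        # Command rules apply in order, so walk them instead of testing membership.
        dangerous_allowed = False
        for r in rules:
            if r in ("+@all", "allcommands", "+@dangerous"):
                dangerous_allowed = True
            elif r in ("-@all", "nocommands", "-@dangerous"):
                dangerous_allowed = False
        if dangerous_allowed:
            findings.append(f"{name}: @dangerous commands not removed")
    if not default_declared:
        findings.append("default user not declared (enabled with nopass unless requirepass is set)")
    return findings


if __name__ == "__main__":
    acl = render_acl(VAULT_SECRETS)
    print(acl)
    print("findings:", lint_acl(acl) or "none")
```

Run the linter in CI against the rendered ConfigMap; a `>plaintext` rule or an undeclared `default` user is the usual way a shared cache instance ends up weaker than its per-app users suggest.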
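The Nextcloud trusted-proxies setting (RFC1918 ranges, under Application Details) decides which `X-Forwarded-For` hops Nextcloud believes when attributing a request, which is what its brute-force throttling keys on. The following added example is a generic rightmost-untrusted resolver, not Nextcloud's implementation, shown next to a naive leftmost pick to make the difference visible. Hop addresses (Cloudflare edge, `cloudflared` pod, Envoy gateway) and the `ANY` over-broad trust list are constructed for illustration.

```python
"""Client-IP resolution behind trusted reverse proxies (added example).

Generic algorithm, not Nextcloud's own code. Trusted ranges mirror the ADR's
RFC1918 trusted_proxies choice; all addresses below are constructed.
"""
from __future__ import annotations

import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]  # over-broad setting, for comparison


def _valid(ip: str) -> bool:
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def is_trusted(ip: str, trusted: list) -> bool:
    return _valid(ip) and any(ipaddress.ip_address(ip) in net for net in trusted)


def client_ip(remote_addr: str, xff: str | None, trusted: list) -> str:
    """Rightmost-untrusted walk: skip hops we trust, the first other hop is the client.

    If the TCP peer (REMOTE_ADDR) is not itself a trusted proxy, the header is
    ignored entirely: anyone can send X-Forwarded-For, only proxies can be
    believed to have appended to it.
    """
    if not is_trusted(remote_addr, trusted) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop, trusted):
            continue
        if not _valid(hop):
            return remote_addr  # malformed hop adjacent to trusted ones: fail closed to the peer
        return hop
    return remote_addr  # every hop is a trusted proxy; fall back to the peer address


def leftmost_client_ip(remote_addr: str, xff: str | None, trusted: list) -> str:
    """Naive variant: first valid entry wins. Anything the client puts in the
    header before the edge appends the real address is taken at face value."""
    if not is_trusted(remote_addr, trusted) or not xff:
        return remote_addr
    for hop in (h.strip() for h in xff.split(",")):
        if _valid(hop):
            return hop
    return remote_addr


# Constructed hop layout for the ADR's path: client -> Cloudflare edge -> cloudflared
# pod (10.42.0.7) -> Envoy gateway (10.42.0.8, the peer Nextcloud sees).
ENVOY = "10.42.0.8"
HONEST = "203.0.113.5, 10.42.0.7"
SPOOFED = "198.51.100.9, 203.0.113.5, 10.42.0.7"  # client sent its own XFF first

if __name__ == "__main__":
    print("honest  :", client_ip(ENVOY, HONEST, RFC1918))
    print("spoofed :", client_ip(ENVOY, SPOOFED, RFC1918), "(rightmost-untrusted)")
    print("spoofed :", leftmost_client_ip(ENVOY, SPOOFED, RFC1918), "(naive leftmost)")
    print("0.0.0.0/0:", client_ip(ENVOY, HONEST, ANY), "(client lost, every hop trusted)")
```

The two failure modes worth remembering when tuning `trusted_proxies`: a list that misses the gateway's address makes every request look like it came from the gateway (one shared throttle bucket), and a list that trusts everything makes the resolver fall back to the peer for the same reason. Trust exactly the hops that are yours.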