daviestechlabs/homelab-design
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f2d035ce8b7ce2daae78cfbf88248043e1d043a1
homelab-design/decisions/0049-self-hosted-productivity-suite.md
Billy D. 5846d0dc16
All checks were successful
Update README with ADR Index / update-readme (push) Successful in 6s
Details
docs: add ADRs 0043-0053 covering remaining architecture gaps 
New ADRs:
- 0043: Cilium CNI and Network Fabric
- 0044: DNS and External Access Architecture
- 0045: TLS Certificate Strategy (cert-manager)
- 0046: Companions Frontend Architecture
- 0047: MLflow Experiment Tracking and Model Registry
- 0048: Entertainment and Media Stack
- 0049: Self-Hosted Productivity Suite
- 0050: Argo Rollouts Progressive Delivery
- 0051: KEDA Event-Driven Autoscaling
- 0052: Cluster Utilities (Spegel, Descheduler, Reloader, CSI-NFS)
- 0053: Vaultwarden Password Management

README updated with table entries and badge count (53 total).
2026-02-09 18:37:14 -05:00

123 lines
4.8 KiB
Markdown
Raw Blame History

# Self-Hosted Productivity Suite
* Status: accepted
* Date: 2026-02-09
* Deciders: Billy
* Technical Story: Select and deploy self-hosted alternatives to commercial cloud productivity services
## Context and Problem Statement
Commercial cloud services (Google Workspace, iCloud, Notion) centralize personal data with third parties and incur ongoing subscription costs. A homelab with sufficient compute and storage can host equivalent services with full data ownership.
Which self-hosted applications best replace commercial productivity services, and how should they share infrastructure?
## Decision Drivers
* Data sovereignty — all personal data stays on-premises
* Feature parity with commercial alternatives where possible
* SSO integration via Authentik for unified login
* Shared infrastructure (database, cache, storage) to reduce overhead
* Public access via Cloudflare Tunnel for mobile/remote use
## Decision Outcome
Deploy five productivity applications sharing a common infrastructure layer (CNPG PostgreSQL, Valkey cache, NFS storage), exposed publicly via Cloudflare Tunnel with Authentik SSO where supported.
## Components
| Application | Replaces | Image/Chart | Database | Cache | Storage |
|-------------|----------|-------------|----------|-------|---------|
| **AFFiNE** | Notion | `ghcr.io/toeverything/affine:stable` | CNPG (VectorChord) | Valkey DB 2 | 10Gi Longhorn |
| **Immich** | Google Photos | `immich` chart v0.10.3 | CNPG (VectorChord) | Valkey DB 3 | 10Gi NFS |
| **Nextcloud** | Google Drive | `nextcloud` chart v8.8.1 | CNPG | Valkey DB 1 | 200Gi NFS |
| **Kasm** | — (unique) | `kasm` chart v1.18.1 | CNPG | Valkey | 50Gi Longhorn |
| **Kavita** | Kindle/Calibre | `ghcr.io/kareadita/kavita:latest` | Embedded | — | 30Gi NFS (3 libraries) |
All deployed in the `productivity` namespace, exposed via `envoy-external` at `*.daviestechlabs.io`.
## Shared Infrastructure
### Valkey Cache (Shared Instance)
A single Valkey instance (`valkey/valkey:9.0.2`) with per-application ACL users and database isolation:
| User | DB Index | Application |
|------|----------|-------------|
| `nextcloud` | 1 | Nextcloud |
| `affine` | 2 | AFFiNE |
| `immich` | 3 | Immich |
| `kasm` | — | Kasm |
Default user disabled. Per-user passwords from Vault. 20Gi Longhorn storage.
### CloudNativePG Databases
Each application with a relational database gets its own CNPG cluster (single instance, 10Gi Longhorn, amd64 affinity). AFFiNE and Immich use PostgreSQL 18 with the **VectorChord** extension for vector search capabilities.
## Application Details
### AFFiNE (Notion Alternative)
Knowledge base and project management with real-time collaboration.
- OIDC SSO via **Authentik** (`openid`, `profile`, `email` scopes)
- VectorChord extension enables AI-powered semantic search
- OTEL tracing to OpenTelemetry collector
- Init container runs database migration (`self-host-predeploy.js`)
### Immich (Google Photos Alternative)
Photo and video management with ML-powered search and face recognition.
- Built-in ML sidecar for facial recognition and smart search
- VectorChord PostgreSQL extension for similarity search
- OTEL tracing enabled
- Library stored on NFS for large photo collections
### Nextcloud (Google Drive Alternative)
File sync, calendar, contacts, and collaboration.
- Imaginary sidecar for image processing
- Custom reverse-proxy config for trusted proxies (RFC1918 ranges)
- CalDAV/CardDAV `.well-known` URL redirects via HTTPRoute
- PHP cron job for background tasks
- Chart pinned to v8.8.1 (v8.9.0 has timeout issues)
### Kasm Workspaces (Browser Isolation)
Remote browser isolation and desktop streaming.
- Small deployment (10-15 concurrent sessions)
- WebSocket support via custom `BackendTrafficPolicy` (no request timeout, 1h idle, TCP keepalive)
- `applySecurity: false` for Talos compatibility
- Dedicated Let's Encrypt certificate for `*.kasm.lab.daviestechlabs.io`
### Kavita (Digital Library)
Ebook, manga, and comic reader.
- Simplest deployment — no external database, no cache, no SSO
- Three NFS-backed content libraries: manga (10Gi), comics (10Gi), books (10Gi)
- Embedded database in config PVC
## Network Access
All productivity apps are publicly accessible via Cloudflare Tunnel:
| Service | URL |
|---------|-----|
| AFFiNE | `affine.daviestechlabs.io` |
| Immich | `immich.daviestechlabs.io` |
| Nextcloud | `nextcloud.daviestechlabs.io` |
| Kasm | `kasm.daviestechlabs.io` |
| Kavita | `kavita.daviestechlabs.io` |
## Links
* Related to [ADR-0027](0027-database-strategy.md) (CNPG databases)
* Related to [ADR-0023](0023-valkey-ml-caching.md) (Valkey caching)
* Related to [ADR-0026](0026-storage-strategy.md) (NFS + Longhorn storage)
* Related to [ADR-0028](0028-authentik-sso-strategy.md) (SSO integration)
* Related to [ADR-0044](0044-dns-and-external-access.md) (Cloudflare Tunnel access)
Reference in New Issue View Git Blame Copy Permalink