homelab-design/decisions/0049-self-hosted-productivity-suite.md
Billy D. 5846d0dc16
docs: add ADRs 0043-0053 covering remaining architecture gaps
New ADRs:
- 0043: Cilium CNI and Network Fabric
- 0044: DNS and External Access Architecture
- 0045: TLS Certificate Strategy (cert-manager)
- 0046: Companions Frontend Architecture
- 0047: MLflow Experiment Tracking and Model Registry
- 0048: Entertainment and Media Stack
- 0049: Self-Hosted Productivity Suite
- 0050: Argo Rollouts Progressive Delivery
- 0051: KEDA Event-Driven Autoscaling
- 0052: Cluster Utilities (Spegel, Descheduler, Reloader, CSI-NFS)
- 0053: Vaultwarden Password Management

README updated with table entries and badge count (53 total).
2026-02-09 18:37:14 -05:00


Self-Hosted Productivity Suite

  • Status: accepted
  • Date: 2026-02-09
  • Deciders: Billy
  • Technical Story: Select and deploy self-hosted alternatives to commercial cloud productivity services

Context and Problem Statement

Commercial cloud services (Google Workspace, iCloud, Notion) centralize personal data with third parties and incur ongoing subscription costs. A homelab with sufficient compute and storage can host equivalent services with full data ownership.

Which self-hosted applications best replace commercial productivity services, and how should they share infrastructure?

Decision Drivers

  • Data sovereignty — all personal data stays on-premises
  • Feature parity with commercial alternatives where possible
  • SSO integration via Authentik for unified login
  • Shared infrastructure (database, cache, storage) to reduce overhead
  • Public access via Cloudflare Tunnel for mobile/remote use

Decision Outcome

Deploy five productivity applications sharing a common infrastructure layer (CNPG PostgreSQL, Valkey cache, NFS storage), exposed publicly via Cloudflare Tunnel with Authentik SSO where supported.

Components

| Application | Replaces | Image/Chart | Database | Cache | Storage |
|---|---|---|---|---|---|
| AFFiNE | Notion | ghcr.io/toeverything/affine:stable | CNPG (VectorChord) | Valkey DB 2 | 10Gi Longhorn |
| Immich | Google Photos | immich chart v0.10.3 | CNPG (VectorChord) | Valkey DB 3 | 10Gi NFS |
| Nextcloud | Google Drive | nextcloud chart v8.8.1 | CNPG | Valkey DB 1 | 200Gi NFS |
| Kasm | — (unique) | kasm chart v1.18.1 | CNPG | Valkey | 50Gi Longhorn |
| Kavita | Kindle/Calibre | ghcr.io/kareadita/kavita:latest | Embedded | | 30Gi NFS (3 libraries) |

All five are deployed in the productivity namespace and exposed via envoy-external under *.daviestechlabs.io.

Shared Infrastructure

Valkey Cache (Shared Instance)

A single Valkey instance (valkey/valkey:9.0.2) with per-application ACL users and database isolation:

| User | DB Index | Application |
|---|---|---|
| nextcloud | 1 | Nextcloud |
| affine | 2 | AFFiNE |
| immich | 3 | Immich |
| kasm | | Kasm |

The default user is disabled. Each user's password is sourced from Vault. The instance uses 20Gi of Longhorn storage.
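As an added illustration of the isolation rules above (not part of the ADR or the homelab's manifests), a small Python linter for a Valkey users.acl file: the user names come from the table, while the ACL content and passwords are constructed placeholders. It checks the file-level rules only; Valkey ACLs cannot pin a user to a DB index, so the per-database split still rests on each application's configured DB number.

```python
"""Lint a Valkey users.acl file against the shared-instance rules in this ADR:
default user disabled, every app user enabled with a password, dangerous
command category denied. Added example; ACL text below is constructed."""

# Users the ADR expects on the shared instance.
EXPECTED_USERS = {"nextcloud", "affine", "immich", "kasm"}

# Constructed sample (not the homelab's file); immich and kasm deliberately violate the rules.
SAMPLE_ACL = """user default off
user nextcloud on >PLACEHOLDER_PW_1 ~* &* +@all -@dangerous
user affine on >PLACEHOLDER_PW_2 ~* &* +@all -@dangerous
user immich on >PLACEHOLDER_PW_3 ~* &* +@all
user kasm on nopass ~* &* +@all -@dangerous
"""


def parse_acl(text):
    """Return {username: [rule, ...]} for each 'user ...' line."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            users[parts[1]] = parts[2:]
    return users


def lint_user(name, rules):
    """Return the list of rule violations for one user (empty if clean)."""
    if name == "default":
        return [] if "off" in rules else ["default user must be 'off'"]
    problems = []
    if "on" not in rules:
        problems.append("user not enabled")
    has_password = any(r.startswith((">", "#")) for r in rules)  # plaintext or hashed
    if "nopass" in rules or not has_password:
        problems.append("no password set")
    if "-@dangerous" not in rules:
        problems.append("dangerous commands not denied")
    return problems


def lint_acl(text):
    """Map each user (or missing expected user) to its violations; clean users are omitted."""
    users = parse_acl(text)
    findings = {u: lint_user(u, r) for u, r in users.items()}
    for missing in EXPECTED_USERS - users.keys():
        findings[missing] = ["expected user missing from ACL file"]
    if "default" not in users:  # an undeclared default user is enabled and passwordless
        findings["default"] = ["default user not declared"]
    return {u: p for u, p in findings.items() if p}
```

Running lint_acl(SAMPLE_ACL) reports only immich (dangerous commands allowed) and kasm (no password); the other users and the disabled default pass.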

CloudNativePG Databases

Each application with a relational database gets its own CNPG cluster (single instance, 10Gi Longhorn, amd64 affinity). AFFiNE and Immich use PostgreSQL 18 with the VectorChord extension for vector search capabilities.

Application Details

AFFiNE (Notion Alternative)

Knowledge base and project management with real-time collaboration.

  • OIDC SSO via Authentik (openid, profile, email scopes)
  • VectorChord extension enables AI-powered semantic search
  • OTEL tracing to OpenTelemetry collector
  • Init container runs database migration (self-host-predeploy.js)

Immich (Google Photos Alternative)

Photo and video management with ML-powered search and face recognition.

  • Built-in ML sidecar for facial recognition and smart search
  • VectorChord PostgreSQL extension for similarity search
  • OTEL tracing enabled
  • Library stored on NFS for large photo collections

Nextcloud (Google Drive Alternative)

File sync, calendar, contacts, and collaboration.

  • Imaginary sidecar for image processing
  • Custom reverse-proxy config for trusted proxies (RFC1918 ranges)
  • CalDAV/CardDAV .well-known URL redirects via HTTPRoute
  • PHP cron job for background tasks
  • Chart pinned to v8.8.1 (v8.9.0 has timeout issues)

Kasm Workspaces (Browser Isolation)

Remote browser isolation and desktop streaming.

  • Small deployment (10-15 concurrent sessions)
  • WebSocket support via custom BackendTrafficPolicy (no request timeout, 1h idle, TCP keepalive)
  • applySecurity: false for Talos compatibility
  • Dedicated Let's Encrypt certificate for *.kasm.lab.daviestechlabs.io

Kavita (Digital Library)

Ebook, manga, and comic reader.

  • Simplest deployment — no external database, no cache, no SSO
  • Three NFS-backed content libraries: manga (10Gi), comics (10Gi), books (10Gi)
  • Embedded database in config PVC

Network Access

All productivity apps are publicly accessible via Cloudflare Tunnel:

| Service | URL |
|---|---|
| AFFiNE | affine.daviestechlabs.io |
| Immich | immich.daviestechlabs.io |
| Nextcloud | nextcloud.daviestechlabs.io |
| Kasm | kasm.daviestechlabs.io |
| Kavita | kavita.daviestechlabs.io |

  • Related to ADR-0027 (CNPG databases)
  • Related to ADR-0023 (Valkey caching)
  • Related to ADR-0026 (NFS + Longhorn storage)
  • Related to ADR-0028 (SSO integration)
  • Related to ADR-0044 (Cloudflare Tunnel access)