Self-host anything, automatically test it works.

Scaffolds rootless, daemonless podman containers wired with the same authorization system (SSO), e-mail system (SMTP), and automatic end-to-end encrypted backups. The default registry covers useful services, each tested in a fresh virtual machine, and the test framework is simple enough that you can have an AI add new services and prove they work the same way.

See how it works

Podman

Tested

Free and open source forever

$ryra add immich

→ pulls ghcr.io/immich-app/immich-server:v2.7.4

→ pulls ghcr.io/immich-app/postgres:14-vectorchord0.4.3

→ writes ~/.local/share/services/immich/immich.container

→ provisioning HTTPS cert via tailscale

→ exposing https://immich.tail-ryra.ts.net (tailnet-only)

immich is running.

URL: https://immich.tail-ryra.ts.net

$ryra list

SERVICE	STATUS	URL
caddy	running	http://127.0.0.1:8080
forgejo	running	http://127.0.0.1:3000
immich	running	https://immich.tail-ryra.ts.net
vaultwarden	running	https://vault.tail-ryra.ts.net

What it does

Daemonless and simple.

Every service is one folder symlinked into systemd. Ryra writes the files and exits; systemctl and journalctl take it from there.

Rootless.

Every container runs under your user via podman, as a plain systemd unit you could have written by hand.

Every service tested in a VM.

A test.toml beside each service declares HTTP probes, Playwright clicks, and mail deliveries; ryra test runs them in throwaway QEMU VMs.

Easily upgradable.

Container images self-update via podman-auto-update; registry changes preview as a diff and revert cleanly if something breaks.

Encrypted backups, anywhere.

Per-service encrypted snapshots push to any S3-compatible store like MinIO. The key never leaves your machine.

One login across every service.

Any OIDC-capable service in the registry gets SSO via Authelia: clients registered, callbacks set, env vars injected.

Examples

Run ryra search or view available services to see what's in the default registry. A few of the highlights:

/01

Replace your cloud storage.

Block-level file sync to every device you own, with version history and selective sync. Your files, your disk, reachable on your Tailnet or your domain.

$ ryra add seafile

Seafile file storage: a light UI with a Workspace sidebar (Files, Favorites, Activities, Wikis, Share Admin) and a Files panel listing 'My Library' alongside empty 'Shared with me' and 'Shared with all' sections.

/02

Replace your todo list.

Tasks, kanban boards, and a calendar. Add a todo from your phone, tick it off on your laptop, share a project with your team.

$ ryra add vikunja

Vikunja task manager: a dark UI with sidebar (Overview, Upcoming, Projects, Labels, Teams) and an empty task list captioned 'Nothing to do, Have a nice day!'

/03

Run your own AI gateway.

Your own gateway in front of OpenAI and Anthropic. One place to hold the API keys, one URL to point your agents at, audit logs you control.

$ ryra add openclaw

More in the default registry. Browse them all →

OpenClaw AI gateway: a dark control panel with Chat, Control, Agent, and Settings sections in the sidebar, and a centered 'Assistant: Ready to chat' welcome screen with starter prompts like 'What can you do?' and 'Check system health'.

/04

Run anything.

The registry is a folder of service.toml and quadlet files. Drop a definition in for my_app (or whatever you need), point ryra at your own registry, install with the same command.

$ ryra registry add my_registry https://github.com/you/registry
$ ryra add my_registry/my_app

If you can write a systemd unit, you can extend ryra (or use ryra test to let an AI agent write one for you).

A service.toml definition for DocuSeal showing the [service] block (name, description, url, architecture), RAM requirements, an HTTP port on 3000, and a HOST environment variable templated from service.external_url.

/05

Encrypted backups.

Every backup-enabled service ships encrypted snapshots to an S3-compatible store like MinIO, ideally on a separate machine over your tailnet. The key stays on the box that made the backup; whoever holds the storage just sees ciphertext.

$ ryra backup

/06

One login across the stack.

Add the SSO provider with one command. Every service that speaks OpenID Connect hooks into it on ryra add after that. One sign-in for files, photos, tasks, the lot.

$ ryra add seafile immich

Philosophy

/01

A service is a folder.

Every quadlet, env file, network, and bind-mounted data directory for a service lives under ~/.local/share/services/<name>/. Back up the whole folder with tar, just the data dirs like db-data/ and upload/, or hand it off to ryra backup for encrypted snapshots pushed to any S3-compatible store like MinIO. Move it to another box, the service comes with it.

user@fedora:~/.local/share/services$ tree -L 2

.
├── immich
│   ├── configs
│   ├── db-data
│   ├── immich.container
│   ├── immich-machine-learning.container
│   ├── immich.network
│   ├── immich-postgres.container
│   ├── immich-valkey.container
│   ├── metadata.toml
│   ├── model-cache
│   ├── service.manifest
│   └── upload
├── openclaw
│   ├── config
│   ├── metadata.toml
│   ├── openclaw.container
│   └── service.manifest
└── seafile
    ├── configs
    ├── db-data
    ├── metadata.toml
    ├── seafile.container
    ├── seafile-mariadb.container
    ├── seafile.network
    ├── seafile-redis.container
    ├── service.manifest
    └── shared

/02

One file of preferences.

SMTP credentials, OIDC provider, Tailscale key, custom registries: all the cross-service settings ryra reads at startup live in a single TOML file. The rest is just service folders.

user@fedora:~/.config/services$ tree -L 1

.
└── preferences.toml

/03

Symlinked into systemd.

Each .container and .network is symlinked from its service folder into ~/.config/containers/systemd/, where systemd's user generator picks it up. Remove the service and the symlink goes with it.

user@fedora:~/.config/containers/systemd$ tree

.
├── immich.container
│       → ~/.local/share/services/immich/immich.container
├── immich-postgres.container
│       → ~/.local/share/services/immich/immich-postgres.container
├── immich.network
│       → ~/.local/share/services/immich/immich.network
├── openclaw.container
│       → ~/.local/share/services/openclaw/openclaw.container
├── seafile.container
│       → ~/.local/share/services/seafile/seafile.container
└── seafile.network
        → ~/.local/share/services/seafile/seafile.network

/01

Least privilege

Containers run rootless under your user via podman. No Docker daemon, no privileged sockets, no permanent sudo. Elevated permissions only when there's no alternative, never sticky.

/02

Leaves no trace

Ryra is a scaffolding tool, not a runtime. It writes plain systemd units and exits; systemd owns the lifecycle, the data lives in plain folders, the configs are text. Uninstall ryra and your stack keeps running.

/03

Tested, every service

Every registry service has an end-to-end test that boots a fresh QEMU VM and asserts the full lifecycle: install, HTTP, OIDC, SMTP, removal. The same loop runs in CI and on your laptop.

Read the docs

Quickstart

Read the docs

install.sh step 1 / 3

# Linux · Debian / Ubuntu / Fedora / Arch
$ curl -fsSL https://ryra.dev/install.sh | sh

# browse the registry
$ ryra search
SERVICE       SUPPORTS      DESCRIPTION
────────────────────────────────────────────────
seafile       oidc, smtp    File sync & share
immich        oidc          Photo & video management
nextcloud     oidc, smtp    Files & collaboration
vaultwarden   smtp          Password vault
…

$ ryra add seafile
→ pulls docker.io/seafileltd/seafile-mc:13
→ pulls docker.io/mariadb:11
→ writes ~/.local/share/services/seafile/seafile.container

? SMTP for outgoing email? (y/N) › y
?   Relay host › smtp.fastmail.com
?   Username › user@example.com
?   Password › ********

? Sign-on via Authelia (OIDC)? (y/N) › y
→ registering OIDC client with authelia
→ injecting credentials into seafile .env

→ starts seafile on http://127.0.0.1:8000

seafile is running.
  URL: http://127.0.0.1:8000
  Sign in with the SSO button or admin/$INITIAL_PASSWORD.

# ryra has done its job. Everything that's running
# is plain systemd + rootless podman.

$ systemctl --user status seafile.service
● seafile.service - Seafile
     Active: active (running) since Tue 14:22:18 CEST

$ journalctl --user -fu seafile.service
$ podman logs systemd-seafile

# everything lives in plain files
$ ls ~/.local/share/services/seafile/
seafile.container  mariadb.container  .env  metadata.toml  data/  db-data/

# uninstall ryra. your services keep running.
$ rm /usr/local/bin/ryra
$ systemctl --user restart seafile.service
● seafile.service - active (running)   ← still works.

Test your stack with virtual machines

ryra test boots an ephemeral QEMU VM, installs whatever combination of services you want, and runs assertions end to end. Wire SSO, a reverse proxy, your photo library, and your file sync, prove sign-in works across all four, throw the VM away. Your real machine never sees the experiment until you're sure.

A safe sandbox for AI agents. Let Claude or Codex iterate on your stack: new services, quadlet tweaks, OIDC wiring, all inside a throwaway VM. Agents can break things until they don't, without ever touching your home server.
The same engine that gates the registry. Every service ships only after it boots cleanly in this loop. The CI you run on your laptop is the CI that protects the project.
Composable lifecycle tests. Chain services together (reverse proxy, auth provider, app) and verify the full picture, not just one container.

vm: fedora-43 · kvm

$ryra test immich-oidc --keep-alive

booting fedora-43 (qemu, kvm) ............ ok

ssh ready on 127.0.0.1:2222

▸ryra add caddy

▸ryra add authelia --url https://auth.test.local

▸ryra add immich --auth --url https://immich.test.local

probe https://immich.test.local .......... 200

browser oidc login flow .................. ok

smtp delivery to inbucket ................ ok

✓ all assertions passed in 2m41s

# vm kept alive: ssh -p 2222 ryra@127.0.0.1