Self-host anything, automatically test it works.

Scaffolds rootless, daemonless podman containers wired with the same authorization system (SSO) and e-mail system with SMTP. The bundled registry covers useful services, each end-to-end tested in a fresh virtual machine, and the test framework is simple enough that you can have an AI add new services and prove they work the same way.

See how it works

Podman

End-to-end tested

Free and open source forever

$ryra add immich

→ pulls ghcr.io/immich-app/immich-server:v2.7.4

→ pulls ghcr.io/immich-app/postgres:14-vectorchord0.4.3

→ writes ~/.local/share/services/immich/immich.container

→ provisioning HTTPS cert via tailscale

→ exposing https://immich.tail-ryra.ts.net (tailnet-only)

immich is running.

URL: https://immich.tail-ryra.ts.net

$ryra list

SERVICE	STATUS	URL
caddy	running	http://127.0.0.1:8080
forgejo	running	http://127.0.0.1:3000
immich	running	https://immich.tail-ryra.ts.net
vaultwarden	running	https://vault.tail-ryra.ts.net

What it does

Ryra is the only self-hosting tool that runs daemonless and rootless on podman and systemd, with every service tested in virtual machines.

Daemonless.

Ryra writes systemd units and exits; systemd owns the lifecycle from there. Your services run as normal user-level units: restarted by systemd, logged to journald, managed with systemctl.

Rootless.

Containers run under your user via podman, and each service is a plain systemd unit you could have written by hand. Elevated permissions only when there's no alternative.

Every service tested in a VM.

Each registry service ships a test that boots a fresh QEMU VM, installs the service, and asserts the full lifecycle: HTTP, OIDC login, SMTP delivery, removal. The same loop runs in CI and on your laptop.

Easily upgradable.

Container images update themselves on a systemd timer via podman-auto-update. When the registry ships a new env var or a quadlet fix, ryra upgrade shows you the diff, backs up the old version, and re-renders in place. Roll back with ryra revert if something breaks.

Run your own registry to install anything.

The registry is plain TOML and quadlet files in a folder. Drop a definition in for your internal app, point ryra at your own registry, and install it the same way as anything bundled.

One login across every service.

Bundled SSO via Authelia. Every service in the registry that speaks OIDC gets wired up automatically with --auth: clients registered, callbacks set, env vars injected. One sign-in for files, photos, tasks, the lot.

Examples

Run ryra search or view available services to see what's in the bundled registry. A few of the highlights:

/01

Replace your cloud storage.

Block-level file sync to every device you own, with version history and selective sync. Your files, your disk, reachable on your Tailnet or your domain.

$ ryra add seafile

Seafile file storage: a light UI with a Workspace sidebar (Files, Favorites, Activities, Wikis, Share Admin) and a Files panel listing 'My Library' alongside empty 'Shared with me' and 'Shared with all' sections.

/02

Replace your todo list.

Tasks, kanban boards, and a calendar. Add a todo from your phone, tick it off on your laptop, share a project with your team.

$ ryra add vikunja

Vikunja task manager: a dark UI with sidebar (Overview, Upcoming, Projects, Labels, Teams) and an empty task list captioned 'Nothing to do, Have a nice day!'

/03

Run your own AI gateway.

Your own gateway in front of OpenAI and Anthropic. One place to hold the API keys, one URL to point your agents at, audit logs you control.

$ ryra add openclaw

More in the bundled registry. Browse them all →

OpenClaw AI gateway: a dark control panel with Chat, Control, Agent, and Settings sections in the sidebar, and a centered 'Assistant: Ready to chat' welcome screen with starter prompts like 'What can you do?' and 'Check system health'.

/04

One login across the stack.

Add the bundled SSO provider with one command. Every service that speaks OpenID Connect hooks into it on ryra add after that. One sign-in for files, photos, tasks, the lot.

$ ryra add seafile immich

/05

Run anything.

The registry is a folder of service.toml and quadlet files. Drop a definition in for my_app (or whatever you need), point ryra at your own registry, install with the same command.

$ ryra registry add my_registry https://github.com/you/registry
$ ryra add my_registry/my_app

If you can write a systemd unit, you can extend ryra (or use ryra test to let an AI agent write one for you).

A service.toml definition for DocuSeal showing the [service] block (name, description, url, architecture), RAM requirements, an HTTP port on 3000, and a HOST environment variable templated from service.external_url.

Quickstart

Read the docs

install.sh step 1 / 3

# Linux · Debian / Ubuntu / Fedora / Arch
$ curl -fsSL https://ryra.dev/install.sh | sh

# browse the registry
$ ryra search
SERVICE       SUPPORTS      DESCRIPTION
────────────────────────────────────────────────
seafile       oidc, smtp    File sync & share
immich        oidc          Photo & video management
nextcloud     oidc, smtp    Files & collaboration
vaultwarden   smtp          Password vault
…

$ ryra add seafile
→ pulls docker.io/seafileltd/seafile-mc:13
→ pulls docker.io/mariadb:11
→ writes ~/.local/share/services/seafile/seafile.container

? SMTP for outgoing email? (y/N) › y
?   Relay host › smtp.fastmail.com
?   Username › user@example.com
?   Password › ********

? Sign-on via Authelia (OIDC)? (y/N) › y
→ registering OIDC client with authelia
→ injecting credentials into seafile .env

→ starts seafile on http://127.0.0.1:8000

seafile is running.
  URL: http://127.0.0.1:8000
  Sign in with the SSO button or admin/$INITIAL_PASSWORD.

# ryra has done its job. Everything that's running
# is plain systemd + rootless podman.

$ systemctl --user status seafile.service
● seafile.service - Seafile
     Active: active (running) since Tue 14:22:18 CEST

$ journalctl --user -fu seafile.service
$ podman logs systemd-seafile

# everything lives in plain files
$ ls ~/.local/share/services/seafile/
seafile.container  mariadb.container  .env  metadata.toml  data/  db-data/

# uninstall ryra. your services keep running.
$ rm /usr/local/bin/ryra
$ systemctl --user restart seafile.service
● seafile.service - active (running)   ← still works.

Test your stack with virtual machines

ryra test boots an ephemeral QEMU VM, installs whatever combination of services you want, and runs assertions end to end. Wire SSO, a reverse proxy, your photo library, and your file sync, prove sign-in works across all four, throw the VM away. Your real machine never sees the experiment until you're sure.

A safe sandbox for AI agents. Let Claude or Codex iterate on your stack: new services, quadlet tweaks, OIDC wiring, all inside a throwaway VM. Agents can break things until they don't, without ever touching your home server.
The same engine that gates the registry. Every service ships only after it boots cleanly in this loop. The CI you run on your laptop is the CI that protects the project.
Composable lifecycle tests. Chain services together (reverse proxy, auth provider, app) and verify the full picture, not just one container.

vm: fedora-43 · kvm

$ryra test immich-oidc --keep-alive

booting fedora-43 (qemu, kvm) ............ ok

ssh ready on 127.0.0.1:2222

▸ryra add caddy

▸ryra add authelia --url https://auth.test.local

▸ryra add immich --auth --url https://immich.test.local

probe https://immich.test.local .......... 200

browser oidc login flow .................. ok

smtp delivery to inbucket ................ ok

✓ all assertions passed in 2m41s

# vm kept alive: ssh -p 2222 ryra@127.0.0.1

Philosophy

Most of the time, all you need is one single machine to run a website, sync your files, or keep your photos. A few hours, and the right tools. Ryra is the right tools: opinionated where it has to be, out of the way everywhere else.

/01

Least privilege

Containers run rootless under your user via podman. No Docker daemon, no privileged sockets, no permanent sudo. Elevated permissions only when there's no alternative, never sticky.

/02

Leaves no trace

Ryra is a scaffolding tool, not a runtime. It writes plain systemd units and exits; systemd owns the lifecycle, the data lives in plain folders, the configs are text. Uninstall ryra and your stack keeps running.

/03

Tested, every service

Every registry service has an end-to-end test that boots a fresh QEMU VM and asserts the full lifecycle: install, HTTP, OIDC, SMTP, removal. The same loop runs in CI and on your laptop.

Read the docs