rsmcc.org
All systems operational Log in
Personal infrastructure · v1

A quieter stack for the people you trust.

Self-hosted infrastructure for friends and family. Tools that respect your data and your time, running on a single bare-metal server — no third-party telemetry, no upsells.

Log in 12 services · single sign-on

Services

Each tile is an open-source application running on rsmcc, federated behind a single account.

Productivity 03
Forgejo

Self-hosted Git, code review, CI runners.

Replaces GitHub Enterprise $21/user/mo
OpenCloud + Collabora

Files and collaborative documents.

Replaces Dropbox + MS 365 $32/user/mo
Paperless-ngx

OCR'd document archive with full-text search.

Replaces Evernote / DocuWare $15/mo
Communication 01
Element / Matrix

End-to-end encrypted chat with federation.

Replaces Slack $7–12/user/mo
Identity 02
Kanidm

SSO and account management.

Replaces Okta / Auth0 $2–8/user/mo
Vaultwarden

Password vault for the household.

Replaces 1Password Families $5/mo
Media 04
Immich

Photo and video library with face recognition.

Replaces Google Photos / iCloud+ $2–10/mo
Jellyfin

Personal media server.

Replaces Netflix / Plex Pass $15/mo
Audiobookshelf

Audiobook and podcast library.

Replaces Audible $15/mo
Calibre-Web-Automated

Ebook library with sync to Kindle and Kobo.

Replaces Kindle Unlimited $12/mo
Knowledge 01
SearXNG

Privacy-respecting metasearch.

Replaces Kagi $10/mo
AI 01
OpenWebUI + llama-server

Self-hosted chat UI on local Llama models.

Replaces ChatGPT Plus / Claude Pro $20/mo
Trust

Trust

No NDAs. The infrastructure is auditable; the architecture is open.

Security

  • TLS everywhere via Let's Encrypt (DNS-01 challenges).
  • Zero-trust ingress: every service forward-auths through Pomerium against Kanidm.
  • FIDO2 / WebAuthn and TOTP supported on admin accounts.
  • Group-based RBAC — one identity, scoped capabilities per service.
  • Secrets stored in OpenBao with vault-agent rendering at runtime.
  • Encrypted at rest: LUKS for system volumes, ZFS for data.
  • Bare-metal, single tenant. No shared compute, no cloud control plane.

Auditing

  • Every host configured declaratively in NixOS. Full Git history of every change.
  • Atomic upgrades with rollback — bad deploys revert in seconds.
  • Logs aggregated in Loki, metrics in Prometheus, dashboards in Grafana.
  • Alertmanager pages on failures — disk pressure, failed services, expired certs.
  • Backups verified by restic check; restore drills run on a schedule.
  • WAL-G continuous Postgres archive to encrypted offsite storage.

Privacy

  • Zero third-party analytics. No Tag Manager, no Sentry, no telemetry SDKs.
  • No advertising. No upsells. No data resale.
  • Personal data lives on the server and does not leave the boundary.
  • DNS resolved locally via CoreDNS; outbound queries minimized.
  • Transactional email via Postmark for password resets — the only third party in the stack.
  • SSO scopes only what each service needs; no shared account credentials.

Frameworks ·Controls are designed against the SOC 2 Trust Service Criteria and ISO 27001 Annex A. Self-attested. Independent audit on the roadmap when scale justifies the cost.

About

About

Personal infrastructure for friends and family. Hosted on bare-metal in California, operated by @ryanmccullough:rsmcc.org.

No commercial intent, no telemetry, no third parties. If you have an account, you already know how to reach me.