Everything Your Team Needs.
Nothing It Doesn't.

Ten best-in-class tools, one login, one config file. Klyvra replaces your SaaS sprawl with a unified, self-hosted workspace you actually control.

See How It Works ↓ View on GitHub
10
Integrated apps
1
Login for everything
0
Manual config steps
Users — free forever
Single Sign-On

One Login. Ten Apps. Zero Friction.

Your team logs in once through Authentik and gets immediate access to every tool — wiki, chat, code, files, tasks, email. No separate accounts, no password fatigue, no "which login was it again?"

  • 7 apps via OIDC, 1 via SAML — all pre-configured out of the box
  • First login auto-creates the user's account in each app
  • MFA support built into Authentik (TOTP, WebAuthn, Duo)
  • Branding-ready login pages — your logo, your domain
What your team sees:
🔐
Sign in to Klyvra
alice@company.com
Sign in
→ Redirected to wiki, chat, code, files... all seamless
Permissions

Define Teams Once. Access Syncs Everywhere.

Create an "engineering" group and Klyvra gives them code repos, wiki access, and a chat channel — automatically. HR gets timesheets and policies but no source code. New hires? Add them to a group and they get the right access on their first login.

  • Groups created in Authentik propagate to every app
  • Per-app role control — admin in one tool, viewer in another
  • Exclude groups from apps entirely (engineers don't see HR tools)
  • Membership queued for users who haven't logged in yet
One config, every app:
engineering:
  gitea: owner  # full repo access
  outline: member  # wiki read/write
  kimai: user  # track own time
hr:
  gitea: null  # no code access
  outline: admin  # wiki admin
  kimai: teamlead  # approve timesheets
Zero ClickOps

Deploy a Whole Company in One Command.

No clicking through admin panels. No setup wizards. Klyvra uses blueprints, init containers, and adapters to wire everything together before anyone logs in. The only manual step? Creating your first admin account.

  • 15 Authentik blueprints auto-configure all SSO providers
  • Init containers seed API keys, register auth sources, patch configs
  • 4 webhook adapters keep app permissions in sync in real time
  • Fully idempotent — safe to restart, re-deploy, upgrade
Your entire setup:
$
git clone github.com/klyvra-org/klyvra
cd klyvra
make bootstrap DOMAIN=company.com
make up
✓ 33 containers running
✓ SSO configured for 10 apps
✓ Webhooks armed, adapters listening
✓ Ready at https://auth.company.com
Deploy Anywhere

Compose Today. Kubernetes Tomorrow.

Start with Docker Compose on a single server for development or small teams. When you're ready to scale, the Helm chart deploys the same stack to any Kubernetes cluster — same config structure, same RBAC model, same apps.

  • Docker Compose for dev, staging, and small teams
  • Helm chart for Kubernetes production deployments
  • Same values.yaml RBAC structure in both
  • Runs on any cloud, any bare metal, any EU sovereign infra
Choose your path:
🐳
Docker Compose
Single server
Dev & small teams
make up
☸️
Kubernetes
Multi-node clusters
Production scale
helm install

Built for Real Teams

Whether you're a 5-person startup or a 500-person org, Klyvra adapts to how you actually work.

🚀

Startup / Small Team

Spin up a complete workspace in 5 minutes. Wiki, chat, code hosting, file sharing, passwords, email — all with one login. No per-seat costs eating your runway.

🏢

Growing Company

Define engineering, sales, HR, and ops as groups. Each team sees only what they need. Onboard new hires by adding them to a group — every app grants access automatically.

🇪🇺

EU / Regulated Industry

Data stays on your infrastructure. No US cloud dependencies, no third-party access. GDPR-compliant by architecture. Deploy on Hetzner, OVH, or your own racks.

🏫

Education / Nonprofits

Give students and staff a full collaboration suite at zero cost. Unlimited users, no feature gates. Self-host on whatever hardware you have.

🔒

Security-Conscious Orgs

Every component is open source and auditable. No black-box SaaS. Vaultwarden for passwords, end-to-end encryption in Seafile, MFA via Authentik.

🧪

Dev Teams / Agencies

Gitea for code, Mattermost for discussions, Outline for documentation, Vikunja for tasks, Kimai for time tracking — all connected, all with SSO. Ship faster.

Webhook Adapters

Apps That Talk to Each Other.

When you create a group in Authentik, four lightweight adapters instantly create the matching resources: a Gitea org, a Mattermost channel, an Outline group, and a Stalwart mailing list. Add a user to the group and they're added everywhere. Remove the group and everything's cleaned up.

  • Real-time sync — changes propagate in milliseconds
  • Stalwart auto-provisions mailboxes on first SSO login
  • Pending queue for users who haven't logged in yet
  • Each adapter is a tiny FastAPI service — easy to extend
What happens when you create a group:
1. Admin creates group "engineering" in Authentik
↓ webhook fires
2. Gitea → new org "engineering"
3. Mattermost → new channel "engineering"
4. Outline → new group "engineering"
5. Stalwart → mailing list engineering@company.com
Done. Under 1 second.
Email & Groupware

Mail, Calendar, Contacts. Self-Hosted.

Stalwart gives your team full email, calendar (CalDAV), and contacts (CardDAV) — with mailboxes auto-created the moment someone logs in via SSO. Group mailing lists are created automatically when you create a group in Authentik.

  • IMAP + SMTP + CalDAV + CardDAV in one server
  • Mailboxes provisioned automatically on first SSO login
  • Group mailing lists synced from Authentik groups
  • Works with any mail client — Thunderbird, Apple Mail, mobile
Auto-provisioned on login:
alice@company.com logs in via SSO
↓ webhook fires
📬 Mailbox created
📅 Calendar ready
👥 Added to engineering@company.com list
Configure your mail client:
IMAP: mail.company.com:993
SMTP: mail.company.com:465

Ready to Take Back Your Stack?

Deploy your entire office suite in under 5 minutes. Free forever, unlimited users, no strings attached.

Quick Start Guide View on GitHub