Self-hosting a business suite today means juggling Docker + nginx + certbot + a dozen separate auth setups + per-service backups + a hope-and-pray deploy. PMA collapses that into one manifest-per-service, one
just release-run TICKETdeploy, one Authentik for everything, and an MCP gateway so AI agents operate the same surface humans do.
This page is the headline. For long-form: Essay — the magic of PMA.
git clone <your-pma-fork>
cd pma
just bootstrap-local enterprise
# 15-30 minutes later: Redmine + Mattermost + n8n + ERPNext + Wiki.js +
# Superset + Grafana + Authentik + … all live, all sharing SSO,
# all reachable on https://<svc>.your-domain.
What you don't do: write per-service nginx configs, install
certbot, register each service with Authentik manually, set up
per-service backup cron jobs, write deploy scripts, or pay a SaaS
vendor.
The rest of this page is what that one command enables and what
PMA adds on top once you decide it's worth it.
You see the SaaS line items: €500/month CRM + €300 project mgmt +
€800 ERP + €200 chat = €1,800/month, €21,600/year. Add
integration costs and you're at €30k/year for tooling. PMA
delivers the same functional surface for €0 in licensing — the
laptops + a server you already pay for are the platform.
"What you pay in SaaS bills today becomes infrastructure you
own tomorrow."
Each vendor has its own SSO config, its own user-management API,
its own export format, its own pricing-change letter. Your team
logs in five times a day. With PMA: one Authentik login, fifteen
services, zero per-service SSO config (declared in the manifest
field sso.type: oauth). n8n connects services into the dataflows
you used to coordinate by hand.
"One Authentik login. Fifteen services. Zero per-service SSO
config."
When a SaaS vendor breaks something, your only recourse is a
support ticket and waiting. PMA runs on your infrastructure;
every incident leaves a machine-readable recovery playbook
(recovery/playbooks/*.yaml) so the next operator (or AI agent)
walks a known fix instead of inventing one.
"Every incident leaves a playbook. The next incident is
shorter."
"Where does our customer data go?" with a SaaS stack: ten
different answers, each with its own privacy policy. With PMA:
one answer — on our infrastructure. Authentik holds identity
(not Microsoft / Google / Okta). Backups are local files.
Manifests in git are an audit trail of every service exposed.
"Your customer data doesn't leave your infrastructure."
You're building AI agents that need to read tickets, file bugs,
update workflows, send mail, query analytics. With SaaS each
service has a different API + auth model + rate limit. With PMA:
one MCP gateway, structured output everywhere (--json),
attributable audit trail per agent (X-Redmine-Switch-User).
"Your AI agent gets a real Redmine login, a real Zammad seat,
real write access — through the same gateway your humans use."
packages/<svc>/manifest.yaml declares: container, ports, DB, SSO
type, backup strategy, health endpoint, E2E test config.
packages/<svc>/net.manifest.yaml declares the route.
The framework reads these. Adding a 16th service is one new
directory with two YAML files — no if service == "redmine"
anywhere in the framework. Each service is an interchangeable
part.
just release-run TICKET does fetch → pull → backup → migrate →
ticket-script → verify in one halt-on-failure pipeline.
just release-revert TICKET restores the backup and reverts the
merge commit. Single command rollback, no per-deploy snapshot to
remember.
Every bootstrap fix ships with a YAML entry in
recovery/playbooks/ describing: symptom → detection commands →
root cause → fix script → verify command. An AI agent can read a
JSONL failure log, look up the playbook, execute the fix.
sso.type: oauth (or oidc, saml, proxy, wikijs, frappe)
in a manifest gets the service auto-integrated with Authentik
during bootstrap. No per-service SSO configuration ceremony.
PMA ships an MCP server (claude_ai_PMA) that exposes Redmine,
Zammad, n8n, email, service health, logs, etc. as agent-callable
tools with proper attribution per agent.
| Item | SaaS today | PMA |
|---|---|---|
| CRM / helpdesk | €500/mo | €0 (Zammad) |
| Project management | €300/mo | €0 (Redmine) |
| ERP basics | €800/mo | €0 (ERPNext) |
| Team chat | €200/mo | €0 (Mattermost) |
| Wiki | €100/mo | €0 (Wiki.js) |
| BI dashboards | €300/mo | €0 (Superset) |
| Monitoring | €200/mo | €0 (Grafana + Prometheus + Loki) |
| Workflow automation | €100/mo | €0 (n8n) |
| Subtotal | €2,500/mo | €0 |
| Annual | €30,000 | infrastructure cost only |
Real-world infrastructure cost for the full stack: ~€100-300/mo
depending on scale. Net savings: ~€26k+/year for a small team,
scaling with team size.
Vendor lock-in lever matters as much as the bill: when Salesforce
/ Atlassian / Slack change pricing or feature-gating, your stack
acquires their problem. PMA removes that lever.
| If you'd otherwise use… | …PMA replaces |
|---|---|
| 8+ SaaS subscriptions stitched together | All the licenses + the integration work |
| Cloudron / Yunohost for self-hosted bundles | Adds atomic releases, MCP gateway, manifest-driven SSO, recovery playbooks |
| Bare docker-compose with services you wire up yourself | The framework. The SSO. The release ceremony. The backup pipeline. |
| Building a custom internal platform | Don't — PMA already did it |
For long-form: /pma/compared — head-to-head with
Cloudron, Yunohost, and the SaaS stacks.
Be honest:
/pma/learn/00-start-here./pma/concepts.