Memos
A privacy-first lightweight note-taking service.
Memos is an open-source, self-hosted note-taking app focused on quick capture of thoughts and ideas in a Twitter/X-like timeline format. It supports Markdown, tags, and public/private visibility per memo. Self-hosting keeps your notes fully private with no subscription fees.
Alternatives considered
Cloud Hosted
| Tool | Open Source | Free Tier | Monthly Cost |
|---|---|---|---|
| Notion | No | Limited | From $10/user |
| Obsidian | No | Yes | Free local; $4/mo for Sync |
Self Hosted
| Tool | Open Source | Full Features | Notes |
|---|---|---|---|
| Standard Notes | Yes | Limited | E2E encrypted; some features paywalled |
Installation
Architecture
- Deployment: Single
memosdeployment in thememosnamespace - Image:
neosmemo/memos:0.26.0(digest-pinned) - Database: CNPG PostgreSQL cluster with Longhorn-encrypted PVCs
- Storage: Longhorn PVC (
memos, 1Gi,longhorn-encrypted) for file attachments - Networking: ClusterIP service on port 5230, HTTPRoute via internal gateway
Security
readOnlyRootFilesystem: true,allowPrivilegeEscalation: false, capabilities dropped- Longhorn PVC and CNPG PVCs encrypted at rest
Updates
Managed by Renovate. Image is digest-pinned.
Data Management
- Database: CNPG PostgreSQL cluster (Longhorn-encrypted PVCs)
- PVC:
memos(1Gi,longhorn-encrypted) for file attachments - Backups: No k8up schedule present. No
k8up.io/backupcommandannotation on the CNPG cluster — only CNPG operator's native backup mechanism is active.
User Management
No OIDC configured. Users managed through the Memos admin UI. Registration settings configurable in the app.
Configuration Management
- Database credentials injected from CNPG-generated secret
- Longhorn encryption keys from SOPS-encrypted secrets
Administration
Usage
Capture quick notes using the web UI or mobile-friendly interface. Tag memos for organization and search across the timeline. Notes can be marked public (shareable via link) or kept private. Markdown formatting is supported inline.
Cluster-specific deviations from the above live in the per-cluster README — see k8s/apps/talos/memos/README.md.
Cluster Deployment
Memos — Talos cluster
Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/apps/memos.mdx.
Deviations from defaults
Defaults live in docusaurus/docs/apps/memos.mdx — document anything this cluster does differently here, with a one-line reason.
- Image:
neosmemo/memos:0.29.1@sha256:3e1253477066eb2aefa91145f7f9038bb931ed88c8a3ee05310a933594cdba7d
Rendered manifests (kustomize build)
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
kustomize.toolkit.fluxcd.io/force: enabled
labels:
app: memos
name: memos
namespace: memos
spec:
replicas: 1
selector:
matchLabels:
app: memos
ingress: public
strategy:
type: Recreate
template:
metadata:
labels:
app: memos
ingress: public
spec:
containers:
- env:
- name: MEMOS_MODE
value: prod
- name: MEMOS_DRIVER
value: postgres
- name: MEMOS_DSN
valueFrom:
secretKeyRef:
key: uri
name: cnpg-app
- name: MEMOS_PORT
value: '5230'
image: neosmemo/memos:0.29.1@sha256:3e1253477066eb2aefa91145f7f9038bb931ed88c8a3ee05310a933594cdba7d
livenessProbe:
failureThreshold: 1
httpGet:
path: /
port: 5230
initialDelaySeconds: 15
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5
name: memos
ports:
- containerPort: 5230
name: web
protocol: TCP
readinessProbe:
failureThreshold: 1
httpGet:
path: /
port: 5230
initialDelaySeconds: 15
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
startupProbe:
failureThreshold: 1
httpGet:
path: /
port: 5230
initialDelaySeconds: 15
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5
volumeMounts:
- mountPath: var/opt/memos
name: memos-data
volumes:
- name: memos-data
persistentVolumeClaim:
claimName: memos