PILOT BOOK GUIDES / OPERATIONAL NOTES

Pilot Book: Business Stack

Replacing Microsoft 365 and Google Workspace with a self-hosted sovereign stack.

What you're building

A complete business collaboration stack: mail, file storage and sharing, document editing, calendar and contacts, team chat, and video — all self-hosted, all open source (mostly), all EU jurisdiction.

The equivalent of Microsoft 365 or Google Workspace, running on infrastructure you control.

The components

Function Tool What it replaces
Mail iRedMail + Roundcube or Snappymail Exchange / Gmail
Files Nextcloud OneDrive / Google Drive / SharePoint
Documents OnlyOffice (via Nextcloud) Word / Docs
Calendar Nextcloud Calendar Outlook Calendar / Google Calendar
Contacts Nextcloud Contacts Outlook Contacts / Google Contacts
Chat Mattermost Teams / Slack
Video Jitsi Meet Teams / Zoom / Meet
Identity Authentik Azure AD / Google SSO

Note on the mail row: In self-hosted deployments, Roundcube or Snappymail are the open source webmail options. For spam filtering, Rspamd (included in iRedMail) is the self-hosted choice. In PILOT managed deployments we add Proofpoint as a security gateway and CrossBox as a more polished webmail UI — both proprietary, both optional upgrades.

Server requirements

Minimum for 20 users:

  • Nextcloud server: 4 vCPU, 8GB RAM, 500GB+ storage
  • Mail server: 2 vCPU, 4GB RAM, 100GB storage
  • Chat/Video server: 4 vCPU, 8GB RAM (Jitsi is resource-intensive under load)
  • Identity server: 2 vCPU, 2GB RAM

Total: 12 vCPU, 22GB RAM, 600GB+ storage across 4 VMs (or combined on fewer, larger VMs).

Scale storage independently of compute — storage grows with user files, compute requirements are relatively stable.

Nextcloud: the centerpiece

Nextcloud is the most complex component to deploy correctly. The easy part is installation. The hard parts are performance tuning, background jobs, and caching.

# Docker Compose deployment (simplified)
version: '3'
services:
  nextcloud:
    image: nextcloud:latest
    environment:
      - POSTGRES_HOST=db
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      - POSTGRES_PASSWORD=your-password
      - REDIS_HOST=redis
    volumes:
      - nextcloud-data:/var/www/html
    depends_on:
      - db
      - redis

  db:
    image: postgres:16
    volumes:
      - db-data:/var/lib/postgresql/data

  redis:
    image: redis:alpine

Critical configuration after installation:

  1. Enable Redis for file locking (prevents corruption under concurrent access)
  2. Configure cron for background jobs (not AJAX — use system cron)
  3. Set up object storage backend for files if you have >500GB
  4. Configure SMTP for notifications
  5. Install and configure OnlyOffice Document Server as a separate container

OnlyOffice requires its own server with 4GB+ RAM. It is resource-hungry. If budget is tight, use Collabora Online instead — lighter, less Word-compatible.

Calendar and contacts sync

Nextcloud Calendar and Contacts use CalDAV and CardDAV — standard protocols supported natively by iOS, Android, macOS, and Windows.

iOS: Settings → Mail → Accounts → Add Account → Other → Add CalDAV Account. Server: your-nextcloud-url/remote.php/dav

Android: Install DAVx⁵ from F-Droid. Connect to your Nextcloud URL. Sync runs automatically.

macOS: System Preferences → Internet Accounts → Add Other Account → CalDAV/CardDAV account.

This is significantly better than it was 3 years ago. The main friction: initial setup per device. After that, sync is automatic and reliable.

Mattermost: team chat

Mattermost is the closest self-hosted equivalent to Slack. The free tier supports unlimited message history (Slack archives after 90 days on free) and unlimited integrations.

mattermost:
  image: mattermost/mattermost-team-edition:latest
  environment:
    - MM_SQLSETTINGS_DRIVERNAME=postgres
    - MM_SQLSETTINGS_DATASOURCE=postgres://mattermost:password@db/mattermost
  volumes:
    - mattermost-data:/mattermost/data
    - mattermost-logs:/mattermost/logs
    - mattermost-config:/mattermost/config

Connect Mattermost to Authentik via SAML or OAuth. When users log into Mattermost, they authenticate against Authentik — same credentials as Nextcloud and everything else.

Integrate Mattermost with Nextcloud for file sharing directly in channels. Install the Nextcloud integration from the Mattermost marketplace.

Jitsi Meet: video

Jitsi is the most resource-intensive component. Video transcoding is CPU-heavy.

Minimum for reliable video: 4 vCPU, 8GB RAM for up to 10 simultaneous participants. Scale up for larger meetings.

# Quick start with Docker
git clone https://github.com/jitsi/docker-jitsi-meet
cd docker-jitsi-meet
cp env.example .env
# Edit .env: set strong passwords, your domain, HTTPS
docker-compose up -d

TURN server (coturn): required for participants behind NAT (most corporate networks, home offices). Without coturn, video will fail for many users. Configure coturn before declaring Jitsi production-ready.

Authentik: tying it together

Authentik is the identity layer that makes the stack feel integrated. One login for everything.

Install Authentik, create providers for each application (Nextcloud, Mattermost, Woodpecker, etc.), and configure each application to use Authentik for authentication.

When a new employee joins: create one Authentik account. They get access to everything. When someone leaves: disable their Authentik account. Access revoked everywhere.

Authentik also handles MFA centrally. Enable TOTP or hardware key (FIDO2/WebAuthn) at the Authentik level — all applications inherit it.

What breaks

Nextcloud performance — unconfigured Nextcloud is slow. Redis caching and system cron are not optional. Without them, large file uploads fail and the web UI is painful.

OnlyOffice memory — OnlyOffice Document Server uses 2–3GB RAM just idling. On a small server this is a problem. Budget accordingly or use Collabora instead.

Mobile sync reliability — CalDAV/CardDAV sync on Android is less reliable than iOS. DAVx⁵ helps but requires user setup. Budget time for per-device support.

Jitsi under load — Jitsi works well for 1:1 and small group calls. Large all-hands meetings (50+ participants) require a more complex deployment with multiple videobridges (JVB). Not a quick setup.

User resistance — "this isn't Outlook" is a real friction point. The interfaces are different. Give people 2 weeks to adjust before responding to complaints.

Honest cost breakdown

Infrastructure

  • 4 VMs as described: €80–150/month depending on provider
  • Storage growth: budget €20–30/TB/month
  • Total ongoing: €100–200/month for 20–50 users

vs. Microsoft 365 Business Standard €12.50/user/month × 20 users = €250/month. Plus Copilot if you're using it. Self-hosted: €100–200/month infrastructure + your maintenance time.

Time investment

  • Initial setup: 20–40 hours
  • Ongoing: 4–6 hours/month (updates, user support, monitoring)
  • Major incidents: 2–4 per year, 2–8 hours each

Or let PILOT run it

Business Stack mission package — the full stack, managed, on sovereign EU infrastructure.

Request access →