Every tool we use. Every reason we chose it.
We run open source. Not because it's cheaper — because it means you're never locked in. Your data and your configuration belong to you, not to a vendor whose pricing can change overnight.
This page is a full inventory of our stack. If you're evaluating us as an infrastructure provider, this is where you verify that we know what we're doing.
Virtualization & Compute
| Tool | Role | Why |
|---|---|---|
| Proxmox VE | Hypervisor — KVM + LXC | Open source VMware alternative. ZFS-native, HA clustering, web UI, no per-core licensing. |
| Proxmox Backup Server | VM backup | Incremental, deduplicated, encrypted. Integrates natively with Proxmox VE. |
| ZFS | Storage filesystem | Copy-on-write, snapshots, deduplication, self-healing. Gold standard for storage reliability. |
Networking & Security
| Tool | Role | Why |
|---|---|---|
| OPNsense / pfSense | Perimeter firewall | Open source, full-featured, auditable. No vendor backdoors. |
| MikroTik | Core switching/routing | Proven, cost-effective, feature-rich for VLAN and BGP requirements. |
| WireGuard | VPN | Modern, fast, minimal attack surface. Replaces OpenVPN for most use cases. |
| Zenarmor | IDS/IPS | Deep packet inspection on OPNsense. Subscription-free for basic use. |
| Cloudflare | DNS, CDN, Zero Trust, Email Routing | Used as backend layer — not exposed to clients as part of the stack. |
Email
| Tool | Role | Why |
|---|---|---|
| iRedMail | Mail server suite | Postfix + Dovecot + Rspamd + admin panel. Production-ready, actively maintained. |
| Proofpoint | Security gateway | Industry-standard inbound/outbound filtering. Managed separately from mail server for defense-in-depth. |
| CrossBox | Webmail UI | Modern IMAP-connected webmail with chat and file sharing. White-label capable. |
→ tresor.email — our sovereign mail service for individuals and small teams who don't need a full managed deployment.
Cloud & Storage
| Tool | Role | Why |
|---|---|---|
| Nextcloud | File sync, calendar, contacts, collaboration | Self-hosted Google Drive / SharePoint replacement. CalDAV/CardDAV compatible. Largest self-hosted cloud platform. |
| OnlyOffice | Document editing | .docx/.xlsx/.pptx compatible. Real-time collaboration. Integrates natively with Nextcloud. |
| MinIO | S3-compatible object storage | High-performance, S3 API compatible. Used as backend for Nextcloud and application storage. |
| TrueNAS | NAS / high-throughput storage | ZFS-based NAS for workloads requiring high IOPS or large sequential I/O. |
| Synology | Backup NAS | Used for backup storage tiers. |
AI & GPU
| Tool | Role | Why |
|---|---|---|
| Ollama | Local LLM serving | Simple deployment, supports most open-weight models. Ideal for single-user and small team inference. |
| vLLM | High-throughput LLM serving | PagedAttention for efficient memory use. Production inference at scale. |
| LiteLLM | AI model gateway | Unified API endpoint across models. Key management, cost tracking, rate limiting, fallback routing. |
| Open WebUI | AI chat interface | ChatGPT-like interface for private models. Supports RAG, agents, and multi-model switching. |
| AnythingLLM | AI assistant + RAG | Document-connected AI assistant. Easier RAG setup than raw pipeline. |
| Qdrant | Vector database | High-performance vector search for RAG workloads. |
Identity & Access
| Tool | Role | Why |
|---|---|---|
| Keycloak | Identity provider | Enterprise-grade SSO, SAML, OIDC, LDAP. Broad app compatibility. |
| Authentik | Identity provider | Lighter alternative to Keycloak. Better UX, simpler deployment for smaller environments. |
Developer Tools
| Tool | Role | Why |
|---|---|---|
| Gitea / Forgejo | Git hosting | Lightweight GitHub alternative. GitHub-compatible API. Actions-compatible CI/CD. |
| Woodpecker CI | CI/CD | Simple, powerful, GitHub Actions-compatible. Lighter than GitLab CI. |
Monitoring
| Tool | Role | Why |
|---|---|---|
| Zabbix | Infrastructure monitoring (TOWER) | Battle-tested, agent-based and agentless, extensive check library. |
Automation & Integration
| Tool | Role | Why |
|---|---|---|
| n8n | Workflow automation | Visual workflow builder, 400+ integrations, self-hosted. Sovereign Zapier replacement. |
| Terraform | Infrastructure as code | Proxmox provider available. Reproducible infrastructure definitions. |
| Ansible | Configuration management | Agentless, simple, widely supported. Configuration drift detection. |
Hardware
| Platform | Role |
|---|---|
| HPE ProLiant | Primary server platform |
| Dell PowerEdge | Secondary server platform |
| Netgear | Access switching |
Own racks in Zagreb, Croatia and Vienna, Austria — EU jurisdiction, GDPR-governed.
For GPU workloads and scale compute, we extend to Hetzner (Germany) — EU-owned, EU-operated, cost-effective backbone for workloads that don't require our own datacenter presence. Hardware selection depends on workload requirements.
What's not in our stack
Microsoft — no Windows Server, no Active Directory, no Azure. By design.
VMware — replaced by Proxmox. No Broadcom licensing dependency.
AWS / Azure / GCP — we use Cloudflare as a network layer, but no hyperscaler infrastructure in the managed stack.
Proprietary hypervisors — no VMware, no Hyper-V, no vendor licensing dependency on the compute layer.
Note — we do use a small number of proprietary tools where no open source equivalent meets the requirement: Proofpoint for mail security, CrossBox for webmail. Both are replaceable without data loss or migration complexity.
Questions about the stack?
If you're evaluating specific components, have compatibility questions, or want to understand how we'd deploy for your requirements — request access and we'll get into the details.