Tech Stack

Advanced concepts and state-of-the-art implementations with our mastered technologies.

Ansible

Agentless Configuration Management for sovereign fleets

We use Ansible for reproducible bare-metal provisioning, OS hardening aligned with CIS and BSI Grundschutz, patch management and controlled rollouts across Linux and Windows fleets, network devices (Cisco, Juniper, MikroTik) and cloud or on-prem APIs — fully agentless and auditable.

Capabilities: idempotent roles, internal collections in private Git repositories, Vault-based secret handling, Molecule tests in CI, signed artifacts and integration with GitLab/Argo CD for GitOps-driven configuration management.

Typical use cases: building and maintaining Proxmox and OpenStack clusters, hardening regulated Linux servers (NIS2, critical infrastructure), automated compliance reports and rolling out new versions without maintenance windows.

Argo CD

GitOps delivery for sovereign Kubernetes platforms

Argo CD turns Git into the single source of truth for your entire Kubernetes estate. Every change flows through a pull request, is traceable, signed, auditable and continuously reconciled against the cluster — drift becomes visible and correctable.

Capabilities: app-of-apps and ApplicationSets for multi-tenant platforms, progressive delivery with Argo Rollouts (canary, blue/green, analysis backed by Prometheus metrics), multi-cluster control, RBAC via Keycloak/Authentik OIDC and sealed/age-encrypted secrets stored in Git.

We deliver: repository structures, promotion strategies between environments, emergency rollback processes and training — so releases ship reproducibly, reviewed and without manual kubectl interventions.

Authentik

Modern Identity Provider — GDPR-compliant and self-hosted

Authentik is a modern, Python-based open-source identity provider (IdP). It speaks OAuth2, OpenID Connect, SAML 2.0, LDAP and proxy authentication and is an excellent fit for centralised single sign-on across internal services, customer portals and SaaS integrations — fully on-premise or in sovereign EU cloud.

Capabilities: flexible authentication flows (drag-and-drop), multi-factor authentication (TOTP, WebAuthn/Passkeys, Duo), Outpost architecture for forward-auth in front of any web app, fine-grained RBAC, self-service password reset and brokering to Active Directory, LDAP, Google, GitHub and arbitrary OIDC providers.

We deliver: architecture, high availability, integration with existing directories, migration from Microsoft Entra ID/Okta/Auth0 and ongoing operations — a sovereign alternative without US cloud dependency.

Cilium

eBPF-based networking & zero-trust for Kubernetes

Cilium delivers the next generation of Kubernetes networking on top of eBPF: high-performance CNI without classic iptables bottlenecks, identity-based network policies (L3-L7), transparent encryption with WireGuard or IPsec and a full service mesh without sidecar overhead.

Capabilities: deep observability via Hubble (flows, DNS, HTTP, gRPC), multi-cluster mesh for disaster recovery and tenant separation, BGP integration for bare-metal setups, egress gateways with stable source IPs and compatibility with kube-proxy replacement for maximum performance.

We deliver: Cilium designs for regulated workloads (NIS2, critical infrastructure), migrations from Calico or Flannel, NetworkPolicy libraries built on zero-trust principles and training for your platform teams — so you can run network security as code.

Docker

Reproducible, signed container images

We build lean, reproducible container images with multi-stage builds, BuildKit caches, distroless and minimal base images and complete SBOMs (Syft). Every image is signed with cosign and transparently verifiable via sigstore/Rekor — the foundation for supply-chain security under SLSA.

Capabilities: secure defaults (rootless, read-only filesystems, capability drops), vulnerability scanning with Trivy or Grype in CI, automated Renovate-driven base image updates and private OCI registries on your own infrastructure (Harbor, GitLab Container Registry).

We deliver: build pipelines, image promotion strategies across stages, image hardening per CIS Docker Benchmark and training for your developer teams — so containers do not just run, but remain auditable in regulated environments.

Elasticsearch

Search and analytics platform under your control

We run Elasticsearch and OpenSearch self-hosted for full-text search, SIEM-style log and event analytics, application search, e-commerce indexes and audit trails — entirely on your infrastructure, GDPR-compliant and without data transfer to the US.

Capabilities: cluster designs with hot/warm/cold architectures, index lifecycle management, snapshot/restore to object storage, secure multi-tenancy with spaces and role-based access, OIDC integration with Keycloak/Authentik and performance tuning for large data volumes.

We deliver: search architectures for applications, SIEM and threat-hunting setups as a Splunk alternative, migrations between Elastic and OpenSearch, backup/DR strategies and training of your teams in Query DSL and KQL.

GitLab

Sovereign, integrated DevSecOps platform

We operate GitLab self-hosted as the central, sovereign platform for code, CI/CD, container registry, secrets, issue tracking and compliance — entirely on your infrastructure, GDPR-compliant and independent of GitHub.com or Atlassian cloud services.

Capabilities: end-to-end pipelines from commit to production with build, test, SAST/DAST, dependency scanning, container and IaC scanning, signed artifacts, merge-request reviews with four-eyes principle, plus audit logs and compliance reports out of the box.

We deliver: platform setup with high availability, backup/restore strategies, OIDC integration with Keycloak/Authentik, runner fleets on Kubernetes or bare metal, and migrations from GitHub Enterprise or Bitbucket — with clear training for your teams to operate it independently.

Grafana

Unified observability surface

Grafana is the central pane of glass for your entire platform: unified visualisation of metrics (Prometheus, Mimir), logs (Loki, Elasticsearch), traces (Tempo, Jaeger) and profiles (Pyroscope) in a single UI — fully self-hosted and free of external telemetry.

Capabilities: provisioning-as-code with Git-versioned dashboards, multi-tenant setups with Keycloak/Authentik OIDC, fine-grained RBAC, anomaly detection, unified alerting with templating and application/user-journey dashboards across multiple data sources.

We deliver: dashboard libraries for platform and applications, onboarding paths for new teams, secure embedding strategies for customer and management views and training — turning observability into a shared tool between dev, ops and business.

Helm

Structured Kubernetes packaging

Helm is our default way of making applications on Kubernetes packageable, versionable and reproducible. We build structured charts with JSON-schema-validated values, cleanly separated profiles for dev/staging/prod and secure defaults (resource limits, NetworkPolicies, PodSecurity).

Capabilities: distribution through internal OCI registries, signed charts (cosign), Renovate-driven lifecycle for upstream updates, compatibility tests in CI and clean migration paths on breaking changes.

We deliver: chart libraries for your application landscape, Argo CD integration with ApplicationSets, training for your developer teams and clear handover documentation — so you can run and evolve applications independently.

Keycloak

Sovereign Identity & Access Management

Open-source IAM with single sign-on, OpenID Connect, SAML 2.0, multi-factor authentication (TOTP, WebAuthn, FIDO2), federation and fine-grained authorization. GDPR-compliant identity management on-premise or in sovereign EU cloud — without dependency on Microsoft Entra ID, Okta or Auth0.

Typical use cases: central SSO for internal applications, B2B federation with partners, customer IAM for SaaS products, and hardening of regulated environments (BSI, ISO 27001, NIS2).

We deliver: realm design, brute-force and anomaly protection, brokering to Active Directory/LDAP, custom themes, high availability and secure backup/restore concepts.

Kubernetes

Sovereign Container Orchestration

We design, operate and harden production-grade Kubernetes clusters — preferably on European hardware, in GDPR-compliant EU data centers or fully on-premise. Self-healing, horizontal and vertical autoscaling, NetworkPolicies, RBAC, OPA/Gatekeeper policies and multi-tenant platforms come as standard.

Day-2 operations included: controlled cluster upgrades, backup/restore with Velero, disaster recovery, multi-cluster federation and automated patch management. We use exclusively CNCF open-source components — no proprietary lock-ins.

Typical SMB use cases: hyperscaler exit, building a sovereign platform for regulated workloads (BSI C5, ISO 27001, NIS2), and providing internal developer platforms with self-service.

Loki

Efficient, sovereign log aggregation

Loki is our log platform of choice: label-based indexing, cost-efficient storage in object storage (MinIO/S3), seamless Grafana integration and PromQL-like queries via LogQL — ideal for cloud-native workloads, audits and security analytics.

Capabilities: multi-tenant setup, high availability in microservices mode, long retention thanks to object storage, native correlation with metrics and traces, plus compliance features such as WORM buckets for tamper-proof logs.

We deliver: log pipelines with Promtail/Vector/Fluent Bit, structured log standards, alerting rules on logs, secure multi-tenant separation and migrations from Splunk or Elasticsearch — with significant cost reductions and full data control.

MinIO

S3-Compatible Object Storage — sovereign and scalable

On-premise object storage with full AWS S3 API compatibility, erasure coding, server-side encryption (SSE-S3, SSE-KMS), object locking (WORM), versioning and bucket replication — ideal as a drop-in replacement for AWS S3 in sovereign environments.

Use cases: backups (Veeam, Restic, Borg), data lakes, ML training data, archives, application storage and cloud-native workloads in Kubernetes — fully GDPR-compliant and without US cloud dependency.

We deliver: capacity planning, multi-site replication, identity federation via Keycloak, monitoring, lifecycle policies and integration into existing backup and data pipelines.

Nextcloud

GDPR-Compliant Collaboration — replace Microsoft 365 sovereignly

Self-hosted alternative to Microsoft 365 and Google Workspace: files (Nextcloud Files), calendar, contacts, mail, office (Collabora Online / OnlyOffice), chat (Talk) and video conferencing — fully under your own data sovereignty, on-premise or in sovereign EU cloud.

Schrems II-safe: no data transfer to the US, fully GDPR-compliant, BSI Grundschutz-ready, and approved for critical infrastructure, public sector and healthcare.

We deliver: architecture (high availability, object storage, full-text search), migration from Microsoft 365/Google Workspace including mail, file and calendar takeover, single sign-on via Keycloak, end-to-end encryption, backup and 24/7 support.

Nginx

Edge, reverse proxy and application gateway

We deploy Nginx as a high-performance edge and reverse proxy — for TLS termination with modern cipher suites, HTTP/2 and HTTP/3, rate limiting, geo-blocking, mTLS and as a caching layer in front of APIs, static assets and web applications.

Capabilities: ModSecurity or Coraza WAF integration aligned with the OWASP Core Rule Set, bot protection, OIDC forward-auth against Keycloak/Authentik, secure defaults aligned with BSI and Mozilla guidelines, and automated certificate rotation via Let’s Encrypt or your own CAs.

We deliver: high-availability setups (Keepalived, BGP, Anycast), performance tuning under load, observability via Prometheus exporters and migrations from commercial load balancers — all on European hardware or in your own data center.

OpenTofu

Sovereign Open-Source Alternative to Terraform

OpenTofu is the community-driven, MPL-licensed fork of Terraform under the Linux Foundation. Full HCL compatibility, identical providers, a clear roadmap without licence risk and an open ecosystem — ideal for organisations protecting long-term IaC investments against vendor lock-in.

Capabilities: end-to-end state encryption, module registry mirrors on your own infrastructure, compatible with existing Terraform modules and pipelines. We typically migrate existing Terraform estates including state takeover and pipeline adjustments within a few days.

We deliver: migration strategy, team training, integration into GitLab CI/Argo CD and the build-out of an internal module library — keeping you independent of single-vendor licence decisions.

PostgreSQL

Sovereign, highly available relational database

PostgreSQL is our default for serious workloads: ACID-compliant, high-performance, with a rich type system (JSONB, GIS, vector search via pgvector) and a vast open-source ecosystem — a sovereign alternative to Oracle, MS SQL Server and hyperscaler DBaaS offerings.

Capabilities: high availability via Patroni/CloudNativePG on Kubernetes or classic streaming replication, PITR backups with pgBackRest or WAL-G, logical replication for migrations, partitioning and connection pooling via PgBouncer.

We deliver: architecture reviews, performance tuning, secure defaults (transparent data encryption, row-level security), migrations from Oracle/MS SQL Server and training for your teams — so you can operate critical data under your own control, free of licence traps.

Prometheus

Sovereign metrics platform and alerting

Prometheus is the de-facto standard for cloud-native observability — we operate it as a central, sovereign metrics platform across Kubernetes, OpenStack, Proxmox, bare metal and applications. Service discovery, a multi-dimensional data model, PromQL and Alertmanager form the basis for meaningful dashboards and SLO-based alerting.

Capabilities: high availability via Thanos or Mimir, long-term storage in object storage (MinIO/S3), multi-tenancy, automatic scraping through the operator pattern and thousands of existing exporters for databases, network, hardware and applications.

We deliver: SLI/SLO workshops, alert libraries based on best practices (RED/USE), integration with existing on-call processes (OpsGenie, Alerta, Mattermost) and training — so your team can manage performance and availability issues proactively.

Proxmox VE

On-Premise Virtualization with Data Sovereignty

Open-source virtualization on your own hardware: KVM for VMs, LXC for lightweight containers, live migration across nodes, cluster HA with automatic failover and integrated, encrypted backups via Proxmox Backup Server.

Full control, zero vendor lock-in: your data never leaves your data center. Ideal as a VMware replacement, as a hyperscaler alternative for SMBs, and for GDPR/BSI-compliant environments with elevated protection requirements.

We deliver: cluster design, storage concepts (ZFS, Ceph), network segmentation, backup and disaster recovery plans, monitoring, and reproducible provisioning via Terraform/Ansible.

Redis

High-performance in-memory data store

We use Redis (or the open-licence fork Valkey) as an in-memory data store for caching, session storage, queues, pub/sub, streams and distributed rate limiting — with sub-millisecond latency and strong scalability, entirely on your infrastructure.

Capabilities: high availability via Sentinel or Redis Cluster, persistent storage (RDB/AOF), TLS encryption, ACLs for fine-grained access and modules for search, time-series and JSON — all as an open-source stack.

We deliver: architecture guidance (when Redis, when Postgres, when Kafka), migrations from ElastiCache or MemoryStore, hardening, monitoring with Prometheus exporters and training — so cache and messaging reliably contribute to platform performance.

Terraform

Declarative Infrastructure as Code for sovereign platforms

We deliver complete infrastructures as code — reusable modules for Proxmox, OpenStack, Kubernetes, Hetzner, IONOS, OVH and arbitrary on-premise APIs. Encrypted remote state under your control, workspaces, drift detection, plan reviews as pull requests and policy-as-code with OPA/Conftest or Sentinel.

Day-2 included: automated plan pipelines in GitLab CI, signed modules from internal registries, safe secret handling via OIDC logins (Keycloak/Authentik) instead of long-lived tokens, and disaster-recovery strategies for state backends.

Typical use cases: building sovereign multi-cluster platforms, hyperscaler exits with measurable migration phases, and reproducible setups for regulated workloads (BSI Grundschutz, ISO 27001, NIS2) — all fully auditable.

Traefik

Cloud-native ingress for Kubernetes and sovereign platforms

Traefik is our preferred ingress and edge router for Kubernetes, Docker and bare-metal setups: automatic service discovery, declarative configuration via CRDs, middleware pipelines for auth, rate limiting, header manipulation and canary routing.

Capabilities: Let’s Encrypt / ACME with DNS-01 challenges, OIDC and JWT auth against Keycloak/Authentik, mTLS between services, a plugin system for company-specific extensions and seamless observability via Prometheus, Loki and OpenTelemetry.

We deliver: multi-tenant ingress designs, secure defaults (TLS 1.3, hardened ciphers, HSTS), high availability with BGP/MetalLB, plus migrations from Nginx ingress or commercial API gateways — reproducible as code and entirely on your infrastructure.