Why We Built a Self-Hosted FOSS Infrastructure in the EU

by Rasmus Jensen, Founder & Software Engineer

1. Introduction

Many small software companies start by relying on Big Tech SaaS platforms for source code hosting, documentation, authentication, monitoring, and internal processes. These services are convenient but come with increasing costs, vendor lock-in, and limited control over where data is stored. Because of the changing geopolitical landscape and the EU's increasing focus on digital sovereignty, we also saw value in keeping our internal systems and data fully under our own control and inside the EU. As a small Danish development team, we looked closely at what we actually need in order to operate efficiently and securely.

Our requirements turned out to be simple: Git hosting, documentation, password management, identity, monitoring, reliable backups, and file management. We do not need enterprise-scale workflow engines or large automation frameworks. What we want is stability, predictable costs, and full control over our internal environment.

This led us to build a fully self-hosted internal platform based on FOSS (Free and Open Source Software). Even though many of the tools we use are not developed inside the EU, their open-source nature allows us to operate them ourselves on EU infrastructure. Jurisdiction is determined by where the software runs, not where it was written. By hosting everything inside the EU, we ensure that all operational data remains under European governance and aligned with EU expectations for privacy and security.

2. Why We Moved Away From Big Tech

Our decision to move away from Big Tech services was practical. As a small company, we can save a significant amount of money by hosting our own internal tools. SaaS platforms typically charge per user or per feature, and these recurring costs grow quickly even when our needs remain simple. Our entire platform costs around 10 to 11 euros per month.

The main server is a Hetzner CX33 instance, which currently costs about 5.49 euros per month for 4 vCPUs, 8 GB RAM, and 80 GB SSD. Encrypted backups are stored in Hetzner's EU-based Object Storage, which costs 4.99 euros per month and includes 1 TB of storage and 1 TB of traffic before additional usage is billed. These prices remain stable and predictable. There are no extra costs for additional users, repositories, passwords, or documentation, which allows us to scale our work without scaling our expenses.

We also avoid unnecessary complexity. Large SaaS platforms include extensive enterprise features that we do not require. By selecting FOSS tools that do exactly what we need, we reduce operational overhead and remove reliance on external vendors. Because we host everything ourselves, we decide how long logs are kept, how access is controlled, and how authentication is configured. This makes ISO 27001 alignment easier and more cost-effective.

3. FOSS Tools and EU Data Residency

The tools we use are not exclusively developed in the EU, but they are genuine open-source projects with OSI-approved licenses such as Apache 2.0, MIT, AGPLv3, and GPLv3. This gives us full control over how the software runs and how data is handled.

Data residency and legal jurisdiction depend on the location of the servers, not the origin of the developers. Since we host all services on Hetzner servers located within the EU, all logs, authentication events, backups, documentation, and files remain inside EU borders and protected by EU law. No foreign cloud provider processes our internal data. This supports privacy requirements, security expectations, and long-term stability.

4. Private EU-Based Network and VPN Access

Our environment runs entirely inside a private network hosted in the EU. None of the internal services are exposed to the public internet. The only publicly reachable component is the WireGuard VPN port. Once authenticated through WireGuard, team members enter a secured internal environment using private IPs. This creates a simple and strong security boundary that limits exposure and reduces attack surface.

5. Centralized Identity Using Keycloak and FIDO2

Identity is central to our security model and to ISO 27001 readiness. We use Keycloak for authentication, multi-factor authentication, and single sign-on.

Administrative accounts must authenticate using FIDO2 hardware keys, which significantly reduces the risk of phishing and password-based attacks and supports stronger control over privileged access. Access rights are controlled through Keycloak groups, ensuring that all services follow the same consistent identity model, with auditable permissions and clear role separation.

6. Internal Productivity Tools Based on FOSS

For daily development work, we use Gitea for source code hosting and lightweight project management, Wiki.js for documentation and ISO processes, Vaultwarden for password management, and Nextcloud for internal file management.

Gitea covers what we need for planning and coordination through built-in issues, milestones, and project boards. That means we do not need a separate project management platform with its own access control model.

Nextcloud gives us practical file management and sharing while still fitting into our identity-first approach. We connect Nextcloud to Keycloak and use group-based access, so permissions remain consistent across our internal services. This keeps file access auditable and avoids the separate login and separate permissions problem that often appears when mixing many SaaS tools.

All services run in Docker and authenticate through Keycloak. These tools are lightweight, reliable, and easy to maintain. Since they are self-hosted, our repositories, documentation, files, and credentials never leave EU-controlled infrastructure.

7. HTTPS, Reverse Proxy, and Certificate Management

We use Nginx as a reverse proxy to handle HTTPS for all internal services. Certificates are issued automatically by Let's Encrypt using DNS-01 validation. Because DNS-01 proves control of a domain through a DNS record rather than an inbound HTTP request, no service has to be reachable from the internet to obtain or renew a certificate. This ensures encryption without requiring any additional public service exposure beyond the VPN endpoint.

8. Logging, Metrics, and Authentication Monitoring

Log aggregation and monitoring are handled by Promtail, Loki, Prometheus, and Grafana. Promtail forwards logs from all services into Loki, and Grafana provides visual dashboards secured with Keycloak. Prometheus collects metrics across the platform, including failed login attempts, lockouts, and authentication performance from Keycloak. This helps us detect unusual activity early and maintain strong oversight. These capabilities support ISO 27001 monitoring and incident detection requirements.
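As an added example, not tooling from the original post, the following Python shows the kind of detection this monitoring supports: it scans aggregated log lines for bursts of failed Keycloak logins from one address or against one account, and lists lockout events. The sample lines are constructed and only follow the general shape of Keycloak's event log (`type=LOGIN_ERROR, ipAddress=..., username=...`); the threshold, the window and the exact line layout are assumptions to adjust per deployment. The same rule can be expressed as a LogQL query in Loki or a Grafana alert, but plain Python over a list of lines makes the logic explicit.

```python
"""Burst and lockout detection over Keycloak event log lines.

Added example, not part of the original post. The sample lines below are
constructed and only follow the general shape of Keycloak's event log
(type=..., ipAddress=..., username=...); threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")
THRESHOLD = 5                  # LOGIN_ERROR events per source before alerting
WINDOW = timedelta(minutes=5)  # sliding window the threshold applies to


def _line(ts, **kv):
    """Build one constructed log line in the shape of a Keycloak event entry."""
    fields = ", ".join(f"{k}={v}" for k, v in kv.items())
    return f"{ts},000 WARN  [org.keycloak.events] (executor-thread-1) {fields}"


def _fail(ts, ip, user, error="invalid_user_credentials"):
    return _line(ts, type="LOGIN_ERROR", realmId="internal", clientId="gitea",
                 ipAddress=ip, error=error, username=user)


# Constructed sample: one address trying six different usernames within two
# minutes, one normal login, and a lockout of "alice" from another address.
SAMPLE_LOG = [
    _fail("2025-01-10 08:00:01", "10.8.0.23", "alice"),
    _fail("2025-01-10 08:00:15", "10.8.0.23", "bob"),
    _fail("2025-01-10 08:00:40", "10.8.0.23", "carol"),
    _fail("2025-01-10 08:01:02", "10.8.0.23", "dave"),
    _fail("2025-01-10 08:01:30", "10.8.0.23", "erin"),
    _fail("2025-01-10 08:01:55", "10.8.0.23", "frank"),
    _line("2025-01-10 08:02:10", type="LOGIN", realmId="internal", clientId="wikijs",
          ipAddress="10.8.0.5", username="bob"),
    _fail("2025-01-10 08:05:00", "10.8.0.77", "alice", error="user_temporarily_disabled"),
]


def parse_event(line):
    """Return (timestamp, fields) for a Keycloak event line, or None for other lines."""
    if "org.keycloak.events" not in line:
        return None
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fields = dict(FIELD_RE.findall(line.split("org.keycloak.events", 1)[1]))
    return ts, fields


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [((kind, value), timestamp, count)] for every source that reaches
    `threshold` LOGIN_ERROR events inside `window`. Keying on both the address
    and the username catches one address rotating usernames as well as one
    account sprayed from many addresses; each source is reported once per burst."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None or parsed[1].get("type") != "LOGIN_ERROR":
            continue
        ts, f = parsed
        for key in (("ip", f.get("ipAddress")), ("user", f.get("username"))):
            if key[1] is None:
                continue
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                if key not in alerted:
                    alerts.append((key, ts, len(q)))
                    alerted.add(key)
            else:
                alerted.discard(key)
    return alerts


def lockouts(lines):
    """Return (timestamp, username, ipAddress) for every brute-force lockout event."""
    out = []
    for line in lines:
        parsed = parse_event(line)
        if parsed and parsed[1].get("error") == "user_temporarily_disabled":
            out.append((parsed[0], parsed[1].get("username"), parsed[1].get("ipAddress")))
    return out


if __name__ == "__main__":
    for key, ts, count in detect_bursts(SAMPLE_LOG):
        print(f"{ts} burst from {key[0]}={key[1]}: {count} failures in {WINDOW}")
    for ts, user, ip in lockouts(SAMPLE_LOG):
        print(f"{ts} lockout of {user} triggered from {ip}")
```

On the constructed sample the address 10.8.0.23 crosses the threshold at its fifth failure, while no single username does, which is exactly why the detector keys on both dimensions. In production the window state would be kept per process, with the lines streamed from Loki rather than held in a list.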

9. Encrypted Backups and Disaster Recovery

We use Restic to perform encrypted backups of all critical components, including Keycloak, Gitea, Wiki.js, Vaultwarden, Nextcloud data, configuration files, and TLS certificates.

Backups are stored in Hetzner's EU-based Object Storage. Restore testing is performed regularly to ensure reliable recovery. All backups stay inside the EU and remain fully encrypted.
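The following Python is an added example of what a regular restore test can look like; it is not the backup tooling from the original post. It drives the documented restic commands (`backup`, `check`, `restore ... --target ... --include`) through `subprocess`, restores the latest snapshot into a scratch directory, and compares a SHA-256 manifest of the restored tree against the live source, so a restore that silently lost or altered a file is reported rather than assumed good. The repository URL, bucket and backup paths are placeholders; restic reads `RESTIC_PASSWORD` and the S3 credentials from the environment, which this script does not set.

```python
"""Restore test for restic backups: compare a restored tree with the source.

Added example, not the post's own backup tooling. restic is invoked with its
documented CLI flags; repository endpoint, bucket and paths are placeholders.
The comparison functions are pure Python and work on any two directories.
"""
import hashlib
import os
import subprocess
import tempfile
from pathlib import Path

# Placeholder: Hetzner Object Storage is S3-compatible, so restic addresses it
# as s3:<endpoint>/<bucket>. Password and S3 keys come from the environment.
RESTIC_REPOSITORY = "s3:https://OBJECT-STORAGE-ENDPOINT/BACKUP-BUCKET"
BACKUP_PATHS = ["/srv/keycloak", "/srv/gitea", "/srv/wikijs", "/srv/vaultwarden",
                "/srv/nextcloud", "/etc/nginx", "/etc/letsencrypt"]  # placeholders


def restic(*args):
    """Run one restic command against RESTIC_REPOSITORY and return its stdout."""
    env = dict(os.environ, RESTIC_REPOSITORY=RESTIC_REPOSITORY)
    proc = subprocess.run(["restic", *args], env=env, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def manifest(root):
    """Map each regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(src, dst):
    """Return {'missing', 'changed', 'extra'} lists; all empty means the restore is faithful."""
    return {
        "missing": sorted(set(src) - set(dst)),
        "changed": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
        "extra": sorted(set(dst) - set(src)),
    }


def verify_restore(source, restored):
    return compare_manifests(manifest(source), manifest(restored))


def restore_test(source_path):
    """Back up, verify repository integrity, restore one path and diff it."""
    restic("backup", *BACKUP_PATHS)
    restic("check")
    with tempfile.TemporaryDirectory() as scratch:
        restic("restore", "latest", "--target", scratch, "--include", source_path)
        # restic recreates the absolute source path underneath --target
        return verify_restore(source_path, Path(scratch) / source_path.lstrip("/"))


def demo_verify():
    """Constructed demonstration: a restore that lost one file and changed another."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        trees = ((src, {"data/app.db": b"v1", "config/nginx.conf": b"server {}"}),
                 (dst, {"data/app.db": b"v2"}))
        for base, files in trees:
            for rel, content in files.items():
                path = Path(base) / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(content)
        return verify_restore(src, dst)


if __name__ == "__main__":
    print(demo_verify())   # run restore_test("/srv/gitea") on a real host instead
```

A scheduled job can fail loudly (non-zero exit, alert into Grafana) whenever any of the three lists is non-empty, which turns "restore testing is performed regularly" into a check with a recorded result.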

10. Hardening and ISO 27001 Alignment

We follow a structured hardening process that includes MFA enforcement, least privilege access, log retention, credential rotation, review of VPN peers, and consistent service configuration. Running everything inside a controlled environment with centralized logging and identity makes ISO 27001 alignment significantly easier.

11. Controlled Integrations With an MCP Server

As we improve productivity, we also want to improve how our internal systems connect to developer tooling and AI assistants, without weakening security or compliance.

We are planning to build an MCP server (Model Context Protocol server) that can connect to Wiki.js and Gitea in a controlled way. The goal is not to expose everything. The goal is to provide a strictly limited integration surface with clear rules, so we can enable useful automation while staying compliant.

In practice, a compliant MCP approach means we can:

  • restrict which repositories, issues, and wiki spaces can be accessed
  • enforce authentication and authorization through Keycloak
  • log and audit every request and response that flows through the integration
  • apply rate limiting, token scoping, and environment separation
  • prevent accidental data leakage by limiting what the MCP server is allowed to return

This is the same design principle we apply elsewhere. We prefer small, well-defined integration points with strong identity controls, rather than broad access from many different tools.
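The policy layer such an integration needs can be written independently of any particular MCP SDK. The following Python is an added example, not code from the original post or from any MCP project: it implements the five controls listed above (resource allowlists, scoped tokens, rate limiting with environment separation, an audit record for every request and response, and limiting what may be returned) as a gate that a tool handler calls before it touches Gitea or Wiki.js. The tool names, the `mcp:` scope names and the backend data are constructed stand-ins.

```python
"""Policy gate for an MCP server in front of Gitea and Wiki.js.

Added example, independent of any MCP SDK. Tool names, "mcp:" scope names and
the backend data are constructed; in a real deployment the Token fields would
come from a Keycloak access token and the data from the Gitea/Wiki.js APIs.
"""
import hashlib
import re
import time
from dataclasses import dataclass, field

# Allowlists: the only resources the integration may ever read.
ALLOWED_REPOS = {"internal/platform-docs", "internal/backup-scripts"}
ALLOWED_WIKI_SPACES = {"iso-processes", "runbooks"}

# Each tool requires exactly one scope, carried in the Keycloak-issued token.
SCOPES_FOR_TOOL = {"gitea.read_issue": "mcp:gitea:read", "wiki.read_page": "mcp:wiki:read"}

MAX_RESPONSE_BYTES = 4096
SECRET_RE = re.compile(r"(?i)\b(password|token|secret)\s*[:=]\s*\S+")

# Constructed stand-ins for Gitea issue bodies and Wiki.js page content.
GITEA_ISSUES = {("internal/platform-docs", 12): "Rotate the restic key; password=hunter2 is the old value."}
WIKI_PAGES = {("runbooks", "restore-test"): "1. restic restore latest --target /tmp/restore-test"}


@dataclass(frozen=True)
class Token:
    subject: str          # Keycloak user or service account
    scopes: frozenset     # granted mcp:* scopes
    environment: str      # "prod" or "staging"; must match the gate's environment


@dataclass
class Gate:
    environment: str
    rate_per_minute: int = 30
    audit: list = field(default_factory=list)
    _calls: dict = field(default_factory=dict)

    def call(self, token, tool, args, now=None):
        """Authorize and execute one tool call; never raises, always audits."""
        now = time.time() if now is None else now
        try:
            result = self._authorize_and_run(token, tool, args, now)
            response = {"ok": True, "result": result}
        except (PermissionError, KeyError) as exc:
            response = {"ok": False, "error": str(exc).strip("'")}
        # Every request and response is recorded. The response body is kept as a
        # digest plus length so the audit trail itself never holds secrets.
        body = response.get("result", "")
        self.audit.append({
            "ts": now, "subject": token.subject, "tool": tool, "args": dict(args),
            "ok": response["ok"], "error": response.get("error"),
            "response_sha256": hashlib.sha256(body.encode()).hexdigest(),
            "response_bytes": len(body),
        })
        return response

    def _authorize_and_run(self, token, tool, args, now):
        if token.environment != self.environment:
            raise PermissionError("token issued for another environment")
        needed = SCOPES_FOR_TOOL.get(tool)
        if needed is None or needed not in token.scopes:
            raise PermissionError(f"tool {tool} requires scope {needed}")
        if self._rate_limited(token.subject, now):
            raise PermissionError("rate limit exceeded")
        if tool == "gitea.read_issue":
            if args["repo"] not in ALLOWED_REPOS:
                raise PermissionError("repository not allowlisted")
            body = GITEA_ISSUES.get((args["repo"], args["number"]))
        else:  # wiki.read_page
            if args["space"] not in ALLOWED_WIKI_SPACES:
                raise PermissionError("wiki space not allowlisted")
            body = WIKI_PAGES.get((args["space"], args["page"]))
        if body is None:
            raise KeyError("resource not found")
        return limit_response(body)

    def _rate_limited(self, subject, now):
        """Fixed 60-second sliding window per subject; denied calls do not count."""
        recent = [t for t in self._calls.get(subject, []) if now - t < 60]
        self._calls[subject] = recent
        if len(recent) >= self.rate_per_minute:
            return True
        recent.append(now)
        return False


def limit_response(text):
    """Redact credential-looking fragments and cap the size returned to the model."""
    redacted = SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
    return redacted[:MAX_RESPONSE_BYTES]
```

The gate denies by default: an unknown tool, a missing scope, a repository outside the allowlist or a token from another environment all produce the same shape of error response, which the MCP server returns to the assistant without a stack trace, while the audit list is what would be shipped to Loki.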

12. Conclusion

By building a self-hosted platform based entirely on FOSS and operating it on EU-based infrastructure, we have created a secure, cost-effective, and transparent environment that meets the needs of a small Danish development team. We maintain full control over identity, logging, documentation, files, passwords, monitoring, and backups. Our data never leaves European jurisdiction, our costs stay predictably low, and our internal platform remains fully under our control.

This approach gives us stability, independence, and a strong foundation for ISO 27001 compliance. It supports our work without unnecessary complexity and keeps our internal systems entirely under our own control.
