The Federal Private Cloud Initiative.

Opplet is an open-source research project building a sovereign, segmented ecosystem. We balance centralized utility with individual digital autonomy through a strict Tiered Zone Architecture.

The Philosophy

Moving beyond monolithic servers to federated resilience.

The Fragile Monolith

In traditional self-hosting, personal data (photos, finances) often lives on the same server as public services (websites, chat). If the public service crashes or is compromised, the private data goes down with it.

Opplet solves this by enforcing a Federal Separation between the "State" (Public Infrastructure) and the "Citizen" (Private Data).

Facility vs. Car

Opplet treats the infrastructure like a secure parking facility. You need a key card (SSO) to enter the building. But once you enter your private room (The Bunker) or your personal vehicle (VM), you are the sovereign owner.

Sovereignty First

Zone 1 (The Bunker) is designed to survive a total collapse of the corporate structure. It uses local authentication and physically separate hardware.

Liability Isolation

By strictly segmenting the "Academy" (Zone 4) from the "Private Suite" (Zone 1), we can offer learners root access and risky simulation tools without exposing the host to liability.

The 5-Zone Topology

Opplet organizes infrastructure based on trust levels and dependency chains.

Opplet Zone Architecture Diagram
ZONE 0 :: UTILITY LAYER
TRUST: ROOT
The critical "dial-tone" infrastructure. Must be online 24/7.

  • Hetzner Cloud VPS
  • OpenLDAP Registry
  • Grafana/Loki
  • Watchtower
  • Tailscale Gateway

ZONE 1 :: SOVEREIGN LAYER (The Bunker)
TRUST: OWNER ONLY
Physically isolated bare metal for private data and business logic. Air-gapped from learner traffic. Uses local auth.

  • Bare Metal Auction
  • Docker
  • n8n Automation Brain
  • Local Encrypted Storage

ZONE 2 :: GOVERNANCE LAYER
TRUST: ADMIN
The management plane for the public cloud. Handles SSO federation and orchestration.

  • Hetzner Dedicated AX52
  • Proxmox VE Host
  • Authentik SSO

ZONE 3 :: COMMUNITY LAYER (Production)
TRUST: AUTHENTICATED USERS
The primary workspace for staff and learners to collaborate.

  • GitLab CE
  • Jitsi Meet
  • HumHub & Discourse

ZONE 4 :: ACADEMY LAYER (Simulation)
TRUST: ZERO / UNTRUSTED
Isolated "Wild West" environment for learner VMs. Contains an internal simulated internet.

  • Learner VMs (Root Access)
  • Internal Technitium DNS
  • Internal Postfix Relay
  • Strict Egress Firewall

The Tech Stack

We build on proven, modern open-source foundations.

Infrastructure

  • Utility Cluster (Zone 0 VPS)
  • The Bunker (Zone 1 Metal)
  • The Lab (Zone 2-4 Metal)
  • Tailscale Mesh VPN

Identity & Security

  • OpenLDAP (Registry)
  • Authentik (Federation)
  • WireGuard (Encryption)
  • UFW / Fail2Ban

Observability

  • Grafana Dashboards
  • Loki (Log Aggregation)
  • Prometheus (Metrics)
  • Matomo (Privacy-first Tracking)

Automation & Apps

  • Docker Compose
  • n8n (Workflow Automation)
  • GitLab CE
  • Jitsi Meet

Current Status: Phase 1 Build

We are currently preparing the Zone 0 Utility Cluster and the Tailscale Mesh backbone. We are actively seeking senior engineers who understand this architecture and want to help build it.

Find our open roles on Upwork