## What Software Tools Do You Need When Starting a Business?

To directly answer the question: it depends. If you are starting a knitting or pottery business, you hardly need to host your own complex infrastructure (though a to-do list and a small ERP system might make sense). However, if your business is tech-adjacent and requires extensive project planning, there are plenty of free open-source solutions to choose from.

This guide is not intended to teach you how to set everything up from scratch; instead, it aims to give you a general overview of the tools available and save you the pain of tracking them down yourself. If there is enough interest, we may start a series of step-by-step tutorials on how to build this exact system from the ground up.

Most founders start with monthly SaaS subscriptions. This comes with the benefit of not having to worry about hosting your own tools. The major drawbacks, however, are the costs—especially for a young company on a tight budget—and the risk of vendor lock-in, which creates a dependency on products you might outgrow when your business takes off. Data privacy and GDPR compliance are a further concern.

Fortunately, there are great open-source solutions for almost every business need. They might not be perfect, but they are very close. With just a basic older computer, a couple of hard drives, and a few helper tools, you can build an IT infrastructure that will last for quite some time and cover almost all your needs.

**TLDR for the lazy:**

- **Proxmox:** A virtualization platform used to run and manage virtual machines and LXC containers.
- **pfSense:** A FreeBSD-based firewall and routing software used to secure and manage network traffic.
- **OpenZiti:** A zero-trust networking platform used to embed secure, overlay connectivity directly into software applications.
- **Authentik:** An identity provider (OIDC) used to manage user authentication, authorization, and single sign-on (SSO).
- **Vaultwarden:** A lightweight, Rust-based server implementation of the Bitwarden password manager.
- **Mattermost:** A self-hosted team communication and chat platform used for collaboration and workflow integration.
- **OpenCloud:** A self-hosted cloud platform used for file storage, sharing, and data synchronization.
- **Paperless-ngx:** A document management system used to scan, index, and archive physical documents into searchable digital files.
- **Vikunja:** A task management application used to create to-do lists, track projects, and organize workflows.
- **Outline:** A team wiki and knowledge base used to create and store internal documentation.
- **Penpot:** A web-based design and prototyping tool used to create user interfaces using native SVG.
- **ERPNext:** An enterprise resource planning system used to manage accounting, human resources, sales, and inventory.
- **Grafana:** A visualization tool used to query, chart, and alert on metrics, logs, and system data.
- **Open WebUI:** A web interface used to interact locally with self-hosted large language models.

### Base Infrastructure and Network Security

When it comes to self-hosting your services, there are two main options. You can either rent a Virtual Private Server (VPS) from a commercial provider like Hetzner or All-Inkl, or you can take the fully self-hosted route and run your services on a machine you own, control, and can upgrade as you go. We chose the latter approach. The information below applies to either scenario, though keep in mind that running this many services on rented hardware will generally be much more expensive.

#### Proxmox

To make your life easier and get the most out of your available hardware, you can deploy Proxmox as your foundational hypervisor. It allows you to run and manage both virtual machines and lightweight LXC containers in one place. It has a manageable learning curve and will definitely provide everything you need for self-hosting.
Thanks to a large, active community, you also have access to helper scripts that make installing services incredibly easy. The main things you will need to familiarize yourself with are how IP addresses and networks work, along with the basic Linux terminal toolset.

For the time being, we chose to use a simple zone and isolate critical services into different virtual networks (vNETs). Each is separated by a firewall and secured via OpenZiti (see below). This setup ensures that an issue in one service does not impact the broader infrastructure.

Additionally, you can run Proxmox Backup Server in a dedicated container directly on your Proxmox VE hypervisor. This allows you to configure snapshotting and easily back up your containers and their attached data. If you have another remote server running Proxmox, you can even schedule off-site backups to protect your data from physical disasters such as fire or water damage.

**Resources:**

- Project: [Project page](https://www.proxmox.com/de/produkte/proxmox-virtual-environment/uebersicht)
- Documentation: [Proxmox VE Documentation Index](https://pve.proxmox.com/pve-docs/)
- Youtube: [Automation Avenue](https://www.youtube.com/watch?v=Iz76KqzloJY)
- Youtube: [Koroma Tech](https://www.youtube.com/watch?v=orZ5LqUbTik)

#### pfSense

To protect your virtualized environment, strict network boundaries are necessary. Once you have fully separated your services into their respective VMs and LXCs, you need to restrict which services may talk to each other, over which protocols and which ports. pfSense lets you configure your firewall in full and install add-ons such as geoblocking and CrowdSec that block requests from unexpected locations outright. You can even use the built-in HAProxy as a reverse proxy for your service routing and TLS termination.
**Resources:**

- Documentation: [pfSense Documentation](https://docs.netgate.com/pfsense/en/latest/index.html)
- Youtube: [Lawrence Systems](https://www.youtube.com/watch?v=fsdm5uc_LsU)

### Implementing Zero Trust and Identity Management

If you want to prioritize the security of your infrastructure, you can go to the next level by applying the Zero-Trust framework to it. You can find more details about how we implemented Zero Trust in our network [here](/case-studies/zero-trust-architecture).

#### OpenZiti

OpenZiti is our tool of choice when it comes to zero trust. It is built on the idea that, rather than constructing one extremely secure network boundary, it is better to check identity and permissions at every node of the network and enforce mutual TLS between all parties taking part in a connection. To make this happen, OpenZiti spans an overlay network over the existing network for which you would typically define your firewall rules.

As the administrator of your network, you have the obligation and privilege to define which user, or rather entity, can access which services and via which routers. In Ziti, you do this via a central management unit called a controller, edge routers that sit between the overlay and your company's underlying network, and tunnelers placed directly at the participants (your PC/client and the services hosted on VMs and LXCs). Only clients with a certificate called an identity can talk to the public edge router, which in turn holds a certificate through which it can talk to the controller and the services. The controller defines the scope of permissions directly within the certificate.

To cut the explanation short, I want to add the concept of "dark fabric".
By adding not only a public edge router but also a private edge router, you can restrict clients to talking only to the public edge router, which then hands the requests off to the private edge router, which in turn terminates the request at the target service. The service replies to the private edge router, which hands the reply to the public edge router, which in turn returns it to the client. To the client, the service is invisible or "dark" because it can only interact with the public edge router, preventing port scanning and similar reconnaissance. You can find an illustration of this concept below.

**Resources:**

- Youtube: [OpenZiti](https://www.youtube.com/@OpenZiti)
- Documentation: [Official Documentation](https://openziti.io/)
- Community: [Discourse Group](https://openziti.discourse.group/)

#### Authentik

Managing user credentials across numerous isolated systems is a logistical challenge. Authentik serves as the central identity provider that solves this integration issue. By connecting every application via Single Sign-On, it creates a unified authentication layer that can be managed in one central place. Personnel log in once to gain role-appropriate access across the entire company ecosystem, significantly reducing administrative overhead.

Most services nowadays support OIDC, and Authentik has guides for all kinds of services that you can follow to set them up. The only tricky part is understanding how to build good flows for authentication, passkeys, and so on, though the basics already exist.

**Resources:**

- Project: [Authentik Project Page](https://goauthentik.io/)

#### Vaultwarden

Vaultwarden "is an alternative server implementation of the Bitwarden Client API." It is a great tool to use as a password manager. You host it on your own server; it is fully end-to-end encrypted and can be used from a browser, offline, and from a phone.
You can share passwords among the founders and manage which users in your company may access which passwords.

**Resources:**

- Project: [Github Page](https://github.com/dani-garcia/vaultwarden)

### Facilitating Communication and Data Management

Now that you have your network secured, your credentials stored, your authorization flows set up, and your services assigned to their dedicated containers, you can focus on the real work: collaborating with your peers. For day-to-day operations, you must be able to communicate, share documents, store them, and label them. The following tools take care of this beautifully.

#### Mattermost

Mattermost's self-hosted Entry Edition brings everything you need for basic communication with your team. You can jump on calls, organize yourselves into channels, and even use templated boards to structure tasks and progress. You can find detailed instructions for the installation [here](https://mattermost.com/install/). Through plugins, you can add video calls and extend your audio capabilities.

Besides these basic features, Mattermost writes audit-safe logs that track all user interactions, so nothing goes unnoticed. Permission-wise, access to resources like channels and boards can also be assigned granularly. Finally, Mattermost supports webhooks via its integrations to receive and send messages to and from external applications.

The only annoying part for small teams is that you cannot reply inline to the messages of others. It always opens a thread that can go unnoticed by your peers.

**Resources:**

- Installation: [Mattermost installation guide](https://mattermost.com/install/)

#### OpenCloud

OpenCloud offers you a proper file storage and collaboration solution. The collaboration feature is based on Collabora and lets you work on text files, spreadsheets, or presentations with your team. You can create spaces to distinguish between teams or projects and manage viewing and editing permissions.
Plugins like Draw.io or a calendar add nice perks to your file storage.

FYI: Originally, it started with Nextcloud, which offers a lot of built-in features (e.g., video calling) but is very resource-heavy. Nextcloud was forked by ownCloud. Then, ownCloud created ownCloud Infinite Scale (a rewrite from PHP to Go). After ownCloud was acquired by Kiteworks, a Silicon Valley-based company, the developers were prompted to leave and fork their own European open-source alternative, OpenCloud. Quite a story.

**Resources:**

- Main Page: [Opencloud](https://opencloud.eu/en)

#### Paperless-ngx

Unlike OpenCloud, Paperless lets you build a searchable document store out of all your stored files. You can create workflows that, upon upload, label your content according to preset rules or notify specific users of documentation edits to keep everyone informed. Paperless allows full customization of storage paths, so you can separate projects and company matters while still being able to share certain documents. You can make your labels shareable and create views to keep your most important files at your fingertips. The workflows also work from your mobile devices by installing the mobile app PaperNext (not an official app from Paperless), which you can download from your regular app store.

**Resources:**

- Installation: [guide](https://docs.paperless-ngx.com/setup/)

### Equipping Engineering and Design Teams

Now that we have file storage covered, we need to focus on the actual content of our files. Aside from writing code, you may need to design marketing content or your website, organize the little to-dos that you come across throughout the day, and, if time allows, write some documentation. The following open-source software is what gets the job done.

#### Vikunja

Vikunja is a handy to-do application that organizes your tasks across teams and projects. It features the usual attributes of a task and allows nesting, linking, and ownership of tasks.
As a bonus, you can view your to-dos as a list, table, Kanban board, or Gantt chart. All in all, it is very lightweight and easy to install.

**Resources:**

- Installation: [guide](https://vikunja.io/install/)

#### Outline

Within Outline, you gather findings, documentation of setups, and manuals. You can cluster content in so-called collections, which allow nesting. Each collection allows permission management to keep things private or share them with a target audience. A very handy feature is Outline's built-in Markdown support, so your documentation can easily be imported from or exported as .md files. In addition, you have plenty of embeddings like code blocks, Mermaid diagrams, math support, and other third-party applications. We mainly chose Outline for its live collaboration feature.

**Resources:**

- Installation: [guide](https://docs.getoutline.com/s/hosting/doc/hosting-outline-nipGaCRBDu)

#### Penpot

While the majority of programmers know Figma from their designer counterparts, Penpot is a very good open-source alternative to it. It offers almost the same features and has a very convenient porting mode that gives you the computed HTML and CSS output of a generated design.

Penpot truly shines through its token sets. You can create token sets that carry defined characteristics which can be used to style components. As we use Tailwind for styling our webpage, we developed a Tailwind token set which lets us design content in Penpot and retrieve the already Tailwind-like styling directly in our HTML and CSS. You can take a look at our Penpot design system [here](https://penpot.app/penpothub/libraries-templates/design-tokens-helionox).

**Resources:**

- Installation: [guide](https://penpot.app/self-host)
- Youtube: [Penpot Channel](https://www.youtube.com/@Penpot)

### Managing Business Administration and System Observability

Where there is a company, there is accounting.
If you plan on handling some or most of your accounting duties yourself, ERPNext is a great choice to self-host your chart of accounts, book transactions, and keep track of your inventory and balances. Monitoring, however, does not stop at accounting. You must also wield tools that can handle server and service logs and monitor the technical infrastructure that your company relies on.

#### ERPNext

ERPNext, as the name suggests, is a full-fledged enterprise resource planning system that combines HR and CRM tooling, inventory management, and a full accounting engine with a chart of accounts, transactions, and balancing. ERPNext is part of the ever-growing Frappe ecosystem. It comes from a company based in India whose mission is to provide free and open software. You can find more information [here](https://github.com/frappe/erpnext).

The nice part is that there are a few small German companies that provide all the regulatory financial frameworks required for ERPNext, making it perfect as a business application for any company. Furthermore, if there is a specific feature that you want to see in the tool, you can propose it and pitch in the development money for them to build it. This works via a crowdfund where many companies come together.

Although the installation is quite challenging, it is worth the trouble because it easily scales to several companies if you plan on expanding your corporate structure or founding a subsidiary. Of course, you can also delegate your entire financial obligations to a tax advisor, but we believe that a decent businessperson needs to know their numbers.

**Resources:**

- Main Page: [ERPNext](https://github.com/frappe/erpnext)
- Introduction: [Intro Documentation](https://docs.frappe.io/erpnext/introduction)

#### Grafana

A business owner must understand not only the financials but also what is happening on the company's servers.
Proper monitoring of logs, traces, and metrics is essential to guarantee high uptime and quick turnarounds when things go south. The Grafana stack pairs Prometheus for metrics with Loki for log aggregation and Tempo for traces.

**Resources:**

- Main Page: [Grafana](https://grafana.com/)

#### Open WebUI

We encourage the responsible use of AI, and we know that not all company information is suitable for a web-based LLM service. Open WebUI gives you a proper UI that connects to a vast number of LLMs, tools, skills, and prompts. You can freely choose which models your servers support and how much your hardware can handle. Note that to run LLMs on limited hardware you need quantized models, which reduce the heavy compute and memory demands of full-precision models. We use Ollama to serve the models and connect it to Open WebUI.

To reasonably run the models that can support typical work like summarization, rewrites, and so on, you will need a graphics card with a minimum of 16 GB of VRAM. If you want something that is worth your time, you should look into server GPUs, where good ones can cost you around 1000 EUR (note the cost of electricity as well).

**Resources:**

- Installation: [Open WebUI](https://docs.openwebui.com/getting-started/)
- Installation: [Ollama](https://docs.ollama.com/quickstart)

### Conclusion

Constructing a complete technological framework from the ground up requires a lot of thought. By integrating the open-source applications mentioned above, you can build a highly secure and cost-efficient infrastructure for your company. Feel free to expand this blueprint by adding more services of your liking (e.g., BentoPDF) to make it truly your own. We are sure that adopting this tech stack will get your startup going and scale with your growth. Let us know if you are interested in tutorials on how to set up those tools.
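As an appendix to the OpenZiti section above, here is an added example that is not part of the original post or of OpenZiti's code base: a reduced Python model of the three policy kinds an OpenZiti controller evaluates (service-policy with Dial/Bind, edge-router-policy, service-edge-router-policy) and its `#role`, `@name` and `#all` selectors, used to check which identity may reach which service through which edge router. The identity, service and router names and the dark-fabric layout (staff clients see only the public router, the hosting tunneler only the private one) are constructed for illustration.

```python
"""Reduced model of how an OpenZiti controller decides which identity may
reach which service through which edge routers.  Added illustration, not
OpenZiti's own code: the real controller uses the same three policy kinds
and '#role' / '@name' / '#all' selectors, but this is a simplified imitation."""


def selected(selectors, pool, semantic="AnyOf"):
    """Names in `pool` ({name: set_of_role_attributes}) matched by `selectors`.
    '#all' matches every entity, '@name' exactly one, '#attr' every entity
    carrying that role attribute.  AnyOf needs one hit, AllOf needs all."""
    def hit(sel, name, attrs):
        return sel == "#all" or sel == f"@{name}" or (sel[0] == "#" and sel[1:] in attrs)
    test = all if semantic == "AllOf" else any
    return {n for n, a in pool.items() if test(hit(s, n, a) for s in selectors)}


class Controller:
    def __init__(self, identities, services, routers):
        self.identities, self.services, self.routers = identities, services, routers
        self.service_policies = []         # (Dial|Bind, identity_roles, service_roles)
        self.router_policies = []          # (identity_roles, router_roles)
        self.service_router_policies = []  # (service_roles, router_roles)

    def _routers_for(self, name, pool, policies):
        out = set()  # union of routers granted by every policy selecting `name`
        for subject_roles, router_roles in policies:
            if name in selected(subject_roles, pool):
                out |= selected(router_roles, self.routers)
        return out

    def allowed_routers(self, identity, service, action):
        """Edge routers via which `identity` may Dial or Bind `service`.
        Empty set means denied: Ziti needs a matching service-policy AND at
        least one edge router permitted to both the identity and the service."""
        if not any(a == action and identity in selected(i, self.identities)
                   and service in selected(s, self.services)
                   for a, i, s in self.service_policies):
            return set()
        return (self._routers_for(identity, self.identities, self.router_policies)
                & self._routers_for(service, self.services, self.service_router_policies))


def dark_fabric_demo():
    """Constructed setup: staff reach only the public edge router, the hosting
    tunneler binds only via the private one, the service is allowed on both."""
    ctrl = Controller(
        identities={"alice-laptop": {"staff"}, "erp-host": {"erp-hosts"}},
        services={"erpnext": {"internal"}},
        routers={"public-er": {"public"}, "private-er": {"private"}},
    )
    ctrl.service_policies += [("Dial", ["#staff"], ["#internal"]),
                              ("Bind", ["#erp-hosts"], ["@erpnext"])]
    ctrl.router_policies += [(["#staff"], ["#public"]),       # staff never see private-er
                             (["#erp-hosts"], ["#private"])]  # host never uses public-er
    ctrl.service_router_policies += [(["#all"], ["#all"])]
    return ctrl
```

`dark_fabric_demo().allowed_routers("alice-laptop", "erpnext", "Dial")` yields only the public router, while a Dial attempt by the hosting identity or a Bind attempt by a staff client is denied with an empty set.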