Software Stack
Opplet Operations: Software Stack Manifest
You're reading the public edition of Software Stack. The working source — drafts, change discussion, and member resources — lives in the community library.
Purpose and Scope
This document records the software running on every node in the enclave — operating systems, the hypervisor layer, the container runtime, and the deployed version of each service. It is the software companion to the Hardware Manifest: where that document records the physical machines and their RAM allocations, this one records what runs on them.
Like the Hardware Manifest, it is operational truth, not architectural law. Software upgrades update this document; they do not bump the Constitution. The Constitution and the per-service architecture define which services exist and why; this Manifest records which versions are deployed right now.
Version cells marked TBD are known gaps to be captured during the next operational review (see §8).
1. Platform Baseline
The common substrate shared across nodes.
| Layer | Software | Version |
|---|---|---|
| Hypervisor (all Hetzner physical nodes) | Proxmox VE on Debian | TBD |
| Den OS (Gateway + Engine VPSs) | Ubuntu Server (current LTS) | TBD |
| Container runtime (Den Engine) | Docker | TBD |
| Edge router | OPNsense | TBD |
| Private mesh (Den) | Tailscale | TBD |
Hetzner physical nodes (Manor, Annex, Outpost) run Proxmox VE on Debian per Constitution §5E and Hardware Manifest §7. The Den VPSs run Ubuntu Server directly — native services on the Gateway, Docker on the Engine, no nested hypervisor.
2. The Den — Zone 1 (Sovereign Life)
2A. Gateway VPS (“The Front Door”) — native services, no Docker
| Component | Software | Version |
|---|---|---|
| Mail | Exim + Dovecot + SpamAssassin | TBD |
| Telephony | FreePBX / Asterisk | TBD |
| Reverse proxy | Nginx | TBD |
| Web control panel | TBD | TBD |
2B. Engine VPS (“The Workshop”) — Docker containers
| Component | Software | Version |
|---|---|---|
| Personal Identity & SSO | TBD | TBD |
| File sync & storage | TBD | TBD |
| Automation glue | TBD | TBD |
| Personal CRM | TBD | TBD |
| Personal Finance | TBD | TBD |
| Personal Task Management | TBD | TBD |
| CalDAV / CardDAV | TBD | TBD |
| Personal Dashboard | TBD | TBD |
| Credential storage | TBD | TBD |
The Hardware Manifest specifies these Engine workloads by function and RAM only; the specific products and versions are recorded here once captured.
3. The Manor — Zones 0, 2 (Sovereign Core)
3A. Zone 0 — Basement
| Component | Software | Version |
|---|---|---|
| Business identity | Authentik-Business | TBD |
| Directory | LDAP-Alpha (OpenLDAP) | TBD |
| Observability (Watchtower) | Wazuh + Loki + Grafana + Matomo | TBD |
| Automation | n8n-Alpha | TBD |
| Private documentation | BookStack-Alpha | TBD |
| Credential vault | Vaultwarden-Biz | TBD |
| Edge router | OPNsense | TBD |
3B. Zone 2 — Office
| Component | Software | Version |
|---|---|---|
| Finance / inventory / recruitment | ERPNext (the Bursar) | TBD |
4. The Annex — Zones 3, 4 (Delivery Edge)
4A. Zone 3 — Kitchen
| Component | Software | Version |
|---|---|---|
| Source-of-truth code | GitLab Core (The Forge) | TBD |
| Directory | LDAP-Beta (OpenLDAP) | TBD |
| CI/CD runners (Build Farm) | TBD | TBD |
| Developer forum | Discourse | TBD |
4B. Zone 4 — Lounge
| Component | Software | Version |
|---|---|---|
| Orientation gate | Moodle (The Ledger) | TBD |
| Community town square | HumHub (the Arena) | TBD |
| Video comms | Jitsi | TBD |
| Common Library | BookStack-Beta | TBD |
| Ingress + auth + air-lock | Traefik + Authentik outpost + Guacamole | TBD |
5. The Outpost — Zone 5 (Live Fire Range)
| Component | Software | Version |
|---|---|---|
| Range targets (defensible VMs, exploitation targets) | Varies by exercise | n/a |
| Local telemetry | Wazuh forwarders | TBD |
Range target software is intentionally variable — it is provisioned per exercise and is not held to the version-stability expectations of the rest of the enclave.
6. Cross-Cutting Software
| Layer | Software | Version |
|---|---|---|
| Backup server | Proxmox Backup Server | TBD |
| External watchdog | Uptime Kuma | TBD |
| Observability agents (enclave-wide) | Wazuh forwarders | TBD |
7. Version Policy
Service versions are tracked here and reviewed on the cadence defined in the SOP. Upgrades follow the SOP’s change procedures; this Manifest is updated to match the deployed state after each upgrade lands. The Hardware Manifest (§7) points here as the canonical record of Proxmox and Debian releases.
8. Open Questions for Future Refresh
- All version numbers. Every cell marked TBD above needs its deployed version captured during the next operational review.
- Den Engine products. The specific software behind each personal-service function (Identity/SSO, file sync, automation, CRM, finance, tasks, CalDAV/CardDAV, dashboard, credential storage) needs to be recorded.
- Gateway control panel. Product not yet captured.
- Build Farm runner. Confirm the CI/CD runner software (likely GitLab Runner, given GitLab is the Forge) and record it.
- Enclave container model. Confirm whether enclave services run as Proxmox VMs, LXC, or Docker, and note the convention here.
Changelog
v1.0 (2026-06-02)
- Initial document, companion to the Hardware Manifest, extracted during the Charter Split refactor.
- Service inventory carried forward from the Hardware Manifest’s per-zone component lists.
- Version specifics flagged in §8 for capture during the next operational review.
END OF DOCUMENT