Sovereign Comms Appliance
This document outlines the baseline logical and software-defined architecture for the Cloud / VPS edition of the Sovereign Comms Appliance. It details the container deployment fabric, unified storage cryptography boundaries, and network ingress rules governing a single-instance virtual environment.
Scope of Architecture: Cloud / VPS vs. Dedicated Bare-Metal
The architecture detailed on this page applies exclusively to our Cloud / Virtual Private Server (VPS) product line.
Unlike our Dedicated Bare-Metal tier, which isolates workloads across distinct hardware-fenced virtual machines via Proxmox VE, the Cloud / VPS tier packages the entire sovereign software suite into a single, high-efficiency, multi-tenant virtual machine. This tier uses a single master Linux Unified Key Setup (LUKS) block layer to secure data at rest and a simple-to-manage Docker Compose runtime fabric to handle process isolation. Because it minimizes monthly infrastructure hosting overhead while retaining the platform's privacy, security, and digital sovereignty advantages, this Cloud / VPS tier is our baseline recommendation for small teams, startups, and personal use cases.
Architecture Topology
The Cloud / VPS appliance consolidates application services onto a single virtual machine instance. Process isolation and resource multiplexing are managed natively by the Linux container runtime engine via an optimized software network bridge.
========================================================================================
                        VIRTUAL INFRASTRUCTURE STORAGE PERIMETER
   [ Cloud/VPS Compute Virtualization Layer ]               [ Shared Host Hardware ]
                             ┌─────────────────────────┐
                             │  LUKS ENCRYPTED VM      │
                             │  BLOCK DATA STORAGE     │
                             └────────────┬────────────┘
========================================================================================
                                          │
========================================================================================
                       SINGLE-INSTANCE DOCKER WORKLOAD CORE LAYER
                        (CONTAINERIZED DEPLOYMENT ON LINUX BASE)
========================================================================================
                                          │
             ┌────────────────────────────┼────────────────────────────┐
             ▼                            ▼                            ▼
┌──────────────────────────┐ ┌──────────────────────────┐ ┌──────────────────────────┐
│  INGRESS & AUTOMATION    │ │  CORE SYSTEM SERVICES    │ │  SOVEREIGN APP MODULES   │
├──────────────────────────┤ ├──────────────────────────┤ ├──────────────────────────┤
│ • Traefik Proxy          │ │ • Tuwunel Matrix         │ │ • Nextcloud Core         │
│   (TLS & ACME)           │ │ • LiveKit Media          │ │ • OnlyOffice Server      │
│ • Defguard Gateway       │ │ • Coturn Media Relay     │ │ • Vaultwarden            │
│   (WireGuard Engine)     │ │ • Stalwart Mail Engine   │ │ • ntfy Notification      │
├──────────────────────────┤ ├──────────────────────────┤ ├──────────────────────────┤
│ STORAGE MOUNT:           │ │ STORAGE MOUNT:           │ │ STORAGE MOUNT:           │
│ - ./traefik-acme         │ │ - ./tuwunel-data         │ │ - ./nextcloud-data       │
│                          │ │ - ./stalwart-data        │ │ - ./vault-data           │
├──────────────────────────┤ ├──────────────────────────┤ ├──────────────────────────┤
│ COMPUTE ENVIRONMENT:     │ │ BACKEND DATABASE REFS:   │ │ DEPENDENCIES & CACHING:  │
│ - Host Networking Mode   │ │ - defguard-db (Postgres) │ │ - nextcloud-db (Postgres)│
│   (WireGuard/Coturn)     │ │ - defguard-proxy (gRPC)  │ │ - nextcloud-redis (Cache)│
└──────────────────────────┘ └──────────────────────────┘ └──────────────────────────┘
                                          │
                                          ▼
┌──────────────────────────────────────────────────────────────────────────────────────┐
│               VIRTUALIZED RUNTIME ISOLATION LAYER (BRIDGE NETWORKING)                │
├──────────────────────────────────────────────────────────────────────────────────────┤
│ • System Bridge: Inter-container traffic isolated strictly on internal subnet pool.  │
│ • VPN Isolation: Internal admin dashboards locked natively behind a WireGuard mask.  │
└──────────────────────────────────────────────────────────────────────────────────────┘
========================================================================================
Core Infrastructure & Cryptographic Boundaries
To deliver cloud agility without compromising data confidentiality, our Cloud / VPS deployment model shifts the multi-VM hardware fortress down to an elegant, single-kernel cryptographic pipeline:
- Unified Storage Cryptography (LUKS): The underlying virtual block storage attached to your VPS is wrapped entirely in a LUKS volume container that is opaque to the hosting provider. All application databases, user uploads, cryptographic keys, and configuration states are encrypted by standard kernel-level dm-crypt processing before they reach the VPS provider's shared storage array. The entire system is unlocked remotely by an administrator at boot via a single master passphrase.
- Process Isolation via Linux Namespaces: Rather than running heavyweight hypervisor operating systems that consume large memory allocations, isolation is managed at the kernel level using cgroups and Linux namespaces. Each component (Nextcloud, Matrix, Mail) runs inside an isolated, unprivileged container context, blocking cross-application security vulnerabilities while using a fraction of the compute resources.
- Granular Data Bind Mounts: All persistent state engines are bound strictly to local, human-readable file systems on the host machine (e.g., ./nextcloud-data, ./stalwart-data, and ./tuwunel-data). This ensures that full system maintenance, local cold-data archival, and standard snapshot operations remain accessible and straightforward to manage.
Functional Workload Core
The Cloud / VPS topology uses our production-grade Docker Compose layer to execute all platform components side-by-side with minimal memory overhead:
1. Ingress Perimeter & Zero-Trust Access Routing
- Traefik Edge Routing: Traefik functions as the central point of ingress, intercepting all external connections on ports 80/443 (HTTP/HTTPS). It features fully automated ACME certificate registration via the Cloudflare DNS challenge and natively injects HTTP Strict Transport Security (HSTS) headers to protect client sessions.
- Defguard WireGuard Gateway: Running in high-performance host network mode, the Defguard gateway establishes a cryptographically secure virtual private network.
2. Deep Layer-7 Edge Filter Masking
Our Cloud / VPS script implements the same rigorous security policies found in our enterprise tiers to protect administrative landing pages from automated internet bots:
- The VPN-Only Allowlist Middleware: Critical backend administrative controls (the Stalwart Mail admin dashboard, the main Defguard dashboard, OnlyOffice, Vaultwarden, and the Matrix homeserver console) are bound via Traefik to an internal IP allowlist (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Public internet scrapers that attempt discovery on these services receive an immediate HTTP 403 Access Denied response.
- Nextcloud Path Decoupling: Nextcloud's administrative login screens and core data engines are masked behind the WireGuard VPN block. However, Traefik exposes a narrowly scoped, token-restricted public route for public file shares and anonymous folders (/s/, /public.php). Small teams can share public document drops without revealing their backend server interfaces or core infrastructure ports to the open web.
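To make the allowlist middleware and the Nextcloud path split concrete, here is an added Docker Compose fragment (not the appliance's own compose file) that wires the Nextcloud container to Traefik with the two routers described above. It assumes Traefik v3 with the Docker provider, an entrypoint named websecure, a certificate resolver named cloudflare, and the placeholder hostname cloud.example.com.

```yaml
# Added example fragment, not the project's compose file.
# Assumes: Traefik v3 + Docker provider, entrypoint "websecure",
# certresolver "cloudflare", hostname cloud.example.com (placeholder).
services:
  nextcloud:
    image: nextcloud:stable
    volumes:
      # Bind mount on the host filesystem that sits on the LUKS-backed block device
      - ./nextcloud-data:/var/www/html
    networks: [internal]
    labels:
      - "traefik.enable=true"
      # VPN-only middleware: only RFC 1918 sources (WireGuard clients) pass;
      # every other source receives HTTP 403 from Traefik.
      - "traefik.http.middlewares.vpn-only.ipallowlist.sourcerange=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
      # Router 1: public share links stay reachable from the internet (no allowlist).
      # Higher priority so it is matched before the catch-all router below.
      - "traefik.http.routers.nextcloud-public.rule=Host(`cloud.example.com`) && (PathPrefix(`/s/`) || PathPrefix(`/public.php`))"
      - "traefik.http.routers.nextcloud-public.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-public.tls.certresolver=cloudflare"
      - "traefik.http.routers.nextcloud-public.priority=100"
      # Router 2: everything else (login, admin, WebDAV, API) is VPN-only.
      - "traefik.http.routers.nextcloud-admin.rule=Host(`cloud.example.com`)"
      - "traefik.http.routers.nextcloud-admin.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-admin.tls.certresolver=cloudflare"
      - "traefik.http.routers.nextcloud-admin.middlewares=vpn-only"
      - "traefik.http.routers.nextcloud-admin.priority=10"
      # Single service: both routers forward to the container on port 80.
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
networks:
  internal:
```

Because 172.16.0.0/12 also covers Docker's default bridge ranges, confirm in Traefik's access log that internet requests arrive with their real source address rather than a bridge gateway address (which can happen when Docker's userland proxy or another proxy in front of Traefik rewrites it); if they do not, the allowlist no longer distinguishes VPN clients from the public internet.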
3. Integrated Databases & Media Multiplexing
- Localized Relational Databases: Independent PostgreSQL application engines run within dedicated Alpine-based containers to partition internal relational memory tables.
- High-Throughput Communication Components: LiveKit Server and the Coturn relay engine coordinate WebRTC signaling directly via host network translation. This layout leverages high-speed single-port UDP multiplexing to bypass standard Docker container bridge overhead, preserving sub-100ms real-time conferencing latency on compact cloud nodes.
Operational Efficiency Matrix
The Cloud / VPS blueprint delivers the absolute leanest path to full-stack digital sovereignty, making it easy to compare resource requirements against our bare-metal dedicated platforms:
| Architectural Metric | Cloud / VPS Tier (Standard Instance) | Dedicated Bare-Metal Tier |
|---|---|---|
| Ideal Operational Size | Small consulting teams, personal environments, lightweight testing. | Mid-market enterprises, distributed workspaces, defense/legal compliance. |
| Isolation Architecture | Linux Namespaces, Docker Containerization, Bridge Networks. | Type-1 Hypervisor (Proxmox VE), Multi-VM Hardware Segmentation. |
| Minimum Hardware Footprint | Low overhead (e.g., 4 vCPUs / 8 GB or 16 GB RAM). | High performance (12+ Threads / 32 GB+ RAM Dedicated). |
| RAM Footprint Efficiency | Peak. Shared kernel allocations mean 0% compute virtualization tax. | Reserved. Discrete memory bounds allocated cleanly per target VM context. |
| Storage Architecture | Single consolidated LUKS container over a unified virtual drive. | Dynamic host-managed RAID layouts with independent SSD / HDD pools. |
| Administration Profile | Single configuration environment. Managed via a single, automated script. | Advanced multi-node management via Proxmox cluster consoles. |
Lifecycle & Maintenance
By deploying the appliance on a unified Cloud / VPS server instance, lifecycle management functions are drastically simplified for lean operations:
- One-Command Controls: The entire stack (databases, caches, media routing engines, and data pools) can be initialized, paused, audited, or safely terminated via standard, unified container management commands.
- Fast Platform Migrations: Because the entire system profile state resides cleanly within a singular directory hierarchy, executing server-to-server infrastructure migrations requires nothing more than copying the local directory structure onto a new encrypted virtual machine target.