← Back to Index

Project Proposal: Ubuntu-Based Open-Source Sovereign Enterprise Architecture

Server: Kubernetes (Rancher)

IAM/MFA: Authentik

Directory: Samba AD + Zimbra CE

Client: Ubuntu LTS and Derivatives

Abstract

This project presents a fully on-premise, Ubuntu LTS-based open-source enterprise architecture designed to reduce cloud dependence and strengthen data sovereignty. Server-side services run as containers on Kubernetes managed by Rancher; identity and MFA are provided by Authentik; directory and mail services are implemented with Samba 4 Active Directory and Zimbra Community Edition. Security and observability layers rely on Wazuh (SIEM) and Prometheus + Grafana (metrics and alerting). The network perimeter is protected by physical firewalls, and backups are handled by physical appliances (e.g., QNAP NAS). The initiative aims to produce comparative evidence—against Microsoft’s cloud-first ecosystem—across TCO, security, usability, and portability, with a primary legal focus on data residency and sovereignty.

Vision & Problem Statement

Cloud-first mandates and the U.S. CLOUD Act create extraterritorial exposure even when data is hosted in-region. The vision is an on-prem, open-source stack where compute, identity, keys, and backups remain under the organization’s legal and operational control, avoiding vendor-operated control planes. See Background Analysis for legal/strategic context.

1. Introduction

Accelerated digitalization in the public and private sectors has made cloud computing platforms attractive; however, it has also brought critical issues such as data sovereignty, privacy, and Total Cost of Ownership (TCO) to the forefront. Regulations like the US CLOUD Act increase the risk of data being subject to foreign legal demands. Specifically within the Microsoft ecosystem, steps such as the Azure-centric evolution of Windows Server 2019–2025 and the deprecation of WSUS are driving organizations towards hybrid/cloud solutions. This project evaluates an open-source, on-premise architecture against these risks using technical and managerial metrics.

2. Background – Microsoft’s Cloud-First Strategy vs. On-Prem Trends

Windows Server 2019: Focus on sustaining classic on-prem workloads.
Windows Server 2022: Azure Edition, Hotpatch, SMB over QUIC, Azure Extended Networking.
Windows Server 2025: Emphasis on Azure Local/Arc/Entra ID integrations.
WSUS Deprecation: 2024 deprecation; push to Azure Update Manager/Intune/Autopatch.
Licensing Dynamics: Core-based licensing and subscriptions increase long-term cost pressure.

See Background Analysis for details.

3. Purpose and Research Questions

Purpose: Design a manageable, reproducible Ubuntu-based open-source enterprise architecture that reduces dependence on cloud providers and strengthens data sovereignty; benchmark against the Microsoft ecosystem.

Research Questions:
1) TCO advantage vs proprietary licensing
2) Security/Compliance (SSO/MFA/SIEM/Vuln)
3) Usability & Manageability (Rancher/K8s experience)
4) Data Sovereignty (reducing CLOUD Act exposure)

4. Scope and System Architecture

Server Side: 1× control plane + 2× worker (Ubuntu Server LTS) running RKE2; Rancher for lifecycle, RBAC, observability. Helm/manifests; CI/CD-ready. See System Architecture for topology.
Runtime: Podman-only (daemonless/rootless); Docker explicitly excluded.
Storage/Network/PKI: Longhorn (CSI) for PVCs; MetalLB (L2) for service IPs; Cert-Manager for internal PKI.
Backup: Velero + MinIO (S3-compatible) for cluster and volume protection; CSI/kopia snapshots; periodic recovery drills.
Client Side: Ubuntu LTS derivatives (Linux Mint, Zorin OS, etc.) via phased pilots. See Client Strategy for the “Flexible 10”.
Network Security: Physical firewall; segmentation/VPN; IDS/IPS options.

4.1 Open Source Components

See Tools & Components for detailed definitions and selection rationale.

Service Area	Component	Key Features
OS	Ubuntu LTS (Server) + Mint/Zorin (Client)	LTS stability, broad ecosystem, user-friendly desktop.
Cluster Mgmt	Kubernetes + Rancher	Multi-cluster GUI, RBAC, catalog, upgrade workflows.
Directory	Samba 4 Active Directory	AD-compatible LDAP/Kerberos; Windows/Linux clients.
IAM / SSO	Authentik	SAML/OIDC/LDAP/RADIUS; MFA (TOTP/WebAuthn); policy engine.
Email/Collab	Zimbra CE	External auth with AD; web client; calendar/contacts; on-prem storage.
SIEM/XDR	Wazuh	Centralized logging, correlation, compliance reports.
Observability	Prometheus + Grafana	Metric collection, dashboards, alerting.
Storage	Longhorn (CSI)	Distributed block storage with snapshots.
Load Balancing	MetalLB (L2)	Service IPs on bare-metal via ARP/NDP.
PKI	Cert-Manager	Automated internal certificates.
Backup	Velero + MinIO (S3)	Cluster + PVC backups with CSI/kopia.
IaC	Ansible	Infrastructure as Code; reproducible & portable setups.

4.2 Methodology & Project Management

The project follows a strict DevOps and PM framework to ensure reproducibility and timely delivery.

See Methodology & Metrics for the evaluation framework (TCO, Security Tests).
See Project Management for the timeline, WBS, and risk registry.

5. Client Strategy (“Flexible 10”)

Persona-based desktop catalog: Ubuntu Desktop (baseline), Linux Mint/Zorin (Windows converts), Pop!_OS (engineers), Kubuntu (power users), Xubuntu/Lubuntu (legacy/thin), Ubuntu MATE (traditional), elementary OS (kiosk/public), KDE Neon (R&D). See Client Strategy for details.

6. Operating Model (IaC + GUI)

Provisioning/rebuilds via Ansible (repeatable, testable).
Day-2 ops via Rancher UI plus GitOps-friendly manifests and Helm charts.

7. Objectives & Measures

TCO: Avoid CALs/O365/Azure licensing; quantify infra + ops cost.
Legal Security: Keep control planes, keys, and backups on-prem to avoid CLOUD Act reach.
Usability/Manageability: Compare Rancher/K8s ops to Azure Portal experience.
Reproducibility: Time-to-rebuild via Ansible + Velero restores.