The sovereign-stack is a project dedicated to regaining digital autonomy by hosting essential services on a local Raspberry Pi 5. It is a robust, privacy-first infrastructure blueprint designed for those who believe that data sovereignty is a fundamental right.
This stack is designed to be a complete replacement for proprietary ecosystems. By deploying this blueprint, you can replace centralized communication tools like WhatsApp and Signal with your own Prosody (XMPP) infrastructure, and transition away from Microsoft Office/365 or Google Workspace by utilizing the full power of Nextcloud.
Although it is tested and running on a Raspberry Pi 5 with a 1TB NVMe SSD, it can be installed on other hardware running Debian Linux with small adaptations, since Raspberry Pi OS is a Debian derivative.
In an era of centralized "cloud" monopolies and constant data harvesting, this project provides a path to technical independence.
- Autonomy: Reducing dependency on centralized infrastructure and foreign "Big Tech" clouds.
- Privacy: Keeping community and personal data (GDPR) within your own physical walls.
- Agency: Utilizing hardware (like CCTV/NVR) without allowing it to "phone home" to foreign servers.
- Resilience: Services remain functional and trusted even if external certificate authorities or providers fail.
The stack is a curated collection of industry-standard services, optimized to run harmoniously on the Raspberry Pi 5.
| Service | Role | Purpose |
|---|---|---|
| Nextcloud | Cloud Hub | Office/365 Replacement: File sync, contacts, calendar, and collaborative office. |
| Forgejo | Git Service | GitHub Replacement: Self-hosted software forge for local code and version control. |
| MariaDB | SQL Database | High-performance backend for Nextcloud and other services. |
| Redis | In-memory Cache | Acceleration for Nextcloud file locking and session handling. |
| Nginx Proxy Manager | Reverse Proxy | Manages TLS certificates (Let's Encrypt or the internal Step-CA) and secure traffic routing. |
| Prosody | XMPP Server | WhatsApp/Signal Replacement: Private, lightweight, and federated instant messaging. |
| AdGuard Home | DNS & Ad-block | Network-wide ad-blocking and privacy-focused DNS (DoH/DoT). |
| Step-CA | Internal PKI | Your own Certificate Authority for internal TLS/SSL management. |
| Vaultwarden | Password Manager | Bitwarden-compatible server for secure credential storage. |
| Fail2Ban | Active Defense | Automated intrusion prevention; blocks malicious IP addresses. |
| File / Directory | Purpose |
|---|---|
| `.env` | Active Secrets: Local environment variables (Git-ignored). |
| `.env.example` | Template for environment variables and secrets. |
| `backup_stack.sh` | Master Backup: Handles DB dump, AES encryption, and SFTP push. |
| `Checklist.md` | Pre-Flight: Final verification steps before live deployment. |
| `docker-compose.yaml` | Master Orchestration: Defines all 19+ services and networks. |
| `INSTALL.sh` | Master Setup Wizard: Installs dependencies and configures `.env`. |
| `LICENSE` | Project license (GNU GPL-3.0). |
| `monitor_backup.sh` | Dead Man's Switch: Integrity check and cross-platform verification. |
| `TECHNICAL_SPEC.md` | Source of Truth: Defines all technical requirements and script flows. |
| `verify_env.sh` | The Gatekeeper: Validates all mandatory environment variables before execution. |
| `wake_target.sh` | WOL Utility: Modular script to wake remote targets via Magic Packets. |
Every script in this stack is protected by a multi-layer security shell:
- Root Prevention: Blocks execution as root/sudo, so SSH/SFTP runs with the unprivileged user's keys and `known_hosts` rather than root's.
- Anti-Stacking (flock): Kernel-level advisory locking prevents concurrent runs from piling up.
- Environment Guard: `verify_env.sh` ensures all 11+ required secrets are present and non-empty before anything else runs.
- Path Validation: Explicit checks that `DOCKER_ROOT` exists before any I/O operation.
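The four guards above, written out as an added example so each can be exercised on its own. This is not the project's `verify_env.sh` or script preamble; the function names, the lock-file path and the variable list (only `DOCKER_ROOT` and `BACKUP_RETENTION_DAYS` appear on this page, the other two names are constructed) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code): the root, lock, environment and
# path guards described in the README, one function each.

# 1. Root prevention. The UID to check is a parameter (default: the caller),
#    so the rule itself can be tested no matter who runs this file.
require_non_root() {
    uid="${1:-$(id -u)}"
    if [ "$uid" -eq 0 ]; then
        echo "refusing to run as root: SSH keys and known_hosts would be root's" >&2
        return 1
    fi
}

# 2. Anti-stacking. Hold flock(2) on a dedicated descriptor; -n fails at once
#    instead of queueing a second copy behind the first. The kernel drops the
#    lock when the process exits, so a crash cannot leave a stale lock behind.
acquire_lock() {
    lockfile="$1"
    exec 9>"$lockfile"
    if ! flock -n 9; then
        echo "another instance holds $lockfile; exiting" >&2
        return 1
    fi
}

# 3. Environment guard. Every name in REQUIRED_VARS must be set and non-empty.
#    All missing names are reported together so one run shows the whole gap.
#    Constructed subset: the project checks 11+ variables.
REQUIRED_VARS="DOCKER_ROOT BACKUP_RETENTION_DAYS BACKUP_PASSPHRASE_FILE SFTP_TARGET"

verify_env() {
    missing=""
    for name in $REQUIRED_VARS; do
        eval "val=\${$name:-}"
        [ -n "$val" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing or empty:$missing" >&2
        return 1
    fi
}

# 4. Path validation. Refuse to touch the disk unless DOCKER_ROOT is an
#    existing directory; a typo in .env must not become a backup of nothing.
check_docker_root() {
    root="${1:-${DOCKER_ROOT:-}}"
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "DOCKER_ROOT '$root' does not exist or is not a directory" >&2
        return 1
    fi
}

# Run the guards in order; a script sources this file and does
# `run_guards || exit 1` before its first real command.
run_guards() {
    require_non_root &&
    acquire_lock "${LOCK_FILE:-/tmp/sovereign-stack.lock}" &&
    verify_env &&
    check_docker_root
}
```

`flock -n 9` plus a descriptor that stays open for the life of the script is the whole locking scheme; no PID file is written, so there is nothing to clean up after a crash. Running `verify_env` before `check_docker_root` matters: the path check reads `DOCKER_ROOT`, which the environment guard has just proved to be set.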
Backups are automated and secured with industry-standard encryption:
- Database: MariaDB is exported via `mariadb-dump` to a secure SQL file.
- Granular Excludes: Dynamically excludes Frigate videos or Nextcloud data via `.env`.
- Security: Archives are secured with AES-256-CBC (PBKDF2) using OpenSSL.
- Dynamic Retention: Automatically purges local backups older than `${BACKUP_RETENTION_DAYS}`.
- SFTP Push: Transfers archives to remote targets. Supports Windows paths (`/H:/Backup`).
The `monitor_backup.sh` script performs a multi-layer health check every morning:
- Integrity Test: Decrypts the latest archive in-memory to verify stream and password.
- Cross-Platform Check: Employs OS-aware logic to verify file presence on the target.
- Windows Logic: Automatically strips leading slashes for Windows CMD (`if exist`) compatibility.
- WOL Integration: Uses `wake_target.sh` to ensure the remote target is awake before checking.
- Email Alerting: Dispatches high-priority (`X-Priority: 1`) status reports via `msmtp`.
The recovery process follows the Selective Injection method:
- Decrypt: Use OpenSSL to decrypt the archive.
- Inject SQL: Re-import the SQL dump into the MariaDB container.
- Data Sync: Restore user data and fix permissions (`chown 33:33`, the Debian `www-data` UID/GID used inside the Nextcloud container).
- Refer to `RESTORE.md` for the full procedure.
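The backup, morning check and decrypt steps from the three sections above, as one added round-trip example. It is not the project's `backup_stack.sh`, `monitor_backup.sh` or `RESTORE.md`; the function names, the passphrase-file convention, the `.enc`/`.sha256` suffixes and the PBKDF2 iteration count are assumptions of this example, and the data directory it operates on is constructed. It goes one step beyond the page: because `openssl enc` in CBC mode has no authentication tag, it records a SHA-256 of the ciphertext at backup time and checks it before decrypting, so a tampered or truncated archive is reported differently from a wrong password.

```shell
#!/usr/bin/env bash
# Added example (not the project's own scripts): encrypt, verify, retain and
# decrypt a backup archive the way the README describes.
set -o pipefail 2>/dev/null || true   # bash: fail the pipe if openssl fails
PBKDF2_ITER=200000                      # assumed; must match on both sides

# Backup: tar the data directory, encrypt the stream with AES-256-CBC under a
# PBKDF2-derived key (-pbkdf2 -salt), and record a SHA-256 of the ciphertext.
encrypt_backup() {
    src_dir="$1"; out="$2"; passfile="$3"
    tar -C "$src_dir" -cf - . \
      | openssl enc -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -salt \
            -pass "file:$passfile" -out "$out"
    openssl dgst -sha256 "$out" | awk '{print $NF}' > "$out.sha256"
}

# Monitor: the in-memory integrity test. Digest first (CBC itself cannot
# detect tampering), then decrypt into a pipe and let tar list the archive;
# nothing is written to disk. 0 = good, 1 = wrong password/corrupt stream,
# 2 = ciphertext no longer matches the recorded digest.
verify_backup() {
    enc="$1"; passfile="$2"
    expect=$(cat "$enc.sha256")
    actual=$(openssl dgst -sha256 "$enc" | awk '{print $NF}')
    if [ "$expect" != "$actual" ]; then
        echo "digest mismatch for $enc (tampered or truncated)" >&2
        return 2
    fi
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
            -pass "file:$passfile" -in "$enc" 2>/dev/null | tar -tf - >/dev/null 2>&1; then
        echo "decrypt/untar of $enc failed (wrong password or corrupt stream)" >&2
        return 1
    fi
}

# Retention: purge local archives and their digests older than N days.
# -exec rm {} + instead of -delete so it also works with POSIX find.
purge_old_backups() {
    dir="$1"; days="$2"
    find "$dir" -maxdepth 1 -type f \( -name '*.enc' -o -name '*.enc.sha256' \) \
         -mtime +"$days" -exec rm -f {} +
}

# Windows target: the SFTP server accepts /H:/Backup, but a `cmd /c if exist`
# probe needs the leading slashes gone.
to_windows_path() {
    p="$1"
    while [ "${p#/}" != "$p" ]; do p="${p#/}"; done
    printf '%s' "$p"
}

# Restore, step 1 of Selective Injection: decrypt into a scratch directory.
# Steps 2 and 3 (SQL import, data sync with chown 33:33) need the running
# containers and are left to RESTORE.md.
decrypt_backup() {
    enc="$1"; passfile="$2"; dest="$3"
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -pass "file:$passfile" -in "$enc" | tar -C "$dest" -xf -
}
```

Keep the passphrase in a root-unreadable file referenced with `-pass file:`, not on the command line, where `ps` would show it. The distinct return codes of `verify_backup` are what the morning report should key on: a 2 means the archive on disk changed after it was written, which a wrong-password alert would otherwise mask.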
This documentation is part of the Sovereign Stack project. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY. Copyright (c) 2026 Henk van Hoek. Licensed under the GNU GPL-3.0 License.