Author’s note: this post was drafted by Claude (Anthropic) from my project notes and source code, then reviewed and edited by me before publishing. The voice and judgments are mine; the typing isn’t.

Sovereign Suite is my answer to a question I kept circling: what would it take to give a New Zealand family the things they actually use Google and Facebook for — files, documents, photos, chat, a social feed — without ads, without behavioural tracking, and with the data physically in this country under NZ law? The working title is Aotearoa Cloud. A first slice of it is live on my own hardware, and my family can use it. This post is the vision, the one engineering rule that shapes everything, and the licensing story — which turns out to be the most interesting part.

The principles, because they decide everything

The design doc opens with principles rather than features, and every trade-off since has been resolved against them:

  1. Data residency is absolute. All user data at rest lives on NZ infrastructure — including AI inference. No offshore processing. This is the product, not a feature.
  2. No ads, no data sale, no tracking. Revenue, if this ever becomes more than a family service, is subscription-only.
  3. Assemble, don’t reinvent. More on this below.
  4. One identity, one bill, one shell. A single sign-on and a single subscription across every service; the user should never feel they’re juggling nine apps.
  5. The AI is a guest in the user’s data, not the owner. Local open-weight models, per-user boundaries, a full audit log, revocable access. The planned private agent — ask questions across your own mail, files, and photos, with nothing leaving the country — is the differentiator, and it’s also the part I’ve deliberately scheduled after the boring foundations.

Assemble, don’t fork

The engineering rule: build on mature open source — Nextcloud for files, Collabora for documents, Immich for photos, Matrix for chat, Pixelfed and Mastodon for social, Keycloak for identity — and spend the actual engineering effort on integration, identity, UX, and the AI layer. Nobody needs me to re-implement a word processor.

The subtler half of the rule is don’t fork. Each app runs unmodified, as upstream ships it, and everything of mine talks to them over their network APIs. That’s partly maintenance sanity — unmodified apps take upstream updates forever — but it’s also, it turns out, the legal architecture.

The licensing story

I went into the licensing research braced for bad news and came out with the opposite: open source does not mean non-commercial. Every component in the stack permits charging for a hosted service. The obligations are about sharing modifications and respecting trademarks — not about whether you may profit. (Standard disclaimer: this is general information from my own notes, not legal advice, and the plan explicitly includes a real open-source-licensing lawyer before any significant scale.)

The core of it is the AGPL, which most of the big apps use (Nextcloud, Immich, Mastodon, Pixelfed, Synapse, OnlyOffice). AGPL §13 closes the “SaaS loophole”: if users interact over a network with a modified AGPL app, you must offer them the source of your modified version. The key word is modified. Run the apps unmodified — the assemble-don’t-fork rule — and §13 imposes no source-offer duty at all; what remains is hygiene: link upstream, keep the notices, publish your deployment configs, and if you ever do carry a patch, publish that too, since the moment you patch you are back inside §13.

And the same rule is what keeps my own code mine. A launcher, an orchestrator, or a billing system that talks to Nextcloud over its HTTP API is a separate work, not a derivative — it doesn’t inherit the AGPL. Fork an app and edit its source, and everything you wrote there is AGPL-bound; the same is true if your own code imports an AGPL library rather than calling an AGPL service, which is the quieter way to cross the line. The safe side is a documented network protocol; the copyleft side is modifying or linking their code. Assemble-don’t-fork isn’t just an engineering preference; it’s the moat.

The rest of the licensing map, briefly: trademarks are separate from code licenses — you can’t market a service as “Nextcloud” or use upstream logos, which is exactly why the rebrand-to-our-own-name approach is correct. Collabora expects a paid subscription for production use (fair; or swap to OnlyOffice, which is AGPL). Redis relicensed to an anti-SaaS license, so the stack uses Valkey, the BSD drop-in fork. And LLM weights vary wildly — Llama carries use restrictions; Apache-licensed Qwen or Mistral models are the clean choice for anything commercial.

What’s actually running

The demo slice — files, collaborative documents, and a custom launcher page (the genuinely-ours part) — runs in containers behind a Caddy reverse proxy on my own machine, on the home LAN. Family members reach it through the router’s VPN rather than anything exposed to the public internet, and I’m keeping the specifics (addresses, ports, the exact access path) off this page on purpose: the suite’s whole premise is that its infrastructure is private.

Two build stories are worth telling honestly. Docker Desktop on Windows kept crashing on a component I couldn’t disable, so the stack pivoted to plain Docker Engine inside WSL2 — less convenient, far more reliable. Then came the mystery outage where the site was down for everyone but every check I ran passed: WSL2 shuts the distro down when nothing is holding it open, and each diagnostic command I ran was itself starting the distro again before testing it. A keepalive task holds it open now. The lesson generalises: a health check that can revive the thing it’s checking will lie to you, so probe from a vantage point that cannot have the side effect of fixing the fault.

Backups got the most careful engineering in the slice. The user data lives in Docker volumes inside WSL2, invisible to the Windows backup tool, so a nightly script exports it first: the file store goes into maintenance mode so the database and files stay mutually consistent (with a trap that guarantees it comes back off even on failure), the database is dumped uncompressed so the deduplicating backup tool sees mostly-unchanged content each night instead of a new opaque blob, and everything is written to a temp name then renamed so a half-written dump can never be swept up. The restore path isn’t theoretical either — I’ve restored the dump into a scratch container and verified table counts and file records match the live system. A backup you haven’t restored is a hope, not a backup.
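The export pattern described above, as an added example rather than the project’s own script: it assumes Nextcloud and a PostgreSQL database in Docker (the container names, database user and name, and the backup path are hypothetical defaults, overridable via environment), and adds one check the paragraph doesn’t mention, rejecting a dump that exits cleanly but lacks pg_dump’s completion line. That is a cheap truncation guard, not a substitute for the restore test the post describes.

```shell
#!/bin/sh
# Added example, not the post's script. Nightly Nextcloud export out of Docker volumes.
# Hypothetical names throughout; PostgreSQL assumed; the official nextcloud image runs
# occ as www-data, which is the only Nextcloud-specific detail relied on.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/srv/backups/nextcloud}"
APP_CONTAINER="${APP_CONTAINER:-nextcloud-app}"   # hypothetical container name
DB_CONTAINER="${DB_CONTAINER:-nextcloud-db}"      # hypothetical container name
DB_USER="${DB_USER:-nextcloud}"
DB_NAME="${DB_NAME:-nextcloud}"

# The only two functions that touch docker; everything else is plain file logic.
occ()     { docker exec -u www-data "$APP_CONTAINER" php occ "$@"; }
db_dump() { docker exec "$DB_CONTAINER" pg_dump -U "$DB_USER" "$DB_NAME"; }

maintenance_on()  { occ maintenance:mode --on; }
maintenance_off() { occ maintenance:mode --off; }

# pg_dump writes this as the final line of a plain-text dump; a truncated dump lacks it.
dump_is_complete() {
  [ -s "$1" ] && [ "$(tail -n 1 "$1")" = "-- PostgreSQL database dump complete" ]
}

# Dump to a temp name in the same directory and rename only on success, so the final
# name never points at a half-written file and a failed night never clobbers a good
# dump. Uncompressed on purpose: a deduplicating backup tool then sees unchanged rows
# as unchanged bytes instead of a fresh opaque blob.
dump_atomically() {
  dest="$1"
  tmp="$(mktemp "${dest}.XXXXXX")"
  if db_dump > "$tmp" && dump_is_complete "$tmp"; then
    mv -f "$tmp" "$dest"
  else
    rm -f "$tmp"
    return 1
  fi
}

run_backup() {
  mkdir -p "$BACKUP_DIR"
  maintenance_on
  # Whatever happens below (dump error, set -e, a signal), maintenance mode comes
  # back off: signals are turned into an exit so the EXIT trap always fires.
  trap 'maintenance_off' EXIT
  trap 'exit 1' INT TERM
  if dump_atomically "$BACKUP_DIR/nextcloud.sql"; then rc=0; else rc=1; fi
  trap - EXIT INT TERM
  maintenance_off
  return "$rc"
}

# Invoke as `nc-backup.sh run` from cron or a systemd timer; with no argument the file
# only defines the functions, so it can be sourced and exercised in isolation.
case "${1:-}" in
  run) run_backup ;;
esac
```

Run it once by hand, then confirm the three behaviours you actually care about: the final file only ever changes when a complete dump landed, no `nextcloud.sql.XXXXXX` leftovers accumulate, and `occ maintenance:mode` reports off afterwards even when you deliberately break the dump command.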

What’s next

The backlog, in order: single sign-on across the apps, photos with phone auto-backup, then the local AI agent — the piece the whole design is really for — then mail, calendar, chat and video, then the private social layer. Each slice has to earn its place by being something my family actually uses, because the honest test of a Google alternative isn’t whether it runs. It’s whether people who don’t care how it works choose to keep using it.

— Luke Simmons, Auckland

Tags: project-writeup, sovereign-suite, open-source, licensing, design-log