Internal Tooling

Internal tools, communication platforms, and corporate IT for Silver Frog.

Last Updated: January 2026
Status: Draft

Principles

  1. Avoid per-user pricing - Costs compound at scale
  2. Self-hosted where practical - Data sovereignty, predictable costs
  3. Central identity (SSO) - Single sign-on for all tools via Keycloak
  4. Accessible for non-technical users - Most team members are not engineers

Team Profile

| Role | Count | Notes |
|---|---|---|
| Engineers | 4 (scaling to 20) | Technical |
| Product, Leadership, Ops | ~16 | Non-technical |
| Total team members | ~20 initially | |

Identity & Access

| Tool | Purpose |
|---|---|
| Keycloak | SSO/OIDC provider for all internal tools |

Central authentication. Users authenticate once, access all integrated services.

Team Communication

Decision pending - evaluating Element (Matrix) and Zulip.

| Tool | Strengths | Considerations |
|---|---|---|
| Element | Video rooms, no message limits, federation | Learning curve, mobile app maturing |
| Zulip | Superior threading model | Mobile push requires paid plan (>10 users) |

Both support self-hosted SSO. Element has built-in video conferencing. Zulip has better threading but a dated UI.

Reference: Vates (100+ person company) migrated from Mattermost to Element successfully.

Project Management

| Tool | OIDC | Pricing Model | Notes |
|---|---|---|---|
| Huly | Yes | Unlimited users, by storage | All-in-one (PM + chat + docs + video). Self-hosted free. |
| Plane | Paid | $6/user/month | Best UX. At 100 users = $600/month. |

Recommendation: Huly

  • OIDC supported for self-hosted (docs)
  • No per-user pricing (unlimited users)
  • Includes: issues, sprints, kanban, roadmaps, time-blocking, chat, video calls, docs
  • Cloud pricing: Free (10GB) → $100/mo (1TB) → $400/mo (10TB)
  • Self-hosted: Free

Fallback: Plane if Huly doesn't meet needs. Cost is controllable at small scale.

Documentation

| Tool | Use Case |
|---|---|
| MkDocs + Cloudflare Pages | Technical documentation, strategy docs |
| Outline | Wiki, meeting notes, real-time collaboration |

MkDocs allows Git-based editing with polished web output. It is protected via Cloudflare Access: team members receive an email invite for access.

Monitoring & Observability

| Tool | Purpose |
|---|---|
| Netdata | Real-time infrastructure monitoring |
| Prometheus | Metrics collection |
| Grafana | Dashboards and visualization |
| Loki | Log aggregation |

Netdata provides per-second metrics with auto-discovery and minimal configuration. Prometheus + Grafana cover deeper analysis and custom dashboards.

All self-hosted, no per-unit costs.

Source Control

| Tool | Notes |
|---|---|
| GitHub | Team plan for required reviewers and advanced features |

GitHub Team at ~$4/user/month (~$960/year for 20 users). Required for code owners, required reviewers, and draft PRs.

Remote Access / VPN

| Tool | Purpose | Cost |
|---|---|---|
| Pangolin CE | All-in-one: tunnels + VPN + identity-aware proxy | Free (AGPL-3) |
| Pangolin EE | Enterprise features (geoblocking, audit logs) | Free < $100K rev |
| Headscale | Self-hosted Tailscale control server | Free |
| Tailscale | Zero-config mesh VPN | $18/user for OIDC |

Recommendation: Pangolin Community Edition (CE)

  • WireGuard-based tunnels (expose services without public IPs)
  • Wildcard subdomain support (*.domain.com routing)
  • Built-in VPN for private network access
  • OAuth2/OIDC integration (Keycloak compatible)
  • Auto-SSL via Let's Encrypt
  • TCP/UDP support (not just HTTP)
  • Self-hosted, no per-seat pricing
  • AGPL-3 licensed - free regardless of company revenue

Why CE over EE: Enterprise Edition is free under $100K revenue but requires a commercial license above that. CE remains free forever and has all core features. EE adds geoblocking, audit logs, and advanced security; we handle geoblocking at Cloudflare instead.

Alternative: Headscale + Tailscale clients if you prefer Tailscale's UX.

Pangolin CE + Cloudflare Free is the recommended stack.

Access Model

Most users never need the VPN. The identity-aware proxy handles authentication at the application layer.

| Access Type | Method | Who | Example |
|---|---|---|---|
| Web apps | Identity proxy (OIDC) | Everyone | Huly, Outline, chat |
| Admin UIs | Identity proxy + admin role | Admins | Keycloak, Grafana, Portainer |
| Network-level | VPN (WireGuard) | Engineers | SSH, direct DB access |

Benefits:

  • Zero client installation for most users
  • Works from any device, any network (mobile included)
  • VPN reserved for infrastructure work only
  • Simpler onboarding: Keycloak credentials = access to everything

Edge Services (Cloudflare)

| Service | Purpose | Plan |
|---|---|---|
| DNS | Domain management, fast propagation | Free |
| CDN / DDoS | Edge caching, DDoS protection | Free |
| WAF (Geoblocking) | Country blocking via custom rules | Free |
| Rate Limiting | Basic rate limiting | Free |
| Zero Trust | Identity-aware access (50 users) | Free |
| Cloudflare Pages | Static site hosting (MkDocs, marketing) | Free |

Cloudflare Free tier handles:

  • DDoS protection (unmetered)
  • Country blocking via WAF custom rules (5 rules)
  • Rate limiting (unmetered, basic)
  • Zero Trust for up to 50 users

When to upgrade:

| Trigger | Plan | Cost |
|---|---|---|
| More than 5 WAF rules | Pro | $20/mo |
| Advanced bot protection | Business | $200/mo |
| More than 50 Zero Trust users | Per user | ~$7/user/mo |

For iGaming, expect to upgrade to Business ($200/mo) eventually for bot protection against scrapers and odds-bots. Start with Free.

Pangolin CE handles internal tunneling and VPN. Cloudflare handles public-facing edge concerns. Both are free.

Other Tools

| Category | Tool | Purpose |
|---|---|---|
| Password Manager | VaultWarden | Team credential sharing |
| AI Tools | Open WebUI | Self-hosted LLM interface |
| Analytics | Umami | Privacy-focused web analytics |
| Security/IDS | CrowdSec | Intrusion detection (Pangolin integration) |

Cost Estimate

Self-Hosted Stack

| Team Size | Infrastructure | Subscriptions | Annual Total |
|---|---|---|---|
| ~20 team members | ~€70/month | ~€900 (GitHub Team) | ~€1,750 |
| ~100 team members | ~€200/month | ~€4,500 (GitHub Team) | ~€6,900 |

Infrastructure on Hetzner. Most tools are free self-hosted. GitHub Team at ~$4/user/month.

Implementation Phases

Phase 1: Foundation

  • Keycloak (identity)
  • Pangolin (tunnels + VPN)
  • Cloudflare (DNS)
  • MkDocs + Cloudflare Pages (technical docs)
  • Team chat (Element or Zulip)
  • VaultWarden
  • GitHub organization

Phase 2: Productivity

  • Huly (project management)
  • Outline (wiki)
  • SSO integration for all tools

Phase 3: Operations

  • Netdata + Prometheus + Grafana + Loki
  • Open WebUI

Phase 4: Scale Preparation

  • Infrastructure scaling review
  • Evaluate tool performance

Open Items

  1. Chat tool decision - Element vs Zulip requires team testing
  2. Huly validation - OIDC confirmed in docs; test Keycloak integration in practice

Tools Reference

Curated list of self-hosted alternatives by category. Tools marked with ✓ are recommended or already selected.

| Category | Options |
|---|---|
| Identity | ✓ Keycloak, Authentik, Authelia |
| Remote Access | ✓ Pangolin, Headscale, Tailscale, GoDoxy |
| Edge/CDN | ✓ Cloudflare |
| Team Chat | ✓ Element, Zulip, Rocket.Chat |
| Project Management | ✓ Huly, Plane, Taiga |
| Wiki/Docs | ✓ Outline, ✓ MkDocs, Docmost, AppFlowy |
| Version Control | ✓ GitHub, Gitea, Forgejo |
| Collaboration | Affine, Excalidraw |
| Design | Penpot, Quant UX |
| File Storage | Seafile, Nextcloud, Zipline |
| Office Suite | Collabora, CryptPad, LibreOffice |
| Analytics | ✓ Umami, Aptabase, Matomo |
| Database UI | Teable, NocoDB, Baserow |
| AI/LLMs | ✓ Open WebUI + Ollama, vLLM |
| Spreadsheets | Grist, Office Suite Sheets |
| Social Media | Postiz, Mixpost |
| Notes | Memos, Blinko, Karakeep |
| Localization | Tolgee, Accent, Weblate |
| Mailing List | Listmonk, Keila |
| Document Signing | Documenso, DocuSeal, OpenSign |
| Password Manager | ✓ VaultWarden |
| Monitoring | ✓ Netdata, ✓ Prometheus, ✓ Grafana, ✓ Loki |
| Security/IDS | ✓ CrowdSec, Fail2ban |

Tools evaluated and selected based on: OIDC/SSO support, no per-user pricing, self-hosted capability, and accessibility for non-technical users.