What is Soverstack?
Soverstack is a CLI that turns YAML files into production-ready infrastructure.
You describe what you want -- a database cluster, a firewall, a VPN, monitoring -- and Soverstack figures out how to deploy it. No Ansible playbooks to write. No glue scripts to maintain. No 47-tab browser session on "how to set up Patroni with etcd".
```sh
soverstack init my-project
soverstack validate
soverstack preflight
soverstack plan
soverstack apply
```
That's it. Five commands, from zero to a fully operational infrastructure.
The problem
Setting up production infrastructure on bare metal is hard. Not because any single piece is complicated, but because there are so many pieces:
- Firewalls with failover
- VPN for secure access
- DNS with load balancing
- PostgreSQL with HA replication
- Secret management with auto-unsealing
- SSO across all services
- Monitoring, logging, alerting, SIEM
- Proxmox VE clusters with Ceph storage
- Backup with retention policies
Each one has its own config format, its own quirks, its own failure modes. And they all need to talk to each other. Getting one service running is a weekend project. Getting all of them running together, with HA, security, and proper networking? That's months of work.
Soverstack does this in minutes.
How it works
- You declare your infrastructure in simple YAML files -- servers, networks, services
- Soverstack validates everything: correct types, cross-references, HA constraints, security rules
- Soverstack preflights each node: SSHs in, inventories disks and NICs, computes the disk plan
- Soverstack plans the deployment: what to create, update, or destroy
- You review the plan -- nothing happens without your approval
- Soverstack applies the changes using Ansible under the hood
You never touch Ansible directly. You never SSH into machines to run commands. You declare what you want, and the CLI orchestrates the rest.
What gets deployed
A typical production setup on 3 bare-metal servers gives you:
| Service | Role | HA |
|---|---|---|
| VyOS | Firewall with VRRP failover | 2 instances |
| Headscale | VPN mesh network | 2 instances |
| PowerDNS + dnsdist | DNS with load balancing | 2+2 instances |
| PostgreSQL + Patroni | Relational database with auto-failover | 3 instances |
| OpenBao | Secret management (Vault fork) | 3 instances |
| Keycloak | Single sign-on for all services | 2 instances |
| Prometheus | Metrics collection | 2 instances |
| Grafana | Dashboards | 1 instance |
| Loki | Log aggregation | 2 instances |
| Alertmanager | Alert routing | 2 instances |
| Teleport | Bastion / SSH gateway | 2 instances |
| Wazuh | Security monitoring (SIEM) | 1 instance |
| HAProxy | Load balancer | 2 instances |
| PBS | Backup server | 1 instance |
| MinIO | Object storage | 2 instances |
All of this is pre-configured, interconnected, and secured by default. Every service authenticates through Keycloak. Every secret lives in OpenBao. Every metric flows to Prometheus. Every log goes to Loki.
Three infrastructure tiers
Soverstack adapts to your scale:
| | Local | Production | Enterprise |
|---|---|---|---|
| Servers | 1 | 3+ | 5+ |
| HA | Optional | Mandatory | Mandatory |
| Use case | Dev / Homelab | Startups / SaaS | Regulated / Compliance |
Same YAML, same commands. The tier determines validation strictness and default instance counts.
Project structure
After `soverstack init`, your project looks like this:

```text
my-project/
├── platform.yaml                  # Global config (images, flavors, tier)
├── .env                           # Bootstrap passwords (never commit)
├── .ssh/                          # SSH keys (never commit)
├── inventory/
│   └── eu/                        # Region
│       ├── region.yaml            # Region metadata
│       └── datacenters/
│           ├── hub-eu/            # Backup/storage hub
│           │   ├── nodes.yaml     # Server definitions
│           │   ├── network.yaml   # VLANs and IPs
│           │   └── ssh.yaml       # SSH access config
│           └── zone-paris/        # Compute zone
│               ├── nodes.yaml
│               ├── network.yaml
│               └── ssh.yaml
├── workloads/
│   ├── global/                    # Deployed once (DB, DNS, secrets...)
│   ├── regional/eu/               # Per-region (monitoring, bastion...)
│   └── zonal/eu/                  # Per-zone (firewall, LB...)
│       ├── hub-eu/                # Hub workloads (backup, storage)
│       └── zone-paris/            # Zone workloads (firewall, LB)
└── .soverstack/                   # Internal state (auto-managed)
```
Every YAML file is human-readable, well-commented, and editable. Soverstack generates sensible defaults, but you're always in control.
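A defender-side check for the two paths the tree marks "never commit", added here as an example that is not part of the Soverstack CLI: it verifies that `.env` and `.ssh/` are listed in `.gitignore` and are reachable only by their owner (0600 for the file, 0700 for the directory). The presence of a `.gitignore`, the permission modes and the sample password value are assumptions of this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Paths the project layout marks "never commit": bootstrap passwords and SSH keys.
SECRET_PATHS = (".env", ".ssh/")

def gitignore_patterns(project):
    """Effective (non-blank, non-comment) patterns in .gitignore; a .gitignore
    file is assumed here, the page does not say whether soverstack init writes one."""
    gi = project / ".gitignore"
    if not gi.is_file():
        return set()
    lines = (ln.strip() for ln in gi.read_text().splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#")}

def audit_project(project):
    """Return findings for the secret paths; an empty list means the project passes."""
    findings = []
    patterns = gitignore_patterns(project)
    for rel in SECRET_PATHS:
        bare = rel.rstrip("/")
        # Accept the usual spellings of one pattern: .ssh, .ssh/, /.ssh, /.ssh/
        if not ({rel, bare, "/" + rel, "/" + bare} & patterns):
            findings.append(f"{rel} is not listed in .gitignore")
        target = project / bare
        if not target.exists():
            continue
        # Only the owner should reach secrets: 0600 for the file, 0700 for the dir.
        mode = stat.S_IMODE(target.stat().st_mode)
        if mode & 0o077:
            findings.append(f"{rel} has mode {mode:04o}; drop group/other bits")
    return findings

def demo():
    """Audit a constructed sample project before and after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = Path(tmp) / "my-project"
        (proj / ".ssh").mkdir(parents=True)
        (proj / ".env").write_text("PG_BOOTSTRAP_PASSWORD=constructed-example\n")
        os.chmod(proj / ".env", 0o644)   # weak: readable by every local user
        os.chmod(proj / ".ssh", 0o755)   # weak: listable by every local user
        (proj / ".gitignore").write_text("# nothing ignored yet\n")
        weak = audit_project(proj)
        (proj / ".gitignore").write_text(".env\n.ssh/\n")  # hardened
        os.chmod(proj / ".env", 0o600)
        os.chmod(proj / ".ssh", 0o700)
        fixed = audit_project(proj)
    return weak, fixed
```

Running `audit_project` against a real project directory before the first commit catches the two mistakes the layout warns about; `demo()` shows four findings on the weak layout and none once it is hardened.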
Next steps
- Install the CLI and get running in 5 minutes
- Create your first project with a guided walkthrough
- Understand the workflow: validate, plan, apply