A 45-person consulting firm across three offices replaced Microsoft 365, a shared NAS, and scattered cloud tools with a fully self-hosted, centrally managed open-source stack — delivered in eight weeks.
The client was spending heavily on SaaS subscriptions while struggling with fragmented data, no central authentication, and zero visibility into who was accessing what. Each office operated independently with no shared infrastructure.
Each user had separate credentials for file storage, email, and internal tools. Offboarding an employee took hours and often left orphaned accounts.
Files in OneDrive, email on Exchange Online, and CRM in a US-hosted SaaS — none of it under the firm's legal control or their country's jurisdiction.
All devices — workstations, servers, printers, and guest Wi-Fi — shared the same subnet with no firewall between them.
Data existed in a single location. One hardware failure or ransomware event would have been catastrophic with no tested recovery path.
We began with a structured two-week discovery process — no assumptions, no templates. Every finding shaped the final architecture.
Topology mapping, device inventory, traffic analysis, and firewall rule review across all three sites.
Identifying which services were business-critical, along with storage growth rate, email volume, and VPN usage patterns.
Data residency requirements, access control obligations, and audit trail needs for the firm's regulatory context.
Architecture document, bill of materials, phased timeline, and cost model presented to the client for approval.
Spread across OneDrive, local NAS, and personal laptops with no deduplication or lifecycle policy.
Laptops, workstations, and printers with no MDM, no patch policy, and mixed OS versions.
Overly permissive inbound and inter-VLAN rules that opened unnecessary lateral movement paths.
Three separate directory systems — one per office — with no federation or password sync.
Backups existed in theory. No restore test had ever been performed. Two drives were found to have failed silently.
Annual SaaS subscription savings identified after mapping every paid tool to a self-hosted equivalent.
Beyond infrastructure, we conducted a structured review of how the firm runs its core business operations — including project management, invoicing, client tracking, and procurement. We mapped each manual process to an Odoo module, identified gaps, and configured the platform to match how the team actually works — rather than forcing the team to adapt to a generic ERP template. The result was a deployed, trained, and live Odoo instance within the same eight-week window.
Every layer designed for redundancy, security, and operational simplicity. Open source throughout.
3-node HA cluster running all workloads as VMs and LXC containers. Live migration and automatic failover with no single point of failure.
Perimeter firewall with dual WAN failover, strict inter-VLAN routing rules, Suricata IDS/IPS, and WireGuard site-to-site VPN for all three offices.
Single directory for all employees across all sites. One account, one password — works for email, Nextcloud, VPN, and Wi-Fi (802.1X). Offboarding is one command.
Replaces OneDrive and Dropbox. File sync, document editing via Collabora Online, team calendars, contacts, and video calls — all authenticated via LDAP.
Full mail server handling inbound and outbound email for all staff. LDAP-authenticated IMAP/SMTP, DKIM/DMARC/SPF configured, spam filtering enabled.
Site-to-site tunnels connecting all three offices into one unified network. Remote employees connect via individual WireGuard peers — full access to internal resources.
We conducted a full workflow assessment of the client's business processes — accounting, HR, CRM, and procurement — then configured and deployed Odoo tailored to their exact operational model. Staff were trained before go-live.
Migration was executed in parallel with the existing SaaS stack. Employees cut over service by service — no big-bang migration, no weekend outages.
Post-deployment, the client moved to Hanshala's Pro support plan. Their infrastructure is managed continuously — no internal IT hire needed.
Every service, VM, VLAN, and WAN link monitored continuously. Alerts fire before users notice a problem.
Security patches applied on a tested schedule. Wazuh SIEM actively monitored for threats and anomalies.
Automated encrypted backups run daily. Restore tests run quarterly. Recovery time objective maintained at under 4 hours.
New hires provisioned same day. Leavers fully offboarded across every service in minutes — not hours.
Numbers reported by the client six months post-deployment compared to the pre-migration baseline.
All business data — email, files, calendars — now resides on hardware the client owns, in their country, under their jurisdiction.
One LDAP account authenticates email, file storage, VPN, and Wi-Fi. New employees are productive within hours of joining.
VLANs isolate employee, server, and IoT traffic. Every inter-VLAN access is logged. The flat network that allowed unrestricted lateral movement is gone.
Daily encrypted snapshots, tested quarterly. The first successful restore test — ever — was completed in week 8 of the project with a 3h 42m RTO.
The managed support contract covers everything the client would have hired a sysadmin for — at a fraction of the cost, with deeper expertise.
Every component is open source and standards-based. The client can move, fork, or self-manage any service at any time — no contract holds them hostage.