A fully open-source platform for deploying and operating secure Kubernetes infrastructure — built by and for European public sector organisations.
Otobots is designed for organisations where digital sovereignty, compliance, and operational control are not optional.
- National and regional government agencies requiring sovereign infrastructure under full jurisdictional control.
- Local governments modernising their IT without surrendering data to external cloud providers.
- Universities, research institutions, and school districts that need secure, reproducible compute environments.
- Energy, water, and transport organisations subject to NIS2 and IEC 62443 requirements.
- Hospitals and health services handling sensitive patient data under strict GDPR and national regulations.
- State-owned companies and public-sector IT service providers delivering shared infrastructure.
Four integrated components — from bare metal to running workloads — all declarative, all auditable, all open source.
Automation Hub
An Ansible Controller with SemaphoreUI providing a web-based interface for orchestrating all platform operations. PostgreSQL-backed, Nginx-fronted, deployable on AlmaLinux/Rocky or Debian/Ubuntu.
Kubernetes Deployment
Production-grade Kubernetes clusters deployed through Kubespray with structured inventory management. Supports control plane, worker, and bastion node topologies across any hypervisor.
Hardware-Rooted Security
A hardware-anchored zero-trust compute platform with offline Root CA, HSM-backed secrets, TPM-sealed credentials, and network-bound disk encryption. No persistent secrets anywhere.
Continuous Delivery
FluxCD-driven GitOps with Kustomize overlays for infrastructure components. OpenBao and tofu-controller managed declaratively from Git — the single source of truth.
Security is not a feature — it is the structure. Every layer enforces cryptographic boundaries anchored in hardware.
Physically secured, HSM-stored private key. Powered on only for controlled key ceremonies. Compromise of any online system cannot reach the root of trust.
Online Intermediate CA, Nitrokey HSM, TPM 2.0 sealing, OpenBao secrets engine, Tang network-bound disk encryption. The trust anchor for all downstream services.
Stateless hypervisors with no persistent secrets. VM lifecycle managed declaratively. Cloud-init ephemeral identity injection. Hypervisors are untrusted compute fabric.
LUKS2 encrypted disks, network-bound unlock, short-lived certificates, single-use tokens. A stolen VM image cannot be decrypted outside the trusted network boundary, because the disk key can only be recovered by talking to the Tang server on that network.
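To show why a copied LUKS2 disk is useless away from the Tang server, here is an added simulation (not Otobots or Tang code) of the blinded key-recovery exchange that Tang is built on. Tang performs it in an elliptic-curve group; this toy version uses modular exponentiation with a constructed prime so it runs with the Python standard library, and the names `TangServer`, `bind` and `unlock` are assumptions of this example.

```python
import hashlib
import secrets

# Toy group parameters, constructed for illustration only.
P = 2**127 - 1   # Mersenne prime; Tang uses an elliptic-curve group instead
G = 3

def kdf(x: int) -> bytes:
    """Derive a 32-byte wrapping key from a group element."""
    return hashlib.sha256(x.to_bytes(16, "big")).digest()

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))

class TangServer:
    """Holds long-term private key s. It only ever returns X**s, never s itself."""
    def __init__(self) -> None:
        self._s = secrets.randbelow(P - 2) + 1
        self.public = pow(G, self._s, P)     # S, published in the server advertisement
    def recover(self, x: int) -> int:
        return pow(x, self._s, P)

def bind(server_pub: int, luks_key: bytes) -> tuple[int, bytes]:
    """Provisioning: K = S**c wraps the LUKS key; only C and the blob stay on disk."""
    c = secrets.randbelow(P - 2) + 1
    C = pow(G, c, P)
    K = kdf(pow(server_pub, c, P))
    return C, xor(luks_key, K)       # c and K are discarded after binding

def unlock(server: TangServer, server_pub: int, C: int, blob: bytes) -> bytes:
    """Boot-time recovery: blind C with a fresh e so the server never learns C or K."""
    e = secrets.randbelow(P - 2) + 1
    X = (C * pow(G, e, P)) % P           # X = G**(c+e)
    Y = server.recover(X)                # Y = S**c * S**e
    K = kdf((Y * pow(pow(server_pub, e, P), -1, P)) % P)   # divide out S**e
    return xor(blob, K)
```

A thief who images the disk holds only `C` and the blob; without a live answer from the server holding `s` there is no way to rebuild `K`, which is exactly the property Clevis relies on when it binds a LUKS2 slot to Tang.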
The master key never leaves the HSM. The HSM PIN never leaves the TPM. No secret ever exists as copiable data on any filesystem.
Open-hardware security module manufactured in Berlin. Generates and stores non-extractable cryptographic keys. The root wrapping key for all platform secrets lives here — and only here.
The HSM PIN is sealed inside the server's TPM, bound to measured boot state (PCR values). If the firmware, bootloader, or kernel has been tampered with, the PCR values no longer satisfy the sealing policy and the PIN is never released.
Secrets management engine (MPL 2.0 fork of Vault). Encrypts all data with a master key unwrapped by the HSM via PKCS#11. Zero-touch unseal on every boot — no operator intervention.
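The unseal chain described above (measured boot releases the HSM PIN, the HSM unwraps the master key, OpenBao unseals) as an added simulation that is not Otobots or OpenBao code. It models PCR extension faithfully, but the sealing, wrapping and the `Hsm` class are deliberately simplified stand-ins so the whole chain runs offline with the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend: PCR' = SHA256(PCR || SHA256(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(chain: list[bytes]) -> bytes:
    """Fold firmware, bootloader and kernel images into one PCR value."""
    pcr = bytes(32)                      # PCRs are all-zero after reset
    for stage in chain:
        pcr = pcr_extend(pcr, stage)
    return pcr

def _xor(data: bytes, key: bytes) -> bytes:
    """Toy XOR wrapping with an HMAC keystream; real devices use proper key wrap."""
    pad = hmac.new(key, b"wrap", hashlib.sha256).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))

def tpm_seal(secret: bytes, expected_pcr: bytes) -> tuple[bytes, bytes]:
    """Seal a secret to a PCR policy; returns (policy digest, ciphertext)."""
    policy = hashlib.sha256(b"pcr-policy" + expected_pcr).digest()
    return policy, _xor(secret, policy)

def tpm_unseal(blob: tuple[bytes, bytes], live_pcr: bytes) -> Optional[bytes]:
    """The TPM releases the secret only if the live PCR satisfies the policy."""
    policy, ciphertext = blob
    live = hashlib.sha256(b"pcr-policy" + live_pcr).digest()
    if not hmac.compare_digest(policy, live):
        return None                      # tampered boot chain: PIN stays sealed
    return _xor(ciphertext, policy)

class Hsm:
    """Stand-in for the HSM: a non-extractable wrapping key behind a PIN."""
    def __init__(self, pin: bytes) -> None:
        self._pin = pin
        self._wrapping_key = os.urandom(32)   # never leaves the device
    def wrap(self, pin: bytes, key: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(pin, self._pin):
            return None
        return _xor(key, self._wrapping_key)
    def unwrap(self, pin: bytes, wrapped: bytes) -> Optional[bytes]:
        return self.wrap(pin, wrapped)   # XOR wrapping is its own inverse

def zero_touch_unseal(boot_chain, sealed_pin, hsm, wrapped_master) -> Optional[bytes]:
    """Boot: PCRs -> TPM releases HSM PIN -> HSM unwraps the secrets-engine master key."""
    pin = tpm_unseal(sealed_pin, measured_boot(boot_chain))
    return None if pin is None else hsm.unwrap(pin, wrapped_master)
```

Nothing written to disk (the sealed PIN blob and the wrapped master key) is usable on its own: the PIN needs the expected boot measurements and the master key needs the device holding the wrapping key.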
| Threat | Conventional Risk | Otobots Mitigation |
|---|---|---|
| Physical server theft | Key compromise | Hardware-sealed keys, encrypted disks |
| VM disk export | Data extraction | Network-bound unlock required |
| Hypervisor compromise | Secret exposure | No persistent secrets stored |
| Boot chain tampering | Rootkit persistence | TPM measured boot, PCR policy |
| CA compromise | Full trust collapse | Only intermediate affected; root offline |
Not a checklist — a structural design that satisfies regulatory requirements through engineering decisions.
Risk management, cryptographic controls, supply chain resilience, incident containment, deterministic rebuild capability.
Defence in depth, hardware root of trust, zone and conduit separation, least privilege cryptographic identity.
HSM-rooted key hierarchy, automated key lifecycle, recovery key distribution, encrypted secrets at rest.
ICT risk management, HSM-backed encryption, recovery key distribution, automated unseal and resilience.
Role-based access policies, TLS 1.3 enforcement, tamper-evident audit logging on every secret access.
Data sovereignty through local hardware trust. No third-party processors for key material. Article 17 via physical HSM destruction.
Every component is open source. No proprietary runtime dependencies. No per-node licenses. No metered API calls.
The root of trust is a physical device held by your organisation — not a cloud provider's managed service. Secret material never transits third-party infrastructure. Key management policies are set by you, not by a provider's terms of service. No data processing agreements required for the secrets management layer. No sub-processor notifications for key material.
Otobots is open source and available today on Codeberg. Explore the code, read the documentation, deploy on your terms.