Behind the scenes

Digital sovereignty: why we trust our developers more than big tech

Thomas Gfeller
14.11.2025
Translation: Patrik Stainbrook

Cloud limitations, proprietary interfaces, vendor-locked hardware, inflexible and outdated VPN protocols, overpriced «managed» services – while many still celebrate these apparent added conveniences, here at Galaxus, our needs have shifted.

Today, Galaxus has about 30 locations. Warehouses, stores, offices, clouds, all spread across Europe, connected with fibre optics, copper or even mobile communications. Depending on the use case, our software runs on Azure, GCP, Hetzner and our own servers directly in our warehouses and office buildings. The range of clouds, connection types and locations is constantly growing.


That’s why we’re investing in flexible IT infrastructure. This is particularly vital for the component underlying everything: the network.

It’s always that DNS…

Who on earth would build a company’s nervous system – the network that connects everything and everyone – based on inflexible and expensive contracts? Using hardware that dictates what’ll work, even making your options dependent on high licence fees? All from providers who calculate network development projects in years, not weeks?

That’s just not us.

The Planet Express development team – responsible for the IT infrastructure at Galaxus – has spent the last two years building our own network based entirely on open source technologies. No locked-in cloud service, no gag contracts. Only free, encrypted and scalable peer-to-peer connections. All this with software that we fully control.

A clever strategic positioning: open standards allow for freedom of choice, competition and better conditions. Depending on individual providers would cost us flexibility and money. For example, thanks to our flexible network, we can run our build pipelines on affordable servers from Hetzner or idle capacity in our own infrastructure.

And no, this isn’t a mere proof of concept. We’re not just «giving it a try». It’s been deployed for months. It transports your orders and parcel labels to our warehouse in Wohlen. It also lets our online shop call APIs hosted on Azure and Google in real time while you browse our website.

The building blocks

1. Infrastructure

Let’s start with the main discipline of our Digitec community: building PCs. At our own locations, we use MinisForum MS-01 computers with 2×10 Gbit/s SFP ports. This way, we can connect our Internet providers directly to our hardware, easily achieving 10 gigabits.


The brackets for our Minisforum computers, including the team logo, are 3D-printed in-house.

We add the following software:

Proxmox: the hypervisor that holds everything together. We’re essentially building our own (network) cloud, also allowing us interesting emergency access in case something goes wrong with the VMs.
OpenWRT: the operating system for our routers. It runs virtualised on the Proxmox nodes. Probably about half of everyone reading this article will access this page via a derivative of OpenWRT.

2. Network and connection

Tailscale: the client that establishes all connections. It turns any router or computer into a part of the network without having to bother with IP addresses or firewalls.
Headscale: the self-hosted control plane, our alternative to the managed Tailscale coordination service. We don’t use the SaaS offering, since such services often change their conditions arbitrarily. Headscale manages who’s allowed to communicate with whom.

3. Automation and scaling

And how do we make the whole thing scalable? How do we prevent our developers from having to make configurations on 30 gateways?

Terraform: for the automatic instantiation of gateways on Proxmox or with our cloud providers.
Ansible: for configuration with Jinja2 templates and YAML files. It lets us configure all gateways in a single run. We’ve open-sourced our code to show you exactly how we do this. You can find the link below.

How does the whole thing work technically?

This isn’t a conceptual technical diagram, it’s a direct export from our documentation.

The red dotted lines show direct peer-to-peer VPN connections between our locations and clouds. We use endpoints at Google, Microsoft, Hetzner and on-premise environments. Our VPN automatically establishes direct connections between the locations that are allowed to communicate with each other.

The green lines show how all locations obtain their configuration from our control server (headscale), which configures the network but doesn’t route any VPN connections itself.
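The «who may talk to whom» rules that Headscale hands out (see the Headscale entry under «Network and connection» and the green lines above) are an ACL policy; the actual packets then flow peer-to-peer, so getting the policy right is what keeps a warehouse gateway from becoming a stepping stone to a build server. The following Python script is an added illustration, not code from the article or from the Galaxus framework: it builds a Headscale/Tailscale-style policy from a constructed site inventory and then lets you check, before rolling it out, which site may reach which port where. The site names, tags, ports and the allow-list are assumptions chosen for the example; the JSON shape (`acls` entries with `action`, `src`, `dst` as `host:port`) follows the Tailscale policy format that Headscale accepts.

```python
"""Build and sanity-check a Headscale/Tailscale-style ACL policy.

Constructed example, not Galaxus code. Sites, tags, ports and the allow-list
below are assumptions for illustration only.
"""
import json

# Constructed inventory: which tag each gateway carries. Tags are what the
# policy refers to, so adding a site never requires touching the rules.
SITES = {
    "warehouse-wohlen": "tag:warehouse",
    "office-zurich": "tag:office",
    "shop-azure": "tag:shop",
    "shop-gcp": "tag:shop",
    "build-hetzner": "tag:build",
}

# Constructed allow-list as (src tag, dst tag, port). Everything not listed is
# denied: once a policy exists, Tailscale/Headscale ACLs are default-deny.
ALLOWED = [
    ("tag:shop", "tag:warehouse", 443),   # orders and parcel labels to the warehouse
    ("tag:office", "tag:shop", 443),
    ("tag:office", "tag:warehouse", 22),
    ("tag:build", "tag:shop", 443),
]


def build_policy(allowed=ALLOWED):
    """Render the allow-list as a policy dict (json.dumps gives the file Headscale loads)."""
    acls = [
        {"action": "accept", "src": [src], "dst": [f"{dst}:{port}"]}
        for src, dst, port in allowed
    ]
    return {"acls": acls}


def _host_matches(pattern, tag):
    return pattern == "*" or pattern == tag


def _port_allowed(spec, port):
    """spec is '*', '443', '80,443' or '1000-2000' as in the dst 'host:port' syntax."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if not lo.isdigit():
            continue
        if hi == "" and int(lo) == port:
            return True
        if hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False


def can_reach(policy, src_site, dst_site, port, sites=SITES):
    """True if any accept rule lets src_site open `port` on dst_site."""
    src_tag, dst_tag = sites[src_site], sites[dst_site]
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_host_matches(s, src_tag) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, ports = dst.rpartition(":")
            if _host_matches(host, dst_tag) and _port_allowed(ports, port):
                return True
    return False


def find_wildcards(policy):
    """Indices of rules whose src or dst host is '*': worth a second look before deploying."""
    hits = []
    for i, rule in enumerate(policy["acls"]):
        if "*" in rule["src"] or any(d.rpartition(":")[0] == "*" for d in rule["dst"]):
            hits.append(i)
    return hits


def reachability_matrix(policy, port, sites=SITES):
    """Sorted (src, dst) site pairs that may talk on `port`; handy for a change review."""
    return sorted(
        (s, d) for s in sites for d in sites
        if s != d and can_reach(policy, s, d, port, sites)
    )


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print("over-broad rules:", find_wildcards(policy))
    for pair in reachability_matrix(policy, 443):
        print("443 allowed:", *pair)
```

Running the script prints the policy JSON plus the list of site pairs that may talk on 443; in this constructed inventory the warehouse can be reached by the shop endpoints but can itself initiate nothing, which is the least-privilege shape you want for a node that only receives orders. `reachability_matrix` is the thing to diff between the old and new policy in a pull request.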

Open-sourcing our Ansible OpenWRT framework

As mentioned above, we’ve open-sourced our Ansible OpenWRT framework on GitHub. So if any of you would like to use it yourself, go ahead. We look forward to PRs and discussions in the repository.

Conclusion: taking charge pays off many times over

We’ve seen where unhealthy dependencies on individual companies lead us: bad offers, slow and complicated processes and difficult collaboration. Our network is the opposite: fast, secure, flexible and controllable.

The best part? Our devs enjoy working with it and you can build it yourself, no matter what you need it for – your own company or your Arrr stack at home. Do you have any technical questions? Put them in the comments!

P.S.: whatever happened to the Linux thin clients?!

They’re still in service, and their footprint has grown to around 640 simultaneously active clients over the last three years. This means the number of devices in use has roughly doubled since we started.

And the GitHub repository is still active, getting lots of engineering love from us!

The first server I had was back at my parents’ house: a Debian jam-packed with videos and games. After spending many years as a Windows gamer, I fell into the open source rabbit hole, and I'm not coming out again. The power that ecosystem gives you as an engineer is just too awesome. At Galaxus, I’ve been a team leader since 2018. Both at my job and in my spare time, I enjoy hacking and tinkering. 