opencloud

Open source file management and collaboration platform that keeps your data under your control, no database required.

5.7Kstars
214forks
Apache License 2.0
Go

OpenCloud is a self-hosted file management and collaboration platform engineered for organizations that require complete data sovereignty. It enables teams to securely store, share, and collaborate on files without relying on third-party cloud infrastructure — deployable on your own servers or via certified partners. Designed from the ground up in Go, it serves public sector bodies, research institutions, educational organizations, and enterprises subject to GDPR and zero-trust security requirements.

Unlike conventional file platforms, OpenCloud stores all data directly on the filesystem — no database engine required. Authentication is handled via OpenID Connect, integrating with external identity providers such as Keycloak or the bundled LibreGraph Connect IDP. The platform exposes a Microsoft Graph-compatible REST API, supports WebDAV, and implements Open Cloud Mesh (OCM) for cross-instance federated sharing between independent OpenCloud deployments.

The platform is decomposed into 41 independent microservices — spanning storage, collaboration, search, antivirus scanning, event processing, and policy enforcement — all compiled into a single binary for straightforward deployment. Real-time co-editing is provided through the WOPI protocol, enabling integration with ONLYOFFICE, Collabora Online, or Microsoft Office Online. Full-text content search is built in via an embedded Bleve engine or pluggable OpenSearch backend.

OpenCloud has grown rapidly since its 2025 launch, reaching v7.1 in mid-2026 with over 5,600 stars and active releases every few weeks. The project is backed by OpenCloud GmbH and a contributor community of 100+ developers, making it a credible enterprise-grade alternative to proprietary cloud storage platforms.

What You Get

  • File Management & Granular Sharing - Upload, organize, and share files or folders with configurable access controls, password-protected links, expiration dates, and upload-only link options.
  • Real-Time Document Co-Editing - Built-in WOPI integration enables simultaneous editing of documents, spreadsheets, and presentations in ONLYOFFICE, Collabora Online, or Microsoft Office Online without leaving the browser.
  • Federated Cross-Instance Sharing (OCM) - Open Cloud Mesh support lets users on separate OpenCloud instances share files with each other using a trusted-provider invitation workflow — no vendor account required.
  • Full-Text Content Search - An embedded Bleve engine indexes file content and metadata out of the box; pluggable OpenSearch backend is available for larger deployments requiring horizontal search scaling.
  • Policy-Based Access Control - The policies service uses Open Policy Agent (OPA) and Rego rule files to enforce custom authorization logic at both the HTTP proxy layer and in async post-processing pipelines.
  • Antivirus Scanning & Post-Processing Pipeline - Uploaded files pass through a configurable post-processing pipeline that includes ClamAV-backed antivirus scanning before files are made available to users.
  • Activity Logs & Audit Trails - The activitylog and eventhistory services capture distributed audit events using Protocol Buffers, providing administrators with tamper-evident records of file operations.
  • Resumable Uploads with TUS Protocol - Large file uploads use TUS resumable upload protocol, ensuring uploads survive network interruptions without requiring a restart from scratch.

Common Use Cases

  • Government Agency Document Exchange - A public sector body deploys OpenCloud on-premise to exchange sensitive citizen documents between departments, satisfying GDPR and NIS2 requirements while retaining exclusive control over encryption keys and infrastructure.
  • University Research Data Repository - A research consortium uses OpenCloud’s OCM federation to share multi-terabyte datasets across three university instances, with versioning ensuring reproducibility and ransomware protection for long-term archival.
  • Enterprise Replacing Cloud Storage - A mid-sized company migrates from Dropbox or OneDrive to OpenCloud, eliminating per-seat SaaS costs and vendor lock-in while enforcing department-level access policies through OPA Rego rules.
  • School District Collaboration Platform - A district runs OpenCloud on its own infrastructure so students and teachers can collaborate on assignments and projects with role-based access controls, keeping student data off external cloud services entirely.
  • Regulated Industry File Workflows - A pharmaceutical company uses the antivirus scanning pipeline and audit eventhistory to satisfy file-handling compliance requirements, while the policies service enforces upload restrictions by file type and size.

Under The Hood

Architecture OpenCloud is structured as a purpose-built microservice system where each domain concern — storage, authentication, collaboration, search, event routing, policy enforcement — lives in its own isolated service package. All 41 services are registered through a shared runtime and compiled into a single binary, allowing both single-process deployment and selective standalone scaling without changing any application code. Service contracts are defined via Protocol Buffers and CS3 APIs, making inter-service communication strongly typed and amenable to independent versioning. The system achieves a clean separation between data concerns (decomposed filesystem with posix, decomposeds3, and owncloudsql drivers), identity (OIDC with pluggable external IdPs or embedded LibreGraph Connect), and policy (OPA-driven Rego evaluation in both synchronous proxy middleware and asynchronous post-processing pipelines). This design means the core storage abstraction can be swapped or extended without touching authentication or collaboration logic.

Tech Stack The backend is written in Go 1.25, built with a Cobra-based CLI and organized into the go-micro v4 service framework with gRPC transport. NATS JetStream acts as the event bus and key-value store, replacing the need for an external message broker in most deployments. The storage layer avoids a relational database entirely: files are written directly to POSIX-compliant filesystems (decomposedfs) or to S3-compatible object storage (decomposeds3). A Microsoft Graph-compatible REST API sits alongside WebDAV endpoints, served through go-chi. Document collaboration is implemented via the WOPI protocol so any WOPI-compatible document server — ONLYOFFICE, Collabora, Microsoft Office Online — can attach without custom integration. Full-text search uses Bleve (embedded) or OpenSearch (external), with content extraction from files happening in the search service. Node.js with pnpm and Rollup handles frontend asset generation, and PHP 8.3 with Composer manages static analysis tooling. The Docker build uses a multi-stage pipeline on Alpine to produce a minimal production image.

Code Quality The test suite centers on an extensive Gherkin-based acceptance test library covering authentication, sharing, antivirus, archiving, download, search, OCM federation, and the Graph API — organized into dozens of feature files with hundreds of scenarios. Go unit tests exist in the service packages, and PHP-based API tests complement the Gherkin layer for specific API contract checks. CI runs on a self-hosted Woodpecker instance. Linting is enforced with golangci-lint, and formatting through .editorconfig. Configuration structs are thoroughly annotated with environment variable names, introduction versions, and inline descriptions, which doubles as machine-readable documentation. The codebase shows explicit and consistent error handling patterns with typed errors and HTTP semantic enforcement rather than swallowed errors, though inline comment density in some service packages is moderate rather than extensive.

What Makes It Unique OpenCloud’s most distinctive technical choice is its database-free storage model: the decomposedfs driver stores both blob data and metadata directly on POSIX filesystems, eliminating a relational database as an operational dependency while preserving strong consistency semantics. The Open Cloud Mesh implementation provides genuine federated file sharing between independent instances using an invitation workflow — a capability rarely found in self-hosted platforms. The embedded LibreGraph Connect IDP means OpenCloud can bootstrap a functional OpenID Connect identity provider without any external IAM infrastructure, removing a major barrier for small-team deployments. Combining OPA-based policy enforcement with a pluggable post-processing pipeline (antivirus, policies, custom steps) gives operators fine-grained control over file workflows that most self-hosted platforms expose only at the application layer.

Self-Hosting

OpenCloud is licensed under the Apache License 2.0, one of the most permissive open source licenses available. This means you can use it commercially, modify the source code, distribute your changes, and include it in proprietary systems without any copyleft obligations. There are no contributor license agreement surprises that would prevent you from forking or customizing the platform for your specific deployment. The Apache 2.0 license also provides an explicit patent grant from contributors, which matters for organizations with legal review requirements around open source adoption.

Running OpenCloud yourself requires a Linux server (or container environment) with sufficient disk I/O throughput for your expected file volume, since all data lands on a POSIX filesystem rather than a database. The single-binary deployment model simplifies initial setup considerably: two commands (init and server) start a functioning instance. For production, you will need to provision NATS for event routing, configure an external identity provider or rely on the embedded LibreGraph Connect IDP, and set up TLS termination via a reverse proxy. Scaling individual services horizontally (particularly storage and search) requires understanding which services maintain local state and which can safely run multiple instances. Operational responsibility for backups, version upgrades, and security patching sits entirely with you — OpenCloud releases frequently (roughly bi-weekly), so staying current requires an active maintenance process.

OpenCloud GmbH offers commercial support, managed hosting via certified partners, and enterprise agreements for organizations that want professional SLAs, assisted deployment, or hands-off managed upgrades. Compared to running the open source version yourself, the managed offering removes the operational burden of NATS management, storage driver tuning, and certificate rotation. The open source version provides full feature parity with no artificial restrictions; there is no “community edition vs enterprise edition” split that gates functionality behind a paywall.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search