Active project

In development since 2019

Sovereign identity and policy management

Keystone is a self-hosted platform that aims to replace Active Directory, Entra ID, Intune, and Always-On VPN with a unified stack built on proven open-source components. The goal is to give organisations full sovereignty over identity, device compliance, and network access, without vendor lock-in, per-seat cloud licensing, or forced telemetry.

In development since 2019. The architecture, policy agent, plugin system, GPO conversion pipeline, compliance bridge, and management CLI are functional. Source is not yet public. If you want to follow progress or discuss deployment scenarios, reach out through the contact page.

Components

What is in the stack

Directory and KDC

Authoritative directory, Kerberos KDC, integrated DNS, and SYSVOL share. Replaces AD DS and the AD CS KDC role.

Identity and SSO

Modern SSO with OIDC and SAML, MFA via TOTP, WebAuthn, and passkeys, and user self-service. Replaces Entra ID.

Mesh network

Self-hosted WireGuard mesh with ACLs derived from directory group tags. Replaces Always-On VPN and DirectAccess.

complyd

Compliance bridge that evaluates device state over mutually authenticated gRPC and gates network access via mesh ACL tags. Replaces Intune plus Conditional Access.

linpolld

On-endpoint policy agent that mounts SYSVOL via Kerberos, merges policies by OU precedence, dispatches to plugins, and reports compliance every 90 seconds.

polltool and keystonectl

Operator and management CLIs for enrolment, policy inspection, compliance history, and directory administration. Replaces RSAT and the AD Admin Center.

Architecture

A closed loop between seven services

The directory is the source of truth. The identity service federates SSO. A self-hosted WireGuard mesh runs the network. complyd evaluates device state and writes tags that gate network access. linpolld pulls policy from SYSVOL and reports compliance. Every inter-component call uses Kerberos.

   polltool ----unix----> linpolld
                             |
            Kerberos TGS     |     Kerberos TGS
          (cifs/dc.realm)    |   (HTTP/complyd.realm)
                 |           |           |
                 v           |           v
           +-----------+     |     +-----------+
           | Directory |<----+---->|  complyd  |
           |  SYSVOL   |           +-----+-----+
           +-----------+                 |
                                    tag write
                                         |
                                         v
                                   +-----------+
                                   |   Mesh    |
                                   |   ACLs    |
                                   +-----+-----+
                                         |
                                    WireGuard
                                      mesh

Design decisions and trade-offs

Why the stack looks like this

Self-hosted, not cloud-hosted

Operators run the full stack on their own hardware. More operational responsibility, but no per-seat licensing, no forced telemetry, and no foreign jurisdiction over identity data.

Kerberos for every component

Higher setup complexity than bearer tokens, but inter-component authentication reuses the proven mechanism the directory already provides, so there is no parallel secret store to compromise.

Compliance gates network access

Endpoints that fail policy evaluation lose mesh-network ACLs to sensitive subnets. Stricter than reporting-only models, but it makes "non-compliant" a real boundary instead of a dashboard colour.

Roadmap

What is on the roadmap

What works today

  • Docker Compose stack with directory, identity, mesh networking, complyd, and a reverse proxy.
  • linpolld agent with Kerberos auth, SYSVOL read, plugin dispatch, and compliance reporting.
  • Reference plugins for nftables firewall and Linux desktop screen lock.
  • Policy merge across OU hierarchy with precedence, force, and inheritance blocks.
  • polltool CLI with enrol, run, policy show, and compliance list.
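As an added illustration of the OU merge that linpolld performs (described under linpolld above and in the policy-merge item in this list), here is a small Python model of precedence, forced settings, and inheritance blocks. It is not Keystone's code; the OU names, setting keys, and the exact rules (a closer OU overrides a farther one, a forced key from a higher OU beats lower overrides and survives an inheritance block) are assumptions modelled on GPO processing.

```python
from dataclasses import dataclass, field

@dataclass
class OuPolicy:
    """Policy fragment attached to one OU in the chain from the domain root to the endpoint."""
    name: str
    settings: dict
    forced: set = field(default_factory=set)   # keys this OU pins; lower OUs cannot override them
    block_inheritance: bool = False            # drop non-forced settings inherited from ancestors

def merge_policies(chain):
    """Merge OU policies root-to-leaf. Returns {key: (value, ou_name)} for the effective policy.

    Assumed rules, modelled on GPO processing: a closer OU overrides a farther one, a forced key
    from a higher OU beats any lower override, and an inheritance block discards everything
    inherited except forced keys."""
    effective = {}
    forced_keys = set()
    for ou in chain:
        if ou.block_inheritance:
            effective = {k: v for k, v in effective.items() if k in forced_keys}
        for key, value in ou.settings.items():
            if key in forced_keys:
                continue  # pinned by an ancestor; keep the ancestor's value and source
            effective[key] = (value, ou.name)
            if key in ou.forced:
                forced_keys.add(key)
    return effective

def noncompliant_keys(effective, observed):
    """Keys whose observed device state differs from the effective policy (what the agent would report)."""
    return sorted(k for k, (want, _) in effective.items() if observed.get(k) != want)

# Constructed OU chain: Domain -> Workstations -> Engineering (Engineering blocks inheritance).
EXAMPLE_CHAIN = [
    OuPolicy("Domain",
             {"screen_lock_seconds": 900, "ssh_password_auth": "no", "ntp_servers": ["ntp.example.com"]},
             forced={"ssh_password_auth"}),
    OuPolicy("Workstations", {"screen_lock_seconds": 600, "firewall_default": "drop"}),
    OuPolicy("Engineering", {"screen_lock_seconds": 300, "ssh_password_auth": "yes"},
             block_inheritance=True),
]

if __name__ == "__main__":
    policy = merge_policies(EXAMPLE_CHAIN)
    for key, (value, source) in sorted(policy.items()):
        print(f"{key} = {value!r}  (from {source})")
    # Engineering tried to re-enable password auth; the forced Domain setting wins.
    print("non-compliant:", noncompliant_keys(policy, {"ssh_password_auth": "yes", "screen_lock_seconds": 300}))
```

Running it shows the Workstations firewall default and the Domain NTP servers discarded by the block, while the forced SSH setting survives both the block and the Engineering override.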

What is next

  • Tier-1 plugin suite: packages, mounts, sshd, updates, custom scripts, PAM, sudoers, DNS, NTP.
  • GPO conversion pipeline mapping 80+ Windows settings to linux-policy.yml.
  • Distro matrix testing across Ubuntu, Debian, RHEL, and Fedora.
  • Certificate auto-enrolment.
  • Keystone Console, REST API, RBAC, and OU-scoped delegation by v1.0.

Who it is for

Sovereignty over IT

Organisations that need to audit and operate their identity, device, and network stack without depending on a single vendor's cloud, pricing model, or geopolitical jurisdiction. Keystone is planned to be released under a permissive open-source licence once the foundation stabilises.

Follow the build

Source is not yet public. If you want progress updates or to discuss a deployment scenario, get in touch through the contact page.