When we looked at our monthly SaaS invoices and realized we were spending nearly $1,000 per month across four separate platforms, the frustration was familiar but hard to ignore. We were paying for a CRM, quoting software, a margin calculator, and an internal documentation platform, each with its own per-user pricing, its own annual price increases, and its own collection of features we had never asked for and would never use.
Combined, that came to roughly $12,000 per year flowing out to vendors for tools that were overbuilt for our needs and underbuilt for our workflows. As an MSP that advises clients on infrastructure decisions every day, the irony of renting our own operational tools from four different vendors while storing our business data on their servers was hard to overlook. We knew we had the infrastructure and the capacity to do something about it, so we did.
Why We Made the Move
Teclara Technologies is a cybersecurity firm based in Oakville, Ontario, serving clients across Canada. As the business grew, so did the need for internal tooling that fit the way the team actually works.
Off-the-shelf SaaS tools came with recurring per-user costs, limited customization, and data residency concerns that did not sit well with a company built around security and control. For a firm that helps clients make infrastructure decisions every day, relying entirely on third-party platforms for our own operations felt like a gap worth closing.
The question was how to close it without introducing operational overhead that would distract from client work.
What Made This Viable
Two developments converged to make the project realistic in a way it would not have been even a year earlier.
The first was AI-assisted development. We used Claude Code, Anthropic's AI development tool, to design, build, and ship four production applications. These were fully functional tools that replaced every capability we had been paying for, and a single team member built all four of them in under two weeks without bringing in external developers or standing up any kind of project management overhead. Claude Code handled our business logic, iterated on feedback in real time, and produced production-quality code that we own outright. The build-vs-buy equation has shifted in a meaningful way, and most businesses have not caught up to what that means yet.
The second was that the infrastructure already existed. Teclara operates a 3-node Proxmox virtualization cluster with 128GB of total RAM, a 16TB Synology NAS for backups and storage, and a Tailscale mesh network connecting everything. All of that capacity was already in place, already paid for, and already managed. We simply started using it for internal application hosting. We did not purchase new hardware, add any cloud compute bills, or create any new vendor relationships.
What We Built
We replaced each of the four SaaS subscriptions with a purpose-built internal application:
- Internal CRM : Handles contact management, pipeline tracking, and activity logging, scoped to exactly what our team uses on a daily basis.
- Quote Generator: Produces professional proposals with our branding, pricing logic, and approval workflows built into the tool itself.
- Margin Calculator: Provides real-time cost and margin analysis tailored to our specific service catalog and pricing model.
- Knowledge Base: A searchable internal wiki for SOPs, runbooks, onboarding documentation, and tribal knowledge that would otherwise live in someone's head or a scattered collection of shared documents.
Each tool was designed around how we actually work. There is no feature bloat, no unused modules, and no per-seat licensing tiers.
The Architecture
Rather than spinning up cloud instances or adopting a complex orchestration platform, we built a deliberately simple deployment model using the infrastructure we already had.
Development
All development happens on a desktop workstation running Windows with WSL2 and Ubuntu. Docker Compose provides a local development environment with hot reloading and a disposable Postgres instance. Developers work in VS Code connected via Remote SSH, which gives them the full compute resources of the desktop regardless of which laptop they happen to be working from.
Production
Each application runs as a bare Node.js process inside its own Proxmox LXC container. We chose LXC over full virtual machines for its near-native performance and lower resource overhead, which is particularly important for database I/O. Each app container contains only what it needs to run: Node.js, the application code, a systemd service, and a GitHub Actions runner.
The database layer is centralized. A single dedicated LXC container runs PostgreSQL 16 and hosts databases for all of the internal applications. Each app connects with its own credentials to its own database, so there is no shared access and no cross-app data leakage. The Postgres container sits on SSD storage for optimal I/O performance.
The entire production stack consists of Linux containers, a database, and a deployment pipeline. There is no Kubernetes, no container orchestration platform, and no service mesh.
Networking and Security
All communication between containers happens over Tailscale, which provides encrypted mesh networking between every node, MagicDNS for stable human-readable hostnames, and access control lists that restrict which containers can communicate with each other.
App containers can only reach the database on port 5432. None of the applications have public URLs, which means there is no attack surface for bots, scanners, or threat actors to probe. Despite that, the team accesses these tools seamlessly from home offices, client sites, and on the road, with the same ease they would expect from any cloud application and the security posture of an air-gapped network.
Deployment
The CI/CD pipeline is intentionally simple. Each application's GitHub repository contains a GitHub Actions workflow that runs on a self-hosted runner installed directly on the app's own LXC container. When code is pushed to the main branch, the runner pulls the latest code, installs dependencies, builds the application, runs database migrations, restarts the systemd service, and confirms the app is healthy before marking the deployment as complete.
There are no container images to build, no registries to manage, and no remote SSH involved during deployment. The entire process is triggered by a git push.
Backups
Two layers of backup protection run automatically without any manual intervention:
- Database level: A nightly cron job runs
pg_dumpfor every database, compresses the output, and stores it on the Synology NAS via NFS with 30-day retention. - Infrastructure level: Proxmox snapshots the Postgres LXC daily and app LXCs weekly.
Database dumps allow granular point-in-time recovery for individual records or tables. LXC snapshots provide full disaster recovery at the container level. Both processes run on schedule without human involvement.
The Full Stack
| Component | Role | Technology |
|---|---|---|
| Desktop (WSL2) | Development environment | Docker Compose, VS Code Remote SSH |
| App LXCs | Production app hosting | Node.js, systemd, GitHub Actions runner |
| Postgres LXC | Centralized database | PostgreSQL 16, dedicated SSD storage |
| Tailscale | Networking and access control | Encrypted mesh, MagicDNS, ACLs |
| GitHub Actions | CI/CD pipeline | Self-hosted runners, push-to-deploy |
| Synology NAS | Backups and storage | NFS, pg_dump, Proxmox backup storage |
| Proxmox | Virtualization platform | LXC containers, snapshot backups |
Adding a new application follows a repeatable pattern: create a database, spin up an LXC, provision it with a short setup script, register a GitHub Actions runner, and push code. The first deployment takes about 15 minutes of manual setup, and every deployment after that is fully automated.
The Results
Financial Impact
| Metric | Before | After |
|---|---|---|
| Monthly SaaS spend (4 tools) | ~$1,000/mo | $0/mo |
| Annual software cost | ~$12,000/yr | Negligible (existing infrastructure) |
| New hardware purchased | - | None |
| New cloud services added | - | None |
| Projected 3-year savings | - | $36,000+ (accounting for annual price hikes) |
Security
Every design decision reinforced the security-first posture that we bring to our client work. None of the applications are exposed to the public internet. All traffic between containers is encrypted via Tailscale. Database access is restricted by both Tailscale ACLs and per-app Postgres credentials. App containers are isolated from each other. Client data stays on our infrastructure and never passes through an external vendor's servers. Backups are automated, layered, and stored on dedicated hardware.
Operations
A single team member built all four tools in under two weeks using Claude Code, with no external development resources involved. We own the code, the data, and the product roadmap for each application. A new app can go from nothing to production in about 15 minutes of setup, and after that initial provisioning, every subsequent deployment is triggered by pushing code to GitHub. The entire stack is simple enough that one engineer can understand, operate, and troubleshoot it without specialized knowledge.
Credibility
Our internal systems now run on the same Proxmox, Tailscale, and security-first architecture that we deploy and manage for our clients. The tools that power our daily operations were built on the same platforms and follow the same principles that we recommend to the businesses we serve. For a security firm, that consistency between what we recommend and what we actually run matters.
Key Takeaways
Most businesses that run any kind of server, NAS, or virtualization platform already have unused capacity that could host internal tools. The infrastructure is often already in place and already paid for, but underutilized.
AI-assisted development tools like Claude Code have meaningfully changed the economics of building custom software. What used to require a dedicated development team and months of work can now be done by a single person in a matter of weeks. That shift makes custom internal tools accessible to small teams in a way that was not previously realistic. The same principle applies to operational workflows. We used Claude and MCP connectors to build a complete sales pipeline in three hours, again without writing traditional integration code.
The architecture that made this work was deliberately simple. A single database server, one container per application, one deployment pipeline, and no public exposure. The most important decisions turned out to be the most straightforward ones, and the rest of the design followed naturally from those constraints.
Tailscale demonstrated that security and day-to-day usability do not have to be in tension with each other. Our team gets an experience that feels like using any cloud application, while the underlying network has no public attack surface and no exposed ports.
Every SaaS subscription a business continues to pay is a deliberate choice. For organizations that are ready to evaluate that choice, the best place to start is with the tool that causes the most frustration, delivers the least value relative to its cost, and charges the highest per-user fee.
If your business is paying for software that does not fit the way you work, contact Teclara to talk about what a leaner, more secure stack could look like.