Business ERP and Management Tools Deployed as Tor Hidden Services

Nextcloud provides file storage, calendar, contacts, collaborative document editing (Nextcloud Office), video calls (Nextcloud Talk), and project management (Nextcloud Deck) - a comprehensive business suite. Deploy Nextcloud on Ubuntu: install with the official installer script or Docker Compose. Configure Nextcloud to use localhost as the server address in config.php: 'trusted_domains' => ['youraddress.onion']. Configure the Tor hidden service: HiddenServiceDir /var/lib/tor/nextcloud/, HiddenServicePort 443 127.0.0.1:443. Enable HTTPS in Nginx (self-signed certificate for the .onion address, distributed to team members via fingerprint). Nextcloud's mobile clients (iOS, Android) support SOCKS5 proxy through Orbot, enabling mobile access to the .onion Nextcloud. Team members install Orbot, configure it to allow Nextcloud's app ID to use Tor, and configure the Nextcloud app to connect to youraddress.onion.

Odoo is a comprehensive open-source ERP covering CRM, sales, invoicing, inventory, HR, project management, and accounting. Deploying Odoo as a Tor hidden service provides: CRM data accessible only via Tor (client contact information not accessible from the clearnet), invoicing over .onion (finance team accesses billing through Tor Browser), and no public IP exposure for the Odoo server. Install Odoo 17 Community on Ubuntu: follow the official Odoo installation guide. Configure Nginx as a reverse proxy in front of Odoo (Odoo listens on 8069 by default). The Tor hidden service points to Nginx on port 443 or 80. The Odoo admin console and user interfaces work normally in Tor Browser. Performance consideration: Odoo's JavaScript-heavy interface is somewhat slower over Tor due to latency - each page load involves multiple requests. For teams accustomed to Odoo, the Tor latency is noticeable but manageable for internal tooling.

Kanban-based project management tools can be deployed as .onion services for privacy-conscious teams. Wekan (open-source Trello alternative) runs on Node.js - deploy with Docker: docker run -d -e MONGO_URL=mongodb://127.0.0.1:27017/wekan -e ROOT_URL=http://youraddress.onion -p 127.0.0.1:3000:3000 wekanteam/wekan. Configure Tor hidden service to port 3000. Wekan's interface works well in Tor Browser. Taiga (full project management with sprints, backlogs, issues) has a Django+Angular architecture. Deploy via Docker Compose, configure to use the .onion URL as the base URL. Taiga's real-time updates (WebSockets) work through Tor Browser. For GitHub/GitLab integration, configure webhooks to use Tor-exit-routed outbound requests so Taiga can reach clearnet CI/CD systems.

Employee data (salary, personal information, performance records) is among the most sensitive organizational data. Deploying HR tools as .onion services ensures: access to HR systems requires Tor, HR data never transits a clearnet connection, and the HR server's IP is not publicly exposed. Options: OrangeHRM (PHP, easy self-hosting), Frappe HR (Python, Django-based), or smaller tools like TimeOff Management. Configure as a standard web application behind Nginx, then expose via Tor hidden service. For payroll data specifically: apply full-disk encryption on the server (LUKS), use separate database credentials for HR and non-HR data, implement audit logging for all access to employee records, and limit the number of Tor-accessible accounts to those with actual HR function.

Managing access to multiple .onion business tools requires an organized approach. Options: (1) single .onion with path-based routing - one .onion address, Nginx routes /nextcloud to Nextcloud, /odoo to Odoo, etc. Simplifies address sharing but creates a single point of failure, (2) separate .onion per service - each service has its own .onion address, stored in an internal password manager, provides more isolation. For team authentication: single sign-on (SSO) with Authentik or Keycloak (deployed as a fourth .onion service) allows team members to log in once and access all .onion services. Authentik provides OIDC and SAML support compatible with Nextcloud, Odoo, and most web applications. Store the .onion addresses and access credentials in Bitwarden (self-hosted, deployed as yet another .onion service) for secure team password management.