Internal Portal — App Overview

All applications run on self-hosted infrastructure. Personal and financial data never leave our own server — no SaaS, no third-party providers.

14Apps + Services
1Login (SSO)
100%Self-hosted
E2EVault Encryption
01 Budget — Household Finance Book ✓ Live
Problem
Income, loan repayments and standing orders get lost without structure — no clear financial overview.
Solution
Transactions organised by account and category, real-time balances, loan and standing-order management in one interface.
Effect
Complete picture of the financial situation at any time — no more hunting through bank statements.
Features
Multiple accounts (bank, PayPal, cash)
Itemised receipts with line positions
Standing orders with due date
Loan management + repayment schedule
Separate deposit tracking
Multi-currency support
Technical Principle — Tamper-proof Balance
// No stored balance value — everything calculated at runtime:
balance = opening_balance
           + SUM(all credits on this account)
           - SUM(all debits from this account)

// Transfer = atomic pair: either both sides or neither
BEGIN TRANSACTION
  post_debit(source_account, amount)
  post_credit(target_account, amount)
COMMIT
Runtime Balance Calculation Atomic Transfers ACID Transactions
Self-hosted No third-party providers
02 Receipts — Document Management ✓ Live
Problem
Incoming invoices as paper stacks or unstructured files — tax evaluation nearly impossible.
Solution
Digital receipt capture with chart of accounts, scanned attachments and gap-free sequential numbering.
Effect
Tax reporting at the click of a button — filter receipts instead of searching for them.
Features
File attachment (PDF, image, max 10 MB)
Chart of accounts pre-configured
Split bookings (multiple cost centres)
Payment status + payment method
Project assignment for rechargeable costs
Period evaluation by account
Technical Principle — Secured File Download
// File stored OUTSIDE the public web directory
REQUEST: /receipts/download?id=42
  → Check session          // Is user logged in?
  → Check permission       // Does this receipt belong to the user?
  → Stream file from secured path
  // No direct URL to the file exists — bypass impossible

Sequential numbering: R-YYYY-00001, 00002, 00003 …
  // Gaps are detectable — audit trail integrity
Access-controlled File Storage Sequential Numbering Audit Trail
Audit-relevant Self-hosted No cloud
03 Calendar & Reminders ✓ Live
Problem
Appointments scattered across different apps — Nextcloud sync manual and error-prone.
Solution
Local + Nextcloud calendars in one view, tasks with priority visible directly in the calendar.
Effect
One glance shows appointments and to-dos — automatically synchronised, no Google, no Apple.
Features
Multiple calendars with colour coding
Week / month / list view
Tasks (Normal / High / Urgent)
Due dates shown as calendar markers
Nextcloud CalDAV sync (bidirectional)
Technical Principle — Open Protocol, No Vendor Lock-in
// Open standard: CalDAV (RFC 4791) + iCalendar (RFC 5545)
Local appointment
  → iCalendar format (VEVENT)
  → HTTPS PUT → Nextcloud CalDAV endpoint
  → Nextcloud syncs further to phone, desktop …

Incoming from server:
  → HTTPS GET → parse iCalendar → update local DB

// Compatible with: macOS, iOS, Android, Thunderbird, Outlook
CalDAV RFC 4791 iCalendar RFC 5545 Nextcloud No Vendor Lock-in
Own Nextcloud server GDPR-compliant operation
04 Contacts — with Nextcloud Sync ✓ Live
Problem
Customer and supplier data spread across programs and notebooks — filling invoice forms manually wastes time.
Solution
Central address book with automatic customer number, full-text search, tag filter and CardDAV sync.
Effect
Invoices and projects fill address fields automatically — contacts always in sync everywhere.
Features
Complete address and company data
Tag system (customer, supplier, private …)
Automatic customer number assignment
Full-text search + tag filter
Nextcloud CardDAV sync (bidirectional)
Technical Principle — Open Address Book Protocol
// Open standard: CardDAV (RFC 6352) + vCard 3.0 (RFC 6350)
Local contact (name, address, phone, e-mail …)
  → Serialise vCard: FN, ADR, TEL, EMAIL, ORG …
  → HTTPS PUT → Nextcloud CardDAV endpoint

Incoming:
  → Parse vCard → update local DB

// Customer number: assigned atomically → no duplicates possible
New customer number = MAX(existing) + 1  ← inside a transaction
CardDAV RFC 6352 vCard RFC 6350 Atomic Number Assignment
GDPR — deletion possible at any time No third-party provider
05 Mileage Log ✓ Live
Problem
Documenting business trips completely for tax purposes — spreadsheets are error-prone and changes hard to track.
Solution
Digital mileage log with automatic km calculation and server-side 7-day lock mechanism.
Effect
Tamper-resistant, print-ready proof — inspection and insurance deadlines always in view.
Features
Multiple vehicles manageable
Trip type: private / business / commute
Entries locked after 7 days
Service log + fuel log
Inspection warning 60 days before expiry
Print-ready export
Technical Principle — Server-side Lock Logic
// Lock is server-side — UI manipulation has no effect
EDIT REQUEST for entry dated [date]:

  days_elapsed = TODAY − ENTRY_DATE

  IF days_elapsed > 7:
    → Reject request (403)   // independent of user, independent of browser
  ELSE:
    → Editing permitted

// Inspection warning: checked daily, 60-day lead time
IF (inspection_date − TODAY) < 60 days → dashboard warning
Server-side Immutability Tax Compliance Proactive Deadline Monitoring
Immutability (tax law) Self-hosted
06 Time Tracker — Working Hours ✓ Live
Problem
Creating rosters and time records manually — target/actual comparison, sick days and holidays get lost.
Solution
Digital weekly schedule, clock-in/out with one click, holiday allowance and automatic overtime calculation.
Effect
CSV export with full working-time record — balance always up to date.
Features
Calendar-week-based weekly roster
Clock in / clock out with one click
Status: sick / holiday / public holiday
Holiday allowance + annual consumption
Over- / under-hours calculated automatically
CSV export with decimal hours
Technical Principle — Employee-Friendly Rounding + Balance
// Rounding in favour of the employee (15-minute increments)
Arrived late → deviation is ROUNDED UP   // employee gets less minus
Left early   → deviation is ROUNDED DOWN  // employee gets less minus

// Uniform daily-target calculation for sick / holiday / public holiday:
daily_target = weekly_hours ÷ 6   // Mon–Sat, regardless of reason

// Monthly balance:
balance = (worked + holiday_hrs + sick_hrs + public_holiday_hrs)
          − (planned_working_days × daily_target)
// positive = overtime  /  negative = shortfall
Employee-Friendly Rounding Automatic Balance GDPR Working-Time Data
GDPR — staff data internal No third-party provider
07 Notice Board — Internal Requests ✓ Live
Problem
Cross-department requests sent by email or verbally get lost — processing status impossible to track.
Solution
Internal ticket system between departments — with priority, status workflow and automatic escalation.
Effect
No request gets lost — processing status transparent, escalation automatic.
Features
Send ticket to a department
Priorities: Normal / Urgent / Critical
Status: Open → In Progress → Closed
Internal notes (only target department sees them)
Read confirmations
Automatic escalation after 72 h
Technical Principle — Automatic Escalation
// Time-based escalation — runs server-side
FOR EACH open ticket:

  hours_without_response = NOW − last_activity_timestamp

  IF hours_without_response > 72:
    → Status    → "Escalated"
    → Priority  → at least "Urgent"
    → Visibility → flagged for department management

// Internal notes are a separate data type —
// they cannot accidentally be forwarded to external parties.
Automatic Escalation Logic Role-based Visibility Type-safe Internal Notes
Internal communication stays internal No external services
08 Projects — with Vault Encryption ✓ Live
Problem
Time tracking, receipts, meeting notes and credentials for client projects scattered across spreadsheets, emails and sticky notes.
Solution
Project hub with time tracking, P&L overview and encrypted credentials vault — invoice at the push of a button.
Effect
Everything for the project in one place — credentials secure, billing without manual transcription.
Features
Time tracking + flat rates
Assign receipts directly (rechargeable costs)
Meeting minutes
P&L overview (income vs. costs)
Generate invoice from line items
Vault: encrypted credentials
Technical Principle — End-to-End Encryption (Vault)
// Encryption: XSalsa20-Poly1305 (libsodium) — same as Signal/WhatsApp
ENCRYPT:
  key        = Argon2id(master_password, random_salt)
               ↑ memory+CPU-intensive → brute-force economically infeasible
  nonce      = 24 random bytes (unique per entry)
  ciphertext = XSalsa20-Poly1305(plaintext, nonce, key)
  → stored: nonce ‖ ciphertext   ← only this in the DB

AFTER USE:
  key        = sodium_memzero()   ← immediately erased from RAM

// Without master password: vault content unreadable even with DB access.
XSalsa20-Poly1305 Argon2id Key Derivation libsodium Zero-Knowledge Vault
End-to-End Encryption Own infrastructure No third-party providers
09 Invoices ✓ Live
Problem
Creating invoices manually in Word — numbering, payment tracking and dunning error-prone.
Solution
Invoices from line items with automatic numbering, payment monitoring and direct receipt posting.
Effect
Invoice status always in view — payment posted with one click, no double entry.
Features
Dynamic line items (qty × price)
Contact lookup fills address fields
Status: Draft → Open → Paid
Overdue marking
Print payment reminder
Project integration
Technical Principle — Immutability + Atomic Numbering
// Finalisation = snapshot + number assignment in one transaction
FINALISE INVOICE:
  → Status: "Draft" → "Open"
  → Freeze customer data: copy name, address, VAT ID
    // Later address changes no longer affect this invoice
  → Assign invoice number: INV-YYYY-NNN  ← atomic, no duplicates
  → Invoice is now write-protected

// Payment received → automatically creates receipt entry
POST PAYMENT: 1 click → receipt INV-2025-042 appears in receipts
Audit Immutability Customer Snapshot Atomic Number Assignment
Audit-relevant No cloud invoicing service Customer data internal
10 Ticket System — Customer Support ✓ Live
Problem
Customers without portal access write requests by email — processing status impossible to track for customers or internally.
Solution
Public submission form (DE/EN) without mandatory login, internal admin backend with filter functions.
Effect
Structured inbox, prioritised processing — no Zendesk, no Freshdesk, full data control.
Features
Public form DE/EN
Check ticket status by email
Various request types
Admin backend with portal auth
Filter by status, category, search
Technical Principle — Input Sanitisation Chain
// Every incoming value passes through this chain — no exceptions:
PUBLIC FORM (no login required):

  input = { name, email, subject, description }

  → HTML escape          // prevents XSS attacksLimit length          // prevents overflow attacksVerify CSRF token     // prevents cross-site submissions
  → save as new ticket

ADMIN BACKEND:
  → Portal authentication required
  → only users with ticket permission
XSS Protection CSRF Protection Role-based Access
Customer data internal No Zendesk / Freshdesk
11 Website Admin — Custom CMS ✓ Live
Problem
Maintaining website content without a heavy CMS — bilingual content, images and navigation should be easy to manage.
Solution
Lightweight CMS with bilingual articles, flexible column layout (1–6 columns) and visual menu editor.
Effect
Content live immediately — no WordPress, no Joomla for the own site, no plugin updates.
Features
Articles: draft / published / archived
Bilingual: DE + EN per article
Column layout: 1–6 columns per row
Column types: text, image, HTML block
Media manager with alt texts
Menu editor for navigation + footer
Technical Principle — Database-driven Frontend Routing
// No static HTML files — every page is assembled at runtime
REQUEST: /?lang=en&slug=about-us

  → Language from URL (de / en, default: de)
  → Load article by slug from DB
  → Load sections + columns (order from DB)
  → Per column: check type
      Text  → output HTML content of chosen language
      Image → output alt text of chosen language
      HTML  → output raw block (admin-created content only)
  → Load menu from DB → render navigation

// Change in admin → live immediately, no deployment, no cache flush
Database-driven Routing Multilingual (DE/EN) No WordPress / Joomla
Self-hosted Editorial access requires portal login
12 Notes — with Nextcloud Sync ✓ Live
Problem
Notes out of sync across devices — iPhone, desktop and browser show different states.
Solution
Notes app with Nextcloud backend, categories, Markdown support and IndexedDB offline cache.
Effect
One app, all devices in sync — iPhone sync via Nextcloud Notes app, no iCloud, no Google Keep.
Features
Create, edit, delete in the browser
Categories with filter view
Favourites marking
Markdown preview (headings, lists, code)
iPhone sync via Nextcloud Notes app (native)
Offline writing with automatic synchronisation
Technical Principle — Offline Queue + Nextcloud REST API
// All write operations land in an IndexedDB queue
OFFLINE:
  create/update/delete → IDB pending-store (localId, action, data)
  Note immediately visible (temporary ID, negative)

ONLINE (reconnect):
  FOR EACH pending operation (in order):
    → POST   /nextcloud/notes/api/v1/notes        (create)
    → PUT    /nextcloud/notes/api/v1/notes/{id}  (update)
    → DELETE /nextcloud/notes/api/v1/notes/{id}  (delete)
    → temporary ID → replaced by real NC ID

// iPhone sync runs in parallel via the same NC API — no extra effort
Nextcloud Notes REST API IndexedDB Offline Queue Markdown (marked.js) No iCloud / Google Keep
Own Nextcloud server Notes never leave own server
13 PLU List — Product Reference ✓ Live
Problem
PLU codes for products on scraps of paper and spreadsheets — not searchable, not always up to date.
Solution
Digital PLU reference list in the portal: fast full-text search, category overview, Nextcloud sync.
Effect
Products found instantly by code or name — always current, available across all devices.
Features
Full-text search by code or name
Filter by category
Create, edit, delete entries
Nextcloud synchronisation
Access via portal login (role-based)
Technical Principle — Server-side Search with NC Data Source
// Search runs server-side — no full list download required
REQUEST: /plu/api.php?q=apple

  → Check session         // Portal auth required
  → SQL LIKE search:
      WHERE code        LIKE '%apple%'
         OR description  LIKE '%apple%'
  → JSON response to browser

// Data synced via Nextcloud —
// changes on one device instantly visible on all others.
Server-side Full-text Search Nextcloud Sync Role-based Access
Self-hosted No external services
14 Matrix — Own Communication Server ✓ Live
Problem
Internal communication runs over WhatsApp, Signal or Slack — messages on foreign servers, no control over metadata and history.
Solution
Own Matrix homeserver (Synapse) on the VPS — end-to-end encrypted, open standard, accessible via Element (web, iOS, Android).
Effect
No WhatsApp, no Slack, no Teams — full control over messages, participants and history on own infrastructure.
Features
Direct and group chats (E2E encrypted)
File and image transfer via own media store
Element app: web, iOS, Android
Open standard (Matrix protocol / RFC)
Federatable — communication with other Matrix servers possible
No metadata at third-party providers
Technical Principle — Decentralised Messaging Protocol
// All messages run exclusively through own server
CLIENT (Element app / browser):
  → HTTPS to Matrix API on own VPS
  → End-to-end encryption via Megolm (Olm/Double-Ratchet)
  → Keys stored locally only on the device

SERVER (Synapse on VPS):
  → stores only encrypted messages
  → no plaintext readable server-side
  → federates only on request with other Matrix servers

// Federation can be disabled — purely internal operation possible
Matrix Protocol (open standard) Synapse Homeserver Megolm E2E Encryption No WhatsApp / Slack / Teams
Own VPS Messages never leave own server
Shared Platform Features
Unified loginOne login for all 14 apps (Single Sign-On) — no separate password per app
Role-based accessEach app is released per user or role — the admin manages permissions
CSRF protectionEvery write action is secured by cryptographically signed one-time tokens
EncryptionVault: XSalsa20-Poly1305 + Argon2id (libsodium) — state of the art
Open standardsCalDAV, CardDAV, iCalendar, vCard — no vendor lock-in for sync protocols
Self-hostedAll data in own databases on own infrastructure — no SaaS
GDPR operationPersonal data (contacts, employees, customers) exclusively internal
Audit complianceGap-free numbering (receipts), immutable snapshots (invoices), lock mechanism (mileage log)