KiwiStack

№ A · 05 / OSS vs EE

What we buy,
what we don't, and why.

We run ~95% Community editions across the stack. That's deliberate. Every paid edition we don't buy is one fewer vendor we depend on, one fewer billing line that leaks customer-shape information upstream, and one fewer black-box behaviour we can't fix ourselves. But "Community" doesn't always mean "production-ready at SME scale." This page lists the gaps that matter, the ones that don't, and the upgrades worth pricing in, ranked by value-per-euro.


Must-buy

One upgrade doesn't
survive contact with a real team.

№ 01

Collabora Online: CODE → paid

Locked · Mesh & Fleet

Role

Real-time .docx / .xlsx / .pptx co-editing

CE pain

Collabora Online Development Edition (CODE) is hard-capped at 20 concurrent users / 10 documents and labelled 'not for production' by the vendor. The cap is enforced in the binary; no config flag turns it off. The moment a 25-person customer signs and three teams open spreadsheets at lunch, edits stall.

Paid adds

Removes the user cap. Vendor-signed builds. Support contract. Branded mobile / desktop installers. Security advisories on the same timeline as paying customers, not when CODE catches up.

Cost

~€18–22 / user / year (annual, 10-user min, on-prem self-hosted).

When

Locked at the Mesh tier. Core (1–10 users) stays on CODE; Mesh and Fleet ship paid Collabora.


Already solved upstream

One Enterprise gap
that turned out not to be one.

OpenProject · Keycloak SSO

OpenProject's published docs explicitly gate OIDC behind Enterprise: "OpenID Connect providers is an Enterprise add-on. If you do not see the button you will have to activate the Enterprise edition first."

But we deploy the OpenDesk-integrated build (Nubus + the OpenDesk helmfile), and that build ships custom OIDC integration that wires OpenProject directly into Keycloak. Empirically confirmed: OpenProject opened from the OpenDesk portal logs in via Keycloak with no extra hop.

Net effect: OpenProject Enterprise is off the upgrade list.

This page exists partly so the next person reading the upstream OpenProject docs doesn't waste a research cycle on it.


Buy support, not the product

When the customer count
makes the contract cheaper than nights and weekends.

These have paid editions; the product is fine in CE. What we'd be buying is "someone to call when an incident happens at 3am on a delivery storm." Decision is binary: buy the contract once the operator's nights and weekends cost more than the SLA does.

| Component | Trigger | Indicative cost | What it actually buys |
| --- | --- | --- | --- |
| OX App Suite: commercial | Customer 3 | Per-tenant negotiated (~€2–5 / user / month equivalent) | Vendor support contract, advanced anti-spam (SpamExperts / Cloudmark), tested upgrade paths, push reliability guarantees. The OSS code is the same; what we'd pay for is 'someone to call at 3am on a delivery storm'. |
| Nextcloud Enterprise | Customer 3+ | Standard from €71 / user / yr at 100+ users; for SMEs (<100) on quote | Vendor SLA, tested upgrade paths, hardening guidance, performance patches before they hit upstream. Note: Nextcloud Office (Collabora) is NOT bundled, since it's listed as 'Optional (extra costs)' across all three tiers. We don't use Talk (Jitsi handles video) and branded mobile apps don't matter today, so the pitch reduces to support. |
| Element Server Suite (ESS) / Element Cloud | >50 chat users on a single tenant, or federation across tenants | ~€5 / user / month (Cloud); ESS self-hosted from ~€2K / server / yr + per-MAU | Clustered Synapse with HA workers, advanced moderation, federation policies, dehydrated devices, vendor SLA. Stock Synapse handles a single ~50-user tenant fine. |
| Zammad Enterprise / hosted | ≥3 customers depending on the helpdesk | ~€60 / agent / yr (hosted) | Custom reports, premium integrations (MS Teams native, etc.), SLA-monitoring dashboards, vendor support, priority bug fixes. |


Scale-driven mid-tier

Already known
optional upsells.

| Component | Trigger | Cost | What it buys |
| --- | --- | --- | --- |
| FleetDM Premium | >50 managed endpoints across customers | ~€80 / host / yr | GitOps fleet config (matches our state-repo pattern), script library + scheduled execution, advanced MDM commands, Microsoft Graph integration for hybrid M365 customers, vendor support. |
| Ubuntu Pro | Compliance-driven customer (per ADR-03: Fleet-tier upsell, never default) | $25 / desktop / yr · $300 / server / yr | ESM (10y CVE backports), Livepatch (rebootless kernel patching), FIPS modules, USG hardening profiles. CE Ubuntu hardened with OpenSCAP + community CIS roles already covers ~90% of this for free. |


Where community is the right answer

Wide list,
no immediate upgrades.

Per-component, the EE pitch doesn't move the needle at SME scale. Either we don't use the EE-only feature, or the alternative cost is lower than the EE subscription, or the EE target customer is two orders of magnitude larger than ours.

| Component | Why CE is fine |
| --- | --- |
| Keycloak | Same binary as Red Hat Build of Keycloak; RHBK is the support contract (~€10K+/yr), not worth it for single-tenant per-customer K3s. |
| PostgreSQL | EnterpriseDB sells Oracle compatibility + 24/7. We have neither requirement. |
| MariaDB | Enterprise adds MaxScale + Galera scale features we don't reach at 25-user customers. |
| Prometheus / Loki / Grafana | Per-cluster, internal-only. Grafana Cloud may be interesting later if we want to not run observability infra ourselves; not now. |
| MinIO | Enterprise starts ~$10K / cluster / yr and targets 100+ TB ops shops. |
| Argo CD | Codefresh adds a SaaS UI we don't need. Argo-per-cluster is the recommended OSS shape; see ADR-07. |
| smallstep CA | smallstep's paid tier adds audit-stream + team features unused for per-customer intermediates. |
| Headscale | Tailscale SaaS at €6–18 / user / month inverts our sovereignty story. Don't. |
| Vaultwarden | Already a FOSS Bitwarden-compatible server; 'upgrading' would mean swapping projects, not paying. |
| Jitsi (self-hosted) | JaaS makes sense at thousands of meetings / month. SMEs under ~50 simultaneous calls are fine self-hosted. |
| Jitsi Skynet | Apache-2.0, upstream Jitsi, production-used at meet.jit.si for meeting transcription. No EE upgrade exists. Voxtral is API-billed per minute on Mistral La Plateforme, separate from any Skynet licensing. |
| CryptPad | E2EE community works; CryptPad-as-a-service is for orgs that can't run a Node app. |
| XWiki | XWiki's paid tier adds workflow + real-time WYSIWYG. For SME knowledge-base use, CE is enough; reconsider only if we sell the wiki as a workflow product. |
| Terraform | CLI is free for orgs under $25M revenue under the BSL; OpenTofu fork is the contingency if HashiCorp ever changes that. |

One observation worth pricing into the model

Core-tier published price (€7 / user / month) absorbs CODE; the Core→Mesh delta (€7→€13) absorbs paid Collabora (~€1.67 / user / month) cleanly with room to spare. Collabora is the only EE upgrade with material per-user impact. Everything else is a per-customer support contract or a per-host SKU. That keeps the published prices durable as the ranking above evolves.