Confidential client · Bucharest, Romania · Q3 2025
The on-premise server runs Docker Compose for the law firm's self-hosted tools.
The Restic backup setup deployed alongside the law firm's TrueNAS cluster — encrypted offsite snapshots with automated restore testing and 3-year retention.
The Proxmox VE cluster configuration used in this law firm engagement — ZFS RAIDZ2, live VM migration, IPMI fencing, and the backup strategy that protects client data.
Every server in this engagement is managed by Ansible — from initial rack provisioning to ongoing configuration drift correction and rolling OS updates.
The 6-disk RAIDZ2 pool, daily snapshots retained 30 days, and weekly ZFS send/receive to the off-site backup server that protects all client data in this engagement.
During the retainer period one drive in the TrueNAS array showed early SMART failure indicators — detected proactively by our monitoring, replaced within the 4-hour SLA before any data was at risk.
A twelve-attorney Bucharest law firm handling M&A transactions and litigation for large corporate clients had attorney-client privileged data distributed across three consumer-grade NAS devices in a server cupboard under a staircase. Power came from a standard wall socket shared with the photocopier. There was no UPS. The "backup strategy" was an attorney manually copying files to an external drive once a week — if they remembered.
Two weeks before our engagement, a power fluctuation had corrupted one of the NAS units, taking two years of case files offline for four days while a local IT shop attempted data recovery. The firm's managing partner decided that day that the status quo was unacceptable. They needed everything on-premises — cloud storage for attorney-client privileged material was not an option under their professional obligations — but properly engineered.
The constraint was time: they had a two-week window before a major transaction kicked off that would require all hands on deck. We had to plan, procure, cable, configure, and hand over in that window.
We started with a site visit to assess the physical space, existing network topology, and power capacity. The server cupboard was salvageable with reinforcement — we specified a two-rack layout (19" open frame racks) that could fit in the existing space with proper ventilation.
We specified and procured two refurbished Dell PowerEdge R740 servers for the Proxmox HA cluster, a 48-port managed PoE switch (MikroTik CRS354), a 24-bay ZFS NAS (TrueNAS Scale on dedicated hardware), a 3 kVA double-conversion UPS, and a dedicated 32 A circuit from the firm's electrical panel. Cat6A cabling runs throughout, future-proofed for 10GbE when they're ready.
Proxmox VE manages the two-node HA cluster. VMs run on shared ZFS storage — if one physical node fails, VMs migrate to the other within 30 seconds. TrueNAS provides file storage with RAIDZ2 redundancy (survives two simultaneous drive failures) and automated snapshots every four hours. Nightly replication to a secondary ZFS pool on a separate physical disk array provides a second recovery layer.
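A snapshot and replication schedule like this only protects data while it keeps running, so it is worth checking snapshot age independently of the scheduler. The following is an added example, not part of the original deployment: it parses the output of `zfs list -H -p -t snapshot -o name,creation` and reports datasets whose newest snapshot is overdue. The pool names `tank` and `backup`, the dataset names, the one-hour grace period, and the sample output are assumptions constructed for illustration.

```python
from collections import defaultdict

# Pool names and the one-hour grace period are assumptions for this example;
# the four-hour and nightly intervals are the ones stated in the text.
GRACE = 3600
MAX_AGE = {
    "tank": 4 * 3600 + GRACE,     # primary pool: snapshot every four hours
    "backup": 24 * 3600 + GRACE,  # secondary pool: nightly replication
}


def newest_snapshots(zfs_output):
    """Parse `zfs list -H -p -t snapshot -o name,creation` output
    (tab-separated, creation as epoch seconds) into {dataset: newest}."""
    newest = defaultdict(int)
    for line in zfs_output.splitlines():
        if not line.strip():
            continue
        name, creation = line.split("\t")
        dataset = name.partition("@")[0]
        newest[dataset] = max(newest[dataset], int(creation))
    return dict(newest)


def stale_datasets(zfs_output, now, expected):
    """Return [(dataset, age_seconds)] for each expected dataset that is
    overdue; age is None when the dataset has no snapshot at all."""
    newest = newest_snapshots(zfs_output)
    stale = []
    for dataset in expected:
        pool = dataset.split("/", 1)[0]
        created = newest.get(dataset)
        if created is None:
            stale.append((dataset, None))      # missing is worse than old
        elif now - created > MAX_AGE[pool]:
            stale.append((dataset, now - created))
    return sorted(stale, key=lambda item: item[0])


# Constructed sample output; NOW stands in for time.time().
NOW = 1_760_000_000
SAMPLE = "\n".join([
    f"tank/cases@auto-a\t{NOW - 9 * 3600}",
    f"tank/cases@auto-b\t{NOW - 1 * 3600}",
    f"tank/finance@auto-a\t{NOW - 7 * 3600}",
    f"backup/cases@auto-b\t{NOW - 30 * 3600}",
])
EXPECTED = ["tank/cases", "tank/finance", "tank/hr", "backup/cases"]

if __name__ == "__main__":
    for dataset, age in stale_datasets(SAMPLE, NOW, EXPECTED):
        print(dataset, "no snapshot" if age is None else f"{age // 3600}h old")
```

Listing the expected datasets explicitly matters: a dataset that was never added to the snapshot task produces no output from `zfs list` and would otherwise pass silently.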
Access control was a key requirement. Pomerium provides zero-trust access to the file server and internal applications — attorneys can access case files remotely without a VPN, but every access attempt is authenticated against Keycloak with MFA. Network segments are isolated: the server network, the staff workstation network, and the guest Wi-Fi are on separate VLANs with firewall rules preventing lateral movement.
We pre-configured everything in our workshop before the site visit: all servers rack-mounted, OS installed, basic network config done. The site day was physical installation, cabling, UPS commissioning, and integration testing. We finished in 11 hours on day one. Day two was data migration from the old NAS units (14 TB), validation, and a three-hour training session with the office manager who would be the first-line administrator.
"Two days. I was skeptical it was even possible. Everything works, our data is ours, and for the first time I actually understand what's happening in our server room."
— Managing Partner, Confidential Law Firm