flareover reads your existing edge setup — DNS, TLS certificates, redirects, WAF rules, caching — and rebuilds it faithfully on your own EU servers (open-source, self-hosted). It never emits config that silently changes how your site behaves: what it can't map exactly, it asks about or flags — it never guesses.
● AGPL-3.0 · self-hostable · no lock-in
Every element of your edge gets exactly one verdict. Behavior-changing config is emitted only when equivalence is proven or you answer a bounded yes/no. That honesty is the product.
A provably-equivalent target mapping exists. Config is generated.
A faithful mapping exists with one enumerable ambiguity. A single yes/no resolves it — cached, reviewable.
No faithful mapping (arbitrary edge code, ML bot-scoring). Surfaced with a reason, never guessed.
Read-only extraction to a gated, reversible cutover. Every step is deterministic; the parity gate blocks the flip unless the new edge behaves identically.
The engine tells you exactly what carries, what needs a decision, and what it won't touch — before anything changes.
$ flareover assess zone.snapshot.json ╭─ flareover · assessment · example.com ─────────────╮ │ 43 elements ● 31 AUTO ● 11 ASK ● 1 MANUAL ╰────────────────────────────────────────────────────╯ MANUAL (1) ● config-rule tweak features on /api → — Provider-only edge feature (email obfuscation): no Caddy equivalent. ASK (11) ● dns A app.example.com → powerdns ? Real origin (host:port) behind the orange cloud? AUTO (31) ● tls hsts → caddy ● waf-custom block bad UA → caddy-waf ● redirect apex → www → caddy
A real zone was migrated and cut over off its old managed edge, then verified end-to-end. The parity gate first blocked a divergence, and only passed once the new edge behaved identically — these are the checks it ran:
GATE: PASS no behavior-changing divergence — cutover permitted.
No traffic or egress fees. No exposure to a future price or policy change. Every target is tagged with its jurisdiction, so the migration provably stays EU-scoped.
| Concern | Tool | where |
|---|---|---|
| Authoritative DNS | PowerDNS | EU |
| Reverse proxy · TLS · HTTP/3 | Caddy | free |
| WAF | caddy-waf | free |
| Edge cache | souin | free |
| Certificates | CertMate · Let's Encrypt / Actalis | EU CA option |
| Object storage (S3-compatible →) | MinIO | no egress fee |
| Landing zone | refurbished bare metal → Proxmox → LXC | EU |
The same 0% FP discipline migrates S3-compatible object storage (R2, S3, …) onto sovereign MinIO. The engine maps the configuration; rclone copies the data — into the EU, with no egress fee. A public bucket is never made public without your explicit yes; an IAM policy is flagged, never guessed.