SubakoOS

Learn

Features

SubakoOS groups day-to-day server operations into one web application. Availability can depend on the host distribution and optional feature groups selected during installation.

Storage

  • Block device inspection: View SMART health data and disk status for all connected drives.
  • Filesystem mounting: Mount and unmount filesystems with custom mount points and filesystem type selection.
  • Permission management: Configure ownership, groups, and ACL entries for each mount point.
  • SMB sharing: Create SMB shares with per-user access lists and monitor active connections.
  • Remote filesystems: Connect CIFS, NFS, and SSHFS remote shares with encrypted credential storage.
  • Auto-mount configuration: Manage UUID-based /etc/fstab entries with atomic writes and timestamped backups.

Containers

  • Full lifecycle management: Start, stop, restart, and remove rootless Podman containers.
  • Image management: Browse, pull, and inspect container images with live log streaming.
  • Docker Hub integration: Search Docker Hub and browse curated homelab applications by category.
  • Deployment configuration: Configure ports, volumes, environment variables, and restart policy before deployment.
  • Secret injection: Inject encrypted secrets from the vault into container environments at deploy time.

Networking

  • Interface inspection: View network interfaces, IP addresses, and traffic statistics.
  • DNS and IP configuration: Configure DNS servers and assign or remove IP addresses per interface.
  • Firewall management: Manage nftables firewall rules and port forwarding with a 5-minute auto-revert safety net.
  • Tailscale integration: Connect to Tailscale, advertise routes, and select exit nodes including Mullvad peers.
  • Network intelligence: Manage local DNS with ad-blocking, IPAM, and ACME certificate automation.

Automation and recovery

  • Scheduled tasks: Create jobs backed by systemd timers with visual schedule builders or cron expressions.
  • Backup profiles: Build rsync or Borg backup profiles with retention policies and automatic pruning.
  • Archive restoration: Browse Borg archives and restore selected files or directories to any path.
  • Multi-channel notifications: Receive in-app, email, Discord, Slack, or custom webhook alerts with per-event cooldowns.

Monitoring

  • Live metrics: View real-time CPU, memory, disk, network, and process data via WebSocket.
  • Historical tracking: Retain historical metrics, uptime, health scores, and SMART trends with configurable retention.
  • Update detection: Detect container image updates via digest comparison and host package updates.
  • Health checks: Configure container health checks and automatic recovery behavior.

Family and home

  • Family profiles: Create family accounts with role presets and device assignments.
  • Shared tools: Share lists, calendars, announcements, and chat across family members.
  • Home dashboard: Build a customizable home page from weather, RSS, presence, service-status, and daily-view widgets.

Security and administration

  • PAM authentication: Authenticate against Linux PAM without storing account passwords in the application.
  • Granular access: Grant module access per user with zero access by default and sudo/wheel toggling.
  • Sensitive action protection: Require recent password confirmation for administrative and security-sensitive operations.
  • Encrypted vault: Store credentials in an encrypted vault with container environment variable injection.
  • Activity auditing: Audit administrative and security-sensitive activity across the platform.

Plugins

  • Managed lifecycle: Install signed or trusted plugins through a managed installation and update process.
  • SDK support: Build integrations with Python and TypeScript SDKs for third-party plugin development.
  • Plugin infrastructure: Use plugin events, routes, health checks, and registry metadata for seamless integration.

Private AI

  • Optional and modular: AI features are completely optional, installed via dedicated plugins to respect homelab resource constraints.
  • Local Ollama: Lightweight, direct-to-model integration for stateless tasks like log summarization or configuration explanation.
  • Hermes Agent: Advanced agentic AI with persistent memory, tool-calling, sandboxed execution, and multi-platform gateway support (Telegram, CLI, Discord).
  • Secure by default: All AI processing remains on your local hardware. Hermes natively enforces strict user allowlisting for gateway access, ensuring no unauthorized external interaction.

Read Using SubakoOS for the operator workflow or Architecture for how these capabilities cross the host privilege boundary.

Edit this page on GitHub ↗