NebulaCore is a pre-alpha control plane for single-host Docker environments. The repository combines:
nebula_core: FastAPI backend, runtime services, RBAC, plugin host, Docker orchestration.nebula_gui_flask: Flask-based panel that proxies and visualizes the Core API.install/: installer, first-run bootstrap, Docker helper, andsystemdautomation.
Nebula is not production-ready yet, but the codebase already contains a clear foundation for:
- container lifecycle management
- user and identity management
- role-aware workspace permissions
- plugin runtime with process isolation
- multilingual GUI and switchable panel themes
- telemetry, logs, and project grouping
nebula_core/main.pystarts FastAPI, CORS, runtime services, and internal gRPC observability.nebula_core/core/runtime.pyinitializes the event bus, plugin manager, and background services.nebula_core/services/docker_service.pyis the main Docker integration layer.nebula_core/api/*.pyexposes HTTP and WebSocket endpoints for users, containers, projects, plugins, logs, and metrics.
nebula_gui_flask/app.pystarts the Flask panel, Socket.IO updates, CSP handling, session support, and UI helpers.nebula_gui_flask/core/bridge.pyauthenticates against Core and proxies most panel requests to FastAPI.nebula_gui_flask/static/js/i18n.jshandles locale discovery, fallback chains, DOM translation, and locale persistence.nebula_gui_flask/static/panel_themes/*.jsondefine panel theme tokens.
storage/databases/system.db: system users, admin accounts, identity roles, identity tags, container access metadata, projects.storage/databases/clients/*.db: client/user databases for tenant-like user stores.containers/presets/*.json: deployment presets and default role-permission matrices.storage/container_workspaces/: managed container workspace directories when enabled by deployment profile.
NebulaCore is still pre-alpha, but the install flow is now centered around one guided path for regular users on a single Linux host:
./panelctl.sh installprepares Python, dependencies,.env, Core, GUI, and the first admin account.- when
systemdis available, the installer can set up bothnebula-coreandnebula-guiservices automatically - Docker can be checked and installed from the same installer flow
docker-compose.ymlis still not a real deployment stack today
The old manual multi-terminal flow still works for development, but it is no longer the primary path shown to new users.
Browser
-> Flask GUI (`nebula_gui_flask`)
-> Core HTTP API (`nebula_core`)
-> Core internal gRPC observability
-> FastAPI Core
-> SQLite metadata (`system.db`, client DBs)
-> Docker Engine
-> Plugin Manager
-> isolated plugin worker processes
- Authentication uses signed session cookies named
nebula_session. - Staff users live in
system.dband can access administrative routes. - Regular users authenticate either in
system.dbor a client DB. - Global identity metadata lives in
identity_rolesanduser_identity_tags. - Container access is controlled separately via:
- explicit user-to-container assignments in
container_permissions - role capability matrices in
container_role_permissions
- explicit user-to-container assignments in
- Sensitive internal automation can also authenticate with
X-Nebula-Token: <NEBULA_INSTALLER_TOKEN>.
Detailed explanation: RBAC model.
Nebula supports a plugin runtime with two modes:
- development-friendly in-process loading
- recommended process runtime with one worker process per plugin
The process runtime uses:
plugin.jsonmanifestplugin.pyfactory contract- gRPC over Unix socket
- scoped plugin capabilities
- timeout, health check, restart, and crash tracking
- optional cgroup v2 resource isolation
Detailed explanation: Plugin system docs.
- GUI locales live in
nebula_gui_flask/static/locales/*.json. /api/i18n/catalogis generated dynamically by scanning locale files and_meta.- English is the fallback locale.
- Panel themes live in
nebula_gui_flask/static/panel_themes/*.json. - Theme choice is persisted per user in browser storage and applied through CSS variables and
<meta name="theme-color">.
Detailed explanation: GUI, i18n, and themes.
From the project root:
chmod +x panelctl.sh
./panelctl.sh installThe guided installer will:
- create
.venv - install Core + GUI Python dependencies
- generate a ready-to-use root
.env - check Docker and offer to install/start it
- install
nebula-coreandnebula-guiservices whensystemdis available - create the first admin account
After installation, open:
http://127.0.0.1:5000
./panelctl.sh status
./panelctl.sh restart
./panelctl.sh logsIf you want the old manual development flow instead of the guided installer:
python3 -m venv .venv
source .venv/bin/activate
pip install --upgrade pip
pip install -r requirements.txt
pip install -r nebula_gui_flask/requirements.txt
python -m nebula_coreIn another terminal:
cd nebula_gui_flask
source ../.venv/bin/activate
python app.pyIf no admin exists yet, run:
python install/main.pyThen choose Easy install (recommended) or Create first admin.
On Linux, the recommended service path is now Core + GUI together:
./panelctl.sh install
./panelctl.sh restart
./panelctl.sh status
./panelctl.sh logsFor Core-only administration, ./corectl.sh still exists.
See Core service guide.
- Architecture overview
- RBAC and security model
- Plugin system and Plugin Manager API
- GUI, i18n, and panel themes
- Docker, runtime, and deployment notes
- Core API reference
- Installer and bootstrap API
- GUI:
http://127.0.0.1:5000 - Core API:
http://127.0.0.1:8000 - Internal gRPC observability:
127.0.0.1:50051by default
NEBULA_SESSION_SECRETNEBULA_INSTALLER_TOKENNEBULA_COOKIE_SECURE=trueNEBULA_GUI_SECRET_KEYNEBULA_CORS_ORIGINSNEBULA_GUI_CORS_ORIGINSNEBULA_CORE_GRPC_PORT
Copyright (c) 2026 Monolink Systems
Nebula Open Source Edition (non-corporate) is licensed under AGPLv3. See LICENSE.