A secure, Docker-based remote desktop environment featuring XFCE4, KasmVNC, and Traefik reverse proxy.
- XFCE4 Desktop: Full Linux desktop environment on Ubuntu 24.04.
- KasmVNC: High-performance, browser-native access (no client software needed).
- Traefik Proxy: Secure HTTPS routing with automated subdomain management.
- Tier 2 Proxy:
remote-dev-box-proxy(rdb) for dynamic, container-internal routing of user apps.- Persistence: Routes are automatically saved to
~/.config/rdb/routes.jsonand survive container restarts.
- Persistence: Routes are automatically saved to
- LLM Gateway: Integrated, centralized local LLM API proxy (
llm.${DOMAIN_NAME}) routing to a dedicatedllama.cppinference engine. - Portability-First: Environment-specific settings managed via
.env(Domain, UID/GID, IP). - Hashed Auth: Zero-trust credential management via
htpasswd. - Isolated Containers: Dedicated, private environments with standardized
remote-dev-box-naming and matching internal hostnames. - Customizable: Supports standard
docker-compose.override.ymlfor overriding image versions, extra labels, or environment-specific configurations. - Integrated Smoke Testing: New users are provisioned with
admin/testing/scripts for immediate end-to-end verification of their environment. - Consolidated Template: A single, highly configurable
dockerfile.baremetaltemplate with toggleable "APP" sections for lean setups or full AI toolkits (Claude, Gemini, Cursor). - Security Hardened:
- Docker Socket Proxy: Traefik is isolated from the host's Docker daemon via a filtered proxy (
remote-dev-box-proxy). - Version Pinning: All images are pinned to specific, verified tags for build stability and auditability.
- Least Privilege: Passwordless
sudois disabled; root access requires explicit user authentication. - Resource Hardening: Configurable CPU, Memory, SHM, and PID limits enforced via
.envto ensure host stability. - Network Tiering: Strict isolation between infrastructure (
infranet), AI models (modelsnet), and user containers (usernet). - Capability Management: All infrastructure containers run with minimal privileges (
ALLcaps dropped by default). - Seccomp Sandboxing: Fine-grained system call filtering for both infrastructure and user containers.
- Disk Quotas: Configurable hard limits per user (default 10GB) enforced via Sparse File Virtual Disks.
- Reboot Resilience: Reboot-resistant "re-alignment" mechanism keeps virtual disks active.
- Automated Verification: Integrated health checks and routing tests in deployment scripts.
- Docker Socket Proxy: Traefik is isolated from the host's Docker daemon via a filtered proxy (
- Remote Host OS: Linux Ubuntu 24.04 (only supported OS)
- Docker & Docker Compose: Installed and running.
- Git & OpenSSL: Required for deployment and security.
-
Configure Environment
cp .env.example .env # Edit .env to set your DOMAIN_NAME nano .env -
Deploy: Initialize the deployment and roll out update infrastructure.
# Generic command structure ./admin/deploy_update.sh --help -
Create User: Provision new developer containers and virtual disks.
# By default, uses dockerfile.baremetal ./admin/manage_users.sh add myuser mypassword -
Configure DNS: See the setup guide for instructions. Option B is recommended.
-
Connect: Navigate to
https://desktop.myuser.remote-dev-box/and log in.
For detailed information, please refer to the following guides:
- Overview: Features, architecture, and core concepts.
- Setup & Deployment: Hardware requirements, installation, and DNS setup.
- User Management: Adding/removing users and admin script references.
- Development Workflow: Persistence strategy and container lifecycle.
- Internal Proxy: Guide to
rdbCLI, dynamic routing, and persistence. - Included Tools: Full list of AI CLI tools, editors, and utilities.
- Troubleshooting: Solutions to common connection and GUI issues.
This environment is designed for private network use. If hosting on a public IP, you MUST use a VPN/FIREWALL to access it. Never expose the backend ports directly to the internet.
Maintained by the Agentic Dev Team.