sandstorm-io/sandstorm

Features

• Self-Hosted Productivity App Hosting - Installs and manages web apps like documents and spreadsheets on a self-hosted server with built-in login and access control.
• Self-Hosted Web App Platforms - An open-source platform that packages and runs web applications in security-hardened sandboxes with built-in user management.
• One-Click Web App Installers - Installs and runs web applications on a personal server with one-click ease like a mobile app store.
• Personal Server App Installers - Installs web productivity apps on a personal Linux server with one-click ease.
• Productivity App Package Managers - Installs productivity apps from a curated catalog with one-click ease.
• Curated App Marketplaces - Provides a curated marketplace where users discover and install sandboxed web applications on personal servers.
• Centralized App Authentication Layers - Provides a single login system that handles authentication and permission checks for all installed apps.
• Self-Hosted Productivity Suites - Hosts a collection of productivity tools like documents and spreadsheets on a personal server.
• Inter-Grain Data Sharing - Passes references to documents between app grains so they can collaborate on the same content.
• Self-Contained App Manifests - Distributes apps as self-contained bundles declaring dependencies and entry points in a manifest file.
• Self-Hosted - Provides a collection of web productivity tools like documents and spreadsheets that runs on a user's own server with centralized access control.
• App Store - Installs web applications from a curated catalog onto a self-hosted server with one-click ease.
• Linux Web App Runtimes - Runs any Linux-compatible web application with optional sandbox modifications.
• Personal Server - Packages any Linux web app into a secure, isolated container that runs on a personal server.
• Personal Server Operations - Operates a personal server that hosts productivity applications, giving the owner full control over data and infrastructure.
• Personal Server Platforms - Hosts a self-contained server that runs productivity applications and handles all server-side operations.
• Security-Hardened Sandboxes - Provides security-hardened sandboxes that isolate each web application from the host and other apps using Linux kernel features.
• Curated App Installers - Installs web productivity apps from a curated package manager onto a self-hosted server as easily as installing apps on a phone.
• Wildcard DNS Domain Configurations - Maps a wildcard DNS domain to the server so each app grain receives its own subdomain for isolated access.
• Subdomain Routing - Assigns each app grain a unique subdomain so the reverse proxy routes requests to the correct container.
• Capability-Mediated App Sharing - Shares data between apps by passing capability references through a system-level permission dialog.
• Reverse Proxy Configurations - Routes incoming web traffic through an intermediary server that forwards requests to the application.
• Linux Sandboxes - Executes any Linux-compatible web application inside a security-hardened sandbox to isolate it from the host system.
• Web App Sandbox Runtimes - Runs Linux web applications inside security sandboxes with optional modifications.
• Access Control Centralization - Provides a single authentication layer that manages login and permissions for all installed apps.
• TLS Certificate Management - Obtains and renews TLS certificates from a certificate authority for a custom domain automatically.
• Powerbox Identity Requests - Provides a system-level dialog for apps to request the user's verified identity without handling credentials.
• Application Sandbox Runtimes - Provides a container runtime that isolates each web application from the host and other apps using Linux kernel security features.
• Capability-Based Security - Implements a capability-based security model where each app grain accesses only explicitly granted resources.
• Third-Party Authentication Providers - Integrates with third-party identity services so users can log in without a local account.
• User Access Controls - Manages login and permissions for every installed app so each user sees only their own data and sessions.
• User Access Management - Controls who can log in and which apps each user can access through a built-in authentication and permission system.
• Per-Application Access Management - Controls which users can log into each installed app and manages their permissions without the app handling authentication itself.
• Web App Catalog Installers - Installs third-party web applications from a curated catalog with a single click.
• Per-Instance Container Isolations - Runs every app instance as an isolated Linux process in its own container with a dedicated subdomain.
• Home Server Operating Systems - Operates as an operating system for personal servers that installs and manages web productivity apps with one-click ease.
• Automated Server Configurations - Configures HTTPS, DNS, backups, and email for a self-hosted server without manual intervention.
• App Store Bundles - Packages web apps into secure, distributable bundles for installation through the platform's app store.
• App Store Submissions - Packages web apps into distributable bundles and submits them to a public app store for installation.
• Personal Server Sandbox Bundles - Packages Linux web apps into self-contained bundles for sandboxed hosting on personal servers.
• Sandboxed App Bundles - Packages Linux web apps into self-contained bundles that run inside security-hardened sandboxes.
• Sandboxed Web App Distributions - Bundles Linux web apps into isolated containers and distributes them through a curated app store.
• Self-Hosted App Bundles - Packages Linux web apps into self-contained bundles for installation and running on personal servers.
• Capability Request Dialogs - Provides a system-level permission dialog for apps to request capabilities from other apps or user accounts.
• Internal Function Exposures - Exposes internal web app functions as HTTP endpoints for programmatic access by external services.
• Server Backup Snapshots - Creates full snapshots of server app data and configuration for restoration after failure.
• Dynamic DNS - Claims a free, human-readable subdomain under a dynamic DNS service for a self-hosted server with automatic DNS updates.
• DNS Record Updaters - Keeps the server's DNS record current by periodically updating the IP address with the dynamic DNS provider.
• Dynamic DNS Clients - Includes a built-in dynamic DNS client that automatically updates DNS records for user-friendly subdomains.
• Port Sharing Mechanisms - Routes multiple web apps through a single HTTPS port by inspecting the Host header and proxying each request to the correct backend.
• Role-Based Access Control - Checks a user's assigned permissions on each request and blocks actions the role is not allowed to perform.
• Directory Service Authenticators - Validates user credentials against an Active Directory server to control access to the platform.
• HTTPS Servers - Sets up TLS certificates and encryption so all traffic between users and the server is secured.

Star history