- delete internal infra docs: system-of-record.md, sitemap.html status board
(exposed live attack surface: subdomains, up/down status, client names)
- parameterize OS desktop: derive DOMAIN from location.hostname, u() helper
builds service URLs so a friend deploying at their domain just works
- scrub all live service links to service.{DOMAIN} placeholders
- remove client domains (bicos, hkintercare, etc.) everywhere
- collapse brand/client site tiles to one generic Website tile
- single public CTA -> atlascorporation.nl (Get a workspace)
- relative SSO sign-out; sanitized server scripts to example.com
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1.2 KiB
1.2 KiB
Atlas Remote Desktop
A real Linux desktop in the browser — not a web app. Full XFCE on Ubuntu 26.04, streamed via Selkies/WebRTC, where you can run any application: Claude Code, Chromium, a terminal, editors, anything you apt-install.
URL: desktop.{DOMAIN} (login at the Caddy edge)
Why a real desktop
Unlike a headless server, a desktop has a browser — so the Claude Code OAuth login
flow works normally. Open the terminal, run claude, log in through Chromium. Done.
Stack
- Image: lscr.io/linuxserver/webtop:ubuntu-xfce (Selkies/WebRTC)
- Bind: 127.0.0.1:8131 (loopback only — never exposed directly)
- Edge: Caddy reverse_proxy + Authentik forward_auth (your atlasshb identity)
- Persistence: /opt/atlas/webtop/config (home survives restarts)
- Pre-installed: Claude Code CLI (on PATH), Chromium, XFCE terminal; desktop launchers for Claude + Chromium
Compose
See deploy/webtop-docker-compose.yml. Auth is your Authentik identity (no separate password). Old basic_auth creds in a local .env
(gitignored) and the Caddy basic_auth hash — never committed.
Roadmap
- DONE: edge auth is Authentik SSO (atlasshb identity)
- Optional: pin Claude to the Max subscription via the in-desktop browser login