1 Remote Desktop
Chaib Aarab edited this page 2026-06-22 21:58:12 +02:00

Remote Desktop

A full Linux desktop, running in your browser, behind single sign-on. Atlas OS ships a Webtop (ubuntu-xfce) instance so you can drive a real graphical environment — with Claude Code and Chromium pre-installed — from any device, without exposing the box to the public internet.

Why it exists: some tools refuse to behave on a headless server. A real desktop with a real browser is the difference between "works" and "stuck on a login screen." This page covers the what, the why, and exactly how to open it and boot Claude.


At a glance

Property Value
App name Remote Desktop
Category Ops
URL desktop.atlascorporation.nl
Base image Webtop, ubuntu-xfce flavour
Streaming Selkies over WebRTC
Access control Authentik SSO (Caddy forward_auth)
Pre-installed Claude Code, Chromium
Hosting Single EU-sovereign Hetzner VPS (NL/DE)

What it is

Webtop is a containerized desktop environment streamed to the browser. The Atlas instance runs the XFCE desktop on Ubuntu, rendered to your browser via Selkies / WebRTC — so it feels like a local machine, with mouse, keyboard, clipboard and windowed apps, but nothing is installed on your end. Any browser on any device that can reach the URL is enough.

It is one of the apps in the Ops category of Atlas-OS, alongside Forgejo git, n8n, Uptime Kuma, MeshCentral, Command and the Architecture map.

%%{init:{'theme':'base','themeVariables':{'primaryColor':'#0c1428','primaryTextColor':'#cfe2ff','primaryBorderColor':'#1F6FE0','lineColor':'#4EA0FF'}}}%%
flowchart LR
    U["Your browser<br/>(any device)"] -->|HTTPS| C["Caddy<br/>TLS + forward_auth"]
    C -->|auth check| A["Authentik SSO<br/>embedded outpost"]
    A -->|allowed| C
    C -->|WebRTC stream| W["Webtop<br/>ubuntu-xfce"]
    subgraph desk["Inside the desktop"]
        CC["Claude Code"]
        CR["Chromium<br/>(real browser)"]
    end
    W --- desk
    CR -->|OAuth login| ANT["Anthropic"]

Why a real browser solves Claude OAuth on a server

Logging Claude Code into Anthropic uses an OAuth flow that wants to open a browser, complete a redirect, and hand the token back. On a bare headless server there is no browser to open and no graphical session to complete the redirect in — so the login stalls.

The Webtop desktop fixes this directly:

  • It provides a real, full desktop session — not a headless shell.
  • Chromium is pre-installed inside that session, so the OAuth redirect opens and completes like it would on a laptop.
  • Claude Code runs in the same desktop, so the token lands back in the right place with no copy-paste gymnastics or tunneling tricks.

The result: you get the same smooth claude login you would have on a local machine, but the agent and its workspace live on the server — close to the rest of the Atlas stack.


How to open it

  1. From the Atlas-OS desktop, open the Remote Desktop app (Ops category), or go directly to desktop.atlascorporation.nl.
  2. You will hit Authentik SSO first (enforced by Caddy forward_auth). Sign in with your Atlas identity. See Authentik and Security for MFA details.
  3. Once authenticated, the Webtop ubuntu-xfce desktop streams into the browser over WebRTC. Use it like any desktop — taskbar, file manager, terminal, windows.

How to boot Claude

Inside the desktop:

  1. Open a terminal from the XFCE taskbar.
  2. Run Claude Code:
    claude
    
  3. On first run it will start the OAuth login. Chromium opens automatically (or open it from the taskbar and paste the auth URL).
  4. Complete the Anthropic sign-in in Chromium. Because this is a real browser in a real session, the redirect completes and the token is captured — no extra steps.
  5. You are now in an authenticated Claude Code session, running server-side, next to the rest of the Atlas stack.

Tip: keep the Chromium window open during the login redirect. The flow needs the browser to finish the handshake before the token is written.


Security notes

  • SSO-gated. Every request passes Authentik via Caddy forward_auth on the embedded outpost before the desktop loads. No anonymous access.
  • TLS everywhere. Caddy terminates HTTPS for the public hostname.
  • EU-sovereign. Like the rest of Atlas-OS, it runs on a single Hetzner VPS in the NL/DE region.
  • Secrets discipline. Anthropic credentials obtained through the in-desktop OAuth flow stay on the server. Long-lived secrets live in Vaultwarden / /opt/atlas/secrets (chmod 600), never in git. See Security.

  • Atlas-OS — the browser desktop and app catalog this lives in
  • Authentik — the SSO gate in front of Remote Desktop
  • Security — EU-sovereign hosting, MFA, secrets policy
  • AI-Stack — the LLM router and Atlas Brain that Claude Code works alongside
  • Architecture — the full container and service map