Architecture & Roadmap

The device is where the truth lives.

obacht is built on a single structural principle: your hardware runs the software, your hardware stores the data, and our servers act as a remote control — not as a cloud that incidentally stores things you could also keep locally.

Architecture

When you install an app on your device through obacht, the containers run on your device. The data those apps write stays on your device. Passwords, generated secrets, internal connections between services — all generated locally, stored locally, never transmitted back to obacht.

obacht's backend knows what you intended: which template, which domain, which version you installed. It does not know what is running: container IPs, generated database passwords, internal network topology.

If obacht's servers went offline tomorrow, every app on your device would keep running unchanged. You would lose the dashboard and the installer. You would not lose the service. That is a structural guarantee, not a marketing claim.

How a domain becomes a working app

What happens end-to-end when you attach blog.example.com to a template on your device.

1. You enter your domain in the dashboard and point DNS at the obacht gateway.

2. The gateway detects the DNS entry and instructs the agent running on your device.

3. The agent requests a TLS certificate directly from Let's Encrypt — issued to your device, not to obacht.

4. The device's local reverse proxy (Caddy) starts serving the domain over HTTPS.

5. The gateway forwards public traffic through the device's outbound WireGuard tunnel. No open ports. No NAT traversal. The certificate and the keys live on your hardware.

Templates

A template is a declarative description of one piece of software: Nextcloud, Ghost, Vaultwarden, Mealie, a static site. Every template is cryptographically signed. Every container image referenced inside is pinned to an exact digest, and that digest is part of what the signature covers. A compromised upstream image cannot slip in: an image that does not match the pinned digest is rejected, and a template edited to point at a different digest fails the signature check on the agent.

Templates are typed. They declare compatible hardware, minimum RAM, required ports. The installer validates before it runs, not after.
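The pre-install validation described above, as an added example (not obacht's code): the manifest field names, the device description and the exact checks are assumptions; the page only states that images must be digest-pinned and that hardware, RAM and port requirements are checked before anything runs. Signature verification is a separate step and is not shown here.

```python
# Added example (not obacht's code). The manifest shape ("containers",
# "requires") and the device dict are assumptions; the rules come from the
# page: every image pinned to an exact digest, hardware/RAM/port requirements
# validated before the install runs rather than after.
import re

IMAGE_REF = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*)"        # repository path
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"        # optional tag (not enough on its own)
    r"(?:@sha256:(?P<digest>[0-9a-f]{64}))?$"  # the exact digest the page requires
)

def unpinned_images(manifest):
    """Return every image reference that is not pinned to a sha256 digest."""
    bad = []
    for c in manifest.get("containers", []):
        m = IMAGE_REF.match(c["image"])
        if m is None or m.group("digest") is None:
            bad.append(c["image"])
    return bad

def validate_template(manifest, device):
    """Collect every reason the install must be refused (empty list = ok)."""
    errors = [f"image not digest-pinned: {img}" for img in unpinned_images(manifest)]
    req = manifest.get("requires", {})
    if device["arch"] not in req.get("arch", [device["arch"]]):
        errors.append(f"arch {device['arch']} not in {req['arch']}")
    if device["ram_mb"] < req.get("min_ram_mb", 0):
        errors.append(f"need {req['min_ram_mb']} MB RAM, have {device['ram_mb']}")
    for port in req.get("ports", []):
        if port in device["used_ports"]:
            errors.append(f"port {port} already in use")
    return errors

# Constructed sample: a Ghost-style bundle (web + MySQL) and a Pi-like device.
SAMPLE_MANIFEST = {
    "name": "ghost", "mode": "bundle",
    "containers": [
        {"name": "web", "image": "ghost:5@sha256:" + "ab" * 32},  # pinned: ok
        {"name": "db", "image": "mysql:8"},                        # tag only: refused
    ],
    "requires": {"arch": ["arm64", "amd64"], "min_ram_mb": 1024, "ports": [2368]},
}
SAMPLE_DEVICE = {"arch": "arm64", "ram_mb": 8192, "used_ports": {22, 80, 443}}

if __name__ == "__main__":
    for problem in validate_template(SAMPLE_MANIFEST, SAMPLE_DEVICE):
        print("refused:", problem)
```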

Three trust tiers

Official

Written, reviewed and maintained by the obacht team.

Community

Submitted by external authors, reviewed before listing in the public catalogue.

Unverified

Off by default. Visible only when the user explicitly enables the channel. A clear warning is shown at install time.

Single · Bundle · System

Real software comes in different shapes. obacht has three runtime modes to match.

Single

One container, self-contained. Vaultwarden, Memos, PocketBase. Smallest footprint, simplest backup.

Bundle

Multiple containers wired together — for apps that legitimately need a database or cache. Ghost (web + MySQL), Outline (web + Postgres + Redis), Plausible.

System

A system-level service that runs outside Docker. Reserved for edge cases like kiosk displays. Requires explicit Power Mode.

Why every Bundle is its own island

When a Bundle needs a database, that database lives inside the bundle. Not shared across apps. Not pooled. The trade-off is a few hundred extra megabytes per bundle. The gain is that a vulnerability in one app cannot reach another app's data. Uninstalling is atomic. Backup is one directory. This is an opinionated choice: resource pooling is what cloud platforms do because margins force them to. On hardware you own, isolation is cheap and worth it.
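One way to express the island rule in a generated Compose definition, as an added example (not obacht's code): the network names, directory layout and the shared proxy network that Caddy uses to reach bundle frontends are assumptions; the page only states that a bundle's database is private to the bundle, that secrets are generated on the device, and that a bundle is one directory.

```python
# Added example (not obacht's code): build a per-bundle Compose definition
# that follows the island rule: own private network, own data directory, DB
# password generated on the device and kept there, no published host ports,
# and the database reachable only from its own web container. The network
# names, paths and environment variable names are assumptions.
import secrets

PROXY_NET = "obacht-proxy"  # assumed: shared only by Caddy and bundle frontends

def bundle_compose(bundle, web_image, db_image, data_root="/var/lib/obacht"):
    """Return (compose_dict, local_secrets) for one isolated bundle."""
    net = f"obacht-{bundle}"                 # private network, one per bundle
    data = f"{data_root}/{bundle}"           # one directory: backup and uninstall unit
    db_password = secrets.token_urlsafe(32)  # generated locally, never transmitted
    compose = {
        "networks": {net: {"internal": True}, PROXY_NET: {"external": True}},
        "services": {
            "web": {"image": web_image, "networks": [net, PROXY_NET],
                    "volumes": [f"{data}/web:/var/lib/app"],
                    "environment": {"DB_PASSWORD": db_password}},
            "db": {"image": db_image, "networks": [net],
                   "volumes": [f"{data}/db:/var/lib/mysql"],
                   "environment": {"MYSQL_ROOT_PASSWORD": db_password}},
        },
    }
    return compose, {"db_password": db_password}

def island_violations(compose, bundle):
    """Reasons a definition breaks isolation (empty list = it is an island)."""
    own = f"obacht-{bundle}"
    problems = []
    for name, svc in compose["services"].items():
        if svc.get("ports"):
            problems.append(f"{name}: publishes host ports {svc['ports']}")
        foreign = set(svc["networks"]) - {own, PROXY_NET}
        if foreign:
            problems.append(f"{name}: joins foreign network(s) {sorted(foreign)}")
        if name != "web" and PROXY_NET in svc["networks"]:
            problems.append(f"{name}: backing service exposed on proxy network")
    return problems

if __name__ == "__main__":
    ghost, local = bundle_compose("ghost", "ghost:5@sha256:<digest>", "mysql:8@sha256:<digest>")
    print(island_violations(ghost, "ghost"), "secret length:", len(local["db_password"]))
```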

Where we are and where we're going

The roadmap follows a single direction: start with isolation, then build connectivity on your terms, and never sacrifice transparency to get there. No release dates. The phases below reflect what is built, what is next in the queue, and what we know we want — in that order.

Now

Bundles ship

Multi-container apps with per-bundle isolation. Cryptographic signing and image-digest pinning for every template and every container. Hardware compatibility declarations validated before install. Secrets generated on-device and never transmitted.

This is the foundation. Every bundle that ships is a self-contained, signed, sandboxed unit. The catalogue grows from here.

Next

Interfaces — templates that talk

Today, wiring Ollama to Open WebUI means opening a config screen and typing an internal URL. With Interfaces, you pick from a dropdown — and obacht handles the wiring. The same pattern extends to any two apps that have a well-defined interface: an S3-compatible storage, an SMTP server, a Redis-compatible cache.

Templates will declare what they provide and what they consume. The v2.1 manifest vocabulary adds two fields: provides and consumes. Templates published today remain valid — they gain access to the picker automatically when a compatible provider is installed. No re-publishing required.

Soon

Spaces — one login, your apps

Every self-hosted app ships with its own account system and login screen. For a single user that is friction. For a group trying to build something shared, it is a wall.

Spaces installs a single-sign-on layer on your device. The implementation is Authentik — a mature, audited OIDC provider. After installation, every Spaces-aware template you add registers itself as an SSO application: one account for your file storage, your wiki, your media server. Your hardware, your domain, your users.

This is also where the Interfaces pattern pays off structurally. Spaces is a template that provides an OIDC identity provider. Any template that declares it consumes one gets auto-wired. No new format, no re-publishing.
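The provides/consumes matching behind the Interfaces picker described above and the Spaces auto-wiring described here, as one added example (not obacht's code): the interface names, the version rule and the exact field shape are assumptions; the page only states that v2.1 manifests gain the two fields and that templates published without them remain valid.

```python
# Added example (not obacht's code): resolving an Interfaces-style picker
# from the v2.1 'provides' / 'consumes' fields. The interface names, the
# version rule and the exact field shape are assumptions; the page only says
# the two fields exist and that older manifests without them stay valid.

def offers(manifest):
    """Interfaces a template provides, as {interface: version}."""
    return {p["interface"]: p["version"] for p in manifest.get("provides", [])}

def needs(manifest):
    """Interfaces a template consumes; a pre-2.1 manifest simply needs none."""
    return manifest.get("consumes", [])

def compatible(need, have_version):
    # Assumed rule: provider must match the major version the consumer asks for.
    return have_version.split(".")[0] == need["version"].split(".")[0]

def picker_options(consumer, installed):
    """Installed, compatible providers for each interface the consumer needs."""
    return {
        need["interface"]: sorted(
            name for name, m in installed.items()
            if need["interface"] in offers(m)
            and compatible(need, offers(m)[need["interface"]]))
        for need in needs(consumer)
    }

def auto_wire(consumer, installed):
    """Wire a need automatically only when exactly one provider fits;
    with none or several, leave it (None) for the dropdown."""
    return {iface: (opts[0] if len(opts) == 1 else None)
            for iface, opts in picker_options(consumer, installed).items()}

# Constructed catalogue of what is installed on one device.
INSTALLED = {
    "ollama": {"provides": [{"interface": "ollama-api", "version": "1.0"}]},
    "spaces": {"provides": [{"interface": "oidc", "version": "1.0"}]},  # Authentik
    "minio":  {"provides": [{"interface": "s3", "version": "1.2"}]},
    "garage": {"provides": [{"interface": "s3", "version": "1.0"}]},
    "vaultwarden": {},  # published before v2.1: no fields, still valid
}
OPEN_WEBUI = {"consumes": [{"interface": "ollama-api", "version": "1"},
                           {"interface": "oidc", "version": "1"}]}
PHOTO_APP = {"consumes": [{"interface": "s3", "version": "1"}]}  # two providers fit

if __name__ == "__main__":
    print(auto_wire(OPEN_WEBUI, INSTALLED))  # both needs wired automatically
    print(auto_wire(PHOTO_APP, INSTALLED))   # s3 left for the user to pick
```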

Further out

Across devices

The same model extends across multiple devices in a project. A small association running its newsletter on one device, file storage on a second, shared logins on a third — all under one identity, maintained by the group, all fully theirs. This is years away. It is on the map because the choices made in Phase 1 and 2 either keep this door open or close it permanently.

Why this shape, and why now

A Raspberry Pi 5 has the compute to run real software. Let's Encrypt eliminated certificate costs. A domain registration costs €10 per year. The barrier to running your own infrastructure has collapsed. What was missing was software that made the operational part tractable.

obacht is not a NAS, not a home server dashboard, not a VPN manager. It is the operational layer for device-based projects that need to work reliably over time — updates, domain management, service monitoring, secure remote access — across all of it.

Get started

Runs on Raspberry Pi, Mac Mini, or any machine running Linux.

obacht — self-hosting made simple