Cosmos-Server is a secure, modular self-hosted platform designed for individuals and families who want full control over their digital data without sacrificing ease of use. It acts as a secure gateway and server manager for applications like Plex, HomeAssistant, and custom Docker containers, solving the critical problem of vulnerable self-hosted services by enforcing security by design. Built with JavaScript and Docker, it integrates reverse proxy, authentication, monitoring, and backup tools into a single cohesive system that works with existing infrastructure.
The platform supports Docker Compose, RClone-based network storage, and OpenID SSO, and deploys via Docker containers on Linux servers, NAS devices, or Raspberry Pi. It’s designed to be both beginner-friendly and powerful enough for advanced users, with terminal access and no vendor lock-in. All features are modular, allowing users to enable only what they need while maintaining enterprise-grade security standards.
What You Get
- App Store - One-click installation and management of 250+ apps with automatic updates and security checks, supporting Docker Compose and manual container imports.
- SmartShield Technology - Intelligent anti-bot and anti-DDoS protection with IP rate limiting, geo-blacklisting, and TCP-level shielding for SSH, FTP, and gaming services.
- Reverse Proxy with Automatic HTTPS - Securely expose applications via domain-based routing with automatic Let’s Encrypt SSL certificate issuance and management.
- Container Manager - Full control over Docker containers including start/stop, logs, environment variables, and update monitoring with Docker Compose support.
- Built-in VPN - Secure remote access to your home network via WireGuard without opening router ports, enabling encrypted access to all hosted services.
- Storage Manager - Manage local disks with Parity Disks and MergerFS for redundancy and pooled storage, with a built-in file manager for navigation and operations.
- Network Storages (RClone) - Connect and manage remote storage like Dropbox, NFS, and FTP directly from the UI with end-to-end encryption and SmartShield protection.
- Authentication Server with MFA & OpenID - Centralized user management with multi-factor authentication, email-based password resets, and SSO integration via OpenID Connect.
- Backup System with Restic - Automated, encrypted, incremental backups to local or remote destinations with scheduling and restore functionality.
- Real-time Monitoring & Alerts - Persistent system monitoring with customizable alerts for CPU, memory, disk, and container health via a dashboard.
- Customizable Homepage - Unified dashboard to access all services with personalized widgets, icons, and layouts for family or business use.
- CRON Scheduler - Schedule and manage server-side and container-based tasks through a web-based interface without CLI knowledge.
Common Use Cases
- Running a secure home media server - A family uses Cosmos to host Plex and Jellyfin behind SmartShield and automatic HTTPS, allowing members to access media from anywhere via the built-in VPN without exposing ports.
- Managing a home lab with mixed applications - A tech-savvy user runs HomeAssistant, Nextcloud, and a custom Node.js app on the same server, using Cosmos to unify authentication, reverse proxy, and monitoring without reconfiguring each app manually.
- Securing a small business intranet - A local office deploys internal tools (CRM, file share, calendar) on a Cosmos server with OpenID SSO and MFA, ensuring no data leaves the premises and access is tightly controlled.
- Protecting IoT devices and cameras - A user connects IP cameras and smart home devices to Cosmos, using SmartShield to block bot scans and the VPN to securely view feeds remotely without public IP exposure.
Under The Hood
Architecture
- Monolithic Go-based server with tightly coupled HTTP handlers that directly access configuration, Docker, and database layers without clear service boundaries
- Absence of dependency injection or inversion of control, leading to global state dependencies and poor testability
- API routes defined as standalone functions across packages with no unified routing or middleware framework, resulting in inconsistent authentication and error handling
- Core functionalities like DNS, container management, and backups implemented as procedural code without interfaces or abstraction layers
- No modular plugin system or extension points; all features are hard-coded into the main binary
Tech Stack
- Node.js backend powered by Express with TypeScript for type-safe server logic
- React 18 frontend with MUI components and Redux Toolkit for state management, managed via Vite
- Comprehensive testing suite using React Testing Library and Jest with realistic user-event simulations
- Internationalization supported via i18next with dynamic locale detection and backend resource loading
- Docker-based deployment with environment-aware configuration for development and demo environments
Code Quality
- Limited testing coverage, primarily restricted to basic unit tests with no integration or end-to-end validation
- Inconsistent error handling with generic messages and no custom error types, reducing debuggability
- Fragmented code organization with mixed responsibilities in API handlers, blending HTTP logic with business rules
- Mixed naming conventions and ambiguous identifiers that impair code readability and maintainability
- Type safety undermined by extensive use of map[string]interface{} in configuration and API layers, introducing runtime instability
- Absence of linting, static analysis, or formal code style enforcement
What Makes It Unique
- Native integration of Nebula overlay network for secure, zero-trust device-to-device communication without external VPNs
- Unified orchestration of Docker, rclone, and system services through Go-generated systemd scripts
- Dynamic configuration templating for Nebula firewall and tunnel settings with automatic defaults
- Embedded backup system using atomic file operations to preserve system state without external dependencies
- Host-mode networking migration tool that bypasses Docker networking to expose services directly on the host's network
- Invitation-based user onboarding with role-based permissions enforced at the database layer, minimizing external auth dependencies