NASty is a NAS operating system built on NixOS and bcachefs. It turns commodity hardware into a storage appliance serving NFS, SMB, iSCSI, and NVMe-oF - managed from a single web UI, updated atomically, and rolled back when things go sideways.

This is the nginx → Caddy migration release. The reverse proxy and TLS terminator under the WebUI moved from nginx to Caddy. ACME issuance is now driven directly through Caddy (lego dropped), per-app ingress applies at runtime via Caddy's admin API, and the v0.0.7 NetworkManager compatibility scaffolding has been removed — boxes upgrading from 0.0.7 should be reconciled before jumping. Anything still on 0.0.6 or earlier should pass through 0.0.7 first.

Headline changes

• Caddy replaces nginx as the reverse proxy and TLS terminator. App ingress routes apply through Caddy's admin API at install / remove time — config changes take effect in-process with no file rewrite and no reload. TLS automation is one atomic admin-API PATCH per change, so per-host issuance state shows up live on the TLS page.
• Per-app subdomain ingress (V1 of #99). Apps can now be served at app.example.com instead of (or alongside) /apps/<name>/. Subdomain mode is selectable at install time and editable later, conflicts are detected before submit, and ingress-incompatible apps (whose absolute-path assets break path-prefix mode) auto-detect themselves and surface a clear reason in the install UI.
• Self-signed certs now cover both nasty.local and the box's LAN / Tailscale IPs. Direct-IP HTTPS (https://10.x.x.x) validates the cert against the IP directly — only the "untrusted CA" warning remains, which clears once you import Caddy's root via the Download CA Root button on the TLS page. Unknown SNI (tailnet *.ts.net names, anything not on the cert) falls back cleanly to the internal cert.
• Files page learned copy, move, and bulk actions (#88). Per-row Copy / Move icons + multi-select bulk action bar (Copy / Move / Delete) using the existing PathPicker. The same dialog handles files and directories regardless of which bcachefs pool the destination lives on.
• NetworkManager compatibility scaffolding from v0.0.7 has been removed. The legacy networking layer, the one-shot migration cutover, and the Phase-X comments are gone. A clean reconcile of orphan interfaces + NM profiles runs at startup, per-connection NM apply errors surface individually in the UI, and DBus type encoding for MAC / DNS fields aligns with what NetworkManager expects.

And bunch of other changes/bugfixes. More details in release notes.

NASty is a NAS operating system built on NixOS and bcachefs. It turns commodity hardware into a storage appliance serving NFS, SMB, iSCSI, and NVMe-oF — managed from a single web UI, updated atomically, and rolled back when things go sideways.

⚠ Heads-up: this is the NetworkManager-migration release. v0.0.7 runs both the legacy networking layer and NM in parallel for a transparent migration. v0.0.8 will drop the compat shim, so don't jump from 0.0.6 straight to 0.0.8 — go through 0.0.7 first.

Highlights:

• Networking on NetworkManager with confirm-or-rollback safety. Network edits stage, apply, and auto-revert if you don't confirm in time — no more SSH-locking yourself out from a typo.
• Encrypted filesystem lifecycle is end-to-end. Lock / unlock / mount-with-keyring-key all work, the WebUI shows which apps / VMs / shares / backups would break before you lock, with a 🔒 badge linking to the unlock dialog.
• Hardware passthrough UI. IOMMU groups, USB device list, edit USB passthrough on existing VMs, bridge selector, inline disk-import wizard.
• Subvolumes overview is the new default landing view. One table grouped by filesystem, real disk-usage progress bars, block-image actual allocation (no more iSCSI / NVMe-oF images reading 100% full).
• Update flow rebuilt. Dev-build channel actually bumps the kernel now (refreshes all flake inputs), failed rebuilds dump the activation journal, nasty-cleanup is a one-shot fix for /boot full.
• Live per-app resource usage on the Apps page (CPU%, memory, network I/O, disk I/O), à la docker stats.

Notable bug fix: filesystem quotas were stored 1024× larger than requested (bytes vs KiB units) — a 5 Gi NFS PVC ended up with 5 TiB cap. Engine fixed; startup reconcile auto-corrects existing installs.

aarch64 boxes (Pi / Odroid / Rockchip) now hit cachix for prebuilt binaries instead of compiling Rust + npm on every upgrade.

NASty is a NAS operating system built on NixOS and bcachefs. It turns commodity hardware into a storage appliance serving NFS, SMB, iSCSI, and NVMe-oF — managed from a single web UI, updated atomically, and rolled back when things go sideways.

Highlights of 0.0.6:

• OIDC / Single Sign-On — Log in with Google, Authentik, Keycloak, or any OIDC provider. Configure from Access Control → Identity Providers.

• Security hardening pass — Browser sessions moved to httpOnly cookies, per-IP login rate-limit with persisted lockouts, WebSocket origin validation, gated WS endpoints, legacy ?token= URL auth removed, tightened HTTP security headers, {@html} XSS sinks killed, compose deploys sandboxed, NFS exports hardened, secret files locked down.

• Network bridges — Linux bridges as a virtual switch for VMs (and apps), composable with bonds and VLANs (closes #27).

• MTU configuration — Configurable MTU on physical interfaces, bonds, bridges, and VLANs from the WebUI — including jumbo frames (9000) for SMB / NFS workloads (closes #62).

• Filesystem wizard upgrades — Drive model / serial / vendor / transport on the disk picker, usable-capacity estimate that matches the filesystems list, and a summary line on the filesystem card showing device count, erasure coding, and encryption.

• Apps allow_unsafe escape hatch — Deploy compose stacks (or simple apps) that need privileged options with explicit user opt-in, surfaced in the deploy form and app list. Internal port now editable on Apps.

• Background alert evaluation — Alerts fire from the engine's background notifier instead of waiting for a browser to be connected.

• Test & CI footprint — fmt / clippy / svelte-check / test gates in CI, pinned Rust toolchain, integration nixosTest that drives JSON-RPC over the appliance, bcachefs smoke test, and unit tests across JSON-RPC framing, alert evaluation, sharing config, storage parsers, update rollback, the WebSocket client, the toast queue, and IO history.

• Dependency refresh — rusqlite 0.34 → 0.39, openidconnect 3 → 4, vitest 3 → 4, plus major bumps to sha2 / rand / x509-parser / bollard / reqwest, nixpkgs to 549bd84 (2026-05-05), and bcachefs-tools to v1.38.2.

• Smaller polish — SSH banner is now dismissible and renamed to "Configure SSH", banner buttons actually navigate, VM-detect loop fix, audit log rotation fix, dead nft -f - spawn removed.

NASty is a NAS operating system built on NixOS and bcachefs. It turns commodity hardware into a storage appliance serving NFS, SMB, iSCSI, and NVMe-oF — managed from a single web UI, updated atomically, and rolled back when things go sideways.

Highlights of 0.0.4:

Docker Apps

The apps runtime has been rewritten. Deploy single containers or paste a docker-compose.yml with syntax highlighting, port conflict detection, and live deploy output. Apps are automatically accessible through the built-in reverse proxy — no firewall changes needed.

bcachefs 1.38

Full compatibility with bcachefs 1.38. Per-subvolume options (data_replicas, compression, tiering targets) are now visible in the WebUI. New dataReplicas StorageClass parameter lets the CSI driver create volumes with reduced replication for expendable data.

Quality of Life

• Global progress indicator for all operations
• File preview and download in the file browser
• nasty-top TUI for live bcachefs monitoring
• Audit logging for all mutations
• Firmware update support via fwupd