The Stack Desktop app is a (Mac) desktop app capable of running software stacks. It is built in Rust and uses Tauri as its framework and runtime.
It works alongside a website that provides a catalog of software stacks over at https://stack.lol.
The catalog is a collection of stack bundles: compressed archives (`<name>.stack`), each containing a full-fledged software stack. A stack is a collection of software components that work together to provide a specific functionality.
The website is able to notify the app to download and run a software stack from a stack bundle.
The app exposes a secured API that the website can use to notify it to download and run a software stack.
```mermaid
graph LR
    catalog[Stack Catalog] --> stackBundle[Stack Bundle<br><q><name>.stack</q>]
    subgraph "Stack Bundle"
        stackBundle --> metadata[Metadata<br><q>stack.yaml</q>]
        stackBundle --> dockerCompose[Docker Compose]
    end
    subgraph "Desktop App"
        stackApp[Stack Desktop] --> stackBundle
        stackApp --> metadata
        stackApp --> dockerCompose
        stackApp --> containers[Containers]
    end
    website[Website] --> catalog
    website --> stackApp
    subgraph "External dependencies"
        docker[Docker Engine]
    end
    docker[Docker Engine] -.-> stackApp
    dockerCompose -.-> docker
    docker --> containers
```
- `GET https://0.0.0.0:57404/health`
  - Returns `OK` if the app is running.
- `POST https://0.0.0.0:57404/run`
  - Accepts a JSON payload with the following structure: `{ "slug": "<name>" }`
  - Downloads and runs the software stack from the catalog with the given `<name>`.

The app exposes an API that the website can use to communicate with it. To ensure this communication is secure:
- The app generates a self-signed certificate when initializing which is used for HTTPS communication;
- API connections are restricted to localhost (127.0.0.1) to prevent external network access;
- All API requests require authentication using time-limited JWT tokens;
- The website and app share a secret key for mutual authentication;
- The app is signed and notarized for macOS to verify its authenticity;
- Users must explicitly approve downloading and running stacks via confirmation dialogs;
- User preferences can be configured for trusted stacks to reduce prompts;
- All stack bundles are digitally signed by the catalog publisher;
- Bundle checksums and signatures are verified before extraction;
- Downloaded bundles are scanned for potentially malicious content;
- Corrupted or tampered bundles are rejected with appropriate error messages;
- Containers run with minimal required privileges by default;
- Resource limits (CPU, memory, network) are enforced for all running stacks;
- Volume mounts are restricted to designated directories;
- Network access for containers is properly segmented and controlled;
- The app monitors running containers for unusual behavior.
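
One way to enforce the volume-mount restriction listed above, as an added example (not Stack Desktop's own code): a lexical check of Compose short-syntax `volumes` entries against the designated directories. The function names, the sample paths and the rule that relative sources resolve against the unpacked bundle directory are assumptions.

```rust
use std::path::{Component, Path, PathBuf};

/// Resolve `.` and `..` lexically (no file-system access).
/// Returns None when `..` would climb above the root.
fn normalize(path: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for part in path.components() {
        match part {
            Component::CurDir => {}
            Component::ParentDir => {
                if !out.pop() {
                    return None;
                }
            }
            other => out.push(other.as_os_str()),
        }
    }
    Some(out)
}

/// Check one Compose short-syntax volume entry, `SOURCE:TARGET[:MODE]`.
/// `stack_dir` is the unpacked bundle; `allowed` are the designated host directories.
fn mount_allowed(spec: &str, stack_dir: &Path, allowed: &[PathBuf]) -> bool {
    let source = spec.split(':').next().unwrap_or("");
    if source.is_empty() || source.starts_with('~') {
        return false; // missing source, or a home-directory shortcut
    }
    if !source.starts_with('/') && !source.starts_with('.') {
        // Not a path: a named volume managed by Docker. Accept plain names only.
        return source.chars().all(|c| c.is_ascii_alphanumeric() || "_.-".contains(c));
    }
    // Bind mount: a relative source is resolved against the bundle directory,
    // an absolute one replaces it (that is how Path::join behaves).
    let resolved = match normalize(&stack_dir.join(source)) {
        Some(path) => path,
        None => return false,
    };
    // Path::starts_with compares whole components, so `data-evil` is not under `data`.
    allowed.iter().any(|root| resolved.starts_with(root))
}

fn main() {
    // Constructed sample entries; every path here is an assumption for the example.
    let stack_dir = Path::new("/Users/me/Stack/wordpress");
    let allowed = vec![PathBuf::from("/Users/me/Stack/wordpress/data")];
    let specs = ["db_data:/var/lib/mysql", "./data/uploads:/uploads",
                 "./data/../../.ssh:/keys:ro", "/etc:/host-etc"];
    for spec in &specs {
        println!("{:<30} {}", spec, mount_allowed(spec, stack_dir, &allowed));
    }
}
```

The check is purely lexical, so a symlink inside the unpacked bundle can still point outside the allowed directories; resolve the path with `std::fs::canonicalize` after extraction and repeat the comparison before starting the containers.
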
```mermaid
sequenceDiagram
    actor user as User
    participant web as Website
    box grey
        participant app as Stack Desktop
        participant fs as File system
    end
    user->>+web: Click on "Start it now"
    web->>-app: Notify the app
    activate app
    app->>+web: Download the bundle
    web->>-fs: Store the bundle
    activate fs
    Note over fs: Bundle file
    fs-->>app: Read the bundle
    deactivate fs
    app->>fs: Unpack the bundle
    activate fs
    Note over fs: Unpacked directory
    fs-->>app: Read metadata<br>Detect name, flavor
    deactivate fs
    app->>app: Run the stack
    app-->>web: Notify the website
    deactivate app
    link web: Website @ https://stack.lol
    link app: Download @ https://stack.lol/download
```