Quollix

Motivation

Mon, 01 Jan 0001 00:00:00 +0000

Citizens and small and medium-sized enterprises (SMEs) need digital infrastructure, such as servers for data storage, chatting and wikis. However, none of the existing options for acquiring such infrastructure meets all the following needs:

privacy
convenience
long-term security
option for customization

Let’s look at some typical approaches, why they fall short, and what a better solution should provide.

Option 1: Hosted Services

Although outsourcing to an external cloud offers the convenience of taking over server management, there are serious trade-offs.

Features

Mon, 01 Jan 0001 00:00:00 +0000

Quollix is offered in two editions. The Community Edition (CE) is designed for casual and small-scale users. The Premium Edition (PE) adds commercial features for users who require more advanced functionality.

Business Philosophy

CE is fully usable: The CE supports real, long-term self-hosting without artificial limits.
PE is for professional operation: Paid features of PE focus on organizational control, governance, and compliance.
No artificial upgrade pressure: Premium features are purely additive. Community functionality is never removed.

Features by Edition

Below are the key features. A check mark means the feature is available, and a cross means it’s not available in the associated edition.

Server Host

Mon, 01 Jan 0001 00:00:00 +0000

The server host value is needed to access installed apps. For example, if you set the host to company.com and click Open on the forgejo app on the Installed Apps page, forgejo.company.com will open in a new tab. For local testing, you can simply use localhost as the host value.

Note: This proxying requires that the domain (e.g. forgejo.company.com) resolves to the server where Quollix is installed, either via a DNS record or an entry in your system’s hosts file.

Apps

Mon, 01 Jan 0001 00:00:00 +0000

Quollix only takes care of the system administration. The actual day-to-day functionality like chat or data cloud comes from the installed apps.

App Store

Digital infrastructure can be installed as apps, much like a smartphone. An app store simplifies the process of discovering and installing new apps, while allowing anyone to upload their own apps.

List of Official Apps

These are the apps of the official maintainer quollix available in the App Store.

Certificate

Mon, 01 Jan 0001 00:00:00 +0000

There are multiple ways to operate certificates in Quollix.

1) Default Certificate

By default, Quollix is available on port 443 via HTTPS using a universal self-signed wildcard certificate. This default certificate works for all domains or IP addresses through which you access Quollix and any host configured in the Settings. This option may be sufficient for test deployments or private LAN networks. However, for most real-world use cases, a valid, properly signed wildcard certificate is recommended.

Getting started

Mon, 01 Jan 0001 00:00:00 +0000

Local Test Setup

Install Docker and run Quollix as described below. Visit http://localhost in your browser, log in with the default credentials (admin/password).

Production Setup

This is a quick guide for a production installation of Quollix. For the sake of example, assume you have a domain like example.com, which we will call <SERVER_HOST> in the instructions below.

Choose a server: for example, a virtual private server (VPS) from a hosting provider, or a physical server at home.
Set DNS records: Create a wildcard A DNS record pointing to the IP address of the Quollix server for your domain: *.<SERVER_HOST>
Install Docker: For installation instructions, see the Docker Installation Guide.
Create a docker-compose.yml file with the following content:

services:
 quollix:
 image: quollix/quollix:latest
 container_name: quollix
 ports:
 - "80:80"
 - "443:443"
 volumes:
 - /tmp:/tmp
 - /var/run/docker.sock:/var/run/docker.sock
 restart: unless-stopped

If you want extra security to prevent other people or bots logging in with the default credentials, add the following environment variables:

services:
 quollix:
 # ...
 environment:
 INITIAL_ADMIN_NAME: <replace-me>
 INITIAL_ADMIN_PASSWORD: <replace-me>
 INITIAL_ADMIN_EMAIL: <replace-me>

Run the following command in the same directory as the docker-compose.yml file:

sudo docker compose up -d

Visit the Quollix web interface at https://quollix.<SERVER_HOST>.
Log in using the default credentials (admin / password).
Go to the Settings page, set Server Host to <SERVER_HOST>, and save.
Set up certificate by either:
- uploading your own wildcard certificate covering the domains above
- or generating a wildcard certificate via DNS-01 challenge and restarting the browser afterwards

Next Steps

The Operations section provides additional guidance for running Quollix in a self-hosted environment, including configuration and security best practices.

Maintenance

Mon, 01 Jan 0001 00:00:00 +0000

The features Automatic Updates and Automatic Backups are enabled by default and are handled by the Maintenance Agent in the background. The Maintenance Agent runs once a day.

If both options are enabled, the Maintenance Agent compares the version of each locally installed app with the latest version in the App Store. If an update is available, a backup is created, then the update is applied. If the update fails, you can restore the previous version.

Roadmap

Mon, 01 Jan 0001 00:00:00 +0000

The following milestones outline the upcoming release phases for Quollix:

First release: Initial public version of Quollix with open-source core functionality, alongside selected premium features.
Completing feature set: Implementing all planned features for the current major version.
Opening App Store for everyone: Allowing third-party developers to publish and distribute apps.
Launching managed SaaS offering: Providing a fully hosted version of Quollix with automated setup and maintenance.

Users

Mon, 01 Jan 0001 00:00:00 +0000

To access private apps in the Quollix, you need a local account. The Users page enables you to create and delete these accounts. Users with the “User” role can only access apps and their own account and have no access to administrative features.

Inviting Users and Password Reset

Administrators can generate an invitation link for a user. When the user opens the link, they are prompted to set a password, which completes the account creation process. If a user forgets his password, an administrator can generate a new link to allow them to set a new one.

Automatic Updates

Mon, 01 Jan 0001 00:00:00 +0000

This article is on automatic updates of Quollix itself. The apps installed in Quollix are already automatically updated by Quollix. On the server, run:

sudo crontab -e

Add a cronjob automatically updating quollix image, for example:

0 3 * * * /usr/bin/bash -c "docker pull quollix/quollix:latest && docker compose -f /path/to/docker-compose.yml up -d"

Is it recommended to test the bash command above for correct execution by manually running it.

Backups

Mon, 01 Jan 0001 00:00:00 +0000

Once a backup server has been configured in the settings, users can create backups of each app on the Installed Apps page. The Backups page allows you to view and restore backups of apps.

Note

Restoring an app backup will erase any previously existing app data that was not backed up. Consider creating a current backup before restoring an old backup.

FAQ

Mon, 01 Jan 0001 00:00:00 +0000

How difficult is it to install Quollix?

Quollix can be installed on any device that supports a widely used technology called ‘Docker’, making it largely hardware and operating system independent. Installation requires only a single Docker command on the command line. All server maintenance tasks are done automatically by Quollix in the background.

Is Quollix secure?

Quollix is designed with security as a priority, and we have built in extensive protections. See the Threat Model article for details. No system can be guaranteed to be 100% secure, but we use a security-by-design approach and continue improving the platform over time.

How does Quollix compare to Nextcloud?

Nextcloud is primarily an application focused on file storage and collaboration. Quollix, by contrast, is a general-purpose platform for installing and managing multiple applications.

Pricing

Mon, 01 Jan 0001 00:00:00 +0000

Quollix is available in community and premium editions. A complete feature comparison by edition is available on the Features page.

Editions

Community Edition
- Price: Free
- No subscription required
Premium Edition
- Price: 15 € per month
- Billed monthly
- VAT or applicable sales tax is calculated at checkout by Paddle, the Merchant of Record.

Billing and Cancellation

Subscriptions are billed on a monthly basis
You can cancel your subscription at any time
After cancellation, access to premium features remains available until the end of the current billing period

Purchase and Payment

Payments are processed by Paddle, which acts as the Merchant of Record.

Remote Backup

Mon, 01 Jan 0001 00:00:00 +0000

By default, when you create a backup of an app, Quollix will create a local backup of it. However, if remote backups are enabled, an additional remote backup is created and sent to an external SSH server.

Note

We strongly recommend that you enable this feature. If your hard drive becomes irreversibly damaged, remote backup may be the only way to recover your data.

Quollix uses the restic tool in the backend, which provides end-to-end encryption. This means that even if someone intercepts the traffic or gains access to the backup server, they cannot read your encrypted backup data.

Feedback

Mon, 01 Jan 0001 00:00:00 +0000

We welcome feedback about Quollix and the website.

Send feedback to quollix-feedback@mailbox.org.

You can use this for:

ideas for improving the website
information that is missing or hard to find
unclear explanations or confusing wording
suggestions for better documentation
general product feedback about Quollix

Positive feedback is also welcome and motivates us.

Please keep in mind: while we do appreciate your feedback, this is not a support channel, and we will very likely not reply.

Glossary

Mon, 01 Jan 0001 00:00:00 +0000

Abbreviation	Meaning
0BSD	Zero-Clause BSD (License)
AGPL	GNU Affero General Public License
AI	Artificial Intelligence
BIOS	Basic Input/Output System
CE	Community Edition
CI	Continuous Integration
CLI	Command-Line Interface
CRUD	Create, read, update and delete
EULA	End-User License Agreement
FAQ	Frequently Asked Questions
FDE	Full-Disk Encryption
GUI	Graphical User Interface
HTTP	Hypertext Transfer Protocol
HTTPS	Hypertext Transfer Protocol Secure
LAN	Local Area Network
LLM	Large Language Model
MITM	Man-in-the-middle
OIDC	OpenID Connect
OS	Operating System
PE	Premium Edition
PR	Pull Request
SaaS	Software as a Service
QSC	Quollix Store Client
SSO	Single Sign-On
SSR	Server-Side Rendering
UEFI	Unified Extensible Firmware Interface
WSL	Windows Subsystem for Linux

Mon, 01 Jan 0001 00:00:00 +0000

Frontend Development Workflow

Persistent Development State

When starting Quollix in TEST mode, you can use the -k flag which preserves database is preserved across restarts and preserves Login state, so you do not need to log in again after each backend code change and restart.

Quollix uses SSR with Go HTML templates.

When running in TEST mode:

Backend code changes still require a container restart
Frontend resource changes do not require a restart

Instead, the GUI provides a Reload Frontend button:

'NETWORK_CHANGED' error and 'TypeError: Failed to fetch'

Mon, 01 Jan 0001 00:00:00 +0000

During some operations such as starting an app, browsers may report a NETWORK_CHANGED or TypeError: Failed to fetch error. This is expected behavior and does not indicate a failed operation.

Why this happens

Quollix runs inside a Docker container and dynamically connects to and disconnects from app-specific Docker networks during certain operations. If a browser request is in flight while Docker reconfigures the container’s network, the browser may abort the request and report one of the above errors, even though the backend operation completes successfully.

App Design Recommendations

Mon, 01 Jan 0001 00:00:00 +0000

This document is intended for developers who develop software and want to distribute it through the Quollix App Store. You are free to design your app in any way you like. However, following the recommendations ensures smooth integration with Quollix and improves the experience for administrators and end users.

Introduction and development model

Any software that provides a web interface can be published as an app in the Quollix App Store. At a high level, the development and distribution flow looks like this:

Architecture

Mon, 01 Jan 0001 00:00:00 +0000

Quollix is a monolithic application that runs on a single server. Each HTTP request from users is either processed by Quollix directly or passes through Quollix and is proxied to an app. The apps are “hidden” behind Quollix. This way, Quollix serves as an extra layer of security, as only authenticated users have access to the apps by default.

For security reasons, each app runs in its own isolated space with its unique Docker network and volumes. So, apps are isolated from each other.

Code of Conduct

Mon, 01 Jan 0001 00:00:00 +0000

We are committed to a professional, productive, and welcoming environment for everyone involved in this project - contributors, maintainers, and users alike.

Expected Behavior

Act with courtesy, respect, and empathy.
Foster an inclusive atmosphere that values diverse perspectives.
Offer constructive, actionable feedback oriented toward improving the project.
Collaborate in good faith.

Unacceptable Behavior

Harassment, discrimination, or personal attacks.
Derogatory, inflammatory, or otherwise abusive language.
Sustained disruption of discussions or workflows.

Enforcement

Violations will result in consequences proportionate to the severity and frequency of the behavior, ranging from a warning to temporary or permanent removal from project spaces.

Contributing

Mon, 01 Jan 0001 00:00:00 +0000

Note

GitHub is the right place for contributions and development discussions, but not for user support requests.

Improve the Website

Website contributions are welcome as well. The website repository is github.com/quollix/website. Website content contributions only require basic Markdown knowledge and knowing how to contribute through GitHub, so non-programmers are welcome. Read the README.md for further contribution information.

Expand the App Store

If you have software with a web interface that you would like to share with the community, you can simply package it as an app and upload it. If an app becomes popular, we will consider adopting it as an official app.

Forgejo

Mon, 01 Jan 0001 00:00:00 +0000

A general rule in Forgejo is that many settings cannot be changed via the web GUI once the installation wizard is completed. However, you can still modify them by directly editing the app.ini file inside the container as described below. As this is a somewhat hacky solution, we recommend deciding whether to allow self-registration before deploying a production instance.

Installation Wizard

When visiting the Forgejo web UI for the first time:

GDPR compliance

Mon, 01 Jan 0001 00:00:00 +0000

Note

This section provides general information only and does not constitute legal advice. No responsibility or liability is assumed for how this information is used.

Quollix includes features that can support GDPR-aligned operation. This page provides additional legal context for selected features, explaining their relevance from a data protection perspective. The information here is not comprehensive and does not cover all GDPR obligations.

User invites

The link generated for user invitation contains only a temporary token, not a password. The token is valid for a limited time, can only be used once, and is protected by HTTPS provided that a properly signed certificate is configured, which is required for secure operation. Transmitting such links, even over insecure channels, is considered GDPR-compliant. Administrators may distribute the link through the following channels:

Groups (premium)

Mon, 01 Jan 0001 00:00:00 +0000

The Groups feature takes effect when an app is configured with a group-restricted access policy on the Installed Apps page. Access is granted to any user who is a member of at least one group authorized for the app.

To grant a user access:

Create a group
Add the user as member of the group
Grant the group access to the app

Jitsi

Mon, 01 Jan 0001 00:00:00 +0000

By default, Jitsi does not enforce authentication and allows anyone with access to the web interface to create and join meetings. Access is managed through Quollix’s access policies. The following access policies are available:

Public: Anyone with access to the Jitsi web interface can create and join meetings. No authentication is required.
Authenticated / Group restricted: Anonymous users have no access and cannot create or join meetings. Access is limited to authenticated users / to users who are members of specific groups that are allowed to use the Jitsi app.

Local Development

Mon, 01 Jan 0001 00:00:00 +0000

For local development, you should run Quollix in TEST mode docker container using the ci-runner tool. This mode is optimized for development and testing, so there are some features implemented which make the development experience smoother. This includes:

when running docker container in test mode, you can add the flag -k to keep the database and uploaded files between restarts. This way, you don’t have to login or set up everything from scratch on each change of backend code and subsequent restart.
Changing web resource files (HTML, CSS, JS) on the host system can be reloaded from the GUI, so no restart is necessary.
a dummy SSH server is started to allow SSH connections and creating backups.
Usually when working on local OIDC integration testing, you might need a valid TLS certificate for testing integration with Quollix as an OIDC provider.
- Set the domain in the /etc/hosts file to point to localhost (e.g. quollix.test.quollix.org -> 127.0.0.1), do this also with all expected app domains.
- Run Quollix in prod mode
- Set a test domain in the settings that you own (e.g. we usually use test.quollix.org)
- Generate a TLS certificate via DNS-01 challenge
- Download the generated certificate (certificate.pem)
- Stop Quollix and restart it in TEST mode
- Set the host again and upload the previously downloaded certificate
- Restart your browser and revisit Quollix under quollix.<test-domain> (for example quollix.test.quollix.org)

For local development, Quollix should usually be run in TEST mode inside a Docker container using the ci-runner tool. TEST mode provides features optimizing development.

Odoo

Mon, 01 Jan 0001 00:00:00 +0000

Setup

At first visit, write down or save the master password presented.
Set Database: odoo
Enter email and password, which are the future login credentials for the admin account
Click “Create database”
Login with the just set credentials

Single-Sign On / OIDC

Odoo icon > Settings > Integrations
- enable ‘OAuth Authentication’ > Save
- You will be logged out. Login and go to the same page again.
- OAuthAuthentication > OAuth Providers:
  - Delete existing proiders
  - New > Provider:
    - Provider Name: Quollix
    - Client ID: enter client ID from OIDC page
    - Allowed: enable
    - Login button label: “Login with Quollix”
    - Authorization URL: https://quollix.<server-host>/api/authorize
    - Scope: openid profile email (leave default)
    - UserInfo URL: https://quollix.<server-host>/api/userinfo

OIDC clients

Mon, 01 Jan 0001 00:00:00 +0000

This page lists the installed apps and their OIDC client configurations. Each app can use this configuration to authenticate against Quollix, which acts as the OIDC provider.

Depending on the software, OIDC integration may be configured automatically. If not, the required values can be manually copied from this page and applied to the app using its preferred configuration method, such as a web interface or configuration file.

OIDC Integration Testing Strategy

Mon, 01 Jan 0001 00:00:00 +0000

This article describes the recommended strategy for testing OIDC integrations in a local development setup between apps and Quollix.

Theory

Quollix acts as the OIDC provider. Apps act as OIDC clients.
Apps started by Quollix resolve the OIDC provider via the domain quollix.<host> inside the shared Docker network.
Many OIDC clients require the provider’s endpoints to be served over HTTPS with a valid TLS certificate.
Quollix’s well-known endpoint is available at quollix.<host>/.well-known/openid-configuration.
While some apps may allow self-signed certificates, using a valid certificate is the safest option and avoids the need to relax or disable client-side TLS verification.
Quollix can automatically generate and manage certificates for a test domain, making it easy to reproduce a production-like setup locally.

Practice

Add a DNS entry for your test domain in /etc/hosts (e.g. we use quollix.test.quollix.org → 127.0.0.1)
Start Quollix in PROD mode using the CI runner.
Open the settings in the Quollix UI and set your test domain as the host. For example, we use test.quollix.org.
Generate a TLS certificate via the DNS-01 challenge.
Download the generated certificate (certificate.pem).
Stop Quollix and restart it in TEST mode.
Set the host again and upload the previously downloaded certificate.
Restart your browser and revisit Quollix under quollix.<test-domain> (for example quollix.test.quollix.org).
Install and start your app via the mocked App Store and verify that the OIDC login flow works as expected.

OpenCloud integration issues

Mon, 01 Jan 0001 00:00:00 +0000

Quollix acts as the reverse proxy in front of OpenCloud. OpenCloud uses a mandatory OpenID Connect (OIDC) authentication flow. Even when using local users (IDM), OpenCloud always authenticates via its internal OIDC provider. Because of this, OpenCloud must be able to reach its own OIDC discovery endpoint at the URL defined by OC_URL.

During authentication, OpenCloud performs OIDC discovery and token validation requests from its own container to the URL defined by OC_URL. These requests are routed through the reverse proxy (Quollix) and then forwarded back to the OpenCloud service itself. This internal request loop only happens during authentication, but it is the source of most issues in local, containerized setups.

Scaling

Mon, 01 Jan 0001 00:00:00 +0000

Quollix is designed to run as a single-node system. There is no built-in horizontal clustering. Scaling is achieved using one of the following approaches.

Vertical Scaling

The primary scaling strategy is vertical scaling. Run Quollix on a machine with more CPU, memory, and disk space. This can be done by migrating the instance to a larger server. The server migration guide might be helpful for that.

Federation

Communities or larger organizations may federate multiple Quollix servers. Each server represents an organizational unit. Identity and access are shared through a central Identity Provider server.

Server migration

Mon, 01 Jan 0001 00:00:00 +0000

Server migration means moving Quollix and apps data from one server to another. This could be for reasons such as switching cloud providers, upgrading hardware or moving from SaaS to self-hosted infrastructure.

With Quollix, migration is straightforward: simply create remote backups of all apps, set up a new Quollix instance, configure access to the remote backup server, and restore the apps from the remote backup server. To avoid compatibility issues, ensure that the Docker image tags of the old and new Quollix containers are the same.

Server preparations

Mon, 01 Jan 0001 00:00:00 +0000

This sample guide walks you through setting up a hardened Ubuntu Server host for Quollix. Adapt it to your own environment as needed.

Restrict Physical Access

Place the device in a locked rack or drawer.

OS Installation

Download Ubuntu Server: Grab the latest ISO from Canonical’s download page.
Flash it to a USB drive (Rufus, balenaEtcher, etc.). You will need to connect a screen and a keyboard in order to complete the initial setup.
During setup:
- Pick minimal installation, no GUI.
- Enable SSH server.
- Optional: Choose LVM with full-disk encryption (FDE) if you want encrypted storage (see below).

Internet Connection

Connect the server to a wired LAN to avoid having to configure a Wi-Fi connection on boot. With FDE, Wi-Fi setup would even be required twice: once in the encrypted-mode initramfs and again in the decrypted-mode main operating system. Please note that the LAN IP address of the server may differ between initramfs mode and the main operating system, since the router may recognise them as two distinct devices.

Software EULA

Mon, 01 Jan 0001 00:00:00 +0000

Last Updated: 26.02.2026

This End-User License Agreement (“EULA”) governs the use of the proprietary components of Quollix (the “Software”).

By installing, accessing, or using the proprietary components of the Software, you agree to this EULA.

1. Scope and Structure

Quollix may include both open-source components and proprietary components.

Open-source components are governed exclusively by their respective open-source licenses.

This EULA applies only to proprietary components, including premium features distributed in compiled or containerized form.

Software Privacy Notice

Mon, 01 Jan 0001 00:00:00 +0000

Last Updated: 26.02.2026

This Software Privacy Notice applies only when proprietary components of Quollix that require license validation are used.

If you use only open-source components of Quollix without enabling premium features, no data is transmitted to or processed by the Maintainer.

1. Controller

The controller within the meaning of applicable data protection laws is the Maintainer of Quollix.

2. Scope

This Notice applies solely to data transmitted to maintainer-operated infrastructure in connection with license validation and service protection for proprietary components.

Terminal (premium)

Mon, 01 Jan 0001 00:00:00 +0000

The Terminal feature lets you open an interactive shell inside an app’s running container. Since containers may include different shells, Quollix does not assume a specific one. When opening a terminal, it first attempts to start bash. If that is not available, it falls back to POSIX sh, followed by additional shells to support less common container setups.

To open a terminal, simply select the app you are interested in and choose the corresponding service / container.

Terms of Service

Mon, 01 Jan 0001 00:00:00 +0000

Last Updated: 26.02.2026

These Terms of Service (“Terms”) govern access to the Quollix website and the subscription of premium features.

Subscriptions are purchased via Paddle, which acts as Merchant of Record and processes payments on behalf of the Maintainer.

By purchasing a subscription or using this website, you agree to these Terms.

1. Provider

Quollix is provided by the person or entity identified in the Imprint (“Maintainer”).

2. Description of the Product

Quollix is a software platform that simplifies the deployment and management of containerized applications. It may be used in self-hosted environments or, where offered, as a hosted service.

Threat model

Mon, 01 Jan 0001 00:00:00 +0000

A threat model outlines the security assumptions, potential risks, and defense strategies of a system. This document describes how Quollix mitigates threats to protect its digital infrastructure.

Security Measures

Cryptography

We only use modern, well-tested cryptographic algorithms. Administrators can generate Let’s Encrypt–signed certificates or provide their own certificates to secure HTTPS endpoints.

Container Isolation

Every app runs in its own Docker container with no shared volumes, networks, or Docker socket access, and with restricted Linux capabilities.

Troubleshooting

Mon, 01 Jan 0001 00:00:00 +0000

I have forgotten my Quollix password. How can I reset it?

You can ask an admin to reset your account password. If you are the only admin and have lost access to your account, you can reset the password by running the following command on the server:

docker exec -i quollix_postgres_postgres psql -U postgres -d postgres -c "DELETE FROM users WHERE user_name = 'admin';"
docker restart quollix

This deletes the admin account. On restart, since no admin account exists, Quollix will create a new one with the credentials: admin/password.

Website Privacy Policy

Mon, 01 Jan 0001 00:00:00 +0000

Last Updated: 26.02.2026

This Privacy Policy applies to visits to the publicly accessible Quollix website.

1. Controller

The controller within the meaning of applicable data protection laws is the person identified in the Imprint.

2. Scope

This Privacy Policy applies when you visit the Website for informational purposes.

3. Server Log Data

When you access the Website, technical data is automatically processed by the hosting infrastructure. This may include:

IP address
Date and time of access
Requested pages or resources
Referrer information
Browser type and version
Operating system
Technical request metadata

This data is processed to ensure security, stability, and proper operation of the Website.