Open source · Powered by Nix · Self-hosted

Ship products, not plumbing.

One .stack/config.nix replaces dozens of config files. Reproducible dev environments, encrypted secrets, deterministic ports, and real HTTPS — generated for your whole team. No Nix knowledge required.

Reproducible
Self-hosted
No lock-in
Local-first
Works offline
MIT licensed
Studio preview: http://localhost:9876

Apps

Deterministic ports · stack-aware tasks · live status

  • web: TanStack Start · Vite, running, web.myapp.local:4200
  • api: Hono · Cloudflare Workers, running, api.myapp.local:4201
  • queue-worker: Go · process-compose, building, :4202

Services

Postgres · Redis · Minio · Caddy + Step CA

  • PostgreSQL 16: Hashed from project name · isolated per-project. :4237 (STACKPANEL_POSTGRES_PORT)
  • Redis 7: Cache + pub/sub managed by process-compose. :4252 (STACKPANEL_REDIS_PORT)
  • Minio (S3): Local object storage with presigned URLs. :4263 (STACKPANEL_MINIO_PORT)
  • Caddy + Step CA: Real HTTPS for *.myapp.local in dev. :4280 (STACKPANEL_CADDY_PORT)

Variables

SOPS + AGE · scoped per app and environment

  • DATABASE_URL (secret): ref+sops://prod.sops.yaml#/DATABASE_URL, scope: api · worker
  • STACKPANEL_API_PORT (service): 4201, scope: all apps
  • VITE_PUBLIC_API_URL (config): https://api.myapp.local, scope: web
  • AGE_RECIPIENTS (secret): age1qd…ek7c, age1n4…tlkq, +2, scope: team · 4 keys

Resolved at shell entry · Type-safe codegen

  • 1 config file: .stack/config.nix declares it all
  • Deterministic ports: Hashed from project name
  • 60+ agent endpoints: REST + Connect-RPC + SSE
  • Zero vendor lock-in: Generated files look hand-written

How it works

Three planes, one project

Stackpanel runs as a Nix configuration, a local Go agent, and a web studio. Each plane has a clear job — together they replace the boilerplate that lives between your code and production.

01

Nix plane

Declarative source of truth

Evaluates your config, computes ports from your project name, provisions the devshell, and generates files. Runs once on shell entry.

  • flake-parts + devenv adapter
  • Per-app code generation
  • SOPS recipients in Nix config

02

Local agent

Bridge to your environment

A Go binary on localhost:9876 that wraps Nix evaluation, manages services via process-compose, watches files, and serves the studio.

  • REST + Connect-RPC + SSE
  • JWT pairing flow
  • Works fully offline

03

Web studio

Manage everything visually

A React app for browsing extensions, managing services, editing config, viewing generated files, and resolving secrets — without writing Nix.

  • Real-time SSE updates
  • Form-based config editor
  • Per-extension panels

Git is the deploy target

Studio writes to your real config files. Diffs show up in code review like any other change.

Real-time, locally

SSE streams config and service updates from the agent — no polling, no cloud round-trips.

Eject without migration

Generated files live in standard locations. Stop using Stackpanel and your repo keeps working.

Platform

Everything that lives between code and production

Stackpanel collapses the dozens of files, services, and integrations every team rebuilds from scratch into a single declarative configuration.

Nix · devenv

Reproducible devshells

flake.lock pins every package, runtime, and version. Every teammate gets the exact same Node, Bun, Go, Postgres — independent of their OS.

STACKPANEL_*_PORT

Deterministic ports

Ports are hashed from your project name, then sequenced for apps and services. Same ports on every machine, no .env coordination, no clashes between projects.

process-compose

Service orchestration

Postgres, Redis, Minio, Caddy, and Step CA managed by process-compose. One command to start the whole stack with health probes wired up.

SOPS · AGE

Encrypted secrets

SOPS-encrypted YAML with AGE recipients declared in Nix. Add a teammate's public key, run rekey, commit the diff. No external KMS to manage.

Step CA · Caddy

Real HTTPS in dev

Step CA issues internal certificates and Caddy reverse-proxies your apps to https://*.local — no browser warnings, no self-signed cert wrangling.

.vscode · .zed

IDE auto-config

VS Code and Zed workspace settings, recommended extensions, and devshell loaders are generated and committed. New hires open the repo and the editor is ready.

TS · Go · Python

Type-safe @gen/env

Per-app codegen turns your secret schemas into typed TypeScript modules with embedded encrypted payloads. Import from @gen/env/<app> and ship.

One-click install

Extension registry

Browse extensions in the studio and enable them with one click. Stackpanel writes the Nix config for you and contributes generated files, scripts, and panels.

Eject anytime

No vendor lock-in

Generated files are standard config in standard locations. Stop using Stackpanel and the repo keeps working — there is nothing to migrate.

No data leaves your machine in dev · Composes with devenv, flake-parts, and SST · Local-first · works offline

One config, everything generated

Declare your stack once.

A single .stack/config.nix describes your apps, services, secrets, ports, IDE settings, and deployment. Everything else — the dotfiles, the Caddyfile, the SOPS rules, the type-safe env modules — is build output.

.stack/config.nix
{ config, pkgs, ... }: {
  stackpanel = {
    enable = true;
    name = "myapp";

    # Apps get sequential ports from the hashed base
    apps = {
      web = { port = 0; }; # → :4200
      api = { port = 1; }; # → :4201
    };

    # Background services managed by process-compose
    globalServices = {
      enable = true;
      postgres.enable = true;
      redis.enable = true;
      minio.enable = true;
    };

    # Real HTTPS for *.myapp.local
    caddy.enable = true;
    step-ca.enable = true;

    # Editor settings + extensions, generated for the team
    ide = {
      enable = true;
      vscode.enable = true;
      zed.enable = true;
    };

    # SOPS recipients live in Nix; `config` must be a module argument to be referenced here
    secrets.recipients = config.stackpanel.users.allKeys;

    # Project commands available on $PATH
    scripts.dev = {
      exec = "bun run --filter './apps/*' dev";
      description = "Start every app in dev mode";
    };
  };
}

Don't want to write Nix? Open the studio — every option has a form, and changes are written back to this file.

Builds into

The dotfiles you would have written by hand.

Generated files live where every tool expects them, in formats every teammate already knows. Studio shows you which files are stale, which module wrote them, and what would change if you regenerated.

Generated by Stackpanel · 8 files
  • .vscode/settings.json

    Workspace settings + recommended extensions for VS Code

  • .zed/settings.json

    Language server config + Nix integration for Zed

  • .stack/secrets/.sops.yaml

    SOPS creation rules rendered from declared recipients

  • packages/gen/env/src/<app>.ts

    Type-safe env modules per app with embedded payloads

  • .stack/state/stack.json

    Resolved ports, URLs, services for the Go agent

  • .stack/gen/process-compose.yaml

    Service definitions with health probes and dependencies

  • .vscode/launch.json

    Debug configurations contributed by app modules

  • Caddyfile

    Reverse-proxy routes for *.local hostnames with TLS

Local infrastructure

Production-shaped services on your laptop.

Stackpanel runs the same data stores you use in production — Postgres, Redis, MinIO — orchestrated by process-compose with health probes and dependency ordering.

Caddy and an internal Step CA give you real HTTPS at clean hostnames like https://api.myapp.local — so OAuth, secure cookies, and webhooks behave like prod.

Same shape, your cloud

Modules can target NixOS or container runtimes for staging and production. Same config language, same generated Caddyfile, same SOPS recipients — different host.

  • PostgreSQL (global, STACKPANEL_POSTGRES_PORT): Local cluster with persistent data dir, ready for migrations.
  • Redis (global, STACKPANEL_REDIS_PORT): Single-node cache for sessions, queues, and rate limits.
  • MinIO (global, STACKPANEL_MINIO_PORT): S3-compatible object storage with admin console exposed.
  • Caddy (network, STACKPANEL_CADDY_PORT): Reverse proxy that wires *.local hostnames to your apps.
  • Step CA (network, STACKPANEL_STEP_CA_PORT): Internal certificate authority — real HTTPS in dev, no warnings.
  • process-compose (orchestrator, STACKPANEL_PC_PORT): Health probes, dependencies, and restart policies for everything above.

Production stacks

Deploy without becoming a platform team.

Production Stacks are maintained Nix flake inputs that take your app from .stack/config.nix all the way to production. Stick to the conventions and you should never need more than one option flip.

apps.<myapp>.nextjs.enable = true;

Alchemy

Stable · maintained

Resource-graph IaC for the full TypeScript stack — Cloudflare, AWS, Vercel.

Cloudflare · AWS · Vercel · GitHub · Stripe

Example

# .stack/config.nix
apps.web = {
  framework = "nextjs";
  alchemy = {
    target = "cloudflare"; # or "aws" | "vercel"
    previews = true;
  };
};

  • Type-safe bindings generated into your app
  • Per-PR preview environments out of the box
  • Secrets pulled straight from .stack/secrets
  • State stored in your repo or your S3 bucket

Colmena

Stable · maintained

NixOS deploys for the people who want full control — Hetzner, bare metal, your own racks.

Hetzner CAX/CCX · Bare metal · Any NixOS host · Tailscale

Example

# .stack/config.nix
apps.api = {
  colmena = {
    host = "cax21.fra";
    replicas = 2;
    rollback.enable = true;
  };
};

  • Atomic switch with one-command rollback
  • Machine groups for canary + production fleets
  • Secrets via agenix, recipients managed in Nix
  • Caddy + Step CA wired identically to dev

Fly.io

Stable · maintained

Containerized apps at the edge — regional placement, Fly volumes, Fly Postgres.

Fly Machines · Fly Postgres · Fly Volumes · Tigris (S3)

Example

# .stack/config.nix
apps.api.fly = {
  regions = [ "iad" "fra" "sin" ];
  machines = 3;
  postgres.cluster = "myapp-pg";
  autoscale.maxMachines = 10;
};

  • Multi-region machines from one Nix config
  • Health probes, autoscale, and graceful drain
  • Fly secrets sync from .stack/secrets at deploy
  • Built-in observability via Fly Metrics
Our promise

You write the convention. We keep it green.

Stacks are versioned Nix flake inputs. Subscribers get the private stable channel and a maintenance commitment — same-day patches, tested against every nixpkgs and provider API change.

  • Same-day patches when nixpkgs ships breaking updates

  • Tested against every flake.lock bump before release

  • Provider API drift handled before it breaks your deploys

  • Marketplace coming soon

    Third-party creators can ship and sell their own Production Stacks — Stackpanel takes 20%, you keep 80%.

Solo developers always have free access to the community branch of every stack.

Developer experience

Onboarding measured in minutes, not days.

The README on most repos starts with a 14-step setup guide. Stackpanel replaces it with direnv allow — and a teammate is running the full stack on the same ports as everyone else.

New hire, day one
  1. $ git clone …

    Pull the repo as usual

  2. $ direnv allow

    Devshell builds in the background

  3. $ dev

    Apps + services come up; studio opens

≈ 2 commands

Onboarding without docs

git clone, direnv allow, done. Devshell installs every runtime, generates IDE settings, drops scripts on $PATH, and opens the studio.

TLS in dev

Real URLs, real ports

Hit https://web.myapp.local in any browser. OAuth callbacks, secure cookies, and webhooks behave the same as in production.

SOPS · AGE

Secrets that just work

Add a teammate's AGE key, rekey the SOPS files, commit the diff. Their next direnv reload pulls the new keys with zero config.

scripts.* in Nix

Project commands on $PATH

Declared scripts (dev, lint, test, deploy) become real binaries. Every teammate runs the same command — no per-shell aliases.

CLI

Real commands, no proprietary glue

The stackpanel CLI speaks Nix, SOPS, and process-compose. Every command operates on standard files in your repo.

~/myapp $ nix flake init -t github:darkmatter/stackpanel#default
→ Cloning template into ./
✓ flake.nix written
✓ .stack/config.nix written
✓ .envrc written (direnv)
Next:
  direnv allow        # build & enter the devshell
  dev                 # start every app + service
  stackpanel studio   # open Studio in your browser

Same command works on macOS, Linux, and NixOS — same versions, same output.

Comparison

Why not just use what we already have?

Each of these tools solves part of the problem. Stackpanel composes them — so you stop maintaining the glue.

Columns: Capability | Stackpanel (Open source) | Raw Nix / devenv (DIY) | Docker Compose (Container-only) | Hosted PaaS (Vercel · Render · Fly)

Capabilities compared:

  • Reproducible across machines: Same Bun, Go, Postgres versions
  • Deterministic shared ports: Same ports on every laptop
  • Real HTTPS in dev: Internal CA + reverse proxy
  • Encrypted secrets in repo: SOPS + AGE recipients in Nix
  • Type-safe env per app: Generated TS / Go / Python
  • IDE settings & extensions: VS Code + Zed, version-controlled
  • Visual studio for the team: Web UI for non-Nix users
  • Maintained deployment recipes: Production Stacks updated for you
  • No vendor lock-in: Eject and the repo still works
  • Self-hosted: Runs on your laptop and your cloud

Comparison reflects out-of-the-box behavior on a fresh repo. Most stacks can replicate parts of Stackpanel with enough custom tooling — that's the tooling we're replacing.

Pricing

Free dev environment. Paid production support.

The Stackpanel core is MIT and free forever. Subscribe when you're ready to outsource the maintenance of your production deploys to a team that does it full-time.

Community

Solo dev. Free forever.

$0

1 seat · no card required

  • Stackpanel core (MIT)
  • All 3 stacks on community branch
  • Best-effort patches
  • GitHub Discussions support

Team

Most popular

For shipping teams.

$19

per user / month, billed monthly

  • Everything in Community
  • Stable branch of every Production Stack
  • 30-day patch SLA
  • Email support, next business day

Business

For platform teams.

$49

per user / month, billed monthly

  • Everything in Team
  • 7-day patch SLA + early access channel
  • Multi-org, SSO, audit logs
  • Discord channel + 4-hour email response

Enterprise

For companies that ship the world.

Custom

from $5,000 / month

  • 24-hour critical CVE SLA
  • Air-gapped mirror license
  • Slack channel, on-call, named CSM
  • Indemnification, SCIM, custom RBAC

Same Production Stacks across every tier. You pay for SLA, support, and team features — not for access to the recipes.

Private beta · Open source core (MIT)

Reserve your spot in the beta.

Stackpanel core ships free for everyone. Production Stacks land as managed subscriptions on top. Join the beta to get early access to both, plus a direct line to the team building it.


Step 1

nix flake init -t …

Step 2

direnv allow

Step 3

dev

Prefer to read first? Browse the docs
