underground-nexus
Underground Nexus official repository: https://github.com/Underground-Ops/underground-nexus
10K+
(micro-hypervisor with Git-BIOS and robotics integration)
Policy-guided automation that builds and governs your infrastructure.
Underground Nexus is a sovereign systems layer that uses curated artifacts and an agentic kernel to assemble, harden, and prove compliant infrastructure — on any hardware or cloud.
Release Version 2.0.1 – RELEASE NAME: CodeHaven
The best way to build your agnostic technical skills using the Underground Nexus and all of Cloud Underground's agnostic develoment tools is to join the Cloud Jam Gauntlet. We'll guide you through a series of challenges, from setting up your sovereign environment to building your own private AI.
The Underground Nexus is a Sovereign Kernel Layer – a governance-first systems layer that compiles policy and requirements into sovereign zones and emits audit evidence by default. It’s artifact-driven and agent-operated, so you can evolve infrastructure from a living reference without vendor lock-in.
Use cases you can start with
Recommended for most users: the Cerberus (cerberus0) Manager CLI bundles the full pipeline and provides a smoother UX.
Kickstart with Cerberus (typical flow)
DEV command to set up your development workspace and fetch core artifacts.SEC command to run a chaos test that builds a golden host appliance template if the test succeeds. (the SEC command deploys the Dockerfile image in this repository)You can still use the manual Docker commands below. Commands, ports, credentials, and activation flow remain the same.
Assumes Docker is already installed. Open a command line and paste the appropriate
docker runfor your platform.
Dockerhub DEVELOPMENT pull for Docker Desktop or amd64 systems:
docker run -itd --name=Underground-Nexus -h Underground-Nexus --privileged --init \
-p 22:22 -p 80:80 -p 8080:8080 -p 443:443 -p 1000:1000 -p 2000:2000 \
-p 2375:2375 -p 2376:2376 -p 2377:2377 -p 9010:9010 -p 9050:9443 \
-p 18080:18080 -p 18443:18443 \
-v /dev:/dev -v underground-nexus-docker-socket:/var/run \
-v underground-nexus-data:/var/lib/docker/volumes -v nexus-bucket:/nexus-bucket \
natoascode/underground-nexus:amd64
Dockerhub SECURE pull for Docker Desktop or amd64 systems:
docker run -itd --name=Underground-Nexus -h Underground-Nexus --privileged --init \
-p 1000:1000 -p 9050:9443 \
-v /dev:/dev -v underground-nexus-docker-socket:/var/run \
-v underground-nexus-data:/var/lib/docker/volumes -v nexus-bucket:/nexus-bucket \
natoascode/underground-nexus:amd64
Dockerhub DEVELOPMENT pull for arm64 systems (examples include Apple M1, Raspberry Pi, NVIDIA Jetson, etc.):
docker run -itd --name=Underground-Nexus -h Underground-Nexus --privileged --init \
-p 22:22 -p 80:80 -p 8080:8080 -p 443:443 -p 1000:1000 -p 2000:2000 \
-p 2375:2375 -p 2376:2376 -p 2377:2377 -p 9010:9010 -p 9050:9443 \
-p 18080:18080 -p 18443:18443 \
-v /dev:/dev -v underground-nexus-docker-socket:/var/run \
-v underground-nexus-data:/var/lib/docker/volumes -v nexus-bucket:/nexus-bucket \
natoascode/underground-nexus:arm64
Dockerhub SECURE pull for arm64 systems (examples include Apple M1, Raspberry Pi, NVIDIA Jetson, etc.):
docker run -itd --name=Underground-Nexus -h Underground-Nexus --privileged --init \
-p 1000:1000 -p 9050:9443 \
-v /dev:/dev -v underground-nexus-docker-socket:/var/run \
-v underground-nexus-data:/var/lib/docker/volumes -v nexus-bucket:/nexus-bucket \
natoascode/underground-nexus:arm64
Run in the same shell used for docker run. Script builds and activates the stack. Expect 15–45 minutes on average.
Standard Activation (recommended):
docker exec Underground-Nexus bash deploy-olympiad.sh
Alternate Activation (inside container shell):
bash deploy-olympiad.sh
Lightweight Activation (for < 8GB RAM): Removes KuberNexus, underground-ops.me domain, and non-essential tools (Vault, SOC, Traefik, WordPress, GitLab, collaborator workbenches, k3d/Kubernetes).
bash olympiad-deploy-light.sh
Portainer login (https://localhost:9050):
docker exec Underground-Nexus docker restart Olympiad0Minimum hardware: Raspberry Pi 4 (4GB RAM+) or anything more powerful (amd64/arm supported).
Admin desktop: Open the Nexus MATE admin desktop at http://localhost:1000.
Secure port strategy: Nexus is designed to operate primarily from one open port: 1000.
Kubernetes (KuberNexus):
In Portainer, find KuberNexus for Kubernetes. Use the MATE terminal with k3d to create/modify clusters.
Nexus apps: Accessible via Firefox (or any browser) inside the MATE admin desktop.
SSO / Developer flow: GitHub works well for SSO. VS Code + GitHub Codespaces is a fast way to scale dev compute.
Kali shell security: Kali is locked behind Portainer by default. Configure SSH to allow access to the entire Nexus through the Kali Athena0 node as a gateway.
Monitoring: The Athena0 (Kali) node feeds Grafana and Loki and includes radare2 for deep analysis.
Pi-hole mode: Open DNS ports (53, 67) to run Nexus as a powerful Pi-hole + SOC source. Integrate Pi-hole data with Grafana/Loki.
Default internal URLs (available inside the Nexus desktop browser):
Portainer: https://10.20.0.1:9443
Pi-hole: http://inner-dns-control/admin/login.php (change password in Portainer)
Grafana: https://grafana.underground-ops.me/ and http://10.20.0.1:3000/
admin:notiaPoint1Wazuh: https://wazuh.underground-ops.me:5601/ and https://10.20.0.1:5601/
admin:adminMinIO (Cyber Life Torpedo): http://10.20.0.1:9010
minioadmin:minioadminUbuntu MATE Admin Desktop: http://10.20.0.1:1000
abc:abc (runs as root; don’t access this host from inside the MATE desktop)Ubuntu KDE SOC Desktop: http://10.20.0.1:2000
abc:abcVault: http://10.20.0.1:8200
myroot (do not expose externally)VS Code (browser): http://10.20.0.1:18443
VM Engine (Hyperscaler): http://10.20.0.1:18080
External development ports (open intentionally––recommended defaults are 1000 and 9443):
https://localhost:9050http://localhosthttp://localhost:9010http://localhost:1000http://localhost:2000http://localhost:18443Athena0 (Kali) for pentest & chaos:
terraform), Metasploit (msfconsole), nmap, Kali Bleeding Edge repodocker exec Athena0 <cmd> (e.g., docker exec Athena0 terraform -v)Terraform pre-installed:
rootGitLab (amd64 standard activation):
Learn GitLab + DevSecOps with Cloud Underground: https://learn.gitlab.com/cloud-underground/
Nexus includes Virtual Machine Manager and QEMU for running VMs inside the stack.
Screenshots:
Cloud-Native Server Architecture (PDF): https://github.com/Underground-Ops/underground-nexus/blob/main/Underground_Nexus_Architecture.pdf
Quick Start Guide (pay special attention to Step 4; dockerhub users start at Step 3): https://github.com/Underground-Ops/underground-nexus/blob/main/Underground_Nexus_Quick_Guide.pdf
This section replaces and modernizes the older "super root" content.
A Super Root is the privileged sovereign-kernel control plane for an Underground Nexus deployment. It is the logical layer that:
The Super Root is not a single binary. It is a configuration of kernel-level controls, hypervisor boundaries, curated artifacts, and agent interfaces that together form a secure substrate for sovereign zones.
A Super Root configuration typically includes:
DEV and SEC commands.DEV to design and test a Super Root configuration in a dev workspace.SEC to exercise the stack as a chaos test and, on success, promote validated artifacts to the Production Artifacts folder.Additional architecture diagrams for software factory pipeline management:
Open-core model: the FOSS edition exposes the open core filesystem and artifacts. Enterprise deployments may run Nexus OS (no privileged container; KVM talks directly to OS services) and add private file system + intelligence feeds.
docker exec), pulling the repo’s artifacts and exercising the stack. Configurations that survive are promoted into Production Artifacts:
https://github.com/Underground-Ops/underground-nexus/tree/main/Production%20ArtifactsBuild appliances with Cerberus: Use DEV to design and SEC to validate appliances.
Flywheel: The more controls you encode, the more operations the system can automate and keep in continuous compliance.
A great first project is a sovereign smart home lab. You’ll learn how to secure, govern, and automate a real environment—then apply the same patterns at work.
Docker Desktop is recommended for developing with Underground Nexus: https://www.docker.com/products/docker-desktop
Natively powered by GitLab and OpenZiti
Learn to master cloud skills with Underground Nexus — join the Cloud Jam Gauntlet: https://cloudunderground.dev/products/cloud-jam
Content type
Image
Digest
sha256:28e9ca67b…
Size
218.7 MB
Last updated
3 months ago
docker pull natoascode/underground-nexus