Docker Deployment

Deploy NovaZel with Docker

Identity-first overlay network — every connection is cryptographically verified. No IP-address trust. No faked certificates. Just unforgeable cryptographic identities.

docker run rocheston/novazel help
docker compose up

What is NovaZel?

NovaZel is a protocol that runs on top of the internet you already have. Instead of trusting raw IP addresses (which can be spoofed, hijacked, or change unexpectedly), every device, server, and AI agent gets an NZID — a cryptographic identity derived from a public key:

nzid:FBYOLXUDAVQBD3XIXHRSCA4EB4ZR2M4UG7J642ZEXMW774YKPTKA

When Alice connects to Bob, both sides prove their identity using Ed25519 signatures before a single byte of data is exchanged. There are no IP-based certificates that can be faked — the identity IS the key.

Core Concepts

Identity    NZID       nzid: + BASE32(SHA-256(public_key)) — your unforgeable identity
Resolver    Atlas      HTTP name resolver — maps bob.novazel to a signed identity bundle
Session     FUSE Flow  Verified session between two NZIDs — like a phone call, but cryptographic
Daemon      nova-node  Always-on daemon that receives messages and flows
Web         NovaWeb    Web server that serves novazel:// URLs over FUSE flows
CLI         zurl       curl for NovaZel — send messages and fetch novazel:// URLs
Encryption  Zelen      Quantum-safe file encryption — ML-KEM-1024 + AES-256-GCM

How It Works

Alice                               Atlas                    Bob
  |                                   |                       |
  | resolve("bob.novazel") ---------> |                       |
  | <-------- nzid:GCSGLY + quic:addr |                       |
  |                                                           |
  | ---- HELLO (src_nzid, pub_key) -------------------------->|
  | <--- WELCOME (dst_nzid, pub_key) -------------------------|
  | ---- OPEN_FLOW (flow_id) -------------------------------->|
  | ---- DATA ("hello") ------------------------------------->|
  | <--- DATA ("ack: hello") ---------------------------------|
  |                                                           |
[OK] Verified FUSE flow established
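
The NZID rule from Core Concepts and the HELLO/WELCOME exchange above, as an added Python example (not NovaZel's own code): it derives an NZID from a public key and checks that the key presented in a handshake hashes to the NZID that Atlas resolved. Assumptions: the hash input is the raw 32-byte Ed25519 public key, Base32 padding is stripped (inferred from the 52-character NZID shown on this page), and check_peer, its result strings and the sample keys are hypothetical. Verifying the Ed25519 signature itself is a separate step not shown here.

```python
import base64
import hashlib
import hmac

NZID_PREFIX = "nzid:"
PAGE_EXAMPLE = "nzid:FBYOLXUDAVQBD3XIXHRSCA4EB4ZR2M4UG7J642ZEXMW774YKPTKA"  # from this page


def derive_nzid(public_key: bytes) -> str:
    """nzid: + BASE32(SHA-256(public_key)), padding stripped (assumption)."""
    if len(public_key) != 32:
        raise ValueError("expected a 32-byte raw Ed25519 public key")
    digest = hashlib.sha256(public_key).digest()
    return NZID_PREFIX + base64.b32encode(digest).decode("ascii").rstrip("=")


def is_canonical_nzid(nzid: str) -> bool:
    """Accept only the prefix plus 52 canonical upper-case Base32 characters."""
    body = nzid[len(NZID_PREFIX):]
    if not nzid.startswith(NZID_PREFIX) or len(body) != 52:
        return False
    try:
        digest = base64.b32decode(body + "====")  # restore stripped padding
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    # Re-encode so a string with stray trailing bits is rejected.
    return base64.b32encode(digest).decode("ascii").rstrip("=") == body


def check_peer(expected_nzid: str, claimed_nzid: str, public_key: bytes) -> str:
    """Classify a handshake (nzid, pub_key) pair against the resolved NZID."""
    if not is_canonical_nzid(claimed_nzid):
        return "malformed-nzid"
    if not hmac.compare_digest(claimed_nzid, expected_nzid):
        return "unexpected-peer"   # a valid identity, but not the one resolved
    try:
        derived = derive_nzid(public_key)
    except ValueError:
        return "bad-key-length"
    if not hmac.compare_digest(derived, claimed_nzid):
        return "key-mismatch"      # key does not hash to the claimed NZID
    return "ok"


# Constructed sample keys (not real NovaZel identities).
BOB_KEY = bytes(range(32))
MALLORY_KEY = bytes(range(1, 33))
BOB_NZID = derive_nzid(BOB_KEY)
```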

Quick Start

Single service

# 1. Start the Atlas name resolver
docker run -d --name atlas -p 8080:8080 rocheston/novazel \
  atlas --listen 0.0.0.0:8080

# 2. Create identities (stored in a named volume)
docker run --rm -v nova-ids:/root/.nova rocheston/novazel \
  nova id create alice --dev-insecure
docker run --rm -v nova-ids:/root/.nova rocheston/novazel \
  nova id create bob --dev-insecure

# 3. Start Bob's node (registers bob.novazel with Atlas)
docker run -d --name bob-node \
  -p 4433:4433/udp -p 7777:7777 \
  -v nova-ids:/root/.nova \
  --link atlas rocheston/novazel \
  node --identity bob \
       --listen-quic 0.0.0.0:4433 \
       --atlas http://atlas:8080 \
       --register bob.novazel \
       --local-api 0.0.0.0:7777

# 4. Send a message from Alice to Bob
docker run --rm -v nova-ids:/root/.nova --link atlas rocheston/novazel \
  nova send bob.novazel "hello from docker" \
    --from alice --atlas http://atlas:8080

# 5. Use zurl (like curl, for novazel://)
docker run --rm -v nova-ids:/root/.nova --link atlas rocheston/novazel \
  zurl novazel://bob.novazel "hello" --from alice --atlas http://atlas:8080

Full Stack with Docker Compose

# Download the compose file
curl -O https://raw.githubusercontent.com/rocheston/novazel/main/docker-compose.yml

# Start everything
docker compose up -d

# Watch logs
docker compose logs -f

# Check Atlas is resolving names
curl http://localhost:8080/resolve/bob.novazel

# Check node status
curl http://localhost:7777/local/v1/status

# Stop
docker compose down

Services & Ports

Service  Container   Port  Protocol  Description
atlas    nova-atlas  8080  TCP/HTTP  Name resolver — resolve .novazel names
node     nova-node   4433  UDP/QUIC  NovaZel node — FUSE flow handler
node     nova-node   7777  TCP/HTTP  Local REST API — status, flows, health
web      nova-web    7443  UDP/QUIC  NovaWeb — identity-verified web serving

Command Reference

All commands run as: docker run rocheston/novazel <command>

Identity Management

# Create a new identity
nova id create <name> --dev-insecure

# Show an identity
nova id show <name>

# List all identities
nova id list

# Verify an identity
nova id verify <name>

Atlas — Name Resolution

# Register a name with Atlas
nova atlas register <name.novazel> \
  --identity <id-name> \
  --atlas http://atlas:8080 \
  --locator quic:0.0.0.0:4433

# Resolve a name
nova atlas resolve bob.novazel --atlas http://atlas:8080

Send Messages

# Send a message to a named identity
nova send bob.novazel "your message here" \
  --from alice \
  --atlas http://atlas:8080

# Send and wait for reply
nova send bob.novazel "ping" --from alice --atlas http://atlas:8080

NovaWeb

# Start a NovaWeb server
novaweb \
  --identity web1 \
  --name mysite.novazel \
  --atlas http://atlas:8080 \
  --listen-novazel 0.0.0.0:7443 \
  --serve /data/sites

# Fetch a page over NovaZel
nova web get novazel://mysite.novazel/index.html \
  --from alice --atlas http://atlas:8080

zurl — curl for NovaZel

# Send a message (no path = message mode)
zurl novazel://bob.novazel "hello world" --from alice

# Fetch a web page (with path = web fetch mode)
zurl novazel://site.novazel/index.html --from alice

# Verbose output (like curl -v)
zurl -v novazel://bob.novazel "test" --from alice

# Save output to file
zurl novazel://site.novazel/index.html --from alice -o page.html

# Silent mode (body only)
zurl -s novazel://bob.novazel "query" --from alice

# Custom Atlas endpoint
zurl novazel://bob.novazel "hello" --from alice --atlas http://atlas:8080

Node Operations

# Check node status
nova node status --url http://localhost:7777

# List active flows
nova node status --url http://localhost:7777

Zelen Encryption

# Seal a file (encrypt)
nova zelen seal --file secret.txt --output secret.zelen --identity alice

# Unseal a file (decrypt)
nova zelen unseal --file secret.zelen --output secret.txt --identity alice

# Inspect a zelen file
nova inspect secret.zelen

Demo — End-to-End Test

# Run the full automated demo (starts all services, tests everything)
docker run --rm rocheston/novazel demo

# Keep services running after demo
docker run --rm rocheston/novazel demo --no-cleanup

Environment Variables

Variable        Default       Description
NOVA_HOME       /root/.nova   Identity storage directory
ATLAS_ADDR      0.0.0.0:8080  Atlas listen address
NODE_QUIC_ADDR  0.0.0.0:4433  Node QUIC listen address
NODE_API_ADDR   0.0.0.0:7777  Node local API address
WEB_ADDR        0.0.0.0:7443  NovaWeb QUIC listen address

Volumes

Path         Purpose
/root/.nova  Identity key files (alice.json, bob.json, …)
/data/sites  NovaWeb static site files to serve

# Persist identities across container restarts
docker run -v nova-identities:/root/.nova rocheston/novazel ...

# Mount your website directory
docker run -v /my/website:/data/sites rocheston/novazel web \
  --identity web1 --name mysite.novazel --atlas http://atlas:8080 \
  --listen-novazel 0.0.0.0:7443 --serve /data/sites

Included Binaries

nova                Main CLI — all commands in one binary
nova-atlas          Atlas name-resolver service
nova-node           Node daemon (QUIC + local API)
novaweb             NovaWeb site server
nova-relay          Relay daemon
nova-gateway        Gateway daemon
nova-console        Interactive TUI console
nova-playground     Browser-based playground server
nova-inspect        Inspect capsule / zelen files
nova-bench          Performance benchmarking tool
nova-security-test  Security test suite
nova-sim            Network simulator
zurl                curl for novazel:// URLs
novademo            Automated end-to-end demo

Architecture

+----------------------------------------------------------+
|                     NovaZel Network                      |
|                                                          |
|  Alice --[1. resolve bob.novazel?]--> Atlas              |
|        <--[2. nzid + quic addr]----                      |
|                                                          |
|  Alice --[3. HELLO + OPEN_FLOW]-----> Bob's Node         |
|        <--[4. WELCOME + DATA]-------                     |
|                                                          |
|  Alice --[5. GET /index.html]-------> NovaWeb            |
|        <--[6. HTML body]-----------                      |
|                                                          |
|  +-------------------------------------------------+     |
|  |    QUIC Transport * Zelen Encryption * FUSE     |     |
|  +-------------------------------------------------+     |
+----------------------------------------------------------+

Built by Rocheston

Cybersecurity research and education.
Docker Hub: hub.docker.com/r/rocheston/novazel
Platform: linux/amd64 · Base image: debian:bookworm-slim