Full-stack web console for Bacula Community + Bacularis, written in Rust (Axum + Leptos), with 42 UI modules covering dashboard KPIs, restore studio, config studio with 11-stage transactional pipeline, native integration with 11 PodHeitor plugins, AI Copilot, live topology, SLO dashboard, Argon2id + TOTP MFA, and multi-channel notifications (email/webhook/Telegram).
Companion document to the PodHeitor Web Interface page.
1. The problem: Bweb and Bacularis aged in opposite directions
Bacula operators today have two main web UIs — and neither solves the full use case:
- Bweb (Bacula Web) — classic PHP UI focused on monitoring and simple catalog queries. No real config-as-code, no AI assistance, no visual topology, no granular RBAC, no MFA. Works, but shows its age.
- Bacularis — modern PHP UI with config wizards and RBAC, but still single-language config flow, no transactional rollback, no hooks for third-party plugins (each plugin needs a custom PHP descriptor), no SLO dashboard.
- Bweb on Bacula Enterprise — paid, closed, supported — but with the same look and the same architectural limits.
PHWEB is built from scratch as a first-class operations console for the PodHeitor + Bacula stack, with Bweb-parity on basic features and new features even Bacula Enterprise lacks (AI Copilot, cost simulator, drift detection, SaaS onboarding wizard).
2. Tech stack
| Layer | Technology |
|---|---|
| HTTP backend | Rust + Axum |
| Frontend | Rust + Leptos (CSR + SSR + hydration) |
| Build tooling | cargo leptos (unified SSR/CSR workspace) |
| Database | PostgreSQL (migrations 0001–0016) |
| Auth | Argon2id + TOTP MFA, session cookies (HttpOnly/SameSite=Lax), RBAC |
| Bacula integration | bconsole wrappers + custom parsers (supports local-mode and SSH-mode) |
| Notifications | Email, webhook, Telegram (Bot API); WhatsApp schema ready |
| Observability | Prometheus /metrics, healthcheck, structured audit log |
v2/architecture status: 279/279 tests PASS, 0 clippy errors, 0 WASM build errors. Phases 0–4 fully implemented, feature-complete for production use.
3. Implemented phases
| Phase | Features |
|---|---|
| 0 — Foundation | Axum architecture, auth/RBAC/audit, bconsole integration, DB migrations 0001–0016, plugin hub |
| 1 — Bweb Parity | Dashboard KPIs, job management, restore studio, storage/media/clients, reports |
| 2 — Config Full | Config Studio (structured + text), 11-stage transactional pipeline, rollback, ACL validation |
| 3 — PodHeitor Native | All 11 plugins, DR center, BVFS granular restore, ransomware, dedup, replication, SFTP, PITR |
| 4 — Intelligence | AI Copilot, live topology, data explorer, SLO dashboard, cost simulator, SaaS onboarding |
4. Transactional config pipeline (Phase 2)
Editing Bacula configuration in production is risky: a typo in a FileSet or Pool wedges the Director on reload. PHWEB solves it with an 11-stage pipeline:
- Parse — validates syntax of the edited block
- Lint — catches broken deps (Schedule referencing nonexistent Pool, etc.)
- ACL check — RBAC: does the user have permission to edit this resource?
- Diff — produces a human-readable diff against live config
- Stage — writes to staging file in an isolated dir
- Test parse —
bacula-dir -t -c <staged>before apply - Snapshot — copies live configs to a snapshot directory
- Apply — atomically swaps staged → live via rename
- Reload —
bconsole reload - Verify — post-reload health check
- Commit or rollback — if verify failed, reverse swap to snapshot
The operator can revert any commit later via the UI; the snapshot history lives in DB and is browseable.
5. Frontend pages (42 modules)
Each page is its own folder in crates/phweb-frontend/src/pages/:
login · mfa · mfa_setup · change_password · dashboard · backup_operations · reports_analytics · scheduled_reports · restore · pitr_studio · dr_center · config_studio · job_wizard · fileset · filesets · jobdefs_wizard · schedule_wizard · pool_wizard · storage_wizard · device_wizard · client_wizard · catalog_wizard · console_wizard · counter_wizard · messages_wizard · directors · director · plugins · plugin · deployment · sftp_agentless · ai_copilot · topology · data_explorer · cost_simulator · dedup_observability · slo_dashboard · policy_as_code · marketplace · security · administration · onboarding · legacy_bweb · bconsole · drift
6. Native integration with 11 PodHeitor plugins (Phase 3)
Unlike Bacularis (where each plugin needs a custom PHP descriptor), PHWEB has first-class integration with all 11 PodHeitor plugins: HPC, MongoDB, Informix, ADABAS, Notes, SFTP, AD/LDAP, global dedup, file replication, granular restore, ransomware detection. Dedicated UI for PITR studio, DR center, BVFS granular restore, dedup observability.
7. Phase 4 — Intelligence
| Feature | Role |
|---|---|
| AI Copilot | Assistant that answers questions about the catalog, suggests FileSet/Schedule optimizations, and can apply changes via the Config Pipeline (with human confirmation) |
| Live topology | Visual map of Director ↔ SDs ↔ FDs ↔ devices, with real-time health LEDs |
| Data Explorer | Catalog browser: ad-hoc query over Job/File/Path/Client with filters |
| SLO Dashboard | Per-Job configurable SLOs (RPO/RTO target), compliance tracking |
| Cost Simulator | Retention-policy what-ifs vs storage cost |
| SaaS Onboarding | Guided wizard for multi-tenant deploy |
| Drift Detection | Compares live config vs expected (git, IaC) and alerts on divergence |
8. Authentication and RBAC
- Argon2id for password hashing — PHC’s first choice, tunable parameters
- TOTP MFA with setup wizard and per-role enforcement
- Session cookies HttpOnly + SameSite=Lax — no token in localStorage (XSS defense)
- Granular RBAC — permissions by resource type (FileSet, Pool, Job, Storage)
- Structured audit log (JSON-Lines) — who did what, when, where, with diff
9. Multi-channel notifications
Email, generic webhook, and Telegram via Bot API. Schema ready for WhatsApp (API-key decision — Twilio vs WhatsApp Business — pending). Configuration:
Channel kind: telegram
Target format: {bot_token}/{chat_id}
Example: 123456:AAEhBbCcDd-ef/987654321Created via Administration > Notifications > New Channel. The bot must be added to the target chat before sending.
10. Deploy
Build via cargo leptos build --release on a build host (recommended VM with 8 GB RAM, ~23 min cold build). Artefacts: phweb-server binary + site/ directory with WASM bundle + assets. Typical deploy on a dedicated VM (Bacula Community + PHWEB co-located).
# Typical production env vars:
DATABASE_URL=postgres://phweb:phweb_dev@localhost/phweb
PHWEB_AUTO_MIGRATE=1
PHWEB_CONFIG_APPLY_ENABLED=1
PHWEB_DIRECTOR_HOST=localhost
LEPTOS_OUTPUT_NAME=phweb
LEPTOS_SITE_ADDR=0.0.0.0:3001Bootstrap credentials: admin / admin — rotate on first login.
11. Not started / blocked
| Item | Blocker |
|---|---|
| Phase 5 — Billing | Commercial strategy decision (metering: API-first vs serial key) |
| WhatsApp channel | API-key decision (Twilio vs WhatsApp Business API) |
| Mobile app | Out of scope |
12. License posture
Proprietary — Copyright (c) 2026 Heitor Faria. PHWEB consumes the Bacula File Daemon and Storage Daemon only via public APIs (bconsole, plugin ABI), without statically linking any Bacula AGPLv3 source. Transitive Rust dependencies (Axum, Leptos, sqlx, tokio, etc.) are all MIT / Apache-2.0.
Ready to evaluate?
30-day free trial for qualified Bacula Community deployments (Bacula 15.0.3+ or Bacularis). We guarantee at least 50% off vs Bweb Enterprise, with more features — including AI Copilot, drift detection, and a transactional config pipeline that no competitor delivers.
Heitor Faria — Founder, PodHeitor International
✉ [email protected]
☎ +1 (789) 726-1749 · +55 (61) 98268-4220 (WhatsApp)
🔗 PodHeitor Web Interface page
Disponível em: 
Português (Portuguese (Brazil))
English
Español (Spanish)
