The all-in-one, Swiss-army-knife control plane for your Linux fleet — and your homelab. Monitoring with alerting, a CMDB, documentation with RAG search, CVE scanning, patching and remote management in one self-hosted place — with AI woven through all of it (optional). Web dashboard, push-based agents, no inbound ports. Set it up in five minutes.
Live demo · Install · Features · Wiki · Discussions
One tool instead of six. Most teams stitch together a monitor, a CMDB, a wiki, a vulnerability scanner, a patch tool and an SSH jump box. RemotePower is the Swiss-army-knife that does all of it from a single host you control — monitoring & alerting, an asset CMDB, documentation with RAG search over your own fleet, CVE scanning, patching, and remote management — and it's heavily bound to AI as an option: bring your own model (local Ollama/LocalAI or a cloud provider) and ask questions answered from your infrastructure, or leave it off entirely. Everything stays self-hosted.
A web dashboard that manages your Linux machines (and Windows, kind of) without opening firewall ports on them. Each host runs a small Python agent that polls the central server every 60 seconds — outbound HTTPS only. Enrolment is a 6-digit PIN, like pairing a console controller.
Deliberately small and readable: nginx + Python CGI + flat JSON files — about
60,000 lines of server Python, one HTML file, one CSS file and a handful of
hand-written JS files. No external database, no Node.js, no Redis, no Kubernetes,
no build step, no bundler, no framework — you can read every line. The whole
/var/lib/remotepower/
directory backs up with tar
. Tested on real homelabs running 5–50 devices, fine up to a few hundred — and for larger or write-heavy fleets you can switch to an optional embedded SQLite backend, or scale all the way to PostgreSQL (failover + read replicas), load-balanced app nodes and relay satellites for segmented networks. That's an advanced, heavy-fleet track — most installs never touch it. See ** docs/scaling.md**.
Server — one command, HTTPS out of the box:
docker compose up -d
git clone https://github.com/tyxak/remotepower && cd remotepower
sudo bash install.sh
Open the printed URL and log in. HTTPS is automatic — a self-signed CA by default (agents pin it), or a real Let's Encrypt cert when you give a public domain. No cert wrangling, no nginx editing.
Add a device — one line, nothing to configure:
In the dashboard, Add device → Quick install command, then on the target host:
wget -qO- "https://your-server/install?t=<token>" | sudo sh
It downloads the signed agent, verifies its checksum, enrols with the baked
one-time token, and the host appears in the dashboard by its hostname within
~60 seconds. Prefer Docker? Add device → Generate Docker compose. Onboarding
many hosts? Push the installer over SSH: install.sh agent push user@h1 user@h2 …
.
Uninstall: sudo bash install.sh uninstall
(server — keeps your data;
--purge
to wipe it) · wget -qO- https://your-server/install | sudo sh -s -- --uninstall
(agent).
For longer paths (Windows client, demo vhost, Ansible, advanced TLS), see ** docs/install.md**.
A read-only demo deployment runs at ** https://demoremote.tvipper.com** — seeded with synthetic devices, alerts, CVE findings, and metrics so you can poke around without installing anything. Login:
/
demo
(reset every few hours, so feel free to break things).
demo
One tool instead of six — the ten things it does best:
Monitor everything | Live 60-second metrics, a CheckMK-style per-host Checks page, active monitors (HTTP / DNS / ICMP / TCP + credential-less DB liveness), and a composable dashboard. Every fired event lands in an Alerts inbox with acknowledge / auto-resolve. | See every signal | SMART & hardware health, GPU (NVIDIA + AMD, trend sparklines + thermal alerts), power / UPS, disk-fill forecasting, a per-host timeline, and logs with regex search — telemetry the agent already reports, surfaced as first-class views. | Manage remotely | Shell, multi-line scripts with dry-run lint, batch & scheduled runs, a real browser SSH terminal, VNC and SFTP over the same tunnel, Proxmox VM / LXC create, and host user / key / firewall edits — all with zero inbound ports. | Lock it down | Passkeys / WebAuthn, SAML / OIDC / LDAP, TOTP + recovery codes, per-role MFA enforcement, a tamper-evident (hash-chained) audit log, strict CSP, and SSRF-guarded outbound calls. | Scan for CVEs | OSV.dev-backed, CVSS-scored, prioritized by CISA KEV + EPSS (exploited-in-the-wild first), with SBOM export (CycloneDX / SPDX, VEX-style vulnerabilities embedded). | Pentest what you own | Authorized vulnerability scanning of your own hosts & domains — nuclei / nikto / nmap / OWASP ZAP / wapiti / lynis — on a hardened scanner satellite, authorization-gated and schedulable. | CMDB + RAG search | Asset DB, encrypted credentials vault, Markdown docs per asset, network map — and an AI assistant whose RAG answers from your fleet and docs and cites the source (local or cloud model; off by default). | Stay compliant | OpenSCAP CIS / STIG / PCI scans with downloadable HTML reports, plus PCI / HIPAA / SOC 2 control mapping and scheduled posture reports. | Integrate | 26 homelab-app health connectors (Pi-hole, TrueNAS, the *arr suite, …), Prometheus / Grafana / Uptime-Kuma endpoints, inbound webhooks & syslog, and an MCP server so an AI client can query your fleet. | Patch & automate | Auto-patch policies (cron, per group / tag / site, maintenance-aware), config-drift detection, ACME / Let's Encrypt, backup orchestration, and an IaC generator (Terraform / Ansible / Pulumi / …). |
Full feature inventory → docs/features.md.
v4.9 — ResolutionMatters— an** Admin → DNSdashboard that reads and writes DNS records through your provider's API (Cloudflare, DigitalOcean, Hetzner, deSEC, Porkbun), plus a liveresolve/dig + propagation** panel, aresolver-health monitor (latency / NXDOMAIN alerts), and analert-resolution timeline (MTTR) on the Alerts page.v4.8 — OnboardingMatters— turnkey onboarding: a unified one-commandwizard, one-command Docker with HTTPS by default, a self-hosted one-lineinstall.sh
agent install, SSH agent bootstrap and clean uninstall. Plus a new** Reputation/DMARCmonitor (mail-sending IPs checked against DNS blocklists, SPF/DKIM/DMARC posture, and IMAP RUA-report ingestion), accessibility work and agent parity.v4.7 — IntegrationsMatters— 26 read-only homelab software integrations, a containerized agent**(monitor a Docker host with no OS install), and a fleet** GPUpage (NVIDIA + AMD, trend sparklines + thermal alerting). v4.6 — RepellantMatters**— the distinctive** Industrial**UI becomes the default, alongside a project-wide reliability, security and performance pass.
Full release history, newest first → ** CHANGELOG.md**.
RemotePower is security-reviewed every few releases and independently pentested
clean — the latest full run (Bandit SAST; OWASP ZAP, Nikto, Nuclei, Wapiti,
WhatWeb DAST) reported no exploitable findings. Posture in brief: bcrypt
(cost 12, PBKDF2-HMAC-SHA256 fallback) behind rate-limited login; TOTP 2FA with
recovery codes; passkeys / SAML / OIDC / LDAP; 256-bit header session tokens
(CSRF-safe by construction); a strict CSP with no 'unsafe-inline'
; an AES-GCM CMDB vault; a tamper-evident audit log; and mandatory TLS verification plus connect-time anti-DNS-rebinding on every outbound call. Full posture, threat model, review history and an operator hardening checklist: ** docs/security.md**.
Browse the full docs in the ** Wiki** (generated from
docs/
, organised by topic). Prefer the source? Everything lives in — start with the index there. The essentials:
docs/| Topic | Where | |---|---| Install (Linux, Docker, demo, Windows) | |
Full feature inventorydocs/features.md** Architecture + on-disk layout**docs/architecture.md** API reference**(endpoints + OpenAPI)docs/api.md— interactive:/swagger.html
Security notesdocs/security.md** Scaling & deployment**docs/scaling.md** Troubleshooting / Upgrading**docs/troubleshooting.md·docs/upgrading.mdA self-hosted Swiss-army knife for your Linux fleet or homelab: monitoring, alerting, CMDB, docs with RAG, CVE scanning, authorized pentesting, patching, compliance, and full remote management (browser SSH, Proxmox, files) — push-based agents, zero inbound ports, optional local or cloud AI that answers from your hosts. One tool instead of six.
Request a feature— open aFeature request; it's labelledenhancement
and triaged from there.Report a bug— open aBug report.** Ask a question or float an idea**— head toDiscussions.** Found a security issue?— please report it privately perSECURITY.md; don't open a public issue. Contributing code or docs?**— seeCONTRIBUTING.md.
MIT — see LICENSE.
Made with care and vi