{"slug": "remotepower-self-hosted-fleet-monitoring-with-built-in-vulnerability-scanning", "title": "RemotePower – self-hosted fleet monitoring with built-in vulnerability scanning", "summary": "RemotePower, a self-hosted fleet monitoring platform with built-in vulnerability scanning, has been released. The tool combines monitoring, alerting, CMDB, documentation with RAG search, CVE scanning, patching, and remote management into a single control plane for Linux fleets, with optional AI integration. It uses push-based agents with no inbound ports and can be set up in five minutes.", "body_md": "**The all-in-one, Swiss-army-knife control plane for your Linux fleet — and your homelab.**\nMonitoring with alerting, a CMDB, documentation with RAG search, CVE scanning, patching\nand remote management in one self-hosted place — with AI woven through all of it (optional).\nWeb dashboard, push-based agents, no inbound ports. Set it up in five minutes.\n\n[Live demo](https://demoremote.tvipper.com) · [Install](/tyxak/remotepower/blob/main/docs/install.md) · [Features](/tyxak/remotepower/blob/main/docs/features.md) · [Wiki](https://github.com/tyxak/remotepower/wiki) · [Discussions](https://github.com/tyxak/remotepower/discussions)\n\n**One tool instead of six.** Most teams stitch together a monitor, a CMDB, a wiki,\na vulnerability scanner, a patch tool and an SSH jump box. RemotePower is the\nSwiss-army-knife that does all of it from a single host you control — **monitoring\n& alerting**, an asset **CMDB**, **documentation with RAG search** over your own\nfleet, **CVE scanning**, **patching**, and **remote management** — and it's **heavily\nbound to AI as an option**: bring your own model (local Ollama/LocalAI or a cloud\nprovider) and ask questions answered from *your* infrastructure, or leave it off\nentirely. Everything stays self-hosted.\n\nA web dashboard that manages your Linux machines (and Windows, kind of) without\nopening firewall ports on them. 
Each host runs a small Python agent that **polls**\nthe central server every 60 seconds — outbound HTTPS only. Enrolment is a 6-digit\nPIN, like pairing a console controller.\n\nDeliberately small and **readable**: nginx + Python CGI + flat JSON files — about\n**60,000 lines** of server Python, one HTML file, one CSS file and a handful of\nhand-written JS files. No external database, no Node.js, no Redis, no Kubernetes,\n**no build step, no bundler, no framework** — you can read every line. The whole\n`/var/lib/remotepower/` directory backs up with `tar`. Tested on real homelabs\nrunning 5–50 devices, fine up to a few\nhundred — and for larger or write-heavy fleets you can switch to an optional\nembedded **SQLite** backend, or scale all the way to **PostgreSQL** (failover +\nread replicas), load-balanced **app nodes** and **relay satellites** for segmented\nnetworks. That's an **advanced, heavy-fleet** track — most installs never touch\nit. See **docs/scaling.md**.\n\n**Server — one command, HTTPS out of the box:**\n\n```\n# Docker (recommended). Self-signed HTTPS on first boot; the one-time admin\n# password is printed to `docker logs remotepower`.\ndocker compose up -d\n\n# Or bare-metal: a single wizard installs nginx + the app + TLS + admin.\n# You never edit an nginx file — it writes the vhost and certificate for you.\ngit clone https://github.com/tyxak/remotepower && cd remotepower\nsudo bash install.sh\n```\n\nOpen the printed URL and log in. HTTPS is automatic — a self-signed CA by default (agents pin it), or a real Let's Encrypt cert when you give a public domain. 
No cert wrangling, no nginx editing.\n\n**Add a device — one line, nothing to configure:**\n\nIn the dashboard, *Add device → Quick install command*, then on the target host:\n\n```\nwget -qO- \"https://your-server/install?t=<token>\" | sudo sh\n```\n\nIt downloads the **signed** agent, verifies its checksum, enrols with the baked\none-time token, and the host appears in the dashboard **by its hostname** within\n~60 seconds. Prefer Docker? *Add device → Generate Docker compose*. Onboarding\nmany hosts? Push the installer over SSH: `install.sh agent push user@h1 user@h2 …`.\n\n**Uninstall:** `sudo bash install.sh uninstall` (server — keeps your data;\n`--purge` to wipe it) · `wget -qO- https://your-server/install | sudo sh -s -- --uninstall` (agent).\n\nFor longer paths (Windows client, demo vhost, Ansible, advanced TLS), see\n**docs/install.md**.\n\nA read-only demo deployment runs at **https://demoremote.tvipper.com** —\nseeded with synthetic devices, alerts, CVE findings, and metrics so you can poke\naround without installing anything. Login: **`demo` / `demo` (reset every few hours, so feel free to break things).**\n\nOne tool instead of six — the ten things it does best:\n\n| Capability | What it does |\n|---|---|\n| Monitor everything | Live 60-second metrics, a CheckMK-style per-host Checks page, active monitors (HTTP / DNS / ICMP / TCP + credential-less DB liveness), and a composable dashboard. Every fired event lands in an Alerts inbox with acknowledge / auto-resolve. |\n| See every signal | SMART & hardware health, GPU (NVIDIA + AMD, trend sparklines + thermal alerts), power / UPS, disk-fill forecasting, a per-host timeline, and logs with regex search — telemetry the agent already reports, surfaced as first-class views. |\n| Manage remotely | Shell, multi-line scripts with dry-run lint, batch & scheduled runs, a real browser SSH terminal, VNC and SFTP over the same tunnel, Proxmox VM / LXC create, and host user / key / firewall edits — all with zero inbound ports. 
|\n| Lock it down | Passkeys / WebAuthn, SAML / OIDC / LDAP, TOTP + recovery codes, per-role MFA enforcement, a tamper-evident (hash-chained) audit log, strict CSP, and SSRF-guarded outbound calls. |\n| Scan for CVEs | OSV.dev-backed, CVSS-scored, prioritized by CISA KEV + EPSS (exploited-in-the-wild first), with SBOM export (CycloneDX / SPDX, VEX-style vulnerabilities embedded). |\n| Pentest what you own | Authorized vulnerability scanning of your own hosts & domains — nuclei / nikto / nmap / OWASP ZAP / wapiti / lynis — on a hardened scanner satellite, authorization-gated and schedulable. |\n| CMDB + RAG search | Asset DB, encrypted credentials vault, Markdown docs per asset, network map — and an AI assistant whose RAG answers from your fleet and docs and cites the source (local or cloud model; off by default). |\n| Stay compliant | OpenSCAP CIS / STIG / PCI scans with downloadable HTML reports, plus PCI / HIPAA / SOC 2 control mapping and scheduled posture reports. |\n| Integrate | 26 homelab-app health connectors (Pi-hole, TrueNAS, the *arr suite, …), Prometheus / Grafana / Uptime-Kuma endpoints, inbound webhooks & syslog, and an MCP server so an AI client can query your fleet. |\n| Patch & automate | Auto-patch policies (cron, per group / tag / site, maintenance-aware), config-drift detection, ACME / Let's Encrypt, backup orchestration, and an IaC generator (Terraform / Ansible / Pulumi / …). 
|\n\n**Full feature inventory → docs/features.md.**\n\n- **v4.9 — ResolutionMatters** — an **Admin → DNS** dashboard that reads and writes DNS records through your provider's API (Cloudflare, DigitalOcean, Hetzner, deSEC, Porkbun), plus a live **resolve/dig + propagation** panel, a **resolver-health** monitor (latency / NXDOMAIN alerts), and an **alert-resolution timeline (MTTR)** on the Alerts page.\n- **v4.8 — OnboardingMatters** — turnkey onboarding: a unified one-command `install.sh` wizard, one-command Docker with HTTPS by default, a self-hosted one-line **agent install**, SSH agent bootstrap and clean uninstall. Plus a new **Reputation/DMARC** monitor (mail-sending IPs checked against DNS blocklists, SPF/DKIM/DMARC posture, and IMAP RUA-report ingestion), accessibility work and agent parity.\n- **v4.7 — IntegrationsMatters** — 26 read-only homelab software integrations, a **containerized agent** (monitor a Docker host with no OS install), and a fleet **GPU** page (NVIDIA + AMD, trend sparklines + thermal alerting).\n- **v4.6 — RepellantMatters** — the distinctive **Industrial** UI becomes the default, alongside a project-wide reliability, security and performance pass.\n\nFull release history, newest first → **CHANGELOG.md**.\n\nRemotePower is security-reviewed every few releases and **independently pentested\nclean** — the latest full run (Bandit SAST; OWASP ZAP, Nikto, Nuclei, Wapiti,\nWhatWeb DAST) reported **no exploitable findings**. Posture in brief: bcrypt\n(cost 12, PBKDF2-HMAC-SHA256 fallback) behind rate-limited login; TOTP 2FA with\nrecovery codes; passkeys / SAML / OIDC / LDAP; 256-bit header session tokens\n(CSRF-safe by construction); a strict CSP with no `'unsafe-inline'`; an AES-GCM\nCMDB vault; a tamper-evident audit log; and mandatory TLS verification plus\nconnect-time anti-DNS-rebinding on every outbound call. 
Full posture, threat\nmodel, review history and an operator hardening checklist:\n**docs/security.md**.\n\nBrowse the full docs in the **Wiki**\n(generated from `docs/`, organised by topic). Prefer the source? Everything lives\nin **[docs/](/tyxak/remotepower/blob/main/docs)** — start with the index there. The essentials:\n\n| Topic | Where |\n|---|---|\n| Install (Linux, Docker, demo, Windows) | |\n| **Full feature inventory** | [docs/features.md](/tyxak/remotepower/blob/main/docs/features.md) |\n| **Architecture + on-disk layout** | [docs/architecture.md](/tyxak/remotepower/blob/main/docs/architecture.md) |\n| **API reference** (endpoints + OpenAPI) | [docs/api.md](/tyxak/remotepower/blob/main/docs/api.md) — interactive: `/swagger.html` |\n| **Security notes** | [docs/security.md](/tyxak/remotepower/blob/main/docs/security.md) |\n| **Scaling & deployment** | [docs/scaling.md](/tyxak/remotepower/blob/main/docs/scaling.md) |\n| **Troubleshooting / Upgrading** | [docs/troubleshooting.md](/tyxak/remotepower/blob/main/docs/troubleshooting.md) · [docs/upgrading.md](/tyxak/remotepower/blob/main/docs/upgrading.md) |\n\nA self-hosted Swiss-army knife for your Linux fleet or homelab: monitoring,\nalerting, CMDB, docs with **RAG**, CVE scanning, authorized pentesting, patching,\ncompliance, and full remote management (browser SSH, Proxmox, files) — push-based\nagents, **zero inbound ports**, optional **local or cloud AI** that answers from\n*your* hosts. 
One tool instead of six.\n\n- **Request a feature** — open a [Feature request](https://github.com/tyxak/remotepower/issues/new?template=feature_request.yml); it's labelled `enhancement` and triaged from there.\n- **Report a bug** — open a [Bug report](https://github.com/tyxak/remotepower/issues/new?template=bug_report.yml).\n- **Ask a question or float an idea** — head to [Discussions](https://github.com/tyxak/remotepower/discussions).\n- **Found a security issue?** — please report it privately per [SECURITY.md](/tyxak/remotepower/blob/main/SECURITY.md); don't open a public issue.\n- **Contributing code or docs?** — see [CONTRIBUTING.md](/tyxak/remotepower/blob/main/CONTRIBUTING.md).\n\nMIT — see [LICENSE](/tyxak/remotepower/blob/main/LICENSE).\n\nMade with care and vi", "url": "https://wpnews.pro/news/remotepower-self-hosted-fleet-monitoring-with-built-in-vulnerability-scanning", "canonical_source": "https://github.com/tyxak/remotepower", "published_at": "2026-06-19 08:08:23+00:00", "updated_at": "2026-06-19 08:31:56.805330+00:00", "lang": "en", "topics": ["ai-tools", "developer-tools", "ai-infrastructure"], "entities": ["RemotePower", "Ollama", "LocalAI", "nginx", "Python", "SQLite", "PostgreSQL", "Let's Encrypt"], "alternates": {"html": "https://wpnews.pro/news/remotepower-self-hosted-fleet-monitoring-with-built-in-vulnerability-scanning", "markdown": "https://wpnews.pro/news/remotepower-self-hosted-fleet-monitoring-with-built-in-vulnerability-scanning.md", "text": "https://wpnews.pro/news/remotepower-self-hosted-fleet-monitoring-with-built-in-vulnerability-scanning.txt", "jsonld": "https://wpnews.pro/news/remotepower-self-hosted-fleet-monitoring-with-built-in-vulnerability-scanning.jsonld"}}