# RemotePower – self-hosted fleet monitoring with built-in vulnerability scanning

> Source: <https://github.com/tyxak/remotepower>
> Published: 2026-06-19 08:08:23+00:00

**The all-in-one, Swiss-army-knife control plane for your Linux fleet — and your homelab.**
Monitoring with alerting, a CMDB, documentation with RAG search, CVE scanning, patching
and remote management in one self-hosted place — with AI woven through all of it (optional).
Web dashboard, push-based agents, no inbound ports. Set it up in five minutes.

[Live demo](https://demoremote.tvipper.com) · [Install](/tyxak/remotepower/blob/main/docs/install.md) · [Features](/tyxak/remotepower/blob/main/docs/features.md) · [Wiki](https://github.com/tyxak/remotepower/wiki) · [Discussions](https://github.com/tyxak/remotepower/discussions)

**One tool instead of six.** Most teams stitch together a monitor, a CMDB, a wiki,
a vulnerability scanner, a patch tool and an SSH jump box. RemotePower is the
Swiss-army-knife that does all of it from a single host you control — **monitoring
& alerting**, an asset **CMDB**, **documentation with RAG search** over your own
fleet, **CVE scanning**, **patching**, and **remote management** — and it's **heavily
bound to AI as an option**: bring your own model (local Ollama/LocalAI or a cloud
provider) and ask questions answered from *your* infrastructure, or leave it off
entirely. Everything stays self-hosted.

A web dashboard that manages your Linux machines (and Windows, kind of) without
opening firewall ports on them. Each host runs a small Python agent that **polls**
the central server every 60 seconds — outbound HTTPS only. Enrolment is a 6-digit
PIN, like pairing a console controller.

Deliberately small and **readable**: nginx + Python CGI + flat JSON files — about
**60,000 lines** of server Python, one HTML file, one CSS file and a handful of
hand-written JS files. No external database, no Node.js, no Redis, no Kubernetes,
**no build step, no bundler, no framework** — you can read every line. The whole
`/var/lib/remotepower/` directory backs up with `tar`. Tested on real homelabs
running 5–50 devices, fine up to a few
hundred — and for larger or write-heavy fleets you can switch to an optional
embedded **SQLite** backend, or scale all the way to **PostgreSQL** (failover +
read replicas), load-balanced **app nodes** and **relay satellites** for segmented
networks. That's an **advanced, heavy-fleet** track — most installs never touch
it. See **docs/scaling.md**.

**Server — one command, HTTPS out of the box:**

```
# Docker (recommended). Self-signed HTTPS on first boot; the one-time admin
# password is printed to `docker logs remotepower`.
docker compose up -d

# Or bare-metal: a single wizard installs nginx + the app + TLS + admin.
# You never edit an nginx file — it writes the vhost and certificate for you.
git clone https://github.com/tyxak/remotepower && cd remotepower
sudo bash install.sh
```

Open the printed URL and log in. HTTPS is automatic — a self-signed CA by default (agents pin it), or a real Let's Encrypt cert when you give a public domain. No cert wrangling, no nginx editing.

**Add a device — one line, nothing to configure:**

In the dashboard, *Add device → Quick install command*, then on the target host:

```
wget -qO- "https://your-server/install?t=<token>" | sudo sh
```

It downloads the **signed** agent, verifies its checksum, enrols with the baked
one-time token, and the host appears in the dashboard **by its hostname** within
~60 seconds. Prefer Docker? *Add device → Generate Docker compose*. Onboarding
many hosts? Push the installer over SSH: `install.sh agent push user@h1 user@h2 …`.

**Uninstall:** `sudo bash install.sh uninstall` (server — keeps your data;
`--purge` to wipe it) · `wget -qO- https://your-server/install | sudo sh -s -- --uninstall` (agent).

For longer paths (Windows client, demo vhost, Ansible, advanced TLS), see
**docs/install.md**.

A read-only demo deployment runs at **https://demoremote.tvipper.com** —
seeded with synthetic devices, alerts, CVE findings, and metrics so you can poke
around without installing anything. Login: `demo` **/** `demo` **(reset every few hours, so feel free to break things).**

One tool instead of six — the ten things it does best:

| Capability | What it covers |
|---|---|
| Monitor everything | Live 60-second metrics, a CheckMK-style per-host Checks page, active monitors (HTTP / DNS / ICMP / TCP + credential-less DB liveness), and a composable dashboard. Every fired event lands in an Alerts inbox with acknowledge / auto-resolve. |
| See every signal | SMART & hardware health, GPU (NVIDIA + AMD, trend sparklines + thermal alerts), power / UPS, disk-fill forecasting, a per-host timeline, and logs with regex search — telemetry the agent already reports, surfaced as first-class views. |
| Manage remotely | Shell, multi-line scripts with dry-run lint, batch & scheduled runs, a real browser SSH terminal, VNC and SFTP over the same tunnel, Proxmox VM / LXC create, and host user / key / firewall edits — all with zero inbound ports. |
| Lock it down | Passkeys / WebAuthn, SAML / OIDC / LDAP, TOTP + recovery codes, per-role MFA enforcement, a tamper-evident (hash-chained) audit log, strict CSP, and SSRF-guarded outbound calls. |
| Scan for CVEs | OSV.dev-backed, CVSS-scored, prioritized by CISA KEV + EPSS (exploited-in-the-wild first), with SBOM export (CycloneDX / SPDX, VEX-style vulnerabilities embedded). |
| Pentest what you own | Authorized vulnerability scanning of your own hosts & domains — nuclei / nikto / nmap / OWASP ZAP / wapiti / lynis — on a hardened scanner satellite, authorization-gated and schedulable. |
| CMDB + RAG search | Asset DB, encrypted credentials vault, Markdown docs per asset, network map — and an AI assistant whose RAG answers from your fleet and docs and cites the source (local or cloud model; off by default). |
| Stay compliant | OpenSCAP CIS / STIG / PCI scans with downloadable HTML reports, plus PCI / HIPAA / SOC 2 control mapping and scheduled posture reports. |
| Integrate | 26 homelab-app health connectors (Pi-hole, TrueNAS, the *arr suite, …), Prometheus / Grafana / Uptime-Kuma endpoints, inbound webhooks & syslog, and an MCP server so an AI client can query your fleet. |
| Patch & automate | Auto-patch policies (cron, per group / tag / site, maintenance-aware), config-drift detection, ACME / Let's Encrypt, backup orchestration, and an IaC generator (Terraform / Ansible / Pulumi / …). |

**Full feature inventory → docs/features.md.**

- **v4.9 — ResolutionMatters** — an **Admin → DNS** dashboard that reads and writes DNS records through your provider's API (Cloudflare, DigitalOcean, Hetzner, deSEC, Porkbun), plus a live **resolve/dig + propagation** panel, a **resolver-health** monitor (latency / NXDOMAIN alerts), and an **alert-resolution timeline (MTTR)** on the Alerts page.
- **v4.8 — OnboardingMatters** — turnkey onboarding: a unified one-command `install.sh` wizard, one-command Docker with HTTPS by default, a self-hosted one-line **agent install**, SSH agent bootstrap and clean uninstall. Plus a new **Reputation/DMARC** monitor (mail-sending IPs checked against DNS blocklists, SPF/DKIM/DMARC posture, and IMAP RUA-report ingestion), accessibility work and agent parity.
- **v4.7 — IntegrationsMatters** — 26 read-only homelab software integrations, a **containerized agent** (monitor a Docker host with no OS install), and a fleet **GPU** page (NVIDIA + AMD, trend sparklines + thermal alerting).
- **v4.6 — RepellantMatters** — the distinctive **Industrial** UI becomes the default, alongside a project-wide reliability, security and performance pass.

Full release history, newest first → **CHANGELOG.md**.

RemotePower is security-reviewed every few releases and **independently pentested
clean** — the latest full run (Bandit SAST; OWASP ZAP, Nikto, Nuclei, Wapiti,
WhatWeb DAST) reported **no exploitable findings**. Posture in brief: bcrypt
(cost 12, PBKDF2-HMAC-SHA256 fallback) behind rate-limited login; TOTP 2FA with
recovery codes; passkeys / SAML / OIDC / LDAP; 256-bit header session tokens
(CSRF-safe by construction); a strict CSP with no `'unsafe-inline'`; an AES-GCM
CMDB vault; a tamper-evident audit log; and mandatory TLS verification plus
connect-time anti-DNS-rebinding on every outbound call. Full posture, threat
model, review history and an operator hardening checklist:
**docs/security.md**.
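One way to implement the connect-time anti-DNS-rebinding check named above, together with TLS verification, as an added example (not RemotePower's own code): resolve once, reject any non-public answer, and dial the vetted IP while still verifying the certificate against the hostname. The function names and the `RebindingResolver` test double are assumptions made for this illustration.

```python
import ipaddress
import socket
import ssl


def is_public(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it is judged as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def vetted_address(host, port, resolver=socket.getaddrinfo):
    """Resolve exactly once and return the (ip, port) that must be dialled."""
    answers = resolver(host, port, type=socket.SOCK_STREAM)
    ips = [a[4][0] for a in answers]
    if not ips:
        raise OSError(f"{host}: no addresses")
    # Reject the whole answer set if any record is internal: a mixed answer
    # is itself a rebinding signal.
    for ip in ips:
        if not is_public(ip):
            raise PermissionError(f"{host} resolves to non-public {ip}")
    return ips[0], port


def open_tls(host, port=443, timeout=10):
    """Connect to the vetted IP, then verify the certificate for `host`."""
    ip, port = vetted_address(host, port)
    raw = socket.create_connection((ip, port), timeout=timeout)  # no 2nd lookup
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise


class RebindingResolver:
    """Constructed test double: public answer first, loopback afterwards."""
    def __init__(self):
        self.calls = 0

    def __call__(self, host, port, type=0):
        self.calls += 1
        ip = "8.8.8.8" if self.calls == 1 else "127.0.0.1"
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))]
```

A client that validates the hostname and then connects by name resolves twice, so the second (rebound) answer is the one it dials; passing the vetted IP to `create_connection` closes that gap.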

Browse the full docs in the **Wiki** (generated from `docs/`, organised by topic).
Prefer the source? Everything lives in **[docs/](/tyxak/remotepower/blob/main/docs)** — start with the index there. The essentials:

| Topic | Where |
|---|---|
| Install (Linux, Docker, demo, Windows) | [docs/install.md](/tyxak/remotepower/blob/main/docs/install.md) |
| **Full feature inventory** | [docs/features.md](/tyxak/remotepower/blob/main/docs/features.md) |
| **Architecture + on-disk layout** | [docs/architecture.md](/tyxak/remotepower/blob/main/docs/architecture.md) |
| **API reference** (endpoints + OpenAPI) | [docs/api.md](/tyxak/remotepower/blob/main/docs/api.md) — interactive: `/swagger.html` |
| **Security notes** | [docs/security.md](/tyxak/remotepower/blob/main/docs/security.md) |
| **Scaling & deployment** | [docs/scaling.md](/tyxak/remotepower/blob/main/docs/scaling.md) |
| **Troubleshooting / Upgrading** | [docs/troubleshooting.md](/tyxak/remotepower/blob/main/docs/troubleshooting.md) · [docs/upgrading.md](/tyxak/remotepower/blob/main/docs/upgrading.md) |

A self-hosted Swiss-army knife for your Linux fleet or homelab: monitoring,
alerting, CMDB, docs with **RAG**, CVE scanning, authorized pentesting, patching,
compliance, and full remote management (browser SSH, Proxmox, files) — push-based
agents, **zero inbound ports**, optional **local or cloud AI** that answers from
*your* hosts. One tool instead of six.

- **Request a feature** — open a [Feature request](https://github.com/tyxak/remotepower/issues/new?template=feature_request.yml); it's labelled `enhancement` and triaged from there.
- **Report a bug** — open a [Bug report](https://github.com/tyxak/remotepower/issues/new?template=bug_report.yml).
- **Ask a question or float an idea** — head to [Discussions](https://github.com/tyxak/remotepower/discussions).
- **Found a security issue?** — please report it privately per [SECURITY.md](/tyxak/remotepower/blob/main/SECURITY.md); don't open a public issue.
- **Contributing code or docs?** — see [CONTRIBUTING.md](/tyxak/remotepower/blob/main/CONTRIBUTING.md).

MIT — see [LICENSE](/tyxak/remotepower/blob/main/LICENSE).

Made with care and vi
