RemotePower – self-hosted fleet monitoring with built-in vulnerability scanning

RemotePower, a self-hosted fleet monitoring platform with built-in vulnerability scanning, has been released. The tool combines monitoring, alerting, CMDB, documentation with RAG search, CVE scanning, patching, and remote management into a single control plane for Linux fleets, with optional AI integration. It uses push-based agents with no inbound ports and can be set up in five minutes.

The all-in-one, Swiss-army-knife control plane for your Linux fleet — and your homelab. Monitoring with alerting, a CMDB, documentation with RAG search, CVE scanning, patching and remote management in one self-hosted place — with AI woven through all of it optional . Web dashboard, push-based agents, no inbound ports. Set it up in five minutes. Live demo https://demoremote.tvipper.com · Install /tyxak/remotepower/blob/main/docs/install.md · Features /tyxak/remotepower/blob/main/docs/features.md · Wiki https://github.com/tyxak/remotepower/wiki · Discussions https://github.com/tyxak/remotepower/discussions One tool instead of six. Most teams stitch together a monitor, a CMDB, a wiki, a vulnerability scanner, a patch tool and an SSH jump box. RemotePower is the Swiss-army-knife that does all of it from a single host you control — monitoring & alerting , an asset CMDB , documentation with RAG search over your own fleet, CVE scanning , patching , and remote management — and it's heavily bound to AI as an option : bring your own model local Ollama/LocalAI or a cloud provider and ask questions answered from your infrastructure, or leave it off entirely. Everything stays self-hosted. A web dashboard that manages your Linux machines and Windows, kind of without opening firewall ports on them. Each host runs a small Python agent that polls the central server every 60 seconds — outbound HTTPS only. Enrolment is a 6-digit PIN, like pairing a console controller. Deliberately small and readable : nginx + Python CGI + flat JSON files — about 60,000 lines of server Python, one HTML file, one CSS file and a handful of hand-written JS files. No external database, no Node.js, no Redis, no Kubernetes, no build step, no bundler, no framework — you can read every line. The whole /var/lib/remotepower/ directory backs up with tar . Tested on real homelabs running 5–50 devices, fine up to a few hundred — and for larger or write-heavy fleets you can switch to an optional embedded SQLite backend, or scale all the way to PostgreSQL failover + read replicas , load-balanced app nodes and relay satellites for segmented networks. That's an advanced, heavy-fleet track — most installs never touch it. See docs/scaling.md . Server — one command, HTTPS out of the box: Docker recommended . Self-signed HTTPS on first boot; the one-time admin password is printed to docker logs remotepower . docker compose up -d Or bare-metal: a single wizard installs nginx + the app + TLS + admin. You never edit an nginx file — it writes the vhost and certificate for you. git clone https://github.com/tyxak/remotepower && cd remotepower sudo bash install.sh Open the printed URL and log in. HTTPS is automatic — a self-signed CA by default agents pin it , or a real Let's Encrypt cert when you give a public domain. No cert wrangling, no nginx editing. Add a device — one line, nothing to configure: In the dashboard, Add device → Quick install command , then on the target host: wget -qO- "https://your-server/install?t=<token " | sudo sh It downloads the signed agent, verifies its checksum, enrols with the baked one-time token, and the host appears in the dashboard by its hostname within ~60 seconds. Prefer Docker? Add device → Generate Docker compose . Onboarding many hosts? Push the installer over SSH: install.sh agent push user@h1 user@h2 … . Uninstall: sudo bash install.sh uninstall server — keeps your data; --purge to wipe it · wget -qO- https://your-server/install | sudo sh -s -- --uninstall agent . For longer paths Windows client, demo vhost, Ansible, advanced TLS , see docs/install.md . A read-only demo deployment runs at https://demoremote.tvipper.com — seeded with synthetic devices, alerts, CVE findings, and metrics so you can poke around without installing anything. Login: / demo reset every few hours, so feel free to break things . demo One tool instead of six — the ten things it does best: Monitor everything | Live 60-second metrics, a CheckMK-style per-host Checks page, active monitors HTTP / DNS / ICMP / TCP + credential-less DB liveness , and a composable dashboard. Every fired event lands in an Alerts inbox with acknowledge / auto-resolve. | See every signal | SMART & hardware health, GPU NVIDIA + AMD, trend sparklines + thermal alerts , power / UPS, disk-fill forecasting, a per-host timeline, and logs with regex search — telemetry the agent already reports, surfaced as first-class views. | Manage remotely | Shell, multi-line scripts with dry-run lint, batch & scheduled runs, a real browser SSH terminal, VNC and SFTP over the same tunnel, Proxmox VM / LXC create, and host user / key / firewall edits — all with zero inbound ports. | Lock it down | Passkeys / WebAuthn, SAML / OIDC / LDAP, TOTP + recovery codes, per-role MFA enforcement, a tamper-evident hash-chained audit log, strict CSP, and SSRF-guarded outbound calls. | Scan for CVEs | OSV.dev-backed, CVSS-scored, prioritized by CISA KEV + EPSS exploited-in-the-wild first , with SBOM export CycloneDX / SPDX, VEX-style vulnerabilities embedded . | Pentest what you own | Authorized vulnerability scanning of your own hosts & domains — nuclei / nikto / nmap / OWASP ZAP / wapiti / lynis — on a hardened scanner satellite, authorization-gated and schedulable. | CMDB + RAG search | Asset DB, encrypted credentials vault, Markdown docs per asset, network map — and an AI assistant whose RAG answers from your fleet and docs and cites the source local or cloud model; off by default . | Stay compliant | OpenSCAP CIS / STIG / PCI scans with downloadable HTML reports, plus PCI / HIPAA / SOC 2 control mapping and scheduled posture reports. | Integrate | 26 homelab-app health connectors Pi-hole, TrueNAS, the arr suite, … , Prometheus / Grafana / Uptime-Kuma endpoints, inbound webhooks & syslog, and an MCP server so an AI client can query your fleet. | Patch & automate | Auto-patch policies cron, per group / tag / site, maintenance-aware , config-drift detection, ACME / Let's Encrypt, backup orchestration, and an IaC generator Terraform / Ansible / Pulumi / … . | Full feature inventory → docs/features.md. v4.9 — ResolutionMatters — an Admin → DNS dashboard that reads and writes DNS records through your provider's API Cloudflare, DigitalOcean, Hetzner, deSEC, Porkbun , plus a live resolve/dig + propagation panel, a resolver-health monitor latency / NXDOMAIN alerts , and an alert-resolution timeline MTTR on the Alerts page. v4.8 — OnboardingMatters — turnkey onboarding: a unified one-commandwizard, one-command Docker with HTTPS by default, a self-hosted one-line install.sh agent install , SSH agent bootstrap and clean uninstall. Plus a new Reputation/DMARC monitor mail-sending IPs checked against DNS blocklists, SPF/DKIM/DMARC posture, and IMAP RUA-report ingestion , accessibility work and agent parity. v4.7 — IntegrationsMatters — 26 read-only homelab software integrations, a containerized agent monitor a Docker host with no OS install , and a fleet GPU page NVIDIA + AMD, trend sparklines + thermal alerting . v4.6 — RepellantMatters — the distinctive Industrial UI becomes the default, alongside a project-wide reliability, security and performance pass. Full release history, newest first → CHANGELOG.md . RemotePower is security-reviewed every few releases and independently pentested clean — the latest full run Bandit SAST; OWASP ZAP, Nikto, Nuclei, Wapiti, WhatWeb DAST reported no exploitable findings . Posture in brief: bcrypt cost 12, PBKDF2-HMAC-SHA256 fallback behind rate-limited login; TOTP 2FA with recovery codes; passkeys / SAML / OIDC / LDAP; 256-bit header session tokens CSRF-safe by construction ; a strict CSP with no 'unsafe-inline' ; an AES-GCM CMDB vault; a tamper-evident audit log; and mandatory TLS verification plus connect-time anti-DNS-rebinding on every outbound call. Full posture, threat model, review history and an operator hardening checklist: docs/security.md . Browse the full docs in the Wiki generated from docs/ , organised by topic . Prefer the source? Everything lives in — start with the index there. The essentials: docs/ /tyxak/remotepower/blob/main/docs | Topic | Where | |---|---| Install Linux, Docker, demo, Windows | | Full feature inventory docs/features.md /tyxak/remotepower/blob/main/docs/features.md Architecture + on-disk layout docs/architecture.md /tyxak/remotepower/blob/main/docs/architecture.md API reference endpoints + OpenAPI docs/api.md /tyxak/remotepower/blob/main/docs/api.md — interactive: /swagger.html Security notes docs/security.md /tyxak/remotepower/blob/main/docs/security.md Scaling & deployment docs/scaling.md /tyxak/remotepower/blob/main/docs/scaling.md Troubleshooting / Upgrading docs/troubleshooting.md /tyxak/remotepower/blob/main/docs/troubleshooting.md · docs/upgrading.md /tyxak/remotepower/blob/main/docs/upgrading.md A self-hosted Swiss-army knife for your Linux fleet or homelab: monitoring, alerting, CMDB, docs with RAG , CVE scanning, authorized pentesting, patching, compliance, and full remote management browser SSH, Proxmox, files — push-based agents, zero inbound ports , optional local or cloud AI that answers from your hosts. One tool instead of six. Request a feature — open a Feature request https://github.com/tyxak/remotepower/issues/new?template=feature request.yml ; it's labelled enhancement and triaged from there. Report a bug — open a Bug report https://github.com/tyxak/remotepower/issues/new?template=bug report.yml . Ask a question or float an idea — head to Discussions https://github.com/tyxak/remotepower/discussions . Found a security issue? — please report it privately per SECURITY.md /tyxak/remotepower/blob/main/SECURITY.md ; don't open a public issue. Contributing code or docs? — see CONTRIBUTING.md /tyxak/remotepower/blob/main/CONTRIBUTING.md . MIT — see LICENSE /tyxak/remotepower/blob/main/LICENSE . Made with care and vi