
RemotePower is the all-in-one, Swiss-army-knife control plane for your Linux fleet — monitoring with alerting, a CMDB, documentation with RAG search, CVE scanning, patching and remote management in one place, with AI woven through all of it (entirely optional). Self-hosted: no SaaS, no agents phoning home, no per-node pricing.
Demo login: demo / demo — read-only sandbox that resets periodically.
Most teams stitch together a monitor, a CMDB, a wiki, a vulnerability scanner, a patch tool and an SSH jump box. RemotePower is the Swiss-army-knife that does all of it — monitoring & alerting, CMDB, documentation with RAG, CVE scanning, patching and remote management — from a single host you control, with AI on tap throughout.
Check-ins every 60s with CPU / RAM / swap / load sparklines, a service matrix, and a fleet-events timeline. Trends charts plot memory, swap, disk and CPU-load history per host.
Per-disk SMART with failing / pre-fail alerts, kernel-reboot & livepatch awareness, a passive DIMM / temp / RAID inventory, and ZFS / mdadm / btrfs pool health with scrub-overdue and degraded-array alerts.
Projects per-mount disk-fill — "/ fills in ~18 days" — and flags hosts whose memory, swap or disk jumps far outside their own normal range.
Fleet-wide thermal roll-up (hottest hosts), UPS / GPU power draw with a per-group energy-cost chargeback, a predictive disk-failure ETA from SMART trends, and an SSH-key audit (fingerprints, weak & reused keys) across every host.
Tail any unit or file with regex alerting, and see exactly what's listening on every host with change detection.
Every listening socket classified world / LAN / local by its bind address — with an alert the moment a service first becomes world-reachable, and a host firewall-ruleset drift fingerprint.
OSV.dev-backed, severity-ranked findings per host with a per-CVE ignore list, now prioritized by real-world risk — a daily CISA KEV + EPSS join puts exploited-in-the-wild CVEs first. Plus CycloneDX / SPDX SBOM export per host or fleet.
A 0–100 fleet health score, scheduled posture reports, and PCI / HIPAA / SOC 2 controls — or a real OpenSCAP CIS / STIG scan — scored pass / fail with evidence.
Shutdown, reboot, Wake-on-LAN, arbitrary shell, multi-line scripts with a dry-run lint — single host or batched across many, now or on a schedule.
A real xterm.js terminal proxied through a hardened daemon — no client to install — with session recording.
Start / stop VMs and containers, manage snapshots, watch for stale backups, and create VMs or LXC containers from a wizard — server-to-API, admin-only, audited.
Start / stop / restart Docker & Podman, deploy docker-compose stacks, watch for stale image updates with one-click pull-and-recreate, and see per-container restart counts to spot crash loops.
Staggered rolling patch waves, scheduled auto-patch, optional maker-checker approval for risky changes, and per-device Let's Encrypt issuance / renewal via DNS-01.
Browse & transfer files over SFTP, run restic / borg / rsync backups, manage host users, SSH keys and firewall ports, and enforce desired-state config on drift.
Run Ansible playbooks fleet-wide with the server as control node, write bash health checks that run every few minutes, and export your inventory as Terraform / Ansible / Pulumi / cloud-init.
Stay zero-dependency on flat JSON, step up to embedded SQLite, or run PostgreSQL with automatic failover and read replicas — pooled through PgBouncer, behind load-balanced app nodes, reaching segmented networks through relay satellites. The same push-based agents throughout. macOS joins the Linux & Windows agents.
bcrypt + TOTP 2FA with one-time recovery codes, passkeys (WebAuthn) for phishing-resistant passwordless sign-in, LDAP / Active Directory, OIDC and SAML 2.0 SSO (Okta, Entra, OneLogin, Ping, ADFS) with SCIM deprovisioning, per-role MFA enforcement, session caps, API-key expiry, and named API keys with custom scoped roles.
PBKDF2 / bcrypt passwords, session tokens hashed at rest, AES-GCM vault, brute-force lockout, IP allowlist, strict CSP with no inline code, anti-DNS-rebinding SSRF guards, sandboxed SCAP reports, OIDC claim checks, and opt-in signed agent updates. Every hop can run over TLS — including the agent→satellite relay. Externally scanned (Bandit, ZAP, Nikto, Nuclei, Wapiti) with no exploitable findings.
Banned / required / min-version package rules over the existing inventory, new-source-IP login alerts, and a scheduled-job (systemd timer) failure lens — all edge-triggered, optionally tag-scoped.
Every privileged action is recorded — who, what, when — with optional forwarding to a SIEM or syslog collector, and one-click quarantine to freeze a suspect host server-side.
Asset metadata, an encrypted credentials vault with rotation reminders, Markdown docs per asset, a network topology map, and Sites / teams to scope who sees what.
The assistant retrieves facts from your own hosts, CVEs, CMDB and runbooks and cites them — so answers reference your infrastructure, not generic advice.
One click on a Needs-Attention item runs a diagnosis and proposes a fix — across ~20 kinds: disks, CVEs, drift, failed units, AV posture, hardware, and more. Security-sensitive ones never propose a blind destructive command.
When an event fires, auto-run a saved script or notify a destination — e.g. restart a service the moment it goes down. Plus a plain-English cron builder and RAG-aware runbook drafts.
Connect an MCP client like Claude Desktop to ask about your fleet in plain language — 12 read tools over devices, journals, services, containers, CVEs, drift and more. Deliberately read-only: it can inspect, never change anything.
An alerts inbox with a routing matrix, on-call & escalation, Slack / Discord / Teams / ntfy / email / PagerDuty, inbound webhooks & syslog, SNMP, and Prometheus metrics.
A few corners of the dashboard. Everything below is one self-hosted app — no tabs sprawling across a dozen tools.




















A refinement release — a broad polish, hardening and correctness pass over the whole product, with no breaking changes. Sharper alerts, tidier screens, and a few genuinely new touches. As always, scanned clean with CodeQL, bandit and gitleaks, and pentested live; nothing Critical, High or Medium ships.
Certificate expiry now raises a real alert by default — plus two new ones: a filesystem the kernel flips read-only (a silent data-loss outage) and a backed-up mail queue. Recovering one process or storage pool no longer clears the others' alerts.
Auto-patch policies can now target a single device, not just a group or the whole fleet. The patch report exports as PDF alongside CSV and XML, and the app catalog is a proper sortable table.
The Sites page draws your fleet on an actual world map now, coloured by rolled-up health. Services gains a dedicated baselines editor, and the sidebar is reorganised with every sub-menu sorted A–Z.
Consistent button sizing (no more full-width buttons), aligned table actions and value columns, standard typography and spacing, and calmer card headers — the kind of polish you feel more than notice.
Several per-request maintenance checks and report builders no longer copy whole data stores on the common path, so heartbeats stay light as the fleet grows. Same push-based agents, zero inbound ports.
A whole-project audit + full SAST (CodeQL 0, bandit & gitleaks clean), live TLS & vulnerability scanning and an authenticated API pentest — two Medium correctness findings and every Low fixed before release. Security review →
One script gets you nginx + a Python backend + an admin login. Add a host by running the agent installer and pasting a PIN. Stores everything in flat JSON by default — or grow into SQLite, then PostgreSQL with failover, read replicas and relay satellites when you reach thousands of hosts. No cloud account, your data stays yours.
RemotePower is self-hosted software you run yourself. The live demo is a read-only sandbox (log in with demo / demo).