RemotePower — power, manage, anywhere

One dashboard for your whole fleet.

RemotePower is the all-in-one, Swiss-army-knife control plane for your Linux fleet — monitoring with alerting, a CMDB, documentation with RAG search, CVE scanning, patching and remote management in one place, with AI woven through all of it (entirely optional). Self-hosted: no SaaS, no agents phoning home, no per-node pricing.

Try the live demo View on GitHub

Demo login: demo / demo — read-only sandbox that resets periodically.

All-in-oneSelf-hostedPython + nginxLinux, Windows & macOS agentsJSON / SQLite / PostgreSQLMIT licensedv6.0.1
The RemotePower fleet dashboard

One tool instead of six

Most teams stitch together a monitor, a CMDB, a wiki, a vulnerability scanner, a patch tool and an SSH jump box. RemotePower is the Swiss-army-knife that does all of it — monitoring & alerting, CMDB, documentation with RAG, CVE scanning, patching and remote management — from a single host you control, with AI on tap throughout.

Monitoring & visibility

Live fleet status

Check-ins every 60s with CPU / RAM / swap / load sparklines, a service matrix, and a fleet-events timeline. Trends charts plot memory, swap, disk and CPU-load history per host.

Disk SMART & storage health v3.11

Per-disk SMART with failing / pre-fail alerts, kernel-reboot & livepatch awareness, a passive DIMM / temp / RAID inventory, and ZFS / mdadm / btrfs pool health with scrub-overdue and degraded-array alerts.

Forecasting & anomalies

Projects per-mount disk-fill — "/ fills in ~18 days" — and flags hosts whose memory, swap or disk jumps far outside their own normal range.

Power, thermal & predictive health v4.0

Fleet-wide thermal roll-up (hottest hosts), UPS / GPU power draw with a per-group energy-cost chargeback, a predictive disk-failure ETA from SMART trends, and an SSH-key audit (fingerprints, weak & reused keys) across every host.

Logs & listening ports

Tail any unit or file with regex alerting, and see exactly what's listening on every host with change detection.

Exposure & attack surface v3.11

Every listening socket classified world / LAN / local by its bind address — with an alert the moment a service first becomes world-reachable, and a host firewall-ruleset drift fingerprint.

CVE scanning & SBOMs v4.0

OSV.dev-backed, severity-ranked findings per host with a per-CVE ignore list, now prioritized by real-world risk — a daily CISA KEV + EPSS join puts exploited-in-the-wild CVEs first. Plus CycloneDX / SPDX SBOM export per host or fleet.

Health score & compliance

A 0–100 fleet health score, scheduled posture reports, and PCI / HIPAA / SOC 2 controls — or a real OpenSCAP CIS / STIG scan — scored pass / fail with evidence.

Remote management

Commands & scripts

Shutdown, reboot, Wake-on-LAN, arbitrary shell, multi-line scripts with a dry-run lint — single host or batched across many, now or on a schedule.

Browser SSH

A real xterm.js terminal proxied through a hardened daemon — no client to install — with session recording.

Proxmox v3.7

Start / stop VMs and containers, manage snapshots, watch for stale backups, and create VMs or LXC containers from a wizard — server-to-API, admin-only, audited.

Containers & compose v3.13

Start / stop / restart Docker & Podman, deploy docker-compose stacks, watch for stale image updates with one-click pull-and-recreate, and see per-container restart counts to spot crash loops.

Patching & ACME v3.7

Staggered rolling patch waves, scheduled auto-patch, optional maker-checker approval for risky changes, and per-device Let's Encrypt issuance / renewal via DNS-01.

Files, backups & host config v3.6

Browse & transfer files over SFTP, run restic / borg / rsync backups, manage host users, SSH keys and firewall ports, and enforce desired-state config on drift.

Ansible, scripts & IaC v3.7

Run Ansible playbooks fleet-wide with the server as control node, write bash health checks that run every few minutes, and export your inventory as Terraform / Ansible / Pulumi / cloud-init.

Scale to thousands · HA v4.0

Stay zero-dependency on flat JSON, step up to embedded SQLite, or run PostgreSQL with automatic failover and read replicas — pooled through PgBouncer, behind load-balanced app nodes, reaching segmented networks through relay satellites. The same push-based agents throughout. macOS joins the Linux & Windows agents.

Security & access

Auth that scales v4.2

bcrypt + TOTP 2FA with one-time recovery codes, passkeys (WebAuthn) for phishing-resistant passwordless sign-in, LDAP / Active Directory, OIDC and SAML 2.0 SSO (Okta, Entra, OneLogin, Ping, ADFS) with SCIM deprovisioning, per-role MFA enforcement, session caps, API-key expiry, and named API keys with custom scoped roles.

Hardened by design v4.0

PBKDF2 / bcrypt passwords, session tokens hashed at rest, AES-GCM vault, brute-force lockout, IP allowlist, strict CSP with no inline code, anti-DNS-rebinding SSRF guards, sandboxed SCAP reports, OIDC claim checks, and opt-in signed agent updates. Every hop can run over TLS — including the agent→satellite relay. Externally scanned (Bandit, ZAP, Nikto, Nuclei, Wapiti) with no exploitable findings.

Software policy & access watch v3.11

Banned / required / min-version package rules over the existing inventory, new-source-IP login alerts, and a scheduled-job (systemd timer) failure lens — all edge-triggered, optionally tag-scoped.

Audit trail & SIEM v3.7

Every privileged action is recorded — who, what, when — with optional forwarding to a SIEM or syslog collector, and one-click quarantine to freeze a suspect host server-side.

CMDB, vault & sites v3.5

Asset metadata, an encrypted credentials vault with rotation reminders, Markdown docs per asset, a network topology map, and Sites / teams to scope who sees what.

AI & automation

RAG over your fleet v3.4

The assistant retrieves facts from your own hosts, CVEs, CMDB and runbooks and cites them — so answers reference your infrastructure, not generic advice.

AI Investigate v3.8

One click on a Needs-Attention item runs a diagnosis and proposes a fix — across ~20 kinds: disks, CVEs, drift, failed units, AV posture, hardware, and more. Security-sensitive ones never propose a blind destructive command.

Automation rules v3.4

When an event fires, auto-run a saved script or notify a destination — e.g. restart a service the moment it goes down. Plus a plain-English cron builder and RAG-aware runbook drafts.

MCP server (read-only)

Connect an MCP client like Claude Desktop to ask about your fleet in plain language — 12 read tools over devices, journals, services, containers, CVEs, drift and more. Deliberately read-only: it can inspect, never change anything.

Alerts & integrations

An alerts inbox with a routing matrix, on-call & escalation, Slack / Discord / Teams / ntfy / email / PagerDuty, inbound webhooks & syslog, SNMP, and Prometheus metrics.

See it in action

A few corners of the dashboard. Everything below is one self-hosted app — no tabs sprawling across a dozen tools.

Fleet overview
Fleet overview — every host at a glance
Monitoring page
Monitoring — metrics, ports, scripts, processes
Device metrics
Device metrics — CPU, memory, swap, disk over time
Device drawer
Device drawer — everything about one host
Logs
Logs — tail any unit or file with regex alerts
CVE scanning
CVE scanning — OSV-backed, severity-ranked
Pentest page
Pentest — authorized scans of hosts & sites you own
Patching
Patching — pending updates & reboots, fleet-wide
Software center
Software — inventory, policy & install
Custom scripts
Custom scripts — your own checks, dry-run linted
CMDB
CMDB — assets, docs, encrypted vault
IaC generator
IaC generator — export your fleet as code
Release signing
Release signing — verify agent self-updates
Ticket system
Tickets — a built-in helpdesk with SLAs
AI assistant
AI assistant — RAG over your own fleet
Settings
Settings — integrations, security, AI & more
Browser terminal
Browser SSH — a real terminal, no client
Compliance
Compliance — CIS / STIG / PCI, scored pass/fail
Calendar
Calendar — shared team events & on-call
WG Access VPN
WG Access — WireGuard VPN to your fleet

New in v6.0.1 — "RefineMatters"

A refinement release — a broad polish, hardening and correctness pass over the whole product, with no breaking changes. Sharper alerts, tidier screens, and a few genuinely new touches. As always, scanned clean with CodeQL, bandit and gitleaks, and pentested live; nothing Critical, High or Medium ships.

Alerts that don't miss

Certificate expiry now raises a real alert by default — plus two new ones: a filesystem the kernel flips read-only (a silent data-loss outage) and a backed-up mail queue. Recovering one process or storage pool no longer clears the others' alerts.

Patch your way

Auto-patch policies can now target a single device, not just a group or the whole fleet. The patch report exports as PDF alongside CSV and XML, and the app catalog is a proper sortable table.

Sites, mapped for real

The Sites page draws your fleet on an actual world map now, coloured by rolled-up health. Services gains a dedicated baselines editor, and the sidebar is reorganised with every sub-menu sorted A–Z.

Tidier, everywhere

Consistent button sizing (no more full-width buttons), aligned table actions and value columns, standard typography and spacing, and calmer card headers — the kind of polish you feel more than notice.

Quicker under load

Several per-request maintenance checks and report builders no longer copy whole data stores on the common path, so heartbeats stay light as the fleet grows. Same push-based agents, zero inbound ports.

Pentested for the public

A whole-project audit + full SAST (CodeQL 0, bandit & gitleaks clean), live TLS & vulnerability scanning and an authenticated API pentest — two Medium correctness findings and every Low fixed before release. Security review →

Run it on your own terms

One script gets you nginx + a Python backend + an admin login. Add a host by running the agent installer and pasting a PIN. Stores everything in flat JSON by default — or grow into SQLite, then PostgreSQL with failover, read replicas and relay satellites when you reach thousands of hosts. No cloud account, your data stays yours.

RemotePower is self-hosted software you run yourself. The live demo is a read-only sandbox (log in with demo / demo).

Fleet dashboard (enlarged) Fleet overview (enlarged) Monitoring (enlarged) Ticket system (enlarged) Device metrics (enlarged) Device drawer (enlarged) Logs (enlarged) CVE scanning (enlarged) Pentest page (enlarged) Patching (enlarged) Software center (enlarged) Custom scripts (enlarged) CMDB (enlarged) IaC generator (enlarged) Release signing (enlarged) AI assistant (enlarged) Settings (enlarged) Browser terminal (enlarged) Compliance (enlarged) Calendar (enlarged) WG Access (enlarged)