{"id":50249180,"url":"https://github.com/itconnectge/netfleet","last_synced_at":"2026-05-31T23:00:34.311Z","repository":{"id":360541132,"uuid":"1250625345","full_name":"ITConnectGE/netfleet","owner":"ITConnectGE","description":"Open-source multi-vendor network fleet management for MSPs — MikroTik today, FortiGate/Cisco next.","archived":false,"fork":false,"pushed_at":"2026-05-27T00:46:49.000Z","size":273,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-27T01:02:00.245Z","etag":null,"topics":["docker","fastapi","mikrotik","mikrotik-api","msp","network-management","nextjs","open-source","rbac","routeros","self-hosted"],"latest_commit_sha":null,"homepage":"https://itconnectge.ge","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ITConnectGE.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-26T20:21:31.000Z","updated_at":"2026-05-27T00:46:49.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ITConnectGE/netfleet","commit_stats":null,"previous_names":["itconnectge/netfleet"],"tags_count":17,"template":false,"template_full_name":null,"purl":"pkg:github/ITConnectGE/netfleet","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ITConnectGE%2Fnetfleet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ITConnectGE%2Fnetfleet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ITConnectGE%2Fnetfleet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ITConnectGE%2Fnetfleet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ITConnectGE","download_url":"https://codeload.github.com/ITConnectGE/netfleet/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ITConnectGE%2Fnetfleet/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33752286,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","fastapi","mikrotik","mikrotik-api","msp","network-management","nextjs","open-source","rbac","routeros","self-hosted"],"created_at":"2026-05-27T01:00:36.551Z","updated_at":"2026-05-31T23:00:34.293Z","avatar_url":"https://github.com/ITConnectGE.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"docs/assets/logo.svg\" alt=\"NetFleet\" width=\"160\" /\u003e\n\n# NetFleet\n\n### Multi-vendor network fleet management for MSPs\n\n**Open-source, self-hosted central management** for your routers, firewalls and edge\ndevices — with granular RBAC, delegated IT-support access, real-time monitoring,\nin-app updates, and one-command Ubuntu install.\n\n\u003e **Shipping now**: MikroTik RouterOS driver. \u0026nbsp;\n\u003e **Roadmap**: FortiGate · Cisco IOS-XE · Ubiquiti UISP · Aruba · MIST.\n\n[![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)\n[![Made with FastAPI](https://img.shields.io/badge/Made%20with-FastAPI-009688.svg)](https://fastapi.tiangolo.com)\n[![Next.js](https://img.shields.io/badge/UI-Next.js%2015-black.svg)](https://nextjs.org)\n[![Docker](https://img.shields.io/badge/Deploy-Docker%20Compose-2496ED.svg)](https://docs.docker.com/compose/)\n[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](CONTRIBUTING.md)\n\n[**Why NetFleet?**](#-why-netfleet) · [**Quick Start**](#-quick-start) · [**Features**](#-features) · [**Architecture**](#-architecture) · [**Roadmap**](#-roadmap) · [**Docs**](docs/)\n\n\u003cbr/\u003e\n\n*An open-source project by* \u0026nbsp; **[ITConnectGE](https://itconnectge.ge)** \u0026nbsp; — built by MSP engineers, for MSP engineers.\n\n\u003c/div\u003e\n\n---\n\n## 🎯 The Problem\n\nIf you run an IT outsourcing company, you probably manage **dozens to hundreds of network\ndevices across many client sites**, often from **multiple vendors** — MikroTik routers\nat one client, FortiGate firewalls at another, a stray Cisco somewhere.\n\nThe tools you have all fall short:\n\n- **WinBox / WebFig / FortiGate GUI / etc.** = one device at a time. Vendor silos.\n- **The Dude / FortiManager / Cisco Prime** = vendor-locked. You need N tools.\n- **Zabbix / LibreNMS** = monitoring only — you still SSH in to make changes.\n- **Splynx / UISP** = ISP-billing platforms, not MSP fleet management.\n- **Ansible / Salt** = great for engineers, terrible for L1 support staff.\n\n**None of them let you say:**\n\u003e *\"Junior support engineer Nika can read DHCP leases and edit NAT rules — only on\n\u003e Client A's MikroTik routers and Client B's FortiGate — and every action is logged.\"*\n\nThat's what **NetFleet** does.\n\n## ✨ Why NetFleet?\n\n| | The Dude | Splynx | Zabbix | UISP | FortiManager | **NetFleet** |\n|---------------------------------------|:---:|:---:|:---:|:---:|:---:|:---:|\n| **Multi-vendor** central management | ❌ | ⚠️ | ⚠️ | ❌ | ❌ | ✅ |\n| Central read **and write** management | ⚠️ | ✅ | ❌ | ❌ | ✅ | ✅ |\n| **Per-section** RBAC (DHCP / NAT / FW …) | ❌ | ❌ | ❌ | ❌ | ⚠️ | ✅ |\n| **Multi-client / multi-site** structure | ❌ | ✅ | ⚠️ | ❌ | ⚠️ | ✅ |\n| Granular delegated **IT-support** access | ❌ | ❌ | ❌ | ❌ | ⚠️ | ✅ |\n| Full **audit log** (who did what, where) | ❌ | ⚠️ | ⚠️ | ❌ | ✅ | ✅ |\n| **Entra ID OIDC** + Local + TOTP | ❌ | ⚠️ | ⚠️ | ⚠️ | ✅ | ✅ |\n| **In-app updates** (no SSH dance) | ❌ | ❌ | ❌ | ⚠️ | ⚠️ | ✅ |\n| **Open Source** (Apache 2.0) | ⚠️ | ❌ | ✅ | ⚠️ | ❌ | ✅ |\n| **Self-hosted**, one-command install | ❌ | ⚠️ | ✅ | ✅ | ❌ | ✅ |\n| **Built for MSPs** | ❌ | ⚠️ | ❌ | ❌ | ⚠️ | ✅ |\n\n\u003e ✅ = first-class · ⚠️ = partial / awkward · ❌ = not supported\n\n## 🚀 Features\n\n### Authentication \u0026 access\n- **Microsoft Entra ID (OIDC)** single sign-on with MFA\n- **Local authentication** with Argon2 password hashing and TOTP (Authenticator, Authy, etc.)\n- **JWT** access tokens + httpOnly refresh cookies\n\n### Multi-vendor device fleet\n- Plug-in **vendor driver** architecture — a single API surface across vendors\n- **Site → Device** hierarchy (one tenant = one MSP)\n- Encrypted credential storage (Fernet, KEK from `.env`)\n- Connection pooling with keepalives\n- Real-time **status monitoring** (CPU, memory, uptime, link state)\n- Historic metrics with 30-day retention\n\n### Granular RBAC\n- Roles scoped to **sites or specific devices**\n- Permissions per **functional section** (`dhcp`, `firewall.nat`, `qos`, `vpn`, …)\n- **Read / write / execute** as separate verbs\n- Casbin enforcer — policy-as-code, auditable\n\n### Operations (MikroTik MVP)\n- **DHCP** servers, leases, networks\n- **IP / Firewall / NAT / Mangle** rules\n- **Interfaces, addresses, routes, ARP, pools**\n- **Queues** (simple + tree)\n- **PPP** secrets, profiles\n- **System**: identity, resource, clock, reboot, config backup\n- **Tool**: ping, traceroute, fetch\n\n### Platform\n- **Audit log** of every action (user, device, section, payload, outcome, IP, UA)\n- **In-app updates**: see when a new release is out, click Update, done — automatic pre-update DB backup and rollback on failure\n- **Open REST API** with full OpenAPI / Swagger docs\n- **WebSocket** push for real-time status\n- **Webhooks** for integration with helpdesk / Slack / Teams\n\n## 🏁 Quick Start\n\n### One-command install (Ubuntu 22.04 / 24.04)\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/ITConnectGE/netfleet/main/install.sh | sudo bash\n```\n\nThe installer will:\n1. Install Docker \u0026 Docker Compose if missing\n2. Pull the latest `netfleet` images from `ghcr.io/itconnectge`\n3. Generate secrets and write `/opt/netfleet/.env`\n4. Start the stack and wait for healthchecks\n5. Print the URL + initial setup token\n\nThen open `https://your-server` and follow the setup wizard.\n\n### Manual install (any Docker host)\n\n```bash\ngit clone https://github.com/ITConnectGE/netfleet.git\ncd netfleet\ncp .env.example .env\n# Edit .env — set secrets, OIDC config if you want SSO\ndocker compose up -d\n```\n\n### Configuration\n\nAll configuration is environment-variable driven — see [`.env.example`](.env.example).\n\nKey sections:\n- `NETFLEET_JWT_SECRET`, `NETFLEET_FERNET_KEY` — secrets (autogenerated by `install.sh`)\n- `NETFLEET_OIDC_*` — Microsoft Entra ID (or any OIDC IdP) setup\n- `NETFLEET_UPDATE_CHANNEL` — `stable` / `beta` / `manual`\n- `NETFLEET_SMTP_*` — for invite emails \u0026 update notifications\n\n## 🏗 Architecture\n\n```\n ┌──────────────────────────────────────────────────┐\n │ Host: Ubuntu + Docker │\n │ │\n Admin ───HTTPS──┼──▶ caddy ─┬──▶ web (Next.js) │\n IT Support │ └──▶ api (FastAPI + Casbin) ──▶ postgres │\n │ │ ↑ ↑ │\n │ â–¼ │ │ │\n │ vendor drivers â–¼ │\n │ ┌──────────┐ redis │\n │ │ mikrotik │ │\n │ │ fortigate│ (cache + pubsub) │\n │ │ cisco … │ │\n │ └────┬─────┘ │\n │ │ │\n │ worker updater (docker.sock) │\n │ (polling) (in-app updates) │\n └────────────────┼──────────────┼──────────────────┘\n │ │\n ┌────────▼─┐ ┌────────▼──────────┐\n │ Device │ │ ghcr.io + GitHub │\n │ fleet │ │ (image + releases)│\n │ (multi- │ └───────────────────┘\n │ vendor) │\n └──────────┘\n```\n\n📐 **Full architecture diagrams**: see [`docs/architecture.drawio`](docs/architecture.drawio)\n(6 pages: system overview, Docker layout, auth flows, RBAC model, update flow, vendor-driver call flow).\n\n## 🔌 Vendor Driver Model\n\nNetFleet abstracts vendor differences behind a stable `VendorDriver` interface. Each device\ndeclares its `vendor` field; the API routes calls through the matching driver:\n\n```python\nclass VendorDriver(Protocol):\n async def connect(self, device: Device) -\u003e Connection: ...\n async def system_info(self, conn) -\u003e SystemInfo: ...\n async def dhcp_leases(self, conn) -\u003e list[DhcpLease]: ...\n async def firewall_nat_list(self, conn) -\u003e list[NatRule]: ...\n async def firewall_nat_add(self, conn, rule: NatRule) -\u003e str: ...\n # ... per-section methods\n capabilities: set[Capability] # what this driver supports\n```\n\nA driver only needs to implement the sections relevant to its platform. The UI auto-hides\nsections that the active device's driver doesn't expose.\n\n| Driver | Status | Library / API |\n|---|---|---|\n| **MikroTik (RouterOS 7.x)** | 🟢 MVP — in active development | `librouteros` + REST fallback |\n| **MikroTik (RouterOS 6.x)** | 🟡 planned | legacy API |\n| **FortiGate (FortiOS)** | 🔵 roadmap | FortiOS REST API |\n| **Cisco (IOS-XE / NX-OS)** | 🔵 roadmap | RESTCONF / NETCONF |\n| **Ubiquiti (UISP / UniFi)** | 🔵 roadmap | UISP API |\n| **Aruba / HPE** | 🔵 roadmap | AOS-CX REST |\n\n\u003e Want to contribute a driver? See [`docs/vendor-drivers.md`](docs/vendor-drivers.md) (writing in progress).\n\n## 🔐 RBAC Philosophy — a concrete example\n\nSay you have a junior support engineer \"Nika\" who should handle DHCP \u0026 NAT for Client A only.\n\n```yaml\n# In NetFleet UI: Settings → Roles → New Role\nrole: dhcp-nat-l1\nscope:\n type: site\n id: client-a\npermissions:\n - section: dhcp\n actions: [read, write]\n - section: firewall.nat\n actions: [read, write]\n - section: system.identity\n actions: [read] # so Nika can see which device is which\n\n# In Users → Nika → Assign role\nuser: nika@example.com\nrole: dhcp-nat-l1\n```\n\nNika now sees only Client A's devices, only DHCP/NAT/identity tabs are visible,\nand every action is recorded in the audit log with the request payload. She literally\n**cannot** see other clients or other sections — the API rejects with 403 and audits the attempt.\n\nThe same policy works the same way whether Client A runs MikroTik or FortiGate; the\ndriver translates `firewall.nat` to the right vendor-native call.\n\n## 🧱 Tech Stack\n\n| Layer | Choice | Why |\n|---|---|---|\n| Backend | **Python 3.12 · FastAPI** | Async, OpenAPI-native, Pydantic v2 |\n| Vendor drivers | **Pluggable Protocol-based** | Add new vendors without touching API code |\n| Authorization | **Casbin** | Policy-as-code RBAC with scopes |\n| DB | **PostgreSQL 16** | RBAC ergonomics, JSONB audit, row-level security |\n| Cache / Pub-sub | **Redis 7** | Status cache + WebSocket fan-out |\n| Frontend | **Next.js 15 · shadcn/ui · Tailwind** | Polished, accessible, fast |\n| Reverse proxy | **Caddy 2** | Auto HTTPS, zero config |\n| Deploy | **Docker Compose** | One-command self-host |\n| CI/CD | **GitHub Actions → ghcr.io** | Free public images |\n\n## 🗺 Roadmap\n\n- [x] Phase 0 — Architecture \u0026 branding\n- [ ] Phase 1 — **Skeleton** (Docker, FastAPI, Next.js, DB) ← *we are here*\n- [ ] Phase 2 — Auth (local + TOTP + Entra OIDC)\n- [ ] Phase 3 — Sites \u0026 devices CRUD + encrypted creds + connection test\n- [ ] Phase 4 — RBAC engine + roles UI + audit log\n- [ ] Phase 5 — **MikroTik driver** complete: DHCP, IP, Firewall/NAT, Interfaces, System\n- [ ] Phase 6 — Real-time status (worker + WebSocket)\n- [ ] Phase 7 — In-app updater + GitHub Releases integration\n- [ ] Phase 8 — Audit UI, exports, webhooks\n- [ ] **v1.0** — production-ready (MikroTik fully supported)\n- [ ] Phase 9 — **FortiGate driver** (FortiOS REST)\n- [ ] Phase 10 — Config backup/restore, scheduled jobs\n- [ ] Future — Cisco IOS-XE driver, Ubiquiti driver, multi-tenant SaaS mode, OpenTelemetry, Grafana dashboards, Ansible-compatible export\n\nSee [open issues](https://github.com/ITConnectGE/netfleet/issues) for tracked work.\n\n## 🤝 Contributing\n\nWe welcome contributions — bug reports, PRs, docs, translations, **new vendor drivers**.\n\nStart with [`CONTRIBUTING.md`](CONTRIBUTING.md). All contributors agree to the [Code of Conduct](CODE_OF_CONDUCT.md).\n\n## 📜 License\n\nApache License 2.0 — see [LICENSE](LICENSE). Patent grant included; safe for commercial and MSP-internal use.\n\n## ❤️ By ITConnectGE\n\nNetFleet is built and maintained by **[ITConnectGE](https://itconnectge.ge)**, a Georgian IT\noutsourcing company. We built it because we needed it ourselves — and we believe the MSP\ncommunity deserves an open, modern, vendor-agnostic alternative to expensive proprietary tools.\n\nIf NetFleet saves you time, ⭐ the repo, [tell us](https://github.com/ITConnectGE/netfleet/discussions), or contribute back.\n\n---\n\n\u003csub\u003eMikroTik® and RouterOS® are registered trademarks of MikroTÄ«kls SIA. FortiGate® is a registered trademark of Fortinet, Inc. Cisco® is a registered trademark of Cisco Systems, Inc. NetFleet is an independent, community-driven project and is not affiliated with or endorsed by any of these companies. Vendor names are used solely for descriptive interoperability purposes.\u003c/sub\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitconnectge%2Fnetfleet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fitconnectge%2Fnetfleet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fitconnectge%2Fnetfleet/lists"}