{"id":42811273,"url":"https://github.com/jaro-c/lynx","last_synced_at":"2026-05-23T00:04:40.118Z","repository":{"id":276404012,"uuid":"929188012","full_name":"Jaro-c/Lynx","owner":"Jaro-c","description":"⚡ A blazingly fast, modern, and secure process manager for Linux. The zero-overhead, systemd-native alternative to PM2 powered by Go.","archived":false,"fork":false,"pushed_at":"2026-03-08T18:02:19.000Z","size":491,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-08T21:33:14.226Z","etag":null,"topics":["community","daemon","deployment","devops","golang","isolation","linux","non-commercial","open-source-like","pm2","pm2-alternative","process-manager","sandboxing","security","supervisor","systemd"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Jaro-c.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":"Jaro-c"}},"created_at":"2025-02-08T01:11:49.000Z","updated_at":"2026-03-08T18:02:23.000Z","dependencies_parsed_at":"2025-02-09T16:46:03.325Z","dependency_job_id":null,"html_url":"https://github.com/Jaro-c/Lynx","commit_stats":null,"previous_names":["jaro-c/lynx"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/Jaro-c/Lynx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jaro-c%2FLynx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jaro-c%2FLynx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jaro-c%2FLynx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jaro-c%2FLynx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Jaro-c","download_url":"https://codeload.github.com/Jaro-c/Lynx/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jaro-c%2FLynx/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30327588,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-10T05:25:20.737Z","status":"ssl_error","status_checked_at":"2026-03-10T05:25:17.430Z","response_time":106,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["community","daemon","deployment","devops","golang","isolation","linux","non-commercial","open-source-like","pm2","pm2-alternative","process-manager","sandboxing","security","supervisor","systemd"],"created_at":"2026-01-30T05:17:31.834Z","updated_at":"2026-05-20T14:01:18.544Z","avatar_url":"https://github.com/Jaro-c.png","language":"Go","funding_links":["https://github.com/sponsors/Jaro-c"],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"lynx/dashboard/ui/public/logo.webp\" alt=\"Lynx\" width=\"140\" /\u003e\u003cbr /\u003e\u003cbr /\u003e\n\n  # Lynx\n\n  **Self-hosted VPS \u0026 container manager.**\u003cbr /\u003e\n  Containers · Firewall · VPN — from one dashboard, across any number of servers.\n\n  \u003cbr /\u003e\n\n  [![CI — Agent](https://github.com/Jaro-c/Lynx/actions/workflows/agent.yml/badge.svg)](https://github.com/Jaro-c/Lynx/actions/workflows/agent.yml)\n  [![CI — Dashboard](https://github.com/Jaro-c/Lynx/actions/workflows/dashboard-server.yml/badge.svg)](https://github.com/Jaro-c/Lynx/actions/workflows/dashboard-server.yml)\n  [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n  ![Rust](https://img.shields.io/badge/Agent-Rust-orange?logo=rust)\n  ![Next.js](https://img.shields.io/badge/Dashboard-Next.js-black?logo=next.js)\n\n  \u003cbr /\u003e\n\n  [Install](#-install) · [Architecture](#-architecture) · [vs Alternatives](#-vs-alternatives) · [Security](#-security)\n\n\u003c/div\u003e\n\n---\n\n\u003e **The cPanel/Plesk/Coolify alternative built for people who care about security.**  \n\u003e One binary per VPS. All traffic encrypted over WireGuard. No SaaS. No cloud lock-in. No Docker daemon.\n\n---\n\n## ✨ Features\n\n**📦 Containers** — Podman rootless, per-organization isolation, survive VPS reboots without Lynx running  \n**🔥 Firewall** — Full nftables control from the dashboard, three-layer hierarchy, atomic apply, auto-restore on any tampering  \n**🔒 Networking** — All dashboard → agent traffic over WireGuard + mTLS. Cross-VPS scaling via direct agent tunnels — no relay through dashboard  \n**🔑 Encryption** — PostgreSQL AES-256 at rest (pg_tde) + per-user envelope encryption (KEK/DEK)  \n**📁 Single binary** — No runtime dependencies on the server. No Node.js, no Bun, no Docker Engine. Install one binary, uninstall one binary  \n**🔄 Auto-update** — Hourly GitHub Releases check, Ed25519 signature verification before any swap, automatic rollback if the new binary fails to start\n\n---\n\n## 🏗 Architecture\n\n```\nDashboard VPS\n├── Frontend ── Next.js (compiled binary, no runtime)\n├── Backend  ── Rust\n│    ├── WireGuard ──► Agent (local, same VPS)\n│    ├── WireGuard ──► Agent (remote VPS #1)\n│    └── WireGuard ──► Agent (remote VPS #2)\n│\n└── Each agent: Podman + nftables + WireGuard\n```\n\nEach agent connects to the dashboard over a **1:1 WireGuard tunnel** with its own PSK. Agents never talk to each other through the dashboard — cross-VPS scaling uses direct agent-to-agent tunnels.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eFirewall hierarchy (nftables)\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr /\u003e\n\n```\ntable inet lynx-agent {\n    chain lynx-base    ← Lynx invariants. Never editable. Auto-restored instantly on any change.\n    chain lynx-global  ← Rules pushed to ALL agents simultaneously\n    chain lynx-local   ← Per-VPS rules for this agent only\n}\n```\n\n- **`lynx-base`** — default deny, WireGuard allowlist, inter-org isolation, anti-spoofing\n- **`lynx-global`** — IP blocklists, protocol restrictions — propagated to all agents in parallel; agents offline receive pending rules on reconnect\n- **`lynx-local`** — per-VPS port rules, IP allowlists\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eHorizontal scaling — cross-VPS\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr /\u003e\n\n```\nInternet → 80/443\n    ↓\nlynx-nginx (Agent-1, entry point)\n    ├── replica:1  (Agent-1, local Podman network)\n    └── WireGuard ──► Agent-2\n                          ├── replica:2\n                          └── replica:3\n```\n\nAgent-2 never exposes public ports for the project. All traffic enters through Agent-1 via WireGuard.\n\n\u003c/details\u003e\n\n---\n\n## ⚡ Install\n\n### Dashboard\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/Jaro-c/Lynx/main/install.sh | sudo bash\n```\n\nThe installer handles everything:\n1. Detects and removes incompatible software (Docker, firewalld, ufw, iptables)\n2. Installs Podman, WireGuard, nftables\n3. Generates all secrets — never written to disk in plaintext\n4. Starts PostgreSQL → Redis → Backend → Frontend\n5. Prints a one-time setup URL:\n   ```\n   https://YOUR-IP:19443/register?setup_token=\u003ctoken\u003e\n   ```\n\n### Agent (additional VPS)\n\n1. Dashboard → **Connect new VPS** → copy the displayed keypair + PSK\n2. On the new VPS, run the same installer and paste the dashboard data when prompted\n3. Done — the tunnel is up and the agent appears online in the dashboard\n\n### Requirements\n\n| | |\n|---|---|\n| **OS** | Ubuntu 22.04+, Debian 12+, Fedora 39+, CentOS/RHEL 9+, Rocky/AlmaLinux 9+ |\n| **SSH port** | Auto-detected — any port works |\n| **Fixed ports** | `19443/TCP` (dashboard) · `51820/UDP` (WireGuard) — opened automatically. Must be free and allowed by your VPS provider's external firewall if applicable. |\n| **Root access** | Required for install |\n\n---\n\n## 🆚 vs Alternatives\n\n| | **Lynx** | Coolify | Dokploy | cPanel / Plesk |\n|---|---|---|---|---|\n| Container runtime | Podman (rootless) | Docker | Docker | varies |\n| Firewall management | ✅ Full nftables | ❌ | ❌ | Partial |\n| VPN between servers | ✅ WireGuard | ❌ | ❌ | ❌ |\n| Encryption at rest | ✅ AES-256 (pg_tde) | ❌ | ❌ | ❌ |\n| Per-user encryption | ✅ KEK/DEK | ❌ | ❌ | ❌ |\n| Signed binary updates | ✅ Ed25519 | ❌ | ❌ | ❌ |\n| Runtime dependencies | None | Docker Engine | Docker Engine | Heavy |\n| Pricing | Free / self-hosted | Free tier + paid | Free / self-hosted | Paid license |\n| SaaS / cloud | Never | Optional | Optional | Optional |\n\n---\n\n## 🔐 Security\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eTransport \u0026amp; cryptography\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr /\u003e\n\n- **WireGuard + mTLS** — double-layer encryption on all dashboard ↔ agent traffic\n- **TLS 1.3 minimum** — no TLS 1.0/1.1/1.2 accepted anywhere\n- **Ed25519** — JWT signing, agent command signing, and binary update verification\n- **Per-agent PSK** — each tunnel has its own unique preshared key, rotated automatically\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eSigned commands \u0026amp; immutable audit log\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr /\u003e\n\nEvery command the dashboard sends to an agent is Ed25519-signed. The agent verifies signature, nonce (replay prevention), and timestamp (\u003c 30s window) before executing anything.\n\nAll executed and rejected commands are stored in a **hash-chained append-only audit log** on the agent, synced to dashboard PostgreSQL in real time. Tampering with any entry is mathematically detectable.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cstrong\u003eReporting a vulnerability\u003c/strong\u003e\u003c/summary\u003e\n\u003cbr /\u003e\n\nSee [SECURITY.md](SECURITY.md).\n\n\u003c/details\u003e\n\n---\n\n## 📄 License\n\n[MIT](LICENSE) — © 2026 [Jaro-c](https://github.com/Jaro-c)\n\n\u003cdiv align=\"center\"\u003e\n  \u003cbr /\u003e\n  \u003csub\u003eMade with ❤️ by \u003ca href=\"https://github.com/Jaro-c\"\u003eJaroc\u003c/a\u003e\u003c/sub\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjaro-c%2Flynx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjaro-c%2Flynx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjaro-c%2Flynx/lists"}