https://github.com/glyndor/panel
Self-hosted VPS & container manager — cPanel/Plesk/Coolify alternative. Podman, nftables, WireGuard. Rust + Next.js.
- Host: GitHub
- URL: https://github.com/glyndor/panel
- Owner: Glyndor
- License: mit
- Created: 2026-05-12T17:20:28.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2026-06-04T22:44:34.000Z (16 days ago)
- Last Synced: 2026-06-05T00:08:56.679Z (16 days ago)
- Topics: caprover-alternative, container-management, coolify-alternative, cpanel-alternative, devops, docker-alternative, dokploy-alternative, firewall, nextjs, nftables, paas, plesk-alternative, podman, postgresql, rust, self-hosted, vps, wireguard
- Language: Rust
- Homepage:
- Size: 6.74 MB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 10
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
README

# Lynx
**Self-hosted VPS & container manager.**
Containers · Firewall · VPN — from one dashboard, across any number of servers.
[CI: dashboard-server workflow](https://github.com/Glyndor/panel/actions/workflows/dashboard-server.yml)

[Install](#-install) · [Architecture](#-architecture) · [vs Alternatives](#-vs-alternatives) · [Security](#-security)
---
> **The cPanel/Plesk/Coolify alternative built for people who care about security.**
> One binary per VPS. All traffic encrypted over WireGuard. No SaaS. No cloud lock-in. No Docker daemon.
---
## ✨ Features
- **📦 Containers** — Podman rootless, per-organization isolation, survive VPS reboots without Lynx running
- **🔥 Firewall** — Full nftables control from the dashboard, three-layer hierarchy, atomic apply, auto-restore on any tampering
- **🔒 Networking** — All dashboard → agent traffic over WireGuard + mTLS. Cross-VPS scaling via direct agent tunnels — no relay through dashboard
- **🔑 Encryption** — PostgreSQL AES-256 at rest (pg_tde) + per-user envelope encryption (KEK/DEK)
- **📁 Single binary** — No runtime dependencies on the server. No Node.js, no Bun, no Docker Engine. Install one binary, uninstall one binary
- **🔄 Auto-update** — Hourly GitHub Releases check, Ed25519 signature verification before any swap, automatic rollback if the new binary fails to start
---
## 🏗 Architecture
```
Dashboard VPS
├── Frontend ── Next.js (compiled binary, no runtime)
├── Backend ── Rust
│   ├── WireGuard ──► Agent (local, same VPS)
│   ├── WireGuard ──► Agent (remote VPS #1)
│   └── WireGuard ──► Agent (remote VPS #2)
│
└── Each agent: Podman + nftables + WireGuard
```
Each agent connects to the dashboard over a **1:1 WireGuard tunnel** with its own PSK. Agents never talk to each other through the dashboard — cross-VPS scaling uses direct agent-to-agent tunnels.
### Firewall hierarchy (nftables)
```
table inet lynx-agent {
    chain lynx-base    ← Lynx invariants. Never editable. Auto-restored instantly on any change.
    chain lynx-global  ← Rules pushed to ALL agents simultaneously
    chain lynx-local   ← Per-VPS rules for this agent only
}
```
- **`lynx-base`** — default deny, WireGuard allowlist, inter-org isolation, anti-spoofing
- **`lynx-global`** — IP blocklists, protocol restrictions — propagated to all agents in parallel; agents offline receive pending rules on reconnect
- **`lynx-local`** — per-VPS port rules, IP allowlists
### Horizontal scaling — cross-VPS
```
Internet → 80/443
    ↓
lynx-nginx (Agent-1, entry point)
├── replica:1 (Agent-1, local Podman network)
└── WireGuard ──► Agent-2
    ├── replica:2
    └── replica:3
```
Agent-2 never exposes public ports for the project. All traffic enters through Agent-1 via WireGuard.
---
## ⚡ Install
### Dashboard
```bash
curl -fsSL https://raw.githubusercontent.com/Glyndor/panel/main/install.sh | sudo bash
```
The installer handles everything:
1. Detects and removes incompatible software (Docker, firewalld, ufw, iptables)
2. Installs Podman, WireGuard, nftables
3. Generates all secrets — never written to disk in plaintext
4. Starts PostgreSQL → Redis → Backend → Frontend
5. Prints a one-time setup URL:
```
https://YOUR-IP:19443/register?setup_token=
```
### Agent (additional VPS)
1. Dashboard → **Connect new VPS** → copy the displayed keypair + PSK
2. On the new VPS, run the same installer and paste the dashboard data when prompted
3. Done — the tunnel is up and the agent appears online in the dashboard
### Requirements
| Requirement | Details |
|---|---|
| **OS** | Ubuntu 22.04+, Debian 12+, Fedora 39+, CentOS/RHEL 9+, Rocky/AlmaLinux 9+ |
| **SSH port** | Auto-detected — any port works |
| **Fixed ports** | `19443/TCP` (dashboard) · `51820/UDP` (WireGuard) — opened automatically. Must be free and allowed by your VPS provider's external firewall if applicable. |
| **Root access** | Required for install |
---
## 🆚 vs Alternatives
| Feature | **Lynx** | Coolify | Dokploy | cPanel / Plesk |
|---|---|---|---|---|
| Container runtime | Podman (rootless) | Docker | Docker | varies |
| Firewall management | ✅ Full nftables | ❌ | ❌ | Partial |
| VPN between servers | ✅ WireGuard | ❌ | ❌ | ❌ |
| Encryption at rest | ✅ AES-256 (pg_tde) | ❌ | ❌ | ❌ |
| Per-user encryption | ✅ KEK/DEK | ❌ | ❌ | ❌ |
| Signed binary updates | ✅ Ed25519 | ❌ | ❌ | ❌ |
| Runtime dependencies | None | Docker Engine | Docker Engine | Heavy |
| Pricing | Free / self-hosted | Free tier + paid | Free / self-hosted | Paid license |
| SaaS / cloud | Never | Optional | Optional | Optional |
---
## 🔐 Security
### Transport & cryptography
- **WireGuard + mTLS** — double-layer encryption on all dashboard ↔ agent traffic
- **TLS 1.3 minimum** — no TLS 1.0/1.1/1.2 accepted anywhere
- **Ed25519** — JWT signing, agent command signing, and binary update verification
- **Per-agent PSK** — each tunnel has its own unique preshared key, rotated automatically
### Signed commands & immutable audit log
Every command the dashboard sends to an agent is Ed25519-signed. The agent verifies signature, nonce (replay prevention), and timestamp (< 30s window) before executing anything.
All executed and rejected commands are stored in a **hash-chained append-only audit log** on the agent, synced to dashboard PostgreSQL in real time. Tampering with any entry is mathematically detectable.
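The agent-side checks described above (signature, nonce replay cache, 30-second freshness window) and the hash-chained log that records both executed and rejected commands, written as an added Python illustration rather than the project's Rust code; to stay standard-library only, HMAC-SHA256 stands in for the Ed25519 signature, and the key, command fields and log layout are constructed for the demo.

```python
import hashlib
import hmac
import json

WINDOW_SECONDS = 30  # freshness window stated in the README

def sign(key: bytes, cmd: dict) -> str:
    """Dashboard side. Stand-in: HMAC-SHA256 over canonical JSON instead of Ed25519."""
    payload = json.dumps(cmd, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class Agent:
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self.key = key
        self.nonces = {}  # nonce -> command timestamp (replay cache)
        self.log = []     # [{"prev": ..., "entry": ..., "hash": ...}]

    def handle(self, cmd: dict, sig: str, now: float) -> str:
        # Drop nonces older than the window: a replay of one fails freshness anyway.
        self.nonces = {n: t for n, t in self.nonces.items() if now - t <= WINDOW_SECONDS}
        if not hmac.compare_digest(sign(self.key, cmd), sig):
            verdict = "rejected:bad-signature"
        elif abs(now - cmd["ts"]) > WINDOW_SECONDS:
            verdict = "rejected:stale"
        elif cmd["nonce"] in self.nonces:
            verdict = "rejected:replay"
        else:
            self.nonces[cmd["nonce"]] = cmd["ts"]
            verdict = "executed"
        self._append({"cmd": cmd, "verdict": verdict})  # rejections are logged too
        return verdict

    def _append(self, entry: dict) -> None:
        prev = self.log[-1]["hash"] if self.log else self.GENESIS
        body = json.dumps(entry, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.log.append({"prev": prev, "entry": body, "hash": digest})

    def verify_chain(self) -> bool:
        """Recompute every link; an edited, dropped or reordered entry breaks it."""
        prev = self.GENESIS
        for rec in self.log:
            expected = hashlib.sha256((prev + rec["entry"]).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True
```

Syncing the log to the dashboard adds nothing to the chain check itself; the dashboard can re-run `verify_chain` over the copied records to detect tampering on the agent.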
### Reporting a vulnerability
See the [security policy](https://github.com/Glyndor/panel/security/policy) and
the [security architecture](docs/security-architecture.md) for threat modeling.
---
## 🛠 Development
Contribution model, branch flow and code style live in the
[organization contributing guide](https://github.com/Glyndor/.github/blob/main/CONTRIBUTING.md).
Repo-specific setup:
**Dashboard backend (Rust):**
```bash
cd lynx
SQLX_OFFLINE=true cargo build -p lynx-dashboard-server
SQLX_OFFLINE=true cargo test -p lynx-dashboard-server
```
`sqlx` compile-time checks use the committed `.sqlx` cache. To run against a
real database, see `lynx/dashboard/server/.env` and start PostgreSQL locally.
**Dashboard frontend (Next.js):**
```bash
cd lynx/dashboard/ui
bun install
bun dev
```
**Shell lint:** `bash scripts/lint.sh` (shellcheck on all `.sh` files).
The agent and the compose translator live in
[panel-agent](https://github.com/Glyndor/panel-agent) and
[podup](https://github.com/Glyndor/podup).
### VM test matrix
Some features cannot be tested in CI (nftables, WireGuard, Podman, systemd).
Changes in these areas require local VMs — note in your PR which scenarios you ran:
| Area | Environment |
|------|-------------|
| nftables rules, divergence detection | VM local |
| WireGuard tunnel setup, PSK rotation | VM local (CAP_NET_ADMIN) |
| Podman containers, org isolation | VM local |
| Auto-update binary swap | VM local |
| Installation + incompatible software | VM local |
| Dashboard ↔ agent connectivity | 2 VMs |
| Migration (dashboard or agent) | 2–3 VMs |
### Out of scope — do not contribute
- Docker support — incompatible by design (nftables/network isolation conflict)
- Rollback / downgrade mechanisms — hotfix + auto-update is the model
- Metrics persistence — metrics are real-time WebSocket only
- SMTP integration — not planned
- Changes that break backwards compatibility of migrations (additive-only)
---
## 📄 License
[Apache-2.0](LICENSE) — © 2026 [Glyndor](https://github.com/Glyndor)