https://github.com/jaro-c/lynx
⚡ A blazingly fast, modern, and secure process manager for Linux. The zero-overhead, systemd-native alternative to PM2 powered by Go.
https://github.com/jaro-c/lynx
community daemon deployment devops golang isolation linux non-commercial open-source-like pm2 pm2-alternative process-manager sandboxing security supervisor systemd
Last synced: 29 days ago
JSON representation
⚡ A blazingly fast, modern, and secure process manager for Linux. The zero-overhead, systemd-native alternative to PM2 powered by Go.
- Host: GitHub
- URL: https://github.com/jaro-c/lynx
- Owner: Jaro-c
- License: other
- Created: 2025-02-08T01:11:49.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2026-03-08T18:02:19.000Z (3 months ago)
- Last Synced: 2026-03-08T21:33:14.226Z (3 months ago)
- Topics: community, daemon, deployment, devops, golang, isolation, linux, non-commercial, open-source-like, pm2, pm2-alternative, process-manager, sandboxing, security, supervisor, systemd
- Language: Go
- Homepage:
- Size: 479 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Agents: AGENTS.md
Awesome Lists containing this project
README
# Lynx
**Self-hosted VPS & container manager.**
Containers · Firewall · VPN — from one dashboard, across any number of servers.
[](https://github.com/Jaro-c/Lynx/actions/workflows/agent.yml)
[](https://github.com/Jaro-c/Lynx/actions/workflows/dashboard-server.yml)
[](LICENSE)
[Install](#-install) · [Architecture](#-architecture) · [vs Alternatives](#-vs-alternatives) · [Security](#-security)
---
> **The cPanel/Plesk/Coolify alternative built for people who care about security.**
> One binary per VPS. All traffic encrypted over WireGuard. No SaaS. No cloud lock-in. No Docker daemon.
---
## ✨ Features
**📦 Containers** — Podman rootless, per-organization isolation, survive VPS reboots without Lynx running
**🔥 Firewall** — Full nftables control from the dashboard, three-layer hierarchy, atomic apply, auto-restore on any tampering
**🔒 Networking** — All dashboard → agent traffic over WireGuard + mTLS. Cross-VPS scaling via direct agent tunnels — no relay through dashboard
**🔑 Encryption** — PostgreSQL AES-256 at rest (pg_tde) + per-user envelope encryption (KEK/DEK)
**📁 Single binary** — No runtime dependencies on the server. No Node.js, no Bun, no Docker Engine. Install one binary, uninstall one binary
**🔄 Auto-update** — Hourly GitHub Releases check, Ed25519 signature verification before any swap, automatic rollback if the new binary fails to start
---
## 🏗 Architecture
```
Dashboard VPS
├── Frontend ── Next.js (compiled binary, no runtime)
├── Backend ── Rust
│ ├── WireGuard ──► Agent (local, same VPS)
│ ├── WireGuard ──► Agent (remote VPS #1)
│ └── WireGuard ──► Agent (remote VPS #2)
│
└── Each agent: Podman + nftables + WireGuard
```
Each agent connects to the dashboard over a **1:1 WireGuard tunnel** with its own PSK. Agents never talk to each other through the dashboard — cross-VPS scaling uses direct agent-to-agent tunnels.
Firewall hierarchy (nftables)
```
table inet lynx-agent {
chain lynx-base ← Lynx invariants. Never editable. Auto-restored instantly on any change.
chain lynx-global ← Rules pushed to ALL agents simultaneously
chain lynx-local ← Per-VPS rules for this agent only
}
```
- **`lynx-base`** — default deny, WireGuard allowlist, inter-org isolation, anti-spoofing
- **`lynx-global`** — IP blocklists, protocol restrictions — propagated to all agents in parallel; agents offline receive pending rules on reconnect
- **`lynx-local`** — per-VPS port rules, IP allowlists
Horizontal scaling — cross-VPS
```
Internet → 80/443
↓
lynx-nginx (Agent-1, entry point)
├── replica:1 (Agent-1, local Podman network)
└── WireGuard ──► Agent-2
├── replica:2
└── replica:3
```
Agent-2 never exposes public ports for the project. All traffic enters through Agent-1 via WireGuard.
---
## ⚡ Install
### Dashboard
```bash
curl -fsSL https://raw.githubusercontent.com/Jaro-c/Lynx/main/install.sh | sudo bash
```
The installer handles everything:
1. Detects and removes incompatible software (Docker, firewalld, ufw, iptables)
2. Installs Podman, WireGuard, nftables
3. Generates all secrets — never written to disk in plaintext
4. Starts PostgreSQL → Redis → Backend → Frontend
5. Prints a one-time setup URL:
```
https://YOUR-IP:19443/register?setup_token=
```
### Agent (additional VPS)
1. Dashboard → **Connect new VPS** → copy the displayed keypair + PSK
2. On the new VPS, run the same installer and paste the dashboard data when prompted
3. Done — the tunnel is up and the agent appears online in the dashboard
### Requirements
| | |
|---|---|
| **OS** | Ubuntu 22.04+, Debian 12+, Fedora 39+, CentOS/RHEL 9+, Rocky/AlmaLinux 9+ |
| **SSH port** | Auto-detected — any port works |
| **Fixed ports** | `19443/TCP` (dashboard) · `51820/UDP` (WireGuard) — opened automatically. Must be free and allowed by your VPS provider's external firewall if applicable. |
| **Root access** | Required for install |
---
## 🆚 vs Alternatives
| | **Lynx** | Coolify | Dokploy | cPanel / Plesk |
|---|---|---|---|---|
| Container runtime | Podman (rootless) | Docker | Docker | varies |
| Firewall management | ✅ Full nftables | ❌ | ❌ | Partial |
| VPN between servers | ✅ WireGuard | ❌ | ❌ | ❌ |
| Encryption at rest | ✅ AES-256 (pg_tde) | ❌ | ❌ | ❌ |
| Per-user encryption | ✅ KEK/DEK | ❌ | ❌ | ❌ |
| Signed binary updates | ✅ Ed25519 | ❌ | ❌ | ❌ |
| Runtime dependencies | None | Docker Engine | Docker Engine | Heavy |
| Pricing | Free / self-hosted | Free tier + paid | Free / self-hosted | Paid license |
| SaaS / cloud | Never | Optional | Optional | Optional |
---
## 🔐 Security
Transport & cryptography
- **WireGuard + mTLS** — double-layer encryption on all dashboard ↔ agent traffic
- **TLS 1.3 minimum** — no TLS 1.0/1.1/1.2 accepted anywhere
- **Ed25519** — JWT signing, agent command signing, and binary update verification
- **Per-agent PSK** — each tunnel has its own unique preshared key, rotated automatically
Signed commands & immutable audit log
Every command the dashboard sends to an agent is Ed25519-signed. The agent verifies signature, nonce (replay prevention), and timestamp (< 30s window) before executing anything.
All executed and rejected commands are stored in a **hash-chained append-only audit log** on the agent, synced to dashboard PostgreSQL in real time. Tampering with any entry is mathematically detectable.
Reporting a vulnerability
See [SECURITY.md](SECURITY.md).
---
## 📄 License
[MIT](LICENSE) — © 2026 [Jaro-c](https://github.com/Jaro-c)