Self-hosted VPS & container manager.
Containers · Firewall · VPN — from one dashboard, across any number of servers.
The cPanel/Plesk/Coolify alternative built for people who care about security.
One binary per VPS. All traffic encrypted over WireGuard. No SaaS. No cloud lock-in. No Docker daemon.
📦 Containers — Podman rootless, per-organization isolation, survive VPS reboots without Lynx running
🔥 Firewall — Full nftables control from the dashboard, three-layer hierarchy, atomic apply, auto-restore on any tampering
🔒 Networking — All dashboard → agent traffic over WireGuard + mTLS. Cross-VPS scaling via direct agent tunnels — no relay through dashboard
🔑 Encryption — PostgreSQL AES-256 at rest (pg_tde) + per-user envelope encryption (KEK/DEK)
📁 Single binary — No runtime dependencies on the server. No Node.js, no Bun, no Docker Engine. Install one binary, uninstall one binary
🔄 Auto-update — Hourly GitHub Releases check, Ed25519 signature verification before any swap, automatic rollback if the new binary fails to start
Dashboard VPS
├── Frontend ── Next.js (compiled binary, no runtime)
├── Backend ── Rust
│ ├── WireGuard ──► Agent (local, same VPS)
│ ├── WireGuard ──► Agent (remote VPS #1)
│ └── WireGuard ──► Agent (remote VPS #2)
│
└── Each agent: Podman + nftables + WireGuard
Each agent connects to the dashboard over a 1:1 WireGuard tunnel with its own PSK. Agents never talk to each other through the dashboard — cross-VPS scaling uses direct agent-to-agent tunnels.
Firewall hierarchy (nftables)
table inet lynx-agent {
chain lynx-base ← Lynx invariants. Never editable. Auto-restored instantly on any change.
chain lynx-global ← Rules pushed to ALL agents simultaneously
chain lynx-local ← Per-VPS rules for this agent only
}
lynx-base— default deny, WireGuard allowlist, inter-org isolation, anti-spoofinglynx-global— IP blocklists, protocol restrictions — propagated to all agents in parallel; agents offline receive pending rules on reconnectlynx-local— per-VPS port rules, IP allowlists
Horizontal scaling — cross-VPS
Internet → 80/443
↓
lynx-nginx (Agent-1, entry point)
├── replica:1 (Agent-1, local Podman network)
└── WireGuard ──► Agent-2
├── replica:2
└── replica:3
Agent-2 never exposes public ports for the project. All traffic enters through Agent-1 via WireGuard.
curl -fsSL https://raw.githubusercontent.com/Glyndor/panel/main/install.sh | sudo bashThe installer handles everything:
- Detects and removes incompatible software (Docker, firewalld, ufw, iptables)
- Installs Podman, WireGuard, nftables
- Generates all secrets — never written to disk in plaintext
- Starts PostgreSQL → Redis → Backend → Frontend
- Prints a one-time setup URL:
https://YOUR-IP:19443/register?setup_token=<token>
- Dashboard → Connect new VPS → copy the displayed keypair + PSK
- On the new VPS, run the same installer and paste the dashboard data when prompted
- Done — the tunnel is up and the agent appears online in the dashboard
| OS | Ubuntu 22.04+, Debian 12+, Fedora 39+, CentOS/RHEL 9+, Rocky/AlmaLinux 9+ |
| SSH port | Auto-detected — any port works |
| Fixed ports | 19443/TCP (dashboard) · 51820/UDP (WireGuard) — opened automatically. Must be free and allowed by your VPS provider's external firewall if applicable. |
| Root access | Required for install |
| Lynx | Coolify | Dokploy | cPanel / Plesk | |
|---|---|---|---|---|
| Container runtime | Podman (rootless) | Docker | Docker | varies |
| Firewall management | ✅ Full nftables | ❌ | ❌ | Partial |
| VPN between servers | ✅ WireGuard | ❌ | ❌ | ❌ |
| Encryption at rest | ✅ AES-256 (pg_tde) | ❌ | ❌ | ❌ |
| Per-user encryption | ✅ KEK/DEK | ❌ | ❌ | ❌ |
| Signed binary updates | ✅ Ed25519 | ❌ | ❌ | ❌ |
| Runtime dependencies | None | Docker Engine | Docker Engine | Heavy |
| Pricing | Free / self-hosted | Free tier + paid | Free / self-hosted | Paid license |
| SaaS / cloud | Never | Optional | Optional | Optional |
Transport & cryptography
- WireGuard + mTLS — double-layer encryption on all dashboard ↔ agent traffic
- TLS 1.3 minimum — no TLS 1.0/1.1/1.2 accepted anywhere
- Ed25519 — JWT signing, agent command signing, and binary update verification
- Per-agent PSK — each tunnel has its own unique preshared key, rotated automatically
Signed commands & immutable audit log
Every command the dashboard sends to an agent is Ed25519-signed. The agent verifies signature, nonce (replay prevention), and timestamp (< 30s window) before executing anything.
All executed and rejected commands are stored in a hash-chained append-only audit log on the agent, synced to dashboard PostgreSQL in real time. Tampering with any entry is mathematically detectable.
Reporting a vulnerability
See the security policy and the security architecture for threat modeling.
Contribution model, branch flow and code style live in the organization contributing guide. Repo-specific setup:
Dashboard backend (Rust):
cd lynx
SQLX_OFFLINE=true cargo build -p lynx-dashboard-server
SQLX_OFFLINE=true cargo test -p lynx-dashboard-serversqlx compile-time checks use the committed .sqlx cache. To run against a
real database, see lynx/dashboard/server/.env and start PostgreSQL locally.
Dashboard frontend (Next.js):
cd lynx/dashboard/ui
bun install
bun devShell lint: bash scripts/lint.sh (shellcheck on all .sh files).
The agent and the compose translator live in panel-agent and podup.
VM test matrix
Some features cannot be tested in CI (nftables, WireGuard, Podman, systemd). Changes in these areas require local VMs — note in your PR which scenarios you ran:
| Area | Environment |
|---|---|
| nftables rules, divergence detection | VM local |
| WireGuard tunnel setup, PSK rotation | VM local (CAP_NET_ADMIN) |
| Podman containers, org isolation | VM local |
| Auto-update binary swap | VM local |
| Installation + incompatible software | VM local |
| Dashboard ↔ agent connectivity | 2 VMs |
| Migration (dashboard or agent) | 2–3 VMs |
Out of scope — do not contribute
- Docker support — incompatible by design (nftables/network isolation conflict)
- Rollback / downgrade mechanisms — hotfix + auto-update is the model
- Metrics persistence — metrics are real-time WebSocket only
- SMTP integration — not planned
- Changes that break backwards compatibility of migrations (additive-only)
Apache-2.0 — © 2026 Glyndor
Made with ❤️ by Jaroc