Orbit VPS

One binary that replaces Cockpit, Coolify, and Webmin—real-time metrics, service control, log streaming, and firewall management from a single port

Comment

Inspiration

Every server I managed required five different tools. Cockpit gave me metrics but couldn't deploy apps. Coolify deployed apps but showed me nothing about OS health. Webmin edited configs but had no container awareness. I'd SSH in at 2 AM, run htop, docker logs, journalctl, and ufw status — four different syntaxes, four different mental models, one exhausted developer. The moment I realized I was paying for three VPS instances and spending more time managing tools than building products, I knew something had to change. No existing project even attempted to unify these layers. So I built one that does.

What it does

Orbit is a single Go binary — under 18MB — that embeds a complete server management platform. It provides real-time per-process CPU, memory, disk, and network graphs with a 24-hour ring buffer. It manages systemd services, Docker containers, and PM2 processes from a unified interface with a built-in unit file editor. It streams logs from any file or journald unit in real-time with full-text search. It reads and displays nftables/UFW firewall rules. It authenticates users with JWT tokens and SSH keys. Everything serves from one port with self-signed TLS. No agents. No external database. No runtime dependencies beyond the Linux kernel.

How I built it

The backend is Go 1.22 using only net/http for HTTP/2 serving, gorilla/websocket for live metric and log streams, gopsutil for /proc abstraction, go-sqlite3 for user accounts and configuration, and bbolt for the metric ring buffer. The frontend is React 18 with TypeScript, built with Vite, using recharts for time-series graphs, xterm.js for the built-in terminal, zustand for state management, and @tanstack/react-query for data fetching. The entire React SPA compiles to static files and embeds into the Go binary via go:embed. GoReleaser cross-compiles for amd64, arm64, and armv7, producing .deb, .rpm, and tarball artifacts. GitHub Actions handles CI/CD with SLSA provenance generation. The install script is a standalone bash script that detects the OS, downloads the correct binary, creates the orbit system user and systemd service, and starts Orbit in under 30 seconds.

Challenges I ran into

CGO with SQLite broke cross-compilation. Go's standard cross-compiler doesn't work when C code is involved, so every ARM build required a native ARM64 GitHub Actions runner with the correct cross-compilation toolchain. One missing library produced a binary that linked against the wrong SQLite version, crashing on startup.

The /proc filesystem format varies subtly across distributions. Ubuntu 24.04 reports memory statistics differently than Debian 11. ARM64 kernels on Raspberry Pi expose CPU frequencies in a different structure than x86_64 cloud instances. What worked perfectly on my development machine returned zero values on a user's Rockchip board. I learned to test against multiple distributions early, not assume /proc consistency, and build fallback parsing paths for every metric.

nftables rule parsing was unexpectedly complex. Reading rules created by Docker, fail2ban, or a previous administrator's custom script — and displaying them alongside Orbit-managed rules without breaking anything — required building a bidirectional parser that could handle nftables' full ruleset format with sets, maps, and verdict chains. Getting this wrong would break networking on production servers, so the firewall module shipped as read-only until the parser is battle-tested.

The bus factor of one was the hardest non-technical challenge. Every commit, every code review, every release flows through one person. When I got sick for a week, development stopped. Building in public meant users reported bugs I couldn't immediately fix. Managing expectations while being the sole maintainer taught me that open source sustainability is as much about community structure as code quality.

Accomplishments that I'm proud of

Shipping a working binary that installs with one command and runs on any Linux server. The first user who reported "it just works on my Raspberry Pi" made every late night worth it. The architecture is genuinely minimal — 18MB, 30MB RAM idle, zero runtime dependencies — without sacrificing the functionality that usually requires five separate daemons. The security posture is deliberate: no telemetry, no phone-home, no account required, no external API calls. And the entire project was built with zero funding, purely on nights and weekends, proving that a solo developer can still ship meaningful infrastructure software.

What I learned

Integration is harder than algorithms. The hard problems in Orbit weren't efficient data structures — they were understanding systemd D-Bus error codes across versions, parsing /proc consistently across kernel builds, and making nftables rules coexist with Docker's networking. Infrastructure software lives at the boundaries between systems, and those boundaries are where the complexity accumulates. I also learned that documentation is a feature, not an afterthought. The install script, the configuration reference, the contributing guide — these are the first things users see, and their quality determines whether someone becomes a user or bounces. Finally, I learned that open source is lonely. Building in public helps, but nothing replaces having a co-maintainer who understands the codebase deeply. That's why the v0.3 roadmap includes onboarding contributors into formal maintainer roles.

What's next for Orbit VPS

v0.2 brings deploy hooks triggered by Git webhooks with zero-downtime blue/green deployment, a full UFW/nftables rule editor with conflict detection, HTTP/TCP/ping uptime monitors with alert channels, and full Docker container lifecycle management. v0.3 introduces multi-server federation — one Orbit hub managing multiple servers with mutual TLS, aggregated fleet metrics, and centralized configuration push — plus an MCP (Model Context Protocol) server that lets AI agents query server state and trigger actions through a scoped Unix socket. v0.4 adds a security audit module with SSH hardening scores, CVE scanning for open ports, Fail2ban integration, and SSO/OIDC support. The long-term vision is to make Orbit the last server management tool anyone needs to install — one binary, one port, complete control, and an open source community that sustains it for years.

Built With

Share this project:

Updates