ClusevDocs
EN DE
Docs/Guide/Clusev v0.11 · beta

Clusev Documentation

Clusev is a self-hosted control plane for a fleet of Linux servers — one security-first dashboard that administers your machines directly over SSH. It installs nothing on the servers you manage and never re-implements their daemons; it orchestrates the real ones.

New here?

Go straight to Server requirementsInstallationFirst login. The whole install is one command and finishes in a couple of minutes.

How it works

You run one Docker stack on one VM — the panel host. The browser talks to it over HTTPS and a WebSocket for live telemetry. Clusev reaches each of your servers over SSH exec + SFTP (via phpseclib), using credentials sealed in an encrypted vault that never leaves the control plane.

Operator Clusev control plane Laravel Reverb MariaDB Redis encrypted SSH vault keys never leave here web-01db-01edge-01 your fleet HTTPS SSH · SFTP
One control plane on one VM — agentless SSH out to every server

Two kinds of machine

Keep these straight — they have very different requirements:

  • The panel host — the single VM that runs Clusev (the Docker stack). You install here. See requirements.
  • The servers you manage — everything else in your fleet. They need nothing installed — just SSH reachable from the panel.
Free forever

Multi-server fleet management is never paywalled. Clusev is open core (AGPL-3.0); optional Pro modules — SSO/LDAP, RBAC, audit export, alerting — are separate add-ons.

Server requirements

What you need before installing: one small VM for the panel, and SSH access to the servers you want to manage.

The panel host

A single VM that runs the whole Docker stack (app, MariaDB, Redis, Reverb, queue). Modest — a €4/month VPS is plenty for a small fleet.

Operating system

Debian / Ubuntu
Debian 12/13 or Ubuntu 22.04/24.04 · root access

CPU & memory

1 vCPU · 1 GB
2 GB RAM recommended for headroom

Disk

~5 GB free
10 GB+ recommended — image + DB grow over time

Network

Public IP
Ports 80/443 open if you want automatic HTTPS

The only tool you need pre-installed is git to fetch the repo — the installer sets up Docker and everything else. Minimal cloud images often ship without git; the install command shows how to add it.

The servers you manage

These need nothing installed. Clusev is agentless — how much it can do depends only on what the target already runs:

  • Metrics (CPU, memory, disk, load) work on essentially any Linux with a standard /proc.
  • Service control (start / stop / restart / journal) needs systemd.
  • Hardening (firewall + fail2ban + auto-updates) needs the host's firewall (ufw / firewalld) and one of apt / dnf / zypper.

The one hard requirement is SSH reachable from the panel host. See the full matrix under Supported systems.

Ports

The panel serves on your chosen HTTP port (default 80). For automatic Let's Encrypt HTTPS, ports 80 and 443 must be publicly reachable. Outbound, the panel needs to reach each managed server's SSH port (usually 22).

Installation

One command. The installer is idempotent — safe to re-run — and sets up Docker, all secrets, the database and the first admin in a single pass.

panel host — as root
# minimal images often lack git
sudo apt-get update && apt-get install -y git
git clone https://github.com/clusev/clusev.git
cd clusev
sudo ./install.sh

What the installer does

  1. Installs Docker

    On Debian/Ubuntu, from Docker's official repository — if it isn't already present.

  2. Creates a clusev system user

    A dedicated, unprivileged user in the docker group that owns and runs the stack — with its own random password.

  3. Asks only two things

    The HTTP port (default 80) and an admin e-mail (default admin@clusev.local). No domain is asked for — you set that later in the dashboard. Preset CLUSEV_ADMIN_EMAIL / CLUSEV_DOMAIN in the environment for a fully unattended install.

  4. Builds and starts everything

    Generates all secrets once (never regenerated on re-run), builds the image, starts the stack, runs migrations, and creates the first administrator with a random one-time password.

  5. Prints a one-time summary

    The dashboard URL, your admin login + one-time password, and the clusev host user + its password. Both passwords are shown only once — note them down.

root@panel: ~/clusev ✓ Clusev is up. ────────────────────────────────────────────── Dashboardhttp://203.0.113.10 Admin loginadmin@clusev.local One-time passwordq7F2-··········-9dLx Host userclusev Host password·············· ────────────────────────────────────────────── ! Shown once — save these now.
The closing summary — the only place the one-time passwords appear
Save the summary

Copy the admin and host passwords before you close the terminal. If you lose the admin one, you can still recover — see Recovery.

First login

Open the dashboard URL from the summary and sign in with your admin e-mail and the one-time password.

http://203.0.113.10 Sign in to Clusev admin@clusev.local •••••••••••• Sign in
The panel is German by default (English available) — status is shown with colour, never emoji

Set your own password

Setting your own password is recommended — a banner keeps reminding you until you do — but no longer forced, so a missed reminder can never lock you out of your own panel. Change it (and the login e-mail) any time under Settings → Profile.

Enable 2FA (optional)

Two-factor auth is optional but recommended. From Settings → Security you can enable a TOTP app and/or a hardware security key, and generate one-time backup codes. See 2FA, audit & sessions.

The guided tour

On first login a short guided tour highlights the key areas — the fleet switcher, dashboard, terminal and settings. Replay it any time from Settings.

Language — German & English

The interface ships in German (default) and English — every screen, label and message is fully translated. Switch language any time under Settings → Profile; only native technical tokens (nginx.service, SSH, 2FA) stay untranslated.

Adding servers

Add a machine by giving Clusev an address and SSH credentials. Nothing is installed on the target — the first connection just works.

Clusev Dashboard ServersServicesFilesAudit Add server NAMEweb-01 HOST203.0.113.42 PORT22 AUTH SSH key Password Connect
Add-server form — name, host, port and either an SSH key or a password

SSH credentials & the vault

Authenticate with an SSH private key (recommended) or a password. Whatever you enter is encrypted at rest in the credential vault and only ever decrypted inside the control plane to open a connection — it never reaches the browser and never leaves the panel host.

Least privilege

Use a dedicated key per server where you can. Later, Clusev's guided hardening flow can generate a key and disable password login on the target safely — see Firewall & hardening.

The fleet switcher

Once added, every page — dashboard, services, files, terminal — is scoped to the currently selected server. Switch across your whole fleet from the switcher at the top of the app. Adding servers is always free and never limited.

Dashboard & metrics

Live CPU, memory, load and disk per server, streamed in real time over a private WebSocket channel.

The dashboard reads metrics from the target's /proc over SSH and broadcasts them to your browser over an authenticated Reverb channel — the whole fleet, at a glance, updating live. The Server details page adds identity, resource gauges, specs, volumes, network interfaces and SSH keys for a single host.

Private by design

Every realtime channel is authenticated — fleet telemetry is never sent over a public channel. Metrics work on essentially any Linux with /proc, no agent required.

Services & files

systemd services

List units, start / stop / restart them, and tail the live journal — per service, per server, without leaving the panel. Requires systemd on the target; where it's absent, service control is shown as unavailable rather than failing silently.

SFTP file manager

Browse the remote filesystem over SFTP, edit text files in place, preview images, and upload / download. Same encrypted SSH session as everything else — no extra daemon on the target.

Web terminal

A full SSH terminal in the browser — one per server, plus one for the Clusev host itself.

web-01 · ssh host key pinned clusev@web-01:~$systemctl status nginx nginx.service — A high performance web server Active: active (running)since Tue 09:14 Main PID: 812 (nginx) clusev@web-01:~$tail -f /var/log/ real PTY · tab-completion · resize-aware
A real interactive PTY over SSH — the connection's host key is pinned against MITM

The terminal is a real PTY with tab-completion and window-resize handling, bridged from the browser to SSH by a small sidecar. On first connect the server's host key is pinned; if it ever changes, Clusev fails the connection closed rather than silently trusting a possible man-in-the-middle. There's also a terminal for the Clusev host itself, so you can manage the panel VM without a separate SSH client.

2FA, audit & sessions

Pluggable two-factor auth, a tamper-evident audit log, and per-device session control.

Two-factor authentication

Enable TOTP (any authenticator app) and/or a hardware security key from Settings → Security, or leave 2FA off — it's optional but recommended. Generate one-time backup codes and store them safely; they're your fallback if you lose your device.

Audit log

Every action is recorded in a complete, searchable, tamper-evident audit log and attributed to the administrator who performed it.

Administrators & sessions

Add further admin accounts under Settings. View active sessions per device and revoke them individually, per user, or globally. SSH credentials for your fleet stay sealed in the encrypted vault throughout.

Firewall & hardening

One-click firewall and fail2ban controls, plus a guided flow to lock down SSH without locking yourself out.

  • Firewall — view and edit ufw / firewalld rules per server from the Server details page.
  • fail2ban — see jail status and toggle protection with one click.
  • SSH key flow — a guided “generate an SSH key and disable password login, safely” sequence that verifies key access before it turns passwords off, so a misconfiguration can't strand you.
  • Automatic updates — enable unattended security upgrades where the package manager supports it.
Availability depends on the target

Hardening uses the host's own firewall and package manager. On systems without them (e.g. Alpine/OpenRC), the action is shown as unavailable rather than failing silently. See Supported systems.

WireGuard

Stand up a WireGuard tunnel straight from the dashboard, manage peers and live status — and optionally gate the panel to the tunnel only.

  1. First-time setup

    Create the WireGuard interface from the dashboard — the host gate provisions the server keys and config for you.

  2. Add peers

    Generate peer configs (with QR for mobile), see live handshake status and per-peer traffic history, and remove peers when they're done.

  3. Gate the panel (optional)

    Restrict access to Clusev — and even SSH — to the tunnel only, so the dashboard isn't exposed on the public internet at all.

Don't lock yourself out

Before gating the panel to WireGuard, confirm your tunnel actually connects. The bare-IP http://<server-ip> recovery path still exists, but set up and test a working peer first.

Domain & TLS

Run on a bare IP over HTTP, add a domain for automatic HTTPS, or sit behind your own reverse proxy — switch modes any time in the dashboard.

Bare IP plain HTTP · always-on recovery path browserhttp://203.0.113.10 Domain + Let's Encrypt automatic HTTPS · certs obtained & renewed for you browserhttps://panel.example.com External reverse proxy proxy terminates TLS · panel serves HTTP, trusts forwarded scheme browserproxyClusev :80
Three access modes — set under System → Domain & TLS

Bare IP (no domain)

Served over plain HTTP at http://<server-ip>. This address always stays reachable as a recovery path, even after you configure a domain.

With a domain

Set it under System → Domain & TLS at any time (or preset CLUSEV_DOMAIN at install). The panel obtains and renews a Let's Encrypt certificate automatically and serves HTTPS — just point DNS at the server. Let's Encrypt needs publicly reachable ports 80/443.

Behind your own reverse proxy

If a proxy already terminates TLS, switch TLS-Terminierung to Externer Reverse-Proxy. The panel then serves HTTP only and trusts the proxy's forwarded scheme — set TRUSTED_PROXY_CIDR to the proxy's address and firewall the HTTP port so only the proxy can reach it.

Applying changes

Domain/TLS changes apply on a stack restart — use the “Jetzt neu starten” button in System. No terminal needed; a small, scoped host service performs the restart. In-panel SMTP (for password-reset mail) is configured on the same screen.

Updating

One command pulls the latest code, then rebuilds, restarts and migrates — preserving your secrets, domain and e-mail settings.

panel host — as root
sudo clusev update   # pull → rebuild → restart → migrate

sudo clusev update fast-forwards the repo (it never discards local changes), re-runs the idempotent installer non-interactively, and updates itself if the script changed. The older two-step git pull && sudo ./install.sh still works.

Safe to re-run

Both the installer and updater are idempotent. Secrets are generated once and never regenerated; your configured domain and e-mail are preserved across updates.

Recovery

Locked out? There's always a way back in — self-service first, host command as a last resort.

Self-service reset

The forgot-password screen offers an e-mail reset link (valid 15 minutes) when SMTP is configured, or an inline 2FA-proof reset — e-mail + a TOTP code or backup code + a new password — as a fallback.

Completely locked out

Lost your password and 2FA, with no SMTP? Recover from the panel host:

panel host
clusev reset-admin

This clears the second factor so you can set a new password on next login. The bare-IP http://<server-ip> address is always available too, if a domain becomes unreachable.

Documented in-panel

This command is also shown under Settings → Security and is deliberately kept off the public forgot-password screen.

Supported systems

Clusev manages whatever it can reach over SSH. How much works depends on the target's init system and package manager.

OS familyMetricssystemd servicesHardening
Debian · Ubuntu (+ derivatives)YesYesYes
RHEL · Fedora · Rocky · Alma · CentOS Stream · Amazon LinuxYesYesYes
openSUSE · SLESYesYesYes
ArchYesYesNot yet (pacman not wired)
Alpine (OpenRC)YesNo systemdNo
Other / unidentified LinuxIf /proc presentNoNo

Metrics read from /proc and work on essentially any Linux. Service control needs systemd. Hardening uses the host's firewall (ufw / firewalld) and package manager (apt / dnf / zypper); where those aren't present, the action is shown as unavailable rather than failing.

FAQ

Do I install anything on the servers I manage?

No. Clusev is agentless — it connects over SSH (exec + SFTP). The only machine that runs software is the panel host.

Is multi-server management really free?

Yes — fleet management is never paywalled. Clusev is open core under AGPL-3.0. Optional Pro modules (SSO/LDAP, RBAC, audit export, alerting) are separate add-ons.

Where are my SSH credentials stored?

Encrypted at rest in a vault on the panel host. They're decrypted only inside the control plane to open a connection and are never sent to the browser.

Where does my data live?

Entirely on your VM. Clusev is self-hosted — your servers, your database, your keys. Nothing phones home.

Clusev — open core, AGPL-3.0 · © 2026 clusev.com · GitHub