nsbd · operator's cockpit
Nexus for Services, Bots & Deployments · 14 providers · 4 agents

The operator's cockpit
for everything you SSH into,
click through and forget about.

nsbd is a self-hosted admin dashboard that puts your entire stack — cloud instances, managed databases, domains, Git repos, object storage, hosting platforms, the boxes you SSH into, and the AI coding agents you point at all of it — behind a single login. Stop bouncing between twelve provider consoles and four terminal tabs to answer one question.

Your Postgres · Ubuntu / Debian · Traefik‑aware · Tailnet‑friendly
nsbd.internal/projects
Projects
11 projects
ChargeMac — App
Silly macOS menu bar app to yell at you when your battery gets low.
1 Domain 1 DNS 1 Repo 1 Hosting
mikeroq/chargemac-app · 4/8
ChargeMac — Website
chargemac.com
The website for ChargeMac.
1 Domain 1 DNS 1 Repo 1 Hosting 1
mikeroq/chargemac-website · 4/8
ChargeWin — App
Windows version of ChargeMac.
1 Domain 1 DNS 1 Repo 1 Hosting
mikeroq/chargewin-app · 4/8
ChargeWin — Website
chargewin.net
The website for ChargeWin.
1 Domain 1 DNS 1 Repo 1 Hosting
mikeroq/chargewin-website · 4/8
BurnADollar
burnadollar.com
Website for people to give me money.
1 Domain 1 DNS 1 Repo 1 Hosting
mikeroq/burnadollar · 4/7
LeapDrop
leapdrop.io
Clone of JumpFaUlo.
1 Domain 1 DNS 1 Repo 1 Hosting
mikeroq/leapdrop · 4/7
nsbd
nsbd
The control center.
0 Domain 0 DNS
0 resources · 4/3
trussbridges
trussbridges
SaaS platform for IT management of Assets, Tickets, Knowledge, and more.
1 Domain 1 DNS 2 Repo 1 Hosting 2
mikeroq/trussbridges · 4/7
snap
snap.int.mroq.dev
Screenshot service with windows screenshot hook and browser extension.
1 Domain 1 DNS 5 Repo 1 Hosting 2
mikeroq/snap · 4/6
The five‑tab problem

Even a small product is split across a dozen consoles.

One service is a repo at GitHub, DNS at Cloudflare, a container at Coolify, a database at Supabase, secrets in 1Password and logs on a VPS you SSH into. Answering “is it up?” means opening five tabs and hoping you remembered the right ones.

Today
Ten tabs. Four CLIs. One question.
GitHub · Cloudflare · Vultr · Coolify · Render · 1Password · Namecheap · Grafana · Notion · Sentry · +3 more
  • 09:14 open Cloudflare to check the DNS record
  • 09:15 open GitHub to grab the SHA that's deployed
  • 09:16 open Coolify to restart the container
  • 09:17 ssh into the VPS to tail the logs
  • 09:18 open 1Password to find the env var
  • 09:19 …what was the original question?
With nsbd
One project. One page.
  • trussbridges
    trussbrid.ges · 8c01c72 · 2 days · healthy
  • Repo · github.com/mikeroq/trussbridges
    master · synced 4m ago · webhook receiving
  • DNS · cloudflare
    A trussbrid.ges → 78.46.x.x · auto‑created on deploy
  • Env vars · 7 keys
    encrypted in your Postgres · injected at deploy
  • Last deploy · 4 days ago
    ✓ build · ✓ healthcheck · rollback available
⌘K · jump to any resource across every provider
Inventory · 01

Group your sprawl into Projects.

A “service” becomes one thing again — its repo, its domain, its database, its host, its deploys — instead of seven tabs. Synced on a schedule from each provider's API.

synced 23h ago
Projects: 11 · 11 total
Repos: 73 · 65 non‑fork
Services: 15 · 10 healthy
Domains: 12 · 12 active
Object Storage: 5 · 8.3 GB
Databases: 9 · 2 backups due
Cloud Hosts: 8 · $132/mo
Networks: 4 · tailnet healthy
1. One login, every console

OAuth or API key once per provider. nsbd polls the rest. Your data stays in your Postgres.

2. Unified search

Find a repo, a hostname, a TXT record or a Stripe webhook by name across every provider you've connected.

3. Project = bundle

Pin a repo, a domain, a host, a database and a deploy target together. Everything else follows.

Agent Sessions · 02

Develop with your AI coding agents
— without ever leaving nsbd.

Claude Code, Codex, Gemini, OpenCode: spawn them, talk to them, watch them work, and approve what they do, all from one dashboard. The browser tab is the IDE; tmux, transcripts and per‑agent quirks stay out of your way.

nsbd.internal/agents/claude-9bccef
claude · opus 4.7 · ~/trussbridges · awaiting input
Chat · Terminal
me
let's look at the failing test in auth.test.ts and patch the middleware
C
Read tests/auth.test.ts
Read services/auth/permission-middleware.js
Edit services/auth/permission-middleware.js · awaiting
− if (req.user.role !== 'admin')
+ if (!hasPermission(req.user, 'admin'))
I rewrote the gate to use hasPermission so the check matches the new RBAC table. Need approval before I write the file.
claude wants to Edit services/auth/permission-middleware.js
hook source · sent from session 9bccef
Every agent, one pane of glass

Whether you launched a session from nsbd or fired one up in a terminal yourself, it shows up in the sessions list with a live status pill — starting, generating, awaiting input, idle, ended.

Chat with any agent, in the browser

Streaming responses, tool‑call chips with inline diffs for Edit / MultiEdit, success/error coloring on every tool result, and a transcript search that actually finds things. No terminal in sight.

Approve permissions in‑page

Permission requests land as a banner enriched with the actual path or command — not a generic “Claude wants permission for Write.” Allow, Allow always, or Deny travels back to the agent. Hooks or ACP, same banner.

Full tmux, always at your fingertips

Every session keeps a live Terminal tab next to its Chat — the agent’s full tmux window with scrollback and keystrokes, not a preview that only appears when something breaks. A stall sweep also flags sessions that have gone quiet, so a wedged agent surfaces on its own.

Spawn with context, not from scratch

Launch from any project, working directory and model. A short preamble tells the agent where it is and to read the local AGENTS.md / CLAUDE.md — it arrives oriented instead of asking for a tour. Optional starting prompt.

Token usage that adds up

Per‑session totals roll into account analytics: daily stacked bars by agent, totals by model and project. Tokens attribute to the day they were generated. Live 5‑hour quota windows for Claude and Codex.

Control plane · 03

Not just an inventory viewer.
The buttons actually do things.

Deploy, provision, run, schedule and roll back from one pane. Everything streams live; everything lands in the job log; everything can be put on a cron.

One‑click container deploys

Push a Dockerfile or Compose file. Traefik routes, Let's Encrypt certs and DNS records get wired up automatically, with rollback to the last green SHA baked in.

Provision over SSH

Hand nsbd an IP. The Ansible playbook installs the Go host agent, registers the box and joins your inventory.

Ansible playbooks

Edit, run and version playbooks against any host, group or tag — and chain them into Runbooks. Live output streams into the job log.

Visual Pipelines

Compose Runbooks into a drag‑and‑drop canvas. Branch, parallelise, wait for approval, retry — a real DAG, not YAML stapled together.

Terraform stack runner

Declarative cloud resources with state held in your own Postgres via a built‑in HTTP backend. No Terraform Cloud, no S3 + DynamoDB.

Live job streams

Every long‑running operation streams stdout/stderr over WebSocket and lands in a unified Postgres‑backed job history.

Cron‑scheduled anything

Backups, playbooks, deploys, custom scripts — schedule any job on a cron and get a Discord ping on failure.

Browser tmux & agent sessions

Open a tmux session on any managed host straight from a tab — including the one your Claude, Codex or Gemini CLI is running inside. Pull‑down Quake terminal on every page.

trussbridges · trussbrid.ges ↗
Restart · Stop · Deploy
Container: 8c01c721e5d6
Image: 10964b4
Live Status: ● Up 2 days
Resources: No limits
Build · Network · Environment · Dockerfile · Logs · Deploy
Deploy Method: Dockerfile
Branch: master
Git Repository: https://github.com/mikeroq/trussbridges.git
Dockerfile Path: ./Dockerfile
Build Context: .
Restart Policy: Unless Stopped
CPU Limit: e.g. 0.5 or 2
deploy · trussbridges
streaming · 00:23
12:04:01 → git fetch origin master
12:04:02 ↳ 8c01c72 chore: bump base image
12:04:03 → docker build -t trussbridges:8c01c72 .
12:04:09 step 1/12 FROM node:22-slim
12:04:11 step 2/12 COPY package*.json .
12:04:18 step 6/12 RUN pnpm install --frozen-lockfile
12:04:31 step 9/12 COPY . .
12:04:38 step 12/12 CMD ["node", "server.js"]
12:04:39 → docker push registry.nsbd.lan/trussbridges:8c01c72
12:04:48 → traefik route bound · trussbrid.ges → :3000
12:04:49 ✓ healthcheck passed (3/3)
12:04:50 deploy succeeded · rollback available
also written to /jobs/2741
Pipelines · 04

A real DAG.
Not YAML stapled together.

Compose playbooks, runbooks, deploys and arbitrary shell into a drag‑and‑drop canvas. Branch on success or failure, parallelise, wait for human approval, retry. Each node streams its output into the unified job log; the whole pipeline is one row in the queue.

trussbridges · release · run #438
running · 00:08:42
Git push: master · 8c01c72
Build container: 12 layers · 7.2s
Run tests: 342 / 342 ✓
Deploy staging: trussbridges-staging
Healthcheck: 3/3 passed
Approval gate: @mikeroq · waiting
Deploy prod: trussbridges
Notify Discord: #ops-deploys
Rollback: if healthcheck fails
9 nodes · 8 edges · 1 branch · powered by xyflow
Run feed
Every node lands in the job log
  • 12:04:01 trigger · git push origin master
  • 12:04:03 build · docker build -t trussbridges:8c01c72
  • 12:04:11 test · 342 passed · 0 failed · 14.2s
  • 12:04:25 deploy-staging · container up · traefik route bound
  • 12:04:30 healthcheck · GET /healthz · 200 · 3/3
  • 12:04:30 approve · waiting on @mikeroq
  • deploy-prod · queued · gated on approval
  • notify · discord #ops-deploys
also written to /jobs/438
Integrations · 05

Connect once. Sync forever.

Drop in an API key — nsbd handles the rest. Resources show up in inventory, can be grouped into Projects, and the credentials never leave your encrypted Postgres.

secrets encrypted at rest
  • Vultr · cloud · synced
  • Cloudflare · dns / edge · synced
  • GitHub · repos · synced
  • Coolify · hosting · synced
  • Vercel · hosting · synced
  • Render · hosting · synced
  • Turso · database · synced
  • Supabase · database · synced
  • Hetzner · cloud · synced
  • Railway · hosting · synced
  • Namecheap · domains · synced
  • Spaceship · domains · synced
  • Infomaniak · cloud · synced
  • S3‑compatible · object store · synced
api keys · oauth · ssh keypairs
Don't see your provider? File an integration request →
What nsbd does per integration kind
read the small print before you wire a key
Cloud

Inventory VMs, snapshots, regions, billing. Restart, destroy, attach storage.

Vultr · Hetzner
Repos

Sync repos, branches, commits and webhooks. Wire deploy triggers without leaving the dashboard.

GitHub
Domains

Registrar metadata, nameservers, transfer + renewal status, contact records.

Namecheap · Spaceship · Infomaniak · Cloudflare
DNS / edge

Create and update DNS records — auto‑wired when you bind a domain to a service.

Cloudflare
Hosting (synced)

Read existing projects + deploys for context. You can keep using these — nsbd surfaces them, doesn't replace them.

Vercel · Render · Railway · Coolify
Hosting (deploys here)

Bring your own host: provision over SSH and nsbd runs Docker / Compose on it directly. This is where containerised deploys actually land.

any Ubuntu / Debian host
Databases

Sync managed DBs, connection strings, plans and backup status — or provision Postgres / MySQL / Redis / SQLite on a managed host yourself.

Supabase · Turso · Railway · Vultr
Object storage

List buckets, generate presigned uploads, manage CORS + lifecycle policies.

Cloudflare R2 · S3 · Vultr
Architecture · 06

Power without lock‑in.
Built for operators who'd build this themselves — if they had the weekends.

Topology
1 dashboard · N hosts · M providers
Your browser: React + Vite
HTTPS · WS
nsbd dashboard: Node · Express · CommonJS
  • Postgres: state · jobs · secrets
  • Deployer: Go · SQLite · rollback
  • Host pool: WS fan‑out
Managed hosts · run the Go agent
  • dash · agent · Docker · Postgres · Traefik
  • trussbridges-prod · agent · Docker · restic
  • snap-edge · agent · Docker · tmux
Each host: :4100 · WebSocket tail · system metrics · Docker · tmux · restic
Provider APIs · synced, never proxied
Vultr · Hetzner · GitHub · Cloudflare · Vercel · Render · Railway · Coolify · Supabase · Turso · Namecheap · Spaceship · Infomaniak · R2 / S3
Polled on a schedule · webhooks where supported · credentials encrypted at rest
dashboard · managed host · provider API · no SaaS in the middle
Node + Go

An Express dashboard, a Go host agent on every box and a Go deployer that owns rollbacks. Three small services, one Postgres, no orchestration framework.

Self‑hostable

Runs on any Ubuntu or Debian box behind your own Traefik. No SaaS dependency, no phone home, no telemetry.

Your Postgres

All state — inventory, jobs, secrets, deploy history, Terraform state — lives in a Postgres database you own. Bring your own RDS or run the bundled one.

Secrets encrypted at rest

Provider API keys, SSH keypairs and per‑service env vars are sealed with a master key you supply. Injected into containers at deploy time, never logged.

Tailnet‑friendly

Reach private hosts over your tailnet without exposing them publicly. The host agent listens on the interface you tell it to — pair it with Tailscale and you're done.

Deployer with audit trail

Every push is a fast‑forward‑only merge, build, restart, healthcheck — and auto‑rollback to the last green SHA on failure. Per‑deploy stdout/stderr tails live in a local SQLite store.

Auto‑DNS + Traefik

Bind a domain to a service and the DNS record gets created at your registrar and a Traefik route + Let's Encrypt cert gets wired up. No YAML to write.

HTTP Terraform state backend

Run Terraform with state stored in your own Postgres over a built‑in HTTP backend. No Terraform Cloud, no S3 + DynamoDB dance.

Postgres‑backed job queue

Deploys, playbooks, runbooks, terraform and backups all land in one job queue with live WebSocket tails, retries and a permanent history.

Backups on restic

Bundled backup system on top of restic. Schedule snapshots of databases, volumes and home directories — cron‑gated, alert on failure.

Database engine provisioner

Spin up Postgres, MySQL, Redis or SQLite on a managed host with users, roles, TLS, external ingress and restic backups configured.

Fleet‑aware host agents

The Go host agent runs on every managed box and holds a persistent WebSocket to the dashboard. System metrics, Docker, tmux and deploys streamed in real time.

Playbooks, runbooks, pipelines

Editable Ansible playbooks, chainable runbooks and a drag‑and‑drop pipeline canvas. Each step streams to the job log; failures pause for approval.

Notifications & API

Failures fan out to Discord webhooks. Every action that the UI does is also available as an authenticated HTTP API with an in‑dashboard Scalar reference.

Built‑in wiki & editor

Monaco code editor and MDX wiki built in. The runbooks you keep meaning to write down, finally linked from every host, project and job.

Roadmap · 07

Shipping in the open.
Steered by what operators actually do every Tuesday.

Recently shipped
last 90 days
  • Multi‑host fleet

    Go host agent on every box, persistent WS pool, one‑command SSH provisioning.

  • Database engine provisioner

    Spin up Postgres / MySQL / Redis / SQLite with users, roles, TLS and ingress.

  • Auto‑DNS + Traefik

    Bind a domain to a service; DNS + Traefik route + Let's Encrypt cert wire up.

  • Restic backups

    Scheduled snapshots of databases, volumes and home directories with retention.

  • HTTP Terraform state backend

    Terraform with state in your own Postgres. No Terraform Cloud, no S3 + DynamoDB.

  • Pipeline canvas

    Drag‑and‑drop runbook DAG built on xyflow with approval gates and retries.

  • Deployer with rollback

    FF‑only merges, healthchecks, auto‑rollback to the last green SHA, SQLite audit trail.

  • OAuth SSO + RBAC

    Single‑user mode out of the box; add an OAuth provider for teams with per‑route permissions.

  • Quake terminal + agent sessions

    Pull‑down tmux on every page with Claude / Codex / Gemini state pills.

  • Postgres‑backed job queue

    Deploys, playbooks, runbooks, terraform and backups in one queue with live tails.

Up next
directional · not dated
  • Kubernetes provider

    Deploy to existing clusters; sync namespaces, workloads and ingresses.

  • More cloud providers

    DigitalOcean, Linode and Scaleway. The adapter API stays small — PRs welcome.

  • Fleet‑wide search

    ⌘K across every host, service, secret reference and job log.

  • Pipeline host scoping

    Deploy individual pipeline steps to specific hosts or host groups.

  • Scheduled pipeline runs

    Crontab any pipeline directly from the canvas; Discord on failure.

  • Public API tokens

    Scoped tokens for the existing HTTP API + a Scalar reference built in.

FAQ · 08

Frequently asked,
quickly answered.

How is this different from Coolify, Portainer or Dokku?

Those run one host's containers. nsbd does too — but its real job is the layer above: tying that host's deploys to your registrar, your DNS, your repo, your job log, your other hosts, your Terraform state, your backups and your wiki. The container runner is one feature, not the whole product.

Is the source available?

Not yet — the source is private while the API surface, migrations and installer settle. The plan is to open it once those are stable.

Does it phone home?

No telemetry. No analytics. The only outbound traffic is to providers you configured and Discord webhooks you opted into.

Where do my secrets live?

In your Postgres, encrypted at rest with a master key you supply. Decrypted only when they're injected into a container at deploy time or used to call a provider API. Never written to disk in plaintext.

Does it support SSO?

Yes. OAuth‑based SSO is built in alongside an RBAC permission system — single‑user mode works out of the box, add an OAuth provider when you want to invite teammates. Per‑route permission gates and an audit log cover who did what.

What if my provider isn't supported?

SSH usually fills the gap — point nsbd at a Linux box, install the host agent, and run anything you'd run on a server. For a deeper integration, the provider adapter API is ~200 lines of JS per kind (cloud, hosting, database, domains, storage).

Do I need a domain?

No. nsbd happily runs on a tailnet or LAN address. Domains become useful once you start deploying public services and want auto‑DNS + Let's Encrypt.

Can I bring my own Postgres?

Yes — point the dashboard at any reachable Postgres 14+ via a connection string. RDS, Supabase, Neon, the bundled Docker container, or one of your own host‑agent‑provisioned engines all work.

What's the minimum spec to self‑host?

Dashboard box: 1 vCPU, 1 GB RAM, Ubuntu 22.04+ or Debian 12+, Postgres 14+. Each managed host runs a single Go binary that idles at a few MB of RAM.

How do updates work?

The dashboard updates itself on git push via the bundled deployer — fast‑forward‑only merge, build, restart, healthcheck, auto‑rollback on failure. Host agents update from a single button on the hosts page (or on a cron).

Can multiple people use it?

Yes. SSO covers login, RBAC covers what each person can see and do, and every action streams into the shared job log so the rest of the team has context.

Does it work with Tailscale?

Yes — host agents bind to whichever interface you configure, so pairing them with Tailscale gives you a private fleet without exposing anything publicly. Each newly provisioned host can join your tailnet automatically using an auth key stored in nsbd's encrypted secret store.

Install · 09

The dashboard you'd build for yourself.
Now you don't have to.

A Node/Express dashboard, a Go host agent and a Go deployer — all backed by your own Postgres. Three systemd units, no SaaS in the loop, no phone home.

v1.1 · self-hosted · ubuntu 22.04+ / debian 12+ · postgres 14+