Lightweight Linux patch management and Docker stack maintenance from a single dashboard.
QuietKeep is a self-hosted web application that lets you manage system updates and Docker containers across all your Linux hosts from one place. No agents to install. Everything works over SSH.
- Scan all your Linux hosts for available package updates
- Patch with one click. Applies security updates without upgrading your OS version
- Track patch history per host with full log output
- Detect when hosts need a reboot after kernel updates
- Supports Debian/Ubuntu, Kali Linux, Arch/CachyOS, and Proxmox VE
- Discover Docker Compose stacks automatically on any host
- Detect when container images have newer versions available
- Update stacks with one click. Pulls new images and recreates containers
- View update history with full logs
- Release notes links for quick access to changelogs
- CISA KEV catalog built in. Browse the Known Exploited Vulnerabilities database
- Filter by vendor, threat actor, or time range
- Ransomware tracking shows which CVEs are linked to ransomware campaigns
- Auto-updated from the official CISA feed
- Single-user authentication with admin login and JWT session cookies
- Optional TOTP 2FA via any authenticator app (Google Authenticator, Authy, 1Password, Bitwarden)
- Password reset via filesystem token (requires server access, no email or cloud)
- All API routes protected (except health check and auth endpoints)
- Home overview with at-a-glance status of all hosts, stacks, tags, and recent activity
- Clickable filter cards let you drill into hosts that need updates, reboots, or Docker attention
- Host tags to organize hosts by role, location, or environment with colored labels and filtering
- Bulk patch all hosts with one click, per-host error surfacing, and automatic re-scan
- Patch history export as per-host CSV or fleet-wide Excel (.xlsx with per-host tabs)
- Recent activity feed with color-coded timeline and relative timestamps
- Disk usage monitoring with color-coded thresholds in the Diagnostics table
- Light, Dark, and System themes
- First-run wizard with SSH key generation, host import, key deployment, and pre-flight checks
- Settings page for SSH config, scan intervals, security, tags, and theme
- Built-in Help with searchable FAQ and link to the full User Guide
QuietKeep Server Managed Hosts
┌──────────────────┐ ┌─────────────────────┐
│ FastAPI Backend │── SSH ──▶│ apt / pacman │
│ React Frontend │ │ docker compose │
│ SQLite DB │ │ No agents needed │
└──────────────────┘ └─────────────────────┘
QuietKeep connects to your hosts over SSH using key-based authentication. It runs standard system commands (apt, pacman, docker compose). Nothing is installed on the managed hosts.
| Layer | Technology |
|---|---|
| Backend | Python 3.12, FastAPI, SQLAlchemy, asyncssh |
| Frontend | React 19, TypeScript, Tailwind CSS 4, Lucide icons |
| Database | SQLite (zero config) |
| Transport | SSH (key-based, no agents) |
| Deployment | Docker Compose (single container, builds from source) |
All core features are functional and tested on an 18-host fleet.
- ✅ Host tags: organize hosts by role, location, or environment with colored labels; filter on Home and Dashboard
- ✅ Bulk patch all: one-click patch all hosts with pending updates; per-host error surfacing and automatic re-scan
- ✅ Recent activity feed: color-coded timeline of scans, patches, reboots, and Docker updates with relative timestamps
- ✅ Patch history export: per-host CSV and fleet-wide Excel (.xlsx with per-host tabs, one row per package)
- ✅ Disk usage monitoring: color-coded column in Diagnostics (green/amber/red thresholds)
- ✅ Build tag badge: optional TEST/BETA label in nav bar via BUILD_TAG env var
- ✅ Clickable metric tiles: Home page cards navigate to patches/docker pre-filtered
- ✅ UI polish: host count badges on filter tabs, active filter chips, relative timestamps in activity feed
- ✅ Tag management: create, rename, recolor, delete tags in Settings; assign tags per host from Host Detail
- ✅ Tags card on Home: colored pills link directly to Dashboard filtered by that tag
- ✅ User Guide link: accessible from About section and Help page
- ✅ Multi-OS host management (apt, pacman, kali, proxmox)
- ✅ One-click scanning and patching with full log capture
- ✅ Docker stack discovery and one-click updates
- ✅ Dashboard with filter cards, patch history, reboot detection
- ✅ Single-user authentication with optional TOTP 2FA
- ✅ First-run wizard with SSH key generation, host import, and key deployment
- ✅ Settings page with theme support, SSH configuration, and security settings
- ✅ Help page with searchable FAQ, bug reporting, and feature requests
- ✅ Threat Intel dashboard with CISA KEV catalog and ransomware tracking
- ✅ Docker Compose deployment with auto-detected IP and SSH key management via web UI
- ✅ Automated sudoers probing with one-click Fix Sudoers
- ✅ GPG key rotation detection with in-app secure recovery guidance (Kali/apt)
- ✅ Held-back package detection with opt-in kernel upgrade flow
- ✅ Fleet-wide Diagnostics tab with sortable OS, kernel, uptime, reboot, and sudoers columns
- ✅ Per-host Diagnostics card consolidating system health in one view
- ✅ Real OS name detection from
/etc/os-releaseand kernel version probing viauname -r - ✅ Scanning-in-progress banner with live feedback
- ✅ Password reset via filesystem token (no email or cloud required)
- 📋 Email/webhook notifications for available updates
- 📋 Selective patching (choose which packages to update)
- 📋 Multi-user support with roles
- 📋 Pre-built Docker images on GitHub Container Registry
- 📋 Linux-aware CVE cross-reference (NVD API, Ubuntu/Debian trackers)
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores | 4 cores |
| RAM | 2 GB | 4 GB |
| Disk | 10 GB | 20 GB+ |
| Python | 3.11+ | 3.12 |
| Node.js | 18+ | 20+ (build only) |
| OS | Ubuntu 22.04+ / Debian 12+ | Ubuntu 24.04 |
Managed hosts need: SSH access with key-based auth, passwordless sudo for package commands. Docker features require Docker Engine 20.10+ with Compose v2 plugin.
git clone https://github.com/QuietWireDev/QuietKeep.git ~/quietkeep
cd ~/quietkeep
docker compose up -d --buildOpen https://YOUR_SERVER_IP in your browser. You will see a self-signed certificate warning on the first visit (this is normal, see the User Guide for details).
The first-run wizard walks you through creating your admin account, generating an SSH key, adding hosts, and deploying keys.
For a full walkthrough including Docker installation, firewall setup, and reverse proxy configuration, see the User Guide.
To update to a newer version:
cd ~/quietkeep
git pull
docker compose up -d --buildYour data, settings, SSH keys, and certificates are stored in named Docker volumes and are not affected by rebuilds. Check the Releases page or CHANGELOG for what changed in each version.
QuietKeep is open source software licensed under the GNU Affero General Public License v3.0.
Copyright (C) 2026 QuietWire (Dennis Ayotte)
Built by QuietWire