Allows provisioning and managing cloud servers on Linode (Akamai), including snapshots and automated maintenance routines.
Enables automated deployment, status monitoring, and snapshot management for DigitalOcean droplets.
Facilitates the management and hardening of Docker-based platforms like Coolify and Dokploy on remote infrastructure.
Supports provisioning, management, and snapshot routines for infrastructure hosted on Hetzner Cloud.
Provides security hardening, firewall configuration, and maintenance tools specifically tailored for Ubuntu-based server environments.
Allows for automated server provisioning, status tracking, and backup operations on the Vultr cloud platform.
Utilizes YAML files for defining server deployment configurations and infrastructure templates.
Why Kastell Exists
Most self-hosted servers break because:
No backup discipline
No update strategy
No security hardening
No monitoring
No snapshot routine
Stop babysitting your servers. Kastell was built to fix that.
Quick Start
# Interactive mode -- no commands to memorize
npx kastell
Running kastell without any arguments launches an interactive search menu with a gradient ASCII banner and quick-start examples. Browse actions by emoji-categorized groups, type to filter results instantly, and configure options step by step -- no need to remember any command names or flags.
██╗ ██╗ ██████╗ ███████╗████████╗███████╗██╗ ██╗
██║ ██╔╝ ██╔══██╗ ██╔════╝╚══██╔══╝██╔════╝██║ ██║
█████╔╝ ███████║ ███████╗ ██║ █████╗ ██║ ██║
██╔═██╗ ██╔══██║ ╚════██║ ██║ ██╔══╝ ██║ ██║
██║ ██╗ ██║ ██║ ███████║ ██║ ███████╗███████╗███████╗
╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚══════╝ ╚═╝ ╚══════╝╚══════╝╚══════╝
KASTELL v1.14.0 · Your infrastructure, fortified.
$ kastell init --template production → deploy a new server
$ kastell status --all → check all servers
$ kastell secure setup → harden SSH + fail2ban
$ kastell maintain --all → full maintenance cycle
? What would you like to do?
Server Management
❯ Deploy a new server
Add an existing server
List all servers
...
Security
Harden SSH & fail2ban
Manage firewall (UFW)
...
Each action includes sub-options (server mode, template, log source, port number, etc.) and a <- Back option to return to the main menu at any point.
If you already know the commands, you can still use them directly:
kastell init # Deploy a new server
kastell status my-server # Check server status
kastell backup --all # Backup all servers
Kastell handles server provisioning, SSH key setup, firewall configuration, and platform installation automatically.
What Makes Kastell Different?
Problem | Solution |
Broke your server with an update? | Pre-update snapshot protection via |
No idea if your server is healthy? | Built-in monitoring, health checks, and |
Security is an afterthought? | Firewall, SSH hardening, SSL, and security audits built-in |
Backups? Maybe someday... | One-command backup & restore with manifest tracking |
Managing multiple servers? | |
Existing server not tracked? | |
Don't want to memorize commands? | Just run |
What Can You Do?
Deploy
kastell # Interactive menu (recommended)
kastell init # Interactive setup (direct)
kastell init --provider hetzner # Non-interactive
kastell init --config kastell.yml # From YAML config
kastell init --template production # Use a template
kastell init --mode bare # Generic VPS (no platform)
kastell init --mode dokploy # Dokploy (Docker Swarm PaaS)
Manage
kastell list # List all servers
kastell status my-server # Check server status
kastell status --all # Check all servers
kastell ssh my-server # SSH into server
kastell restart my-server # Restart server
kastell destroy my-server # Destroy cloud server entirely
kastell add # Add existing server
kastell remove my-server # Remove from local config
kastell config set key value # Manage default configuration
kastell config validate # Validate servers.yaml structure and types
kastell export # Export server list to JSON
kastell import servers.json # Import servers from JSON
Update & Maintain
kastell update my-server # Update platform (Coolify or Dokploy, auto-detected)
kastell update my-server --dry-run # Preview update without executing
kastell maintain my-server # Full maintenance (snapshot + update + health + reboot)
kastell maintain my-server --dry-run # Preview maintenance steps
kastell maintain --all # Maintain all servers
Back Up & Restore
kastell backup my-server # Backup DB + config
kastell backup --all # Backup all servers
kastell restore my-server # Restore from backup
Snapshots
kastell snapshot create my-server # Create VPS snapshot (with cost estimate)
kastell snapshot list my-server # List snapshots
kastell snapshot list --all # List all snapshots across servers
kastell snapshot delete my-server # Delete a snapshot
Security
kastell firewall status my-server # Check firewall
kastell firewall setup my-server # Configure UFW
kastell secure audit my-server # Security audit
kastell secure setup my-server # SSH hardening + fail2ban
kastell domain add my-server --domain example.com # Set domain + SSL
Security Audit
kastell audit my-server # Full security audit (29 categories, 421+ checks)
kastell audit my-server --json # JSON output for automation
kastell audit my-server --threshold 70 # Exit code 1 if score below threshold
kastell audit my-server --fix # Interactive fix mode (prompts per severity)
kastell audit my-server --fix --dry-run # Preview fixes without executing
kastell audit my-server --watch # Re-audit every 5 min, show only changes
kastell audit my-server --watch 60 # Custom interval (60 seconds)
kastell audit --host root@1.2.3.4 # Audit unregistered server
kastell audit my-server --badge # SVG badge output
kastell audit my-server --report html # Full HTML report
kastell audit my-server --score-only # Just the score (CI-friendly)
kastell audit my-server --summary # Compact dashboard view
kastell audit my-server --explain # Explain failed checks with remediation guidance
kastell audit my-server --compliance cis # Filter by compliance framework (cis-level1, cis-level2, pci-dss, hipaa)
Security Hardening
kastell lock my-server # 19-step production hardening (SSH + UFW + sysctl + auditd + AIDE + Docker)
kastell lock my-server --dry-run # Preview hardening steps without applying
Monitor & Debug
kastell monitor my-server # CPU, RAM, disk usage
kastell logs my-server # View platform logs (Coolify or Dokploy)
kastell logs my-server -f # Follow logs
kastell health # Health check all servers
kastell doctor # Check local environment
Supported Providers
Provider | Status | Regions | Starting Price |
Stable | EU, US | ~€4/mo | |
Stable | Global | ~$18/mo | |
Stable | Global | ~$12/mo | |
Beta | Global | ~$12/mo |
Prices reflect the cheapest plan with at least 2 GB RAM (required by Coolify and Dokploy). Bare mode has no minimum requirements -- plans start from ~$2.50/mo depending on provider. You can choose a different size during setup. Linode support is in beta -- community testing welcome.
Supported Platforms
Platform | Mode Flag | Min RAM | Min CPU | Description |
Coolify | | 2 GB | 2 vCPU | Docker-based PaaS (port 8000) |
Dokploy | | 2 GB | 2 vCPU | Docker Swarm-based PaaS (port 3000) |
Bare | | — | — | Generic VPS, no platform overhead |
Kastell uses a PlatformAdapter architecture -- the same commands (update, maintain, logs, health) work across all platforms. The platform is stored in your server record and auto-detected on each command.
Developer Experience
Feature | Command / Flag | Description |
Dry Run | | Preview destructive commands without executing. Available on: destroy, update, restart, remove, maintain, restore, firewall, domain, backup, snapshot, secure. |
Shell Completions | | Generate shell completion scripts for tab-completion of commands and options. |
Config Validation | | Check |
Version Check | | Shows current version and notifies if a newer version is available on npm. |
YAML Config
Deploy with a single config file:
# kastell.yml
provider: hetzner
region: nbg1
size: cax11
name: my-coolify
fullSetup: true
domain: coolify.example.com
kastell init --config kastell.yml
Templates
Template | Best For | Includes |
| Testing, side projects | 1-2 vCPU, 2-4 GB RAM |
| Live applications | 2-4 vCPU, 4-8 GB RAM, full hardening |
| Development & CI/CD | Same as starter, no hardening |
kastell init --template production --provider hetzner
Security
Kastell is built with security as a priority -- 5,087 tests across 197 suites, including dedicated security test suites.
API tokens are never stored on disk -- prompted at runtime or via environment variables
SSH keys are auto-generated if needed (Ed25519)
All SSH connections use StrictHostKeyChecking=accept-new with IP validation (octet range) and environment filtering
Shell injection protection on all user-facing inputs (spawn/spawnSync, no execSync)
Provider error messages are sanitized to prevent token leakage
stderr sanitization redacts IPs, home paths, tokens, and secrets from error output
Config file token detection (22+ key patterns, case-insensitive, nested)
Import/export operations strip sensitive fields and enforce strict file permissions (0o600)
--full-setup enables UFW firewall and SSH hardening automatically
MCP: SAFE_MODE (default: on) blocks all destructive operations, Zod schema validation on all inputs, path traversal protection on backup restore
Claude Code hooks: destroy-block prevents accidental kastell destroy without --force, pre-commit audit guard warns on score drops
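The IP validation and spawn-based execution named in the list above can be sketched as follows. This is an added example, not Kastell's own code; the function names, the user-name pattern and the environment allow-list are assumptions.

```javascript
const { spawnSync } = require("node:child_process");

// Strict dotted-quad check: exactly four decimal octets, each 0-255,
// no leading zeros, signs, whitespace or trailing characters.
function isValidIPv4(input) {
  if (typeof input !== "string") return false;
  const parts = input.split(".");
  if (parts.length !== 4) return false;
  return parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Build the ssh argument vector. Because user and IP are validated first,
// the destination can never start with "-" (option injection) or carry
// shell metacharacters.
function sshArgv(ip, remoteCommand, user = "root") {
  if (!isValidIPv4(ip)) throw new Error(`invalid IPv4 address: ${JSON.stringify(ip)}`);
  if (!/^[a-z_][a-z0-9_-]{0,31}$/.test(user)) throw new Error("invalid user name");
  return ["-o", "StrictHostKeyChecking=accept-new", `${user}@${ip}`, remoteCommand];
}

// Environment filtering (assumed meaning): hand the child only what ssh needs,
// so provider tokens in process.env never reach it.
function filteredEnv(env = process.env, allow = ["PATH", "HOME", "SSH_AUTH_SOCK"]) {
  return Object.fromEntries(allow.filter((k) => k in env).map((k) => [k, env[k]]));
}

// spawnSync with an argv array and shell: false starts ssh directly; no local
// /bin/sh parses the arguments, unlike execSync(`ssh root@${ip} ...`).
// remoteCommand is still run by the remote shell, so keep it a fixed string.
function runRemote(ip, remoteCommand) {
  return spawnSync("ssh", sshArgv(ip, remoteCommand), {
    shell: false,
    env: filteredEnv(),
    encoding: "utf8",
    timeout: 30000,
  });
}
```

With accept-new, ssh records an unknown host key on first contact and refuses a key that later changes, so a reprovisioned IP needs its old known_hosts entry removed.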
Installation
# Run directly (recommended)
npx kastell <command>
# Or install globally
npm install -g kastell
kastell <command>
Requires Node.js 20 or later.
Troubleshooting
Server creation fails?
Run kastell doctor --check-tokens to verify your API token and local environment.
Server not responding?
Use kastell status my-server --autostart to check platform status and auto-restart if needed, or kastell health to check all servers at once.
Need to start fresh?
kastell destroy my-server removes the cloud server entirely.
Contributing
See CONTRIBUTING.md for development setup, testing, and contribution guidelines.
Kastell uses 5,087 tests across 197 suites. Run npm test before submitting PRs.
MCP Server (AI Integration)
Kastell includes a built-in Model Context Protocol server for AI-powered server management. Works with Claude Code, Cursor, Windsurf, and other MCP-compatible clients.
{
  "mcpServers": {
    "kastell": {
      "command": "npx",
      "args": ["-y", "-p", "kastell", "kastell-mcp"],
      "env": {
        "HETZNER_TOKEN": "your-token",
        "DIGITALOCEAN_TOKEN": "your-token",
        "VULTR_TOKEN": "your-token",
        "LINODE_TOKEN": "your-token"
      }
    }
  }
}
Available tools:
Tool | Actions | Description |
| list, status, health, sizes | Query server information, check cloud provider and platform status |
| logs, monitor | Fetch platform/Docker logs and system metrics via SSH |
| add, remove, destroy | Register, unregister, or destroy cloud servers |
| update, restart, maintain | Update platform, restart servers, run full maintenance |
| secure, firewall, domain | SSH hardening, firewall rules, domain/SSL management (10 subcommands) |
| backup, snapshot | Backup/restore databases and create/manage VPS snapshots |
| create | Provision new servers on cloud providers |
| audit | 421+-check security audit with compliance framework filtering; use |
| collect | Collect forensic evidence package with checksums |
| start, stop, status | Manage autonomous security monitoring daemon |
| diagnose | Proactive health analysis with remediation commands |
| harden | 19-step production hardening (SSH, UFW, sysctl, auditd, AIDE, Docker) |
| overview | Fleet-wide health and security posture dashboard |
All destructive operations (destroy, restore, snapshot-delete, provision, restart, maintain, snapshot-create) require SAFE_MODE=false to execute.
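One way to implement a default-on guard like this, together with the path traversal check on backup restore mentioned under Security. This is an added example, not Kastell's code: the function names and the backup directory are hypothetical, and the Zod validation is left out so the block runs without dependencies.

```javascript
const path = require("node:path");

// Destructive operations, as listed on this page.
const DESTRUCTIVE = new Set([
  "destroy", "restore", "snapshot-delete", "provision",
  "restart", "maintain", "snapshot-create",
]);

// Default-on and fail-closed: only the exact string "false" disables the
// guard. Unset, empty, "0", "no" or a typo all leave SAFE_MODE enabled.
function safeModeEnabled(env = process.env) {
  return env.SAFE_MODE !== "false";
}

// Decide whether a tool action may run under the current environment.
function authorize(action, env = process.env) {
  if (DESTRUCTIVE.has(action) && safeModeEnabled(env)) {
    return { allowed: false, reason: `${action} is destructive; set SAFE_MODE=false to allow it` };
  }
  return { allowed: true, reason: "ok" };
}

// Resolve a requested backup name inside backupRoot and reject anything
// that escapes it ("../" sequences, absolute paths, NUL bytes).
// Symlinks inside backupRoot are not followed here; resolving them would
// need fs.realpathSync on an existing path.
function resolveBackupPath(backupRoot, requested) {
  if (typeof requested !== "string" || requested === "" || requested.includes("\0")) {
    throw new Error("invalid backup name");
  }
  const root = path.resolve(backupRoot);
  const target = path.resolve(root, requested);
  const rel = path.relative(root, target);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (rel === "" || escapes) {
    throw new Error(`backup path escapes ${root}`);
  }
  return target;
}
```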
Claude Code Plugin
Kastell is available as a Claude Code plugin for the Anthropic marketplace. The plugin bundles:
4 skills: kastell-ops (architecture reference), kastell-scaffold (component generation), kastell-careful (destructive op guard), kastell-research (codebase exploration)
2 agents: kastell-auditor (parallel audit analyzer), kastell-fixer (worktree-isolated auto-fix)
5 hooks: destroy-block, session-audit, session-log, pre-commit-audit-guard, stop-quality-check
Install via Claude Code plugin manager or use directly with claude --plugin-dir kastell-plugin.
MCP Platform Setup
Platform | Config Location | Guide |
Claude Code | | |
Claude Desktop | | |
VS Code / Copilot | | |
Cursor | | |
More platforms (JetBrains, Windsurf, Gemini, and others) coming in v2.0.
AI Discoverability
Kastell provides llms.txt for AI crawlers and is listed in the MCP Registry as io.github.kastelldev/kastell.
CI/CD Integration
Use kastell audit in your CI pipeline to enforce security baselines:
# .github/workflows/security-audit.yml
name: Security Audit
on:
  schedule:
    - cron: '0 6 * * 1' # Weekly Monday 6 AM
  workflow_dispatch:
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g kastell
      - run: kastell audit --host root@${{ secrets.SERVER_IP }} --threshold 70 --json > audit-result.json
      - uses: actions/upload-artifact@v4
        with:
          name: audit-report
          path: audit-result.json
The --threshold flag causes a non-zero exit code when the score falls below the target, failing the CI job automatically.
What's Next
Test Excellence: Mutation testing, coverage gaps, integration tests (v1.14)
Plugin ecosystem with marketplace distribution (v2.0)
Dashboard and managed service (v3.0)
Philosophy
Infrastructure should be boring, predictable, and safe.
Kastell is not a script. It's your DevOps safety layer for self-hosted infrastructure.
License
Apache 2.0 -- see LICENSE
Support
GitHub Issues -- Bug reports and feature requests
Changelog -- Version history
Built by @omrfc