Kastell
Your infrastructure, fortified.
English | Türkçe
Why Kastell Exists
Most self-hosted servers break because:
- No backup discipline
- No update strategy
- No security hardening
- No monitoring
- No snapshot routine
Stop babysitting your servers. Kastell was built to fix that.
Quick Start
# Interactive mode -- no commands to memorize
npx kastell
Running kastell without any arguments launches an interactive search menu with a gradient ASCII banner and quick-start examples. Browse actions by emoji-categorized groups, type to filter results instantly, and configure options step by step -- no need to remember any command names or flags.
██╗ ██╗ ██████╗ ███████╗████████╗███████╗██╗ ██╗
██║ ██╔╝ ██╔══██╗ ██╔════╝╚══██╔══╝██╔════╝██║ ██║
█████╔╝ ███████║ ███████╗ ██║ █████╗ ██║ ██║
██╔═██╗ ██╔══██║ ╚════██║ ██║ ██╔══╝ ██║ ██║
██║ ██╗ ██║ ██║ ███████║ ██║ ███████╗███████╗███████╗
╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚══════╝ ╚═╝ ╚══════╝╚══════╝╚══════╝
KASTELL v1.14.0 · Your infrastructure, fortified.
$ kastell init --template production → deploy a new server
$ kastell status --all → check all servers
$ kastell secure setup → harden SSH + fail2ban
$ kastell maintain --all → full maintenance cycle
? What would you like to do?
Server Management
❯ Deploy a new server
Add an existing server
List all servers
...
Security
Harden SSH & fail2ban
Manage firewall (UFW)
...
Each action includes sub-options (server mode, template, log source, port number, etc.) and a <- Back option to return to the main menu at any point.
If you already know the commands, you can still use them directly:
kastell init # Deploy a new server
kastell status my-server # Check server status
kastell backup --all # Backup all servers
Kastell handles server provisioning, SSH key setup, firewall configuration, and platform installation automatically.
What Makes Kastell Different?
| Problem | Solution |
|---|---|
| Broke your server with an update? | Pre-update snapshot protection via maintain |
| No idea if your server is healthy? | Built-in monitoring, health checks, and doctor diagnostics |
| Security is an afterthought? | Firewall, SSH hardening, SSL, and security audits built-in |
| Backups? Maybe someday... | One-command backup & restore with manifest tracking |
| Managing multiple servers? | --all flag across backup, maintain, status, and health |
| Existing server not tracked? | kastell add brings any server under management |
| Don't want to memorize commands? | Just run kastell -- interactive menu guides you |
What Can You Do?
Deploy
kastell # Interactive menu (recommended)
kastell init # Interactive setup (direct)
kastell init --provider hetzner # Non-interactive
kastell init --config kastell.yml # From YAML config
kastell init --template production # Use a template
kastell init --mode bare # Generic VPS (no platform)
kastell init --mode dokploy # Dokploy (Docker Swarm PaaS)
Manage
kastell list # List all servers
kastell status my-server # Check server status
kastell status --all # Check all servers
kastell ssh my-server # SSH into server
kastell restart my-server # Restart server
kastell destroy my-server # Destroy cloud server entirely
kastell add # Add existing server
kastell remove my-server # Remove from local config
kastell config set key value # Manage default configuration
kastell config validate # Validate servers.yaml structure and types
kastell export # Export server list to JSON
kastell import servers.json # Import servers from JSON
Update & Maintain
kastell update my-server # Update platform (Coolify or Dokploy, auto-detected)
kastell update my-server --dry-run # Preview update without executing
kastell maintain my-server # Full maintenance (snapshot + update + health + reboot)
kastell maintain my-server --dry-run # Preview maintenance steps
kastell maintain --all # Maintain all servers
Back Up & Restore
kastell backup my-server # Backup DB + config
kastell backup --all # Backup all servers
kastell restore my-server # Restore from backup
Snapshots
kastell snapshot create my-server # Create VPS snapshot (with cost estimate)
kastell snapshot list my-server # List snapshots
kastell snapshot list --all # List all snapshots across servers
kastell snapshot delete my-server # Delete a snapshot
Security
kastell firewall status my-server # Check firewall
kastell firewall setup my-server # Configure UFW
kastell secure audit my-server # Security audit
kastell secure setup my-server # SSH hardening + fail2ban
kastell domain add my-server --domain example.com # Set domain + SSL
Security Audit
kastell audit my-server # Full security audit (29 categories, 421+ checks)
kastell audit my-server --json # JSON output for automation
kastell audit my-server --threshold 70 # Exit code 1 if score below threshold
kastell audit my-server --fix # Interactive fix mode (prompts per severity)
kastell audit my-server --fix --dry-run # Preview fixes without executing
kastell audit my-server --watch # Re-audit every 5 min, show only changes
kastell audit my-server --watch 60 # Custom interval (60 seconds)
kastell audit --host [email protected] # Audit unregistered server
kastell audit my-server --badge # SVG badge output
kastell audit my-server --report html # Full HTML report
kastell audit my-server --score-only # Just the score (CI-friendly)
kastell audit my-server --summary # Compact dashboard view
kastell audit my-server --explain # Explain failed checks with remediation guidance
kastell audit my-server --compliance cis # Filter by compliance framework (cis-level1, cis-level2, pci-dss, hipaa)
Security Hardening
kastell lock my-server # 19-step production hardening (SSH + UFW + sysctl + auditd + AIDE + Docker)
kastell lock my-server --dry-run # Preview hardening steps without applying
Monitor & Debug
kastell monitor my-server # CPU, RAM, disk usage
kastell logs my-server # View platform logs (Coolify or Dokploy)
kastell logs my-server -f # Follow logs
kastell health # Health check all servers
kastell doctor # Check local environment
Supported Providers
| Provider | Status | Regions | Starting Price |
|---|---|---|---|
| Hetzner Cloud | Stable | EU, US | ~€4/mo |
| DigitalOcean | Stable | Global | ~$18/mo |
| Vultr | Stable | Global | ~$12/mo |
| Linode (Akamai) | Beta | Global | ~$12/mo |
Prices reflect the cheapest plan with at least 2 GB RAM (required by Coolify and Dokploy). Bare mode has no minimum requirements -- plans start from ~$2.50/mo depending on provider. You can choose a different size during setup. Linode support is in beta -- community testing welcome.
Supported Platforms
| Platform | Mode Flag | Min RAM | Min CPU | Description |
|---|---|---|---|---|
| Coolify | --mode coolify (default) |
2 GB | 2 vCPU | Docker-based PaaS (port 8000) |
| Dokploy | --mode dokploy |
2 GB | 2 vCPU | Docker Swarm-based PaaS (port 3000) |
| Bare | --mode bare |
— | — | Generic VPS, no platform overhead |
Kastell uses a PlatformAdapter architecture -- the same commands (update, maintain, logs, health) work across all platforms. The platform is stored in your server record and auto-detected on each command.
Developer Experience
| Feature | Command / Flag | Description |
|---|---|---|
| Dry Run | --dry-run |
Preview destructive commands without executing. Available on: destroy, update, restart, remove, maintain, restore, firewall, domain, backup, snapshot, secure. |
| Shell Completions | kastell completions bash|zsh|fish |
Generate shell completion scripts for tab-completion of commands and options. |
| Config Validation | kastell config validate |
Check servers.yaml for structural and type errors using Zod strict schemas. |
| Version Check | kastell --version |
Shows current version and notifies if a newer version is available on npm. |
YAML Config
Deploy with a single config file:
# kastell.yml
provider: hetzner
region: nbg1
size: cax11
name: my-coolify
fullSetup: true
domain: coolify.example.com
kastell init --config kastell.yml
Templates
| Template | Best For | Includes |
|---|---|---|
starter |
Testing, side projects | 1-2 vCPU, 2-4 GB RAM |
production |
Live applications | 2-4 vCPU, 4-8 GB RAM, full hardening |
dev |
Development & CI/CD | Same as starter, no hardening |
kastell init --template production --provider hetzner
Security
Kastell is built with security as a priority -- 5,087 tests across 197 suites, including dedicated security test suites.
- API tokens are never stored on disk -- prompted at runtime or via environment variables
- SSH keys are auto-generated if needed (Ed25519)
- All SSH connections use
StrictHostKeyChecking=accept-newwith IP validation (octet range) and environment filtering - Shell injection protection on all user-facing inputs (
spawn/spawnSync, noexecSync) - Provider error messages are sanitized to prevent token leakage
- stderr sanitization redacts IPs, home paths, tokens, and secrets from error output
- Config file token detection (22+ key patterns, case-insensitive, nested)
- Import/export operations strip sensitive fields and enforce strict file permissions (
0o600) --full-setupenables UFW firewall and SSH hardening automatically- MCP: SAFE_MODE (default: on) blocks all destructive operations, Zod schema validation on all inputs, path traversal protection on backup restore
- Claude Code hooks: destroy-block prevents accidental
kastell destroywithout--force, pre-commit audit guard warns on score drops
Installation
# Run directly (recommended)
npx kastell <command>
# Or install globally
npm install -g kastell
kastell <command>
Requires Node.js 20 or later.
Troubleshooting
Server creation fails?Run kastell doctor --check-tokens to verify your API token and local environment.
Server not responding?Use kastell status my-server --autostart to check platform status and auto-restart if needed, or kastell health to check all servers at once.
Need to start fresh?kastell destroy my-server removes the cloud server entirely.
Contributing
See CONTRIBUTING.md for development setup, testing, and contribution guidelines.
Kastell uses 5,087 tests across 197 suites. Run npm test before submitting PRs.
MCP Server (AI Integration)
Kastell includes a built-in Model Context Protocol server for AI-powered server management. Works with Claude Code, Cursor, Windsurf, and other MCP-compatible clients.
{
"mcpServers": {
"kastell": {
"command": "npx",
"args": ["-y", "-p", "kastell", "kastell-mcp"],
"env": {
"HETZNER_TOKEN": "your-token",
"DIGITALOCEAN_TOKEN": "your-token",
"VULTR_TOKEN": "your-token",
"LINODE_TOKEN": "your-token"
}
}
}
}
Available tools:
| Tool | Actions | Description |
|---|---|---|
server_info |
list, status, health, sizes | Query server information, check cloud provider and platform status |
server_logs |
logs, monitor | Fetch platform/Docker logs and system metrics via SSH |
server_manage |
add, remove, destroy | Register, unregister, or destroy cloud servers |
server_maintain |
update, restart, maintain | Update platform, restart servers, run full maintenance |
server_secure |
secure, firewall, domain | SSH hardening, firewall rules, domain/SSL management (10 subcommands) |
server_backup |
backup, snapshot | Backup/restore databases and create/manage VPS snapshots |
server_provision |
create | Provision new servers on cloud providers |
server_audit |
audit | 421+-check security audit with compliance framework filtering; use --explain for remediation guidance |
server_evidence |
collect | Collect forensic evidence package with checksums |
server_guard |
start, stop, status | Manage autonomous security monitoring daemon |
server_doctor |
diagnose | Proactive health analysis with remediation commands |
server_lock |
harden | 19-step production hardening (SSH, UFW, sysctl, auditd, AIDE, Docker) |
server_fleet |
overview | Fleet-wide health and security posture dashboard |
All destructive operations (destroy, restore, snapshot-delete, provision, restart, maintain, snapshot-create) require
SAFE_MODE=falseto execute.
Claude Code Plugin
Kastell is available as a Claude Code plugin for the Anthropic marketplace. The plugin bundles:
- 4 skills: kastell-ops (architecture reference), kastell-scaffold (component generation), kastell-careful (destructive op guard), kastell-research (codebase exploration)
- 2 agents: kastell-auditor (parallel audit analyzer), kastell-fixer (worktree-isolated auto-fix)
- 5 hooks: destroy-block, session-audit, session-log, pre-commit-audit-guard, stop-quality-check
Install via Claude Code plugin manager or use directly with claude --plugin-dir kastell-plugin.
MCP Platform Setup
| Platform | Config Location | Guide |
|---|---|---|
| Claude Code | claude mcp add or .mcp.json |
Setup Guide |
| Claude Desktop | claude_desktop_config.json |
Setup Guide |
| VS Code / Copilot | .vscode/mcp.json |
Setup Guide |
| Cursor | .cursor/mcp.json |
Setup Guide |
More platforms (JetBrains, Windsurf, Gemini, and others) coming in v2.0.
AI Discoverability
Kastell provides llms.txt for AI crawlers and is listed in the MCP Registry as io.github.kastelldev/kastell.
CI/CD Integration
Use kastell audit in your CI pipeline to enforce security baselines:
# .github/workflows/security-audit.yml
name: Security Audit
on:
schedule:
- cron: '0 6 * * 1' # Weekly Monday 6 AM
workflow_dispatch:
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npm install -g kastell
- run: kastell audit --host root@${{ secrets.SERVER_IP }} --threshold 70 --json > audit-result.json
- uses: actions/upload-artifact@v4
with:
name: audit-report
path: audit-result.json
The --threshold flag causes a non-zero exit code when the score falls below the target, failing the CI job automatically.
What's Next
- Test Excellence: Mutation testing, coverage gaps, integration tests (v1.14)
- Plugin ecosystem with marketplace distribution (v2.0)
- Dashboard and managed service (v3.0)
Philosophy
Infrastructure should be boring, predictable, and safe.
Kastell is not a script. It's your DevOps safety layer for self-hosted infrastructure.
License
Apache 2.0 -- see LICENSE
Support
- GitHub Issues -- Bug reports and feature requests
- Changelog -- Version history
Built by @omrfc
