AGPL-3.0 · self-hosted · GDPR-native

Opale

One admin. One VM. Your whole fleet, polished.

1 VM · 1 binary
15 min agent checkin cadence
0 € SaaS subscription

// Modular by design

Pick what you need.
Nine modules. All optional. One coherent UI.

Built from the frustration of stitching together five SaaS tools to monitor a hundred laptops. Opale ships the lot in one container — enable what you need, hide what you don’t.

Inventory & monitoring

The core that everything else hangs off. Populate it however suits you: manual entry, optional Microsoft Intune sync, or the optional cross-platform Go agent (Windows, macOS, Linux) for hardware, disk, network and bandwidth telemetry every 15 minutes.

intune · agent · ed25519 · all opt-in
opt.

Alerts

Disk thresholds, prolonged offline, non-compliant devices — computed live from device state. Web-Push to admins on critical changes, biometric unlock on mobile.

vapid push · service worker · webauthn
opt.

Tickets

Open / in-progress / resolved workflow, tags, Kanban view, links to devices. “Proposed” tickets land from a mail-to-AI ingestion pipe and wait for your review.

kanban · mail-to-AI · device-linked
opt.

Remote SSH in the browser

Real terminal in a tab via WebSocket + xterm.js, over your existing mesh VPN. Netbird, Tailscale, ZeroTier — whatever you already trust.

xterm.js · ssh2 · mesh-vpn aware
opt.

CLI

opale is a Go binary with Cobra, PKCE auth and shell completion. Devices, tickets, scripts, deployments — everything the UI does, scriptable.

cobra · pkce · bash/zsh/fish
opt.

Scripts

PowerShell library, queued execution at next checkin, results streamed back. Quick-script tray for the four commands you run twenty times a week.

powershell · queued · result diff
opt.

LAPS-style recovery

The agent rotates the local admin password, escrows it RSA-OAEP encrypted. Admins decrypt one-shot from the UI — the server never sees plaintext.

rsa-oaep · escrowed · one-shot decrypt
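
The escrow flow described above, as an added Go sketch (not Opale's own code): the agent encrypts a freshly generated password to an admin public key, the server holds only ciphertext, and decryption happens wherever the private key lives. Assumptions: the 2048-bit key, SHA-256 OAEP, using the device ID as the OAEP label, and every function and type name here are illustrative.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Escrow is all the server stores: opaque ciphertext, never the password.
type Escrow struct {
	DeviceID   string
	Ciphertext []byte
}

// NewAdminKey makes a throwaway demo key pair (constructed for this example).
func NewAdminKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// RotateAndEscrow is the agent side: generate a fresh password and encrypt it
// to the admin public key. Assumption: the device ID is used as the OAEP
// label, so a ciphertext filed under the wrong device fails to decrypt.
func RotateAndEscrow(pub *rsa.PublicKey, deviceID string) (string, Escrow, error) {
	raw := make([]byte, 18) // 144 bits of entropy -> 24 characters
	if _, err := rand.Read(raw); err != nil {
		return "", Escrow{}, err
	}
	password := base64.RawURLEncoding.EncodeToString(raw)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), []byte(deviceID))
	return password, Escrow{DeviceID: deviceID, Ciphertext: ct}, err
}

// Recover is the admin side; it runs where the private key lives, not on the server.
func Recover(priv *rsa.PrivateKey, e Escrow) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.Ciphertext, []byte(e.DeviceID))
	return string(pt), err
}

func main() {
	priv, err := NewAdminKey()
	if err != nil {
		panic(err)
	}
	pw, esc, _ := RotateAndEscrow(&priv.PublicKey, "laptop-042") // constructed ID
	got, err := Recover(priv, esc)
	fmt.Println("round trip ok:", got == pw, err)
	esc.DeviceID = "laptop-043" // record moved to another device
	_, err = Recover(priv, esc)
	fmt.Println("relabelled record:", err)
}
```

When auditing a design like this, check where the private key is generated and stored: the "server never sees plaintext" property holds only if that key never reaches the server.
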
opt.

Onboarding

Guided checklists for new device or new collaborator, with optional IdP group assignment when you wire one up. The thing you forget to do half the time.

checklist · idp groups · opt. · auditable
opt.

Mobile PWA

Installable on iOS and Android, WebAuthn unlock, push notifications. Tap an alert at 23:47, triage from bed, sleep again.

pwa · webauthn · offline-ready
// CLI-first when you need it

Terminal first. UI when it’s nicer.

Every UI action has a CLI counterpart with PKCE auth and shell completion. Script your fleet from anywhere.

// Architecture

One container, one Postgres,
a Windows agent that just runs.

Single-tenant by design — one Opale instance per organisation. No multi-tenancy gymnastics, no shared blast radius.

Endpoints · optional

Endpoint agent

Optional Go service for richer telemetry. Checks in every 15 min, ed25519-signed auto-update. Windows, macOS and Linux — amd64 and arm64. Skip it entirely if Intune or manual entry is enough.

go · cross-platform · ed25519

Server (one VM)

Fastify API · PostgreSQL · WS proxy

Node ESM, raw SQL, no ORM. Serves the SPA, proxies SSH over WebSocket, signs agent binaries on the fly.

node · fastify · postgres · ws · ssh2

Identity

Your identity provider

SSO via standard OIDC, JWT verified server-side via JWKS — works with any compliant IdP. Intune compliance sync and Graph group assignment are fully optional add-ons.

oidc · jwks · intune (opt.) · graph (opt.)

// Who it’s for

Honest scope — not for everyone.

One maintainer’s tool, opened up. We tell you what it is and what it isn’t.

Built for YES

  • Small structures, 10–300 endpoints, one or two IT people wearing too many hats
  • French / EU organisations under GDPR that want telemetry in-house, not in someone else’s cloud
  • Mixed Windows / macOS / Linux fleets — bring whatever OIDC identity provider you already trust
  • Teams comfortable on a single VM with Docker Compose
  • Admins who’d rather audit AGPL code than a vendor’s SOC 2 report

Not designed for NO

  • Multi-tenant SaaS deployment — one Opale = one organisation, by design
  • Mobile-only fleets — the agent covers desktops and laptops, not phones or tablets
  • Replacing a full ITSM — we cover the basics, not enterprise workflow
  • Organisations that need 24/7 commercial support and an SLA
  • Anyone who thinks AGPL-3.0 is “too restrictive” for their fork plans
// Stack

Boring tech. On purpose.

Things that will still run a decade from now. No build step on the front-end — the SPA is Vanilla JS that you can read.

backend: Node · Fastify · ESM
database: PostgreSQL · raw SQL
frontend: Vanilla JS · no build step
auth: OIDC · JWKS · any IdP
remote shell: WebSocket · ssh2 · xterm.js
push: Web Push · VAPID · SW
mobile: PWA · WebAuthn
agent: Go · cross-platform · ed25519
cli: Go · Cobra · PKCE
packaging: Docker Compose · single Dockerfile
license: AGPL-3.0
support: Issues only · no SLA

Honest status — read before you deploy.

Opale is experimental and maintained by one person. It runs in production for its original organisation, but the public release is recent and APIs may shift. There is no commercial support, no SLA, no roadmap promises. Issues are read, not contractually answered.

If you can’t pin to a commit and read AGPL-licensed code when something breaks, this isn’t the right tool for you — and that’s deliberate. Contribute via issues or PRs; security reports via SECURITY.md.

// Quick start

Three commands.

For TLS, Entra app registration and the Windows agent rollout, see INSTALL.md.

# clone & configure
git clone https://github.com/4rtefakt/opale-rmm.git
cd opale-rmm
cp .env.example .env       # fill in the required values
./setup.sh                 # vendor front-end deps
# bring it up
docker compose -f docker-compose.example.yml up -d
# API + Postgres now on :3010
# → browse to http://localhost:3010