All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
DockPanel — Free Docker-native server panel written in Rust (~57MB RAM)
Hey everyone,
I've been lurking here for a while and figured this community would appreciate this more than most.
I built a server panel called DockPanel. It's written in Rust — three binaries (agent, API, CLI) totaling about 35MB on disk. Runtime memory sits around
57MB. I run it on a $5 Vultr VPS alongside a dozen containers and PostgreSQL without breaking a sweat.
For comparison: cPanel eats 800MB+ just existing. CloudPanel sits around 250MB. HestiaCP is lighter but still PHP. DockPanel is just compiled Rust talking
to a Unix socket.
What it manages:
- Sites — PHP, Node.js, Python, static, reverse proxy. CMS auto-install for WordPress, Laravel, Drupal, Joomla, Symfony, CodeIgniter.
- Databases — MySQL and PostgreSQL in Docker containers. Built-in SQL browser (no phpMyAdmin dependency).
- Docker apps — 54 one-click templates. Nextcloud, Gitea, Uptime Kuma, Portainer, Home Assistant, Grafana, Redis, and more. Full container management —
logs, shell, stats, resource limits. - Docker Compose stacks — paste your YAML, deploy multi-container apps.
- Git deploy — push-to-deploy with Nixpacks (auto-detects language, no Dockerfile needed). Blue-green zero-downtime. Automatic rollback if health check
fails. - Backups — scheduled to local, S3, SFTP, Backblaze B2, or GCS. Supports MySQL, PostgreSQL, MongoDB dumps + Docker volume backups. Encrypted (AES-256-CBC).
Auto-verified by spinning up a temp container and actually restoring the dump. - SSL — Let's Encrypt, auto-renew.
- DNS — Cloudflare and PowerDNS.
- Email — Postfix + Dovecot + DKIM + Rspamd + Roundcube. Full mail stack from the panel.
- Security — firewall management, fail2ban, vulnerability scanning, auto-healing (restarts crashed services automatically).
- Monitoring — HTTP/TCP/ping/keyword checks. Alerts via Slack, Discord, PagerDuty, email, webhooks.
- Web terminal — SSH in browser, tabs, themes.
- CLI — dockpanel status, dockpanel diagnose, dockpanel export -o config.yml.
- IaC — export your full server config as YAML, apply to a new machine.
Multi-server — manage multiple boxes from one panel.
What it doesn't do (being honest):
No Kubernetes. This is single-server Docker, not an orchestrator.
- Ubuntu 22.04/24.04 and Debian 12 only right now. No CentOS/Alma.
- No built-in DNS server — it integrates with Cloudflare/PowerDNS, doesn't replace them.
It's new. I have 116 E2E tests and a completed security pentest (18 vulns found and fixed), but it hasn't been hammered by thousands of users yet. I'd
rather be upfront about that.Security:
Since CyberPanel keeps coming up in panel discussions — I did a full pentest on DockPanel before releasing. 18 vulnerabilities found (5 critical, 6 high, 7
medium), all fixed. Zero remaining. The agent runs on a Unix socket, not a network port. All commands go through a token-authenticated API. Passwords are
Argon2. Sessions are HttpOnly JWT with blacklist on logout. Rate limiting on auth endpoints.That said, I'd welcome anyone who wants to poke at it and report issues.
Links:
- GitHub: https://github.com/ovexro/dockpanel
- Install: curl -sL https://dockpanel.dev/install.sh | sudo bash
Docs: https://docs.dockpanel.dev
MIT licensed. No telemetry. No paid tier. No "community edition" with missing features. Everything listed above is included. Runs on x86_64 and ARM64.
Happy to answer questions — I'll be in this thread.
Comments
Is this vibe coded?
Entirely, yes
You apparently didn't... otherwise you would have seen the thread where another guy let Claude write a panel for him and it ended up having more security issues than real features.
Seriously, what is wrong with you people that you all believe you write a prompt, and boom you have something that you can put on the internet?
Give him a second to reply, he's trying to prompt one.
Looks terrible ai slop. Lol every css change has a commit message longer than the code change merged straight to main
Wait this is actually so bad and even the advertised "35MB binaries" is wrong, the changelog , relasee histroy , and commit history don't match
There is a 256 character commit message for a 2 character css change
not again..
also can we stop rewriting things in rust
im glad that its at least open source this time
>
I tested for security and vulnerability issues. I documented everything on GitHub.
I really appreciate your feedback; any suggestions are valuable for doing more E2E tests.
My honest feedback, you are not a programmer.
AI is fun and all that, probably a good feeling getting quick results without actually doing anything for it.
There is no problem when you do that on your own to create your little funny thing.
But, please do not publish this as a tool for people to use.
I agree. I enjoy building apps with Claude Code, testing them E2E, and continuing to polish them until no issues are found. I love getting realistic feedback from people like you. Thanks.
whats the demo user/pw
Make a user.
hello #4
Why there is a sudden outburst of vibe coded apps in LET? @ovexro when you have vibe coded entire app with claude, whats the use of feedback? feedback is for people willing to learn not vibe!
We are on a path to one man unicorn app. Now all team managers think that they can code, so a ton of crapware spitting everyday. Everyone wants to invent clawbot v2 and rake that million.
I love how there's an express API whose only purpose is serving a health check and returning some hardcoded pricing JSON (I don't think it's even used?)
https://github.com/ovexro/dockpanel/blob/main/website/server/src/index.ts
I also found a vuln after looking for a few minutes, verifying it took forever because i had to install the dumb thing (the demo doesn't send emails)
https://github.com/ovexro/dockpanel/blob/45a488be1951ba18aa8fd89c9bf1c5fd9c7e3c50/panel/backend/src/routes/auth.rs#L471-L482
You can pass any "origin" header value to /api/auth/register and /api/auth/forgot-password and it will send an email with a link that points to whatever you want (e.g. an attacker site)
oh no! you should fix those config issues
Thank you, guys!
I really appreciate it.
I.e. you asked your AI to re-read its own code and it hallucinated vulnerabilities and "fixed" them while leaving real vulnerabilities in.
Done. I made some changes. If you guys have a VPS server for tests, I'd really appreciate your thoughts on the new updates.
Are we getting paid for our time and resources??
Did you include "NO MISTAKES" at the end of your prompts? Works better in full caps.
Why did you disable registration? are you scared of someone wiping the entire server?
I've seen AI just remove affected features if you ask it to fix a bug in something on more than one occasion.
yabs coming
Mh.. I think it forgot some parts.
Maybe just use
rm -rf /, that should fix a lot of the issues in this software.im not going to be pentesting for free, and also this seems to be a dedi/high cores, so i wont be posting it. whatever audit you had AI do, is insufficient in every way.
please just kill the project.
At this point for each incoming ai slop app, someone just test rm -rf injection. If this pass - app is good for prod.