Open source · Self-hosted

Your homelab. In your pocket.

Nekzus is an open-source control plane for your self-hosted stack: Docker, Kubernetes, and every mDNS device on your LAN, managed from a native iOS and Android app. Zero cloud dependency. Zero telemetry. End-to-end encrypted.

View install command See it running

License: GPL-3.0 Transport: TLS 1.3 Auth: JWT + device binding Telemetry: none

Nekzus web dashboard showing container status, metrics, and service discovery.

Nekzus mobile dashboard showing service overview.

100+

Prometheus metrics exposed

5 min

Median time to first pairing

Bytes sent off your network

GPL-3.0

License · free forever

Deployment

Deploy in under 5 minutes.

A single container, a mobile app, and a QR pairing handshake.

Run one Docker command

Single self-contained container. No orchestrator required, no external dependencies.

$ docker run -d \
    --name nekzus \
    -p 8080:8080 \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v nekzus-data:/app/data \
    nstalgic/nekzus:latest

Install Nekzus PRTL

Native iOS 13+ and Android 8+ apps. Face ID / Touch ID, push notifications, offline mode.

Coming soon.

Pair with QR + TLS

Five-second pairing with TLS 1.3 certificate pinning. Every device is bound to its own JWT.

Capabilities

Capabilities.

Six capabilities engineered for self-hosted stacks.

Auto discovery

Detects Docker containers, Kubernetes pods, and mDNS devices. No labels, no config files.

Full container control

Live logs, restart, resource monitoring. Every Docker verb, from your phone.

Authenticated webview

Tap any service and interact with its full web UI through a TLS-pinned webview with dual-layer auth.

Notification inbox

Built-in webhook API. Alerts from any script route to your phone with full history.

Multi-language scripts

Shell, Python, or Go. Cron scheduling, parameterized inputs, execution history.

Prometheus metrics

100+ built-in metrics for observability. Scrape with your existing stack.

Capability	Nekzus	DIY scripts	Cloud SaaS
Runs entirely on your LAN	✓	Depends	✗
Zero telemetry	✓	✓	✗
Native iOS & Android app	✓	✗	Varies
Auto-discovery (Docker / K8s / mDNS)	✓	✗	Varies
Built-in Prometheus metrics	✓	✗	Varies
Open source (GPL-3.0)	✓	✓	Usually ✗
Cost	Free	Free + your time	$$ / month

Evaluation against a typical hand-rolled Bash/Python monitoring stack and a comparable hosted control-plane SaaS.

Product tour

See it on your phone.

Every capability, from a device you already carry.

Authenticated webview

Open any service's full web UI through a TLS-pinned, dual-auth session.

Authenticated TLS-pinned webview opened to a self-hosted service. — Authenticated webview

Open any service's full web UI through a TLS-pinned, dual-auth session.

Container control

Start, stop, restart, and stream logs from Docker or Kubernetes.

Container control screen with live logs and resource metrics. — Container control

Start, stop, restart, and stream logs from Docker or Kubernetes.

Service detail

Metadata, health checks, and quick actions for any container or pod.

Service detail screen showing metadata, health checks, and quick actions. — Service detail

Metadata, health checks, and quick actions for any container or pod.

Notifications inbox

Webhook-driven alerts with full history and per-service filtering.

Notifications inbox with alert history. — Notifications inbox

Webhook-driven alerts with full history and per-service filtering.

Architecture

The architecture in one diagram.

One container on your host, an encrypted handshake, and a native mobile app.

01 · Client Mobile app iOS · Android

02 · Transport TLS 1.3 + JWT cert pinning

03 · Gateway Nekzus single Docker container

04 · Targets Docker · K8s · mDNS your existing stack

No cloud

Runs entirely on your LAN. Remote access is opt-in via Cloudflare Tunnel, Tailscale, or reverse proxy.

No telemetry

Zero analytics, zero phone-home. GPL-3.0 source is public. Audit the code.

No AI

No LLM calls, no training, no prompts sent anywhere. Just infrastructure.

FAQ

Frequently asked questions.

How long does it take to get started?

About 5 minutes. One docker run command, install the app, scan a QR code.

Do I need to expose my homelab to the internet?

No. Nekzus runs on your LAN. Remote access is opt-in via reverse proxy or tunnel.

What does Nekzus discover automatically?

Docker containers (via labels), Kubernetes pods (via annotations), and mDNS/Bonjour/Avahi devices. Consul, Nomad, and cloud-provider discovery are on the roadmap.

Is Nekzus secure for public exposure?

JWT auth with device-bound tokens, TLS 1.3 certificate pinning, rate limiting, and optional local-network bypass for trusted subnets.

Does Nekzus send any data off my network?

No. Zero telemetry. GPL-3.0 source. Grep and verify.

Is it really free?

Yes. GPL-3.0 licensed. No premium tier, no feature locks, no usage limits. The copyleft means any modifications you distribute must also be GPL-3.0. If you're just running it on your own homelab, that doesn't affect you.

What platforms does the mobile app support?

iOS 13+ and Android 8+. Face ID / Touch ID, push notifications, offline mode.

Deploy

Take control of your stack.

One command. No cloud. No tracking.

$ docker run -d \
    --name nekzus \
    -p 8080:8080 \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v nekzus-data:/app/data \
    nstalgic/nekzus:latest

View on GitHub Read documentation

Your homelab. In your pocket.

Deploy in under 5 minutes.

Run one Docker command

Install Nekzus PRTL

Pair with QR + TLS

Capabilities.

Auto discovery

Full container control

Authenticated webview

Notification inbox

Multi-language scripts

Prometheus metrics

See it on your phone.

Authenticated webview

Container control

Service detail

Notifications inbox

The architecture in one diagram.

No cloud

No telemetry

No AI

Frequently asked questions.

Take control of your stack.