Production · v1.2.0 · multi-node from day one

Run a fleet of servers from one screen.

Hyperion is a self-hosted, multi-node hosting control panel written in Rust. One binary on each server, one web UI on the master — provisioning nginx + FPM + database + TLS + WordPress in a single atomic transaction.

Rust · stable 2024 | AGPL-3.0 | Debian 12+ | 650+ tests | #![forbid(unsafe_code)]
1 master · N workers · signed RPC
PHP 8.1–8.4 · MariaDB / PostgreSQL · Let's Encrypt · WordPress · Redis cache · S3 + age backups · TOTP 2FA · fail2ban · BLAKE3 audit chain · Ed25519 RPC
0
Tests, run in seconds
∞
Worker nodes per master
0%
unsafe code, every crate
0
Minutes to a live panel

Why Hyperion

The same job most panels do — without trusting 10,000 lines of bash-by-stringification.

Most open-source hosting panels are PHP wrappers around shell templating. They work — but the trust model is a stack of string-interpolated commands. Hyperion is the opposite: a small, security-first Rust core that does the same job and scales across multiple servers out of the box.

“Every adapter takes pre-validated typed arguments and shells out only via Command::new(..).arg(..) — no shell interpolation, ever. Failure at any step rolls back the rest. No orphan rows, no zombie users.”

| Capability | Hestia / Vesta | Hyperion |
|---|---|---|
| Memory-safe core | PHP + bash | Rust |
| Multi-node cluster | single-node | master + N |
| Atomic provisioning | partial | LIFO rollback |
| Tamper-evident audit | — | BLAKE3 chain |
| TOTP 2FA in core | partial | enforced |
| Off-site encrypted backups | FTP only | S3 + age |
| Cross-node migration | — | one-click |
| Hosting clone to new domain | — | two clicks |

vs. HestiaCP · Vesta · aapanel

The panel

One screen for the whole fleet

axum + askama + HTMX, no JS build step, single binary. KPI tiles, live load & bandwidth sparklines, a tamper-evident audit feed — dark and light themes out of the box.

[Screenshot, https://master.example.com:8443: Hyperion dashboard with KPI tiles, load and bandwidth sparklines, recent-activity audit feed]
[Screenshot, /stats (cluster, all nodes): cluster-wide KPIs and per-node load, memory, bandwidth and request sparklines]

Features

Everything a host needs, first-class

Hosting CRUD, WordPress, backups, security and the cluster — all surfaced in the UI, the CLI, and the signed RPC layer.

One-click create — atomic, or not at all

Linux user, PHP-FPM pool, MariaDB / Postgres DB, nginx vhost, self-signed cert — all in one transaction. Failure at any step rolls back the rest on a LIFO stack. No orphan rows, no zombie users.

✓ create system user
✓ FPM pool + nginx vhost
● issue TLS certificate
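
The all-or-nothing behaviour described above, sketched as an added Rust example (not Hyperion's own code): each completed step pushes an undo action, and a failure pops and runs them newest-first. `Host`, `Txn`, `provision` and the in-memory state are assumptions made for the illustration.

```rust
// Added illustration: Host, Txn and the step names are hypothetical, not
// Hyperion's API. State is kept in memory so the undo order is observable.
#[derive(Default)]
struct Host {
    resources: Vec<String>, // what currently exists on the box
    trace: Vec<String>,     // order in which undo actions ran
}

struct Txn {
    // Pushed after each successful step, popped newest-first on failure.
    undo: Vec<Box<dyn FnOnce(&mut Host)>>,
}

impl Txn {
    /// Apply one step; its undo is registered only if the step succeeded.
    fn step(&mut self, host: &mut Host, name: &'static str, ok: bool) -> Result<(), String> {
        if !ok { return Err(format!("{name} failed")); }
        host.resources.push(name.to_string());
        self.undo.push(Box::new(move |h: &mut Host| {
            h.resources.retain(|r| r.as_str() != name);
            h.trace.push(format!("undo {name}"));
        }));
        Ok(())
    }

    /// Unwind completed steps in reverse order of creation (LIFO).
    fn rollback(mut self, host: &mut Host) {
        while let Some(undo) = self.undo.pop() { undo(host); }
    }
}

/// Either all four resources exist afterwards, or none do.
fn provision(host: &mut Host, cert_ok: bool) -> Result<(), String> {
    let mut txn = Txn { undo: Vec::new() };
    let steps = [("system user", true), ("fpm pool", true), ("nginx vhost", true), ("tls cert", cert_ok)];
    for (name, ok) in steps {
        if let Err(e) = txn.step(host, name, ok) {
            txn.rollback(host);
            return Err(e);
        }
    }
    Ok(())
}

fn main() {
    let mut host = Host::default();
    let result = provision(&mut host, false); // constructed failure at the cert step
    println!("{:?} left={:?} undo order={:?}", result, host.resources, host.trace);
}
```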

PHP 8.1 → 8.4, side by side

Four runtimes via deb.sury.org. Static-only sites, plus a reverse-proxy mode for Node.js / Python / Docker.

8.1 8.2 8.3 8.4

WordPress, managed

Plugin / theme manager via wp-cli, vulnerability scan against the Wordfence feed, and one-click staging → push-to-prod with a pre-push safety backup.

Backups that leave the box

Local tar.gz + DB dump, or off-site to S3 (Wasabi / B2 / Minio / AWS) with client-side age encryption — the private key never touches the node. Granular restore: full, DB-only, or files-only. Restore any archive as a brand-new domain.

daily ✓ 7 kept
weekly ✓ 4 kept
monthly ✓ 6 kept

Live progress on every job

Migration, install, cert issue, backup, clone — an HTMX-polled bar on /jobs/<id>. Navigate away and back; it's still updating.

Per-hosting controls

HTTP basic auth, HSTS presets, custom nginx snippet (nginx -t validated), FastCGI page cache, Redis object cache.

Let's Encrypt

HTTP-01 one-click + auto-renewal, and DNS-01 wildcard via guided TXT or a Cloudflare token.

File manager

Browse, upload, inline editor, type-the-name delete. Symlinks & path traversal refused at the adapter layer.

Quotas & limits

Kernel-enforced disk quota via setquota, per-pool memory_limit, monthly bandwidth alerts.

Multi-node cluster

One master. A fleet of workers. Signed end to end.

The master holds the web UI, audit log and nodes registry. Workers run an agent the master drives over an Ed25519-signed RPC channel — Canonical-JSON over self-signed HTTPS on port 9443. Integrity comes from the signature, not the TLS. No DNS dependency between nodes; it's IP-based.

  • ★ Auto-placement. Pick ★ auto and the master scores every node by load, memory and hosting count, then picks the best fit.
  • ⇄ One-click migration. Move a hosting between any two nodes with live progress and a version preflight that catches a stale worker before cryptic failures.
  • ⧉ Cross-node clone. Duplicate example.com as staging.example.com on a different node in two clicks.

Enroll a worker in ~30 seconds: Nodes → Generate invite → paste the printed curl … | sudo bash on a fresh VPS.

[Diagram: master (web UI, :8443) and worker nodes s1 to s6]

Architecture

Two layers per box

A privileged agent owns all system state; an unprivileged web binary talks to it over a local Unix socket. The AdapterPort trait is mocked end-to-end, so the orchestrator's rollback paths are unit-tested in isolation.

hyperion-web (master only)

axum + askama + HTMX, runs unprivileged in the hyperion-admin group. Owns the audit log, web users, sessions ledger, enrolled-nodes registry and the Ed25519 master signing key.

audit chain · sessions · nodes registry · master signer

hyperion-agent (runs as root)

Owns all system state — users, dirs, nginx vhosts, FPM pools, DBs, certs, FTP, cron, backups. Listens on /run/hyperion.sock (0660, group hyperion-admin); on workers, also 0.0.0.0:9443 for signed RPC.

fs / users · nginx / php · mysql / pg · acme / bkup · wp / ftp · scheduler

Wire protocol: u32be len ‖ JSON (max frame 128 MiB)
RPC envelope: Ed25519-signed (Canonical-JSON, token-on-first-use)
Workspace: 9 crates · 3 bins (one clear responsibility each)
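
A reader for the `u32be len ‖ JSON` framing listed above, as an added example that is not taken from Hyperion's source: it rejects an announced length over the 128 MiB cap before allocating and reports short streams. `read_frame`, `encode_frame` and `FrameError` are hypothetical names; JSON decoding of the payload is left out.

```rust
// Added illustration: read_frame, encode_frame and FrameError are hypothetical
// names, not Hyperion's code. Framing (u32be length, then payload) is from the page.
use std::io::{self, Read};

const MAX_FRAME: u32 = 128 * 1024 * 1024; // 128 MiB cap stated on the page

#[derive(Debug, PartialEq)]
enum FrameError {
    TooLarge(u32),     // announced length exceeds the cap
    Truncated,         // stream ended before the announced length arrived
    Io(io::ErrorKind), // any other transport error
}

fn map_io(e: io::Error) -> FrameError {
    match e.kind() {
        io::ErrorKind::UnexpectedEof => FrameError::Truncated,
        kind => FrameError::Io(kind),
    }
}

/// Read one frame. The cap is checked before any payload memory is reserved.
fn read_frame<R: Read>(r: &mut R, max: u32) -> Result<Vec<u8>, FrameError> {
    let mut hdr = [0u8; 4];
    r.read_exact(&mut hdr).map_err(map_io)?;
    let len = u32::from_be_bytes(hdr);
    if len > max {
        return Err(FrameError::TooLarge(len));
    }
    // take() bounds the read and read_to_end grows the buffer as bytes arrive,
    // so a peer that announces a large frame and stalls costs almost nothing.
    let mut payload = Vec::new();
    r.by_ref().take(u64::from(len)).read_to_end(&mut payload).map_err(map_io)?;
    if payload.len() as u64 != u64::from(len) {
        return Err(FrameError::Truncated);
    }
    Ok(payload)
}

fn encode_frame(payload: &[u8]) -> Vec<u8> {
    let mut out = (payload.len() as u32).to_be_bytes().to_vec();
    out.extend_from_slice(payload);
    out
}

fn main() {
    let wire = encode_frame(br#"{"op":"info"}"#); // constructed sample payload
    let body = read_frame(&mut wire.as_slice(), MAX_FRAME).unwrap();
    println!("{}", String::from_utf8_lossy(&body));
}
```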

Security

Security-first, not security-eventually

A model that doesn't rely on trusting shell-script templating. Memory-safe to the core, signed at every boundary, tamper-evident by construction.

#![forbid(unsafe_code)]

In every crate. The compiler enforces it — there is no unsafe block to audit.

Argon2id passwords

At OWASP-recommended parameters. Constant-time secret & username compare on every login and heartbeat.

Ed25519 session cookies

With a DB-backed revocation ledger — kill a stolen cookie immediately from /settings/sessions.

TOTP 2FA, enforced

Required for admin+ roles with one-time backup codes and an optional 30-day remember-device.

Native brute-force defense

The agent scans access logs for wp-login / xmlrpc floods and auto-bans IPs via an nftables set. Bans survive reboots.

BLAKE3 audit chain

A tamper-evident hash chain over every state change, with a Verify chain button on /audit.

On every response: CSP · HSTS · X-Frame-Options · Permissions-Policy · Referrer-Policy · Per-form CSRF tokens

Command line

hctl — when the web can't help

A thin client over the same Unix socket as the web UI. The "ssh in and poke" path for when something on a node is too broken for the panel.

  • hctl info — node version, schema, hosting count at a glance.
  • Create, suspend, back up and audit hostings without a browser.
  • Every binary stamps its own git describe version at build time.
root@master ~ hctl
$ hctl hosting create example.com --php 8.3 --db mariadb
✓ created example_com (id=01K4Z…)
  root: /home/example_com/example.com/htdocs
  db:   lm_a8c_examplecz (user=lm_a8c_u, pass=Hx9k…RnG2)
  cert: issuer=self-signed, not_after=2027-06-01

$ hctl hosting backup-now example.com
✓ backup 17 ok
  archive: …/example.com-1764672000.tar.gz
  bytes:   148373921

$ hctl audit --limit 3
   ID  TS               ACTOR    ACTION           RESULT
   42  2026-06-08 14:42 agent    hosting.backup   ok
   41  2026-06-08 14:42 agent    hosting.suspend  ok
   40  2026-06-08 14:42 cli:root set_limits      ok

Install

Live panel in ~3–5 minutes

One command on a fresh Debian 12+ VPS, as root. It apt-installs the stack, builds Hyperion from source, lays down configs and systemd units, and prompts for an admin password.

$ curl -fsSL https://raw.githubusercontent.com/nechodom/hyperion/main/packaging/install/install-master.sh | sudo bash

01. Install the master

Run the one-liner. Browse to https://<host>:8443.

02. Add worker nodes

Nodes → Generate invite → paste the printed command on a fresh VPS.

03. Provision anywhere

Create a hosting, pick ★ auto, and the master places it on the best node.