One-click create: atomic, or not at all
Linux user, PHP-FPM pool, MariaDB / Postgres DB, nginx vhost, self-signed cert, all in one transaction. Failure at any step rolls back the rest on a LIFO stack. No orphan rows, no zombie users.
Hyperion is a self-hosted, multi-node hosting control panel written in Rust. One agent binary on each server, one web UI on the master: nginx + FPM + database + TLS + WordPress provisioned in a single atomic transaction.
Why Hyperion
Most open-source hosting panels are PHP wrappers around shell templating. They work, but the trust model is a stack of string-interpolated commands. Hyperion is the opposite: a small, security-first Rust core that does the same job and scales across multiple servers out of the box.
"Every adapter takes pre-validated typed arguments and shells out only via Command::new(..).arg(..). No shell interpolation, ever. Failure at any step rolls back the rest. No orphan rows, no zombie users."
vs. HestiaCP · Vesta · aapanel
The panel
axum + askama + HTMX, no JS build step, single binary. KPI tiles, live load & bandwidth sparklines, a tamper-evident audit feed; dark and light themes out of the box.
Features
Hosting CRUD, WordPress, backups, security and the cluster: all surfaced in the UI, the CLI and the signed RPC layer.
Hosting: Linux user, PHP-FPM pool, MariaDB / Postgres DB, nginx vhost and self-signed cert created in one transaction; a failure at any step unwinds the completed steps on a LIFO stack, so nothing is left half-provisioned.
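The transaction-with-LIFO-rollback pattern described above, as an added example that is not Hyperion's code (the project is Rust; this is Go so it runs on the standard library alone). The real adapters are replaced by a constructed in-memory FakeSystem with an injectable failing step, which is enough to show the property that matters: after a successful create all four resources exist, after a failed one none does, and a failing undo does not abort the unwind.

```go
package main

import (
	"errors"
	"fmt"
)

// FakeSystem stands in for the real adapters (useradd, FPM pool file,
// database, nginx vhost). Constructed for this example only.
type FakeSystem struct {
	Users, Pools, DBs, Vhosts map[string]bool
	FailAt                    string // name of the step that should fail (fault injection)
}

func NewFakeSystem(failAt string) *FakeSystem {
	return &FakeSystem{
		Users: map[string]bool{}, Pools: map[string]bool{},
		DBs: map[string]bool{}, Vhosts: map[string]bool{},
		FailAt: failAt,
	}
}

// Undo is the compensating action for one completed step.
type Undo func() error

// Tx collects undo actions as steps succeed; on failure they run newest-first.
type Tx struct{ undos []Undo }

// Step runs one provisioning action and, if it succeeds, pushes its undo.
func (tx *Tx) Step(name string, do func() (Undo, error)) error {
	undo, err := do()
	if err != nil {
		return fmt.Errorf("%s: %w", name, err)
	}
	tx.undos = append(tx.undos, undo)
	return nil
}

// Rollback pops undos in LIFO order. An undo that fails does not stop the
// unwind; every failure is collected and reported together.
func (tx *Tx) Rollback() error {
	var errs []error
	for i := len(tx.undos) - 1; i >= 0; i-- {
		if err := tx.undos[i](); err != nil {
			errs = append(errs, err)
		}
	}
	tx.undos = nil
	return errors.Join(errs...)
}

// step builds a step that records key in set, failing when name == FailAt.
func (s *FakeSystem) step(name string, set map[string]bool, key string) func() (Undo, error) {
	return func() (Undo, error) {
		if s.FailAt == name {
			return nil, errors.New("injected failure")
		}
		set[key] = true
		return func() error { delete(set, key); return nil }, nil
	}
}

// CreateHosting provisions user, FPM pool, DB and vhost atomically:
// either all four exist afterwards or none does.
func CreateHosting(s *FakeSystem, domain, user string) error {
	tx := &Tx{}
	steps := []struct {
		name string
		do   func() (Undo, error)
	}{
		{"useradd", s.step("useradd", s.Users, user)},
		{"fpm-pool", s.step("fpm-pool", s.Pools, user)},
		{"db-create", s.step("db-create", s.DBs, user)},
		{"nginx-vhost", s.step("nginx-vhost", s.Vhosts, domain)},
	}
	for _, st := range steps {
		if err := tx.Step(st.name, st.do); err != nil {
			return errors.Join(err, tx.Rollback())
		}
	}
	return nil
}

// Leftovers counts resources present; 0 after a failed create means no orphans.
func (s *FakeSystem) Leftovers() int {
	return len(s.Users) + len(s.Pools) + len(s.DBs) + len(s.Vhosts)
}

func main() {
	ok := NewFakeSystem("")
	fmt.Println("success:", CreateHosting(ok, "example.com", "example_com"), "resources:", ok.Leftovers())
	bad := NewFakeSystem("db-create")
	fmt.Println("failure:", CreateHosting(bad, "example.com", "example_com"), "resources:", bad.Leftovers())
}
```

The important design point is that each undo is captured only after its step succeeded, so the stack never contains an undo for work that was not done, and that Rollback keeps unwinding past a failed undo rather than leaving later-created resources behind.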
PHP: four runtimes via deb.sury.org. Static-only sites, plus a reverse-proxy mode for Node.js / Python / Docker.
WordPress: plugin / theme manager via wp-cli, vulnerability scan against the Wordfence feed, and one-click staging with push-to-prod behind a pre-push safety backup.
Backups: local tar.gz + DB dump, or off-site to S3-compatible storage (Wasabi / B2 / MinIO / AWS) with client-side age encryption; the private key never touches the node, so a restore needs the age identity supplied from outside it. Granular restore: full, DB-only or files-only. Restore any archive as a brand-new domain.
Jobs: migration, install, cert issue, backup, clone, each with an HTMX-polled progress bar on /jobs/<id>. Navigate away and back; it's still updating.
Per-site hardening & caching: HTTP basic auth, HSTS presets, custom nginx snippet (validated with nginx -t before reload), FastCGI page cache, Redis object cache.
ACME TLS: HTTP-01 one-click + auto-renewal, and DNS-01 wildcard via a guided TXT record or a Cloudflare API token.
File manager: browse, upload, inline editor, type-the-name delete. Symlinks & path traversal are refused at the adapter layer.
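Two of the adapter-layer rules quoted on this page, typed pre-validated arguments handed to a command as argv (never a shell string) and path traversal / symlink refusal in the file manager, as one added example in Go that is not Hyperion's code. The hostname grammar, the example.com to example_com mapping (taken from the hctl transcript below), the useradd flags and the 32-character user cap are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
)

// DomainName is a validated newtype: only a parsed value can reach an adapter.
type DomainName struct{ s string }

var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// ParseDomain accepts lowercase letter-digit-hyphen hostnames only; spaces,
// shell metacharacters and empty labels are rejected before any command exists.
func ParseDomain(raw string) (DomainName, error) {
	if len(raw) == 0 || len(raw) > 253 {
		return DomainName{}, errors.New("domain length out of range")
	}
	for _, label := range strings.Split(raw, ".") {
		if !labelRe.MatchString(label) {
			return DomainName{}, fmt.Errorf("invalid label %q", label)
		}
	}
	return DomainName{raw}, nil
}

func (d DomainName) String() string { return d.s }

// SystemUser derives the Linux account (example.com -> example_com); the
// 32-character cap is an assumption, not something the page states.
func (d DomainName) SystemUser() string {
	u := strings.NewReplacer(".", "_", "-", "_").Replace(d.s)
	if len(u) > 32 {
		u = u[:32]
	}
	return u
}

// UserAddCommand builds argv directly: no shell parses it, so even a value
// that slipped past validation stays one literal argument.
// The unsafe shape it replaces would be exec.Command("sh", "-c", "useradd -m "+raw).
func UserAddCommand(d DomainName) *exec.Cmd {
	home := "/home/" + d.SystemUser()
	return exec.Command("useradd", "--create-home", "--home-dir", home,
		"--shell", "/usr/sbin/nologin", d.SystemUser())
}

// SafeJoin resolves rel under root for the file manager. It refuses absolute
// paths, any ".." escape, and any existing component that is a symlink, so a
// tenant cannot leave their htdocs by traversal or by planting a link.
func SafeJoin(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", errors.New("absolute path refused")
	}
	clean := filepath.Clean(rel)
	if clean == ".." || strings.HasPrefix(clean, "../") {
		return "", errors.New("path traversal refused")
	}
	full := filepath.Join(root, clean)
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", errors.New("path escapes root")
	}
	// Lstat does not follow links, so a symlink anywhere in the chain is
	// detected instead of silently traversed. Components that do not exist
	// yet (a new upload) end the walk.
	cur := root
	for _, part := range strings.Split(strings.TrimPrefix(full, root), string(filepath.Separator)) {
		if part == "" {
			continue
		}
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if errors.Is(err, os.ErrNotExist) {
			break
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("symlink refused: %s", cur)
		}
	}
	return full, nil
}

func main() {
	d, err := ParseDomain("example.com")
	fmt.Println(d, err, UserAddCommand(d).Args)
	_, err = ParseDomain("example.com; rm -rf /")
	fmt.Println("rejected:", err)
	_, err = SafeJoin("/home/example_com/example.com/htdocs", "../../.ssh/authorized_keys")
	fmt.Println("rejected:", err)
}
```

The two checks are independent on purpose: the newtype keeps bad input out, and argv construction means a validator bug still cannot become a shell injection. SafeJoin walks the real filesystem with Lstat rather than trusting a lexical check alone, because a lexically clean path can still pass through a symlink the tenant created.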
Limits: kernel-enforced disk quota via setquota, per-pool memory_limit, monthly bandwidth alerts.
Multi-node cluster
The master holds the web UI, audit log and nodes registry. Workers run an agent the master drives over an Ed25519-signed RPC channel: Canonical JSON over self-signed HTTPS on port 9443. Integrity comes from the signature, not the TLS; the self-signed HTTPS only hides traffic from passive observers, and any frame that reaches port 9443 is accepted or dropped on the Ed25519 check alone. No DNS dependency between nodes; addressing is IP-based.
Enroll a worker in about 30 seconds: Nodes → Generate invite → paste the printed curl … | sudo bash on a fresh VPS.
Architecture
A privileged agent owns all system state; an unprivileged web binary talks to it over a local Unix socket. The AdapterPort trait is mocked end-to-end, so the orchestrator's rollback paths are unit-tested in isolation.
Web binary: axum + askama + HTMX, runs unprivileged in the hyperion-admin group. Owns the audit log, web users, sessions ledger, enrolled-nodes registry and the Ed25519 master signing key.
Agent: owns all system state (users, dirs, nginx vhosts, FPM pools, DBs, certs, FTP, cron, backups). Listens on /run/hyperion.sock (mode 0660, group hyperion-admin); on workers, also on 0.0.0.0:9443 for signed RPC.
Wire format: Canonical JSON frames, max frame 128 MiB, token-on-first-use enrollment. Two processes, one clear responsibility each.
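The master-to-worker exchange described above (Ed25519 signature over canonical JSON, the 128 MiB frame cap, token-on-first-use key pinning, constant-time token compare), as an added Go example that is not Hyperion's code. Go's json.Marshal on a decoded value gives sorted keys and no whitespace, which stands in for the project's Canonical-JSON here; the envelope field names, the invite token value and the "pub" field carried on the first frame are assumptions. Replay protection is not described on the page and is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

const MaxFrame = 128 << 20 // 128 MiB, the cap stated on the page

// Envelope is what crosses port 9443: the canonical payload the signature
// covers, the signature, and on the first frame only the invite token and
// the master's public key for pinning (field names assumed).
type Envelope struct {
	Payload json.RawMessage `json:"payload"`
	Sig     []byte          `json:"sig"`
	Token   []byte          `json:"token,omitempty"`
	Pub     []byte          `json:"pub,omitempty"`
}

// Canonicalize re-serialises JSON with sorted keys and no whitespace, so
// signer and verifier hash byte-identical input however the sender formatted it.
func Canonicalize(raw []byte) ([]byte, error) {
	var v any
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	return json.Marshal(v)
}

type Master struct{ priv ed25519.PrivateKey }

func NewMaster() (*Master, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Master{priv}, err
}

// Sign canonicalises the payload and signs exactly those bytes. A non-nil
// token marks the enrollment frame and attaches the public key to pin.
func (m *Master) Sign(payload, token []byte) (*Envelope, error) {
	canon, err := Canonicalize(payload)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Payload: canon, Sig: ed25519.Sign(m.priv, canon)}
	if token != nil {
		env.Token = token
		env.Pub = m.priv.Public().(ed25519.PublicKey)
	}
	return env, nil
}

type Worker struct {
	invite []byte            // one-time token printed by "Generate invite"
	pinned ed25519.PublicKey // nil until the first valid frame
}

// Verify enforces the frame cap, token-on-first-use pinning, and the
// Ed25519 signature over the canonical payload. TLS is never consulted.
func (w *Worker) Verify(frameLen int, env *Envelope) ([]byte, error) {
	if frameLen > MaxFrame {
		return nil, errors.New("frame exceeds 128 MiB")
	}
	if w.pinned == nil {
		if subtle.ConstantTimeCompare(env.Token, w.invite) != 1 {
			return nil, errors.New("enrollment token mismatch")
		}
		if len(env.Pub) != ed25519.PublicKeySize {
			return nil, errors.New("bad master key")
		}
		w.pinned = ed25519.PublicKey(env.Pub)
		w.invite = nil // the token is single-use
	}
	canon, err := Canonicalize(env.Payload)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(w.pinned, canon, env.Sig) {
		return nil, errors.New("bad signature")
	}
	return canon, nil
}

func main() {
	m, _ := NewMaster()
	token := []byte("inv_constructed_token") // constructed for the demo
	w := &Worker{invite: token}
	env, _ := m.Sign([]byte(`{"method":"hosting.create","node":"w1","params":{"php":"8.3","domain":"example.com"}}`), token)
	canon, err := w.Verify(len(env.Payload), env)
	fmt.Println(string(canon), err)
	env.Payload = []byte(`{"method":"hosting.create","node":"w1","params":{"php":"8.3","domain":"evil.example"}}`)
	_, err = w.Verify(len(env.Payload), env)
	fmt.Println("tampered:", err)
}
```

Once a key is pinned, later frames carry no token and any "pub" field they include is ignored, which is what makes the invite single-use. Because the worker re-canonicalises before verifying, a re-ordered or re-spaced but semantically identical payload still verifies, while a one-character change to a parameter does not.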
Security
A model that doesn't rely on trusting shell-script templating. Memory-safe to the core, signed at every boundary, tamper-evident by construction.
No unsafe code, in every crate. The compiler enforces it, so there is no unsafe block to audit in Hyperion's own code (dependencies keep whatever unsafe they contain).
Password hashing at OWASP-recommended parameters. Constant-time secret & username comparison on every login and heartbeat.
Sessions with a DB-backed revocation ledger: kill a stolen cookie immediately from /settings/sessions.
Two-factor auth required for admin+ roles, with one-time backup codes and an optional 30-day remember-device.
Brute-force protection: the agent scans access logs for wp-login / xmlrpc floods and auto-bans IPs via an nftables set. Bans survive reboots.
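The log-scan side of that auto-ban, as an added Go example that is not Hyperion's code: it parses nginx combined-format lines, counts POSTs to wp-login.php / xmlrpc.php per client inside a sliding window, and builds the nft invocation as argv. The log lines are constructed; the threshold, window, nftables table and set names (inet hyperion banned_v4, declared with the timeout flag) and the 1h ban length are assumptions. Persisting bans across reboots is not shown.

```go
package main

import (
	"fmt"
	"net"
	"os/exec"
	"regexp"
	"strings"
	"time"
)

// nginx combined log line; only the fields the detector needs are captured:
// client IP, timestamp, method, request path and status.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

var targets = []string{"/wp-login.php", "/xmlrpc.php"}

type Hit struct {
	IP   string
	At   time.Time
	Path string
}

// ParseLine returns ok=false for anything that is not a POST to a login or
// xmlrpc endpoint; page loads (GET) are never counted.
func ParseLine(line string) (Hit, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil || m[3] != "POST" {
		return Hit{}, false
	}
	path := m[4]
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i] // ignore the query string when matching
	}
	matched := false
	for _, t := range targets {
		if path == t {
			matched = true
		}
	}
	if !matched {
		return Hit{}, false
	}
	at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return Hit{}, false
	}
	return Hit{IP: m[1], At: at, Path: path}, true
}

// Flooders returns, in order of detection, each IP whose login/xmlrpc POST
// count exceeds limit within any window-sized span. Lines are assumed to be
// in log (chronological) order.
func Flooders(lines []string, limit int, window time.Duration) []string {
	recent := map[string][]time.Time{}
	banned := map[string]bool{}
	var out []string
	for _, ln := range lines {
		h, ok := ParseLine(ln)
		if !ok || banned[h.IP] {
			continue
		}
		ts := append(recent[h.IP], h.At)
		for len(ts) > 0 && h.At.Sub(ts[0]) > window {
			ts = ts[1:] // slide the window forward
		}
		recent[h.IP] = ts
		if len(ts) > limit {
			banned[h.IP] = true
			out = append(out, h.IP)
		}
	}
	return out
}

// BanCommand builds the nft call as argv (no shell). The IP is re-validated
// even though it came from a regex capture; table/set names are assumed.
func BanCommand(ip string) (*exec.Cmd, error) {
	if net.ParseIP(ip) == nil {
		return nil, fmt.Errorf("refusing non-IP %q", ip)
	}
	return exec.Command("nft", "add", "element", "inet", "hyperion", "banned_v4",
		"{ "+ip+" timeout 1h }"), nil
}

// SampleLog is constructed input: one client hammering wp-login.php eight
// times in eight seconds, another doing a normal page load and login.
func SampleLog() []string {
	const f = `%s - - [08/Jun/2026:14:40:%02d +0000] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"`
	var lines []string
	for i := 0; i < 8; i++ {
		lines = append(lines, fmt.Sprintf(f, "203.0.113.7", i, "POST", "/wp-login.php", 200))
	}
	return append(lines,
		fmt.Sprintf(f, "198.51.100.9", 10, "GET", "/wp-login.php", 200),
		fmt.Sprintf(f, "198.51.100.9", 12, "POST", "/wp-login.php", 302),
		fmt.Sprintf(f, "198.51.100.9", 15, "POST", "/xmlrpc.php?rsd", 200),
	)
}

func main() {
	for _, ip := range Flooders(SampleLog(), 5, time.Minute) {
		cmd, _ := BanCommand(ip)
		fmt.Println("would run:", cmd.Args)
	}
}
```

Counting only POSTs keeps ordinary visitors who merely open the login page out of the tally, and re-validating the IP before it reaches nft means a crafted log line cannot turn into an nft argument it was not meant to be.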
Audit log: a tamper-evident hash chain over every state change, with a Verify chain button on /audit. A chain by itself proves internal consistency; comparing its head against a copy held outside the database is what catches a wholesale rewrite.
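The hash-chain audit log and its verify step, as an added Go example that is not Hyperion's code. The columns follow the hctl audit output shown below; the hashing scheme (SHA-256 over the JSON of the entry including its previous hash) and the JSON field names are assumptions. The test also walks through what an attacker with direct database write access can and cannot hide.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry mirrors the columns the CLI prints (ID, TS, ACTOR, ACTION, RESULT)
// plus the two fields that link it into the chain.
type Entry struct {
	ID     uint64 `json:"id"`
	TS     string `json:"ts"`
	Actor  string `json:"actor"`
	Action string `json:"action"`
	Result string `json:"result"`
	Prev   string `json:"prev"` // hex hash of the previous entry ("" for the first)
	Hash   string `json:"hash"` // hex SHA-256 of this entry with Hash blanked
}

// digest hashes the entry's content and its Prev link. Hash itself is
// excluded (set to "") so the computation is reproducible on verify.
func digest(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // struct field order is fixed, so bytes are stable
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

type AuditLog struct{ entries []Entry }

// Append links the new entry to the current head and seals it.
func (l *AuditLog) Append(ts, actor, action, result string) Entry {
	e := Entry{ID: uint64(len(l.entries)) + 1, TS: ts, Actor: actor, Action: action, Result: result}
	if n := len(l.entries); n > 0 {
		e.Prev = l.entries[n-1].Hash
	}
	e.Hash = digest(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify recomputes every hash and every link. It returns the index of the
// first entry that fails, or -1 if the whole chain is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.Prev != prev || digest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Head is the latest hash. A copy kept outside the database is what turns
// "internally consistent" into "not rewritten".
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return ""
	}
	return l.entries[len(l.entries)-1].Hash
}

// Tamper simulates a direct edit of one row (constructed for the demo).
func (l *AuditLog) Tamper(i int, result string) { l.entries[i].Result = result }

func main() {
	var l AuditLog
	l.Append("2026-06-08 14:42", "cli:root", "set_limits", "ok")
	l.Append("2026-06-08 14:42", "agent", "hosting.suspend", "ok")
	l.Append("2026-06-08 14:42", "agent", "hosting.backup", "ok")
	fmt.Println("intact, first bad index:", l.Verify())
	l.Tamper(1, "denied")
	fmt.Println("after edit, first bad index:", l.Verify())
}
```

Editing a row breaks that row's hash; re-sealing the row breaks the next row's Prev link; re-sealing every row after it restores internal consistency but moves the head, which is why the head needs a home the database writer cannot reach.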
Command line
A thin client over the same Unix socket as the web UI. The "ssh in and poke" path for when something on a node is too broken for the panel.
$ hctl hosting create example.com --php 8.3 --db mariadb
✓ created example_com (id=01K4Z…)
  root: /home/example_com/example.com/htdocs
  db:   lm_a8c_examplecz (user=lm_a8c_u, pass=Hx9k…RnG2)
  cert: issuer=self-signed, not_after=2027-06-01
$ hctl hosting backup-now example.com
✓ backup 17 ok
  archive: …/example.com-1764672000.tar.gz
  bytes:   148373921
$ hctl audit --limit 3
ID  TS                ACTOR     ACTION           RESULT
42  2026-06-08 14:42  agent     hosting.backup   ok
41  2026-06-08 14:42  agent     hosting.suspend  ok
40  2026-06-08 14:42  cli:root  set_limits       ok
Install
One command on a fresh Debian 12+ VPS, as root. It apt-installs the stack, builds Hyperion from source, lays down configs and systemd units, and prompts for an admin password. As with any curl | bash installer, fetch the script first and read it before running it as root.
curl -fsSL https://raw.githubusercontent.com/nechodom/hyperion/main/packaging/install/install-master.sh | sudo bash
1. Run the one-liner, then browse to https://<host>:8443.
2. Nodes → Generate invite → paste the printed command on a fresh VPS.
3. Create a hosting, pick auto placement, and the master places it on the best node.