One Unified Control Plane for Infrastructure
Manage servers, cloud providers, automation, and permissions from a single platform. Built for DevOps and platform teams who need enterprise-grade infrastructure orchestration.

Why Build Another Infrastructure Platform?
Modern infrastructure teams juggle AWS consoles, Cloudflare dashboards, SSH terminals, CI/CD pipelines, and permission systems — none of which talk to each other. Nexctl was built to solve this fragmentation.
It is a cloud-agnostic control plane that unifies provider integrations, SSH node orchestration, RBAC, Docker-isolated job execution, OAuth token management, and audit logging into a single, cohesive platform.
The system follows a modular monolith architecture with an event-driven Go backend, a dynamic Next.js frontend, and a plugin-based provider system that auto-registers capabilities.
Provider Integrations
Infrastructure Nodes
RBAC Role Templates
Audit Coverage
Everything Infrastructure Teams Need
From provider integrations to job execution, Nexctl provides a unified toolkit for managing modern infrastructure.
Provider Plugin Architecture
A plugin system that auto-registers providers with reusable capability detection. Each provider declares its capabilities — resources, actions, auth schemes — and the platform adapts dynamically.
SSH Infrastructure Orchestration
Manage Linux nodes via SSH with structured operations for Docker, nginx, systemd, cron, deployments, backups, and package management — all from a central dashboard.
RBAC with Policy Engine
Deny-by-default role-based access control with JSON policy documents, role templates, and provider-scoped permissions. Every API request is authorized against the policy store.
Docker-Isolated Job Runner
Execute Python, Bash, and Node scripts in isolated Docker containers with configurable CPU/memory limits, encrypted secrets injection, and automatic retry logic.
OAuth Token Management
Centralized OAuth token lifecycle management with automatic refresh, encrypted storage, and provider-scoped credential injection. Supports GitHub, Google, and custom providers.
Audit Logging & Event Bus
Every operation is recorded with correlation IDs across the event bus. Full audit trails for compliance, with structured logs and real-time event streaming.
Dynamic Provider Workspace
Provider-driven frontend rendering where each provider contributes its own UI components, actions, and notification handlers — registered at runtime through the plugin system.
Webhook Processing
Ingest and verify webhooks from GitHub, Cloudflare, and others with HMAC signature validation. Route events to provider handlers through the internal event bus.
Real-Time Infrastructure Ops
Streaming terminal sessions, live node metrics, and real-time job logs. WebSocket-powered updates keep the dashboard synchronized with infrastructure state.
Infrastructure Node Management
Manage your entire server fleet from a single interface — no more hopping between SSH sessions.

Enterprise-Grade RBAC
Deny-by-default access control with granular permissions, encrypted secrets, and complete audit trails.
{
  "role": "infra-engineer",
  "permissions": {
    "nodes": ["read", "exec"],
    "jobs": ["create", "read"],
    "providers": ["read"],
    "rbac": ["read"]
  },
  "scope": ["prod-eu-*", "staging-*"]
}
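A deny-by-default check over the policy document above, as an added example that is not Nexctl's own code. It assumes an action must be listed under its resource and the target name must match one `scope` glob; `ParsePolicy`, `Allowed` and the node names are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Policy mirrors the JSON document shown on the page. The evaluation
// semantics below are an assumption, not documented Nexctl behaviour.
type Policy struct {
	Role        string              `json:"role"`
	Permissions map[string][]string `json:"permissions"`
	Scope       []string            `json:"scope"`
}

// The page's sample policy, compacted onto three lines.
const samplePolicy = `{"role":"infra-engineer","permissions":{"nodes":["read","exec"],` +
	`"jobs":["create","read"],"providers":["read"],"rbac":["read"]},` +
	`"scope":["prod-eu-*","staging-*"]}`

// ParsePolicy decodes a policy; on error the zero Policy is returned,
// and a zero Policy grants nothing.
func ParsePolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// Allowed returns true only if the action is listed for the resource AND the
// target matches a scope glob. Unknown resources, unlisted actions, malformed
// patterns and out-of-scope targets all fall through to the final deny.
func Allowed(p Policy, resource, action, target string) bool {
	granted := false
	for _, a := range p.Permissions[resource] {
		granted = granted || a == action
	}
	for _, pattern := range p.Scope {
		// path.Match: "*" never crosses "/", so "prod-eu-*" cannot match "prod-eu-a/b".
		if ok, err := path.Match(pattern, target); granted && err == nil && ok {
			return true
		}
	}
	return false
}

func main() {
	p, err := ParsePolicy(samplePolicy)
	fmt.Println(err, Allowed(p, "nodes", "exec", "prod-eu-web-1"), Allowed(p, "nodes", "exec", "dev-1"))
}
```

Because the only `return true` sits behind both checks, adding a new resource or action to the platform grants nothing until a policy names it.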
Docker-Isolated Job Runner
Execute automation scripts in isolated environments with resource controls, retry logic, and built-in secrets management.

$ nexctl job run --image python:3.12 --script deploy.py
[nexctl] Creating job container...
[nexctl] Isolating with Docker...
[nexctl] Injecting encrypted secrets...
[nexctl] Executing: python deploy.py
✓ Deployment complete (2.4s)
[nexctl] Cleaning up container...
✓ Job finished — exit code 0
Provider Ecosystem
A pluggable provider system that integrates with any service through a unified capability interface.
Plugin Architecture Highlights
Architecture
A modular monolith with event-driven internals and a plugin-based provider system designed for scale.
Frontend
- Next.js 15 (App Router)
- React 19
- TanStack Query
- Tailwind CSS
- Framer Motion
Backend
- Go (Fiber)
- GORM / PostgreSQL
- Event Bus (in-memory)
- Worker Pool
- Audit Pipeline
Infrastructure
- Docker containers
- SSH node orchestration
- Event-driven automation
- Background workers
- Rate limiting
Security
- AES-GCM encryption
- JWT authentication
- RBAC policy engine
- OAuth 2.0 providers
- HMAC webhooks
Design Decisions
Engineering Highlights
Advanced engineering under the hood — from streaming terminals to event-driven architectures.
Streaming SSH Terminal
Real-time terminal sessions streamed via WebSocket with full PTY support, resize handling, and session recording.
Async Logging Pipeline
Non-blocking structured logging with correlation IDs that trace requests across the entire event bus and worker pool.
Correlation IDs
Every operation generates a unique correlation ID that propagates through all services, jobs, and audit records.
Worker Pools
Configurable goroutine worker pools for job execution, SSH operations, and webhook processing with backpressure handling.
In-Memory Event Bus
Lightweight pub/sub event bus for internal communication — providers emit events, workers consume them, audit logs capture everything.
Dynamic Frontend Rendering
Provider-registered UI components render at runtime. The frontend adapts to available providers without redeployment.
Provider Auto-Registration
Providers self-register at startup via Go interfaces. The system detects capabilities, OAuth schemes, and UI components automatically.
OAuth Token Refresh
Automatic OAuth token refresh with encrypted storage and concurrent access safety. Tokens are injected per-provider at runtime.
Durable Execution Records
Every job, SSH command, and webhook event is persisted with full metadata. Historical execution data is queryable and exportable.
Stop Jumping Between Infrastructure Dashboards.
Manage servers, providers, automation, and permissions from a single control plane. Built for teams who need enterprise-grade infrastructure orchestration.