RedFlag
Self-hosted update management for homelabs — enterprise-grade security without the vendor
Homelabs deserve enterprise-grade update management without the vendor lock-in.
That's the entire pitch. If you run more than a handful of services — and if you take security seriously — you need to know what needs updating, when, and whether the update is legitimate. RedFlag does this with a security model that would satisfy a paranoid sysadmin, because it was built by one.
The problem
You're running 25 Docker containers, a few bare-metal services, maybe some Windows machines on the network. How do you know what needs updating? You check manually, maybe run apt update when you remember, maybe watch for GitHub release notifications. At scale, this breaks down. Things fall through the cracks. You run an EOL image for months because nobody noticed.
Enterprise update management exists — WSUS, SCCM, Intune, Jamf. But those tools come with vendor dependencies, licensing costs, and architectures designed for corporate environments where you have an IT team and a budget.
RedFlag is for the rest of us.
The security model
This is where it gets serious.
Ed25519 command and binary signing. Every update command and every binary distributed through RedFlag is cryptographically signed. The agent on the receiving end verifies the signature before executing anything. If it doesn't verify, it doesn't run. No exceptions.
Three-tier token authentication. Registration tokens, session tokens, and command tokens — each with different lifetimes and scopes. A compromised session token can't register new machines. A compromised registration token can't issue commands.
SHA256-bound machine IDs. Each managed machine has a cryptographically bound identity. You can't impersonate a machine by spoofing a hostname.
Nonce-based replay protection. Every command includes a nonce. Replay a captured command packet and it gets rejected. This matters when you're distributing update commands across a network.
Path-traversal-hardened binary delivery. The binary distribution system is hardened against path traversal attacks. No ../../etc/passwd through the update channel.
Pull-only agents, no inbound ports. Agents poll the server for updates — the server never pushes to agents. This means your managed machines don't need inbound ports open. Firewall-friendly by design.
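The following Go program is an added illustration, not RedFlag's own code: it shows how an agent-side gate would enforce the two rules above, signature verification before anything executes and rejection of a replayed nonce. The Command struct, the length-prefixed nonce||payload encoding and the fixed key seed are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is an assumed wire format, not RedFlag's real schema.
type Command struct {
	Nonce, Payload, Signature []byte
}

// signedBytes length-prefixes the nonce so bytes cannot be moved
// between nonce and payload without changing the signed message.
func signedBytes(nonce, payload []byte) []byte {
	msg := binary.BigEndian.AppendUint32(nil, uint32(len(nonce)))
	msg = append(msg, nonce...)
	return append(msg, payload...)
}

// Sign is the server-side step, included so the example runs alone.
func Sign(priv ed25519.PrivateKey, nonce, payload []byte) Command {
	return Command{nonce, payload, ed25519.Sign(priv, signedBytes(nonce, payload))}
}

// Accept is the agent-side gate: signature first, so an unauthenticated
// packet can never mark a nonce as used; seen must persist across restarts.
func Accept(pub ed25519.PublicKey, seen map[string]bool, c Command) error {
	if !ed25519.Verify(pub, signedBytes(c.Nonce, c.Payload), c.Signature) {
		return errors.New("bad signature: not executing")
	}
	if seen[string(c.Nonce)] {
		return errors.New("replayed nonce: not executing")
	}
	seen[string(c.Nonce)] = true
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, 32)) // constructed seed, demo only
	pub := priv.Public().(ed25519.PublicKey)
	seen := map[string]bool{}
	cmd := Sign(priv, []byte("0123456789abcdef"), []byte("apt-get upgrade -y"))
	fmt.Println("first:", Accept(pub, seen, cmd))    // <nil>
	fmt.Println("replay:", Accept(pub, seen, cmd))   // replayed nonce
	cmd.Payload = []byte("tampered")
	fmt.Println("tampered:", Accept(pub, seen, cmd)) // bad signature
}
```

In a real agent the seen set would be backed by durable storage, since an in-memory set forgets every accepted nonce on restart.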
The stack
- Server: Go backend + PostgreSQL
- Web UI: React
- Agents: Go (Linux: APT, DNF, Docker | Windows: Windows Update, Winget)
- Tests: 170 tests across 18 packages
The Go backend handles authentication, command signing, binary distribution, and state tracking. The React frontend gives you visibility into your fleet — what's running, what's outdated, what needs attention. Agents run on managed machines and report back.
Platform support
- Linux: APT (Debian/Ubuntu), DNF (Fedora/RHEL), Docker container updates
- Windows: Windows Update integration, Winget package management
Current state
Shipping v1.0. 170 tests across 18 packages, production-hardened through real use on real infrastructure.
Links: GitHub · Discord Community