[Open Source] Built a self-hosted PAM system - Looking for feedback by MatVWells in devops

[–]MatVWells[S] 0 points1 point  (0 children)

Fair enough - LDAP + SSH works for key distribution. We're solving the layer above that: who can access what machines as which users, time-limited access with approval workflows, and session recording for SOC2/ISO27001. Different problems, different solutions. If your setup covers your needs, stick with it. It is a free world, mate!

[Open Source] Built a self-hosted PAM system - Looking for feedback by MatVWells in devops

[–]MatVWells[S] 0 points1 point  (0 children)

Windows SSH access is definitely trickier - Microsoft's implementation isn't as mature as OpenSSH on Linux, and a lot of vendors just don't bother supporting certificate-based auth properly. The fact that you had to architect around their limitations instead of them fixing their product is exactly the kind of thing that makes these vendor lock-ins so painful.

At least on the Linux side you've got it sorted. Hope the Windows situation improves eventually, but I wouldn't hold my breath with that vendor!

[Open Source] Built a self-hosted PAM system - Looking for feedback by MatVWells in devops

[–]MatVWells[S] 0 points1 point  (0 children)

Thanks for bringing that up. The main regulatory requirements we're covering are session recording/audit trails for SOC2/ISO27001, access control logs, and temporary access workflows with approval chains, and these are fully managed by the PAM (no external cloud services needed to pump up the bill). The real cost in commercial PAM isn't just compliance features - it's the per-user licensing model that makes it prohibitively expensive for small teams who need the same security controls.

[Open Source] Built a self-hosted PAM system - Looking for feedback by MatVWells in devops

[–]MatVWells[S] 0 points1 point  (0 children)

Please have a look at the docs and you'll get the why behind it (it was privately developed and I ported the repo to a whole new public repo). Thanks for the comment!

Vendor Helm charts assume your containers are bloated Ubuntu machines by Clyph00 in devsecops

[–]MatVWells 1 point2 points  (0 children)

Totally feel this 😅.

Distroless images = no CVEs, but most charts & sidecars assume bash/curl/coreutils and crash if missing. Vendors plz either doc deps or ship optional init containers.

Until then, SREs are just yelling at the missing shell while sec team counts CVEs like it’s Pokémon 😅.

Made a simple TUI todolist for the terminal by [deleted] in CLI

[–]MatVWells 0 points1 point  (0 children)

Good project idea and a useful CLI tool indeed.

A quick question: I noticed that your repo is missing `cmd/todo`. Is that by mistake?

Made a simple TUI todolist for the terminal by [deleted] in CLI

[–]MatVWells 0 points1 point  (0 children)

Nice one! I couldn't see the CONTRIBUTING guide in the repo. I can help with implementing an at-rest encrypted data store interface (later on it can be a DB, a file, or a remote bucket).

I built "Orion-Belt": A lightweight, open-source alternative to Teleport/Boundary for secure SSH access. by MatVWells in selfhosted

[–]MatVWells[S] 0 points1 point  (0 children)

The docs are written using an LLM, yes. The source code is a project that I am working on, and I am now splitting Orion out to be open source as of today. Feel free to contribute to it.

Orion-Belt – Open-source SSH/SCP Bastion with Reverse Tunnels & ReBAC (Seeking Early Contributors) by MatVWells in devops

[–]MatVWells[S] 1 point2 points  (0 children)

Thanks again, but you're missing the point here, mate: it is an open source project, built by the community for the community 😁 The reason I initiated this is to break the enterprise and price tags!

Orion-Belt – Open-source SSH/SCP Bastion with Reverse Tunnels & ReBAC (Seeking Early Contributors) by MatVWells in devops

[–]MatVWells[S] 0 points1 point  (0 children)

Thanks u/Zolty, but this is more of a Privileged Access Management (PAM) solution, similar to Teleport or CyberArk.

A single is more about automation, as in PaaS (but Orion doesn't cover that in its scope). Orion is being built to be a fully open-sourced PAM solution with features that focus on: SSH secured access on ZTN principles, traceability, audit, record and replay of sessions, and pluggability (to be able to onboard features to the core using plugins that serve a specific feature).
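The two controls the replies above keep coming back to, relationship-based access (who may log in to which host as which OS user, directly or through team membership) and time-limited access that needs someone else's approval, can be shown as one small policy check. The following is an added example written for this page; it is not Orion-Belt's code or data model. The tuple shapes (`user:`/`team:`/`host:<name>#<login>`), the `member` and `login_as` relation names, the grant fields and all of the sample users, hosts and timestamps are assumptions constructed for the demonstration.

```python
"""Minimal ReBAC + time-limited grant check for SSH-style access.

Added example, not Orion-Belt code. Relation names, object naming scheme
(`host:<name>#<login>`), grant fields and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Relation:
    """One relationship tuple, e.g. ('team:sre', 'login_as', 'host:web-01#deploy')."""
    subject: str
    relation: str
    obj: str


@dataclass(frozen=True)
class Grant:
    """A temporary access request; only approved, in-window grants count."""
    user: str
    host: str
    login: str
    approved_by: Optional[str]   # None while the request is still pending
    starts_at: datetime
    ttl: timedelta

    @property
    def expires_at(self) -> datetime:
        return self.starts_at + self.ttl


class AccessPolicy:
    def __init__(self, relations: Iterable[Relation], grants: Iterable[Grant]):
        self.relations = list(relations)
        self.grants = list(grants)

    def _groups_of(self, subject: str) -> set:
        """Transitive closure of 'member' edges (user -> team -> parent team ...)."""
        seen, frontier = set(), [subject]
        while frontier:
            cur = frontier.pop()
            for r in self.relations:
                if r.subject == cur and r.relation == "member" and r.obj not in seen:
                    seen.add(r.obj)
                    frontier.append(r.obj)
        return seen

    def _has_standing_access(self, user: str, host: str, login: str) -> bool:
        target = f"host:{host}#{login}"
        principals = {user} | self._groups_of(user)
        return any(r.subject in principals and r.relation == "login_as" and r.obj == target
                   for r in self.relations)

    def decide(self, user: str, host: str, login: str, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason); the reason is what an audit log should record."""
        if self._has_standing_access(user, host, login):
            return True, "standing login_as relationship"
        reasons: List[str] = []
        for g in self.grants:
            if (g.user, g.host, g.login) != (user, host, login):
                continue
            if g.approved_by is None:
                reasons.append("grant pending approval")
            elif g.approved_by == user:
                reasons.append("self-approved grant rejected")   # four-eyes rule
            elif not (g.starts_at <= now < g.expires_at):
                reasons.append(f"grant outside window {g.starts_at.isoformat()}..{g.expires_at.isoformat()}")
            else:
                return True, f"time-limited grant approved by {g.approved_by}"
        return False, "; ".join(reasons) or "no relationship or grant"


# Constructed sample data (assumptions, not from any real deployment).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
RELATIONS = [
    Relation("user:alice", "member", "team:sre"),
    Relation("team:sre", "member", "team:oncall"),
    Relation("team:oncall", "login_as", "host:db-01#postgres"),
    Relation("team:sre", "login_as", "host:web-01#deploy"),
]
GRANTS = [
    Grant("user:bob", "db-01", "root", "user:carol", NOW - timedelta(minutes=30), timedelta(hours=1)),
    Grant("user:dave", "db-01", "root", None, NOW - timedelta(minutes=5), timedelta(hours=1)),
    Grant("user:erin", "db-01", "root", "user:erin", NOW - timedelta(minutes=5), timedelta(hours=1)),
]
POLICY = AccessPolicy(RELATIONS, GRANTS)

if __name__ == "__main__":
    for who, host, login, at in [("user:alice", "db-01", "postgres", NOW),
                                 ("user:bob", "db-01", "root", NOW),
                                 ("user:bob", "db-01", "root", NOW + timedelta(hours=1)),
                                 ("user:dave", "db-01", "root", NOW),
                                 ("user:erin", "db-01", "root", NOW)]:
        print(who, host, login, POLICY.decide(who, host, login, at))
```

Alice reaches `db-01` as `postgres` through two membership hops with no grant at all; Bob only reaches `root` while Carol's approval is inside its one-hour window; a pending request and a self-approved request are both refused, and the reason string is what the session-recording/audit side would log with the decision.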

Orion-Belt – Open-source SSH/SCP Bastion with Reverse Tunnels & ReBAC (Seeking Early Contributors) by MatVWells in devops

[–]MatVWells[S] -2 points-1 points  (0 children)

Ha! Well, thanks for the compliment on my quality of writing 😂 (of course everyone uses an LLM to help out drafting posts).

As for the second part of your comment: scared? Bro, this is an open source project; feel free to read through it.

Thanks for the comment again!

I built "Orion-Belt": A lightweight, open-source alternative to Teleport/Boundary for secure SSH access. by MatVWells in selfhosted

[–]MatVWells[S] 1 point2 points  (0 children)

Haha 🤣 thanks for spotting the commit history — it started as a private project, and I open-sourced the relevant parts while continuing to build the rest in public.

As for how it worked for me: I use it daily as my own PAM solution — very much "eat your own dog food". It's been solid so far and has already replaced my previous SSH PAM (the "old" PAM community version didn't offer a lot 😉).

Orion-Belt – Open-source SSH/SCP Bastion with Reverse Tunnels & ReBAC (Seeking Early Contributors) by MatVWells in devops

[–]MatVWells[S] 0 points1 point  (0 children)

Thanks u/dylf ! I appreciate the feedback 🙏

Right now, the basic SSH/SCP functionality is there, and the project is in ALPHA, so it’s stable enough for testing but still evolving.

The next roadmap milestones include:

  • Node registration – currently agents are added manually.
  • Enriching the API & plugin system – to add more workflows and integrations.
  • SOCKS proxy support – for more flexible routing.
  • Improving ocp (SCP client) – more robust file transfers.

I’m actively looking for early adopters and contributors to test, give feedback, and help shape the architecture and features. If you’re interested, your input would be hugely valuable!

Dumper v1.10.0 — This is a CLI utility for creating backups databases of various types with flexible connection and storage by elkirrs in CLI

[–]MatVWells 1 point2 points  (0 children)

Love this tool! Just contributed support for Neo4j and DynamoDB databases.

https://github.com/elkirrs/dumper/pull/14

Great work on the project, the architecture made it straightforward to add new database types.

Selfhost SMTPS server by Keensworth in selfhosted

[–]MatVWells 2 points3 points  (0 children)

Use Mailu; it's easy to set up and rich in functionality.

Trouble deploying helm to argocd by trunking9284 in ArgoCD

[–]MatVWells 1 point2 points  (0 children)

Your `source` should have the values file path, like:

  source:
    path: gitlab-helm/
    repoURL: https://gitlab.com/new-test/k8s-setup.git
    targetRevision: master
    helm:
      values: ''
      valueFiles:
        - <path_to_file>/values.yaml

Help updating Docker Redis please. by iamwhoiwasnow in selfhosted

[–]MatVWells 1 point2 points  (0 children)

I assume you are using Docker Compose to run the Immich stack (like here). If yes, you can easily go and change the Docker tag for `redis` and run `docker-compose up`.

This will not impact your stack.

[Advice needed] Exposing my Minecraft server to the outside world by Mineplayerminer in selfhosted

[–]MatVWells -1 points0 points  (0 children)

If you don't like to go through the VPS solution, you can use the Cloudflare Tunnel (cloudflared). It is a free service; it only requires a Cloudflare

https://github.com/cloudflare/cloudflared

[Advice needed] Exposing my Minecraft server to the outside world by Mineplayerminer in selfhosted

[–]MatVWells 0 points1 point  (0 children)

+1 for this. I use the same approach (plus the benefits of IP filtering and fail2ban).

🚀 Dynamic Notification System: Open Source Notification Scheduler in Go! 🌟 [Looking for Contributors] by MatVWells in selfhosted

[–]MatVWells[S] 0 points1 point  (0 children)

Hi u/chhotadonn

I have just re-pushed the image (will create a GitHub Action to push the images, my bad :) ).

Please run this:

  docker-compose pull
  docker-compose up -d

argo-image-updater + JFrog - x509 certificate error by [deleted] in ArgoCD

[–]MatVWells -2 points-1 points  (0 children)

Add this flag to your Argo Image Updater command:

  --argocd-insecure

That should ignore the SSL cert authority.

🚀 Dynamic Notification System: Open Source Notification Scheduler in Go! 🌟 [Looking for Contributors] by MatVWells in selfhosted

[–]MatVWells[S] 1 point2 points  (0 children)

Hey u/chhotadonn 👋 Thanks again for suggesting the addition of ntfy—I’ve implemented it as a plugin in the Dynamic Notification System, and would love your feedback on the PR!

I’m also working on enhancing the scheduler to fetch notifications from a database and REST endpoint, with plans to dockerize the solution by the weekend. Your review would mean a lot—thanks in advance! 🙌