Minimal infrastructure.
Maximum control.
MADMIN is a modular infrastructure platform on Ubuntu Minimal. Orchestrate networking, VPN, DNS, firewall and reverse-proxy modules from one hardened, API-first control plane.
Everything to run real infrastructure
A lightweight core with independent, hot-swappable modules. Each one ships with its own permissions, firewall chains and lifecycle.
- core
Modular Architecture
A lightweight core. Every capability — DHCP, DNS, VPN, reverse proxy — is an independent module with its own lifecycle, permissions and firewall chains.
- ubuntu 24.04
Ubuntu Minimal Base
Built on a stripped Ubuntu 24.04 footprint. Fewer packages, smaller attack surface, predictable systemd-native operation.
- iptables · ipset
Orchestrated Firewall
Hierarchical iptables + ipset orchestration. Gateway protection, per-module chains and instant conntrack session termination on new DROP rules.
- 6 modules
Module App-Store
Install, enable and remove modules from the dashboard. DHCP, DNS, OpenVPN, WireGuard, IPsec and Reverse Proxy ship in-tree.
- jwt · totp
RBAC + 2FA
Slug-based granular permissions per module and user. JWT sessions, TOTP two-factor with single-use backup codes, instant token revocation.
- 60s telemetry
Real-time Monitoring
Live CPU, RAM, disk and network telemetry with historical series collected every 60s — surfaced through interactive dashboard charts.
- fastapi · openapi
API-first Control Plane
Every action is a documented FastAPI endpoint. OpenAPI / Swagger schema, JWT bearer security, async by default.
- nginx · let's encrypt
Reverse Proxy + TLS
Publish self-hosted apps over HTTPS in one click. nginx proxy hosts, HTTP basic-auth + IP access lists, automated Let's Encrypt certificates.
One control plane, every layer
Requests flow through a single hardened core and fan out to independent modules — each isolated, each accountable.
Authenticated request hits the dashboard or API.
RBAC, audit, routing — the single control plane.
DHCP, DNS, VPN, reverse proxy act on the request.
systemd, Netplan and iptables apply the change.
Hardened from the kernel up
Minimal surface, isolated modules and full auditability — security is the default posture, not a setting you remember to enable.
Isolated environments
Each module runs in its own permission and firewall-chain boundary. Disabling a module drops its chains, permissions and tables cleanly.
Minimal attack surface
Ubuntu Minimal base plus module dependencies installed only when activated. Nothing runs that you didn't ask for.
Hardened deployments
Dashboard reachable only on the primary management interface by default. Inter-LAN traffic blocked, TOTP enforceable globally.
Reproducible & reliable
Declarative module manifests, scripted installs and full config backup / restore make every deployment repeatable.
# default policy
FORWARD DROP · LAN isolation
dashboard :7443 eth0 only
new DROP rule → conntrack flush
Scriptable to the last endpoint
Install with one command, then drive everything through a documented, async FastAPI surface. Swagger / OpenAPI included, JWT bearer secured.
- /api/health — DB connectivity probe
- /api/modules — lifecycle control
- /api/firewall — rules & gateway protection
- /api/system — live telemetry
A dashboard that respects the operator
Dense where it counts, calm everywhere else. Dark by default, real-time telemetry, every module one click away.
Runs where your infrastructure lives
From a single VM to bare metal. MADMIN is portable by design — the same control plane on every substrate.
- Proxmox: VM on PVE
- KVM: libvirt virtual machines
- VMware: ESXi / vSphere guests
- Bare Metal: Direct on hardware
Take control of your infrastructure
One command to install on Ubuntu 24.04. Open source, MIT licensed, yours to run.