Publish the customer bundle automatically after web and ingest image publish workflows complete. The bundle job derives bundle/v* from .release-please-manifest.json at the component tag, pins WEB_IMAGE_TAG or INGEST_IMAGE_TAG to the just-published image tag, and runs deploy/scripts/publish-forgejo-release.sh so upgrade.sh has a fresh bundle to consume.

Validation:
- bash deploy/scripts/test-forgejo-web-release.sh
- bash deploy/scripts/test-forgejo-bundle-release.sh
- bash deploy/scripts/test-docker-publish-web-workflow.sh
- bash deploy/scripts/test-docker-publish-ingest-workflow.sh
- ruby YAML parse check for changed workflows
- PR checks green on Forgejo
CT-Ops
Infrastructure monitoring built for engineering teams that can't phone home.
CT-Ops is an open-source monitoring and operations platform designed to run entirely on your own infrastructure — no SaaS dependencies, no telemetry, no licence servers. Deploy it in five minutes on a single Docker host or scale it to a Redpanda-backed HA cluster. Either way, it works in an air-gapped environment out of the box.
Features
- Agent-based host monitoring — lightweight Go agent, single binary, communicates over gRPC/mTLS on port 9443. Browser traffic terminates TLS on 443 via a bundled nginx container.
- Real-time metrics — CPU, memory, disk, and network graphs backed by TimescaleDB, visible seconds after agent enrolment.
- Alerting & notification routing — rule-based alerts with configurable thresholds and multi-channel notification delivery.
- Certificate lifecycle management — inspect, validate, and track X.509 certificates from URL or file upload. Expiry alerts built in.
- Network inventory — CIDR-based network management with a live topology graph view.
- Directory user lookup — query LDAP/Active Directory in real time, no sync job required. Community tier (no paywall).
- Service account & identity tracking — inventory SSH keys, API tokens, and service identities across your estate.
- Host groups & tagging — flexible `key:value` tags on any resource, group-based access control for teams.
- Terminal workspace — split-pane browser terminal for ad-hoc investigation without leaving the dashboard.
- Air-gap agent bundles — download a self-contained zip (binary + config + install script) for hosts that can't reach the internet.
- Instance-scoped RBAC — `super_admin` → `instance_admin` → `engineer` → `read_only` → `agent` role hierarchy.
- Three deployment profiles — `single` (one host), `standard` (Redpanda), `ha` (clustered) — same codebase, different `docker-compose` files.
Quick Start
Requirements: Docker, curl, unzip, openssl. Do not run as root.
```bash
# Download and unpack the latest release
# The installer verifies the published SHA-256 checksum before unpacking.
curl -fsSL https://forgejo.carrtech.dev/carrtech/ct-ops/raw/branch/main/install.sh | bash
cd ct-ops

# First run creates .env from the example file
./start.sh

# Set your domain and credentials
$EDITOR .env

# Boot the stack
./start.sh
```
Open https://localhost (or the domain you configured) to complete setup. Your browser will warn about the self-signed certificate on first visit — accept it, or drop a real cert into deploy/tls/server.{crt,key} and restart the nginx container.
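A pre-flight check for a real certificate before it goes into deploy/tls/, shown as an added example that is not part of CT-Ops. The function name `check_tls_pair`, the `MIN_DAYS` variable and its 30-day default are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: validate a PEM certificate/key pair before copying it to
# deploy/tls/server.crt and deploy/tls/server.key (paths from the README).
# check_tls_pair and MIN_DAYS are hypothetical names, not part of CT-Ops.

MIN_DAYS="${MIN_DAYS:-30}"   # assumed policy: reject certs expiring sooner than this

check_tls_pair() {
  local crt="$1" key="$2" cert_pub key_pub mode
  [ -r "$crt" ] && [ -r "$key" ] \
    || { echo "missing or unreadable cert/key" >&2; return 2; }

  # 1. The public key in the certificate must match the private key.
  #    -passin pass: stops openssl prompting if the key is encrypted.
  cert_pub="$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" \
    || { echo "not a PEM certificate: $crt" >&2; return 3; }
  key_pub="$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)" \
    || { echo "not an unencrypted PEM private key: $key" >&2; return 3; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "certificate and private key do not belong together" >&2; return 4; }

  # 2. The certificate must remain valid for at least MIN_DAYS more days.
  openssl x509 -in "$crt" -noout -checkend "$((MIN_DAYS * 86400))" >/dev/null \
    || { echo "certificate expires within $MIN_DAYS days" >&2; return 5; }

  # 3. The private key must not be accessible to "other" users
  #    (last octal digit of the mode must be 0). GNU stat first, BSD fallback.
  mode="$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")"
  case "$mode" in
    *0) ;;
    *) echo "private key mode $mode is world-accessible" >&2; return 6 ;;
  esac
  return 0
}
```

Call it as `check_tls_pair new.crt new.key` and copy the files into deploy/tls/ only when it returns 0.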
To pin a specific version:
```bash
curl -fsSL https://forgejo.carrtech.dev/carrtech/ct-ops/raw/branch/main/install.sh \
  | CT_OPS_VERSION=v0.3.0 bash
```
Enrol your first agent
Once the stack is running, go to Administration → Agents → Enrolment in the UI. Copy the one-line install command or download an offline bundle for air-gapped hosts.
Documentation
Full docs — installation, configuration, architecture, deployment profiles, and feature guides — are at:
https://forgejo.carrtech.dev/carrtech/ct-ops
Deployment Profiles
| Profile | When to use |
|---|---|
| `docker-compose.single.yml` | Single host, in-process queue, up to ~50 agents |
| `docker-compose.standard.yml` | Single Redpanda node, production workloads |
| `docker-compose.ha.yml` | Redpanda cluster, multiple ingest and web nodes, HAProxy |
All profiles produce a self-contained tarball suitable for air-gap deployment via deploy/scripts/airgap-bundle.sh.
Licence
| Component | Licence |
|---|---|
| Core platform & web app | Apache 2.0 |
| Agent | Apache 2.0 |
| Enterprise features (`apps/web/enterprise/`) | Proprietary (source-available) |
The agent is always open source — security teams need to audit what runs on their hosts.
Contributing
Issues and PRs are welcome. See CLAUDE.md for architecture decisions and conventions.