Cenvero Fleet Docs

One controller. Two transport modes. Full control — no cloud required.

Controller binary

The fleet binary manages servers, services, logs, alerts, keys, and updates from your local machine.

Agent binary

The fleet-agent binary runs on each managed server. Installed automatically or manually.

Direct mode

Controller SSHes into the agent on demand. Use when the controller can reach the server.

Reverse mode

Agent dials out to the controller. Use when the server is behind NAT or a firewall.

Install

Pick your preferred method. The controller is a single static binary — no runtime dependencies.

Homebrew recommended

brew tap cenvero/fleet && brew install cenvero-fleet

or one-liner: curl -fsSL https://fleet.cenvero.org/install | sh

# Upgrade anytime with brew upgrade cenvero-fleet. All archives are minisign-verified before install.

One-liner

curl -fsSL https://fleet.cenvero.org/install | sh

# Detects your CPU arch, verifies the minisign signature, installs to /usr/bin/fleet. Also available via Homebrew — brew tap cenvero/fleet && brew install cenvero-fleet

PowerShell

irm https://fleet.cenvero.org/install.ps1 | iex

# Run from an elevated PowerShell prompt. Installs to %ProgramFiles%\fleet and adds it to PATH.

To build from source: git clone https://github.com/cenvero/fleet && make build (Go 1.24+)

Release verification — all release archives are signed with minisign. The installer verifies the signature against the embedded public key before swapping the binary. You can also verify manually with minisign -Vm fleet.tar.gz -p minisign.pub.

Initialize

Run once on the machine that will act as the controller:

fleet init

Creates the config directory (default ~/.cenvero-fleet/), generates Ed25519 controller keys, initialises the SQLite databases, and writes config.toml.

Note — all fleet commands are blocked until fleet init has been run. Running any other command first will print a clear error with the correct next step.

Verify everything looks right:

fleet status
fleet config show

Add a Server

Run fleet server add with no arguments to be guided through a step-by-step prompt, or pass the name and address directly:

# Interactive — prompts for all details
fleet server add

# Non-interactive
fleet server add web-01 192.0.2.10

# Reverse mode (agent dials out to controller)
fleet server add edge-01 unknown --mode reverse

Interactive mode asks for name, address, transport mode, login credentials, SSH port, and sudo preference — Enter accepts each default.

Server add flags

Flag	Default	Description
`--mode`	direct	Transport mode: `direct` or `reverse`
`--port`	2222	Fleet agent port on the remote server
`--user`	root	SSH user the agent runs as
`--login-user`	—	Login user for agent auto-install
`--login-port`	22	SSH port for the initial login
`--login-key`	—	SSH private key for login (defaults to fleet key)
`--login-password`	—	SSH password for login
`--sudo`	false	Use sudo if login user is not root
`--no-agent`	false	Skip agent auto-install (register only)

Server management commands

fleet server list
fleet server show web-01
fleet server reconnect web-01
fleet server bootstrap web-01
fleet server remove web-01

Auto-install Agent

For direct-mode servers the agent is automatically installed by default. The CLI shows an install preview and asks for confirmation before SSHing in.

# Fully interactive
fleet server add

# Key auth
fleet server add web-01 192.0.2.10 \
  --login-user root \
  --login-key ~/.ssh/id_ed25519

# Password auth with sudo
fleet server add web-01 192.0.2.10 \
  --login-user ubuntu \
  --login-password mypassword \
  --sudo

# Register only — skip agent install
fleet server add web-01 192.0.2.10 --no-agent

The auto-install flow:

Shows a preview of files and services that will be created
SSHes to the server using the provided login credentials
Detects CPU architecture via uname -m
Downloads the correct fleet-agent binary from GitHub
Installs to /usr/local/bin/fleet-agent
Creates and enables a fleet-agent.service systemd unit
Starts the service and registers the server in the controller

Linux only — auto-install requires systemd. For macOS or Windows agents, pass --no-agent and follow the manual setup instructions printed after registration.

Teardown

fleet server remove web-01

Stops and disables fleet-agent.service, removes the binary, and deletes the server record.

Transport Modes

Direct mode

Controller initiates SSH to the agent on each operation. Server must be reachable. Best for same-network or public-IP servers.

Reverse mode

Agent dials out and holds the connection open. Controller sends RPCs through the tunnel. Best for NAT'd or firewalled servers.

Mix both modes freely. Start the controller daemon for reverse sessions:

fleet daemon

Start a reverse agent on the remote server:

fleet-agent reverse \
  --controller controller.example.com:9443 \
  --server-name edge-01

Shell Access

Open an interactive root shell on any managed server:

fleet ssh web-01

Invokes the system ssh binary using the fleet controller key, connecting to the agent's SSH port (default 2222) with the fleet host key pinned — no separate SSH setup needed.

Root access — the agent runs as root and fleet always connects as root. Required for systemd, firewall, and privileged operations.

Run Commands

Run a one-off command on a single server:

fleet exec web-01 uptime
fleet exec web-01 "df -h /"
fleet exec web-01 "systemctl status nginx"

Run across all servers concurrently:

fleet exec --all uptime
fleet exec --all "free -m"
fleet exec --all "apt list --upgradable 2>/dev/null | head"

Output is prefixed with the server name. Commands run via /bin/sh -c on the agent.

Services

Track and control systemd services on Linux agents. linux

Track a service

# Add with log file tracking
fleet service add web-01 nginx.service \
  --log /var/log/nginx/access.log \
  --critical

fleet service list web-01

Control services

fleet service start   web-01 nginx.service
fleet service stop    web-01 nginx.service
fleet service restart web-01 nginx.service

Logs

Read tracked service logs live or from the controller-side cache.

Live stream

fleet service logs web-01 nginx.service
fleet service logs web-01 nginx.service --follow

Cached logs

The controller caches log segments locally — access them even when the server is offline:

fleet service logs web-01 nginx.service --cached

Retention is configurable by size, count, and age in config.toml.

Firewall & Ports

Manage UFW rules and open/close ports on Linux agents. linux

Firewall

fleet firewall status  web-01
fleet firewall enable  web-01
fleet firewall disable web-01
fleet firewall add     web-01 "allow 443/tcp"
fleet firewall remove  web-01 "allow 443/tcp"

Ports

fleet port list  web-01
fleet port open  web-01 443
fleet port close web-01 443

Alerts

Fleet evaluates metric thresholds and fires alerts when servers breach them.

# List active alerts
fleet alerts

# Filter by server
fleet alerts --server web-01

# Acknowledge
fleet alerts ack <id>

# Suppress for a duration
fleet alerts suppress <id> --for 6h

Dashboard

Full-terminal TUI with multiple panels:

fleet dashboard

Panel	Description
Overview	Controller status, server count, alert summary
Servers	Per-server health, mode, last seen, metrics
Services	Service status across all tracked servers
Logs	Recent log lines, cached and live
Alerts	Active alerts with ack and suppress actions
Ops	Quick access to common operations

Arrow keys + Tab to navigate. Mouse supported. q or Ctrl+C to exit.

Keys

The controller uses Ed25519 keys for SSH authentication.

# Show controller key fingerprint
fleet key fingerprint

# Rotate across the whole fleet
fleet key rotate

Key rotation pushes the new public key to all connected servers' authorized_keys before replacing the local private key. Safe for both direct and reverse fleets.

Updates

Fleet manages its own updates. Agents are automatically kept in sync with the controller version whenever they connect — no policy configuration required.

# Check for available updates
fleet update check

# Apply the latest release
fleet update apply

# Roll back to the previous version
fleet update rollback

# Switch channel
fleet update channel stable
fleet update channel beta

Channels: stable, beta, alpha. All artifacts are signature-verified before applying.

Homebrew installs — fleet update apply skips self-update when installed via Homebrew and shows the correct brew upgrade cenvero-fleet hint. Agents are still updated regardless.

Configuration

# Show / validate
fleet config show
fleet config validate

# Backup and restore
fleet config backup
fleet config restore

# Export / import (migration)
fleet config export
fleet config import

Database backend

Default is SQLite. Shift to PostgreSQL, MySQL, or MariaDB:

fleet database show
fleet database shift \
  --backend postgres \
  --dsn 'postgres://user:pass@host:5432/fleet?sslmode=require'

All Commands

Command	Description
`fleet init`	Initialize controller config, keys, and databases
`fleet status`	Show controller status and server summary
`fleet dashboard`	Open the terminal dashboard TUI
`fleet daemon`	Start controller daemon (required for reverse mode)
`fleet server add [name] [ip]`	Register server and auto-install agent; `--no-agent` to skip
`fleet server list`	List all registered servers
`fleet server show <name>`	Show server details and last observed state
`fleet server reconnect <name>`	Force reconnect and refresh server info
`fleet server bootstrap <name>`	Run remote bootstrap script
`fleet server metrics <name>`	Show current server metrics
`fleet server remove <name>`	Remove server and tear down managed agent
`fleet ssh <name>`	Open interactive root shell
`fleet exec <name> <cmd>`	Run a command on one server
`fleet exec --all <cmd>`	Run a command on all servers concurrently
`fleet service add <server> <svc>`	Track a service
`fleet service list <server>`	List tracked services
`fleet service start\|stop\|restart <server> <svc>`	Control a service
`fleet service logs <server> <svc>`	Read or follow service logs
`fleet firewall status\|enable\|disable <server>`	Manage UFW
`fleet firewall add\|remove <server> <rule>`	Add or remove a UFW rule
`fleet port list\|open\|close <server> <port>`	Manage open ports
`fleet alerts`	List active alerts
`fleet alerts ack <id>`	Acknowledge an alert
`fleet alerts suppress <id>`	Suppress an alert
`fleet key fingerprint`	Show controller key fingerprint
`fleet key rotate`	Rotate key across fleet
`fleet update check\|apply\|rollback`	Manage controller updates
`fleet update channel <name>`	Set update channel
`fleet config show\|validate\|backup\|restore`	Manage config
`fleet database show\|shift`	Inspect or migrate database backend
`fleet template list\|apply`	Manage server templates
`fleet self-uninstall`	Remove fleet binary and config directory

Directory Layout

Default location: ~/.cenvero-fleet/

~/.cenvero-fleet/
├── config.toml          # controller configuration
├── instance.id          # stable instance identifier
├── keys/
│   ├── id_ed25519       # controller private key
│   ├── id_ed25519.pub
│   ├── known_hosts      # pinned agent host keys
│   └── rotations/       # previous key versions
├── servers/             # per-server TOML records
├── templates/           # reusable server templates
├── logs/
│   ├── _aggregated/     # cached remote log segments
│   └── _audit.log       # controller audit log
├── alerts/              # alert state store
├── data/
│   ├── state.db         # server and service state
│   ├── metrics.db       # metrics history
│   └── events.db        # event log
├── backups/             # config backup archives
└── tmp/