Manage all your servers — SSH terminals, remote desktops, file transfers, and Docker containers — from a single self-hosted browser interface.
Termix is an open-source, forever-free, self-hosted server management platform that unifies every protocol and tool a sysadmin or homelabber needs. Instead of juggling separate apps for SSH, RDP, VNC, file transfers, and Docker management, Termix consolidates them into a single web interface that runs entirely on infrastructure you control.
At its core, Termix pairs an Express.js backend — which handles all SSH protocol work, file operations, and remote desktop bridging via Apache Guacamole — with a React frontend that streams live terminal sessions over WebSockets. Sessions are persistent: tabs stay connected across browser refreshes and device switches, and split-screen layouts let you view up to four panels simultaneously.
Security is taken seriously at the data layer. Credentials and sensitive fields are encrypted at the field level using AES-256-GCM, and the entire SQLite database is optionally encrypted at rest before being written to disk. Authentication supports local accounts, OIDC/SSO, LDAP, TOTP two-factor, and OPKSSH — a modern approach that authenticates SSH sessions via OpenID Connect tokens so no static credentials ever need to be stored.
Termix ships as a Docker image, a native Electron application for Windows, macOS, and Linux, a PWA, and mobile apps on both the Apple App Store and Google Play. The project has grown to over 13,000 GitHub stars since launching in late 2024, with active releases shipped multiple times per month.
Architecture Termix uses a feature-modular client-server design: an Express.js backend partitioned by functional domain — SSH terminal, file manager, tunneling, Docker management, host metrics, and Guacamole for remote desktop — with each domain loaded as an independent module at startup. Data persistence uses an in-memory SQLite database (via better-sqlite3 and Drizzle ORM) that is flushed to an optionally-encrypted file on disk at shutdown or on a periodic save trigger, keeping read latency minimal while ensuring durability. Cross-cutting concerns such as permission management, audit logging, cryptography, and rate limiting are handled as singleton services injected where needed. The frontend is a React SPA served as static assets, communicating with the backend through a combination of REST endpoints and WebSocket connections for real-time terminal and remote desktop streams.
Tech Stack The backend runs on Node.js 22 with Express 5, using the ssh2 library for all SSH protocol work and the ws library for WebSocket management. Remote desktop protocols (RDP, VNC, Telnet) are bridged via guacamole-lite, a lightweight WebSocket proxy that connects to a guacd daemon. The database layer uses better-sqlite3 through Drizzle ORM with a typed schema and a custom AES-256-GCM file encryption layer. Authentication supports local accounts, OIDC/SSO, LDAP, TOTP 2FA, OPKSSH (OpenPubKey SSH via OIDC), and Tailscale SSH. The frontend is built with React 19, Tailwind CSS v4, and Radix UI primitives, with Monaco Editor for file editing, xterm.js for terminal rendering, and Cytoscape.js for the network topology graph. The application ships as a Docker image, native Electron app (Windows/macOS/Linux), PWA, and mobile apps on iOS and Android — all from a single TypeScript codebase built with Vite 8.
Code Quality The project includes extensive test coverage across 36 test files using Vitest, @testing-library/react, and jsdom, covering critical backend utilities (file manager helpers, SSH credential parsing, tunnel validation, audit logging, database encryption) as well as frontend hooks and component utilities. Husky pre-commit hooks enforce ESLint and Prettier formatting on every staged file, and the entire codebase is written in TypeScript 6 with strict mode enabled throughout. Error handling in the backend is explicit and structured: every protocol error is caught, categorized with an operation key, and routed through a custom structured logger. The backend startup sequence initializes cryptographic subsystems, database, and protocol servers in a documented order with graceful shutdown handling for SIGINT and SIGTERM.
What Makes It Unique The OPKSSH integration is the most technically distinctive aspect — it authenticates SSH sessions using OpenID Connect-derived certificates so no static credentials ever need to be stored in Termix’s database, a meaningful security improvement for teams already using an identity provider. The combination of field-level AES-256-GCM encryption on individual sensitive database columns and optional full database file encryption before disk write is an unusually thorough approach for a self-hosted tool in this category. The cross-platform packaging breadth — Docker, Electron, PWA, iOS App Store, Google Play, Chocolatey, Flatpak, AUR, Homebrew — from a single TypeScript codebase is rare for a project of this age. Tailscale SSH authentication, which routes authorization entirely through the tailnet ACL layer without any credential storage in Termix, offers a modern zero-trust access pattern that distinguishes it from traditional SSH web clients.
Termix is released under the Apache License 2.0, which is a permissive open-source license. You are free to use, modify, and distribute it for any purpose, including commercially, without any copyleft obligation. You do not need to release your own code if you modify Termix for internal use. The only requirements are retaining copyright notices and the license text in distributions.
Running Termix yourself means you are responsible for the full operational stack. The Docker deployment is straightforward — a single compose file brings up the Termix container alongside a guacd instance for remote desktop support — but you own uptime, backups of the encrypted SQLite database, TLS certificate management (Termix includes automatic SSL via its built-in generator), and upgrades between releases. The active release cadence (over 30 releases since launch, roughly 1–2 per month) means staying current requires a reliable update process. The database is held in memory and flushed to an optionally-encrypted file on disk, so your backup strategy needs to account for graceful-shutdown flushing or rely on the periodic save trigger.
There is no paid cloud tier or hosted version of Termix — it is entirely community-funded and self-hosted-only. This means you get no managed SLA, no cloud backup service, and no vendor support channel beyond GitHub Issues and Discord. What you gain is complete control over your data, the ability to air-gap the deployment, and zero per-seat licensing costs regardless of how many users or hosts you manage.