NixSecOps
Run Silent. Run Deep.
InfraPatch
InfraPatch is an open-source Linux patch management system. it runs a lightweight Rust daemon on each managed endpoint that automatically applies package updates, tracks patch history, and executes scheduled reboots — all reporting back to a self-hosted PHP web dashboard backed by PostgreSQL.
supported platforms
- Debian / Ubuntu / Linux Mint (via
apt) - Red Hat Enterprise Linux / Rocky Linux / CentOS / Fedora (via
dnf)
features
- background daemon syncs installed packages and available updates every 60 minutes
- automated patching on a configurable interval with full patch history logging
- package hold-backs — prevent specific packages from being upgraded
- reboot scheduling with pre-reboot database flag clearing
- web dashboard for fleet overview, per-server management, and PDF audit reports
- multi-tenant: each organization gets an isolated PostgreSQL shard
- free tier supports up to 5 endpoints with no license required
- encrypted local config (AES-256-GCM), SSL-enforced database connections
After Building from Source here is a quick overview of installation, environments may vary, and will need adjustment. See the readme section in the GitHub repositories for details. Also this was tested on a PostgreSQL 18 server running PgBouncer in front. For scale PgBouncer is a necessity, especially with more than 50 endpoints.
Debian / Ubuntu:
sudo apt install ./infrapatch-service_1.0.3-2_amd64.deb sudo infrapatch-cli configure sudo systemctl enable --now infrapatch_service.service sudo systemctl enable --now infrapatch-reboot-check.timer
RHEL / Rocky Linux:
sudo dnf install infrapatch_service-1.0.3-2.el10.x86_64.rpm sudo infrapatch-cli configure sudo systemctl enable --now infrapatch_service.service sudo systemctl enable --now infrapatch-reboot-check.timer
when prompted, enter your customer key from the web dashboard. the agent will connect to your database shard and begin reporting within 60 minutes.
cli reference
| command | description |
|---|---|
sudo infrapatch-cli configure | initial setup using your customer key |
infrapatch-cli status | show last run time and daemon status |
sudo infrapatch-cli sync | trigger an immediate manual package sync |
sudo infrapatch-cli list-servers | list all reporting endpoints |
sudo infrapatch-cli list-updates [hostname] | show pending updates |
sudo infrapatch-cli set-autopatch [on|off] | enable or disable auto-patching |
sudo infrapatch-cli schedule-reboot "YYYY-MM-DD HH:MM:SS" | schedule a reboot |
sudo infrapatch-cli cancel-reboot [hostname] | cancel a pending reboot |
sudo infrapatch-cli set-license | apply a license key |
sudo infrapatch-cli show-deployment-id | show deployment UUID for licensing |
build from source
requires: rust stable toolchain, openssl development headers.
git clone https://github.com/bsmgit/infrapatch_agent_GA.git cd InfraPatchLinuxAgent # debian/ubuntu package cd infrapatch_service_daemon_service_deb cargo build --release cargo deb # rhel/rocky rpm cd ../infrapatch_service cargo build --release cargo rpm build
source code
[agent — github] · [web dashboard — github]
license
InfraPatch is released under the MIT License. see the LICENSE file in the repository for the full text.
support
bug reports and pull requests via GitHub. general questions and security disclosures: nixsecops@protonmail.com