A local server cockpit
A complete server inventory and SSH management tool for Mac: clear fleet overview, one-click import from 12 cloud providers, and AI log triage that auto-fetches journalctl, syslog and nginx logs over SSH and turns them into a probable root cause. No agent on the host. No cloud account. No telemetry.
📡 SSH-based 🖥 Linux · macOS · Windows targets 🛡 SQLCipher-encrypted vault
Inside the app
These are the tabs you actually use on a typical server. Every value is populated by a live SSH scan — no spreadsheets, no manual entry.
Per-server overview with master data and SSH config, plus a row of AI tools — anomaly detection, incident playbook, migration planner, impact analysis, capacity forecast.
Live hardware snapshot read over SSH: CPU, RAM, load and uptime, SSL-certificate expiry, failed logins, sensors and per-filesystem disk usage.
Live metrics straight over SSH — CPU, RAM, load, network, disk I/O and swap as rolling sparklines, plus per-core CPU, polled every couple of seconds. No agent on the host.
Read-only TCP-connect sweep of your local network. Every responding host with its open ports — add any of them to your inventory with one click.
One-click import from Hetzner, Contabo, Proxmox, vSphere and more — servers, specs and status pulled straight from the provider API.
Auto-discovered packages and applications per server, with versions, install method and notes — diffed on every scan.
Reusable shell commands, runnable on many servers in parallel over SSH. Describe what you need and the AI drafts the snippet for you.
A built-in PTY SSH terminal for every server — full ANSI colours, scrollback and resize. Run top, journalctl or anything else without leaving the app.
AI log triage: ServerShelf pulls the log over SSH and your own AI key returns a root-cause hypothesis, the evidence it relied on, and concrete diagnosis steps.
Plug in OpenAI, Anthropic, OpenRouter or a local model. Your API key is stored only in the local encrypted database — nothing routes through us.
Account-wide, read-only view of your Cloudflare Pages, Workers, DNS zones, R2, KV and more — sitting right next to your servers.
Real screenshots from the shipping app.
For people who run several servers and want to see, fast: what's running where, what's critical, what changed.
Why ServerShelf exists
One afternoon I reset a cloud VPS — and wiped an n8n instance I'd completely forgotten was running on it. It was quietly powering automation agents for a system people still depended on. Gone, with a single command.
So I did what everyone does: I opened a spreadsheet. Dev, staging, prod — every server, with its databases, web servers and the apps running on each. Finally, an overview.
Within a week the spreadsheet was already out of date. The real problem was never the missing list — it was having to keep it by hand. So I built the thing that fills itself in: connect over SSH, scan, and the inventory is simply there. That became ServerShelf.
— Christof, builder of ServerShelf
Features
Three things stand out: a single overview of your fleet, automated import from twelve cloud providers, and AI log triage that points at the probable cause. Everything else builds on those three.
Pick a server, pick a source (journalctl, syslog, auth.log, nginx, Apache, dmesg, Docker) — ServerShelf auto-fetches the last N lines via SSH, then sends them to your own AI key. You get a probable root cause, ranked next steps, and a suggested fix. Manual paste still works for logs from anywhere else.
Twelve providers in one place: Hetzner, AWS, DigitalOcean, Contabo, Vultr, Linode, Scaleway, IONOS, OVHcloud, Proxmox, Kubernetes, VMware vSphere. Re-sync at any time — your notes, tags and projects stay intact.
Every server, every project, every tag — one window. Pending updates, SSL expiry, uptime status, SMART warnings. Click a tile to drill in. Snooze what you can't act on right now.
One click, plain SSH (key or password). ServerShelf detects the target OS and runs the right probe: Linux reads dpkg/rpm/apk, systemctl, journalctl; macOS uses brew, launchctl, sw_vers; Windows uses PowerShell with Get-CimInstance, Get-Service, Get-NetTCPConnection. About six seconds per server. Nothing is installed, nothing changes on the host.
Every six hours, ServerShelf opens an actual TLS handshake to domain:443 and parses the certificate (issuer, SAN list, validity window). It warns 30 days before expiry and handles self-signed, expired, and wildcard SANs.
Per server: installed packages, versions and install method. Software-license keys (Mailgun, Sentry, Adobe and friends) live in an AES-256-GCM vault with seats, vendor, renewal date and cost. Reveal on demand.
Start, stop, restart, remove and create containers on the host's Docker engine, all over SSH. Stream logs live. Works on any server with docker installed — your laptop does not need Docker.
Configurable polling intervals (from 60 s upward), status history, latency tracking. Marks each target DOWN / SLOW / OK. Failures surface in the Triage view. Local-only — no external monitoring service involved.
A real PTY-backed SSH terminal per server: resize, ANSI colors, scrollback. A snippet library you can run with one click. An SSH-key deployment helper for first-time setup.
Export the full inventory to one AES-256-GCM file (Argon2id KDF, 64 MiB / 3 iter). Cloud sync ships the same blob to your iCloud Drive, S3 bucket or WebDAV folder — end-to-end encrypted, no one but you holds the key.
A configurable idle timer locks the vault automatically. Optional Touch ID / Windows Hello quick-unlock via the OS keychain — the passphrase never leaves disk and is never reused. Lock manually with one click in the sidebar.
Every destructive or credential-touching action (server delete, container kill, snippet on remote, AI prompt) lands in the audit log with timestamp, target, duration and outcome. SQLite triggers block UPDATE and DELETE — the log is forensic-grade.
AI Cockpit
Ask plain-language questions about any of your servers. Paste a log excerpt and get a probable root cause. Generate shell snippets from a description. Read a daily briefing of what changed across the fleet, spot anomalies in metrics, review nginx, sshd and fail2ban configs, sketch architecture diagrams, plan migrations, forecast capacity. Twenty-plus AI workflows, all reading straight from your local inventory.
Bring your own key. Your prompts never touch our servers — they go directly from your machine to the AI provider you picked.
No vendor lock-in. Switch providers in Settings → AI any time.
Security by default
Server data is sensitive. ServerShelf treats it that way: nothing leaves your devices, every secret is encrypted at rest, and every privileged action is logged.
Your entire inventory lives in one SQLite file — but every page is encrypted with AES-256. The DB cannot be opened with a regular SQLite browser.
Your passphrase is stretched through Argon2id (64 MiB, 3 iterations) before it can unlock the DB key. Brute-force becomes economically pointless.
Your license is verified locally with an ed25519 signature. No license server, no online check, no telemetry — even after a year of updates.
Every destructive or credential-touching action is logged. SQLite triggers block UPDATE and DELETE on the log — the trail is forensic-grade.
No analytics, no phone-home, no anonymous metrics. Crash reports are opt-in and only enabled if you wire up your own Sentry DSN.
You buy the app and it runs. No sign-up, no account, no email verification. Cloud sync is optional and ships an encrypted blob to a bucket you own.
12 providers, one inventory
Import existing servers from your cloud account in one click — IP, OS, location and status come along. Re-sync at any time. Manual entries for bare metal, homelab boxes and Raspberry Pis are welcome too.
Coming soon
A small, read-mostly companion to the desktop app. Glance at your fleet from the couch, get a push notification when uptime drops, triage from the train. No release date yet — we'll ship when it's solid.
In development Want a heads-up when the apps land? Email us.
iOS & Android companion
Native iOS and Android apps that read your inventory directly from iCloud Drive, S3 or WebDAV — end-to-end encrypted. Works without your desktop running. Works on cellular. Works on a plane.
🚧 In development Mobile companion apps are still being built — TestFlight + Play Store coming with v1.1. Email us to get notified.
Talk to us
We read every message and usually reply within a working day. For technical bugs the in-app Help → Send feedback dialog ships extra context automatically. Otherwise, this form:
Frequently asked
In one SQLite file in your OS app-data directory, AES-256 page-encrypted with SQLCipher. Optional cloud sync uploads an opaque, end-to-end-encrypted blob to your own iCloud Drive, S3 bucket or WebDAV folder — we never see it.
SSH connections to the servers you add. HTTPS to the AI provider you picked, but only when you trigger an AI action. HTTPS to your cloud providers when you run an import. That's the complete list. No analytics, no phone-home, no telemetry.
No. ServerShelf uses plain SSH with your existing key pair (or password). Scans are read-only commands — uname, dpkg, systemctl, docker ps and friends. Nothing is installed on the host.
Yes — that's the only way. Drop in your Anthropic / OpenAI / OpenRouter / Mistral / Groq / Gemini key, or run Ollama locally for fully offline AI. We don't host any model — your prompts always go directly from your machine to your chosen provider.
All seven, side by side: Anthropic (Claude), OpenAI (GPT-4 / GPT-5), OpenRouter (gateway to 300+ models), Mistral (EU-hosted), Groq (fast inference), Google Gemini, and Ollama (fully local — no API key, no network). Switch any time in Settings → AI.
Personal: 1 user, unlimited devices. Team: 6 users, unlimited devices each. The license is per user, not per machine.
You keep the version you have, forever. No bricking, no nag screens, no offline-mode penalty. To get further updates, renew at 50 % of the then-current price.
14 days, money-back, no questions asked. Email [email protected] from the address you bought with.
v1.0 ships macOS 12+ only (Apple Silicon, signed + notarized). Windows 11 and Linux (Ubuntu, Fedora, Arch) builds are on the roadmap for v1.1. The app already scans Linux, macOS and Windows targets — only the client app itself is currently macOS-only.
Local-first by design
Your entire inventory lives in a single file in your app-data directory — page-level AES-256 encrypted via SQLCipher. The database key is sealed with your master passphrase (Argon2id) plus a one-time recovery code. Even physical access to the file is useless without one of the two.
Cloud sync derives an Argon2id key from your passphrase, then AES-256-GCM-encrypts the snapshot. Apple, Hetzner, or whoever runs your Nextcloud sees only an opaque blob.
No analytics, no phone-home, no "anonymous metrics". Crash reports are opt-in and only ever route through Sentry if you provide your own DSN.
Your AI provider keys stay on your machine. Prompts go directly from your app to your chosen provider. We never see them, and we host no model of our own.
Pricing
Pay once. No subscription. iOS & Android companion apps included when they ship. AI works with your own provider key — no extra cost, no monthly bill, no vendor lock-in.
Before you buy: ServerShelf is an SSH-based tool. It scans and manages servers you can reach via SSH — Linux, macOS and Windows (with OpenSSH Server installed) all work. Hardened jump-hosts without SSH and pure SaaS platforms are not supported.
For solo developers, freelancers, homelabs and side projects.
Honest expectations
Please read this before you buy. It saves both of us a refund.
dpkg/rpm/apk, systemctl, docker ps. Most distros work out of the box.