6b22741f54
Two bugs fixed: 1. audit_service.py: log_action() inserted into audit_logs using the caller's DB session but never committed. Any router that called db.commit() before log_action() (firmware, devices, config_editor, alerts, certificates) had its audit rows silently rolled back when the request session closed. Fix: log_action now opens its own AdminAsyncSessionLocal and self- commits, making audit persistence independent of the caller's transaction. The 'db' parameter is kept for backward compat but unused. Affects 5 routers (firmware, devices, config_editor, alerts, certificates). 2. docker-compose.override.yml: /data/firmware-cache had no volume mount so the directory didn't exist in the container, causing firmware downloads to fail with Permission denied. Fix: bind-mount docker-data/firmware-cache:/data/firmware-cache so firmware images survive container restarts.
The Other Dude
Self-hosted MikroTik fleet management for MSPs.
Warning
This software is in active development and testing. It is not yet ready for production use. APIs, database schemas, and features may change without notice. Use at your own risk.
TOD is a multi-tenant platform for managing RouterOS devices at scale. It replaces the chaos of juggling WinBox sessions and SSH terminals across hundreds of routers with a single, centralized web interface -- fleet visibility, configuration management, real-time monitoring, and zero-knowledge security, all self-hosted on your infrastructure.
Key Features
- Fleet Management -- Dashboard with device health, uptime sparklines, virtual-scrolled fleet table, geographic map, and subnet discovery.
- Configuration Push with Panic-Revert -- Two-phase config deployment ensures you never brick a remote device. Batch config, templates, and git-backed version history with one-click restore.
- Real-Time Monitoring -- Live CPU, memory, disk, and interface traffic via Server-Sent Events backed by NATS JetStream. Configurable alert rules with email, webhook, and Slack notifications.
- Zero-Knowledge Security -- 1Password-style architecture. SRP-6a authentication (server never sees your password), per-tenant envelope encryption via Transit KMS, Emergency Kit export.
- Multi-Tenant with PostgreSQL RLS -- Full organization isolation enforced at the database layer. Four roles: super_admin, admin, operator, viewer.
- Internal Certificate Authority -- Issue and deploy TLS certificates to RouterOS devices via SFTP. Three-tier TLS fallback for maximum compatibility.
- WireGuard VPN Onboarding -- Create device + VPN peer in one transaction. Generates ready-to-paste RouterOS commands for devices behind NAT.
- PDF Reports -- Fleet summary, device detail, security audit, and performance reports generated server-side.
- Command Palette UX -- Cmd+K quick navigation, keyboard shortcuts, dark/light mode, smooth page transitions, and skeleton loaders throughout.
Architecture
Routers
↓
Pollers (Go)
↓
NATS Event Bus
↓
API + TimescaleDB
↓
Web UI
Tech Stack
| Layer | Technology |
|---|---|
| Frontend | React 19, TanStack Router + Query, Tailwind CSS, Vite |
| Backend | Python 3.12, FastAPI, SQLAlchemy 2.0 async, asyncpg |
| Poller | Go 1.24, go-routeros/v3, pgx/v5, nats.go |
| Database | PostgreSQL 17 + TimescaleDB, Row-Level Security |
| Cache / Locks | Redis 7 |
| Message Bus | NATS with JetStream |
| KMS | OpenBao (Transit secret engine) |
| VPN | WireGuard |
| Auth | SRP-6a (zero-knowledge), JWT |
| Reports | Jinja2 + WeasyPrint |
Quick Start
# Clone and configure
git clone https://github.com/your-org/tod.git && cd tod
cp .env.example .env
# Edit .env -- set CREDENTIAL_ENCRYPTION_KEY and JWT_SECRET_KEY at minimum
# Build images sequentially (avoids OOM on low-RAM machines)
docker compose --profile full build api
docker compose --profile full build poller
docker compose --profile full build frontend
# Start the full stack
docker compose --profile full up -d
# Open the UI
open http://localhost:3000
On first launch, the setup wizard walks you through creating a super admin account, enrolling your Secret Key, adding your first organization, and onboarding your first device.
Documentation
Full documentation is available at theotherdude.net.
See the documentation site for screenshots and feature walkthroughs.
License
Free for production use managing up to 1,000 devices with no limitations. Deployments exceeding 1,000 managed devices require a commercial license. See the LICENSE file for full terms.
For commercial licensing inquiries: license@theotherdude.net
For support: support@theotherdude.net — support inquiries are best-effort unless covered by a support license.
The Name
"The Other Dude" -- because every MSP needs one. When the network is down at 2 AM and someone has to fix it, TOD is the other dude on the job. The Big Lebowski inspired, the rug really ties the room together.