Available Now — v0.5.24

customsso-manager

Fleet SSO controller for FreePBX. Pair a PBX in one step, run fwconsole across every box, get alerted the moment something breaks. Open source, self-hosted, MIT licensed. One binary to install, one one-liner to pair each PBX. No agents to distribute, no seats to license.

customsso-manager fleet dashboard showing 5 paired FreePBX servers with real-time status indicators
The fleet view — every paired PBX at a glance, with per-box disk usage, FreePBX notification counts, and last-seen timestamps

What It Does

Nine capabilities that add up to running an entire FreePBX fleet from one console.

Single sign-on into every paired PBX

One login on the manager gets you deep-linked into any PBX's FreePBX admin UI. No re-entering credentials. Works with the native FreePBX UI in an iframe tab or with a full-window SSO redirect.

One-step pairing

Type a PBX's IP + root password once. The manager SSHes in, installs a minimal agent module, drops SSH keys, records a manifest of every file it touched, then wipes the password. Symmetric unpair — one click removes exactly what pairing wrote.

Bulk fwconsole across the fleet

Run fwconsole reload, module upgrades, fwconsole chown, GPG key refresh, or an admin-defined custom command against every selected PBX in one form. Every job SSH-audited end-to-end with output captured per box.

Fleet email alerts

Sidecar watches each PBX's FreePBX notification counts + disk usage on a 60-second cadence. Edge-triggered emails when a PBX transitions into a critical/warning state or crosses your disk threshold. Up to 4 recipients.

Interactive SSH terminal

Click a PBX, get a browser xterm.js session with the same audited SSH channel the sidecar uses. Configurable idle timeout.

Custom command catalog

Admins define reusable shell templates (with @MODNAME@ / @LINES@ placeholders) that appear in every PBX's fwconsole dropdown + the Bulk actions form. No code changes required to add a new operation.

Encrypted-at-rest secrets

Every SSH private key and HMAC secret protected by AES-256-GCM under a rotatable master key. Master-key rotation re-encrypts the whole fleet in one transaction.

Full audit trail

Every action attributable to a real user with IP + timestamp. Login attempts, pair/unpair, fwconsole runs, config edits, notification alerts.

Role-based access

Superuser, admin, operator, readonly. Fine-grained: an operator can dispatch commands but can't edit user accounts or master-key material. Multi-recipient password recovery via msmtp; superuser can hard-reset any account.

PBX status detail with live FreePBX notification list and system metrics
PBX detail — live FreePBX notification list plus a disk/RAM/CPU strip refreshed every 60 seconds by the sidecar

Install

Single-line install on a fresh Oracle Linux 9 minimal box.

curl -sSfL https://git.voip-stuff.net/customsso-manager/install.sh -o /tmp/setup.sh && sudo bash /tmp/setup.sh

The bootstrap fetches latest.tar.gz, verifies its SHA256 against the same-origin SHA256SUMS file, and execs the installer. When it finishes you get a first-run URL to claim the superuser account.

Requirements

Operating System

  • Oracle Linux 9 (minimal install) — primary target, tested on 9.8
  • Oracle Linux 10 — supported; the installer detects and configures it
  • Rocky / AlmaLinux 9 / 10 — should work via the same dnf paths (untested; report issues via signing@voip-stuff.net)
  • Debian / Ubuntu — planned for v1.1

PBX Side

  • FreePBX 16 or 17
  • Root SSH access from the manager at pair time (the manager wipes the password after handshake and switches to key-based auth going forward)

Hardware Minimums (for a fleet of up to ~50 PBXes)

ResourceMinimumRecommended
CPU1 vCPU2 vCPU
RAM1 GB2 GB
Disk10 GB20 GB (audit + job output grows over time; 90-day retention default)
NetworkReach every paired PBX on TCP 22 (SSH) and TCP 443 (SSO landing)

For fleets larger than ~50 PBXes, add 500 MB RAM and 5 GB disk per additional 50 PBXes as a rough scaling rule. The sidecar is I/O-bound, not CPU-bound; the bottleneck at scale is the concurrent-SSH pool (default 30 global / 5 per hardware node), not the box.

What the Installer Adds

Everything resolves on top of an OL9 Server (minimal) image via dnf — no manual prep needed. Packages pulled in during step [4/16]:

Web + PHP

httpd, mod_ssl — TLS-terminating web server for the manager UI

php, php-fpm, php-mysqlnd, php-mbstring, php-json, php-curl, php-pdo, php-process — PHP 8 runtime and the extensions the app uses

Database + Sidecar

mariadb-server, mariadb — application database (schema initialized during install)

python3, python3-pip — sidecar runtime (loops the jobs queue, refreshes PBX status, sends alerts)

TLS + Security

certbot, python3-certbot-apache — optional Let's Encrypt integration

fail2ban, firewalld — audit-log-driven brute-force protection + host firewall

Runtime Tooling

git, openssl, uuid, tar, policycoreutils-python-utils — misc runtime tooling

msmtp — SMTP relay client for password recovery + notification emails

Bulk fwconsole command form with 3 PBXes selected and the custom-command catalog visible
Bulk actions form — select PBXes, pick a command from the catalog (including any custom shell templates you've defined), watch the output per box

Fleet Email Alerts

The sidecar watches every paired PBX on a 60-second cadence. Alerts are edge-triggered — you don't get repeated emails for the same still-broken condition.

What Triggers an Alert

  • PBX transitions into a critical or warning state (FreePBX notification counter jump)
  • PBX crosses your configured disk-usage threshold
  • PBX becomes unreachable (missed status refreshes)

Recipients & Delivery

Up to 4 recipient email addresses per alert type. Delivered via the same msmtp configuration that handles password recovery — one SMTP config drives both.

Compatible with Gmail, Office 365, Amazon SES, Postfix relay, or any msmtp-compatible SMTP server.

Notifications configuration with 3 recipient emails and all three alert types enabled
Notifications tab — up to 4 recipients per alert type, edge-triggered so you don't get repeat emails for a still-broken condition

Security Model

Encrypted-at-Rest Secrets

Every SSH private key and HMAC secret is protected by AES-256-GCM under a rotatable master key. Master-key rotation re-encrypts the whole fleet in one transaction — if a key is ever suspected compromised, one command rolls the entire secret store.

Full Audit Trail

Every action attributable to a real user with IP + timestamp. Login attempts, pair/unpair, fwconsole runs, config edits, notification alerts — all logged with retention configurable per organization (90 days default).

Role-Based Access Control

Four roles: superuser, admin, operator, readonly. Fine-grained — an operator can dispatch commands but can't edit user accounts or master-key material.

Reversible Pairing

Pairing writes a manifest (/etc/customsso/pbx.manifest.json) listing every file and config change made on the PBX. Unpair iterates the manifest and undoes exactly those things — no orphan config, no leftover users, no stray SSH keys.

Interactive SSH terminal running in the browser against a paired PBX
In-browser SSH terminal (xterm.js) — same audited SSH channel the sidecar uses, with configurable idle timeout

Frequently Asked Questions

Is customsso-manager free?

Yes. MIT licensed, open source, no seat licensing. Self-hosted on your own infrastructure.

Does this work with FreePBX 15 or earlier?

No — the manager targets FreePBX 16 and 17. If you're on FreePBX 15, upgrade to 16 or 17 first.

Do the PBXes need to be publicly reachable?

No. The manager reaches the PBXes; the PBXes don't need to reach the manager (except to complete the initial pair handshake). Both sides can live in a private network as long as the manager can SSH into each PBX.

What does "SSO" actually mean here?

An operator signs into the manager once; from the fleet view, one click lands them inside any paired PBX's FreePBX admin UI, already authenticated as admin on that PBX. No re-entering credentials per box. The PBX sees a signed SSO token issued by the manager over an out-of-band channel; the operator sees the native FreePBX UI (in an iframe tab or a full-window redirect, their choice).

How is this different from PBX Manager or the Sangoma portal?

Both are commercial products with per-endpoint or per-seat pricing. customsso-manager is self-hosted, open source, and has no seat model. Feature-parity is nowhere near the Sangoma portal, but the core SSO + fleet-operations story is there for teams that don't need the full commercial offering.

Does the pair process leave anything behind on the PBX after unpair?

No — pairing writes a manifest (/etc/customsso/pbx.manifest.json) listing every file and config change. Unpair iterates the manifest and undoes exactly those things. No orphan config, no leftover users, no stray SSH keys.

What happens if the manager goes offline?

Paired PBXes keep working normally — the SSO landing endpoint on each PBX is served by that PBX itself, so users authenticated via active sessions keep their access. New logins via the manager UI fail until the manager is back. No PBX-side runtime dependency on the manager for call handling or SIP.

Can I use my own SMTP server for password recovery and alerts?

Yes — the installer creates a placeholder /etc/customsso-manager/msmtprc you edit through the UI (Settings → Mail). Standard msmtp format: Gmail, Office 365, SES, Postfix relay, whatever. One SMTP config drives both password-recovery and notification alerts.

How often does the fleet status refresh?

Every 60 seconds per PBX. The sidecar SSH-probes each PBX in a small worker pool (default 30 concurrent globally, 5 per hardware node). Status includes: reachability, disk usage, FreePBX notification counts, SIP/RTP port config, framing settings.

Get It

Latest Release

Current version 0.5.24. Download the tarball or use the install one-liner above — both point at the same latest.tar.gz.

Download latest.tar.gz

Documentation & Support

Full docs, config reference, and troubleshooting guide are hosted alongside the release repo.

Full Documentation

Vulnerability disclosure: signing@voip-stuff.net (GPG key 046E8CA0EE6A755B).

Manage Your FreePBX Fleet From One Console

Free, open source, self-hosted. One binary. No seats. No agents to distribute. Install on a fresh Oracle Linux 9 box in one line.