Fleet SSO controller for FreePBX. Pair a PBX in one step, run fwconsole across every box, get alerted the moment something breaks. Open source, self-hosted, MIT licensed. One binary to install, one one-liner to pair each PBX. No agents to distribute, no seats to license.
Nine capabilities that add up to running an entire FreePBX fleet from one console.
One login on the manager gets you deep-linked into any PBX's FreePBX admin UI. No re-entering credentials. Works with the native FreePBX UI in an iframe tab or with a full-window SSO redirect.
Type a PBX's IP + root password once. The manager SSHes in, installs a minimal agent module, drops SSH keys, records a manifest of every file it touched, then wipes the password. Symmetric unpair — one click removes exactly what pairing wrote.
Run fwconsole reload, module upgrades, fwconsole chown, GPG key refresh, or an admin-defined custom command against every selected PBX in one form. Every job SSH-audited end-to-end with output captured per box.
Sidecar watches each PBX's FreePBX notification counts + disk usage on a 60-second cadence. Edge-triggered emails when a PBX transitions into a critical/warning state or crosses your disk threshold. Up to 4 recipients.
Click a PBX, get a browser xterm.js session with the same audited SSH channel the sidecar uses. Configurable idle timeout.
Admins define reusable shell templates (with @MODNAME@ / @LINES@ placeholders) that appear in every PBX's fwconsole dropdown + the Bulk actions form. No code changes required to add a new operation.
Every SSH private key and HMAC secret protected by AES-256-GCM under a rotatable master key. Master-key rotation re-encrypts the whole fleet in one transaction.
Every action attributable to a real user with IP + timestamp. Login attempts, pair/unpair, fwconsole runs, config edits, notification alerts.
Superuser, admin, operator, readonly. Fine-grained: an operator can dispatch commands but can't edit user accounts or master-key material. Multi-recipient password recovery via msmtp; superuser can hard-reset any account.
Single-line install on a fresh Oracle Linux 9 minimal box.
The bootstrap fetches latest.tar.gz, verifies its SHA256 against the same-origin SHA256SUMS file, and execs the installer. When it finishes you get a first-run URL to claim the superuser account.
signing@voip-stuff.net)| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 1 vCPU | 2 vCPU |
| RAM | 1 GB | 2 GB |
| Disk | 10 GB | 20 GB (audit + job output grows over time; 90-day retention default) |
| Network | Reach every paired PBX on TCP 22 (SSH) and TCP 443 (SSO landing) | |
For fleets larger than ~50 PBXes, add 500 MB RAM and 5 GB disk per additional 50 PBXes as a rough scaling rule. The sidecar is I/O-bound, not CPU-bound; the bottleneck at scale is the concurrent-SSH pool (default 30 global / 5 per hardware node), not the box.
Everything resolves on top of an OL9 Server (minimal) image via dnf — no manual prep needed. Packages pulled in during step [4/16]:
httpd, mod_ssl — TLS-terminating web server for the manager UI
php, php-fpm, php-mysqlnd, php-mbstring, php-json, php-curl, php-pdo, php-process — PHP 8 runtime and the extensions the app uses
mariadb-server, mariadb — application database (schema initialized during install)
python3, python3-pip — sidecar runtime (loops the jobs queue, refreshes PBX status, sends alerts)
certbot, python3-certbot-apache — optional Let's Encrypt integration
fail2ban, firewalld — audit-log-driven brute-force protection + host firewall
git, openssl, uuid, tar, policycoreutils-python-utils — misc runtime tooling
msmtp — SMTP relay client for password recovery + notification emails
The sidecar watches every paired PBX on a 60-second cadence. Alerts are edge-triggered — you don't get repeated emails for the same still-broken condition.
Up to 4 recipient email addresses per alert type. Delivered via the same msmtp configuration that handles password recovery — one SMTP config drives both.
Compatible with Gmail, Office 365, Amazon SES, Postfix relay, or any msmtp-compatible SMTP server.
Every SSH private key and HMAC secret is protected by AES-256-GCM under a rotatable master key. Master-key rotation re-encrypts the whole fleet in one transaction — if a key is ever suspected compromised, one command rolls the entire secret store.
Every action attributable to a real user with IP + timestamp. Login attempts, pair/unpair, fwconsole runs, config edits, notification alerts — all logged with retention configurable per organization (90 days default).
Four roles: superuser, admin, operator, readonly. Fine-grained — an operator can dispatch commands but can't edit user accounts or master-key material.
Pairing writes a manifest (/etc/customsso/pbx.manifest.json) listing every file and config change made on the PBX. Unpair iterates the manifest and undoes exactly those things — no orphan config, no leftover users, no stray SSH keys.
Yes. MIT licensed, open source, no seat licensing. Self-hosted on your own infrastructure.
No — the manager targets FreePBX 16 and 17. If you're on FreePBX 15, upgrade to 16 or 17 first.
No. The manager reaches the PBXes; the PBXes don't need to reach the manager (except to complete the initial pair handshake). Both sides can live in a private network as long as the manager can SSH into each PBX.
An operator signs into the manager once; from the fleet view, one click lands them inside any paired PBX's FreePBX admin UI, already authenticated as admin on that PBX. No re-entering credentials per box. The PBX sees a signed SSO token issued by the manager over an out-of-band channel; the operator sees the native FreePBX UI (in an iframe tab or a full-window redirect, their choice).
Both are commercial products with per-endpoint or per-seat pricing. customsso-manager is self-hosted, open source, and has no seat model. Feature-parity is nowhere near the Sangoma portal, but the core SSO + fleet-operations story is there for teams that don't need the full commercial offering.
No — pairing writes a manifest (/etc/customsso/pbx.manifest.json) listing every file and config change. Unpair iterates the manifest and undoes exactly those things. No orphan config, no leftover users, no stray SSH keys.
Paired PBXes keep working normally — the SSO landing endpoint on each PBX is served by that PBX itself, so users authenticated via active sessions keep their access. New logins via the manager UI fail until the manager is back. No PBX-side runtime dependency on the manager for call handling or SIP.
Yes — the installer creates a placeholder /etc/customsso-manager/msmtprc you edit through the UI (Settings → Mail). Standard msmtp format: Gmail, Office 365, SES, Postfix relay, whatever. One SMTP config drives both password-recovery and notification alerts.
Every 60 seconds per PBX. The sidecar SSH-probes each PBX in a small worker pool (default 30 concurrent globally, 5 per hardware node). Status includes: reachability, disk usage, FreePBX notification counts, SIP/RTP port config, framing settings.
Current version 0.5.24. Download the tarball or use the install one-liner above — both point at the same latest.tar.gz.
Full docs, config reference, and troubleshooting guide are hosted alongside the release repo.
Vulnerability disclosure: signing@voip-stuff.net (GPG key 046E8CA0EE6A755B).
Free, open source, self-hosted. One binary. No seats. No agents to distribute. Install on a fresh Oracle Linux 9 box in one line.