wdm is a terminal application — a TUI and a CLI — for installing, updating, and checking a curated set of Docker Compose self-hosting templates, with safe defaults and minimal operational friction.
Webnestify Education is a Slovak nonprofit that provides free cybersecurity education for schools, communities, families, seniors, and anyone who needs it. Donations go through a public transparent account, so supporters can see where the money goes.
- Platform: Linux amd64
- OS: Debian 12 / 13, Ubuntu 24.04 / 26.04
- Runtime: Docker 20.10+ with Compose V2
- User: a rootless Docker setup (recommended), or a normal account in the `docker` group — `wdm` refuses to run as root or under sudo
wdm is distributed as a single signed binary through GitHub Releases, together with its catalog bundle and verification assets.
Verified one-line install for Linux amd64:
```sh
curl -fsSL https://raw.githubusercontent.com/wnstify/wdm/main/scripts/install.sh | sh
```

The installer requires curl, GNU sha256sum, and tar; no preinstalled cosign, gh, sudo, or package manager is needed. It downloads a pinned temporary cosign verifier, verifies that verifier with a pinned SHA-256 checksum, then verifies the signed release checksums and provenance attestation.
After verification, the installer writes wdm to ~/.local/bin/wdm and seeds the verified stable catalog under $XDG_DATA_HOME/wdm/catalogs or ~/.local/share/wdm/catalogs, so first-run app browsing works without a separate catalog update. Set WDM_INSTALL_DIR to another user-writable absolute directory if needed.
Manual fallback:
- Download the binary (`wdm-linux-amd64`) and the verification assets (SHA256SUMS, its signatures, the provenance attestation, and the SBOM) from the Releases page.
- Verify before you run. Check the signature, checksums, and provenance attestation as described in SECURITY.md. Verification fails closed: a missing or invalid signature, checksum, or attestation stops the process — do not run an artifact that does not verify.
- Place the verified binary on your `PATH` (for example `~/.local/bin/wdm`) and mark it executable.
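The checksum part of the manual verification can be made fail-closed as in the sketch below. This is an added example, not the project's installer or the procedure from SECURITY.md; it assumes SHA256SUMS uses the standard `sha256sum` line format and that its signature and the provenance attestation have already been checked as SECURITY.md describes. The function names are hypothetical.

```sh
#!/bin/sh
# Added example, not wdm's installer. Assumes SHA256SUMS uses the standard
# sha256sum line format and was already signature-verified per SECURITY.md.

verify_asset() {
    sums_file=$1   # path to SHA256SUMS
    asset=$2       # path to the downloaded asset, e.g. ./wdm-linux-amd64
    name=$(basename -- "$asset")

    [ -r "$sums_file" ] || { echo "FAIL: cannot read $sums_file" >&2; return 1; }
    [ -f "$asset" ] || { echo "FAIL: $asset not found" >&2; return 1; }

    # Require exactly one entry for this filename ("*name" is binary mode).
    # No entry or duplicate entries yield an empty result, which fails below.
    expected=$(awk -v n="$name" '
        $2 == n || $2 == "*" n { hash = $1; hits++ }
        END { if (hits == 1) print hash }' "$sums_file")

    # The entry must be a well-formed SHA-256 digest: 64 hex characters.
    case $expected in
        "" | *[!0-9a-fA-F]*) echo "FAIL: no unique valid entry for $name" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "FAIL: malformed digest for $name" >&2; return 1; }

    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256sum -- "$asset" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: $name does not match SHA256SUMS; do not run it" >&2
        return 1
    fi
    echo "OK: $name matches SHA256SUMS"
}

# Constructed demo: a stand-in file and matching SHA256SUMS in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for the release binary\n' > "$d/wdm-linux-amd64"
    (cd "$d" && sha256sum wdm-linux-amd64 > SHA256SUMS)
    verify_asset "$d/SHA256SUMS" "$d/wdm-linux-amd64"; rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -eq 2 ]; then verify_asset "$1" "$2" || exit 1; else demo; fi
```

A missing entry, a duplicated entry, and a digest mismatch all return non-zero, so a wrapper script can stop before the binary is ever marked executable.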
The recommended setup runs wdm against a dedicated user with rootless Docker: the daemon runs unprivileged under that user, with no docker group and no root-owned socket. provision-rootless-docker-user.sh bootstraps such a host — it creates the user, allocates subuid/subgid ranges, enables systemd linger, and installs SHA-256-pinned rootless Docker and Compose. (A normal account in the docker group is the simpler alternative.)
Run it as root, or as a user with sudo, on the target server (it refuses docker-group members and existing system accounts):
```sh
curl -fsSL https://raw.githubusercontent.com/wnstify/wdm/main/scripts/ops/provision-rootless-docker-user.sh | sudo bash -s -- --user wdm
```

Review the script before piping it into a root shell, or download it and pass `--dry-run` first to print every command without changing the system. Then log in as that user, install wdm as shown above, and run it.
In an interactive terminal, run wdm with no arguments to launch the TUI:
```sh
wdm
```

The TUI is the guided entry point: browse the catalog, install and update stacks, check status and logs, manage backups, and self-update — all from the keyboard. When run in a pipe or a script, wdm prints CLI help instead of starting the interactive program.
Every action is scriptable. The CLI prints human-readable text by default, and machine-readable JSON with --json. Each run writes a redacted diagnostic log to ~/.local/state/wdm/logs/latest.log; add --debug for verbose detail, and on failure wdm points you at the log (review it before sharing publicly).
```sh
wdm apps list                 # list managed stacks with live runtime state
wdm apps install <app>        # install a curated app
wdm apps status <app>         # report a stack's health
wdm apps logs <app>           # view stack logs
wdm apps update <app>         # update a stack
wdm apps restart <app>        # restart a stack
wdm apps stop-all             # stop every running managed stack (data preserved)
wdm apps backups list <app>   # list pre-change config backups
wdm apps remove <app>         # stop a stack (volumes and networks preserved)
wdm apps delete <app>         # permanently delete a stack's files (data kept, networks removed)
wdm resources <app>           # view or change a stack's memory/CPU/PID limits
wdm catalog check             # check for catalog updates
wdm catalog update            # update the local catalog
wdm self-update check         # check for a newer wdm release
wdm settings                  # view or change settings
wdm uninstall                 # tear down every managed app and remove wdm (data kept)
```

Run `wdm <command> --help` for the full flag set of any command.
- No root, no sudo. `wdm` refuses to run as root or under sudo; run it as a normal user — with rootless Docker (recommended), or in the `docker` group.
- Localhost by default. Generated stacks bind to localhost. A template opens a public port only when the app genuinely requires one (for example a VPN listener).
- Signed and verified. Catalog and release artifacts are signed, and verification fails closed on a missing or invalid signature, checksum, or attestation.
- Managed stacks only. `wdm` touches only the stacks it manages under `~/docker/<app>/`, and never writes outside the selected stack directory.
- Your volumes are preserved. Removing a stack never destroys its data — `wdm` does not run `docker compose down -v`. It does not back up application data, so keep your own backups of stack volumes.
See SECURITY-DESIGN.md for actors, actions, trust boundaries, external interfaces, and the security assessment.
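To confirm the localhost-by-default property on an installed stack, an operator can list any published ports that are not bound to loopback. The script below is an added example, not part of wdm; it parses only block-style, short-syntax `ports:` entries, and because the page does not name the Compose file inside `~/docker/<app>/`, it takes the file path as an argument. The function names and the sample YAML are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of wdm. Lists published ports that are not bound to
# loopback. Assumption: block-style short-syntax entries only; long-syntax
# mappings (host_ip/published keys) and flow-style lists are not parsed.

nonlocal_ports() {
    # Args: Compose file path(s), or YAML on stdin. Prints offending mappings.
    awk '
        /^[ \t]*ports:[ \t]*(#.*)?$/ { in_ports = 1; next }
        in_ports && /^[ \t]*(#.*)?$/ { next }           # blank or comment line
        in_ports && /^[ \t]*-[ \t]*/ {
            entry = $0
            sub(/^[ \t]*-[ \t]*/, "", entry)
            sub(/[ \t]+#.*$/, "", entry)                # trailing comment
            sub(/[ \t]+$/, "", entry)
            q = sprintf("%c", 39)                       # single quote
            gsub("[\"" q "]", "", entry)                # strip YAML quotes
            if (entry ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+:/) next   # IPv4 loopback
            if (entry ~ /^\[::1\]:/) next                       # IPv6 loopback
            # Everything else is reported, including a bare container port
            # and ${VAR}-interpolated hosts, so unknowns are reviewed by hand.
            print entry
            next
        }
        { in_ports = 0 }
    ' "$@"
}

# Constructed sample input; image names are placeholders.
sample_compose() {
    cat <<'EOF'
services:
  web:
    image: example/web
    ports:
      - "127.0.0.1:3001:3001"
      - 8080:80
  vpn:
    image: example/vpn
    ports:
      - "51820:51820/udp"   # VPN listener
      - "[::1]:9000:9000"
    volumes:
      - ./data:/data
EOF
}

if [ "$#" -gt 0 ]; then nonlocal_ports "$@"; else sample_compose | nonlocal_ports; fi
```

Any line it prints is a mapping to compare against the template's stated need for a public port, such as the VPN listener case.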
wdm curates nineteen apps:
| App | Description |
|---|---|
| Uptime Kuma | Uptime monitoring with status pages and 90+ notification channels. |
| FreshRSS | RSS feed aggregator with multi-user support and a refresh scheduler. |
| Jellyfin | Media server for movies, TV, and music with hardware-accelerated transcoding. |
| n8n | Workflow automation with 400+ integrations and a visual builder. |
| Navidrome | Music server and streamer with broad Subsonic-client support. |
| Open WebUI | Web interface for local and remote large language models, with chat and RAG. |
| SerpBear | Search-engine keyword rank tracker with a REST API and Search Console integration. |
| qBittorrent | BitTorrent client with a web UI, RSS auto-downloading, and search plugins. |
| Syncthing | Continuous, encrypted peer-to-peer file synchronization across your devices. |
| Baserow | No-code database platform with a spreadsheet UI and a full REST API. |
| Nextcloud | Content-collaboration platform for file sync, share, and groupware. |
| DocuSeal | Document-signing platform with a PDF form builder and a REST API. |
| Vaultwarden | Lightweight, Bitwarden-compatible password manager server. |
| Authentik | Identity provider with SSO, SAML, OAuth2/OIDC, LDAP, and a flow builder. |
| MeshCentral | Remote monitoring and management with browser-based remote desktop, terminal, and file transfer. |
| WireGuard + AdGuard Home | WireGuard VPN paired with AdGuard Home DNS filtering for network-wide ad and tracker blocking. |
| Zulip | Team chat with topic-based threading (a Slack alternative). |
| Dockhand | Docker-management web UI with filtered socket access (a Portainer alternative). |
| Stoat | Chat platform (formerly Revolt) with channels, voice, and file sharing. |
| Mira | Mira is a self-hostable, fully open-source AI code reviewer. |
- `wdm` manages a fixed, curated catalog — not arbitrary Compose projects.
- It targets Linux amd64 on the OS and runtime matrix above; other platforms are unsupported.
- It ships a single stable release channel.

`wdm` is provided as-is under the MIT license with self-service, community support: file bugs and feature requests as GitHub issues, and report security issues as described in SECURITY.md. There is no commercial support or SLA.
Each stable release is supported until the next stable release is published. Support covers the wdm binary, release verification assets, catalog bundle, and curated templates shipped by this repository. Third-party container images and managed applications follow their own upstream support policies.
Only the latest stable release receives security fixes. When a newer stable release is published, earlier releases become unsupported and no longer receive security updates. If a release must be withdrawn for security reasons, the advisory or release notes will say so.
See CHANGELOG.md for release notes.
wdm stands on the shoulders of open source, and we are grateful for every project that made it possible.
A huge, heartfelt thank you to Pangolin and the team at fosrl — your work on secure, self-hosted tunneling is a cornerstone of what this project recommends, and your generosity to the community is genuinely appreciated. 💙
And thank you to the wider open source world — Go, Docker, Bubble Tea, Cobra, every container image we curate, and the countless maintainers behind them. None of this would exist without your time, care, and willingness to share your work freely. We're proud to build on top of it, and we hope wdm gives a little something back.
To everyone who writes, maintains, documents, and supports open source: thank you. 🙏