Introducing remote-systemd-toggle

Sometimes the simplest tools are the most useful ones.

While managing servers, VPN gateways, lab systems, and home infrastructure, we occasionally found ourselves wanting a very small utility that could securely toggle a specific systemd service from a remote machine. Not a complete orchestration platform. Not a web application. Not another management framework.

Just a small, focused tool that does one thing well.

🚀 What is remote-systemd-toggle?

remote-systemd-toggle is a lightweight client/server application written in Go that allows a remote client to toggle a predefined systemd service on a Linux server.

The client can:

• Query the current service status
• Toggle the configured service
• Authenticate using mutual TLS and a password
• Run on Linux and Windows (client only)

The server performs the actual systemd interaction and is intentionally limited to a single configured service.

No web interface.

No database.

No cloud dependencies.

Just a secure remote switch.

🛡️ Security First

Because the server is intended to be reachable over potentially untrusted networks, security was the primary design goal from the beginning.

The current implementation includes:

• 🔒 TLS 1.3 only
• 🔑 Mutual TLS authentication
• 🔐 Additional password authentication
• 🧮 Argon2id password hashing
• 🚫 No password logging
• 🧹 Memory cleanup where practical
• 📁 Automatic permission hardening for configuration and secret files

Wrong password attempts become increasingly expensive:

delay = wrong_attempts² × 3 minutes  // '3 minutes' can be changed in configuration

delay = wrong_attempts² × 3 minutes  // '3 minutes' can be changed in configuration

After ten (can be changed in configuration) failed attempts, the server disables and stops itself.

Perhaps a little paranoid.

But sometimes paranoia is simply another word for experience. 😄

🧩 Why Another Tool?

Because we like small tools.

Many modern solutions are incredibly powerful, but sometimes they also bring complexity that is unnecessary for a very specific task.

remote-systemd-toggle follows a different philosophy:

Do one thing. Do it securely. Keep it understandable.

The entire codebase is intentionally small and easy to review.

🤖 Built with AI Assistance

This project is also an experiment in a different sense.

Most of the implementation, documentation and release automation work was created with the help of OpenAI Codex. Ownership, architecture, requirements, reviews, security discussions, and design decisions remained under human control, while much of the repetitive implementation work was automated.

This allowed us to focus on:

• Architecture
• Security
• Usability

instead of spending most of our time writing boilerplate code.

The result is a project that would likely have taken significantly longer to build just a few years ago.

📦 Packaging and Releases

Every further release automatically produces:

• Debian packages
• RPM packages
• Windows client binaries

Because if a tool is worth building, it is worth shipping properly. 📦

Get it on GitHub and read the documentation there …

The ThK-Systems Debian repository can be used for automatic updates.