Show HN: I replaced Grafana+Prometheus with a Go binary and SSH for my VPSs

Server monitoring without the infrastructure. A single binary and an SSH connection — metrics, logs, and alerts for your Docker hosts.

This project is still very much in development and being tested. I was frustrated that I couldn't find the monitoring/alerting solution that was just right for smaller scale hosting on a single or multiple VPSs so I decided to build the thing that was just right for my needs. What I'm saying is that you should use this at your own risk, don't expect all features to work yet. If you do find bugs or are missing features that you would like to see, id very much appreciate you open a new issue. I hope you will enjoy tori as much as I am :)

tori has two parts. The agent runs on your server collecting metrics, tailing logs, and evaluating alerts 24/7. The client runs on your machine and connects through an SSH tunnel to a Unix socket — no HTTP server, no open ports.

Add a server to ~/.config/tori/config.toml:

Connect:

That's it — tori connects over SSH, no extra ports or setup needed.

The agent runs on Linux only (it reads from /proc and /sys).

The install script downloads the latest release, creates a tori system user, sets up directories, and installs a systemd service:

To install a specific version:

After installation:

A ready-to-use Docker Compose file is provided at deploy/docker-compose.yml with sensible defaults including alert rules:

When running via Docker, set the host paths in your config to the mounted locations:

You can also inject the entire config via the TORI_CONFIG environment variable instead of mounting a file. This is useful for PaaS platforms like Dokploy or Coolify where you don't have easy access to the host filesystem — see deploy/docker-compose.yml for an example.

Installs to ~/.local/bin/tori (or /usr/local/bin/tori if run as root).

Installs to ~/.local/bin/tori (or /usr/local/bin/tori if run with sudo).

Install WSL, then follow the Linux instructions above.

When connected to multiple servers, use S to open the servers dialog, then j/k and Enter to switch. Each server has isolated data — switching is instant since all sessions receive data concurrently.

The agent config lives at /etc/tori/config.toml. All fields have sensible defaults — an empty config file works out of the box.

Alert conditions use the format scope.field op value. Available fields:

Numeric fields support >, <, >=, <=, ==, !=. String fields support == and != only, with values in single quotes.

Each alert rule supports these optional timing fields:

Set any of these to "0s" to disable.

The [display] section controls how timestamps appear in logs and alerts. Both fields use Go time layout strings:

The [theme] section overrides individual TUI colors. By default all colors use ANSI values (0–15) so the interface inherits your terminal's color scheme. Any field left unset keeps its ANSI default. Values can be ANSI numbers ("1"–"15"), 256-palette numbers ("16"–"255"), or hex ("#rrggbb").

Re-run the same install command to update to the latest version. Existing configs are preserved.

For client-only installs, just remove the binary (~/.local/bin/tori or /usr/local/bin/tori) and config (~/.config/tori/).

Docker socket access: tori requires read-only access to the Docker socket (/var/run/docker.sock) for container monitoring. This is the same trust model as lazydocker, ctop, and other Docker monitoring tools. The socket is always mounted :ro — tori never writes to Docker.

Unix socket permissions: The tori socket at /run/tori/tori.sock is the only way to interact with the agent. The default file mode is 0666 because SSH is the real auth gate — anyone who can reach the socket already has shell access to the server. tori doesn't expand the attack surface.

Config file: The agent config contains SMTP credentials and webhook URLs. Permissions should be 0600 owned by the user running the agent.

No exposed ports: tori does not listen on any network port. All client communication goes through SSH to the Unix socket. There is no HTTP server, no API endpoint, nothing to expose or firewall. SSH compression is enabled by default on all tunnels to reduce bandwidth for metrics and log traffic.

Log contents: tori stores container logs in SQLite. These may contain sensitive application data (tokens, user info, errors with PII). The database file at /var/lib/tori/tori.db should have restrictive permissions and the retention policy should be set appropriately.