Introduction

What is NetStacks?

NetStacks is a modern network operations platform built for engineers who manage everything from a handful of switches to thousands of routers, firewalls, and appliances across multiple data centers. It replaces aging tools like SecureCRT, PuTTY, and spreadsheet-based credential tracking with a single, purpose-built platform that understands networking workflows.

NetStacks has two components:

• Terminal — A native desktop application built with Tauri (Rust + React). It provides a high-performance terminal emulator with multi-tab sessions, split panes, session recording, AI-powered assistance, SFTP file transfers, and multi-send for broadcasting commands to multiple devices at once.
• Controller — A server-side application built with Rust (Axum) backed by PostgreSQL with pgvector. It provides centralized device management, an encrypted credential vault, SSH Certificate Authority for zero-standing-privilege access, configuration templates, scheduled automation, and NOC agents for AI-driven incident triage.

Standalone vs Enterprise Mode

The Terminal can operate in two modes depending on your needs:

• Standalone Mode — Use the Terminal by itself. Connect directly to devices using locally stored credentials and SSH keys. No server infrastructure required. Ideal for individual engineers or small teams managing 10–50 devices.
• Enterprise Mode — Connect the Terminal to a Controller instance. Credentials are centrally managed in the encrypted vault, SSH certificates are issued on demand with short TTLs, device inventories sync from NetBox, and all sessions can be audited. Built for teams managing 100–10,000+ devices across multiple sites.

How It Works

In standalone mode, the Terminal connects directly to network devices via SSH or Telnet using credentials stored locally on your machine.

In enterprise mode, the Terminal communicates with the Controller over a REST API and WebSocket connection. When you open a session, the Terminal requests a short-lived SSH certificate from the Controller's built-in Certificate Authority, retrieves device credentials from the encrypted vault, and connects through the Controller's SSH proxy or directly to the device.

The Controller stores all data in PostgreSQL with the pgvector extension enabled for AI embedding storage. Credentials in the vault are encrypted at rest using AES-256-GCM with keys derived through Argon2. The SSH CA issues certificates with configurable TTLs (as short as 5 minutes) so that no standing SSH keys exist on managed devices.

┌─────────────────────────────────────────────────────────────────┐
│                      NetStacks Platform                         │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌───────────────┐            ┌────────────────────────────┐   │
│  │   Terminal     │◄──────────►│        Controller           │   │
│  │   (Desktop)    │  REST API  │                            │   │
│  │                │  WebSocket │  ┌──────────────────────┐  │   │
│  │  • SSH/Telnet  │            │  │  REST API (Axum)     │  │   │
│  │  • SFTP        │            │  └──────────────────────┘  │   │
│  │  • AI Chat     │            │  ┌──────────────────────┐  │   │
│  │  • Multi-Send  │            │  │  Credential Vault    │  │   │
│  │  • Recording   │            │  │  (AES-256-GCM)       │  │   │
│  └───────────────┘            │  └──────────────────────┘  │   │
│         │                      │  ┌──────────────────────┐  │   │
│         │ Standalone           │  │  SSH CA              │  │   │
│         │ (direct SSH)         │  │  (Zero-Standing)     │  │   │
│         │                      │  └──────────────────────┘  │   │
│         ▼                      │  ┌──────────────────────┐  │   │
│  ┌───────────────┐            │  │  PostgreSQL 16       │  │   │
│  │ Network       │◄───────────│  │  + pgvector          │  │   │
│  │ Devices       │  SSH/SNMP  │  └──────────────────────┘  │   │
│  │ (routers,     │            │  ┌──────────────────────┐  │   │
│  │  switches,    │            │  │  Plugin System       │  │   │
│  │  firewalls)   │            │  │  (Docker containers) │  │   │
│  └───────────────┘            └────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘

Getting Started Guide

Follow these steps to go from zero to your first connected device session.

Step 1: Decide on Standalone or Enterprise

If you are a single engineer or a small team without centralized credential requirements, start with standalone mode. You can always add a Controller later. If your organization needs centralized credentials, SSH CA, audit logging, or device inventory sync, deploy the Controller from the start.

Step 2: Check System Requirements

Verify your machine meets the system requirements. The Terminal runs on macOS (Intel and Apple Silicon), Windows (x64), and Linux (x64 and arm64). The Controller runs on any Docker host.

Step 3: Install the Terminal

Download and install the Terminal for your platform from the Installation Guide. The installer is under 50 MB and requires no runtime dependencies on macOS or Windows.

Step 4: Deploy the Controller (Optional)

If you chose enterprise mode, deploy the Controller using Docker Compose. The default configuration starts the API server on port 3000 and PostgreSQL on port 5432. See the Code Examples section below for a sample docker-compose.yml.

Step 5: Connect to Your First Device

Open the Terminal, create a new connection profile with your device's IP address and credentials, and click Connect. For a guided walkthrough, see the Quick Start Guide.

Code Examples

Controller Docker Compose

Deploy the Controller and PostgreSQL with a single docker compose up. This configuration is derived from the official NetStacks repository:

services:
  db:
    image: pgvector/pgvector:pg16
    ports:
      - "5432:5432"
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-netstacks}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-netstacks_dev}
      POSTGRES_DB: ${POSTGRES_DB:-netstacks}
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U netstacks"]
      interval: 5s
      timeout: 5s
      retries: 5

  api:
    image: netstacks/controller:latest
    depends_on:
      db:
        condition: service_healthy
    ports:
      - "3000:3000"
    environment:
      DATABASE_URL: postgres://netstacks:netstacks_dev@db:5432/netstacks
      VAULT_MASTER_KEY: ${VAULT_MASTER_KEY}
      JWT_SECRET: ${JWT_SECRET}
      RUST_LOG: info

volumes:
  pgdata:

Verify the Controller is Running

curl http://localhost:3000/health

SSH to a Network Device

Connect to a core router from your workstation to verify SSH access before adding it to NetStacks:

# Verify SSH access to a Cisco IOS-XE router
ssh admin@core-rtr-01.dc1.example.net

# Or connect to an Arista leaf switch
ssh netops@leaf-sw-03.rack12.example.net

# Verify connectivity to an out-of-band management network
ssh admin@10.0.1.1 -p 22

Check Controller Database Connectivity

# Verify PostgreSQL is accepting connections
docker exec -it netstacks-db-1 pg_isready -U netstacks

# Expected output:
# /var/run/postgresql:5432 - accepting connections

Questions & Answers

Q: What is NetStacks?

A: NetStacks is a network operations platform with two components — a native desktop Terminal for connecting to devices via SSH/Telnet and an optional server-side Controller for centralized management, credential vaulting, SSH certificate issuance, and AI-powered automation.

Q: What is the difference between Terminal and Controller?

A: The Terminal is the desktop application you use every day to connect to routers, switches, and firewalls. It handles SSH sessions, file transfers, multi-send, and AI chat. The Controller is a server that provides centralized device inventory, encrypted credential storage, SSH Certificate Authority, configuration templates, and scheduled automation. You can use the Terminal without the Controller (standalone mode).

Q: Can I use Terminal without Controller?

A: Yes. In standalone mode, the Terminal connects directly to devices using credentials and SSH keys stored locally on your machine. No server infrastructure is required. This is ideal for individual engineers managing a smaller set of devices.

Q: What protocols does NetStacks support?

A: The Terminal supports SSH (v2), Telnet, and SFTP for file transfers. The Controller additionally supports SNMP polling for device monitoring. SSH is the primary and recommended protocol for all device connections.

Q: Is NetStacks open source?

A: NetStacks source code is available on GitHub. The Terminal is free to download and use. The Controller is available under an enterprise license for teams that need centralized management features.

Q: What database does the Controller use?

A: The Controller uses PostgreSQL 16 with the pgvector extension. pgvector enables vector similarity search for AI features like semantic configuration search and NOC agent memory. The official Docker Compose configuration uses the pgvector/pgvector:pg16 image.

Q: How does NetStacks handle credential security?

A: In standalone mode, credentials are stored locally on your machine using OS-level secure storage. In enterprise mode, the Controller's credential vault encrypts all secrets at rest using AES-256-GCM with master keys derived through Argon2. The SSH Certificate Authority issues short-lived certificates (configurable TTL) so no permanent SSH keys need to exist on target devices.

Q: What devices does NetStacks work with?

A: NetStacks works with any SSH-enabled device. It has first-class support for Cisco IOS, IOS-XE, IOS-XR, NX-OS, and ASA; Juniper Junos; Arista EOS; Palo Alto PAN-OS; Fortinet FortiOS; and Linux/Unix hosts. Unsupported platforms work in generic SSH mode with basic terminal features.

Troubleshooting

Terminal won't launch on macOS

macOS Gatekeeper may block the app because it is not signed with an Apple Developer ID. Right-click the NetStacks app in Finder and select "Open", then click "Open" in the confirmation dialog. You only need to do this once.

Windows SmartScreen warning

Windows may show a SmartScreen warning on first launch. Click "More info" and then "Run anyway". This happens because the binary is not yet widely distributed enough for Microsoft to recognize it automatically.

Controller won't start

Verify Docker is running and the required ports (3000 for the API, 5432 for PostgreSQL) are not already in use:

# Check if Docker is running
docker info

# Check for port conflicts
ss -tlnp | grep -E '3000|5432'   # Linux
lsof -i :3000 -i :5432           # macOS

Cannot connect to a device

If the Terminal cannot reach a device, verify basic connectivity first:

• Confirm the device is reachable: ping 10.0.1.1
• Confirm SSH is open: nc -zv 10.0.1.1 22
• Confirm credentials work outside NetStacks: ssh admin@10.0.1.1
• Check your firewall rules allow outbound TCP/22 from your workstation

I cannot find the download

Visit the Installation Guide for download links for all supported platforms.

Related Features

Continue exploring NetStacks with these guides:

• Installation Guide — Download and install the Terminal and deploy the Controller
• Quick Start Guide — Connect to your first device in under 5 minutes
• System Requirements — Hardware, software, and network prerequisites
• Terminal Overview — Deep dive into Terminal features, tabs, and session management
• Credential Vault — How the Controller encrypts and manages device credentials