Plexsphere Node Agent Documentation
Capabilities
The Plexsphere node agent (plexd) is a lightweight daemon that runs on every managed node. It handles:
- Registration — self-registers with the control plane using a bootstrap token
- WireGuard Mesh — creates and manages WireGuard interfaces and encrypted peer tunnels
- NAT Traversal — discovers public endpoints via STUN and exchanges them with peers
- Network Policy — enforces peer visibility rules and firewall policies via nftables
- Secure Tunneling — provides SSH-based secure access tunnels through the mesh
- State Reconciliation — periodically fetches desired state and applies drift corrections
- Remote Actions — executes built-in and hook-based actions requested via SSE events
- Observability — collects and forwards metrics, logs, and audit events to the control plane
- Local Node API — exposes node state (metadata, data, secrets) to local workloads via Unix socket API or PlexdNodeState CRD
- Integrity — verifies checksums of the plexd binary and hook scripts
- Bridge Mode — optional gateway mode with NAT relay, public ingress, user access, and site-to-site VPN
Operating Modes
| Mode | Status | Description |
|---|---|---|
node | Active | Default mode. Runs all core subsystems. |
bridge | Active | Extends node mode with bridge-specific subsystems (relay, ingress, user access, site-to-site). Enabled when mode: bridge and bridge.enabled: true. |
High-Level Overview
The diagram below shows the three layers of a plexd deployment: the central control plane, the managed nodes, and the external access provided by bridge nodes.
┌───────────────────────┐
│ Plexsphere │
│ Control Plane │
└───────────┬───────────┘
│
HTTPS + SSE (outbound only)
│
┌──────────────┬───────────────────┼──────────────────┬──────────────┐
▼ ▼ ▼ ▼ ▼
┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐
│ Bare-Metal │ │ VM │ │ VM │ │ K8s │ │ Bridge / │
│ │ │ │ │ │ │ Cluster │ │ Gateway │
└─────┬──────┘ └─────┬──────┘ └─────┬──────┘ └─────┬──────┘ └──┬──────┬──┘
│ │ │ │ │ │
│◄════ Encrypted Mesh (direct P2P + NAT Traversal) ═════════════►│ │
│ │ │ │ │ │
└──────────────┴───────────────────┴─────────────────┘ ┌────┘ └────┐
│ │
▼ ▼
┌──────────┐ ┌────────────┐
│ User │ │ External │
│ Access │ │ Traffic │
│ │ │ │
│ Tailscale│ │ Public IPs │
│ Netbird │ │ Site-to- │
│ WireGuard│ │ Site VPN │
└────┬─────┘ └──────┬─────┘
│ │
▼ ▼
┌───────────┐ ┌──────────────┐
│ Developers│ │ Public │
│ Admins │ │ Internet │
│ On-Call │ │ Partner Nets │
└───────────┘ └──────────────┘All communication between nodes and the control plane is outbound-only — nodes initiate HTTPS and SSE connections; no inbound ports or public IPs are required on the node side.
Between nodes, plexd forms an encrypted WireGuard mesh. Every node establishes direct peer-to-peer tunnels with all authorized peers. NAT traversal is handled automatically via STUN. The control plane coordinates key exchange and peer discovery but never sits in the data path.
Bridge nodes serve a dual role: they participate in the mesh like any other node, but additionally provide external connectivity — user access (Tailscale, Netbird, WireGuard), public ingress, and site-to-site VPN — making internal services reachable from outside the mesh.
For a detailed view of the control plane components, mesh topology, and bridge internals, see Architecture.
Guide
- Installation & Quick Start — Install plexd and get running
- Architecture — Platform support, architecture diagrams, mesh topology
- Agent Lifecycle — Startup phases, heartbeat, SSE, deregistration, operational behavior
- Platform Communication & Mesh — Communication channels, node lifecycle, mesh topology, and capabilities
- Security & Trust Model — Key exchange, threat model, network requirements
- Troubleshooting — Common issues and diagnostics
How-To Guides
Step-by-step guides for common operational tasks.
- Bare-Metal Installation — Install plexd on a bare-metal Linux server
- VM Deployment — Deploy plexd on cloud VMs using Cloud-Init
- Kubernetes Deployment — Deploy plexd as a DaemonSet on Kubernetes
- Using the Local Node API — Read node state and write reports via the local API
- Creating Custom Hook Scripts — Extend plexd with custom hook scripts for remote actions
Reference
Operator and admin reference for configuring and deploying plexd.
- CLI Reference — Command-line interface and subcommands
- Configuration Reference — Full YAML configuration schema with all fields and defaults
- Environment Variables Reference — All PLEXD_* environment variable overrides
- Key Storage — Private keys, PSKs, NSK, and signing key storage
- Control Plane API Endpoints — Full control plane REST API reference
- Local Node API — Unix socket and TCP API for local node state access
Actions
- Remote Actions and Hooks — Remote action execution and hook system
- Session-Based Action Authorization — Session JWT authorization for SSH-triggered actions
- Sandbox Options — Sandbox levels for hook execution
- PlexdHook CRD Reference — Kubernetes CRD for declarative hook execution
Deployment
- Bare-Metal Packaging Reference — Systemd service installation and packaging
- Cloud-Init Deployment Reference — IMDS provider, cloud-init templates, and Terraform examples
- Kubernetes DaemonSet Deployment Reference — Kubernetes manifests, RBAC, and DaemonSet configuration
- Container Image (Dockerfile) Reference — Container image build and configuration
Internals
Developer and contributor reference for plexd subsystem internals.
- Agent Internals — Core concepts, subsystem architecture, and agent lifecycle
Core
- Control Plane Client — HTTP client for the Plexsphere control plane API
- API Types — Shared API request/response types
- Event Verification — SSE event signature verification
- Registration — Node self-registration and bootstrap authentication
- Configuration Reconciliation — State reconciliation with the control plane
- Heartbeat Service — Periodic heartbeat reporting
Networking
- WireGuard Tunnel Management — WireGuard interface and peer management
- NAT Traversal via STUN — STUN-based NAT traversal for mesh connectivity
- Peer Endpoint Exchange — Peer endpoint discovery and exchange
- Network Policy Enforcement — Network policy rules and enforcement
- nftables Firewall Controller — nftables-based firewall management
- Secure Access Tunneling — Secure tunnel access for services
Bridge
- Bridge Mode — Gateway bridge mode operation
- NAT Relay — NAT relay for indirect connectivity
- User Access Integration — User access control integration
- VPN Providers — VPN provider integrations
- Public Ingress — Public ingress configuration
- ACME and SNI Routing — ACME certificate management and SNI-based routing
- Site-to-Site VPN — Site-to-site VPN connectivity
- Tunnel Providers — Tunnel provider integrations
- Netlink Route Controller — Netlink-based route management
Observability
- Metrics Collection & Reporting — System metrics collection and forwarding
- Log Forwarding — Log collection and forwarding to the control plane
- Audit Forwarding — Audit event collection and forwarding
Integrity
- Integrity Verification — Hook integrity verification via checksums
Development
- Getting Started (Development) — Prerequisites, build, project structure
- CI Workflow — Continuous integration workflow
- Container Workflow — Container image build workflow
- Release Workflow — Release and versioning workflow
- E2E Workflow — End-to-end test orchestration workflow
- Docker E2E Test — Docker Compose-based E2E test
- Kubernetes E2E Test — kind-based Kubernetes E2E test
- Systemd E2E Test — Systemd-based E2E test
- Mock Central API Server — Mock API server for testing
- File System Utilities — File system utility functions