Host-native convergence for systemd-based systems
CoreOps is a convergence engine for systemd-based hosts.
It takes a declared system state and makes the host match it —
without hiding systemd, without introducing a new orchestration layer,
and without requiring image rebuilds for every change.
If you are managing Fedora CoreOS or similar systems and find yourself choosing between:
- rebuilding images for every iteration, or
- drifting into imperative host configuration
CoreOps exists in that gap.
Systemd-based hosts already have a clear operating model:
- units define behavior
- the system converges toward that definition
But most tooling around them does one of two things:
- replaces the model (Kubernetes, orchestration layers)
- ignores it (imperative configuration management)
CoreOps stays inside that model.
It treats systemd and Quadlet as the source of truth and builds a convergence workflow around them instead of replacing them.
- Converges host-managed workloads declaratively
- Works with systemd-native and Quadlet-native workflows
- Produces inspectable plans, reports, and machine-readable output
- Preserves provenance and reconciliation state for later audit
- Executes VM-backed verification scenarios against real systems
- Kubernetes or general container orchestration
- A replacement for systemd
- Generic imperative configuration management (e.g. Ansible-style)
- A custom templating language or DSL
- Fleet orchestration across many hosts (at this stage)
- Supported: Fedora CoreOS
- Expected to work: other systemd-based hosts (untested)
- Unsupported: non-systemd environments
CoreOps operates directly on host-level systemd state and running CoreOps from a container is not a supported consumption method.
| Signal | Value |
|---|---|
| Published artifacts | x86_64 raw binary, aarch64 raw binary, x86_64 tar.gz + checksums, aarch64 tar.gz + checksums |
| Verification environment | fedora-coreos-self-hosted@2026-04-fcos |
This section is the stable credibility surface for outside evaluators. The badges above reflect live CI health and the latest published release version and update automatically as the project evolves.
After installing the binary:
core-ops --version
core-ops statusA valid installation should:
- report a build identity
- expose current system state
- produce stable, inspectable output
Five real-world homelab setups translated into the source-repository
layout. Each is runnable via stateless --source-repo invocation
without core-ops init. See examples/<NN-slug>/README.md for setup
intent, sources, and known limitations.
examples/01-caddy-whoami— Caddy reverse proxy fronting whoami (single-Container baseline).examples/02-nextcloud— Nextcloud + Postgres + Redis + Traefik (multi-Container, intra-service network, persistent storage).examples/03-immich— Immich photo server with ML worker (GPU device, multi-network).examples/04-traefik-authelia— Traefik + Authelia + protected backend (cross-service ForwardAuth composition).examples/05-observability— Prometheus + Grafana + node-exporter + cadvisor (host-scope sidecars).
Try one without committing to anything:
core-ops plan --source-repo examples/01-caddy-whoami --host exampleNo prior core-ops init required; nothing is written under
/var/lib/core-ops/. To switch into long-lived tracking mode after
copying an example to your own setup directory, run
git init && core-ops init <path> <ref> once.
CoreOps is currently distributed as direct binaries for x86_64 (amd64)
and aarch64 (arm64).
Download the published release bundle for your target architecture. A supported bundle includes:
core-ops-linux-<arch>core-ops.servicecore-ops.timerLICENSECHANGELOG.mdREADME.md
tar -xzf core-ops-linux-<arch>.tar.gz
install -m 0755 core-ops-linux-<arch> /usr/local/bin/core-ops
install -m 0644 core-ops.service /etc/systemd/system/core-ops.service
install -m 0644 core-ops.timer /etc/systemd/system/core-ops.timerNo external runtime dependencies are required beyond a supported host.
For unattended host-native execution, the supported integration path uses the
published canonical core-ops.service and core-ops.timer units (also
available in systemd/ in this repository). Initialize once, then enable the
timer:
# One-time setup: persist repository and tracking ref
core-ops init <repository-url> <ref>
# Install and enable the timer
install -m 0644 core-ops.service /etc/systemd/system/core-ops.service
install -m 0644 core-ops.timer /etc/systemd/system/core-ops.timer
systemctl daemon-reload
systemctl enable --now core-ops.timerTo override the quadlet directory or other defaults, use a systemd drop-in:
systemctl edit core-ops.serviceCoreOps modifies host-level systemd and Quadlet artifacts in explicitly configured locations.
Operators can audit behavior through:
- plan output before changes
- apply and verification reports during changes
- persisted provenance and status after changes
- release identity and changelog continuity
Recovery is expected to happen through explicit reconciliation and documented retry/rollback behavior — not silent mutation.
CoreOps defines its public guarantees through:
- a maintained specification
- executable verification scenarios
- a release gate
A build is only considered distribution-ready once the release gate passes.
The verification environment is versioned to detect drift over time.
Releasable changes are expected to carry explicit SemVer intent, update the
canonical version in Cargo.toml, update a checked-in release fragment at
changes/<change-id>.md, and keep CHANGELOG.md current.
Maintainers and CI validate this contract through the dedicated helper binary:
cargo run --bin core-ops-release -- validateOnce a feature PR lands on master, the post-merge release job promotes the
rendered [Unreleased] block to a new [<version>] - <date> section, removes
the consumed fragments under changes/, and publishes the GitHub Release at
the merge commit (which also creates the git tag). Maintainers do not edit
CHANGELOG.md after the [Unreleased] block — core-ops-release promote
owns that transition and is idempotent on re-run.
- Homelab operators working with systemd-based hosts
- Small and medium infrastructure teams
- Operators who prefer inspectable, host-native workflows
CoreOps is developed with AI assistance.
AI influences how the system is produced, not how it behaves.
Behavioral guarantees come from:
- the specification
- the test corpus
- the release gate
CoreOps is licensed under the GNU Affero General Public License v3 or later (AGPLv3+).
See LICENSE.
Externally visible changes are tracked in CHANGELOG.md using Keep a Changelog format.