Skip to main content

EXTENSIONS

User-built models, drivers, vaults, and reports — the parts that plug into swamp.

Filter by what you need and pull what fits.

Selection
9 results
from:@thomas

Garage

@thomas/garage · v2026.06.24.1

Control-plane administration of a Garage (S3-compatible object store) cluster via its Admin API v2 (bearer token). Read/audit of cluster health, buckets, access keys, and the full key×bucket permission matrix; plus management — create /update/delete buckets, manage aliases, create/import/update/rotate/delete access keys, and grant/revoke read/write/owner permissions. Never touches S3 object data; destructive verbs verify the target by id first.

upd Jun 240 pullsA100/100

Stalwart

@thomas/stalwart · v2026.06.24.1

Careful, non-destructive administration of a Stalwart mail server (v0.16+) over its JMAP-over-HTTP management API, authenticated with a scoped admin API key. Read/audit of domains, accounts, aliases, groups, DMARC/TLS reports, the outbound queue and server health; idempotent provisioning of accounts and aliases, groups, mailing lists and roles; spam-filter configuration; certificate install + reload and config reload; and reversible deactivate/reactivate. No hard deletes — the only "off switch" is the reversible set-state pair. Secrets (account passwords, certificate keys) are sent once and never read back.

upd Jun 240 pullsA100/100

Forgejo

@thomas/forgejo · v2026.06.24.1

Careful administration of a Forgejo (or Gitea) server over its /api/v1 REST API, authenticated with a scoped access token. Find-or-create organizations and repositories and converge their settings, run GitHub pull-mirrors (create via /repos/migrate, reconcile interval/visibility, queue immediate syncs), and audit every mirror's sync health. Mutations are find-or-create or reversible (archive/unarchive); there are no delete methods — a failed migration's empty shell repo is detected and reported, never auto-deleted. Mirror source credentials are write-only: supplied via a vault reference, sent once, never read back or emitted.

upd Jun 240 pullsA100/100

Truenas

@thomas/truenas · v2026.06.24.1

Administration of a TrueNAS SCALE host (25.04+) via its JSON-RPC 2.0 WebSocket API (wss://, API-key auth). Read/audit of apps + their port bindings, NFS/SMB shares + their host allowlists, services, network interfaces, and a service- exposure roll-up; plus a narrow, reversible mutating surface — flip an app port between published/exposed, and set NFS networks/hosts and SMB hostsallow/hostsdeny. Refuses any non-TLS endpoint by construction (TrueNAS revokes an API key sent over cleartext). Verify-first; no pool/dataset/user or service start/stop.

upd Jun 240 pullsA100/100

Zitadel

@thomas/zitadel · v2026.06.24.1

Careful, non-destructive administration of a Zitadel instance over its Management API (v1 REST), authenticated with a JWT private-key service account. Read/audit of orgs, projects, applications, users and managers; idempotent provisioning of OIDC/API applications and machine (service) users; project-role and user-grant authorization (roles, grants, and the role-assertion flag that surfaces roles in tokens); rotation of client secrets, PATs, machine keys and secrets; and reversible deactivate/reactivate. Machine identities only. The only hard delete is a single, verify-first project-role removal (roles have no deactivate state); secrets are emitted once and marked sensitive.

upd Jun 240 pullsA100/100

Technitium

@thomas/technitium · v2026.06.24.1

Management of a Technitium DNS Server via its HTTP API — built-in ad-blocking control (enable/disable, temporary disable, allow/block list URLs), authoritative zone + record lifecycle, allowed/blocked custom domains, dashboard stats, DNS client + query-log debugging, cache flush, settings backup/restore, and security settings (admin web-service TLS certificate + DNSSEC validation).

upd Jun 245 pullsA100/100

Arcane

@thomas/arcane · v2026.06.24.1

Management of an Arcane Docker instance via its REST API — GitOps sync setup, compose project lifecycle with validated mode-aware deploy, swarm stack deploy (render-validated, convergence-polled) + secret/config rotation, and volume/prune cleanup.

upd Jun 242 pullsA100/100

Woodpecker

@thomas/woodpecker · v2026.06.04.1

Careful administration of a Woodpecker CI server over its REST API, authenticated with a personal access token. Onboard and configure repositories (enable, mark trusted, set timeout/visibility/approval), promote shared CI credentials to org- or repo-scoped secrets idempotently, inspect recent pipelines, and trigger runs. Mutations are additive or reversible (disable/secret-delete undo by re-running enable/set); secret values are write-only — supplied via a vault reference, sent once, and never read back or emitted.

upd Jun 40 pullsunscored

Postgres Admin

@thomas/postgres-admin · v2026.06.01.1

Non-destructive PostgreSQL administration over a direct TCP connection (node-postgres). Read/audit of databases, roles, permissions, tables, connections, and extensions; plus data-safe admin DDL — create database/role, grant/revoke, rotate passwords, and an idempotent app_provision composite. Never reads or writes table rows; never DROP/TRUNCATE; no arbitrary-SQL passthrough.

upd May 312 pullsB85/100