Trust model
Privacy and security model
insightd is designed for self-hosted homelabs. It runs on your hardware, stores monitoring data locally, and only talks to integrations you configure.
Short version
- No hosted insightd cloud service is required for normal operation.
- Monitoring data is stored locally by the hub in SQLite.
- The hub, agent, and Mosquitto broker are intended to run on your LAN or VPN.
- Do not expose MQTT directly to the public internet.
- No telemetry is required for insightd to operate.
- Email, webhooks, and optional AI diagnosis only run when you configure them.
What data is collected
Depending on what you enable, insightd can collect host metrics, container and pod status, Proxmox guest status, HTTP endpoint checks, recent logs used for diagnosis, restart history, health-check output, alerts, and insight feedback. This can reveal hostnames, internal URLs, service names, and operational patterns, so treat the hub database and backups as sensitive operational data.
Local storage
The hub uses SQLite for local persistence. Keep the database and backups private. If you copy the database for debugging or support, redact hostnames, URLs, logs, tokens, webhook URLs, and credentials first.
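One way to do that redaction before sharing a copy, as an added example that is not part of insightd's own tooling: it snapshots the database to a new file and rewrites every text value in the snapshot without assuming anything about the hub's schema. The function names, regex patterns, and placeholder strings are this example's own, you supply the hostname list yourself, and it assumes ordinary rowid tables. Pattern-based redaction is best-effort, so review the result before sending it anywhere.

```python
import re
import sqlite3

# Best-effort patterns, applied in order (URLs before bare IPv4 addresses).
PATTERNS = [
    (re.compile(r"https?://[^\s\"'<>]+"), "https://REDACTED.example"),
    (re.compile(r"(?i)\b(token|password|passwd|secret|api[_-]?key)(\s*[=:]\s*)\S+"),
     r"\1\2REDACTED"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "0.0.0.0"),
]

def redact_text(value, hostnames=()):
    """Replace URLs, key=value secrets, IPv4 addresses and the listed hostnames."""
    for pattern, repl in PATTERNS:
        value = pattern.sub(repl, value)
    # Longest names first so "nas01-backup" is not half-replaced by "nas01".
    ordered = sorted(hostnames, key=lambda h: (-len(h), h))
    for i, host in enumerate(ordered, 1):
        value = re.sub(re.escape(host), f"HOST_{i}", value, flags=re.IGNORECASE)
    return value

def redact_sqlite_copy(src, dst, hostnames=()):
    """Snapshot src into dst, redact every text value in dst, return the change count."""
    live = sqlite3.connect(src)
    conn = sqlite3.connect(dst)
    live.backup(conn)  # consistent snapshot; the live hub database is never modified
    live.close()
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    changed = 0
    for table in tables:
        # Assumption: ordinary rowid tables (no WITHOUT ROWID tables).
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            rows = conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" WHERE typeof("{col}") = ?',
                ("text",)).fetchall()
            for rowid, value in rows:
                new = redact_text(value, hostnames)
                if new != value:
                    conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                                 (new, rowid))
                    changed += 1
    conn.commit()
    conn.execute("VACUUM")  # rebuild the file so freed pages do not keep old text
    conn.close()
    return changed
```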
Network model
In a multi-host setup, agents publish to MQTT, the hub subscribes and stores data, and the web UI, email, and webhooks are served from the hub. Keep the hub UI behind your LAN, VPN, reverse proxy authentication, or another access-control layer that fits your environment. Keep Mosquitto/MQTT private to your LAN or VPN.
Docker permissions
Docker monitoring usually requires access to the Docker socket. The Docker socket is highly privileged: software with write-capable Docker socket access can often control containers and may effectively gain root-equivalent power on the host. Keep container actions and remote updates disabled unless you deliberately want those capabilities.
Kubernetes and Proxmox permissions
For Kubernetes, review the RBAC manifest before applying it and keep permissions read-only unless a future feature explicitly requires otherwise. For Proxmox VE, prefer a dedicated API token with only the permissions needed for monitoring the nodes and guests you want insightd to see.
Email, webhooks, and optional AI diagnosis
Email digests and webhook alerts are optional. Treat webhook URLs and SMTP credentials as secrets. The optional “Diagnose with AI” feature requires a configured Gemini API key and is not required for the built-in diagnosis engine. If you enable it, assume relevant diagnosis context may be sent to the configured AI provider.
Install script auditability
The quick install command downloads and runs a shell script. If you prefer to audit it before running it, inspect the script first:
curl -fsSL https://insightd.org/install.sh
Reporting vulnerabilities
Please do not open public GitHub issues for security vulnerabilities. Use GitHub private vulnerability reporting from the repository security tab.