Device-held identity
Every device generates and retains its own key. Existing owner authority approves enrollment, rotation, removal, and recovery.
Open infrastructure from Daemonet · A Cordine Labs company
Daemonet joins machines you control into private, cryptographically authorized profiles. Your devices create the identities, hold the keys, decide the policy, expose the services, and carry the direct traffic.
Self-hostable. AGPL-3.0. No managed account required.
The open product
A Daemonet profile is a user-owned authority graph, not a cloud tenant. Membership never silently opens an application: profile policy and a service’s own signed access policy both have to allow the connection.
Every device generates and retains its own key. Existing owner authority approves enrollment, rotation, removal, and recovery.
Signed profile DNS maps stable names to authorized services and current routes. DNS describes authority; it never pretends to be transport.
Lock an app to named members, portable entitlements, finite timed trials, or unlimited trial starts. A destination-issued pass is short-lived and bound to one device key.
Tor can introduce peers; WireGuard carries the private network; host-held HTTPS keys authenticate the application endpoint. Failure never invents an unapproved relay.
One private fabric
Attach a laptop, workstation, NAS, Raspberry Pi, home server, cloud VM, or cluster. Keep application custody at the endpoint while Daemonet supplies a consistent identity and route.
SSH, Remmina, private dashboards, administration tools, and long-running sessions without exposing the origin as an anonymous public host.
Mount network drives, resume transfers, synchronize files, stream games, or reach a media library over the same owner-controlled profile.
Publish internal HTTPS names, authorize exact users for exact periods, meter trials at the host, and revoke a device without changing the service identity.
When you want managed operations
1Man is Daemonet’s official managed operations and integration layer: enrollment coordination, verified names, certificate workflows, entitlements, availability operations, support, and explicit publication.
Non-negotiable boundaries
Free and paid users receive the same privacy model. Managed infrastructure is allowed to know only what its explicit job requires, for only as long as that job requires it.
No durable managed copy of the user’s topology can override current device state.
No password-account fallback lets Daemonet or 1Man approve a device or recover an identity.
Coordination, DNS, and entitlements cannot silently become a content proxy, CDN, or relay.
Certificate, Tor, DNS, route, entitlement, or identity failure stops visibly instead of downgrading trust.
Stable service identity survives host replacement, and leaving 1Man does not destroy the underlying Daemonet.
Encryption protects content and integrity; it does not claim encrypted packet timing was literally unobserved.
Install, inspect, improve
Start from source or a catered release. Managed access can be attached later without replacing the keys and profiles you create now.