RailwardenRailwarden Docs

FAQ

Short answers to the questions teams ask when evaluating or adopting Railwarden. New here? Start with the quickstart, or switching from AWX if you are migrating.

What can Railwarden run?

Ansible playbooks, Bash scripts, Terraform, OpenTofu, Python, PowerShell, and Go, plus any tool you add through the Go SDK. A run, a saved template, or a single step of a pipeline picks its tool. A pipeline can mix them: Terraform to build infrastructure, Ansible to configure it, Bash to smoke-test it, as one dependency graph. Bash shells out to anything on the host, so kubectl, the cloud CLIs, and your own scripts all work.

Do I need Kubernetes?

No. Railwarden is one binary that is the API, the executor, the scheduler, and the UI. State is one database: a SQLite file to start, or PostgreSQL when you want more than one instance. No Redis, no operator, no separate task engine.

What is a dry run?

A run that makes no changes. Ansible runs in check mode, Terraform runs plan instead of apply, and Bash and Python are syntax checked without executing. A dry run set on a sharded run is carried to every shard, so a preview is always a preview.

How do I migrate from AWX?

From the command line:

railwarden import awx export.json           # preview the plan, changes nothing
railwarden import awx export.json --apply    # import

It maps projects, inventories, job templates with their surveys and schedules and job slicing, and credentials. See switching from AWX for the full mapping.

Two things to know. AWX omits secret values on export for security, so credentials import without their secrets and you set those once after importing. And AWX dynamic inventory sources are not mapped yet. Static inventories import fully. A Semaphore importer exists too, with railwarden import semaphore export.json.

How do I rerun the same job on a set of hosts without re-entering everything?

Save it as a template. A template bundles the tool, the command or playbook, the inventory, the credentials, and the variables, so a rerun is one click or one API call. Stored inventories let you name a host set once and reuse it across templates.

How are secrets stored?

Sealed with AES-256-GCM, the key derived from an operator passphrase through argon2id. Secrets decrypt only at execution, into a temporary file wiped when the run finishes, and never appear in API responses. Kinds include SSH keys, vault passwords, become passwords, container registry logins, and environment bundles, which is where API tokens and other KEY=VALUE secrets go. Set RAILWARDEN_ENCRYPTION_KEY and RAILWARDEN_ENCRYPTION_SALT to enable them.

A credential can also be a command source, so the value lives in an external store instead of in Railwarden. Railwarden seals a command, for example vault kv get -field=password secret/prod or an aws secretsmanager get-secret-value call, and runs it at execution time. The command's output is the secret and is never stored. This works with any secret manager reachable from a command: Vault, AWS, GCP, 1Password, or your own script.

Are webhook triggers safe to expose?

Yes. A trigger can require a verified HMAC signature, keyed by a per-trigger secret sealed at rest and separate from the URL, so a leaked webhook URL cannot forge a push. Set the same secret on the git host, turn enforcement on, and an unsigned or wrong request is rejected before anything runs. Secrets rotate at any time.

Does it support single sign-on?

Yes: OpenID Connect, SAML, and LDAP directory sign-in, with just-in-time account provisioning and a configurable default role.

Does Railwarden send my data to an AI model?

Only if you turn AI on, and only to the provider you chose. With local Ollama nothing leaves your machines. With a cloud provider, prompts carry automation content such as commands, playbook names, masked failed-run logs, and drift summaries. Credential values are masked before any prompt is built, and fleet questions send metadata only. AI is off by default. See the AI guide for exactly what each feature sends.

Can the AI change my infrastructure?

No. A provider only produces text a human reads or a proposal a human releases. Anything AI drafts that could become a run is born held at the same approval gate an operator faces, an admin reviews the generated command before it moves, and the request and decision both land in the audit trail.

Can I extend Railwarden?

Yes, in Go, two ways: compile an extension into the binary, or drop a plugin binary into --plugins-dir on a stock release. Both register execution tools, AI providers, secret engines, and notification channels. See Extend in Go and the official railwarden-plugins repo for a working example.

What about scale?

Runs stream and page by a sequence cursor, the runs list and event history paginate, and a large host matrix renders one cell at a time. Split a run across workers by measured host duration, and run more than one instance against PostgreSQL when a single binary is not enough.

What is the license?

Business Source License 1.1: free to self-host and modify, with a restriction on offering it as a competing hosted service, and it converts to Apache 2.0 after four years.