Bootimus — Modern PXE/HTTP boot server<br>v1.x · apache 2.0 go · iPXE · sqlite/postgres<br>PXE boot, without the pain.

Self-contained PXE and HTTP boot server. One binary. Zero config. Built-in proxyDHCP so you never touch your router. 50+ distros detected automatically.<br>$ get bootimus view source →<br>pts/0<br>bootimus — quickstart

# Pull, run, PXE boots. Thirty seconds.<br>$ docker run -d --name bootimus \<br>--cap-add NET_BIND_SERVICE \<br>-p 67:67/udp -p 69:69/udp \<br>-p 8080:8080/tcp -p 8081:8081/tcp \<br>-v $(pwd)/data:/data \<br>garybowers/bootimus:latest

$ docker logs bootimus | grep Password<br>admin: Password: 7f3a-plum-swift-echo

$ open http://localhost:8081<br>[0] bash* 1:vim 2:htop "bootimus" 11:00

50+<br>distros detected

binary, zero deps

DHCP reconfigs

arch: amd64 · arm64

[01] Single binary

Go binary with embedded iPXE, web UI, SQLite, and all assets. No runtime deps. Scp it and run.

[02] Built-in proxyDHCP

Answers PXE on UDP/67 without touching your existing DHCP. Zero router reconfig. Drop in on any LAN.

[03] 50+ distros

Automatic kernel/initrd extraction for Ubuntu, Debian, Arch, Fedora, NixOS, Alpine, FreeBSD, Windows (wimboot), and more.

[04] MAC-based ACL

Assign specific images per MAC. Auto-discover new clients on first PXE. Promote leases to static when ready.

[05] One-click tools

GParted, Clonezilla, Memtest86+, SystemRescue, ShredOS, netboot.xyz. Enable from the UI, they show up in the menu.

[06] JWT + LDAP

Token auth with bcrypt. Optional LDAP/AD backend with group-based admin. Local accounts stay as fallback.

[07] REST API

Everything the UI does is an API call. Script boot assignments, scans, WOL triggers. Live log stream over SSE.

[08] Runs anywhere

Multi-arch Docker (amd64/arm64), static binary, or a 2GB Alpine-based appliance image you can flash to USB.

[09] Unattended installs

Drop autounattend.xml, kickstart, preseed, or cloud-init in. Attach to an image as the default, override per client. Bootimus stages it at boot — no clicks, no setup wizard.

pts/0<br>pxe boot trace — ubuntu-24.04

# Client boots, sends DHCPDISCOVER broadcast<br>[dhcp] → DHCPDISCOVER from b4:2e:99:01:5f:a3 (no PXE options from primary DHCP)<br>[proxy] ← DHCPOFFER-PXE: next-server=bootimus, filename=ipxe.efi<br>[tftp] → RRQ ipxe.efi (198 KiB, 14 ms)

# iPXE loads, chains to HTTP menu<br>[http] → GET /menu.ipxe 200 2.1 KiB<br>[menu] ↳ 17 images · 3 groups · 6 tools<br>[menu] ↳ user selected: ubuntu-24.04-live-server

# Kernel + initrd stream over HTTP<br>[http] → GET /iso/ubuntu-24.04/vmlinuz 200 14 MiB · 612 MB/s<br>[http] → GET /iso/ubuntu-24.04/initrd 200 76 MiB · 598 MB/s<br>[boot] handoff ok · client booting<br>[0] bash* 1:vim 2:htop "bootimus" 11:00

✓Single Go binary · statically linked, ldd returns "not a dynamic executable". Reproducible builds from make release.

✓No proprietary blobs · embedded iPXE is upstream FOSS (GPL-2.0). No closed-source firmware shipped.

✓No telemetry, ever · zero call-home. Zero analytics. Zero "anonymous usage stats". Air-gapped LAN safe.

✓Apache 2.0 · permissive licence. Use in commercial environments, ship internally, fork without strings.

✓Vendored deps, all FOSS · every transitive Go dependency is open source. go mod why any package.

✓Bring your own bootloader · don't trust the embedded iPXE? Drop your own signed binaries in. See below.

pts/0<br>bootimus version --verbose

$ bootimus version --verbose<br>bootimus 1.0.0<br>commit 8e87824 (clean)<br>go 1.23.4 linux/amd64<br>build static · reproducible<br>licence Apache-2.0

embedded<br>ipxe 1.21.1+upstream GPL-2.0<br>proprietary 0 blobs<br>telemetry disabled (compile-time)

$ ldd ./bootimus<br>not a dynamic executable

$ sha256sum ./bootimus<br>7f3a9b0c… bootimus<br>[0] bash* 1:vim 2:htop "bootimus" 11:00

iPXE · UEFI x86_64<br>ipxe.efi · the default. Built from upstream master, embedded in the binary.<br>embedded · fallback<br>iPXE · UEFI ARM64<br>ipxe-arm64.efi · for Raspberry Pi 4/5, Apple Silicon hosts, ARM servers.<br>embedded · fallback<br>iPXE · Legacy BIOS<br>undionly.kpxe · for old kit that won't UEFI. Still relevant in 2026.<br>embedded · fallback<br>Microsoft-signed shim<br>Drop a signed shimx64.efi + grubx64.efi in for Secure-Boot-enforced fleets. No firmware MOK enrolment needed.<br>custom · BYO<br>Custom-themed iPXE<br>Compile your own iPXE with branding, custom menu colours, embedded scripts. Drop the .efi in.<br>custom · BYO<br>GRUB / syslinux / pxelinux<br>Not iPXE? No problem. Anything that speaks TFTP and HTTP works. Bootimus just serves bytes.<br>custom · BYO

pts/0<br>bootloader sets — file fallthrough

$ tree /var/lib/bootimus/bootloaders<br>data/bootloaders<br>├── ipxe-builtin/ # embedded — always available<br>│ ├── ipxe.efi<br>│ ├── ipxe-arm64.efi<br>│ └── undionly.kpxe<br>├── ipxe-secureboot/ # your custom set<br>│ ├── shimx64.efi (signed by Microsoft)<br>│ ├── grubx64.efi (signed by Microsoft)<br>│ └── ipxe.efi (signed by your CA)<br>└── ipxe-themed/<br>└── ipxe.efi (custom branding)

$ bootimus bootloaders use ipxe-secureboot<br>✓ active set: ipxe-secureboot<br>✓ falls back to ipxe-builtin for: ipxe-arm64.efi, undionly.kpxe

# PXE boot trace, Secure Boot...