Bootimus — Modern PXE/HTTP boot server

// features

Everything a modern netboot setup should be.

Not a fork of 15-year-old Perl scripts. Not a wrapper around dnsmasq. A proper server, written in Go, with batteries included.

[01]

Single binary

Go binary with embedded iPXE, web UI, SQLite, and all assets. No runtime deps. Scp it and run.

[02]

Built-in proxyDHCP

Answers PXE on UDP/67 without touching your existing DHCP. Zero router reconfig. Drop in on any LAN.

[03]

50+ distros

Automatic kernel/initrd extraction for Ubuntu, Debian, Arch, Fedora, NixOS, Alpine, FreeBSD, Windows (wimboot), and more.

[04]

MAC-based ACL

Assign specific images per MAC. Auto-discover new clients on first PXE. Promote leases to static when ready.

[05]

One-click tools

GParted, Clonezilla, Memtest86+, SystemRescue, ShredOS, netboot.xyz. Enable from the UI, they show up in the menu.

[06]

JWT + LDAP

Token auth with bcrypt. Optional LDAP/AD backend with group-based admin. Local accounts stay as fallback.

[07]

REST API

Everything the UI does is an API call. Script boot assignments, scans, WOL triggers. Live log stream over SSE.

[08]

Runs anywhere

Multi-arch Docker (amd64/arm64), static binary, or a 2GB Alpine-based appliance image you can flash to USB.

[09]

Unattended installs

Drop autounattend.xml, kickstart, preseed, or cloud-init in. Attach to an image as the default, override per client. Bootimus stages it at boot — no clicks, no setup wizard.

// how it works

The lifecycle of a PXE boot.

Client sends DHCPDISCOVER. Bootimus answers PXE details via proxyDHCP while your normal DHCP still hands out the IP. iPXE loads over TFTP, chains to HTTP, fetches the menu. User picks an image. Kernel and initrd stream from the server. Done.

pts/0

pxe boot trace — ubuntu-24.04

# Client boots, sends DHCPDISCOVER broadcast
[dhcp]  → DHCPDISCOVER from b4:2e:99:01:5f:a3 (no PXE options from primary DHCP)
[proxy] ← DHCPOFFER-PXE: next-server=bootimus, filename=ipxe.efi
[tftp]  → RRQ ipxe.efi  (198 KiB, 14 ms)

# iPXE loads, chains to HTTP menu
[http]  → GET /menu.ipxe  200  2.1 KiB
[menu] ↳ 17 images · 3 groups · 6 tools
[menu] ↳ user selected: ubuntu-24.04-live-server

# Kernel + initrd stream over HTTP
[http]  → GET /iso/ubuntu-24.04/vmlinuz  200  14 MiB · 612 MB/s
[http]  → GET /iso/ubuntu-24.04/initrd   200  76 MiB · 598 MB/s
[boot]  handoff ok · client booting

// transparency

100% open. Auditable end-to-end.

No proprietary blobs. No telemetry. No sneaky binary firmware vendored in. The whole stack is on GitHub under Apache 2.0 — clone it, audit it, fork it, fly your own.

✓
Single Go binary · statically linked, ldd returns "not a dynamic executable". Reproducible builds from make release.
✓
No proprietary blobs · embedded iPXE is upstream FOSS (GPL-2.0). No closed-source firmware shipped.
✓
No telemetry, ever · zero call-home. Zero analytics. Zero "anonymous usage stats". Air-gapped LAN safe.
✓
Apache 2.0 · permissive licence. Use in commercial environments, ship internally, fork without strings.
✓
Vendored deps, all FOSS · every transitive Go dependency is open source. go mod why any package.
✓
Bring your own bootloader · don't trust the embedded iPXE? Drop your own signed binaries in. See below.

pts/0

bootimus version --verbose

$ bootimus version --verbose
bootimus      1.0.0
commit       8e87824 (clean)
go           1.23.4 linux/amd64
build        static · reproducible
licence      Apache-2.0

embedded
  ipxe        1.21.1+upstream  GPL-2.0
  proprietary 0 blobs
  telemetry   disabled (compile-time)

$ ldd ./bootimus
not a dynamic executable

$ sha256sum ./bootimus
7f3a9b0c…  bootimus

// bootloaders

Swap iPXE for whatever you need.

Bootimus ships with embedded iPXE for every common arch. Need Microsoft-signed binaries for Secure Boot, a custom-themed iPXE, GRUB, syslinux, or your own internal-CA-signed loader? Drop a folder in data/bootloaders/, pick it from the UI, done. Missing files transparently fall back to the embedded set — never a broken boot.

iPXE · UEFI x86_64

ipxe.efi · the default. Built from upstream master, embedded in the binary.

embedded · fallback

iPXE · UEFI ARM64

ipxe-arm64.efi · for Raspberry Pi 4/5, Apple Silicon hosts, ARM servers.

embedded · fallback

iPXE · Legacy BIOS

undionly.kpxe · for old kit that won't UEFI. Still relevant in 2026.

embedded · fallback

Microsoft-signed shim

Drop a signed shimx64.efi + grubx64.efi in for Secure-Boot-enforced fleets. No firmware MOK enrolment needed.

custom · BYO

Custom-themed iPXE

Compile your own iPXE with branding, custom menu colours, embedded scripts. Drop the .efi in.

custom · BYO

GRUB / syslinux / pxelinux

Not iPXE? No problem. Anything that speaks TFTP and HTTP works. Bootimus just serves bytes.

custom · BYO

pts/0

bootloader sets — file fallthrough

$ tree /var/lib/bootimus/bootloaders
data/bootloaders
├── ipxe-builtin/          # embedded — always available
│   ├── ipxe.efi
│   ├── ipxe-arm64.efi
│   └── undionly.kpxe
├── ipxe-secureboot/       # your custom set
│   ├── shimx64.efi             (signed by Microsoft)
│   ├── grubx64.efi             (signed by Microsoft)
│   └── ipxe.efi                (signed by your CA)
└── ipxe-themed/
    └── ipxe.efi                (custom branding)

$ bootimus bootloaders use ipxe-secureboot
✓ active set: ipxe-secureboot
✓ falls back to ipxe-builtin for: ipxe-arm64.efi, undionly.kpxe

# PXE boot trace, Secure Boot client
[tftp] RRQ shimx64.efi      → ipxe-secureboot/shimx64.efi
[tftp] RRQ ipxe-arm64.efi   → ipxe-builtin/ipxe-arm64.efi (fallback)

Ready to stop babysitting tftpd?

Docker, bare metal, or flashable USB. Pick your poison.

$ get bootimus read the docs →

PXE boot, without the pain.

Single binary

Built-in proxyDHCP

50+ distros

MAC-based ACL

One-click tools

JWT + LDAP

REST API

Runs anywhere

Unattended installs

iPXE · UEFI x86_64

iPXE · UEFI ARM64

iPXE · Legacy BIOS

Microsoft-signed shim

Custom-themed iPXE

GRUB / syslinux / pxelinux

Ready to stop babysitting tftpd?

PXE boot,
without the pain.