triton-install/README.md

# Triton Manage Server Installer

Production installer for the Triton Manage Server. Container-based (Docker or Podman), idempotent — safe to re-run.

## Install

One line, no licence needed at install time — you upload the `.lic` file in the setup
wizard after the server starts.

```bash
curl -fsSL https://forgejo.primatekun.tech/primatekuntech/triton-install/raw/branch/main/get.sh | sudo bash
```

## Setup wizard

After install, open `http://localhost:8082` and complete the wizard:

1. Set your manage server name
2. Create the admin account
3. Upload your licence (`.lic` file from your vendor bundle)

The vendor's public key is baked into the image at build time, so the `.lic` file is the
only artefact you need from your vendor.

## Optional flags

Pass flags after `--`:

```bash
curl -fsSL https://forgejo.primatekun.tech/primatekuntech/triton-install/raw/branch/main/get.sh | sudo bash -s -- [flags]
```

| Flag | Description |
|------|-------------|
| `--gateway-hostname HOST` | Agent mTLS hostname (defaults to current FQDN). |
| `--manage-host-ip IP` | Host LAN IP for "+ This machine" auto-registration. |
| `--image TAG` | Pin a specific image tag (e.g. `1.0.0-rc.2`). |
| `--license-pubkey HEX` | Hex-encoded Ed25519 verifier key. Only needed when not baked into the image at build time. |
| `--no-tls` | Skip TLS sanity check (dev only). |

## Upgrade

Pull the latest image and restart (keeps all data, runs DB migrations automatically):

```bash
curl -fsSL https://forgejo.primatekun.tech/primatekuntech/triton-install/raw/branch/main/get.sh | sudo bash -s -- --upgrade
```

Pin a specific version:

```bash
curl -fsSL https://forgejo.primatekun.tech/primatekuntech/triton-install/raw/branch/main/get.sh | sudo bash -s -- --upgrade --image forgejo.primatekun.tech/primatekuntech/triton-manage-server:1.2.0
```

## Uninstall

Stop containers and remove them, but keep all data (PostgreSQL volume, credentials vault):

```bash
curl -fsSL https://forgejo.primatekun.tech/primatekuntech/triton-install/raw/branch/main/get.sh | sudo bash -s -- --uninstall
```

Also delete all data (irreversible):

```bash
curl -fsSL https://forgejo.primatekun.tech/primatekuntech/triton-install/raw/branch/main/get.sh | sudo bash -s -- --uninstall --purge-data
```

## Host-bound licences

Your vendor can issue an offline `.lic` file that is cryptographically bound to a specific host
so it cannot be used on any other machine.

**To get a host-bound licence:**

1. Run the installer on the target server. At the end of the output you will see:
   ```
   [manage-server] ── Host Machine ID ──────────────────────────────────────────────────────
   [manage-server]   Provide this value to your vendor when requesting a host-bound .lic file.
   [manage-server]   Machine ID (SHA-3-256): <64-hex-chars>
   [manage-server] ────────────────────────────────────────────────────────────────────────
   ```
   The same value is also shown in the setup wizard's licence-upload step.
2. Share the 64-character hex value with your vendor.
3. The vendor enters it in the License Portal when generating the offline `.lic` token.
4. Upload the new `.lic` file via the setup wizard (or, if already past wizard, in
   the admin UI under *Settings → Licence*). The Manage Server verifies the binding at
   every startup.

**The Machine ID is stable.** It is a SHA-3-256 hash of `/etc/machine-id`, which is written once
at OS installation and never changes. Container restarts, image upgrades, and re-running the
installer will always produce the same value.

To retrieve the Machine ID at any time without re-installing, re-run the install command:

```bash
curl -fsSL https://forgejo.primatekun.tech/primatekuntech/triton-install/raw/branch/main/get.sh | sudo bash
```

For air-gapped deployments without host binding the `.lic` file is portable, but anyone who
obtains the file can run a second instance. Host binding removes that risk.

## Requirements

- Linux (amd64 or arm64) or macOS
- Docker or Podman with Compose (auto-installed if missing)
- Port 443 open (HTTPS)