triton-install/README.md

# Triton Manage Server Installer

Production installer for the Triton Manage Server. Container-based (Docker or Podman), idempotent — safe to re-run.

## Install

Your vendor provides a licence bundle — a single file:

```
license.lic   # signed offline licence token
```

The vendor's public key is baked into the image at build time — nothing else to configure.

Point the installer at the bundle:

```bash
curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --license-file /path/to/triton-bundle/license.lic
```

## Setup wizard

After install, open `http://localhost:8082` and complete the wizard:

1. Set your manage server name
2. Create the admin account

## Optional flags

Pass flags after `--`:

```bash
curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --license-file /path/to/license.lic [flags]
```

| Flag | Description |
|------|-------------|
| `--license-file PATH` | Path to `license.lic` from your vendor bundle. **Required.** |
| `--license-server-url URL` | License Server URL for ongoing heartbeats (optional, omit for air-gap). |
| `--gateway-hostname HOST` | Agent mTLS hostname (defaults to current FQDN). |
| `--manage-host-ip IP` | Host LAN IP for "+ This machine" auto-registration. |
| `--port PORT` | Host port for the web UI (default: `8082`). |
| `--image TAG` | Pin a specific image tag (e.g. `1.0.0-rc.2`). |
| `--no-tls` | Skip TLS sanity check (dev only). |

## Upgrade

Pull the latest image and restart (keeps all data, runs DB migrations automatically):

```bash
curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --upgrade
```

Pin a specific version:

```bash
curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --upgrade --image ghcr.io/primatekuntech/triton-manage-server:1.2.0
```

## Uninstall

Stop containers and remove them, but keep all data (PostgreSQL volume, credentials vault):

```bash
curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --uninstall
```

Also delete all data (irreversible):

```bash
curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --uninstall --purge-data
```

## Host-bound licences

Your vendor can issue an offline `.lic` file that is cryptographically bound to a specific host
so it cannot be used on any other machine.

**To get a host-bound licence:**

1. Run the installer on the target server. At the end of the output you will see:
   ```
   [manage-server] ── Host Machine ID ──────────────────────────────────────────────────────
   [manage-server]   Provide this value to your vendor when requesting a host-bound .lic file.
   [manage-server]   Machine ID (SHA-3-256): <64-hex-chars>
   [manage-server] ────────────────────────────────────────────────────────────────────────
   ```
2. Share the 64-character hex value with your vendor.
3. The vendor enters it in the License Portal when generating the offline `.lic` token.
4. Re-run the installer with the new `.lic` file — the Manage Server verifies the binding at every startup.

**The Machine ID is stable.** It is a SHA-3-256 hash of `/etc/machine-id`, which is written once
at OS installation and never changes. Container restarts, image upgrades, and re-running the
installer will always produce the same value.

To retrieve the Machine ID at any time without re-installing, simply re-run the install command:

```bash
curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh | sudo bash -s -- --license-file /path/to/license.lic
```

For air-gapped deployments without host binding the `.lic` file is portable, but anyone who
obtains the file can run a second instance. Host binding removes that risk.

## Requirements

- Linux (amd64 or arm64) or macOS
- Docker or Podman with Compose (auto-installed if missing)
- Port 443 open (HTTPS)
docs: scope README to manage server only 2026-05-17 09:22:25 +02:00			`# Triton Manage Server Installer`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00
docs: scope README to manage server only 2026-05-17 09:22:25 +02:00			`Production installer for the Triton Manage Server. Container-based (Docker or Podman), idempotent — safe to re-run.`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00
docs: scope README to manage server only 2026-05-17 09:22:25 +02:00			`## Install`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00
feat(install): drop pubkey file from bundle — single license.lic is enough Pubkey is now baked into the image at build time. Bundle is just license.lic. TRITON_MANAGE_LICENSE_SERVER_PUBKEY in .env is optional (compiled-in default used when empty). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 00:08:17 +08:00			`Your vendor provides a licence bundle — a single file:`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00
			```
feat(install): drop pubkey file from bundle — single license.lic is enough Pubkey is now baked into the image at build time. Bundle is just license.lic. TRITON_MANAGE_LICENSE_SERVER_PUBKEY in .env is optional (compiled-in default used when empty). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 00:08:17 +08:00			`license.lic # signed offline licence token`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			```

feat(install): drop pubkey file from bundle — single license.lic is enough Pubkey is now baked into the image at build time. Bundle is just license.lic. TRITON_MANAGE_LICENSE_SERVER_PUBKEY in .env is optional (compiled-in default used when empty). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 00:08:17 +08:00			`The vendor's public key is baked into the image at build time — nothing else to configure.`

feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`Point the installer at the bundle:`

			```bash
			`curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh \| sudo bash -s -- --license-file /path/to/triton-bundle/license.lic`
			```
docs: simplify install to single curl command — setup wizard handles licence config 2026-05-17 10:12:41 +02:00
			`## Setup wizard`

			After install, open `http://localhost:8082` and complete the wizard:

			`1. Set your manage server name`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`2. Create the admin account`
docs: simplify install to single curl command — setup wizard handles licence config 2026-05-17 10:12:41 +02:00
			`## Optional flags`

docs(readme): rewrite with get.sh one-liners for install, upgrade, and uninstall All commands are now single-line curl one-liners referencing get.sh directly. Added dedicated Upgrade and Uninstall sections with full URLs. Requirements updated to include macOS. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:37:41 +08:00			Pass flags after `--`:

docs: simplify install to single curl command — setup wizard handles licence config 2026-05-17 10:12:41 +02:00			```bash
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			`curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh \| sudo bash -s -- --license-file /path/to/license.lic [flags]`
docs: simplify install to single curl command — setup wizard handles licence config 2026-05-17 10:12:41 +02:00			```
docs: scope README to manage server only 2026-05-17 09:22:25 +02:00
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`\| Flag \| Description \|`
			`\|------\|-------------\|`
feat(install): license bundle approach — --license-file replaces pubkey fetch Remove auto-fetching pubkey from license server. Instead the vendor ships a bundle (license.lic + pubkey) and the installer reads both files from the same directory. Works for both online and air-gapped deployments. --license-server-url is now optional (heartbeats only, not required to start). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 23:29:19 +08:00			\| `--license-file PATH` \| Path to `license.lic` from your vendor bundle. Required. \|
			\| `--license-server-url URL` \| License Server URL for ongoing heartbeats (optional, omit for air-gap). \|
docs: simplify install to single curl command — setup wizard handles licence config 2026-05-17 10:12:41 +02:00			\| `--gateway-hostname HOST` \| Agent mTLS hostname (defaults to current FQDN). \|
			\| `--manage-host-ip IP` \| Host LAN IP for "+ This machine" auto-registration. \|
feat(install): add --port flag to set web UI host port at install time Passes --port PORT through to TRITON_MANAGE_HOST_PORT in .env so users can change the default 8082 at install time via the one-liner: curl ... \| sudo bash -s -- --port 9090 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:45:00 +08:00			\| `--port PORT` \| Host port for the web UI (default: `8082`). \|
docs: simplify install to single curl command — setup wizard handles licence config 2026-05-17 10:12:41 +02:00			\| `--image TAG` \| Pin a specific image tag (e.g. `1.0.0-rc.2`). \|
			\| `--no-tls` \| Skip TLS sanity check (dev only). \|
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00
docs(readme): rewrite with get.sh one-liners for install, upgrade, and uninstall All commands are now single-line curl one-liners referencing get.sh directly. Added dedicated Upgrade and Uninstall sections with full URLs. Requirements updated to include macOS. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:37:41 +08:00			`## Upgrade`

			`Pull the latest image and restart (keeps all data, runs DB migrations automatically):`

			```bash
			`curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh \| sudo bash -s -- --upgrade`
			```

			`Pin a specific version:`

			```bash
			`curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh \| sudo bash -s -- --upgrade --image ghcr.io/primatekuntech/triton-manage-server:1.2.0`
			```

			`## Uninstall`

			`Stop containers and remove them, but keep all data (PostgreSQL volume, credentials vault):`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00
			```bash
docs(readme): rewrite with get.sh one-liners for install, upgrade, and uninstall All commands are now single-line curl one-liners referencing get.sh directly. Added dedicated Upgrade and Uninstall sections with full URLs. Requirements updated to include macOS. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:37:41 +08:00			`curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh \| sudo bash -s -- --uninstall`
			```

			`Also delete all data (irreversible):`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00
docs(readme): rewrite with get.sh one-liners for install, upgrade, and uninstall All commands are now single-line curl one-liners referencing get.sh directly. Added dedicated Upgrade and Uninstall sections with full URLs. Requirements updated to include macOS. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:37:41 +08:00			```bash
			`curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh \| sudo bash -s -- --uninstall --purge-data`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			```

docs: expand host-bound licence instructions with machine ID details Clarifies the exact installer output format, emphasises that the Machine ID is stable (SHA-3-256 of /etc/machine-id, set once at OS install), and shows how to retrieve it at any time by re-running the install command. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 07:34:03 +02:00			`## Host-bound licences`
feat(security): add host-bound licence support (/etc/machine-id binding) - compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 10:19:44 +08:00
			Your vendor can issue an offline `.lic` file that is cryptographically bound to a specific host
docs: expand host-bound licence instructions with machine ID details Clarifies the exact installer output format, emphasises that the Machine ID is stable (SHA-3-256 of /etc/machine-id, set once at OS install), and shows how to retrieve it at any time by re-running the install command. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 07:34:03 +02:00			`so it cannot be used on any other machine.`
feat(security): add host-bound licence support (/etc/machine-id binding) - compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 10:19:44 +08:00
			`To get a host-bound licence:`

docs: expand host-bound licence instructions with machine ID details Clarifies the exact installer output format, emphasises that the Machine ID is stable (SHA-3-256 of /etc/machine-id, set once at OS install), and shows how to retrieve it at any time by re-running the install command. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 07:34:03 +02:00			`1. Run the installer on the target server. At the end of the output you will see:`
feat(security): add host-bound licence support (/etc/machine-id binding) - compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 10:19:44 +08:00			```
docs: expand host-bound licence instructions with machine ID details Clarifies the exact installer output format, emphasises that the Machine ID is stable (SHA-3-256 of /etc/machine-id, set once at OS install), and shows how to retrieve it at any time by re-running the install command. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 07:34:03 +02:00			`[manage-server] ── Host Machine ID ──────────────────────────────────────────────────────`
			`[manage-server] Provide this value to your vendor when requesting a host-bound .lic file.`
			`[manage-server] Machine ID (SHA-3-256): <64-hex-chars>`
			`[manage-server] ────────────────────────────────────────────────────────────────────────`
feat(security): add host-bound licence support (/etc/machine-id binding) - compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 10:19:44 +08:00			```
docs: expand host-bound licence instructions with machine ID details Clarifies the exact installer output format, emphasises that the Machine ID is stable (SHA-3-256 of /etc/machine-id, set once at OS install), and shows how to retrieve it at any time by re-running the install command. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 07:34:03 +02:00			`2. Share the 64-character hex value with your vendor.`
			3. The vendor enters it in the License Portal when generating the offline `.lic` token.
			4. Re-run the installer with the new `.lic` file — the Manage Server verifies the binding at every startup.
feat(security): add host-bound licence support (/etc/machine-id binding) - compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 10:19:44 +08:00
docs: expand host-bound licence instructions with machine ID details Clarifies the exact installer output format, emphasises that the Machine ID is stable (SHA-3-256 of /etc/machine-id, set once at OS install), and shows how to retrieve it at any time by re-running the install command. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 07:34:03 +02:00			The Machine ID is stable. It is a SHA-3-256 hash of `/etc/machine-id`, which is written once
			`at OS installation and never changes. Container restarts, image upgrades, and re-running the`
			`installer will always produce the same value.`

			`To retrieve the Machine ID at any time without re-installing, simply re-run the install command:`

			```bash
			`curl -fsSL https://raw.githubusercontent.com/primatekuntech/triton-install/main/get.sh \| sudo bash -s -- --license-file /path/to/license.lic`
			```

			For air-gapped deployments without host binding the `.lic` file is portable, but anyone who
feat(security): add host-bound licence support (/etc/machine-id binding) - compose.yaml: mount /etc/machine-id read-only into the manage-server container - install.sh: print SHA-3-256 of /etc/machine-id after install so customers can share it with their vendor when requesting a host-bound .lic file - README.md: document "Host-bound licences" flow Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-20 10:19:44 +08:00			`obtains the file can run a second instance. Host binding removes that risk.`

feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`## Requirements`

docs(readme): rewrite with get.sh one-liners for install, upgrade, and uninstall All commands are now single-line curl one-liners referencing get.sh directly. Added dedicated Upgrade and Uninstall sections with full URLs. Requirements updated to include macOS. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-19 19:37:41 +08:00			`- Linux (amd64 or arm64) or macOS`
			`- Docker or Podman with Compose (auto-installed if missing)`
feat: initial installer scripts for manage server and license server 2026-05-17 08:57:58 +02:00			`- Port 443 open (HTTPS)`