diff --git a/license-server/compose.yaml b/license-server/compose.yaml deleted file mode 100644 index 11fca2d..0000000 --- a/license-server/compose.yaml +++ /dev/null @@ -1,70 +0,0 @@ -# Triton License Server — standalone compose file. -# -# Self-contained: bundles its own PostgreSQL. Designed to run on a host -# that ONLY hosts the licence server. For combined dev installs, see -# the root /compose.yaml. -# -# Reads .env from the same directory (this file's parent). The deploy -# install.sh writes that .env from env.template. - -services: - - postgres: - image: docker.io/library/postgres:18-alpine - container_name: triton-license-db - hostname: triton-license-db - restart: unless-stopped - environment: - POSTGRES_USER: ${POSTGRES_USER:-triton} - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} - POSTGRES_DB: ${POSTGRES_DB:-triton_license} - volumes: - - triton-license-db-data:/var/lib/postgresql - ports: - # Bind to localhost only — never expose Postgres to the public internet. - - "127.0.0.1:${POSTGRES_PORT:-5436}:5432" - healthcheck: - test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-triton} -d ${POSTGRES_DB:-triton_license}"] - interval: 5s - timeout: 3s - retries: 20 - - license-server: - image: ${TRITON_LICENSE_IMAGE:-ghcr.io/amiryahaya/triton-licenseserver:latest} - container_name: triton-licenseserver - hostname: triton-licenseserver - restart: unless-stopped - depends_on: - postgres: - condition: service_healthy - environment: - # Required - TRITON_LICENSE_SERVER_DB_URL: postgres://${POSTGRES_USER:-triton}:${POSTGRES_PASSWORD}@triton-license-db:5432/${POSTGRES_DB:-triton_license}?sslmode=disable - TRITON_LICENSE_SERVER_SIGNING_KEY: ${TRITON_LICENSE_SERVER_SIGNING_KEY} - TRITON_LICENSE_SERVER_ADMIN_EMAIL: ${TRITON_LICENSE_SERVER_ADMIN_EMAIL} - TRITON_LICENSE_SERVER_ADMIN_PASSWORD: ${TRITON_LICENSE_SERVER_ADMIN_PASSWORD} - # Optional — TLS termination at this container; omit if you proxy. - TRITON_LICENSE_SERVER_TLS_CERT: ${TRITON_LICENSE_SERVER_TLS_CERT:-} - TRITON_LICENSE_SERVER_TLS_KEY: ${TRITON_LICENSE_SERVER_TLS_KEY:-} - TRITON_LICENSE_SERVER_ALLOW_INSECURE: ${TRITON_LICENSE_SERVER_ALLOW_INSECURE:-} - TRITON_LICENSE_SERVER_LISTEN: ${TRITON_LICENSE_SERVER_LISTEN:-:8081} - TRITON_LICENSE_SERVER_STALE_THRESHOLD: ${TRITON_LICENSE_SERVER_STALE_THRESHOLD:-336h} - # Optional — public URL pushed to clients (used in invite emails). - TRITON_LICENSE_SERVER_PUBLIC_URL: ${TRITON_LICENSE_SERVER_PUBLIC_URL:-} - # Optional — Resend.com API key for sending invite emails. - RESEND_API_KEY: ${RESEND_API_KEY:-} - RESEND_FROM_EMAIL: ${RESEND_FROM_EMAIL:-} - # Worker binaries directory inside the container. - # The host directory (TRITON_LICENSE_SERVER_HOST_BIN_DIR) is mounted here. - TRITON_LICENSE_SERVER_BIN_DIR: /data/binaries - volumes: - # Mount TLS cert + key into the container if you set the env vars above. - - ${TLS_CERT_HOST_DIR:-/etc/triton/tls}:/etc/triton/tls:ro - # Worker binaries — persistent across container rebuilds. - - ${TRITON_LICENSE_SERVER_HOST_BIN_DIR:-/opt/triton/binaries}:/data/binaries - ports: - - "${TRITON_LICENSE_SERVER_HOST_PORT:-8081}:8081" - -volumes: - triton-license-db-data: - name: triton-license-db-data diff --git a/license-server/env.template b/license-server/env.template deleted file mode 100644 index 63c1bae..0000000 --- a/license-server/env.template +++ /dev/null @@ -1,61 +0,0 @@ -# Triton License Server environment template. -# Copy to .env in this directory; install.sh does that automatically. -# -# Required values are flagged. Generated values get auto-filled by install.sh -# when run without flags. - -# ─── PostgreSQL (auto-generated) ───────────────────────────────────────── -POSTGRES_USER=triton -POSTGRES_PASSWORD=__GENERATED_BY_INSTALL_SH__ # openssl rand -hex 24 -POSTGRES_DB=triton_license -POSTGRES_PORT=5436 # localhost-bound - -# ─── License Server core (REQUIRED) ────────────────────────────────────── -# Ed25519 keypair as 128 hex chars (seed||pub). Generated once at install -# time. Back this up — losing it forces every customer to re-activate. -TRITON_LICENSE_SERVER_SIGNING_KEY=__GENERATED_BY_INSTALL_SH__ - -# Initial superadmin seeded on first boot. After login, rotate this. -TRITON_LICENSE_SERVER_ADMIN_EMAIL=admin@example.com -TRITON_LICENSE_SERVER_ADMIN_PASSWORD=__GENERATED_BY_INSTALL_SH__ - -# ─── Listener ──────────────────────────────────────────────────────────── -TRITON_LICENSE_SERVER_LISTEN=:8081 -TRITON_LICENSE_SERVER_HOST_PORT=8081 # host port to publish - -# ─── TLS (recommended for production) ──────────────────────────────────── -# Two paths: -# A) Reverse proxy terminates TLS — leave these blank, set ALLOW_INSECURE=1. -# B) Container terminates TLS — set CERT + KEY (paths inside container) -# and mount your /etc/triton/tls directory via TLS_CERT_HOST_DIR. -TRITON_LICENSE_SERVER_TLS_CERT= -TRITON_LICENSE_SERVER_TLS_KEY= -TRITON_LICENSE_SERVER_ALLOW_INSECURE= -TLS_CERT_HOST_DIR=/etc/triton/tls - -# ─── Operations ────────────────────────────────────────────────────────── -# Hours after which a license is considered stale (offline grace window). -# 336h = 14 days. Increase for longer offline tolerance. -TRITON_LICENSE_SERVER_STALE_THRESHOLD=336h - -# Public URL of this server. Used in invite emails and pushed to clients -# during validation. Leave blank if no email/external clients yet. -TRITON_LICENSE_SERVER_PUBLIC_URL= - -# ─── Email (optional) ──────────────────────────────────────────────────── -# Resend.com keys for sending platform-admin invites + temp passwords. -# Leave blank to disable email — invites are still issued, the password -# just isn't auto-mailed. -RESEND_API_KEY= -RESEND_FROM_EMAIL= - -# ─── Worker binaries ───────────────────────────────────────────────────── -# Host directory bind-mounted into the container at /data/binaries. -# Binaries (triton-agent, triton-sshagent, triton-portscan) are stored as -# files — not in the DB — so this directory must survive container rebuilds. -# Created automatically by install.sh if it does not exist. -TRITON_LICENSE_SERVER_HOST_BIN_DIR=/opt/triton/binaries - -# ─── Image ─────────────────────────────────────────────────────────────── -# Override to pin a specific build. Default tracks :latest from ghcr.io. -TRITON_LICENSE_IMAGE=ghcr.io/amiryahaya/triton-licenseserver:latest diff --git a/license-server/install.sh b/license-server/install.sh deleted file mode 100755 index 47c0843..0000000 --- a/license-server/install.sh +++ /dev/null @@ -1,129 +0,0 @@ -#!/usr/bin/env bash -# install.sh — Triton License Server installer. -# -# Idempotent. Generates secrets on first run, reuses .env on subsequent runs. -# Container-based via Podman or Docker (auto-detected). -# -# Usage: -# sudo bash install.sh # interactive defaults -# sudo bash install.sh --admin-email a@b.com # set initial admin email -# sudo bash install.sh --image TAG # pin a specific image -# sudo bash install.sh --public-url URL # set TRITON_LICENSE_SERVER_PUBLIC_URL -# sudo bash install.sh --no-tls # skip TLS check (dev) -set -euo pipefail - -SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)" -cd "$SCRIPT_DIR" - -info() { printf '[license-server] %s\n' "$*"; } -die() { printf '[license-server] error: %s\n' "$*" >&2; exit 1; } - -# ── arg parsing ────────────────────────────────────────────────────────── -ADMIN_EMAIL="" -PUBLIC_URL="" -IMAGE="" -NO_TLS=0 -while [[ $# -gt 0 ]]; do - case "$1" in - --admin-email) ADMIN_EMAIL="$2"; shift 2 ;; - --public-url) PUBLIC_URL="$2"; shift 2 ;; - --image) IMAGE="$2"; shift 2 ;; - --no-tls) NO_TLS=1; shift ;; - -h|--help) - grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;; - *) - die "unknown flag: $1 (try --help)" ;; - esac -done - -[[ $EUID -eq 0 ]] || die "must run as root" - -# ── runtime detection (podman > docker) ────────────────────────────────── -if command -v podman-compose >/dev/null 2>&1; then - COMPOSE=(podman-compose) - RUNTIME=podman -elif podman compose version >/dev/null 2>&1; then - COMPOSE=(podman compose) - RUNTIME=podman -elif docker compose version >/dev/null 2>&1; then - COMPOSE=(docker compose) - RUNTIME=docker -else - die "no compose runtime found. Install podman-compose or docker compose." -fi -info "using runtime: $RUNTIME ($(command -v $RUNTIME))" - -# ── .env bootstrap ─────────────────────────────────────────────────────── -ENV_FILE="$SCRIPT_DIR/.env" -if [[ ! -f "$ENV_FILE" ]]; then - info "writing .env from env.template (first install)" - cp env.template "$ENV_FILE" - chmod 600 "$ENV_FILE" - - # Auto-generate secrets. - PG_PASS=$(openssl rand -hex 24) - - # Ed25519 keypair: seed (32B) || pub (32B) = 64B = 128 hex chars. - # openssl emits PKCS#8 PEM; pull the seed out, re-derive the pub half via Go-style - # ed25519.NewKeyFromSeed at server startup. We just need the 128-hex format here. - TMP_PEM=$(mktemp) - trap 'rm -f "$TMP_PEM"' EXIT - openssl genpkey -algorithm ed25519 -out "$TMP_PEM" 2>/dev/null - SEED_HEX=$(openssl pkey -in "$TMP_PEM" -text -noout 2>/dev/null \ - | awk '/priv:/{found=1; next} found && /pub:/{exit} found' \ - | tr -d ' :\n' | head -c 64) - PUB_HEX=$(openssl pkey -in "$TMP_PEM" -pubout -outform DER 2>/dev/null \ - | tail -c 32 | xxd -p -c 64 | tr -d '\n') - SIGNING_KEY="${SEED_HEX}${PUB_HEX}" - - [[ ${#SIGNING_KEY} -eq 128 ]] || die "Ed25519 keygen produced bad length (${#SIGNING_KEY})" - - ADMIN_PASS=$(openssl rand -base64 24 | tr -d '\n=+/' | head -c 28) - - sed -i \ - -e "s|^POSTGRES_PASSWORD=.*|POSTGRES_PASSWORD=$PG_PASS|" \ - -e "s|^TRITON_LICENSE_SERVER_SIGNING_KEY=.*|TRITON_LICENSE_SERVER_SIGNING_KEY=$SIGNING_KEY|" \ - -e "s|^TRITON_LICENSE_SERVER_ADMIN_PASSWORD=.*|TRITON_LICENSE_SERVER_ADMIN_PASSWORD=$ADMIN_PASS|" \ - "$ENV_FILE" - - [[ -n "$ADMIN_EMAIL" ]] && sed -i "s|^TRITON_LICENSE_SERVER_ADMIN_EMAIL=.*|TRITON_LICENSE_SERVER_ADMIN_EMAIL=$ADMIN_EMAIL|" "$ENV_FILE" - [[ -n "$PUBLIC_URL" ]] && sed -i "s|^TRITON_LICENSE_SERVER_PUBLIC_URL=.*|TRITON_LICENSE_SERVER_PUBLIC_URL=$PUBLIC_URL|" "$ENV_FILE" - [[ -n "$IMAGE" ]] && sed -i "s|^TRITON_LICENSE_IMAGE=.*|TRITON_LICENSE_IMAGE=$IMAGE|" "$ENV_FILE" - [[ $NO_TLS -eq 1 ]] && sed -i "s|^TRITON_LICENSE_SERVER_ALLOW_INSECURE=.*|TRITON_LICENSE_SERVER_ALLOW_INSECURE=1|" "$ENV_FILE" - - info ".env created at $ENV_FILE" - info "INITIAL ADMIN PASSWORD: $ADMIN_PASS" - info " rotate after first login (Account → Change password)" -else - info "reusing existing .env at $ENV_FILE" -fi - -# ── binary directory ───────────────────────────────────────────────────── -BIN_DIR_HOST=$(grep -E '^TRITON_LICENSE_SERVER_HOST_BIN_DIR=' "$ENV_FILE" | cut -d= -f2) -BIN_DIR_HOST="${BIN_DIR_HOST:-/opt/triton/binaries}" -if [[ ! -d "$BIN_DIR_HOST" ]]; then - info "creating binary directory: $BIN_DIR_HOST" - mkdir -p "$BIN_DIR_HOST" - chmod 755 "$BIN_DIR_HOST" -fi -info "binary directory: $BIN_DIR_HOST" - -# ── start ──────────────────────────────────────────────────────────────── -info "starting containers..." -"${COMPOSE[@]}" --env-file "$ENV_FILE" up -d - -info "waiting for license server to become healthy..." -HOST_PORT=$(grep -E '^TRITON_LICENSE_SERVER_HOST_PORT=' "$ENV_FILE" | cut -d= -f2) -HOST_PORT=${HOST_PORT:-8081} - -for i in $(seq 1 30); do - if curl -sf "http://localhost:${HOST_PORT}/api/v1/health" >/dev/null 2>&1; then - info "license server is up: http://localhost:${HOST_PORT}" - break - fi - sleep 2 -done - -info "done. Admin UI: http://localhost:${HOST_PORT}/ui/" -info " login as: $(grep ADMIN_EMAIL "$ENV_FILE" | cut -d= -f2)" -info " see manage-server.md to wire a manage server to this licence server." diff --git a/license-server/uninstall.sh b/license-server/uninstall.sh deleted file mode 100755 index 747cb6f..0000000 --- a/license-server/uninstall.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/usr/bin/env bash -# uninstall.sh — stop and remove License Server containers. -# -# By default, KEEPS the PostgreSQL volume (license data). Pass --purge-data -# to delete the volume as well — irreversible. -# -# Usage: -# sudo bash uninstall.sh # stop + remove containers, keep DB volume -# sudo bash uninstall.sh --purge-data # also delete DB volume (DESTRUCTIVE) -set -euo pipefail - -SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)" -cd "$SCRIPT_DIR" - -info() { printf '[license-server] %s\n' "$*"; } -die() { printf '[license-server] error: %s\n' "$*" >&2; exit 1; } - -[[ $EUID -eq 0 ]] || die "must run as root" - -PURGE=0 -while [[ $# -gt 0 ]]; do - case "$1" in - --purge-data) PURGE=1; shift ;; - -h|--help) grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;; - *) die "unknown flag: $1" ;; - esac -done - -if command -v podman-compose >/dev/null 2>&1; then COMPOSE=(podman-compose) -elif podman compose version >/dev/null 2>&1; then COMPOSE=(podman compose) -elif docker compose version >/dev/null 2>&1; then COMPOSE=(docker compose) -else die "no compose runtime found"; fi - -if [[ -f .env ]]; then - info "stopping containers..." - "${COMPOSE[@]}" --env-file .env down -else - info ".env not found, attempting raw container cleanup..." - podman rm -f triton-licenseserver triton-license-db 2>/dev/null || true -fi - -if [[ $PURGE -eq 1 ]]; then - info "DESTRUCTIVE: removing license DB volume..." - read -r -p " Are you sure? Type 'yes' to confirm: " CONFIRM - [[ "$CONFIRM" == "yes" ]] || die "aborted" - podman volume rm -f triton-license-db-data 2>/dev/null \ - || docker volume rm -f triton-license-db-data 2>/dev/null \ - || true - info " DB volume removed" - info " .env and signing key still on disk at $SCRIPT_DIR/.env — delete manually if desired" -else - info "DB volume retained (run with --purge-data to delete)" -fi - -info "uninstall complete" diff --git a/license-server/upgrade.sh b/license-server/upgrade.sh deleted file mode 100755 index fbe2578..0000000 --- a/license-server/upgrade.sh +++ /dev/null @@ -1,64 +0,0 @@ -#!/usr/bin/env bash -# upgrade.sh — pull the latest license-server image and restart. -# -# DB schema migrations run on startup automatically. No app data is touched. -# -# Usage: -# sudo bash upgrade.sh # pull :latest, recreate containers -# sudo bash upgrade.sh --image TAG # pin a specific image -set -euo pipefail - -SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)" -cd "$SCRIPT_DIR" - -info() { printf '[license-server] %s\n' "$*"; } -die() { printf '[license-server] error: %s\n' "$*" >&2; exit 1; } - -[[ $EUID -eq 0 ]] || die "must run as root" -[[ -f .env ]] || die ".env not found — run install.sh first" - -IMAGE="" -while [[ $# -gt 0 ]]; do - case "$1" in - --image) IMAGE="$2"; shift 2 ;; - -h|--help) grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;; - *) die "unknown flag: $1" ;; - esac -done - -if [[ -n "$IMAGE" ]]; then - sed -i "s|^TRITON_LICENSE_IMAGE=.*|TRITON_LICENSE_IMAGE=$IMAGE|" .env - info "pinned image to $IMAGE" -fi - -if command -v podman-compose >/dev/null 2>&1; then COMPOSE=(podman-compose) -elif podman compose version >/dev/null 2>&1; then COMPOSE=(podman compose) -elif docker compose version >/dev/null 2>&1; then COMPOSE=(docker compose) -else die "no compose runtime found"; fi - -info "pre-upgrade DB backup..." -DUMP_DIR=/var/backups/triton -mkdir -p "$DUMP_DIR" -DUMP_FILE="$DUMP_DIR/license-pre-upgrade-$(date +%F-%H%M%S).sql.gz" -podman exec triton-license-db pg_dump -U triton triton_license 2>/dev/null \ - | gzip > "$DUMP_FILE" || die "pg_dump failed — aborting upgrade" -info " saved: $DUMP_FILE" - -info "pulling latest image..." -"${COMPOSE[@]}" --env-file .env pull license-server - -info "recreating license-server container..." -"${COMPOSE[@]}" --env-file .env up -d --no-deps license-server - -HOST_PORT=$(grep -E '^TRITON_LICENSE_SERVER_HOST_PORT=' .env | cut -d= -f2) -HOST_PORT=${HOST_PORT:-8081} - -info "waiting for new container to become healthy..." -for i in $(seq 1 30); do - if curl -sf "http://localhost:${HOST_PORT}/api/v1/license/health" >/dev/null 2>&1; then - info "upgrade complete" - exit 0 - fi - sleep 2 -done -die "new container did not become healthy in 60s — check logs and consider rollback"