chore: remove license server installer — not for public distribution

2026-05-17 09:22:09 +02:00 · 2026-05-17 09:22:09 +02:00 · bd67e55625
commit bd67e55625
parent 92b0eeec90
5 changed files with 0 additions and 379 deletions
--- a/license-server/compose.yaml
+++ b/license-server/compose.yaml
@ -1,70 +0,0 @@
 # Triton License Server — standalone compose file.
 #
 # Self-contained: bundles its own PostgreSQL. Designed to run on a host
 # that ONLY hosts the licence server. For combined dev installs, see
 # the root /compose.yaml.
 #
 # Reads .env from the same directory (this file's parent). The deploy
 # install.sh writes that .env from env.template.
 services:
  postgres:
    image: docker.io/library/postgres:18-alpine
    container_name: triton-license-db
    hostname: triton-license-db
    restart: unless-stopped
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-triton}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB:-triton_license}
    volumes:
      - triton-license-db-data:/var/lib/postgresql
    ports:
      # Bind to localhost only — never expose Postgres to the public internet.
      - "127.0.0.1:${POSTGRES_PORT:-5436}:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-triton} -d ${POSTGRES_DB:-triton_license}"]
      interval: 5s
      timeout: 3s
      retries: 20
  license-server:
    image: ${TRITON_LICENSE_IMAGE:-ghcr.io/amiryahaya/triton-licenseserver:latest}
    container_name: triton-licenseserver
    hostname: triton-licenseserver
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      # Required
      TRITON_LICENSE_SERVER_DB_URL: postgres://${POSTGRES_USER:-triton}:${POSTGRES_PASSWORD}@triton-license-db:5432/${POSTGRES_DB:-triton_license}?sslmode=disable
      TRITON_LICENSE_SERVER_SIGNING_KEY: ${TRITON_LICENSE_SERVER_SIGNING_KEY}
      TRITON_LICENSE_SERVER_ADMIN_EMAIL: ${TRITON_LICENSE_SERVER_ADMIN_EMAIL}
      TRITON_LICENSE_SERVER_ADMIN_PASSWORD: ${TRITON_LICENSE_SERVER_ADMIN_PASSWORD}
      # Optional — TLS termination at this container; omit if you proxy.
      TRITON_LICENSE_SERVER_TLS_CERT: ${TRITON_LICENSE_SERVER_TLS_CERT:-}
      TRITON_LICENSE_SERVER_TLS_KEY: ${TRITON_LICENSE_SERVER_TLS_KEY:-}
      TRITON_LICENSE_SERVER_ALLOW_INSECURE: ${TRITON_LICENSE_SERVER_ALLOW_INSECURE:-}
      TRITON_LICENSE_SERVER_LISTEN: ${TRITON_LICENSE_SERVER_LISTEN:-:8081}
      TRITON_LICENSE_SERVER_STALE_THRESHOLD: ${TRITON_LICENSE_SERVER_STALE_THRESHOLD:-336h}
      # Optional — public URL pushed to clients (used in invite emails).
      TRITON_LICENSE_SERVER_PUBLIC_URL: ${TRITON_LICENSE_SERVER_PUBLIC_URL:-}
      # Optional — Resend.com API key for sending invite emails.
      RESEND_API_KEY: ${RESEND_API_KEY:-}
      RESEND_FROM_EMAIL: ${RESEND_FROM_EMAIL:-}
      # Worker binaries directory inside the container.
      # The host directory (TRITON_LICENSE_SERVER_HOST_BIN_DIR) is mounted here.
      TRITON_LICENSE_SERVER_BIN_DIR: /data/binaries
    volumes:
      # Mount TLS cert + key into the container if you set the env vars above.
      - ${TLS_CERT_HOST_DIR:-/etc/triton/tls}:/etc/triton/tls:ro
      # Worker binaries — persistent across container rebuilds.
      - ${TRITON_LICENSE_SERVER_HOST_BIN_DIR:-/opt/triton/binaries}:/data/binaries
    ports:
      - "${TRITON_LICENSE_SERVER_HOST_PORT:-8081}:8081"
 volumes:
  triton-license-db-data:
    name: triton-license-db-data
--- a/license-server/env.template
+++ b/license-server/env.template
@ -1,61 +0,0 @@
 # Triton License Server environment template.
 # Copy to .env in this directory; install.sh does that automatically.
 #
 # Required values are flagged. Generated values get auto-filled by install.sh
 # when run without flags.
 # ─── PostgreSQL (auto-generated) ─────────────────────────────────────────
 POSTGRES_USER=triton
 POSTGRES_PASSWORD=__GENERATED_BY_INSTALL_SH__   # openssl rand -hex 24
 POSTGRES_DB=triton_license
 POSTGRES_PORT=5436                              # localhost-bound
 # ─── License Server core (REQUIRED) ──────────────────────────────────────
 # Ed25519 keypair as 128 hex chars (seed||pub). Generated once at install
 # time. Back this up — losing it forces every customer to re-activate.
 TRITON_LICENSE_SERVER_SIGNING_KEY=__GENERATED_BY_INSTALL_SH__
 # Initial superadmin seeded on first boot. After login, rotate this.
 TRITON_LICENSE_SERVER_ADMIN_EMAIL=admin@example.com
 TRITON_LICENSE_SERVER_ADMIN_PASSWORD=__GENERATED_BY_INSTALL_SH__
 # ─── Listener ────────────────────────────────────────────────────────────
 TRITON_LICENSE_SERVER_LISTEN=:8081
 TRITON_LICENSE_SERVER_HOST_PORT=8081           # host port to publish
 # ─── TLS (recommended for production) ────────────────────────────────────
 # Two paths:
 #   A) Reverse proxy terminates TLS — leave these blank, set ALLOW_INSECURE=1.
 #   B) Container terminates TLS — set CERT + KEY (paths inside container)
 #      and mount your /etc/triton/tls directory via TLS_CERT_HOST_DIR.
 TRITON_LICENSE_SERVER_TLS_CERT=
 TRITON_LICENSE_SERVER_TLS_KEY=
 TRITON_LICENSE_SERVER_ALLOW_INSECURE=
 TLS_CERT_HOST_DIR=/etc/triton/tls
 # ─── Operations ──────────────────────────────────────────────────────────
 # Hours after which a license is considered stale (offline grace window).
 # 336h = 14 days. Increase for longer offline tolerance.
 TRITON_LICENSE_SERVER_STALE_THRESHOLD=336h
 # Public URL of this server. Used in invite emails and pushed to clients
 # during validation. Leave blank if no email/external clients yet.
 TRITON_LICENSE_SERVER_PUBLIC_URL=
 # ─── Email (optional) ────────────────────────────────────────────────────
 # Resend.com keys for sending platform-admin invites + temp passwords.
 # Leave blank to disable email — invites are still issued, the password
 # just isn't auto-mailed.
 RESEND_API_KEY=
 RESEND_FROM_EMAIL=
 # ─── Worker binaries ─────────────────────────────────────────────────────
 # Host directory bind-mounted into the container at /data/binaries.
 # Binaries (triton-agent, triton-sshagent, triton-portscan) are stored as
 # files — not in the DB — so this directory must survive container rebuilds.
 # Created automatically by install.sh if it does not exist.
 TRITON_LICENSE_SERVER_HOST_BIN_DIR=/opt/triton/binaries
 # ─── Image ───────────────────────────────────────────────────────────────
 # Override to pin a specific build. Default tracks :latest from ghcr.io.
 TRITON_LICENSE_IMAGE=ghcr.io/amiryahaya/triton-licenseserver:latest
--- a/license-server/install.sh
+++ b/license-server/install.sh
@ -1,129 +0,0 @@
 #!/usr/bin/env bash
 # install.sh — Triton License Server installer.
 #
 # Idempotent. Generates secrets on first run, reuses .env on subsequent runs.
 # Container-based via Podman or Docker (auto-detected).
 #
 # Usage:
 #   sudo bash install.sh                         # interactive defaults
 #   sudo bash install.sh --admin-email a@b.com   # set initial admin email
 #   sudo bash install.sh --image TAG             # pin a specific image
 #   sudo bash install.sh --public-url URL        # set TRITON_LICENSE_SERVER_PUBLIC_URL
 #   sudo bash install.sh --no-tls                # skip TLS check (dev)
 set -euo pipefail
 SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
 cd "$SCRIPT_DIR"
 info() { printf '[license-server] %s\n' "$*"; }
 die()  { printf '[license-server] error: %s\n' "$*" >&2; exit 1; }
 # ── arg parsing ──────────────────────────────────────────────────────────
 ADMIN_EMAIL=""
 PUBLIC_URL=""
 IMAGE=""
 NO_TLS=0
 while [[ $# -gt 0 ]]; do
    case "$1" in
        --admin-email)  ADMIN_EMAIL="$2"; shift 2 ;;
        --public-url)   PUBLIC_URL="$2";  shift 2 ;;
        --image)        IMAGE="$2";       shift 2 ;;
        --no-tls)       NO_TLS=1;         shift ;;
        -h|--help)
            grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;;
        *)
            die "unknown flag: $1 (try --help)" ;;
    esac
 done
 [[ $EUID -eq 0 ]] || die "must run as root"
 # ── runtime detection (podman > docker) ──────────────────────────────────
 if command -v podman-compose >/dev/null 2>&1; then
    COMPOSE=(podman-compose)
    RUNTIME=podman
 elif podman compose version >/dev/null 2>&1; then
    COMPOSE=(podman compose)
    RUNTIME=podman
 elif docker compose version >/dev/null 2>&1; then
    COMPOSE=(docker compose)
    RUNTIME=docker
 else
    die "no compose runtime found. Install podman-compose or docker compose."
 fi
 info "using runtime: $RUNTIME ($(command -v $RUNTIME))"
 # ── .env bootstrap ───────────────────────────────────────────────────────
 ENV_FILE="$SCRIPT_DIR/.env"
 if [[ ! -f "$ENV_FILE" ]]; then
    info "writing .env from env.template (first install)"
    cp env.template "$ENV_FILE"
    chmod 600 "$ENV_FILE"
    # Auto-generate secrets.
    PG_PASS=$(openssl rand -hex 24)
    # Ed25519 keypair: seed (32B) || pub (32B) = 64B = 128 hex chars.
    # openssl emits PKCS#8 PEM; pull the seed out, re-derive the pub half via Go-style
    # ed25519.NewKeyFromSeed at server startup. We just need the 128-hex format here.
    TMP_PEM=$(mktemp)
    trap 'rm -f "$TMP_PEM"' EXIT
    openssl genpkey -algorithm ed25519 -out "$TMP_PEM" 2>/dev/null
    SEED_HEX=$(openssl pkey -in "$TMP_PEM" -text -noout 2>/dev/null \
        | awk '/priv:/{found=1; next} found && /pub:/{exit} found' \
        | tr -d ' :\n' | head -c 64)
    PUB_HEX=$(openssl pkey -in "$TMP_PEM" -pubout -outform DER 2>/dev/null \
        | tail -c 32 | xxd -p -c 64 | tr -d '\n')
    SIGNING_KEY="${SEED_HEX}${PUB_HEX}"
    [[ ${#SIGNING_KEY} -eq 128 ]] || die "Ed25519 keygen produced bad length (${#SIGNING_KEY})"
    ADMIN_PASS=$(openssl rand -base64 24 | tr -d '\n=+/' | head -c 28)
    sed -i \
        -e "s|^POSTGRES_PASSWORD=.*|POSTGRES_PASSWORD=$PG_PASS|" \
        -e "s|^TRITON_LICENSE_SERVER_SIGNING_KEY=.*|TRITON_LICENSE_SERVER_SIGNING_KEY=$SIGNING_KEY|" \
        -e "s|^TRITON_LICENSE_SERVER_ADMIN_PASSWORD=.*|TRITON_LICENSE_SERVER_ADMIN_PASSWORD=$ADMIN_PASS|" \
        "$ENV_FILE"
    [[ -n "$ADMIN_EMAIL" ]] && sed -i "s|^TRITON_LICENSE_SERVER_ADMIN_EMAIL=.*|TRITON_LICENSE_SERVER_ADMIN_EMAIL=$ADMIN_EMAIL|" "$ENV_FILE"
    [[ -n "$PUBLIC_URL"  ]] && sed -i "s|^TRITON_LICENSE_SERVER_PUBLIC_URL=.*|TRITON_LICENSE_SERVER_PUBLIC_URL=$PUBLIC_URL|"   "$ENV_FILE"
    [[ -n "$IMAGE"       ]] && sed -i "s|^TRITON_LICENSE_IMAGE=.*|TRITON_LICENSE_IMAGE=$IMAGE|"                                "$ENV_FILE"
    [[ $NO_TLS -eq 1     ]] && sed -i "s|^TRITON_LICENSE_SERVER_ALLOW_INSECURE=.*|TRITON_LICENSE_SERVER_ALLOW_INSECURE=1|"     "$ENV_FILE"
    info ".env created at $ENV_FILE"
    info "INITIAL ADMIN PASSWORD: $ADMIN_PASS"
    info "  rotate after first login (Account → Change password)"
 else
    info "reusing existing .env at $ENV_FILE"
 fi
 # ── binary directory ─────────────────────────────────────────────────────
 BIN_DIR_HOST=$(grep -E '^TRITON_LICENSE_SERVER_HOST_BIN_DIR=' "$ENV_FILE" | cut -d= -f2)
 BIN_DIR_HOST="${BIN_DIR_HOST:-/opt/triton/binaries}"
 if [[ ! -d "$BIN_DIR_HOST" ]]; then
    info "creating binary directory: $BIN_DIR_HOST"
    mkdir -p "$BIN_DIR_HOST"
    chmod 755 "$BIN_DIR_HOST"
 fi
 info "binary directory: $BIN_DIR_HOST"
 # ── start ────────────────────────────────────────────────────────────────
 info "starting containers..."
 "${COMPOSE[@]}" --env-file "$ENV_FILE" up -d
 info "waiting for license server to become healthy..."
 HOST_PORT=$(grep -E '^TRITON_LICENSE_SERVER_HOST_PORT=' "$ENV_FILE" | cut -d= -f2)
 HOST_PORT=${HOST_PORT:-8081}
 for i in $(seq 1 30); do
    if curl -sf "http://localhost:${HOST_PORT}/api/v1/health" >/dev/null 2>&1; then
        info "license server is up: http://localhost:${HOST_PORT}"
        break
    fi
    sleep 2
 done
 info "done. Admin UI: http://localhost:${HOST_PORT}/ui/"
 info "  login as: $(grep ADMIN_EMAIL "$ENV_FILE" | cut -d= -f2)"
 info "  see manage-server.md to wire a manage server to this licence server."
--- a/license-server/uninstall.sh
+++ b/license-server/uninstall.sh
@ -1,55 +0,0 @@
 #!/usr/bin/env bash
 # uninstall.sh — stop and remove License Server containers.
 #
 # By default, KEEPS the PostgreSQL volume (license data). Pass --purge-data
 # to delete the volume as well — irreversible.
 #
 # Usage:
 #   sudo bash uninstall.sh             # stop + remove containers, keep DB volume
 #   sudo bash uninstall.sh --purge-data  # also delete DB volume (DESTRUCTIVE)
 set -euo pipefail
 SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
 cd "$SCRIPT_DIR"
 info() { printf '[license-server] %s\n' "$*"; }
 die()  { printf '[license-server] error: %s\n' "$*" >&2; exit 1; }
 [[ $EUID -eq 0 ]] || die "must run as root"
 PURGE=0
 while [[ $# -gt 0 ]]; do
    case "$1" in
        --purge-data) PURGE=1; shift ;;
        -h|--help) grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;;
        *) die "unknown flag: $1" ;;
    esac
 done
 if command -v podman-compose >/dev/null 2>&1; then COMPOSE=(podman-compose)
 elif podman compose version >/dev/null 2>&1; then  COMPOSE=(podman compose)
 elif docker compose version >/dev/null 2>&1; then  COMPOSE=(docker compose)
 else die "no compose runtime found"; fi
 if [[ -f .env ]]; then
    info "stopping containers..."
    "${COMPOSE[@]}" --env-file .env down
 else
    info ".env not found, attempting raw container cleanup..."
    podman rm -f triton-licenseserver triton-license-db 2>/dev/null || true
 fi
 if [[ $PURGE -eq 1 ]]; then
    info "DESTRUCTIVE: removing license DB volume..."
    read -r -p "  Are you sure? Type 'yes' to confirm: " CONFIRM
    [[ "$CONFIRM" == "yes" ]] || die "aborted"
    podman volume rm -f triton-license-db-data 2>/dev/null \
        || docker volume rm -f triton-license-db-data 2>/dev/null \
        || true
    info "  DB volume removed"
    info "  .env and signing key still on disk at $SCRIPT_DIR/.env — delete manually if desired"
 else
    info "DB volume retained (run with --purge-data to delete)"
 fi
 info "uninstall complete"
--- a/license-server/upgrade.sh
+++ b/license-server/upgrade.sh
@ -1,64 +0,0 @@
 #!/usr/bin/env bash
 # upgrade.sh — pull the latest license-server image and restart.
 #
 # DB schema migrations run on startup automatically. No app data is touched.
 #
 # Usage:
 #   sudo bash upgrade.sh                # pull :latest, recreate containers
 #   sudo bash upgrade.sh --image TAG    # pin a specific image
 set -euo pipefail
 SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
 cd "$SCRIPT_DIR"
 info() { printf '[license-server] %s\n' "$*"; }
 die()  { printf '[license-server] error: %s\n' "$*" >&2; exit 1; }
 [[ $EUID -eq 0 ]] || die "must run as root"
 [[ -f .env     ]] || die ".env not found — run install.sh first"
 IMAGE=""
 while [[ $# -gt 0 ]]; do
    case "$1" in
        --image) IMAGE="$2"; shift 2 ;;
        -h|--help) grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;;
        *) die "unknown flag: $1" ;;
    esac
 done
 if [[ -n "$IMAGE" ]]; then
    sed -i "s|^TRITON_LICENSE_IMAGE=.*|TRITON_LICENSE_IMAGE=$IMAGE|" .env
    info "pinned image to $IMAGE"
 fi
 if command -v podman-compose >/dev/null 2>&1; then COMPOSE=(podman-compose)
 elif podman compose version >/dev/null 2>&1; then  COMPOSE=(podman compose)
 elif docker compose version >/dev/null 2>&1; then  COMPOSE=(docker compose)
 else die "no compose runtime found"; fi
 info "pre-upgrade DB backup..."
 DUMP_DIR=/var/backups/triton
 mkdir -p "$DUMP_DIR"
 DUMP_FILE="$DUMP_DIR/license-pre-upgrade-$(date +%F-%H%M%S).sql.gz"
 podman exec triton-license-db pg_dump -U triton triton_license 2>/dev/null \
    | gzip > "$DUMP_FILE" || die "pg_dump failed — aborting upgrade"
 info "  saved: $DUMP_FILE"
 info "pulling latest image..."
 "${COMPOSE[@]}" --env-file .env pull license-server
 info "recreating license-server container..."
 "${COMPOSE[@]}" --env-file .env up -d --no-deps license-server
 HOST_PORT=$(grep -E '^TRITON_LICENSE_SERVER_HOST_PORT=' .env | cut -d= -f2)
 HOST_PORT=${HOST_PORT:-8081}
 info "waiting for new container to become healthy..."
 for i in $(seq 1 30); do
    if curl -sf "http://localhost:${HOST_PORT}/api/v1/license/health" >/dev/null 2>&1; then
        info "upgrade complete"
        exit 0
    fi
    sleep 2
 done
 die "new container did not become healthy in 60s — check logs and consider rollback"