chore: remove license server installer — not for public distribution

license-server/compose.yaml

@@ -1,70 +0,0 @@
-# Triton License Server — standalone compose file.
-#
-# Self-contained: bundles its own PostgreSQL. Designed to run on a host
-# that ONLY hosts the licence server. For combined dev installs, see
-# the root /compose.yaml.
-#
-# Reads .env from the same directory (this file's parent). The deploy
-# install.sh writes that .env from env.template.
-
-services:
-
-  postgres:
-    image: docker.io/library/postgres:18-alpine
-    container_name: triton-license-db
-    hostname: triton-license-db
-    restart: unless-stopped
-    environment:
-      POSTGRES_USER: ${POSTGRES_USER:-triton}
-      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
-      POSTGRES_DB: ${POSTGRES_DB:-triton_license}
-    volumes:
-      - triton-license-db-data:/var/lib/postgresql
-    ports:
-      # Bind to localhost only — never expose Postgres to the public internet.
-      - "127.0.0.1:${POSTGRES_PORT:-5436}:5432"
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-triton} -d ${POSTGRES_DB:-triton_license}"]
-      interval: 5s
-      timeout: 3s
-      retries: 20
-
-  license-server:
-    image: ${TRITON_LICENSE_IMAGE:-ghcr.io/amiryahaya/triton-licenseserver:latest}
-    container_name: triton-licenseserver
-    hostname: triton-licenseserver
-    restart: unless-stopped
-    depends_on:
-      postgres:
-        condition: service_healthy
-    environment:
-      # Required
-      TRITON_LICENSE_SERVER_DB_URL: postgres://${POSTGRES_USER:-triton}:${POSTGRES_PASSWORD}@triton-license-db:5432/${POSTGRES_DB:-triton_license}?sslmode=disable
-      TRITON_LICENSE_SERVER_SIGNING_KEY: ${TRITON_LICENSE_SERVER_SIGNING_KEY}
-      TRITON_LICENSE_SERVER_ADMIN_EMAIL: ${TRITON_LICENSE_SERVER_ADMIN_EMAIL}
-      TRITON_LICENSE_SERVER_ADMIN_PASSWORD: ${TRITON_LICENSE_SERVER_ADMIN_PASSWORD}
-      # Optional — TLS termination at this container; omit if you proxy.
-      TRITON_LICENSE_SERVER_TLS_CERT: ${TRITON_LICENSE_SERVER_TLS_CERT:-}
-      TRITON_LICENSE_SERVER_TLS_KEY: ${TRITON_LICENSE_SERVER_TLS_KEY:-}
-      TRITON_LICENSE_SERVER_ALLOW_INSECURE: ${TRITON_LICENSE_SERVER_ALLOW_INSECURE:-}
-      TRITON_LICENSE_SERVER_LISTEN: ${TRITON_LICENSE_SERVER_LISTEN:-:8081}
-      TRITON_LICENSE_SERVER_STALE_THRESHOLD: ${TRITON_LICENSE_SERVER_STALE_THRESHOLD:-336h}
-      # Optional — public URL pushed to clients (used in invite emails).
-      TRITON_LICENSE_SERVER_PUBLIC_URL: ${TRITON_LICENSE_SERVER_PUBLIC_URL:-}
-      # Optional — Resend.com API key for sending invite emails.
-      RESEND_API_KEY: ${RESEND_API_KEY:-}
-      RESEND_FROM_EMAIL: ${RESEND_FROM_EMAIL:-}
-      # Worker binaries directory inside the container.
-      # The host directory (TRITON_LICENSE_SERVER_HOST_BIN_DIR) is mounted here.
-      TRITON_LICENSE_SERVER_BIN_DIR: /data/binaries
-    volumes:
-      # Mount TLS cert + key into the container if you set the env vars above.
-      - ${TLS_CERT_HOST_DIR:-/etc/triton/tls}:/etc/triton/tls:ro
-      # Worker binaries — persistent across container rebuilds.
-      - ${TRITON_LICENSE_SERVER_HOST_BIN_DIR:-/opt/triton/binaries}:/data/binaries
-    ports:
-      - "${TRITON_LICENSE_SERVER_HOST_PORT:-8081}:8081"
-
-volumes:
-  triton-license-db-data:
-    name: triton-license-db-data

license-server/env.template

@@ -1,61 +0,0 @@
-# Triton License Server environment template.
-# Copy to .env in this directory; install.sh does that automatically.
-#
-# Required values are flagged. Generated values get auto-filled by install.sh
-# when run without flags.
-
-# ─── PostgreSQL (auto-generated) ─────────────────────────────────────────
-POSTGRES_USER=triton
-POSTGRES_PASSWORD=__GENERATED_BY_INSTALL_SH__   # openssl rand -hex 24
-POSTGRES_DB=triton_license
-POSTGRES_PORT=5436                              # localhost-bound
-
-# ─── License Server core (REQUIRED) ──────────────────────────────────────
-# Ed25519 keypair as 128 hex chars (seed||pub). Generated once at install
-# time. Back this up — losing it forces every customer to re-activate.
-TRITON_LICENSE_SERVER_SIGNING_KEY=__GENERATED_BY_INSTALL_SH__
-
-# Initial superadmin seeded on first boot. After login, rotate this.
-TRITON_LICENSE_SERVER_ADMIN_EMAIL=admin@example.com
-TRITON_LICENSE_SERVER_ADMIN_PASSWORD=__GENERATED_BY_INSTALL_SH__
-
-# ─── Listener ────────────────────────────────────────────────────────────
-TRITON_LICENSE_SERVER_LISTEN=:8081
-TRITON_LICENSE_SERVER_HOST_PORT=8081           # host port to publish
-
-# ─── TLS (recommended for production) ────────────────────────────────────
-# Two paths:
-#   A) Reverse proxy terminates TLS — leave these blank, set ALLOW_INSECURE=1.
-#   B) Container terminates TLS — set CERT + KEY (paths inside container)
-#      and mount your /etc/triton/tls directory via TLS_CERT_HOST_DIR.
-TRITON_LICENSE_SERVER_TLS_CERT=
-TRITON_LICENSE_SERVER_TLS_KEY=
-TRITON_LICENSE_SERVER_ALLOW_INSECURE=
-TLS_CERT_HOST_DIR=/etc/triton/tls
-
-# ─── Operations ──────────────────────────────────────────────────────────
-# Hours after which a license is considered stale (offline grace window).
-# 336h = 14 days. Increase for longer offline tolerance.
-TRITON_LICENSE_SERVER_STALE_THRESHOLD=336h
-
-# Public URL of this server. Used in invite emails and pushed to clients
-# during validation. Leave blank if no email/external clients yet.
-TRITON_LICENSE_SERVER_PUBLIC_URL=
-
-# ─── Email (optional) ────────────────────────────────────────────────────
-# Resend.com keys for sending platform-admin invites + temp passwords.
-# Leave blank to disable email — invites are still issued, the password
-# just isn't auto-mailed.
-RESEND_API_KEY=
-RESEND_FROM_EMAIL=
-
-# ─── Worker binaries ─────────────────────────────────────────────────────
-# Host directory bind-mounted into the container at /data/binaries.
-# Binaries (triton-agent, triton-sshagent, triton-portscan) are stored as
-# files — not in the DB — so this directory must survive container rebuilds.
-# Created automatically by install.sh if it does not exist.
-TRITON_LICENSE_SERVER_HOST_BIN_DIR=/opt/triton/binaries
-
-# ─── Image ───────────────────────────────────────────────────────────────
-# Override to pin a specific build. Default tracks :latest from ghcr.io.
-TRITON_LICENSE_IMAGE=ghcr.io/amiryahaya/triton-licenseserver:latest

license-server/install.sh

@@ -1,129 +0,0 @@
-#!/usr/bin/env bash
-# install.sh — Triton License Server installer.
-#
-# Idempotent. Generates secrets on first run, reuses .env on subsequent runs.
-# Container-based via Podman or Docker (auto-detected).
-#
-# Usage:
-#   sudo bash install.sh                         # interactive defaults
-#   sudo bash install.sh --admin-email a@b.com   # set initial admin email
-#   sudo bash install.sh --image TAG             # pin a specific image
-#   sudo bash install.sh --public-url URL        # set TRITON_LICENSE_SERVER_PUBLIC_URL
-#   sudo bash install.sh --no-tls                # skip TLS check (dev)
-set -euo pipefail
-
-SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
-cd "$SCRIPT_DIR"
-
-info() { printf '[license-server] %s\n' "$*"; }
-die()  { printf '[license-server] error: %s\n' "$*" >&2; exit 1; }
-
-# ── arg parsing ──────────────────────────────────────────────────────────
-ADMIN_EMAIL=""
-PUBLIC_URL=""
-IMAGE=""
-NO_TLS=0
-while [[ $# -gt 0 ]]; do
-    case "$1" in
-        --admin-email)  ADMIN_EMAIL="$2"; shift 2 ;;
-        --public-url)   PUBLIC_URL="$2";  shift 2 ;;
-        --image)        IMAGE="$2";       shift 2 ;;
-        --no-tls)       NO_TLS=1;         shift ;;
-        -h|--help)
-            grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;;
-        *)
-            die "unknown flag: $1 (try --help)" ;;
-    esac
-done
-
-[[ $EUID -eq 0 ]] || die "must run as root"
-
-# ── runtime detection (podman > docker) ──────────────────────────────────
-if command -v podman-compose >/dev/null 2>&1; then
-    COMPOSE=(podman-compose)
-    RUNTIME=podman
-elif podman compose version >/dev/null 2>&1; then
-    COMPOSE=(podman compose)
-    RUNTIME=podman
-elif docker compose version >/dev/null 2>&1; then
-    COMPOSE=(docker compose)
-    RUNTIME=docker
-else
-    die "no compose runtime found. Install podman-compose or docker compose."
-fi
-info "using runtime: $RUNTIME ($(command -v $RUNTIME))"
-
-# ── .env bootstrap ───────────────────────────────────────────────────────
-ENV_FILE="$SCRIPT_DIR/.env"
-if [[ ! -f "$ENV_FILE" ]]; then
-    info "writing .env from env.template (first install)"
-    cp env.template "$ENV_FILE"
-    chmod 600 "$ENV_FILE"
-
-    # Auto-generate secrets.
-    PG_PASS=$(openssl rand -hex 24)
-
-    # Ed25519 keypair: seed (32B) || pub (32B) = 64B = 128 hex chars.
-    # openssl emits PKCS#8 PEM; pull the seed out, re-derive the pub half via Go-style
-    # ed25519.NewKeyFromSeed at server startup. We just need the 128-hex format here.
-    TMP_PEM=$(mktemp)
-    trap 'rm -f "$TMP_PEM"' EXIT
-    openssl genpkey -algorithm ed25519 -out "$TMP_PEM" 2>/dev/null
-    SEED_HEX=$(openssl pkey -in "$TMP_PEM" -text -noout 2>/dev/null \
-        | awk '/priv:/{found=1; next} found && /pub:/{exit} found' \
-        | tr -d ' :\n' | head -c 64)
-    PUB_HEX=$(openssl pkey -in "$TMP_PEM" -pubout -outform DER 2>/dev/null \
-        | tail -c 32 | xxd -p -c 64 | tr -d '\n')
-    SIGNING_KEY="${SEED_HEX}${PUB_HEX}"
-
-    [[ ${#SIGNING_KEY} -eq 128 ]] || die "Ed25519 keygen produced bad length (${#SIGNING_KEY})"
-
-    ADMIN_PASS=$(openssl rand -base64 24 | tr -d '\n=+/' | head -c 28)
-
-    sed -i \
-        -e "s|^POSTGRES_PASSWORD=.*|POSTGRES_PASSWORD=$PG_PASS|" \
-        -e "s|^TRITON_LICENSE_SERVER_SIGNING_KEY=.*|TRITON_LICENSE_SERVER_SIGNING_KEY=$SIGNING_KEY|" \
-        -e "s|^TRITON_LICENSE_SERVER_ADMIN_PASSWORD=.*|TRITON_LICENSE_SERVER_ADMIN_PASSWORD=$ADMIN_PASS|" \
-        "$ENV_FILE"
-
-    [[ -n "$ADMIN_EMAIL" ]] && sed -i "s|^TRITON_LICENSE_SERVER_ADMIN_EMAIL=.*|TRITON_LICENSE_SERVER_ADMIN_EMAIL=$ADMIN_EMAIL|" "$ENV_FILE"
-    [[ -n "$PUBLIC_URL"  ]] && sed -i "s|^TRITON_LICENSE_SERVER_PUBLIC_URL=.*|TRITON_LICENSE_SERVER_PUBLIC_URL=$PUBLIC_URL|"   "$ENV_FILE"
-    [[ -n "$IMAGE"       ]] && sed -i "s|^TRITON_LICENSE_IMAGE=.*|TRITON_LICENSE_IMAGE=$IMAGE|"                                "$ENV_FILE"
-    [[ $NO_TLS -eq 1     ]] && sed -i "s|^TRITON_LICENSE_SERVER_ALLOW_INSECURE=.*|TRITON_LICENSE_SERVER_ALLOW_INSECURE=1|"     "$ENV_FILE"
-
-    info ".env created at $ENV_FILE"
-    info "INITIAL ADMIN PASSWORD: $ADMIN_PASS"
-    info "  rotate after first login (Account → Change password)"
-else
-    info "reusing existing .env at $ENV_FILE"
-fi
-
-# ── binary directory ─────────────────────────────────────────────────────
-BIN_DIR_HOST=$(grep -E '^TRITON_LICENSE_SERVER_HOST_BIN_DIR=' "$ENV_FILE" | cut -d= -f2)
-BIN_DIR_HOST="${BIN_DIR_HOST:-/opt/triton/binaries}"
-if [[ ! -d "$BIN_DIR_HOST" ]]; then
-    info "creating binary directory: $BIN_DIR_HOST"
-    mkdir -p "$BIN_DIR_HOST"
-    chmod 755 "$BIN_DIR_HOST"
-fi
-info "binary directory: $BIN_DIR_HOST"
-
-# ── start ────────────────────────────────────────────────────────────────
-info "starting containers..."
-"${COMPOSE[@]}" --env-file "$ENV_FILE" up -d
-
-info "waiting for license server to become healthy..."
-HOST_PORT=$(grep -E '^TRITON_LICENSE_SERVER_HOST_PORT=' "$ENV_FILE" | cut -d= -f2)
-HOST_PORT=${HOST_PORT:-8081}
-
-for i in $(seq 1 30); do
-    if curl -sf "http://localhost:${HOST_PORT}/api/v1/health" >/dev/null 2>&1; then
-        info "license server is up: http://localhost:${HOST_PORT}"
-        break
-    fi
-    sleep 2
-done
-
-info "done. Admin UI: http://localhost:${HOST_PORT}/ui/"
-info "  login as: $(grep ADMIN_EMAIL "$ENV_FILE" | cut -d= -f2)"
-info "  see manage-server.md to wire a manage server to this licence server."

license-server/uninstall.sh

@@ -1,55 +0,0 @@
-#!/usr/bin/env bash
-# uninstall.sh — stop and remove License Server containers.
-#
-# By default, KEEPS the PostgreSQL volume (license data). Pass --purge-data
-# to delete the volume as well — irreversible.
-#
-# Usage:
-#   sudo bash uninstall.sh             # stop + remove containers, keep DB volume
-#   sudo bash uninstall.sh --purge-data  # also delete DB volume (DESTRUCTIVE)
-set -euo pipefail
-
-SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
-cd "$SCRIPT_DIR"
-
-info() { printf '[license-server] %s\n' "$*"; }
-die()  { printf '[license-server] error: %s\n' "$*" >&2; exit 1; }
-
-[[ $EUID -eq 0 ]] || die "must run as root"
-
-PURGE=0
-while [[ $# -gt 0 ]]; do
-    case "$1" in
-        --purge-data) PURGE=1; shift ;;
-        -h|--help) grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;;
-        *) die "unknown flag: $1" ;;
-    esac
-done
-
-if command -v podman-compose >/dev/null 2>&1; then COMPOSE=(podman-compose)
-elif podman compose version >/dev/null 2>&1; then  COMPOSE=(podman compose)
-elif docker compose version >/dev/null 2>&1; then  COMPOSE=(docker compose)
-else die "no compose runtime found"; fi
-
-if [[ -f .env ]]; then
-    info "stopping containers..."
-    "${COMPOSE[@]}" --env-file .env down
-else
-    info ".env not found, attempting raw container cleanup..."
-    podman rm -f triton-licenseserver triton-license-db 2>/dev/null || true
-fi
-
-if [[ $PURGE -eq 1 ]]; then
-    info "DESTRUCTIVE: removing license DB volume..."
-    read -r -p "  Are you sure? Type 'yes' to confirm: " CONFIRM
-    [[ "$CONFIRM" == "yes" ]] || die "aborted"
-    podman volume rm -f triton-license-db-data 2>/dev/null \
-        || docker volume rm -f triton-license-db-data 2>/dev/null \
-        || true
-    info "  DB volume removed"
-    info "  .env and signing key still on disk at $SCRIPT_DIR/.env — delete manually if desired"
-else
-    info "DB volume retained (run with --purge-data to delete)"
-fi
-
-info "uninstall complete"

license-server/upgrade.sh

@@ -1,64 +0,0 @@
-#!/usr/bin/env bash
-# upgrade.sh — pull the latest license-server image and restart.
-#
-# DB schema migrations run on startup automatically. No app data is touched.
-#
-# Usage:
-#   sudo bash upgrade.sh                # pull :latest, recreate containers
-#   sudo bash upgrade.sh --image TAG    # pin a specific image
-set -euo pipefail
-
-SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
-cd "$SCRIPT_DIR"
-
-info() { printf '[license-server] %s\n' "$*"; }
-die()  { printf '[license-server] error: %s\n' "$*" >&2; exit 1; }
-
-[[ $EUID -eq 0 ]] || die "must run as root"
-[[ -f .env     ]] || die ".env not found — run install.sh first"
-
-IMAGE=""
-while [[ $# -gt 0 ]]; do
-    case "$1" in
-        --image) IMAGE="$2"; shift 2 ;;
-        -h|--help) grep '^#' "$0" | sed 's/^# //;s/^#//'; exit 0 ;;
-        *) die "unknown flag: $1" ;;
-    esac
-done
-
-if [[ -n "$IMAGE" ]]; then
-    sed -i "s|^TRITON_LICENSE_IMAGE=.*|TRITON_LICENSE_IMAGE=$IMAGE|" .env
-    info "pinned image to $IMAGE"
-fi
-
-if command -v podman-compose >/dev/null 2>&1; then COMPOSE=(podman-compose)
-elif podman compose version >/dev/null 2>&1; then  COMPOSE=(podman compose)
-elif docker compose version >/dev/null 2>&1; then  COMPOSE=(docker compose)
-else die "no compose runtime found"; fi
-
-info "pre-upgrade DB backup..."
-DUMP_DIR=/var/backups/triton
-mkdir -p "$DUMP_DIR"
-DUMP_FILE="$DUMP_DIR/license-pre-upgrade-$(date +%F-%H%M%S).sql.gz"
-podman exec triton-license-db pg_dump -U triton triton_license 2>/dev/null \
-    | gzip > "$DUMP_FILE" || die "pg_dump failed — aborting upgrade"
-info "  saved: $DUMP_FILE"
-
-info "pulling latest image..."
-"${COMPOSE[@]}" --env-file .env pull license-server
-
-info "recreating license-server container..."
-"${COMPOSE[@]}" --env-file .env up -d --no-deps license-server
-
-HOST_PORT=$(grep -E '^TRITON_LICENSE_SERVER_HOST_PORT=' .env | cut -d= -f2)
-HOST_PORT=${HOST_PORT:-8081}
-
-info "waiting for new container to become healthy..."
-for i in $(seq 1 30); do
-    if curl -sf "http://localhost:${HOST_PORT}/api/v1/license/health" >/dev/null 2>&1; then
-        info "upgrade complete"
-        exit 0
-    fi
-    sleep 2
-done
-die "new container did not become healthy in 60s — check logs and consider rollback"