Skip to content

Manual Setup

Building from source — for development, or to modify the code. This uses docker compose ... --build against a checkout of the repository.

1. Configure .env

sh
cp .env.example .env

Fill in every blank value — every comment in .env.example documents what it's for. Generate secrets with openssl rand -hex 32 for JWT_SECRET, SERVICE_JWT_SECRET, API_TOKEN_PEPPER, ZA_VAULT_PASSWORD, and ZABBIX_WEBHOOK_HMAC_SECRET; openssl rand -hex 16 for ZA_VAULT_SALT. Set TLS_CERT_PATH/TLS_KEY_PATH to a cert/key pair (self-signed is fine for staging).

No secret has a default value — services fail fast at startup if a required var is missing. .env is git-ignored; never commit real values or hardcode them in source. See Configuration Reference for the full variable list.

2. Database

Choose one of two paths:

Set DB_ENGINE, DB_HOST, DB_PORT, DB_USER, DB_PASSWORD, DB_SSLMODE to point at your existing instance, then:

sh
ops/init-db.sh

This creates all four databases (seyalrun_identity, seyalrun_inventory, seyalrun_terminal, seyalrun_automation) and imports schema/<engine>/schema.sql into identity/inventory (idempotent, safe to re-run). terminal/automation have no static schema — their tables come entirely from Alembic migrations in step 4.

Dockerized Postgres/MySQL

If you have no bare-metal DB available, set DB_HOST=postgres (or mysql), then bring up the matching overlay profile — its docker-entrypoint-initdb.d scripts create all four databases automatically:

sh
docker compose -f docker-compose.yml -f docker-compose.db.yml --profile postgres-db up -d postgres
# then run ops/init-db.sh against DB_HOST=postgres to import the schema

3. Build and start the stack

sh
docker compose up -d --build
# (Dockerized DB): add -f docker-compose.db.yml --profile postgres-db

4. Run Alembic migrations

Run for every service (idempotent, safe to re-run — ops/init-db.sh only creates the databases and imports the identity/inventory schema; every service's own tables come from its own migrations):

sh
for svc in identity-service inventory-service terminal-service automation-service \
           recording-service zabbix-integration-service metrics-service; do
  docker compose run --rm --no-deps "$svc" python -m alembic upgrade head
done

5. Seed the superadmin user

sh
docker compose run --rm --no-deps identity-service python -m app.seed

If SEED_ADMIN_PASSWORD is unset in .env, a random password is generated and printed once — save it immediately.

6. Log in

Open https://<host>:${EDGE_HTTPS_PORT:-8443}/ and log in.

Service topology notes

  • edge-proxy is the only service published to the host (HTTP redirect on EDGE_HTTP_PORT, TLS on EDGE_HTTPS_PORT).
  • identity-service and inventory-service are internal-only — every call from api-gateway carries a short-lived X-Service-Token (HS256, SERVICE_JWT_SECRET) that they verify before doing any work.
  • redis backs api-gateway's per-IP/user rate limiting.
  • Self-monitoring is agentless — see Self-Monitoring.

Secure. Controlled. Automated. — Released under the Apache License 2.0.