Installation

One interactive installer, two modes. It asks for IP, port, admin password and standalone / cluster — and handles everything else: packages, PostgreSQL, PKI, systemd, nginx TLS.

OnlineAny distro family

Connected install

Fetches OS packages and Python wheels as it goes. Detects apt, dnf/yum, zypper or pacman and maps package names per family; PostgreSQL paths are interrogated from the engine itself, so Debian, RHEL, SUSE and Arch layouts all work.

# as root on a fresh host
./install-ofortmaut.sh
  • Checks required packages, installs what's missing, warns on outdated versions
  • Requires systemd and Python ≥ 3.10 (installed automatically where the default is older, e.g. RHEL 9)
OfflineDebian 12RHEL 9

Air-gapped install

Self-contained bundles per family — OS packages, Python wheels and the application — for hosts with no internet access. The installer auto-detects bundle/ and refuses a bundle built for the wrong family with a clear message.

# Debian 12
tar xzf ofortmaut-offline-<ver>-debian12-amd64.tar.gz
# RHEL / Rocky / AlmaLinux 9
tar xzf ofortmaut-offline-<ver>-rhel9-x86_64.tar.gz
cd ofortmaut-installer && ./install-ofortmaut.sh
  • Debian bundle: full .deb dependency closure + wheels
  • RHEL bundle: a local dnf repository (with metadata) + wheels for Python 3.11 — dnf resolves only what the host actually needs

Standalone or two-node cluster

Cluster setup is part of the same installer run — no separate procedure.

1️⃣

Install the primary

Choose cluster → primary. At the end the installer prints a one-line join key that encodes everything the secondary needs.

2️⃣

Join the secondary

Run the same installer on the second host, choose cluster → secondary, and paste the key. Streaming replication, shared secrets and the data sync configure themselves.

3️⃣

Certificates mint locally

The secondary receives the internal CA through the join key and mints its own leaf certificate during installation — private keys never travel between nodes.

What the installer sets up

ComponentDetail
PackagesPython ≥ 3.10, PostgreSQL, nginx, rsync, openssl — installed or upgraded per distro family
ApplicationCode deployed with a dedicated virtualenv; pinned dependencies from wheels (offline) or PyPI (online)
DatabasePostgreSQL cluster initialized if needed; app database, roles and schema created; replication on clusters
PKIInternal CA on the primary; per-node leaf certificates; nginx TLS on your chosen port
Servicessystemd units for the web app and the scheduler sidecar, enabled and health-checked (/healthz)
HardeningSELinux and firewalld handled best-effort on RHEL/SUSE; a manual covers sudoers policy, hardening and uninstall