# systemd Units

`deploy/systemd` ships hardened systemd unit files for running Tetrapus on bare-metal or VM Linux hosts. The control plane and gateway each run as a single static unit; data planes run one instance per Org via a templated unit (`tetrapus-server@<orgslug>.service`).
## Files shipped

| File | Role |
|---|---|
| tetrapus-server@.service | Template unit. One instance per Org slug. |
| tetrapus-control.service | Single-instance control plane. |
| tetrapus-gateway.service | Public-facing reverse proxy. |
| tetrapus-server.env.example | Sample EnvironmentFile; copy to /etc/tetrapus/server.env. |
| install.sh | Idempotent installer. Creates user, dirs, copies units, runs daemon-reload. |
## Install

```bash
# Run as root from the unpacked deploy/systemd directory.
sudo ./install.sh
# Edit /etc/tetrapus/server.env (and create control.env, gateway.env).
sudo $EDITOR /etc/tetrapus/server.env
# Bring up the static services.
sudo systemctl enable --now tetrapus-control.service
sudo systemctl enable --now tetrapus-gateway.service
```

## Tenant onboarding
Each Org runs as its own systemd instance. The slug after `@` is passed through as the `DM_ORG_SLUG` env var and as `--org-slug %i`.
```bash
# Optional: per-org overrides in /etc/tetrapus/server.acme.env
# (the template unit also EnvironmentFile-loads this if present).
sudo $EDITOR /etc/tetrapus/server.acme.env
# Onboard the new Org.
sudo systemctl enable --now tetrapus-server@acme.service
# Tell the control plane about it.
tetrapus-admin tenant-plane add --slug acme --region us-east-1 \
    --control-url https://control.internal:9100
```

## Sandbox flags shipped
Every unit applies the same hardening profile:
```ini
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true
LimitNOFILE=65535
ReadWritePaths=/var/lib/tetrapus/%i /run/tetrapus/%i /var/log/tetrapus/%i
```

## Per-Org filesystem layout

| Path | Owner | Purpose |
|---|---|---|
| /etc/tetrapus/ | root:tetrapus 0750 | Env files, TLS certs, JWT keys. |
| /var/lib/tetrapus/<slug>/ | tetrapus:tetrapus 0750 | Per-Org SQLite, WAL, audit log. |
| /var/log/tetrapus/<slug>/ | tetrapus:tetrapus 0750 | Per-Org JSON log output. |
| /run/tetrapus/<slug>/ | tetrapus:tetrapus 0750 | Per-Org runtime sockets / PID files. |
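The sandbox profile above and the layout table together define what a data-plane instance may touch: the listed directives, plus `ReadWritePaths` confined to the three per-Org roots. The script below audits a unit file against both, reporting each directive that is missing or has drifted to another value and each `ReadWritePaths` token that falls outside `<root>/%i`. It is an added example for this page, not part of `deploy/systemd`; the script name, the constructed `good.service` and `weak.service` samples and the choice to treat `LimitNOFILE` as a resource limit rather than a sandbox flag are assumptions of this example.

```bash
#!/usr/bin/env bash
# Unit-file audit (added helper, not part of deploy/systemd): confirm a unit
# carries the full sandbox profile from this README and that every
# ReadWritePaths entry stays inside the per-Org roots of the layout table.
# Only the named file is read; drop-ins under *.service.d/ are not merged.
set -eu

# Directives every shipped unit is expected to carry, as Key=Value lines.
# LimitNOFILE is a resource limit rather than a sandbox flag and is not checked.
REQUIRED_HARDENING='NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
MemoryDenyWriteExecute=true'

# Per-Org roots from the layout table; a writable path must be <root>%i or below.
ALLOWED_RW_ROOTS='/var/lib/tetrapus/ /var/log/tetrapus/ /run/tetrapus/'

# Emit the [Service] section with comments dropped and "Key = value" normalised
# to "Key=value", so spacing differences cannot hide a drifted setting.
service_section() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        awk '/^[#;]/ { next } /^\[/ { in_svc = ($0 == "[Service]"); next } in_svc' |
        sed -e 's/[[:space:]]*=[[:space:]]*/=/'
}

# Print one line per required directive that is missing or has another value.
# Returns 1 if anything was reported, 0 if the profile is complete.
audit_hardening() {
    section="$(service_section "$1")"
    findings=0
    while IFS= read -r kv; do
        if ! printf '%s\n' "$section" | grep -qxF -- "$kv"; then
            key="${kv%%=*}"
            actual="$(printf '%s\n' "$section" | grep -- "^$key=" | tail -n 1)"
            echo "$1: want $kv, have ${actual:-<unset>}"
            findings=$((findings + 1))
        fi
    done <<EOF
$REQUIRED_HARDENING
EOF
    [ "$findings" -eq 0 ]
}

# Flag any ReadWritePaths token outside <root>%i. The directive may repeat and
# may list several paths per line; the optional "-"/"+" prefixes are ignored.
audit_rw_paths() {
    service_section "$1" | awk -v roots="$ALLOWED_RW_ROOTS" -v unit="$1" '
        BEGIN { n = split(roots, root, " ") }
        /^ReadWritePaths=/ {
            sub(/^ReadWritePaths=/, "")
            for (i = 1; i <= NF; i++) {
                p = $i; sub(/^[-+]/, "", p); ok = 0
                for (j = 1; j <= n; j++) {
                    q = root[j] "%i"
                    if (p == q || index(p, q "/") == 1) ok = 1
                }
                if (!ok) { print unit ": ReadWritePaths outside per-Org layout: " $i; bad++ }
            }
        }
        END { exit (bad ? 1 : 0) }'
}

audit_unit() { rc=0; audit_hardening "$1" || rc=1; audit_rw_paths "$1" || rc=1; return "$rc"; }

# Constructed sample units for the demo below; not the shipped files.
write_sample_units() {
    { printf '[Service]\nExecStart=/usr/bin/tetrapus-server --org-slug %%i\n'
      printf '%s\n' "$REQUIRED_HARDENING"
      printf 'ReadWritePaths=/var/lib/tetrapus/%%i /run/tetrapus/%%i\n'
      printf 'ReadWritePaths=-/var/log/tetrapus/%%i\n'; } >"$1/good.service"
    cat >"$1/weak.service" <<'EOF'
[Service]
ExecStart=/usr/bin/tetrapus-server --org-slug %i
NoNewPrivileges=true
ProtectSystem = full
PrivateTmp=true
ReadWritePaths=/var/lib/tetrapus/ /run/tetrapus/%i
EOF
}

if [ $# -gt 0 ]; then          # audit-units.sh /etc/systemd/system/tetrapus-*.service
    status=0; for f in "$@"; do audit_unit "$f" || status=1; done; exit "$status"
else                           # no arguments: audit the constructed samples
    demo="$(mktemp -d)"; write_sample_units "$demo"
    for f in "$demo"/*.service; do audit_unit "$f" && echo "$f: OK"; done
    rm -rf "$demo"
fi
```

On a live host, point it at the installed unit files; because drop-ins are not merged, the effective configuration is better checked by saving `systemctl cat` output to a file and auditing that, and `systemd-analyze security` remains the complementary view of what the kernel-level restrictions actually amount to.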
## Lifecycle commands

```bash
# Inspect every onboarded org.
systemctl list-units 'tetrapus-server@*.service' --all
# Restart one tenant without disturbing others.
sudo systemctl restart tetrapus-server@acme.service
# Suspend a tenant (keeps the env file + state for re-enabling).
sudo systemctl disable --now tetrapus-server@acme.service
# Tail per-org logs.
journalctl -u tetrapus-server@acme.service -f
```

## Related

- tetrapus-admin CLI — day-2 ops (key rotate, backup, audit verify).
- Control plane — what the gateway and admin CLI talk to.
- Air-gap install — signed-bundle delivery on top of these units.
## Questions?

Reach out for help with integration, deployment, or custom domain codecs.