Self-Hosted Installation
Introduction
Because Nanitor believes in making things easy for its customers, including meeting them where they are, we offer both a cloud-hosted solution, where we take care of everything, and a self-hosted option, where the customer has full ownership and control.
For a pro/con analysis of cloud vs. self-hosted, as well as the process for moving to the cloud later, check out Migrating from a self-hosted to a cloud-hosted solution - Nanitor Knowledgebase
One of the main advantages of self-hosting your Nanitor instance is complete control over your instance, including where your data is processed, etc. However, this also comes with complete responsibility for the server running your instance, the operating system on it, and the network connection of your instance, especially when it comes to sizing your server and performance-tuning it. We will of course help you out as much as we can, but there are a lot of limits to what we can do with self-hosted instances, and ultimately the responsibility is yours.
All the Nanitor-hosted instances are run on a Debian 12 server, on top of an image we get directly from the Debian Org. This is therefore the only setup we have any experience with, and these instructions are based on it. Our product should work on any Debian-based or Red Hat-based flavor of Linux. We have performed limited testing on Ubuntu, Alma and Red Hat Linux and they all seem fine. If you have any issues using your favorite flavor of Linux, please submit a support ticket and we will do our best to help you out.
At a high level, the installation consists of the following steps:
- Install the prerequisites: nginx, libpcre3 and curl
- Install PostgreSQL 15 Server with client and utilities
- Set PostgreSQL access permissions to trust local connections
- Tune the PostgreSQL Server configuration for optimal performance. We recommend using PGTune to calculate the best settings for your site. [Optional]
- Download and run the installation script.
See the next section for detailed instructions to accomplish these steps as they apply to the Debian 12, Ubuntu, Alma or Red Hat operating system. If you are an experienced sysadmin, you should be able to translate these to your flavor of Linux using the above goals as guidelines. Otherwise, we suggest you reconsider going with a Nanitor-hosted solution.
We recommend using PGTune to calculate the best settings for your site and make the necessary adjustments to your postgresql.conf file. However, this is optional if you are happy with the performance of the system. The settings we implement work well for a large number of setups.
Prerequisites
The only prerequisite that is not explicitly taken care of in the installation instructions below (though it is implied) is that the system you are using must be able to reach an update package repository (for apt update, upgrade, and installs), as well as nanitor.io for file downloads and hub.nanitor.com for signature updates.
There are no partition requirements and the sizing of your server will depend on the size of your environment. Here are a couple of sample sizes to guide your decision.
Server Size for 150 Assets
2 vCPU
8 GB RAM
80 GB Disk
Server Size for 15K Assets
12 vCPU
32 GB RAM
250 GB Disk
Installation
These instructions assume you already have a fresh Linux server set up and ready to go. These directions were written for the Debian 12 operating system and have only been tested on Debian 12. If you have something else, you may need to make some adjustments to make it work for your operating system, particularly when it comes to paths, package names, and package manager (apt vs yum).
Log into your new Linux server using a sudo-capable account and execute the commands below.
The nanitor-server-ctl server_install line is the actual server installation, and it prompts you for three things.
- Organization name: What do you want your instance to be called? While there is no limit it is advisable to choose something short. If your organization has a common acronym or a short nickname that might be a good choice here. Note that all symbols and special characters will be stripped out and spaces replaced with a dash. Also, all characters will be lowercase only.
- Hub Username: Get this from your Nanitor Contact
- Hub Password: Get this from your Nanitor Contact
Important: Before you run that installation line, figure out what your internal FQDN for the installation will be and replace demo.nanitor.local with your actual FQDN.
On Debian 12, run the following commands as root.
apt install -y postgresql postgresql-contrib nginx curl libpcre3
curl -o /etc/postgresql/15/main/pg_hba.conf https://nanitor.io/files/postgresql/pg_hba.conf
systemctl restart postgresql
# Adding the nanitor APT repository.
echo 'deb https://deb.nanitor.com/nanitor-server bookworm main' > /etc/apt/sources.list.d/nanitor-server.list
curl -o /etc/apt/trusted.gpg.d/nanitor.gpg.asc https://deb.nanitor.com/nanitor-agent/DEB-GPG-KEY-nanitor
apt update
apt -y install nanitor-server
/opt/nanitor-server/bin/nanitor-server-ctl server_install --nanitor_hostname demo.nanitor.local
# We recommend using unattended-upgrades and configuring it to automatically upgrade nanitor.
apt -y install unattended-upgrades
# Then edit /etc/apt/apt.conf.d/50unattended-upgrades and add a line like this to Unattended-Upgrade::Origins-Pattern:
"origin=nanitor-server,codename=${distro_codename},label=nanitor-server";
Then run unattended-upgrade and make sure there are no errors in the output. Now the Nanitor Server will update itself when it applies security updates and such to the server.
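One way to script the Origins-Pattern edit described above so that it can be re-run safely, as an added example that is not Nanitor's own tooling. The function name and the sample file are illustrative; the pattern string is the one given above.

```shell
#!/bin/sh
# Added example: add the nanitor-server origin to
# Unattended-Upgrade::Origins-Pattern exactly once.

NANITOR_PATTERN='"origin=nanitor-server,codename=${distro_codename},label=nanitor-server";'

add_nanitor_origin() {
    # $1 = path to 50unattended-upgrades. Returns 0 when the pattern is
    # present afterwards, 1 when no Origins-Pattern block was found.
    conf=$1
    if grep -qF "$NANITOR_PATTERN" "$conf"; then return 0; fi
    tmp=$(mktemp) || return 1
    PAT=$NANITOR_PATTERN awk '
        { print }
        !seen && /^[ \t]*Unattended-Upgrade::Origins-Pattern[ \t]*[{]/ {
            print "        " ENVIRON["PAT"]; seen = 1
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rm -f "$tmp"
    grep -qF "$NANITOR_PATTERN" "$conf"
}

# Constructed stand-in for /etc/apt/apt.conf.d/50unattended-upgrades.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
EOF
add_nanitor_origin "$demo" && cat "$demo"
rm -f "$demo"
```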
On Alma or Red Hat, run the following commands as root instead.
# Install PostgreSQL database
dnf -y install glibc-all-langpacks
localectl set-locale LANG=en_US.utf8
dnf -y install postgresql postgresql-server postgresql-contrib curl nginx dmidecode pcre pcre2 tar
# Ensure the locale is en_US.utf8 as that is what Nanitor expects.
PGSETUP_INITDB_OPTIONS="--locale en_US.utf8" /usr/bin/postgresql-setup --initdb
curl -o /var/lib/pgsql/data/pg_hba.conf https://nanitor.io/files/postgresql/pg_hba.conf
systemctl enable postgresql
systemctl start postgresql
# Selinux needs to allow the nginx proxy_pass to nanitor-api, nanitor-uiapi and others.
setsebool -P httpd_can_network_connect 1
# Allow inbound https in the OS firewall.
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload
# Install nanitor from the package repositories.
rpm --import https://yum.nanitor.com/RPM-GPG-KEY-nanitor
curl -so /etc/yum.repos.d/nanitor-server.repo https://yum.nanitor.com/nanitor-server/rhel-9-x86_64/nanitor-server.repo
yum -y install nanitor-server
# Finish the installation.
/opt/nanitor-server/bin/nanitor-server-ctl server_install --nanitor_hostname demo.nanitor.local
# Installer puts the nginx config in place, but does not start it.
systemctl enable nginx
systemctl start nginx
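A check for the pg_hba.conf fetched in either install path above, added here as an example and not part of Nanitor's instructions: it lists any trust rule that applies beyond the Unix socket or loopback. The function name and the sample file are made up for illustration; the contents of the real file are not shown on this page.

```shell
#!/bin/sh
# Added example: list pg_hba.conf rules that grant passwordless "trust"
# access to anything other than the Unix socket or loopback.

audit_pg_hba() {
    # $1 = path to a pg_hba.conf. Prints offending rules; returns 1 if any.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        {
            if ($1 == "local") { addr = "socket"; method = $4 }
            else if ($5 ~ /^[0-9]+\./ || $5 ~ /:/) {  # ADDRESS MASK METHOD
                addr = $4 "/" $5; method = $6
            } else { addr = $4; method = $5 }         # CIDR or host name
            if (method != "trust") next
            if (addr == "socket" || addr == "localhost" ||
                addr == "127.0.0.1/32" || addr == "::1/128" ||
                addr == "127.0.0.1/255.255.255.255") next
            printf "%s:%d: %s\n", FILENAME, FNR, $0
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample for demonstration; not the file served by nanitor.io.
sample=$(mktemp)
cat > "$sample" <<'EOF'
local   all  all                   trust
host    all  all  127.0.0.1/32     trust
host    all  all  ::1/128          trust
host    all  all  10.0.0.0/8       trust
host    all  all  192.168.1.0/24   scram-sha-256
EOF
audit_pg_hba "$sample" || echo "trust rule reachable from the network"
rm -f "$sample"
```

Run it against /etc/postgresql/15/main/pg_hba.conf on Debian or /var/lib/pgsql/data/pg_hba.conf on Red Hat-based systems. A trust rule lets any client matching its address connect without a password, so anything it prints deserves a closer look.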
Post Installation
Log in
Log into the system with the credentials displayed at the end of the setup process, and change the password to something very strong, as this is the super admin account with access to everything. We recommend a 25-character string with mixed case, special characters, and numbers. Then add TOTP MFA to this super admin account.
Set up email relay
The next step in your setup is to set up your email relay configuration. This is required so that your instance can send emails such as new user invitations, alerting, etc. Here is how you do that. (First, make sure you are still logged in as the super admin.)
Start by clicking on the admin menu in the upper right corner.
Then click on the System Management Settings on the right-hand side. Make sure you distinguish between the Organization Management Settings in the center and the System Management Settings on the right.
Then fill out the information for the highlighted fields.
Once you have filled in the right information, you can put your email address in the "Test e-mail" field and click "Send test e-mail" to test whether the new configuration is working correctly.
Add users
Once you have configured your email settings and tested that they work, start inviting users to the system. For instructions on how to add users to your installation, check out How do I create a new user in my organization? - Nanitor Knowledgebase