Skip to main content

Linux Install

Install copies a checked staging directory into place as a Linux systemd service. Run these commands from inside the prepared reploy-staging directory.

Preinstall check

Before the privileged install step, check that the directory is ready to install:

reploy doctor --preinstall

This catches common production-install mistakes before anything is copied into the install target.

Preview the privileged work before applying it:

reploy install --to /opt/arbiter --dry-run

Install

Install the prepared directory:

sudo reploy install --to /opt/arbiter

By default, install enables and restarts the systemd service. To install without starting the service:

sudo reploy install --to /opt/arbiter --no-start

Use --service when the unit should have a non-default name:

sudo reploy install --to /opt/arbiter --service arbiter-prod

Reploy copies the prepared directory as-is. To preserve production credentials or config across reinstalls, edit the staging directory from the intended installed state before running install again.

Verify

Test the installed Arbiter server with the Arbiter client:

arbiter arbiter.url=https://127.0.0.1:8075 info --yaml plugins
# server_url: https://127.0.0.1:8075
# kind: plugins
# plugins:
# - id: imap
# - id: smtp

Installed service operations use systemd:

sudo systemctl status arbiter.service
sudo journalctl -u arbiter.service -f

The generated systemd unit waits for the Docker CLI and API to become usable before running Compose. This protects boot and WSL startup from racing Docker Desktop integration or a native Docker daemon that is still starting.

Restart the installed service with:

sudo systemctl restart arbiter.service

What Install Does

install requires root unless --dry-run is used. It:

  • runs preinstall doctor checks
  • copies the prepared deployment directory to the install target
  • marks the copied deployment state as installed
  • writes /etc/systemd/system/arbiter.service, including Docker service ordering when available and a Docker API readiness check before Compose starts
  • reloads and enables systemd
  • restarts the service by default
  • runs health and live config checks from the installed directory after restart

Privilege Model

The dedicated service user is not added to the Docker group. The systemd unit is root-managed and runs docker compose; the container does not receive the Docker socket.

This avoids making the dedicated deployment user host-root-equivalent through Docker socket access. Treat Docker control, Docker socket access, Docker group membership, and passwordless sudo as root-equivalent.

For the broader boundary model, see Security Model.

Options Reference

Use these when the standard install path needs a small adjustment:

Install Parameters

The standard install uses these defaults. Override them only when needed:

ArgumentCommentDefault
--to DIRInstall target directory. Required.None
--service NAMEsystemd unit name.arbiter
--no-startInstall and enable the service without starting it.Off
--startStart after install.On
--dry-runPrint the install plan without changing the host.Off