Configuration

The setup email links to the self-hosted bundle, published as both gridnms-selfhosted-bundle.tar.gz (Linux/macOS) and gridnms-selfhosted-bundle.zip (Windows).

Bundle contents

docker-compose.selfhosted.yml   # the stack definition
.env.selfhosted.example         # config template
license-public.pem              # GridNMS license verify key (public, ships with the bundle)
install.sh                      # one-command installer (Linux/macOS)
install.ps1                     # one-command installer (Windows / PowerShell)
SETUP.md                        # setup guide

Unpack it into a working directory, e.g. /opt/gridnms.

Configure .env

cp .env.selfhosted.example .env

Edit .env and set the required values. The stack refuses to start until these are filled — there are intentionally no defaults for secrets:

Variable	What to set
GRIDNMS_DBPASSWD	A strong database password
GRIDNMS_SECRET	A strong session secret — openssl rand -hex 32
GRIDNMS_COLLECTOR_AUTO_JOIN_SECRET	A shared secret your collectors present to auto-join — openssl rand -hex 24
GRIDNMS_LICENSE_KEY	The license key from your approval email

The cloud platform URL is already defaulted correctly:

GRIDNMS_PLATFORM_URL=https://platform.gridnms.io

license-public.pem ships with the bundle and is the same for every customer — leave it next to the compose file. It is a public, verify-only key; it can never mint or grant a license, only check the signature on the one the platform issues to you.

Optional knobs

Variable	Purpose
APP_URL / APP_PORT	Where the UI is reached — also the WebAuthn / passkey origin
GRIDNMS_TLS_DOMAIN, GRIDNMS_TLS_ACME_EMAIL	Auto-issue a Let’s Encrypt cert for a public domain. HTTPS is on by default (self-signed) — see HTTPS / TLS
GRIDNMS_TLS_ENABLED=false	Disable HTTPS (serve plain HTTP on APP_PORT) — for use behind your own TLS proxy
GRIDNMS_DIAGNOSTICS_OPT_IN=1	Share anonymous diagnostics
LOGSERVER_TOKEN, CLICKHOUSE_PASSWORD	Enable the optional log-management tier (--profile logs)
R2_ENDPOINT, R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY	Let the updater auto-pull server updates — see Updates

Set APP_URL correctly

APP_URL is the WebAuthn / passkey origin — it must match the URL you actually type in the browser, or passkey enrollment fails with an origin mismatch (password login still works). If you front the instance with a DNS name or reverse proxy, set that URL.

Install

./install.sh

The installer generates your secrets, asks for your license key, and prompts for the URL users will reach the instance at (defaulting to the host’s primary IP). It then brings the stack up and waits for health. The equivalent manual command (images must already be loaded — install.sh does that):

docker compose -f docker-compose.selfhosted.yml up -d
# add --profile logs to also start the optional log-management tier

When healthy (<host> = the APP_URL you set):

Web app:  https://<host>            (HTTPS by default; the UI and API share the server)
Health:   https://<host>/health →  {"status":"ok"}

Open the UI and complete the first-run setup wizard.