tiCrypt Backend Installation

Quick Start

This section provides the minimal steps required to install the tiCrypt backend using the supported and recommended automation workflow.

wget https://storage.googleapis.com/ticrypt/install/ticrypt-setup-0.1.9.tgz
tar -xzf ticrypt-setup-0.1.9.tgz
cd ticrypt-setup
./ticrypt-setup.sh

Before running the installer, review and update the required configuration files as described below.


Overview

ticrypt-setup automates the installation and configuration of the tiCrypt backend and worker nodes using Ansible. This approach replaces the manual installation process, which is more time-consuming and prone to configuration errors.

For this reason, ticrypt-setup is the recommended and supported installation method for all tiCrypt backend deployments.

The ticrypt-setup archive includes all Ansible playbooks, roles, templates, and helper scripts required to deploy a complete tiCrypt backend environment.


Prerequisites

Ensure the following requirements are met before proceeding:

  • Supported Linux distribution on all backend and worker nodes
  • SSH access from the control node to all target nodes
  • Python 3 installed on all target nodes
  • Ansible installed on the control node

Download and Extract

Download the current supported setup archive:

wget https://storage.googleapis.com/ticrypt/install/ticrypt-setup-0.1.9.tgz

Extract the archive and enter the directory:

tar -xzf ticrypt-setup-0.1.9.tgz
cd ticrypt-setup

The extracted directory contains the Ansible playbooks, configuration files, and the installation script ticrypt-setup.sh.


Configuration

The installer consumes two primary configuration files: inventory.ini and ticrypt.yml.

inventory.ini — Node inventory

The inventory.ini file defines the backend and worker nodes targeted by Ansible.

[backend]
backend01 ansible_host=10.0.0.10

[workers]
worker01 ansible_host=10.0.0.20
worker02 ansible_host=10.0.0.21

[all:vars]
ansible_user=ticrypt
ansible_python_interpreter=/usr/bin/python3

Guidance:

  • Hostnames must be resolvable or mapped using ansible_host
  • The SSH user must have passwordless sudo privileges
  • All nodes must be reachable from the control node

ticrypt.yml — Deployment configuration

The ticrypt.yml file defines tiCrypt-specific configuration values used during installation.

deployment_name: ticrypt-prod

backend:
  listen_address: 0.0.0.0
  listen_port: 8443

database:
  host: localhost
  port: 27017
  name: ticrypt

storage:
  data_root: /var/lib/ticrypt
  temp_root: /var/lib/ticrypt/tmp

logging:
  level: INFO
  log_dir: /var/log/ticrypt

Guidance:

  • Paths must exist or be creatable by the installer
  • Values are consumed directly by Ansible templates
  • Changes require re-running ticrypt-setup.sh to take effect
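
A pre-run check for ticrypt.yml, added here as an example (it is not part of ticrypt-setup or tiCrypt): because values pass straight into the Ansible templates, it flags a backend bound to 0.0.0.0, a database.password that is empty or still the reference file's change-me, and a password kept in a file that group or others can read. The function name lint_ticrypt_yml and the three rules are assumptions of this example, and it expects each section's keys to be indented under the section header.

```shell
#!/bin/sh
# Added example: pre-run lint for ticrypt.yml. Not part of ticrypt-setup.
# The function name and the three rules are assumptions of this example.
# Prints "LEVEL key: message" per finding; returns 1 if any FAIL was printed.
lint_ticrypt_yml() {
    cfg=$1
    [ -r "$cfg" ] || { echo "FAIL $cfg: not readable"; return 1; }

    # POSIX find prints the path only if group or others may read the file.
    loose=0
    if [ -n "$(find "$cfg" -prune \( -perm -040 -o -perm -004 \))" ]; then
        loose=1
    fi

    awk -v loose="$loose" '
        function fail(k, msg) { print "FAIL " k ": " msg; failed = 1 }
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        { sub(/[ \t]+#.*$/, "") }                  # trailing comments
        /^[A-Za-z_]+:[ \t]*$/ {                    # unindented "name:" opens a section
            section = $1; sub(/:$/, "", section); next
        }
        /^[^ \t]/ { section = "" }                 # other unindented keys are top level
        {
            key = $1; sub(/:$/, "", key)
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val)                 # strip double quotes
            k = (section == "" ? key : section "." key)

            if (k == "backend.listen_address" && val == "0.0.0.0")
                print "WARN " k ": listens on all interfaces; firewall the port or bind one address"
            if (k == "database.password") {
                has_pw = 1
                if (val == "" || val == "change-me")
                    fail(k, "empty or still the reference placeholder")
            }
        }
        END {
            if (has_pw && loose)
                fail("file mode", "password in a file readable by group or others; chmod 600")
            exit failed + 0
        }
    ' "$cfg"
}
```

Call it as lint_ticrypt_yml ticrypt.yml before ./ticrypt-setup.sh; a non-zero return means at least one FAIL finding was printed.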

Running the Installer

From the root of the extracted ticrypt-setup directory, run:

./ticrypt-setup.sh

The installer will:

  1. Validate the Ansible environment
  2. Load configuration from inventory.ini and ticrypt.yml
  3. Install required system dependencies
  4. Deploy backend and worker services
  5. Apply configuration templates
  6. Enable and start tiCrypt services

Post-Installation Verification

After installation completes:

  • Confirm backend services are running on the backend node
  • Verify worker nodes are registered and reachable
  • Review logs under /var/log/ticrypt
  • Validate connectivity using the tiCrypt frontend or API

Manual Installation

Manual installation of tiCrypt backend components is possible but not recommended. Manual workflows increase deployment complexity, introduce configuration drift, and are not the supported installation path for production environments.


Reference Configuration Files (Complete Examples)

These reference files are provided as complete, copy-paste-ready examples. Update values to match your environment before running ticrypt-setup.sh.

inventory.ini (complete reference)

# -----------------------------------------------------------------------------
# tiCrypt Ansible Inventory
#
# - Define backend nodes in [backend]
# - Define worker nodes in [workers]
# - Provide common SSH settings in [all:vars]
#
# Notes:
# - Use hostnames if DNS is in place; otherwise set ansible_host=<ip>
# - The ansible_user must be able to sudo without being prompted for a password
# - Ensure Python 3 exists on each target node and set ansible_python_interpreter
# -----------------------------------------------------------------------------

[backend]
# Primary backend node (API/services, database, etc., depending on your playbooks)
backend01 ansible_host=10.0.0.10

[workers]
# Worker nodes used for compute / job execution / services as defined by your roles
worker01 ansible_host=10.0.0.20
worker02 ansible_host=10.0.0.21

[all:vars]
# SSH user used by Ansible to connect to all nodes above
ansible_user=ticrypt

# Path to Python on the target nodes (required for Ansible modules)
ansible_python_interpreter=/usr/bin/python3

# Optional: if your environment requires privilege escalation
# ansible_become=true
# ansible_become_method=sudo

# Optional: if you use SSH keys in a non-default location
# ansible_ssh_private_key_file=~/.ssh/id_rsa

# Optional: if your SSH daemon uses a non-standard port
# ansible_port=22

ticrypt.yml (complete reference)

# -----------------------------------------------------------------------------
# tiCrypt Deployment Configuration
#
# This file provides deployment-specific values consumed by Ansible templates
# and roles during installation. Update values to match your environment.
#
# Guidance:
# - Use fully qualified hostnames where appropriate
# - Ensure all paths are valid and writable by the installed services
# - If you change this file after installation, re-run ticrypt-setup.sh
# -----------------------------------------------------------------------------

# A short identifier used in logs, tags, and generated artifacts
deployment_name: ticrypt-prod

# -----------------------------------------------------------------------------
# Backend service configuration
# -----------------------------------------------------------------------------
backend:
  # Address the backend binds to. 0.0.0.0 listens on all interfaces.
  listen_address: 0.0.0.0

  # Public/service port for the backend API (adjust to match your environment)
  listen_port: 8443

  # Optional: external hostname clients use to reach the backend
  # public_hostname: ticrypt.example.edu

  # Optional: if TLS termination is handled elsewhere, document that here
  # tls_terminated_upstream: false

# -----------------------------------------------------------------------------
# Database configuration (example assumes MongoDB-like configuration)
# -----------------------------------------------------------------------------
database:
  # Database host. Use localhost if DB is colocated with the backend.
  host: localhost

  # Database port
  port: 27017

  # Database name / schema identifier
  name: ticrypt

  # Optional: credentials if required by your deployment
  # username: ticrypt
  # password: change-me

  # Optional: replica set or connection options
  # options: "replicaSet=rs0&authSource=admin"

# -----------------------------------------------------------------------------
# Storage paths
# -----------------------------------------------------------------------------
storage:
  # Root directory for persistent tiCrypt data (keys, metadata, etc. per roles)
  data_root: /var/lib/ticrypt

  # Temporary working directory for installers, staging, and intermediate files
  temp_root: /var/lib/ticrypt/tmp

  # Optional: additional mounts/paths used in your deployment
  # inbox_root: /var/lib/ticrypt/inboxes
  # drives_root: /var/lib/ticrypt/drives

# -----------------------------------------------------------------------------
# Logging configuration
# -----------------------------------------------------------------------------
logging:
  # Log level (common values: DEBUG, INFO, WARNING, ERROR)
  level: INFO

  # Directory where logs should be written
  log_dir: /var/log/ticrypt

  # Optional: log rotation behavior if your roles support it
  # rotate: true
  # max_size_mb: 100
  # max_files: 10

# -----------------------------------------------------------------------------
# Optional: integrations / feature flags (uncomment if your roles support these)
# -----------------------------------------------------------------------------
# integrations:
#   slurm:
#     enabled: false
#     # controller_host: slurmctld.example.edu
#     # rest_api_url: https://slurmrest.example.edu
#
# security:
#   # Whether to enforce hardened defaults (depends on role support)
#   hardened_defaults: true
#
# networking:
#   # If your environment requires explicit interface binding
#   # interface: eth0