Airgap Install

For sites with no outbound internet (submarines, ships, classified networks, isolated industrial cells). One tarball, one script. No clickops, no network config.

What you get

After running the installer the destination box hosts:

• https://gitlab.local — self-hosted GitLab CE for in-airgap version control and CI
• https://harbor.local — private Harbor registry, pre-loaded with every Tetrapus image at this release
• https://minio.local — S3-compatible object store (Tofu state, artefacts, backups)
• https://datamax.local — the Tetrapus stack itself

Prerequisites

• A Linux x86_64 or macOS box with Docker engine installed
• Root or sudo (for /etc/hosts and trust-store install)
• ~30 GB free disk space for images + state
• The bundle airgap-bundle.tar — obtained over the open internet on a separate machine, then physically transported (USB, optical disc, courier)

Install

# On a connected machine: download the bundle (gated; needs a Tetrapus customer token)
curl -H "Authorization: Bearer $TETRAPUS_TOKEN" \
  -O https://harbor.tetrapus.com/artifacts/airgap/airgap-bundle-v0.4.2.tar
sha256sum -c airgap-bundle-v0.4.2.tar.sha256

# Transport the file. USB stick, write-once optical media, whatever your policy allows.

# On the destination box:
tar xf airgap-bundle-v0.4.2.tar -C /tmp/tetrapus-bundle
cd /tmp/tetrapus-bundle
sudo bash ./airgap-install.sh

The script is idempotent — if anything fails, just re-run it. It will:

1. Unpack the repo to /opt/tetrapus
2. Load all container images via docker load
3. Generate a self-signed CA + server cert via OpenTofu
4. Install the CA into the system trust store
5. Bring up Traefik, GitLab, Harbor, MinIO via docker-compose
6. Mint an admin PAT inside GitLab non-interactively
7. Configure the GitLab group, project, CI variables, and runner via the GitLab provider
8. Bring up the runner

Distribute the CA cert

Operator workstations need the CA installed so their browsers and docker client trust the local TLS. The cert is at:

/opt/tetrapus/infra/mac-mini/compose/data/traefik/certs/ca.crt

Install it on each workstation:

# Linux
sudo cp ca.crt /usr/local/share/ca-certificates/tetrapus-airgap.crt
sudo update-ca-certificates

# macOS
sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain ca.crt

# Windows (PowerShell as admin)
Import-Certificate -FilePath ca.crt -CertStoreLocation Cert:\LocalMachine\Root

First-boot passwords

The installer writes random passwords to /opt/tetrapus/infra/mac-mini/compose/.env. Override them by exporting the corresponding env vars before running the script:

export GITLAB_ROOT_PASSWORD='your-strong-password'
export HARBOR_ADMIN_PASSWORD='your-strong-password'
export MINIO_ROOT_PASSWORD='your-strong-password'
sudo -E bash ./airgap-install.sh

Upgrade

When a new bundle arrives, run the same script with the new tarball. Tofu reconciles in place; no data migration is needed.

tar xf airgap-bundle-v0.5.0.tar -C /tmp/tetrapus-bundle
sudo bash /tmp/tetrapus-bundle/airgap-install.sh

Backup

Snapshot two directories together; restore both to recover the site state at a point in time:

/opt/tetrapus/infra/mac-mini/compose/data/    # GitLab, Harbor, MinIO, Traefik state
/opt/tetrapus/infra/terraform/envs/airgap-sub/terraform.tfstate

What's deliberately not on this page

If you're trying to do one of these, you're on the wrong page:

• Internet-connected install → Docker Compose deployment
• Single-binary desktop install → Quick Start
• Embedding the SDK in your own Rust app → SDK