Backend Installation (Docker)
Docker Compose (recommended)
The production deployment uses Docker Compose to run SurrealDB and the Bastion backend together.
1. Download the release bundle

   ```bash
   curl -Lo bastion-server.tar.gz \
     https://github.com/halden-technologies/bastion/releases/latest/download/bastion-server-linux-x86_64.tar.gz
   tar -xzf bastion-server.tar.gz
   cd bastion-server
   ```

2. Edit configuration

   Copy the example config:

   ```bash
   cp config/backend.example.toml config/backend.toml
   ```

   Set your JWT secret and any optional settings (SMTP, SIEM, etc.) in config/backend.toml. See Backend Configuration.

3. Start services

   ```bash
   docker compose up -d
   ```

4. Verify

   ```bash
   curl http://localhost:8080/health
   # {"status":"ok","version":"13.0.0"}
   ```
Ports to expose
| Port | Expose to | Purpose |
|---|---|---|
| 8080 | Console workstations | REST API |
| 50051 | Endpoints | gRPC agent connections |
| 8000 | localhost only | SurrealDB |
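
To confirm the host matches this table once the services are up, the following added example (not part of the Bastion documentation) parses `ss -Htln` output and fails if port 8000 is listening on anything other than loopback. The function name, the script file name and the sample lines are constructed for illustration; it assumes Docker's default userland proxy, so published ports appear as listeners on the host.

```sh
#!/bin/sh
# Added example, not from the Bastion docs: audit host listeners against the
# "Ports to expose" table. Reads `ss -Htln` output on stdin.

# audit_bindings (hypothetical helper): prints one line per relevant listener
# and returns non-zero if SurrealDB (8000) is reachable beyond loopback.
audit_bindings() {
  awk '
    function is_loopback(h) { return (h ~ /^127\./ || h == "[::1]") }
    {
      addr = $4                             # Local Address:Port column
      port = addr; sub(/^.*:/, "", port)    # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (port == "8000") {                 # table: localhost only
        if (is_loopback(host)) print "OK 8000 " host
        else { print "FAIL 8000 " host; bad = 1 }
      } else if (port == "8080" || port == "50051") {
        print "INFO " port " " host         # reachability is firewall policy
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: SurrealDB published on all interfaces (IPv4 and IPv6).
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:50051 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 4096 [::]:8000 [::]:*'

# Constructed sample: SurrealDB bound to loopback only, as the table requires.
SAMPLE_SAFE='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:50051 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8000 0.0.0.0:*'

# Run against the live host with: sh audit.sh --live
# (audit.sh is a placeholder file name for this script)
if [ "${1:-}" = "--live" ]; then
  ss -Htln | audit_bindings
fi
```

A `FAIL` line means the database port is reachable from other hosts unless a firewall blocks it; the `INFO` lines only report where 8080 and 50051 are bound.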
TLS (production)
For production deployments, terminate TLS at a reverse proxy (nginx, Caddy, or Cloudflare Tunnel) in front of port 8080. The gRPC port (50051) supports optional mTLS; see Backend Configuration.
Updating
```bash
docker compose pull
docker compose up -d
```

Bastion uses zero-downtime rolling updates. Existing agent connections are maintained during restarts.
Backup
SurrealDB data is in the ./data/ directory. Back it up with any standard file backup:

```bash
# Stop, snapshot, restart
docker compose stop surrealdb
tar -czf backup-$(date +%Y%m%d).tar.gz ./data/
docker compose start surrealdb
```