Summary
Allow users to download an agent (and any supporting install artifacts) as a single zip archive from the Infrawatch web UI, so they can manually transfer it to a target server and install it by hand.
Motivation
Many corporate and air-gapped environments do not permit target hosts to reach the Infrawatch server directly during provisioning, or require change-controlled manual installs. Today the assumption is that the agent is fetched from the server at install time. A downloadable zip bundle gives operators a portable artifact they can:
- Transfer across network boundaries (e.g. via a jump host, USB, or approved file-transfer tool)
- Attach to change tickets for auditability
- Stage on internal file shares for bulk rollouts
- Install on hosts that have no outbound connectivity to the Infrawatch server at install time
This aligns with the project's air-gap-first design goal (see CLAUDE.md — "No internet access required for any core feature").
Proposed behaviour
From the agents / install section of the web UI, allow an authenticated user to download a zip containing:
- The agent binary for a selected OS/architecture (Linux amd64/arm64, Windows, macOS as applicable)
- An install script (e.g.
install.sh / install.ps1) that performs the same steps the one-line installer would
- A config template (
agent.yaml / .env) pre-populated with the server URL and any non-secret defaults
- A README explaining the manual install steps, verification, and how to approve the agent in the UI after first check-in
- Checksums (e.g.
SHA256SUMS) and, where available, a detached signature for the binary
Open questions to resolve during design:
- Should the zip include an enrollment token? If yes, it should be single-use, short-lived, and clearly flagged as sensitive in the UI. If no, the operator enters it during install.
- Should we offer per-OS zips, or a single multi-arch bundle?
- Do we gate this behind a specific RBAC permission (e.g.
org_admin or engineer with an explicit "generate install bundle" permission)?
Acceptance criteria
Out of scope
- Automated mass provisioning (Ansible/Chef/Salt integrations) — separate feature
- Agent auto-update via the zip path — existing self-update flow continues to apply post-install
Summary
Allow users to download an agent (and any supporting install artifacts) as a single zip archive from the Infrawatch web UI, so they can manually transfer it to a target server and install it by hand.
Motivation
Many corporate and air-gapped environments do not permit target hosts to reach the Infrawatch server directly during provisioning, or require change-controlled manual installs. Today the assumption is that the agent is fetched from the server at install time. A downloadable zip bundle gives operators a portable artifact they can:
This aligns with the project's air-gap-first design goal (see
CLAUDE.md— "No internet access required for any core feature").Proposed behaviour
From the agents / install section of the web UI, allow an authenticated user to download a zip containing:
install.sh/install.ps1) that performs the same steps the one-line installer wouldagent.yaml/.env) pre-populated with the server URL and any non-secret defaultsSHA256SUMS) and, where available, a detached signature for the binaryOpen questions to resolve during design:
org_adminorengineerwith an explicit "generate install bundle" permission)?Acceptance criteria
organisationIdand gated by RBACapps/docs/docs/(agent install / air-gap sections)Out of scope