Installation¶

rimae/scan ships as .deb packages from the APT repository at pkg.rimae.io.

Quick Install (Debian / Ubuntu)¶

curl -fsSL https://pkg.rimae.io/install.sh | sudo bash

The installer detects your OS, adds the APT repository, and offers two install modes:

Mode	What it installs	Best for
Appliance	All Rimae packages + PostgreSQL 16, Redis, Caddy	Fresh servers, single-machine deployments
Infrastructure	Only selected Rimae packages (no infra)	Managed DB (RDS), existing reverse proxy

Skip the interactive prompts:

# Appliance
curl -fsSL https://pkg.rimae.io/install.sh | sudo bash -s -- --mode=appliance

# Infrastructure
curl -fsSL https://pkg.rimae.io/install.sh | sudo bash -s -- --mode=infra

Manual APT Setup¶

1. Add the GPG key¶

curl -fsSL https://pkg.rimae.io/gpg.key | \
  sudo gpg --dearmor -o /etc/apt/keyrings/rimae.gpg

2. Add the repository¶

echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/rimae.gpg] https://pkg.rimae.io/deb stable main" | \
  sudo tee /etc/apt/sources.list.d/rimae.list

3. Install¶

sudo apt update

Appliance (everything + PostgreSQL, Redis, Caddy):

sudo apt install rimae-scan

Server only (no infra, no workers):

sudo apt install --no-install-recommends rimae-scan-server

Custom selection:

sudo apt install --no-install-recommends \
  rimae-scan-server \
  rimae-scan-compliance \
  rimae-scan-scheduler \
  rimae-scan-sync-assets \
  rimae-scan-crawler-cve

Packages¶

Package	Description
`rimae-scan`	Meta-package -- installs server, compliance, scheduler, all workers
`rimae-scan-server`	API server with embedded web UI
`rimae-scan-compliance`	Compliance catalogs (SOC 2, ISO 27001, NIST CSF)
`rimae-scan-scheduler`	Cron dispatcher for worker jobs
`rimae-scan-workers`	Meta-package -- installs all 12 worker binaries
`rimae-scan-crawler-cve`	CVE/NVD crawler
`rimae-scan-crawler-exploit`	Exploit intelligence crawler
`rimae-scan-crawler-ecosystem`	Ecosystem advisory crawler
`rimae-scan-crawler-vendor`	Vendor/OS/CSAF advisory crawler
`rimae-scan-crawler-cert`	CERT advisory crawler
`rimae-scan-crawler-threat`	Threat intelligence crawler
`rimae-scan-crawler-supply`	Supply chain advisory crawler
`rimae-scan-crawler-scoring`	EPSS/KEV scoring crawler
`rimae-scan-report-generator`	Compliance report generator
`rimae-scan-agent-runner`	AI agent runner
`rimae-scan-sync-assets`	Asset inventory sync (multi-source)
`rimae-scan-sync-github`	GitHub inventory sync

Every package except rimae-scan-server depends on the server package. The server has no hard dependencies on other Rimae packages.

Post-Install Setup¶

Appliance mode¶

The postinstall script handles this automatically:

Generates SECRET_KEY and ENCRYPTION_KEY
Starts PostgreSQL, creates the rimae role and rimae_scan database
Writes a working DATABASE_URL to the config
Detects the system hostname and sets DOMAIN
Runs database migrations (if DB is reachable)
Enables the systemd service

After installation:

Set your public domain (if different from the system hostname):

sudo nano /etc/rimae-scan/rimae-scan.conf
# Change DOMAIN=... to your actual hostname

Configure Caddy for TLS:

echo 'scan.example.com { reverse_proxy localhost:8000 }' | sudo tee /etc/caddy/Caddyfile
sudo systemctl reload caddy

Open the setup wizard at https://your-domain/setup to create the admin account.

Infrastructure mode¶

With --no-install-recommends, no infrastructure is installed. You provide PostgreSQL, Redis (optional), and a reverse proxy.

1. PostgreSQL¶

Provide a PostgreSQL 16+ instance. Note your connection URL:

postgres://rimae:<password>@<host>:5432/rimae_scan?sslmode=require

2. Redis (optional)¶

Redis backs rate limiting and token revocation. Without it, the server falls back to in-memory storage. Set REDIS_URL in the config, or leave it empty to skip Redis.

redis://<host>:6379/0

3. Configuration¶

sudo nano /etc/rimae-scan/rimae-scan.conf

Required settings:

Setting	Description	How to generate
`DATABASE_URL`	PostgreSQL connection string	From step 1
`REDIS_URL`	Redis connection string (optional)	From step 2, or leave empty
`SECRET_KEY`	JWT signing key (min 32 chars)	`openssl rand -base64 32`
`ENCRYPTION_KEY`	Stored secret encryption key (min 32 chars)	`openssl rand -base64 32`
`DOMAIN`	Public domain name	e.g. `scan.example.com`

4. Database migrations¶

sudo rimae-scan-server --migrate --config /etc/rimae-scan/rimae-scan.conf

5. Reverse proxy¶

Point your reverse proxy at localhost:8000. The Go server handles both API and frontend -- the React UI is embedded in the binary.

Nginx:

server {
    listen 443 ssl;
    server_name scan.example.com;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Apache:

<VirtualHost *:443>
    ServerName scan.example.com
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

Caddy (if installed separately):

scan.example.com {
    reverse_proxy localhost:8000
}

6. Start the service¶

sudo systemctl enable --now rimae-scan-server
sudo systemctl enable --now rimae-scan-scheduler   # if installed

Verify:

systemctl status rimae-scan-server
curl -sf http://localhost:8000/api/health

Post-Install Checklist¶

[ ] DATABASE_URL points to a running PostgreSQL 15+ instance
[ ] SECRET_KEY and ENCRYPTION_KEY are set (not placeholder values)
[ ] DOMAIN matches your actual hostname
[ ] Database migrations have been run
[ ] Reverse proxy forwards to port 8000 with TLS
[ ] rimae-scan-server service is running
[ ] Health check passes: curl -sf http://localhost:8000/api/health
[ ] Setup wizard is accessible at https://your-domain/setup
[ ] Admin account has been created

Package Details¶

Item	Path
Server binary	`/usr/bin/rimae-scan-server`
Worker binaries	`/usr/lib/rimae-scan/workers/`
Configuration	`/etc/rimae-scan/rimae-scan.conf`
Compliance catalogs	`/etc/rimae-scan/compliance/factory/`
Data directory	`/var/lib/rimae-scan/`
Log directory	`/var/log/rimae-scan/`
Systemd units	`rimae-scan-server.service`, `rimae-scan-scheduler.service`
Service user	`rimae-scan`

Configuration files are marked conffiles and will not be overwritten on upgrade.

Upgrading¶

APT upgrade¶

sudo apt update
sudo apt upgrade rimae-scan-server

Or upgrade all Rimae packages:

sudo apt upgrade 'rimae-scan*'

The postinstall script runs database migrations automatically if the database is reachable. Otherwise, run manually:

sudo rimae-scan-server --migrate --config /etc/rimae-scan/rimae-scan.conf

Uninstalling¶

Remove packages (keep config)¶

sudo apt remove rimae-scan-server

Purge packages and config¶

sudo apt purge 'rimae-scan*'

Clean up data¶

sudo rm -rf /var/lib/rimae-scan /var/log/rimae-scan
sudo userdel rimae-scan

Drop database (irreversible)¶

sudo -u postgres dropdb rimae_scan
sudo -u postgres dropuser rimae

Supported Platforms¶

OS	Status	Install method
Ubuntu 22.04 LTS	Supported	APT repository
Ubuntu 24.04 LTS	Supported	APT repository
Debian 12 (Bookworm)	Supported	APT repository
RHEL 9 / AlmaLinux 9	Planned	RPM repository
Fedora 40+	Planned	RPM repository