
Installer prompts

Every prompt install.sh shows you, with the explanation, a reasonable default, and why it matters.

Portal display name

Shown in the top bar, email signatures, and PDF report headers. Changeable later in Admin → Branding.

Default: Meridian NIP

Primary domain (FQDN)

The hostname users will browse to. Must resolve to this host's IP for Let's Encrypt TLS to succeed (self-signed works on any hostname). Used as the TLS cert SAN, the nginx server_name, and the default email "from" identity if you don't override it later.

Format: portal.yourcompany.com. No scheme, no trailing slash.

Admin username & email

Creates the super-admin account. The temp password is auto-generated and shown in the install summary exactly once — copy it before you let the summary scroll away or shred the log.

Database name, role, password

PostgreSQL database + role for the app to connect as. The password is auto-generated (32 chars) and shown in the summary. The DB socket is bound to localhost only via pg_hba.conf, and no other roles can read the database.

Timezone

Default display timezone for emails, PDF reports, and the UI. All stored timestamps are UTC; this only affects presentation. Each user can override in their profile.

Default: the host's /etc/timezone value, or UTC if unset.

TLS method

Choice: When to pick it
letsencrypt: Most installs. Port 80 must be reachable from the internet and the FQDN must resolve here. Auto-renew is configured.
cloudflare: You're fronting with Cloudflare and want origin-cert TLS (full-strict). Installer renders the vhost; you drop the origin cert/key in the expected paths.
self-signed: Airgapped labs. Browsers will warn.
none: HTTP only. Never use in production.

Scope of use

Sets the default visibility for tools that target internal vs external networks. Every tool's scope is overridable per group in Admin → Scope Manager after install — this is just the default.

Guardrails always apply: internal-only tools refuse public IPs; external-only tools refuse RFC1918/link-local.
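
One way to express the guardrail rule above, as an added example (not Meridian's code). The function names are hypothetical, and refusing addresses that are neither public nor RFC1918/link-local (loopback, CGNAT and similar) in both scopes is an assumption; the page does not say how Meridian treats them.

```python
import ipaddress

# The ranges the page names for the external-only refusal (IPv6 link-local added).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fe80::/10")]


def classify(target: str) -> str:
    """Return 'internal', 'public' or 'other' for an IP literal."""
    ip = ipaddress.ip_address(target.strip())
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 ranges still match it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in RFC1918 + LINK_LOCAL):
        return "internal"
    if ip.is_global:
        return "public"
    return "other"  # loopback, CGNAT, multicast, documentation ranges, ...


def guardrail(tool_scope: str, target: str) -> tuple:
    """Return (allowed, reason) for a tool of the given scope and a target."""
    if tool_scope not in ("internal", "external"):
        raise ValueError(f"unknown scope: {tool_scope!r}")
    try:
        kind = classify(target)
    except ValueError:
        # Hostnames must be resolved first, and the resolved address checked.
        return False, "not an IP literal"
    if kind == "other":
        return False, "special-purpose address"  # assumption: fail closed
    if tool_scope == "internal" and kind == "public":
        return False, "internal-only tool refuses public IP"
    if tool_scope == "external" and kind == "internal":
        return False, "external-only tool refuses RFC1918/link-local"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample targets.
    samples = [("internal", "10.1.2.3"), ("internal", "8.8.8.8"),
               ("external", "169.254.169.254"), ("external", "::ffff:192.168.1.1"),
               ("external", "127.0.0.1")]
    for scope, target in samples:
        print(scope, target, guardrail(scope, target))
```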

Custom SSH port

Optional. Moving SSH off 22 silences the vast majority of automated scan traffic. Choose a port in 1024-65535 that isn't already used.

CRITICAL
The installer applies the new port and restarts ssh at the end. Verify you can open a fresh SSH session on the new port BEFORE closing your current terminal. UFW and fail2ban are re-tuned automatically.

LUKS encryption for /var/lib/postgresql

Yes/no. If yes, the installer emits a note pointing at the LUKS setup walkthrough, which is run separately because it is destructive and needs a block device choice.

Even if you say no, Meridian still protects the data via three other layers: field-level AES-256-GCM on vault entries, HMAC-chained row hashes on sensitive tables, and localhost-only SQL access with SCRAM-SHA-256. See Database security.

Post-install summary

The installer ends with a full credential summary printed to the terminal AND appended to /root/meridian-install.log. You are prompted to shred the log once you've saved the credentials elsewhere. If you don't shred immediately, do it manually:

sudo shred -u /root/meridian-install.log
MERIDIAN 1.0.0 · DOCUMENTATION
meridiannip.com ↗