Install Fleet

Dependencies
Install requirements from apt:
apt install redis nginx python3-certbot-nginx gnupg
MySQL
Install
Install MySQL Community Server via apt:
wget "https://dev.mysql.com/get/mysql-apt-config_0.8.33-1_all.deb"
dpkg -i "mysql-apt-config_0.8.33-1_all.deb"
apt update && apt install mysql-community-server
Configure
Don't forget to change the password!
Set up a new database and user:
export MYSQL_PASSWD="$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16; echo)"
mysql --execute="CREATE DATABASE fleet; CREATE USER 'fleet'@'localhost' IDENTIFIED BY '${MYSQL_PASSWD}'; GRANT ALL PRIVILEGES ON fleet.* TO 'fleet'@'localhost'; FLUSH PRIVILEGES;"
Redis
Nothing to configure on localhost.
Certbot
certbot certonly --nginx -d fleet.example.com
The default key algorithm from version 2.0.0 is ECDSA. See here how to generate RSA key.
Nginx
nano /etc/nginx/sites-available/fleet.example.com
Template for site config:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name fleet.example.com;

    ssl_certificate /etc/letsencrypt/live/fleet.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fleet.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/fleet.example.com/fullchain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;
    resolver_timeout 5s;

    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy 'strict-origin' always;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name fleet.example.com;
    return 301 https://$host$request_uri;
}
ln -s /etc/nginx/sites-available/fleet.example.com /etc/nginx/sites-enabled/
This is just the site config. Check the other configurations for nginx.
User and Group
Create the group first:
groupadd --system "fleet"
Create the fleet user:
useradd --system --gid="fleet" --create-home --home-dir="/var/lib/fleet" --shell="/usr/sbin/nologin" "fleet"
Binary
Download the binary:
wget 'https://github.com/fleetdm/fleet/releases/download/fleet-v4.62.1/fleet_v4.62.1_linux.tar.gz'
Extract the archive:
tar -xvf fleet_*_linux.tar.gz
Install the binary:
install fleet_*_linux/fleet /usr/local/bin/
Remove the leftover files:
rm -r fleet_*_linux*
Config
Create the directory:
install -o fleet -g fleet -d /etc/fleet
Dump the config:
sudo -u fleet fleet config_dump > /etc/fleet/config.yaml
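Once the dumped file has been edited, it can be checked against the rest of this setup. The script below is an added example, not part of the original page or the Fleet project: it flags a config that other local users can access and a server section that does not match the nginx proxy_pass to http://127.0.0.1:8080. It assumes GNU stat, a YAML layout of top-level sections with indented "key: value" lines, and Fleet's server.address and server.tls keys; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the Fleet config against the nginx/MySQL setup on this page.
# Assumptions: GNU stat (-c), and a YAML file with top-level sections and
# indented "key: value" lines. Function names are hypothetical.

# yaml_get FILE SECTION KEY -> prints the value of KEY inside SECTION.
yaml_get() {
  awk -v s="$2" -v k="$3" '
    /^[^ #]/ { in_s = ($1 == (s ":")) }          # entering a top-level section
    in_s && $1 == (k ":") { v = $2; gsub(/"/, "", v); print v; exit }
  ' "$1"
}

# audit_fleet_config FILE -> prints findings, returns how many there were.
audit_fleet_config() {
  cfg="$1"; findings=0
  mode="$(stat -c '%a' "$cfg")"
  # Last octal digit = permissions for "other"; the file holds mysql.password.
  case "$mode" in
    *[1-7]) echo "FAIL: mode $mode lets any local user access $cfg (try root:fleet, 640)"
            findings=$((findings + 1)) ;;
  esac
  # nginx proxies to http://127.0.0.1:8080, so Fleet only needs loopback.
  addr="$(yaml_get "$cfg" server address)"
  case "$addr" in
    127.0.0.1:*|localhost:*) ;;
    *) echo "FAIL: server.address is '$addr', reachable without nginx"
       findings=$((findings + 1)) ;;
  esac
  # proxy_pass uses plain http, so TLS must be left to nginx.
  tls="$(yaml_get "$cfg" server tls)"
  if [ "$tls" != "false" ]; then
    echo "FAIL: server.tls is '$tls' but nginx speaks http:// to the backend"
    findings=$((findings + 1))
  fi
  return "$findings"
}

if [ "$#" -gt 0 ]; then
  audit_fleet_config "$1"
else
  # Constructed sample, not real output of `fleet config_dump`.
  sample="$(mktemp)"
  printf 'server:\n  address: 0.0.0.0:8080\n  tls: true\n' > "$sample"
  chmod 644 "$sample"
  audit_fleet_config "$sample" || echo "$? finding(s) in constructed sample"
  rm -f "$sample"
fi
```

Run it as root with the path as the argument, for example /etc/fleet/config.yaml; the exit status is the number of findings.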
systemd
nano /etc/systemd/system/fleet.service
[Unit]
Description=Fleet
After=network.target
[Service]
User=fleet
Group=fleet
LimitNOFILE=8192
ExecStart=/usr/local/bin/fleet serve --config /etc/fleet/config.yaml
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
Prepare
sudo -u fleet /usr/local/bin/fleet prepare db --config /etc/fleet/config.yaml
Start
systemctl enable --now fleet