4380aa790d
Passwords with $, &, ;, [, etc. were written unquoted to .env and cameleer.conf, causing Docker Compose to mangle them. Now all password and secret fields are written as KEY='value' with embedded single quotes escaped as '\''. Also removes inline DB_URL from docker-compose.saas.yml — the Logto entrypoint now builds it from PG_USER/PG_PASSWORD/PG_HOST using node's encodeURIComponent for URL-safe encoding. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Cameleer SaaS Installer
One-line installer for the Cameleer observability platform. Deploys as Docker containers behind Traefik with automatic TLS, Logto OIDC, and multi-tenant provisioning.
Quick Start
Linux / macOS:
bash -c "$(curl -fsSL https://registry.cameleer.io/cameleer/cameleer-saas-installer/raw/branch/main/get-cameleer.sh)"
Windows (PowerShell):
irm https://registry.cameleer.io/cameleer/cameleer-saas-installer/raw/branch/main/get-cameleer.ps1 | iex
The bootstrap downloads the installer into ./installer/ and launches it immediately. The interactive prompts run in your terminal.
Pin a version:
bash -c "$(curl -fsSL .../get-cameleer.sh)" -- --version=v1.0.0
& ([scriptblock]::Create((irm .../get-cameleer.ps1))) -Version v1.0.0
Any extra arguments are forwarded to install.sh / install.ps1 (e.g. --silent, --expert, --public-host=…).
Deployment Modes
| Multi-tenant SaaS | Standalone | |
|---|---|---|
| Containers | Traefik, PostgreSQL, ClickHouse, Logto, Cameleer SaaS | Traefik, PostgreSQL, ClickHouse, Server, Server UI |
| Auth | Logto OIDC (platform admin + tenant users) | Local auth (built-in admin, no IdP) |
| Tenants | Create/manage multiple tenants via UI | Single server instance |
| Use case | Platform vendor managing customers | Single customer running the product |
Installation Modes
| Mode | Flag | Description |
|---|---|---|
| Simple | (default) | 6 questions, sensible defaults |
| Expert | --expert |
Configure everything |
| Silent | --silent |
Fully automated, all values from CLI/env/config |
Upgrade / Reconfigure
Re-running the installer on an existing installation presents a menu:
[1] Upgrade — pull new images, update compose, restart
[2] Reconfigure — re-run interactive setup, preserve data
[3] Reinstall — fresh install (destroys data volumes)
[4] Cancel
Configuration Reference
Settings can be provided via CLI flags, environment variables, config file (cameleer.conf), or interactive prompts. Priority (highest to lowest):
- CLI arguments
- Environment variables
- Config file (via
--configor auto-detected) - Interactive prompts
- Default values
Hostname & Protocol
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| Public hostname | --public-host |
PUBLIC_HOST |
public_host |
auto-detected |
| Auth hostname | --auth-host |
AUTH_HOST |
auth_host |
same as PUBLIC_HOST |
| Protocol | --public-protocol |
PUBLIC_PROTOCOL |
public_protocol |
https |
PUBLIC_HOST is the primary hostname for the platform. AUTH_HOST defaults to the same value (single-domain setup). Set a separate AUTH_HOST only if Logto runs on a dedicated domain.
Admin Credentials
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| Admin username | --admin-user |
SAAS_ADMIN_USER |
admin_user |
admin |
| Admin password | --admin-password |
SAAS_ADMIN_PASS |
admin_password |
auto-generated |
In standalone mode, the env vars are SERVER_ADMIN_USER / SERVER_ADMIN_PASS.
TLS Certificates
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| TLS mode | --tls-mode |
TLS_MODE |
tls_mode |
self-signed |
| Certificate file | --cert-file |
CERT_FILE |
cert_file |
— |
| Private key file | --key-file |
KEY_FILE |
key_file |
— |
| CA bundle | --ca-file |
CA_FILE |
ca_file |
— |
Set --tls-mode=custom and provide PEM-encoded certificate files. With self-signed, a certificate is auto-generated at install time.
Network Ports
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| HTTP port | --http-port |
HTTP_PORT |
http_port |
80 |
| HTTPS port | --https-port |
HTTPS_PORT |
https_port |
443 |
| Logto console port | --logto-console-port |
LOGTO_CONSOLE_PORT |
logto_console_port |
3002 |
| Logto console exposed | --logto-console-exposed |
LOGTO_CONSOLE_EXPOSED |
logto_console_exposed |
true |
HTTP traffic is auto-redirected to HTTPS. The Logto admin console is bound to 127.0.0.1 by default (localhost only). Set --logto-console-exposed to bind on all interfaces.
Database Passwords
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| PostgreSQL password | --postgres-password |
POSTGRES_PASSWORD |
postgres_password |
auto-generated |
| ClickHouse password | --clickhouse-password |
CLICKHOUSE_PASSWORD |
clickhouse_password |
auto-generated |
Auto-generated passwords are stored in credentials.txt inside the install directory.
Docker
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| Docker socket | --docker-socket |
DOCKER_SOCKET |
docker_socket |
/var/run/docker.sock |
| Compose project name | --compose-project |
COMPOSE_PROJECT |
compose_project |
cameleer-saas |
The Docker socket is required for tenant provisioning (SaaS mode) — the platform creates per-tenant server containers on demand.
Image Registry
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| Registry | --registry |
REGISTRY |
registry |
gitea.siegeln.net/cameleer |
| Registry username | --registry-user |
REGISTRY_USER |
registry_user |
— |
| Registry token | --registry-token |
REGISTRY_TOKEN |
registry_token |
— |
| Image version | --version |
VERSION |
version |
latest |
For private registries, provide credentials and the installer runs docker login before pulling. The registry prefix is applied to all container images.
SMTP (SaaS Mode)
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| SMTP host | --smtp-host |
SMTP_HOST |
smtp_host |
— |
| SMTP port | --smtp-port |
SMTP_PORT |
smtp_port |
587 |
| SMTP username | --smtp-user |
SMTP_USER |
smtp_user |
— |
| SMTP password | --smtp-pass |
SMTP_PASS |
smtp_pass |
— |
| From email | --smtp-from-email |
SMTP_FROM_EMAIL |
smtp_from_email |
noreply@<PUBLIC_HOST> |
SMTP is required for self-service sign-up (email verification codes). Without it, only admin-created users can sign in.
Monitoring
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| Monitoring network | --monitoring-network |
MONITORING_NETWORK |
monitoring_network |
— |
Specify an external Docker network name to attach containers for Prometheus scraping. Containers expose metrics via prometheus.io/* labels.
TLS Verification
| Setting | CLI Flag | Env Var | Config Key | Default |
|---|---|---|---|---|
| Node TLS reject | --node-tls-reject |
NODE_TLS_REJECT |
node_tls_reject |
0 (self-signed) / 1 (custom) |
Controls NODE_TLS_REJECT_UNAUTHORIZED inside the Logto container. Set to 0 for self-signed certificates, 1 for production certificates from a trusted CA.
Auto-Generated Secrets
These are generated automatically and never need to be set manually:
| Secret | Env Var | Description |
|---|---|---|
| JWT signing secret | CAMELEER_SERVER_SECURITY_JWTSECRET |
Shared secret for JWT token signing across provisioned tenant servers |
| Bootstrap token | BOOTSTRAP_TOKEN |
Server initialization token (standalone mode only) |
Architecture
┌─────────────────────────────────────┐
│ Traefik :443 │
│ TLS termination + path routing │
└──────┬──────────────┬───────────────┘
│ │
/platform/* │ │ /* (catch-all)
│ │
┌──────▼──────┐ ┌─────▼──────────┐
│ Cameleer │ │ Logto │
│ SaaS :8080 │ │ OIDC :3001 │
│ Vendor + │ │ Custom sign-in │
│ Tenant UI │ │ Admin :3002 │
└──────┬─────┘ └─────────────────┘
│
Docker API │ provisions per-tenant
│
┌──────▼──────────────────────┐
│ /t/{slug}/* │
│ cameleer-server + server-ui │
│ (one pair per tenant) │
└─────────────────────────────┘
All services share a single hostname. Routing:
| Path | Target |
|---|---|
/platform/* |
Cameleer SaaS management plane |
/t/{slug}/* |
Per-tenant server dashboard |
/* |
Logto (sign-in, OIDC, experience API) |
/ |
Redirect to /platform/ |
Files
| File | Purpose |
|---|---|
get-cameleer.sh |
Bootstrap script (bash) — downloads installer files and launches install.sh |
get-cameleer.ps1 |
Bootstrap script (PowerShell) — downloads installer files and launches install.ps1 |
install.sh |
Main installer (Linux / macOS) — interactive or silent deployment |
install.ps1 |
Main installer (Windows PowerShell) — interactive or silent deployment |
templates/docker-compose.yml |
Base infrastructure (Traefik, PostgreSQL, ClickHouse) |
templates/docker-compose.saas.yml |
SaaS mode (Logto + management plane) |
templates/docker-compose.server.yml |
Standalone mode (server + UI) |
templates/docker-compose.tls.yml |
Overlay: custom TLS certificate volume |
templates/docker-compose.monitoring.yml |
Overlay: external monitoring network |
templates/traefik-dynamic.yml |
Traefik TLS certificate configuration |
templates/.env.example |
Documented environment variable template |
Silent Install Example
./install.sh --silent \
--public-host=app.example.com \
--admin-user=admin \
--admin-password=s3cret \
--tls-mode=custom \
--cert-file=/etc/ssl/cert.pem \
--key-file=/etc/ssl/key.pem \
--smtp-host=smtp.example.com \
--smtp-user=noreply@example.com \
--smtp-pass=mailpass \
--registry=registry.example.com/cameleer \
--registry-user=deploy \
--registry-token=ghp_xxx
License
Proprietary. See cameleer.io for licensing.