Self-Hosted Package Installation Guide

Deploy ManageLM on bare-metal or VM with the self-extracting installer.

Overview

The ManageLM installer is a single self-extracting .sh.gz file that includes the portal, agent source, and a bundled Node.js runtime. No prerequisites need to be installed on the target server — just download, extract, and run.

What's included	Description
ManageLM Portal	Web UI, API, MCP server, task engine
Agent source	Served to managed hosts for agent installation and auto-updates
Node.js runtime	Bundled runtime — no system Node.js needed

The installer handles both first install and upgrades. On upgrade, your configuration (.env) is preserved automatically.

Prefer Docker? See the Self-Hosted Docker Installation Guide. Don't want to self-host? Use the managed SaaS at app.managelm.com.

Requirements

Linux (x64 or arm64) — Debian, Ubuntu, RHEL, Rocky, AlmaLinux, etc.
PostgreSQL 15+ — application database
Redis 7+ (or Valkey) — sessions, pub/sub, rate limiting
A domain name with trusted TLS for production. Agents verify the certificate chain against the host's system trust store and reject self-signed or untrusted CAs — this applies even on private networks. See Reverse Proxy for the options.
1 GB RAM minimum

Node.js is bundled in the installer — no system packages required beyond the database and cache.

Claude connector — pick the right flow for your network. Claude's Custom Connector setup (Pro / Max / Team, with OAuth) routes the OAuth token exchange and every MCP tool call through Anthropic's backend — so your SERVER_URL must be reachable from the public internet (public DNS + open 443) for it to work. If your ManageLM is private / internal-only (no public DNS or firewalled), the Custom Connector flow will fail at the token-exchange step with an opaque "Authorization failed" error. For those deployments, use the Claude Free / claude_desktop_config.json or Claude Code path instead: mcp-remote runs locally inside Claude Desktop / Claude Code, so private hostnames resolve and no MCP traffic leaves your network. Both options are documented in Connect Claude.

Download

Download the latest release for your architecture from GitHub Releases.

Then extract and run:

gunzip managelm-<version>-linux-<arch>.sh.gz

Install

Run the installer as root:

sudo bash managelm-<version>-linux-<arch>.sh

The installer will prompt for:

Prompt	Default	Description
Service user	`managelm`	System user the portal runs as
Portal port	`3000`	HTTP listen port (behind reverse proxy)
Register systemd service?	`Y`	Creates and enables `managelm-server.service`

For unattended installation, use --yes to accept all defaults:

sudo bash managelm-<version>-linux-<arch>.sh --yes

Other flags:

  --install-dir DIR   Override install directory (default: /opt/managelm-server)
  --user USER         Service user (default: managelm)
  --port PORT         Portal port (default: 3000)
  --no-systemd        Skip systemd service registration

Configure

Set up PostgreSQL and Redis first — see PostgreSQL Setup and Redis Setup below for the full procedure (creating the user, granting schema access, enabling persistence). The portal will fail to start until both are reachable with valid credentials.

Once PostgreSQL and Redis are running, edit the .env file:

sudo vi /opt/managelm-server/portal/.env

At minimum, set these values:

# How browsers and agents reach the portal
SERVER_URL=https://managelm.example.com

# PostgreSQL connection (created in the PostgreSQL Setup section below)
DATABASE_URL=postgresql://managelm:your-password@localhost:5432/managelm

# Redis connection
REDIS_URL=redis://localhost:6379

# Sender email (only effective when SMTP_HOST is also set)
[email protected]

Then start the service:

systemctl start managelm-server

Check it's running:

systemctl status managelm-server
curl -s http://localhost:3000/health

First Steps After Install

Once the portal is running:

Set up a reverse proxy with TLS (nginx or Apache) for production.
Register your account at your SERVER_URL. The first user becomes the account owner.
Configure the LLM — Local (Ollama), Cloud, or Proxied access mode.
Import skills from the built-in catalog.
Install an agent on your first server.
Connect Claude via MCP.

SERVER_URL must match how clients reach the portal. Agents derive their WebSocket URL from this value, so it must be the exact address reachable from agent machines.

For detailed instructions on all portal features, see the Portal Documentation.

Reverse Proxy

Place a reverse proxy in front of the portal for TLS. WebSocket support is required for agent connections.

Agents require a trusted TLS chain. They verify the portal's certificate against the agent host's system trust store and reject anything they can't verify — this includes self-signed certificates and certificates issued by a private CA the host doesn't trust. The same applies on private networks: a LAN-only deployment still needs a certificate the agent can validate.

Public domain, private IPs: use Let's Encrypt with the DNS-01 challenge — works for any domain you control via DNS, regardless of whether the portal is reachable from the public internet. This is the simplest path for most internal deployments.
Internal (private) CA: distribute the CA root certificate to every agent host's system trust store (/etc/pki/ca-trust/source/anchors/ on RHEL family, /usr/local/share/ca-certificates/ on Debian/Ubuntu) before enrolling the agent.
Plain HTTP / no TLS: agents will connect over ws://, but credentials and task payloads travel unencrypted. Acceptable only for local testing on a trusted LAN, never for production.

nginx

server {
    listen 443 ssl http2;
    server_name managelm.example.com;

    ssl_certificate     /etc/ssl/certs/managelm.pem;
    ssl_certificate_key /etc/ssl/private/managelm.key;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
}

Apache

<VirtualHost *:443>
    ServerName managelm.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/managelm.pem
    SSLCertificateKeyFile /etc/ssl/private/managelm.key

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]

    ProxyTimeout 86400
</VirtualHost>

Agents stuck connecting? Check that your proxy forwards the Upgrade and Connection headers for WebSocket.

SMTP / Email

The portal sends emails for account verification, password resets, and team invitations. When SMTP_HOST is not set, email sending is disabled entirely — no connection attempts are made.

To enable emails, configure an SMTP relay (Brevo, Mailgun, SendGrid, etc.):

SMTP_HOST=smtp.brevo.com
SMTP_PORT=587
SMTP_SECURE=starttls
SMTP_USER=your-username
SMTP_PASS=your-password

PostgreSQL Setup

ManageLM requires PostgreSQL 15+ (16 recommended). The portal runs migrations automatically on startup and needs full control over its schema.

Create the database and user

# Connect as a PostgreSQL superuser
sudo -u postgres psql

-- Create the ManageLM user
CREATE USER managelm WITH PASSWORD 'your-strong-password';

-- Create the database owned by that user
CREATE DATABASE managelm OWNER managelm;

-- Connect to the new database
\c managelm

-- Grant full schema permissions (required for migrations)
GRANT ALL ON SCHEMA public TO managelm;

-- PostgreSQL 15+ changed defaults — grant CREATE explicitly
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT ALL ON TABLES TO managelm;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT ALL ON SEQUENCES TO managelm;

\q

Allow remote connections (if PostgreSQL is on a different host)

# In postgresql.conf
listen_addresses = '*'

# In pg_hba.conf — allow the portal host
host  managelm  managelm  10.0.0.0/8  scram-sha-256

Restart PostgreSQL: systemctl restart postgresql

Set DATABASE_URL in .env

DATABASE_URL=postgresql://managelm:your-strong-password@localhost:5432/managelm

Test the connection

psql "postgresql://managelm:your-strong-password@localhost:5432/managelm" -c "SELECT 1;"

SSL/TLS: For encrypted connections, set DB_SSL=require in .env. To verify the server certificate, use DB_SSL=verify-ca with DB_SSL_CA=/path/to/ca.pem.

Redis Setup

ManageLM requires Redis 7+ (or Valkey). It is used for real-time agent communication, session state, and pub/sub — it must be available at all times.

Enable persistence (recommended)

# In redis.conf
appendonly yes
appendfsync everysec

Set REDIS_URL in .env

# Without authentication
REDIS_URL=redis://localhost:6379

# With authentication (Redis 6+ ACL)
REDIS_URL=redis://username:password@redis-host:6379

Test the connection
```
redis-cli ping
# Expected: PONG
```

Redis TLS: Set REDIS_TLS=on in .env for encrypted connections. Use a rediss:// URL scheme.

Environment Variables

All settings are in /opt/managelm-server/portal/.env. The full reference is the same as the Docker guide.

Required

Variable	Description
`SERVER_URL`	The public URL that browsers and agents use to reach the portal. This must be the externally reachable address — agents derive their WebSocket connection from it. Behind a reverse proxy (recommended for production): use the proxy's public URL with `https://`. Do not include the portal port — the proxy listens on 443. Example: `https://managelm.example.com` Without a reverse proxy (testing / LAN): use the server IP or hostname with `http://` and include the portal port. Example: `http://192.168.1.10:3000`
`DATABASE_URL`	PostgreSQL connection string
`REDIS_URL`	Redis connection string
`SMTP_FROM`	Sender email address. Validated at startup but only effective when `SMTP_HOST` is also set; otherwise no emails are sent.

Strongly recommended

Set this before adding cloud connectors, configuring an LLM API key, enrolling agents, or generating a PKI CA — the portal starts without it (warning only), but any feature that encrypts data at rest will fail until it's configured. Rotating the key invalidates existing encrypted rows, so set it once and keep it.

Variable	Default	Description
`ENCRYPTION_KEY`	—	AES-256 master key for secrets at rest: cloud connector credentials, LLM API keys, agent signing keys, PKI CA private keys. Must be a 64-character hex string. Generate with: `openssl rand -hex 32`

Database & Redis

Variable	Default	Description
`DB_SSL`	`none`	SSL mode (`none`, `require`, `verify`, `verify-ca`)
`DB_SSL_CA`	—	Path to CA certificate file (used with `DB_SSL=verify-ca`)
`DB_POOL_MAX`	`20`	Maximum PostgreSQL connections per portal worker
`REDIS_TLS`	`auto`	Redis TLS (`auto` = on for `rediss://`/`valkeys://`, `on` = force, `off` = skip)
`REDIS_DB`	`0`	Logical database number (0–15). Useful when sharing a Redis instance.

SMTP & DKIM

Variable	Default	Description
`SMTP_HOST`	—	SMTP server hostname. When empty, email is disabled (no connection attempts).
`SMTP_PORT`	`25`	SMTP port (587 for STARTTLS, 465 for implicit TLS)
`SMTP_SECURE`	`none`	`none`, `starttls`, `tls`
`SMTP_USER`	—	SMTP authentication username (for external relays)
`SMTP_PASS`	—	SMTP authentication password
`DKIM_DOMAIN`	—	DKIM signing domain (set to enable DKIM signing)
`DKIM_SELECTOR`	`default`	DKIM selector published in DNS
`DKIM_PRIVATE_KEY`	—	Inline DKIM private key in PEM format. Prefer `DKIM_PRIVATE_KEY_PATH` — env vars expose keys to anything that can read the process environment.
`DKIM_PRIVATE_KEY_PATH`	—	Path to DKIM private key file (read at startup, never logged)

Optional

Variable	Default	Description
`SERVER_PORT`	`3000`	Portal listen port
`CLUSTER_WORKERS`	`2`	Node.js cluster workers (set to `1` to disable)
`LOG_LEVEL`	`info`	`trace`, `debug`, `info`, `warn`, `error`

Advanced

Variable	Default	Description
`DEFAULT_TIMEZONE`	`UTC`	Default timezone for the portal UI and notifications
`ACCESS_TOKEN_TTL`	`86400`	Access token lifetime in seconds (default 24h). Opaque tokens stored in Redis.
`REFRESH_TOKEN_TTL`	`2592000`	Refresh token lifetime in seconds (default 30d)
`TASK_TIMEOUT_SECONDS`	`300`	Max synchronous task wait (5 min default)
`TASK_LOG_RETENTION_DAYS`	`30`	Task log retention before automatic cleanup
`AUDIT_LOG_RETENTION_DAYS`	`90`	Audit log retention before automatic cleanup
`FILE_TRANSFER_MAX_BYTES`	`26214400`	Max file transfer size (default 25 MB)

File Layout

/opt/managelm-server/
├── nodejs/          # Bundled Node.js runtime
│   └── bin/node
├── portal/          # ManageLM portal application
│   ├── dist/        # Compiled backend (bytecode)
│   ├── web/dist/    # Frontend build
│   ├── node_modules/
│   ├── cluster.cjs  # Multi-worker entry point
│   ├── loader.cjs   # Bytecode loader
│   ├── .env         # Configuration (root:managelm 640)
│   └── ...
└── agent/           # Agent source (served to managed hosts)
    ├── managelm-agent.py
    ├── lib/
    └── bin/

All files are owned by root:root except .env which is root:<service-user> 640. The service user can read the configuration but cannot modify any binaries.

Upgrading

Download the new release and run it on the same server. The installer detects the existing installation and upgrades in place:

gunzip managelm-<version>-linux-<arch>.sh.gz
sudo bash managelm-<version>-linux-<arch>.sh

The upgrade will:

Stop the running service
Replace compiled code, static assets, and the bundled Node.js runtime
Reinstall production dependencies
Update the systemd unit file
Preserve your .env (never overwritten)
Restart the service

Database migrations run automatically on startup.

Backup & Restore

PostgreSQL holds the durable data and is the only thing you strictly need to back up. Redis is rebuilt from PostgreSQL on portal startup; back it up only if you want to preserve in-flight sessions across restores. Don't forget to copy .env — it holds ENCRYPTION_KEY and is not regenerable.

Backup

# PostgreSQL (run regularly)
pg_dump -U managelm managelm > managelm-backup-$(date +%F).sql

# Configuration (contains ENCRYPTION_KEY — store securely)
cp /opt/managelm-server/portal/.env ./env-backup-$(date +%F)

# Optional — Redis snapshot (in-flight session state)
redis-cli BGSAVE
cp /var/lib/redis/dump.rdb ./redis-backup-$(date +%F).rdb

Restore

# Stop the portal
systemctl stop managelm-server

# Restore PostgreSQL
psql -U managelm managelm < managelm-backup-YYYY-MM-DD.sql

# Restore configuration (if needed)
cp env-backup-YYYY-MM-DD /opt/managelm-server/portal/.env

# Start the portal — Redis state rebuilds automatically (users will need to log in again)
systemctl start managelm-server

Monitoring

# Service status
systemctl status managelm-server

# Health check
curl -s http://localhost:3000/health

# Live logs
journalctl -u managelm-server -f

# Last 100 lines
journalctl -u managelm-server -n 100

Uninstall

# Stop and disable the service
systemctl stop managelm-server
systemctl disable managelm-server
rm /etc/systemd/system/managelm-server.service
systemctl daemon-reload

# Remove the install directory
rm -rf /opt/managelm-server

# (Optional) Remove the service user
userdel managelm

This does not remove PostgreSQL or Redis data. Drop the database manually if no longer needed:

sudo -u postgres dropdb managelm
sudo -u postgres dropuser managelm

Troubleshooting

Portal won't start

Check logs: journalctl -u managelm-server -n 50
Verify DATABASE_URL and REDIS_URL in .env are correct.
Test PostgreSQL: psql "$DATABASE_URL" -c "SELECT 1;"
Test Redis: redis-cli ping
Check for port conflicts: ss -tlnp | grep 3000

Agents can't connect

Verify SERVER_URL in .env is reachable from the agent server.
Check reverse proxy forwards WebSocket headers. See Reverse Proxy.
Test: curl -I https://your-hostname/health

Database permission errors

"permission denied for schema public" — Connect as a superuser and run:
GRANT ALL ON SCHEMA public TO managelm;
"permission denied for relation …" — The user needs ownership or full grants. Re-run:
ALTER DATABASE managelm OWNER TO managelm;
"FATAL: password authentication failed" — Check DATABASE_URL credentials match the PostgreSQL user. Test with psql first.
"could not connect to server: Connection refused" — Verify listen_addresses in postgresql.conf and check pg_hba.conf allows the portal host.
Managed PostgreSQL (AWS RDS, GCP Cloud SQL, etc.) — The managed user is usually not a superuser. Grant schema access explicitly and ensure the security group / firewall allows the portal.

Email not sending

Without SMTP_HOST, email is disabled. Set it to your SMTP server.
Check logs: journalctl -u managelm-server | grep -i mail

.env permission denied

The .env file is root:managelm 640. Edit with sudo.
After editing, verify permissions: ls -la /opt/managelm-server/portal/.env