Deployment
Supported Platforms
| Platform | Minimum Version |
|---|---|
| Debian | 11+ |
| Ubuntu | 20.04+ |
| Raspberry Pi OS | Bullseye+ |
Architecture Overview
```
┌────────────────────────────────────────────────────────┐
│                      m1nd process                      │
│                                                        │
│  ┌──────────────┐     ┌────────────────────────────┐   │
│  │ asyncio      │     │ Flask (threaded)           │   │
│  │ scheduler    │────>│ web dashboard + REST API   │   │
│  │ (main thd)   │     │ SSE stream                 │   │
│  └──────┬───────┘     └────────────┬───────────────┘   │
│         │                          │                   │
│         v                          v                   │
│  ┌──────────────────────────────────────────────────┐  │
│  │ SQLite (WAL mode)   data/m1nd.db                 │  │
│  │ test_results · alerts · webhooks · subscribers   │  │
│  │ monitors · brain_* · users · app_state           │  │
│  └──────────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────────┘
```

Everything runs in a single Python process: the asyncio scheduler dispatches test jobs, and Flask serves the web dashboard and REST API in threaded mode. All data lives in one SQLite file.
OOB Access — ZeroTier
```bash
curl -s https://install.zerotier.com | sudo bash
sudo systemctl enable --now zerotier-one
```

Join your ZeroTier network from the dashboard: OOB Access > ZeroTier.
OOB Access — Tailscale
```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled
```

Bring up the tunnel from the dashboard: OOB Access > Tailscale.
Reverse Proxy (Optional)
If running behind nginx:
```nginx
server {
    listen 80;
    server_name m1nd.example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_buffering off;  # Required for SSE
        proxy_cache off;
    }
}
```

SSE Support
m1nd uses Server-Sent Events for live dashboard updates. Make sure `proxy_buffering off` is set, or SSE streams will be delayed.
Service Management
```bash
# Start / stop / restart
sudo systemctl start m1nd
sudo systemctl stop m1nd
sudo systemctl restart m1nd

# View logs
sudo journalctl -u m1nd -f

# Check status
sudo systemctl status m1nd
```

Security Hardening
The systemd service includes hardening directives out of the box:
- NoNewPrivileges — prevents privilege escalation
- PrivateTmp — isolated temp directory
- ProtectSystem=full — read-only filesystem except `ReadWritePaths`
- ReadWritePaths — only `data/` and `config.yaml` are writable
- Unprivileged user — runs as `m1nd` system user, not root
- AmbientCapabilities — only `CAP_NET_RAW`, `CAP_NET_ADMIN`, `CAP_NET_BIND_SERVICE`
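
To confirm that the directives listed above are actually in effect on an installed unit (for example after a drop-in override or an upgrade), the following added example audits `systemctl show` output against that list. It is not part of m1nd or its documentation. The function name `audit_hardening`, the sample input and its placeholder paths are constructed for illustration, and it assumes systemd prints capability names in lowercase.

```shell
# Added example, not part of m1nd. Reads KEY=VALUE lines (the format printed by
# `systemctl show`) on stdin, prints one FAIL line per deviation from the list
# above, and returns non-zero if any is found. On a host, feed it with:
#   systemctl show m1nd -p NoNewPrivileges -p PrivateTmp -p ProtectSystem -p User -p AmbientCapabilities -p ReadWritePaths | audit_hardening
audit_hardening() (   # body runs in a subshell so no variables leak
    allowed=" cap_net_raw cap_net_admin cap_net_bind_service "
    rc=0 seen=" "
    fail() { echo "FAIL $*"; rc=1; }
    while IFS='=' read -r key val; do
        seen="$seen$key "
        case "$key" in
            NoNewPrivileges|PrivateTmp)
                [ "$val" = yes ] || fail "$key=$val (want yes)" ;;
            ProtectSystem)
                [ "$val" = full ] || fail "$key=$val (want full)" ;;
            User)   # an empty User= means the service runs as root
                [ "$val" = m1nd ] || fail "User=${val:-root} (want m1nd)" ;;
            AmbientCapabilities)   # assumption: lowercase, space-separated names
                for cap in $val; do
                    case "$allowed" in
                        *" $cap "*) ;;
                        *) fail "unexpected capability $cap" ;;
                    esac
                done ;;
            ReadWritePaths)
                for p in $val; do
                    case "$p" in
                        */data|*/data/|*/config.yaml) ;;
                        *) fail "unexpected writable path $p" ;;
                    esac
                done ;;
        esac
    done
    for key in NoNewPrivileges PrivateTmp ProtectSystem User AmbientCapabilities ReadWritePaths; do
        case "$seen" in
            *" $key "*) ;;
            *) fail "$key not reported" ;;
        esac
    done
    exit "$rc"
)
# Constructed sample of a drifted unit (placeholder paths, not m1nd's real ones).
audit_hardening <<'EOF' || echo "hardening drift detected"
NoNewPrivileges=yes
ProtectSystem=full
User=m1nd
AmbientCapabilities=cap_net_raw cap_sys_admin
ReadWritePaths=/path/to/m1nd/data /etc
EOF
```

The constructed sample reports three deviations: an extra capability, an extra writable path, and a missing `PrivateTmp` line.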