Deployment

SAMURAI Networks is distributed as a single hardened Docker image (beyrak44/samurai). It bundles the Go backend, the React UI behind Nginx, and an embedded MongoDB.

Prerequisites

A host with Docker Engine 20.10+ (or Docker Desktop) and roughly 2 GB of free RAM. SAMURAI Networks ships as a single container, so Docker is the only dependency.

On most Linux hosts:


curl -fsSL https://get.docker.com | sh

See Docker’s official install guide for Windows, macOS, or distribution-specific steps, and verify with docker --version.

Run

Deploy with the Docker CLI or Docker Compose. Both publish ports 80/443; for production, set stable secrets (see Environment) and persist the database in a volume.

docker run

A minimal run, suitable for evaluation:


docker run -d --name samurai -p 80:80 -p 443:443 beyrak44/samurai:latest

To keep the database when the container is removed, add a volume: -v samurai-data:/app/mongo-data.

For production, generate stable secrets once, store them somewhere safe, and pass the same values on every run:


JWT_SECRET_KEY=$(openssl rand -hex 32)
DEVICE_ENCRYPTION_KEY=$(openssl rand -hex 32)
 
docker run -d --name samurai -p 80:80 -p 443:443 \
  -v samurai-data:/app/mongo-data \
  -e JWT_SECRET_KEY="$JWT_SECRET_KEY" \
  -e DEVICE_ENCRYPTION_KEY="$DEVICE_ENCRYPTION_KEY" \
  beyrak44/samurai:latest

Database: external-first, embedded-fallback

The entrypoint decides at runtime:

MONGODB_URL set and reachable → uses your external MongoDB.
MONGODB_URL set but unreachable → falls back to the embedded mongod.
MONGODB_URL unset → uses the embedded mongod.

Mount a volume at /app/mongo-data to persist the embedded database. For a production high-availability database, see Database Redundancy.

Environment

Bootstrap configuration is provided via environment variables; most runtime settings (sync schedule, CORS, branding, timezone) are managed in Settings and hot-reloaded.

Variable	Purpose
`JWT_SECRET_KEY`	Signs session tokens. Set a stable value in production.
`DEVICE_ENCRYPTION_KEY`	64-hex AES-256 key for stored credentials. Set a stable value in production.
`MONGODB_URL`	External MongoDB (optional; the embedded `mongod` is used if unset)
`MONGODB_DATABASE`	Database name (optional)

⚠️

The minimal command above omits JWT_SECRET_KEY and DEVICE_ENCRYPTION_KEY to get you running quickly; the production command sets both. For any persistent deployment, set them to stable values and keep them safe. If DEVICE_ENCRYPTION_KEY later changes, previously stored device credentials can no longer be decrypted; if JWT_SECRET_KEY changes, existing sessions are invalidated.

Device passwords, SMTP/LDAP secrets, and tokens are encrypted at rest with AES-256-GCM. TLS verification is handled per connector.

Licensing

SAMURAI Networks is license-gated. Get a free trial license , then upload your license file in Settings → License, where you can review the active license: customer, validity, per-type device limits and current usage. A running deployment also needs outbound network access to validate the license, covered next.

License verification

SAMURAI Networks validates its license at startup and periodically while running. This needs outbound network access from the SAMURAI Networks server for two things: trusted time (to verify the license has not expired) and the server’s public IP (to enforce IP-locked licenses). All licensing traffic is outbound, so no inbound firewall rules are needed.

Required outbound access

Purpose	Host	Protocol	Port
Trusted time (primary)	`pool.ntp.org`	UDP (NTP)	123
Trusted time (fallback)	`www.google.com`	TCP (HTTPS)	443
Trusted time (fallback)	`cloudflare.com`	TCP (HTTPS)	443
Public IP (consensus)	`checkip.amazonaws.com`	TCP (HTTPS)	443
Public IP (consensus)	`api.ipify.org`	TCP (HTTPS)	443
Public IP (consensus)	`ifconfig.me`	TCP (HTTPS)	443
DNS resolution	your resolver	UDP/TCP	53

What must succeed

Check	Rule
Trusted time	Either UDP 123 to `pool.ntp.org`, or TCP 443 to Google or Cloudflare. One source is enough.
Public IP	At least 2 of the 3 HTTPS sources must be reachable and agree.
Both fail	A 6-hour grace window applies; after that the API returns `403 LICENSE_REQUIRED` until access is restored.

Notes

Allowlist by domain or by port, not by IP. pool.ntp.org is a rotating DNS pool and the IP-lookup services sit behind CDNs, so destination IPs are not stable. Permit the hostnames (egress proxy) or the ports (UDP 123, TCP 443) outbound, and keep DNS (UDP/TCP 53) open.
These endpoints are fixed; there is currently no setting to use an internal NTP server or route through a proxy. Air-gapped or restricted-egress sites that cannot allow this outbound access will reach the 6-hour limit. If you need internal NTP or offline licensing, contact us.
The license is locked to one or more specific public IPs (exact match). The public IP discovered above is what each match is compared against.