Install
Installing the agent takes a device from factory-fresh to live in the fleet in one step. The same flow gives the device its own identity, the trust anchor it needs to verify updates, and a running, hardened service.
One-line install
The simplest path is the enrollment installer. In the console, open Devices → Add device to mint a short-lived enrollment token, then run the rendered command on the device:
```bash
curl -fsSL https://<your-domain>/install.sh | sudo bash -s -- \
  --token mesh_xxxxxxxxxxxxxxxxxxxx \
  --name jetson-line7-01
```
The installer is plain shell — download and read it first if you prefer. It:
- downloads the agent binary for this CPU architecture (ARM64 or AMD64),
- generates the device's private key locally and builds a certificate signing request — the key never leaves the device,
- exchanges the token for a signed device certificate, the fleet CA, and the trust anchor for updates,
- installs and starts the agent as a hardened systemd service.
Re-running the installer on the same device re-enrolls it with a fresh key and certificate and picks up a new binary.
What gets placed on the device
| Path | Contents |
|---|---|
| /usr/local/bin/meshanics-agent | the agent binary |
| /etc/meshanics/ | device certificate, fleet CA, trust anchor, environment file |
| /var/lib/meshanics/ | agent state — downloaded artifacts and the metadata cache |
| /etc/systemd/system/meshanics-agent.service | the hardened service unit |
The private key is written with restrictive permissions and is readable only by root. On decommission, the agent wipes its key material and update state itself.
The service unit
The installed unit runs the agent under standard systemd hardening — no new privileges, a protected filesystem with a short list of writable paths, a private temporary directory, and a protected home. It restarts on failure with a backoff, but treats a decommission signal as terminal so a removed device does not crash-loop against a fleet that has offboarded it.
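The hardening described above can be checked against the unit file on disk. The script below is an added example, not the project's own code or unit: it assumes the description maps to the standard systemd directives named in its comments, and the sample unit it audits is constructed.

```shell
#!/bin/sh
# Added example: audit a unit file for the hardening described above.
# Directive names are standard systemd options; that this agent's unit uses
# exactly these (RestartPreventExitStatus for decommission) is an assumption.

# unit_value FILE KEY: print the last value assigned to KEY in [Service].
unit_value() {
    awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        !in_service || /^[ \t]*[#;]/ || !index($0, "=") { next }
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_unit FILE: print one FAIL line per finding; exit status = finding count.
audit_unit() {
    n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }
    case "$(unit_value "$1" NoNewPrivileges)" in yes|true|on|1) ;; *) fail "NoNewPrivileges off" ;; esac
    case "$(unit_value "$1" PrivateTmp)" in yes|true|on|1) ;; *) fail "PrivateTmp off" ;; esac
    case "$(unit_value "$1" ProtectSystem)" in strict|full) ;; *) fail "ProtectSystem not strict/full" ;; esac
    case "$(unit_value "$1" ProtectHome)" in yes|true|on|1|read-only|tmpfs) ;; *) fail "ProtectHome off" ;; esac
    [ -n "$(unit_value "$1" ReadWritePaths)" ] || fail "no explicit ReadWritePaths"
    [ "$(unit_value "$1" Restart)" = on-failure ] || fail "Restart is not on-failure"
    [ -n "$(unit_value "$1" RestartSec)" ] || fail "no restart backoff (RestartSec)"
    [ -n "$(unit_value "$1" RestartPreventExitStatus)" ] || fail "no terminal exit status"
    return "$n"
}

# Constructed sample, not the project's real unit; only the paths come from the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Service]
ExecStart=/usr/local/bin/meshanics-agent
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/meshanics
PrivateTmp=yes
Restart=on-failure
RestartSec=5
EOF
audit_unit "$sample" || echo "$? finding(s)"   # 2: ProtectHome, terminal exit status
rm -f "$sample"
```

On an enrolled device, point `audit_unit` at /etc/systemd/system/meshanics-agent.service. `systemd-analyze security meshanics-agent` gives systemd's own assessment of the running service.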
Air-gapped install
Where a device has no path to the internet, the agent can be installed from a local checkout instead of the online token exchange. The binary, the device certificate material, and the trust anchor are staged on the device, and the same hardened service unit is installed. The agent verifies every update identically regardless of how it was enrolled — the trust anchor, not the network path, is what matters.
Confirm it appears
Within a heartbeat the device shows up in Devices, live, with its detected hardware profile. You can check the service directly with `systemctl status meshanics-agent`.