Install Veirox Connect on an airgapped host

Target: Customer hosts that have no outbound access to the
Veirox backend during binary download but do need a one-time
connection at enrollment time. If your network has zero outbound at
any time, the reverse-tunnel architecture of Veirox Connect is
incompatible — use the MCP-server connector model instead.

The airgap installer pulls everything from a local tar.gz bundle you
ship to the customer ahead of time. The only network call made by
install-offline.sh is the final veirox-connector enroll --token ...
which hits /api/connectors/enroll on the Veirox backend.

Build the bundle (on a release host)

# Requires a cosign keypair at $HOME/.veirox/cosign.key
make agent-offline-bundle
# → agent/dist/bin/veirox-connector-0.2.0-x86_64.tar.gz

The Makefile target:

  1. Runs make agent-manifest to regenerate manifest.sha256.
  2. Runs make cosign-sign-manifest to write
    manifest.sha256.sig signed with $COSIGN_KEY.
  3. Packages veirox-connector, veirox-connector.service,
    manifest.sha256, manifest.sha256.sig, and
    install-offline.sh into a single tar.gz.

The resulting tar.gz is ~5 MB for -minimal builds and is
self-verifying.

Ship to the customer

Any out-of-band channel: encrypted USB, signed S3 URL, etc. The tar
contents are all verified against a pinned cosign key baked into
install-offline.sh — tampering during transit is caught at install
time.

Install (on the airgapped host)

# assume the bundle arrived at /tmp/veirox-connector-0.2.0-x86_64.tar.gz
sudo env \
  VEIROX_BACKEND_URL=https://veirox.customer.com \
  VEIROX_ENROLLMENT_TOKEN=veirox_enr_REPLACE_ME \
  bash <(tar -xzOf /tmp/veirox-connector-0.2.0-x86_64.tar.gz \
         veirox-connector-0.2.0-x86_64/install-offline.sh) \
  /tmp/veirox-connector-0.2.0-x86_64.tar.gz

Or unpack first:

tar -xzf /tmp/veirox-connector-0.2.0-x86_64.tar.gz -C /tmp/
sudo env \
  VEIROX_BACKEND_URL=https://veirox.customer.com \
  VEIROX_ENROLLMENT_TOKEN=veirox_enr_REPLACE_ME \
  /tmp/veirox-connector-0.2.0-x86_64/install-offline.sh \
  /tmp/veirox-connector-0.2.0-x86_64

What the installer does

  1. Verifies manifest.sha256.sig against the pinned cosign public
    key using cosign verify-blob (or openssl dgst -verify as a
    fallback for hosts without cosign).
  2. Verifies veirox-connector and veirox-connector.service against
    the digests in manifest.sha256.
  3. Creates the veirox-connector system user.
  4. Installs the binary + unit + drop-in with the backend URL.
  5. Runs veirox-connector enroll --token ... — the ONLY network call.
  6. Enables and starts the service.

Corporate TLS proxy

sudo env \
  VEIROX_BACKEND_URL=https://veirox.customer.com \
  VEIROX_ENROLLMENT_TOKEN=veirox_enr_xxx \
  VEIROX_CONNECTOR_EXTRA_CA_BUNDLE=/etc/ssl/corp-ca.pem \
  /tmp/veirox-connector-0.2.0-x86_64/install-offline.sh \
  /tmp/veirox-connector-0.2.0-x86_64

The installer propagates VEIROX_CONNECTOR_EXTRA_CA_BUNDLE into the
systemd unit drop-in so the agent picks it up on every restart.

Verify

Run the verification checklist.

Upgrade

Build a new bundle on the release host, ship it, re-run
install-offline.sh. The existing cert triple is preserved; only
the binary and unit are replaced.

Uninstall

Same as the systemd guide:

sudo systemctl disable --now veirox-connector
sudo rm -f /etc/systemd/system/veirox-connector.service
sudo rm -rf /etc/systemd/system/veirox-connector.service.d
sudo rm -rf /etc/veirox-connector /var/lib/veirox-connector
sudo rm -f /usr/local/bin/veirox-connector
sudo userdel veirox-connector
sudo systemctl daemon-reload

Troubleshooting

Symptom Fix
manifest signature verification FAILED The bundle was tampered, or the cosign public key in install-offline.sh doesn't match the release's signing key. Re-fetch from a trusted channel.
neither cosign nor openssl is installed Install cosign (or openssl as a fallback) on the host before running the installer.
enrollment failed: connection refused The host has no path to the backend. Airgapped and no enrollment access means you cannot use reverse-tunnel connectors — switch to the MCP-server connector model.