Initial Setup

This section aims to make setting up your server to host an instance of BOMnipotent Server as easy as possible.

The setup consists of the following, necessary steps:

After that you can configure the server to your personal needs.

Starting the Server

Several setup variants are presented here. You can pick the one best suited to your needs, and modify it at will. If you do not know where to start, the setup via docker compose is an excellent choice.

After following the steps of one of the variants, your server has a default configuration and should be reachable from the internet. After that, you should create an admin user account .

Docker Compose

The recommended and easiest setup for BOMnipotent Server uses docker compose .

Suggested File Structure

The suggested file structure in the favourite directory of your server looks like this:

├── .env
├── bomnipotent_config
│   ├── config.toml
│   └── config.toml.default
└── compose.yaml

This tutorial will walk through the files and explain them one by one.

.env

BOMnipotent server communicates with a database. Currently, only PostgreSQL is supported as a backend. The database is protected by a password. It is best practice to store the password inside a separate .env file instead of directly in the compose.yaml.

The name of the file must be “.env”, otherwise docker will not recognise it.

Your .env file should look like this:

BOMNIPOTENT_DB_PW=<your-database-password>

If you are using a versioning system to store your setup, do not forget to add “.env” to your .gitignore or analogous ignore file!

To put the security into perspective: The compose file will not directly expose the PostgreSQL container to the internet. The password is therefore only used for calls within the container network.

config.toml

BOMnipotent Server needs a configuration file, which is explained in more detail in another section .

The name of the file is arbitrary in principle, but the ready-to-deploy BOMnipotent Server docker container is set up to look for “config.toml”.

A minimal configuration looks like this:

# The db_url has the structure [db_client]://[user]:[password]@[container]:[port]/[db]
# Note that ${BOMNIPOTENT_DB_PW} references an environment variable.
db_url = "postgres://bomnipotent_user:${BOMNIPOTENT_DB_PW}@bomnipotent_db:5432/bomnipotent_db"
# Domain behind which bomnipotent server will be hosted
domain = "https://<your-domain>.<top-level>"

[tls]
# The path to your full TLS certificate chain
certificate_chain_path = "/etc/ssl/certs/<your-TLS-certificate-chain.crt>"
# The path to your secret TLS key
secret_key_path = "/etc/ssl/private/<your-secret-TLS-key>"

# Publisher data according to the CSAF Standard linked below
[provider_metadata.publisher]
name = "<Provide the name of your organsiation>"
# Namespace of your organisation, in form of a complete URL
namespace = "https://<your-domain>.<top-level>"
# This is most likely the enum variant you want
category = "vendor"
# Contact details are optional and in free form
contact_details = "<For security inquiries, please contact us at...>"

Fill in the braces with your data.

The section about TLS configuration contains more detailed information to avoid common pitfalls.

The publisher data is used to comply with the OASIS CSAF standard .

The section about provider-metadata goes into more details what the fields actually mean.

It is recommended to store your config.toml file inside a dedicated directory, “bomnipotent_config” in this example. The docker compose file will grant read access to this folder. This setup has two advantages:

In the unlikely case of a security breach of the BOMnipotent Server container, an attacker would only have access to you config directory, and nothing else on your server.
BOMnipotent Server will watch the directory for changes and will try to reload the configuration file if it has changed. This does not work when exposing only a single file to the docker container.

Many configuration values support hot reloading, meaning they can be modified without restarting the server.

After having set up your config.toml, you may want to copy it as for example config.toml.default, to be able to quickly restore your initial configuration. This is entirely optional, though.

compose.yaml

The compose file is where you specify the container setup. Once it is running smoothly, it does not need to be modified very often, but initially understanding it can take some time if you are new to docker.

The file needs to be called “compose.yaml”, docker can be a bit pecky otherwise.

A completely ready to deploy compose file

looks like this: f11f105efb09a356854f7c5"> cstyle initial active" tabindex="-1" 356854f7c5','annotated')" > cstyle initial" 356854f7c5','not-annotated')" span> cstyle initial active"> tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;">

# Giving the setup a name is optional, it will be derived by docker otherwise. style="color:#f92672">name: bomnipotent_server_containers style="color:#75715e"># The docker containers need to communicate, and they need a network for that. style="color:#f92672">networks: # This network needs a reference bomnipotent_network: # Since the containers are on the same docker host, "bridge" is a reasonable driver choice. driver: bridge # Giving the network the same name as the reference is ok. name: bomnipotent_network style="color:#f92672">volumes: # Define the volume for persistent storage of the database bomnipotent_data: driver: local # The server itself also needs persistence if you do not want to activate the subscription after every reboot bomnipotent_subscription: driver: local style="color:#f92672">services: bomnipotent_db: # Name of the database container container_name: bomnipotent_db deploy: resources: limits: # Limit the CPU usage to 0.5 cores cpus: "0.5" # Limit the memory usage to 512MB memory: "512M" environment: # Set the database name POSTGRES_DB: bomnipotent_db # Set the database user POSTGRES_USER: bomnipotent_user # Set the database password from the .env file variable POSTGRES_PASSWORD: ${BOMNIPOTENT_DB_PW} healthcheck: # Check if the database is ready test: ["CMD-SHELL", "pg_isready -U bomnipotent_user -d bomnipotent_db"] # Interval between health checks interval: 60s # Timeout for each health check timeout: 10s # Number of retries before considering the container unhealthy retries: 5 # Start period before the first health check start_period: 10s # Use the specified PostgreSQL image # You may ddjust the container tag at will image: postgres:17-alpine3.21 logging: # Use the local logging driver driver: local options: # Limit the log size to 10MB max-size: "10m" # Keep a maximum of 3 log files max-file: "3" networks: # Connect to the specified network - bomnipotent_network # Restart the container if it has stopped for some reason other than a user command restart: always volumes: # Mount the volume for persistent data storage - bomnipotent_data:/var/lib/postgresql/data bomnipotent_server: # Name of the server container container_name: bomnipotent_server depends_on: # Ensure the database service is healthy before starting the server bomnipotent_db: condition: service_healthy deploy: resources: limits: # Limit the CPU usage to 0.5 cores cpus: "0.5" # Limit the memory usage to 512MB memory: "512M" environment: # Pass the database password on to the server. BOMNIPOTENT_DB_PW: ${BOMNIPOTENT_DB_PW} healthcheck: # Check if the server is healthy # Your TLS certificate is most likely not valid for "localhost" # Hence the --insecure flag test: ["CMD-SHELL", "curl --fail --insecure https://localhost:8443/health || exit 1"] # Interval between health checks interval: 60s # Timeout for each health check timeout: 10s # Number of retries before considering the container unhealthy retries: 5 # Start period before the first health check start_period: 10s # This is the official docker image running a BOMnipotent Server instance. image: wwhsoft/bomnipotent_server:latest logging: # Use the local logging driver driver: local options: # Limit the log size to 10MB max-size: "10m" # Keep a maximum of 3 log files max-file: "3" networks: # Connect to the specified network - bomnipotent_network ports: # Map port 443 on the host to port 8443 on the container # This allows to connect to it via encrypted communication from the internet - target: 8443 published: 443 # Restart the container if it has stopped for some reason other than a user command restart: always volumes: # Bind mount the config folder on the host - type: bind source: ./bomnipotent_config target: /etc/bomnipotent_server/configs/ read_only: true # Bind mount the SSL directory - type: bind source: /etc/ssl target: /etc/ssl read_only: true # The subscription can be stored inside the container - bomnipotent_subscription:/root/.config/bomnipotent

Creating an Admin

Several interactions with BOMnipotent require a user with admin rights. One of these is granting a new user admin rights. This means that some kind of bootstrapping mechanism is required.

Step 1: Create User

First, you will need to create a user account :

bomnipotent_client --domain=<server> user request <your-email>

bomnipotent_client -d <server> user request <your-email>

[INFO] Generating new key pair
[INFO] Storing secret key to "/home/simon/.config/bomnipotent/secret_key.pem" and public key to "/home/simon/.config/bomnipotent/public_key.pem"
[INFO] User request submitted. It now needs to be confirmed by a user manager.

To make things a litle less verbose, let’s store the domain of your server and your email address in a user session :

bomnipotent_client --domain=<server> --email=<your-email> session login

bomnipotent_client -d <server> -e <your-email> session login

[INFO] Storing session data in /home/simon/.config/bomnipotent/session.toml

Step 2: Mark User as TMP Admin

Due to security reasons, the user needs to already exist in the database at this point. Otherwise, a malicious actor could anticipate the email address you use for your admin, and make their own request at an opportune time. To prevent this, the tmp admin mechanism blocks all requests to newly add this particular user to the database.

Next, you will become the user manager that was mentioned in the server reply: Log onto your server machine, and in your server configuration file prepend

tmp_admin = "<your-email>"

It is important to add this line at the beginning of the file, otherwise BOMnipotent might try to interpret this field as part of another section.

Your server logs should now show that the configuration has been reloaded, in addition to the user request you made earlier.

docker logs bomnipotent_server

...
2025-03-06 11:30:15 +00:00 [INFO] Received POST request from 101.102.103.104 to https://bomnipotent.wwh-soft.com/user/info@wwh-soft.com
2025-03-06 11:32:56 +00:00 [INFO] Configuration successfully reloaded from "/etc/bomnipotent_server/configs/config.toml"
...

Step 3: Make User a full Admin

The server now treats authenticated requests from that user as if that user was an admin. To become a permanent admin, you first need to approve your user request. Back on the client, call

bomnipotent_client user approve <your-email>

[INFO] Changed status of info@wwh-soft.com to APPROVED

Now you can make yourself a full server admin:

bomnipotent_client user-role add <your-email> admin

[INFO] Added role to user

Step 4: Remove TMP Admin Mark

The stat of being a temporary admin is intended to be, well, temporary. The server logs a warning whenever you use temporary access rights:

docker logs bomnipotent_server -n 4

2025-03-06 14:51:35 +00:00 [INFO] Received POST request from info@wwh-soft.com to https://bomnipotent.wwh-soft.com/user/info@wwh-soft.com/roles
2025-03-06 14:51:35 +00:00 [WARN] Temporary admin functionality is enabled for info@wwh-soft.com
2025-03-06 14:51:35 +00:00 [INFO] User info@wwh-soft.com was authenticated as a temporary admin
2025-03-06 14:51:35 +00:00 [INFO] Temporary admin info@wwh-soft.com has permission USER_MANAGEMENT to perform this action

But now that you have successfully made yourself a permanent admin, you can and should remove the “tmp_admin” field from the configuration file again.

You are now ready to activate your subscription .