Skip to main content

Installing Pluton on Linux Servers

This guide covers installing Pluton on headless Linux servers without a desktop environment.

Prerequisites

  • Linux server (x86_64 or arm64 architecture).
  • Minimum GLIBC Version: 2.29+ (check with ldd --version)
  • Root/sudo access
  • systemd (most modern Linux distributions)
  • curl
  • setcap from libcap2-bin/libcap (installed by default on many distributions)

Interactive Installation

curl -sSL https://dl.usepluton.com/server/scripts/install.sh | sudo bash

Follow the prompts to configure:

  • Server port (default: 5173)
  • Max concurrent backups (default: 2)
  • Encryption key (min 12 characters)
  • Admin username
  • Admin password

The installer runs with sudo so it can place binaries, create a systemd service, and set file permissions. The Pluton service itself runs as the dedicated non-root pluton system user.

Non-Interactive Installation

For automated deployments, provide all configuration via command line:

curl -sSL https://dl.usepluton.com/server/scripts/install.sh | sudo bash -s -- \
    --port 5173 \
    --max-concurrent 2 \
    --encryption-key "your-secure-encryption-key" \
    --user admin \
    --password "your-secure-password" \
    --non-interactive

Installation with Config File

Create a configuration file (e.g., /tmp/pluton.env):

PLUTON_ENCRYPTION_KEY=your-secure-encryption-key
PLUTON_USER_NAME=admin
PLUTON_USER_PASSWORD=your-secure-password
SERVER_PORT=5173
MAX_CONCURRENT_BACKUPS=2

Then install:

curl -sSL https://dl.usepluton.com/server/scripts/install.sh | sudo bash -s -- \
    --config /tmp/pluton.env --non-interactive

The installer stores PLUTON_ENCRYPTION_KEY separately in /etc/pluton/pluton.enc.env and writes the remaining credentials to /etc/pluton/pluton.env.

Least-Privilege Linux Runtime

Linux server installs use a least-privilege model:

  • The systemd service runs as the dedicated pluton user and group, not as root.
  • Runtime data under /var/lib/pluton/ and sensitive environment files under /etc/pluton/ are owned by pluton with restrictive permissions.
  • /usr/bin/pluton-helper is installed for narrow elevated operations such as privileged restores and root-approved hook scripts.
  • Root-only hook scripts require an explicit sudoers rule for each allowed script path.

Local Backup Destinations

If you store backups in a local mounted path, external drive, or another directory outside /var/lib/pluton, grant the pluton user write access to that destination:

sudo apt update && sudo apt install acl -y
sudo setfacl -R -m u:pluton:rwx,d:u:pluton:rwx /path/to/pluton-backups

Replace /path/to/pluton-backups with your actual local backup destination.

Root Hook Scripts

Normal plan scripts run as the pluton user. If a script needs root privileges, enable root execution in the plan settings and allow only that script through sudoers:

sudo tee /etc/sudoers.d/pluton-helper-scripts >/dev/null <<'EOF'
pluton ALL=(root) NOPASSWD: /usr/bin/pluton-helper run-script /usr/local/libexec/pluton-hooks/pre-backup-root.sh
EOF
sudo chmod 440 /etc/sudoers.d/pluton-helper-scripts
sudo visudo -c -f /etc/sudoers.d/pluton-helper-scripts

Use a root-owned script path, and add one sudoers line per script that should be allowed to run as root.

Network Configuration

Firewall Configuration

# UFW (Ubuntu/Debian)
sudo ufw allow 5173/tcp

# firewalld (RHEL/CentOS/Fedora)
sudo firewall-cmd --permanent --add-port=5173/tcp
sudo firewall-cmd --reload

File Locations

PathDescription
/opt/pluton/Application binaries
/usr/bin/pluton-helperLeast-privilege helper for elevated Linux tasks
/var/lib/pluton/Data directory (database, logs, backups)
/etc/pluton/pluton.envAdmin username and password (secured, mode 600)
/etc/pluton/pluton.enc.envUser encryption key (secured, mode 600)
/var/lib/pluton/config/config.jsonNon-sensitive configuration
/var/lib/pluton/logs/Application logs

Custom Domain with Reverse Proxy

To access Pluton via a custom domain (e.g., backups.example.com), set up a reverse proxy that forwards traffic to Pluton's local port.

Nginx

First Install Nginx:

sudo apt install nginx   # Debian/Ubuntu
sudo dnf install nginx   # RHEL/Fedora

And then create /etc/nginx/sites-available/pluton:

server {
    listen 80;
    server_name backups.example.com;

    location / {
        proxy_pass http://127.0.0.1:5173;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    client_max_body_size 0;
}

Enable the site and reload:

sudo ln -s /etc/nginx/sites-available/pluton /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

Caddy (Alternative)

Caddy provides automatic HTTPS with no extra configuration. Install Caddy and create /etc/caddy/Caddyfile:

backups.example.com {
    reverse_proxy 127.0.0.1:5173
}

Reload with sudo systemctl reload caddy. Caddy automatically provisions and renews SSL certificates.

Apache (Alternative)

Enable required modules and create /etc/apache2/sites-available/pluton.conf:

sudo a2enmod proxy proxy_http proxy_wstunnel
<VirtualHost *:80>
    ServerName backups.example.com
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:5173/
    ProxyPassReverse / http://127.0.0.1:5173/

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule /(.*) ws://127.0.0.1:5173/$1 [P,L]
</VirtualHost>
sudo a2ensite pluton && sudo systemctl reload apache2

SSL Certificate with Let's Encrypt

If using Caddy, SSL is automatic — no extra steps needed.

For Nginx or Apache, use Certbot:

# Install certbot
sudo apt install certbot python3-certbot-nginx   # Nginx
sudo apt install certbot python3-certbot-apache  # Apache

# Obtain and install certificate
sudo certbot --nginx -d backups.example.com   # Nginx
sudo certbot --apache -d backups.example.com  # Apache

Certbot automatically configures SSL and sets up auto-renewal via a systemd timer. Verify renewal works:

sudo certbot renew --dry-run
tip

Ensure your domain's DNS A record points to your server's public IP address before requesting a certificate.

Uninstalling Pluton

curl -sSL https://dl.usepluton.com/server/scripts/uninstall.sh | sudo bash

For automated removal including all data:

curl -sSL https://dl.usepluton.com/server/scripts/uninstall.sh | sudo bash -s -- \
    --remove-data --non-interactive

Or use the local uninstall script:

sudo /opt/pluton/uninstall.sh

Managing the Service

# Check status
sudo systemctl status pluton

# Stop service
sudo systemctl stop pluton

# Start service
sudo systemctl start pluton

# Restart service
sudo systemctl restart pluton

# View logs
sudo journalctl -u pluton -f

Updating Pluton

curl -sSL https://dl.usepluton.com/server/scripts/install.sh | sudo bash -s -- --upgrade

This preserves your credentials and data while updating the binaries.

Troubleshooting

View Application Logs

# Service logs
sudo journalctl -u pluton -f

# Application stdout/stderr
tail -f /var/lib/pluton/logs/stdout.log
tail -f /var/lib/pluton/logs/stderr.log

Check Service Status

sudo systemctl status pluton

Verify Credentials File

sudo cat /etc/pluton/pluton.env
sudo cat /etc/pluton/pluton.enc.env

Restart After Configuration Changes

sudo systemctl daemon-reload
sudo systemctl restart pluton

Resetting the admin password or username:

Follow these steps to reset your password or username:

  1. Run this command to stop the pluton service:
sudo systemctl stop pluton
  1. Run this command to start the password reset process:
sudo /opt/pluton/pluton --reset-password

  1. You will be prompted to set both the admin username and password.

  2. After setting the new password, Start the pluton service again:

sudo systemctl start pluton
  1. Use your new login credentials to log into Pluton.