Before an Apiphani engineer installs the agent, your team needs to provide a Patch server, confirm network access, and prepare a service user with the right permissions on each managed host. This page lists every prerequisite.
Patch server
The Patch server is the host that runs the Luumen agent. You need exactly one per Luumen client.
| Requirement | Details |
|---|---|
| Operating system | Linux (any modern distribution with systemd) or Windows Server |
| CPU and memory | Modest — the agent is lightweight. 2 vCPU / 4 GB RAM is sufficient for hundreds of hosts. |
| Disk | A few GB for the binary and rolling logs (log_retention_days defaults to 30) |
| Network | Outbound HTTPS to the Luumen API. Outbound SSH or WinRM to every managed host. |
| Access | A service user with permission to execute the agent binary and read its config and key files. |
The Patch server should be a stable host that is not regularly rebuilt or rotated. The agent runs as a system service, so the server needs to stay up to keep the dashboard current.
Network access
The Patch server must be able to reach:
- The Luumen API base URL configured in config.yaml (HTTPS, default port 443).
- Every managed host over SSH (port 22) or WinRM (port 5985 for HTTP, 5986 for HTTPS).
You can verify outbound API access from the Patch server with a quick curl:
curl -H "api-key: YOUR_API_KEY_HERE" "https://ns2-api.apiphani.io/v2/api/v1/config"
A successful response confirms network access and a valid API key. See Troubleshooting if the request hangs or returns an error.
Service user permissions
The agent runs as a dedicated service user on the Patch server, and authenticates to each managed host as a user you control on that host. The required permissions vary by platform.
The permissions below cover the agent’s current data collection. As new properties are added, the required permissions can change. We’ll document changes here and notify customers ahead of upgrades that require new permissions.
Linux
The service user on each Linux host needs sudo access to the following commands for standard OS data collection:
| Command | Why the agent needs it |
|---|---|
| dmidecode | Reads DMI tables for hardware detection (vendor, model, serials) |
| getenforce | Queries SELinux status |
| tuned-adm | Queries the tuned daemon for active performance profile |
| /var/spool/cron/tabs/root | Reads root’s crontab for scheduled-job inventory |
Application-specific properties may require additional read permissions on the relevant directories. If you’ve enabled the SAP integration, for example, the service user needs broad read access to SAP files under the SAP user’s directories — the exact paths are determined during white-glove setup. See SAP integration.
Windows
On Windows hosts, the service user needs the following access types:
| Access | Why the agent needs it |
|---|---|
| Registry access | Reads application data and installed software metadata |
| WMI queries | Runs Get-CimInstance and Get-WmiObject to collect OS, memory, CPU, and swap information |
| Process and service info | Runs Get-Process and Get-Service for service inventory |
Patch server service user
The user that runs the agent binary on the Patch server itself also needs:
- Execute permission on the agent binary (chmod +x on Linux).
- Read permission on config.yaml and any SSH private keys referenced in the host list.
- sudo access on the Patch server when installing the agent as a service (during the install command only).
- If using HashiCorp Vault: a way to provide the Vault token, typically the VAULT_TOKEN environment variable.
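The file permissions in the list above can be checked before the install with a short script run as the service user. This is an added example, not Apiphani's tooling: the function name and finding labels are hypothetical, all paths are supplied by the caller, and the check that config.yaml and key files are closed to group and other is a hardening assumption beyond the read permission this page requires.

```shell
#!/bin/sh
# Added example: audit the files the agent's service user needs on the Patch server.
# Run it as that service user. Paths are supplied by the caller, not taken from the docs.

# audit_patch_server_files BINARY CONFIG [SSH_KEY...]
# Prints one line per finding; returns 0 when clean, 1 on findings, 2 on bad usage.
audit_patch_server_files() {
    [ "$#" -ge 2 ] || { echo "usage: audit_patch_server_files BINARY CONFIG [KEY...]" >&2; return 2; }
    bin=$1; cfg=$2; shift 2
    findings=0
    report() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    # Page requirement: execute permission on the agent binary.
    if [ ! -f "$bin" ]; then
        report "MISSING   $bin"
    elif [ ! -x "$bin" ]; then
        report "NO-EXEC   $bin (fix: chmod +x)"
    fi

    # Page requirement: read permission on config.yaml and referenced SSH private keys.
    for f in "$cfg" "$@"; do
        if [ ! -f "$f" ]; then
            report "MISSING   $f"
            continue
        fi
        [ -r "$f" ] || report "NO-READ   $f"
        # Assumption (hardening, not a stated requirement): files holding secrets
        # should grant nothing to group/other. Characters 5-10 of the ls mode
        # string are the group and other permission bits.
        go_bits=$(ls -ld -- "$f" | cut -c5-10)
        [ "$go_bits" = "------" ] || report "TOO-OPEN  $f (group/other: $go_bits; fix: chmod 600)"
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh /path/to/agent /path/to/config.yaml [/path/to/key ...]
if [ "$#" -ge 2 ]; then audit_patch_server_files "$@"; fi
```

Run as root, the read check always passes, so the result only reflects the service user's access when the script runs under that account.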
What Apiphani handles
The white-glove install covers everything beyond providing the Patch server and the service user:
- Downloading and placing the agent binary.
- Writing the initial config.yaml.
- Installing the agent as a service and verifying the first scheduled run.
- Configuring the remote agent config (host list, default credentials) in the Luumen UI.
- For self-hosted deployments, provisioning the Luumen API and web app.
See White-glove setup for what Apiphani needs from your team to get started.