```bash
curl -fsSL https://raw.githubusercontent.com/CAPY-RPI/launch/refs/heads/main/install.sh | bash
```

The script does the system update, installs git + docker + terraform + uv + compose, clones the repo to ~/capy-lab, walks you through a guided .env setup, then runs make run. When it finishes, visit https://${DOMAIN_NAME} (~2 min for first-time TLS).

The installer prompts for the values below — get them first.
| What | How |
|---|---|
| Cloudflare zone + API token + Account ID + Zone ID | Create a token with Account/Cloudflare Tunnel:Edit, User/API Tokens:Edit, User/User Details:Read, Zone/Zone:Read, Zone/DNS:Edit, scoped to your account + zone. Account ID and Zone ID are on the zone overview page. |
| Google OAuth client ID + secret | Web application with redirect URI https://${DOMAIN_NAME}/api/v1/auth/google/callback |
| Authentik bootstrap admin email + password | You pick — used for the initial admin login at auth.${DOMAIN_NAME} |
| (optional) SMTP host / port / user / pass / from | Only if you want Authentik to send password-reset / invite emails |
Everything else (postgres passwords, capy JWT, authentik secret key, tunnel token, DNS-01 token) is generated by terraform on make run.
Public:
- https://${DOMAIN_NAME} — capy-lander
- https://${DOMAIN_NAME}/api — capy-api
- https://auth.${DOMAIN_NAME} — authentik

Behind authentik forward-auth:
- https://traefik.${DOMAIN_NAME} — traefik dashboard
- https://status.${DOMAIN_NAME} — gatus
- https://home.${DOMAIN_NAME} — homepage
- https://whoami.${DOMAIN_NAME} — whoami

First-time TLS takes ~2 min (Let's Encrypt DNS-01 + propagation).
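
To confirm that the four hosts listed under "Behind authentik forward-auth" really refuse an unauthenticated client, the following check can be run once TLS is up. It is an added example, not part of this repository; the function names are hypothetical, and it assumes a gated host answers a cookie-less request with a redirect or a 401/403 rather than content.

```shell
#!/bin/sh
# Added example (not from the repo): audit the forward-auth hosts.

# classify_status CODE -> prints "exposed", "gated" or "unknown"
classify_status() {
  case "$1" in
    2[0-9][0-9]) echo exposed ;;       # content served with no session: forward-auth not applied
    30[12378]|401|403) echo gated ;;   # redirect to login, or outright denial
    *) echo unknown ;;                 # 000 (no connection / TLS not ready), 404, 5xx: check by hand
  esac
}

# check_host FQDN -> prints "FQDN CODE VERDICT"
# No cookies are sent and redirects are not followed, so the status is
# what an anonymous client sees on first contact.
check_host() {
  _code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "https://$1/") || _code=000
  printf '%s %s %s\n' "$1" "$_code" "$(classify_status "$_code")"
}

# audit DOMAIN -> checks the four protected subdomains from the list above;
# returns non-zero if any of them serves content anonymously.
audit() {
  _rc=0
  for _sub in traefik status home whoami; do
    _line=$(check_host "$_sub.$1")
    echo "$_line"
    case "$_line" in
      *" exposed") _rc=1 ;;
    esac
  done
  return "$_rc"
}

# Runs only when DOMAIN_NAME is set in the environment.
if [ -n "${DOMAIN_NAME:-}" ]; then
  audit "$DOMAIN_NAME"
fi
```

Run it as `DOMAIN_NAME=<your domain> sh check.sh` (file name is an assumption); an `unknown` result during the first couple of minutes usually just means the certificate has not been issued yet.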