{{define "title"}}{{.Title}}{{end}}
{{define "content"}}
{{$page := .Page}}
Dashboard/Add host
{{if eq $page.Token ""}}
{{/* ============================================================
     State A · form
     ============================================================ */}}

Add a host

Mints a one-time enrolment token (TTL 1 hour) and binds the repo credentials to it. The token can only be used once — generate a fresh one if it expires or you typed something wrong.

{{if $page.Error}}
{{$page.Error}}
{{end}}

Host

Becomes the host’s display name. Most operators use the box’s actual hostname so logs line up.
Free-form. Used for filtering and grouping on the dashboard.

Default backup paths

What restic backup runs against when an operator hits “Run now”. Until schedules ship in Phase 2, this is the only source of paths for run-now jobs — leave it empty if you’ll dispatch via the JSON API instead.

Restic repository

Whatever restic -r would accept. Most fleets terminate at a restic/rest-server; s3: and b2: URLs work equally well.
For rest-server with htpasswd, this is the per-host user.
Encrypted at rest using the server’s AEAD key, pushed to the agent only over the authenticated WebSocket. Leave blank and we’ll mint a 24-byte URL-safe random password and surface it once on the next page (alongside the htpasswd snippet you’ll need to run on the rest-server).
Cancel
{{else}}
{{/* ============================================================
     State B · token minted
     ============================================================ */}}

Token minted

expires {{relTime $page.ExpiresAt}}

Run the snippet below on the target box. The host will appear on the dashboard within a few seconds of the agent connecting.

{{if and $page.RepoUsername $page.RepoPassword}}
Run on the rest-server box first {{if $page.PasswordGenerated}} password generated {{end}} · this is the only time you’ll see the password
echo '{{$page.RepoPassword}}' | sudo htpasswd -B -i /path/to/htpasswd {{$page.RepoUsername}}
Replace /path/to/htpasswd with whatever your restic/rest-server reads (typically the file passed via --htpasswd-file, or /data/.htpasswd in the official Docker image). The -i flag makes htpasswd read the password from stdin, so it never appears as a command-line argument in the process list. Then either send SIGHUP to the rest-server process or restart the container to pick up the new entry. The pasted line can still be recorded in your shell history; remove that entry once the user has been created.
{{end}}
Install command · paste-and-run on the host you’re backing up
curl -fsSL {{$page.ServerURL}}/install/install.sh | sudo \
  RM_SERVER={{$page.ServerURL}} \
  RM_TOKEN={{$page.Token}} bash
Awaiting agent connection
{{if $page.Hostname}}{{$page.Hostname}}{{else}}new host{{end}} — enrolment will mark this online
{{$page.ExpiresAt.Format "15:04:05.000"}} server token minted · 1h ttl
awaiting POST /api/agents/enroll …
← Back to dashboard Add another host
{{end}}
{{end}}
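Added example, not part of this template or the project's code: Go code for the one-time enrolment token the form text describes (1-hour TTL, single use, repo password bound to the token, a blank password replaced by a generated one). The names Enrolments, Mint and Redeem, the 32-byte token length, and reading "24-byte" as 24 random bytes before encoding are assumptions.

```go
// Added example; Enrolments, Mint and Redeem are hypothetical names, not the project's code.
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sync"
	"time"
)

type pending struct {
	expires time.Time
	repoPwd string // the page encrypts this at rest with an AEAD key; left plain here
}
// Enrolments maps SHA-256(token) to its bound credentials; raw tokens are never stored.
type Enrolments struct{ m sync.Map }
func randURLSafe(n int) string { // n random bytes as unpadded base64url text
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to mint anything
	}
	return base64.RawURLEncoding.EncodeToString(b)
}
// Mint binds the repo password to a fresh token valid for one hour.
func (e *Enrolments) Mint(repoPwd string, now time.Time) (token, pwd string) {
	if repoPwd == "" {
		repoPwd = randURLSafe(24) // assumption: 24 random bytes, 32 characters
	}
	token = randURLSafe(32) // assumption: token length is not stated on the page
	e.m.Store(sha256.Sum256([]byte(token)), pending{now.Add(time.Hour), repoPwd})
	return token, repoPwd
}
// Redeem removes the entry atomically before judging it, so replays always fail.
func (e *Enrolments) Redeem(token string, now time.Time) (string, error) {
	v, ok := e.m.LoadAndDelete(sha256.Sum256([]byte(token)))
	if !ok || !now.Before(v.(pending).expires) {
		return "", fmt.Errorf("token unknown, expired or already used")
	}
	return v.(pending).repoPwd, nil
}
func main() {
	var e Enrolments
	tok, _ := e.Mint("", time.Now())
	_, first := e.Redeem(tok, time.Now())
	_, replay := e.Redeem(tok, time.Now())
	fmt.Println("first:", first, "replay:", replay)
}
```

Because the entry is deleted before the expiry check, an expired token is also burned by the attempt, which matches the page's advice to generate a fresh one.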