Install · Meridian NIP

−1 · VM appliance (import & boot, fastest)

Prebuilt Meridian VM. Download the disk image for your hypervisor, import it, power on, wait for the DHCP lease, log in at https://<dhcp-ip> with admin / password. No Debian install, no apt repo, no install.sh. ~5 minutes wall-clock.

What you get:

Debian 13.4 base, 40 GB disk (dynamic), 4 GB RAM, 2 vCPU
Meridian v1.0.0 pre-installed; all services start on boot. Add the apt repo + sudo apt upgrade meridian-nip after first boot to pick up v1.0.1 (install.sh upgrade-path fixes).
Self-signed TLS, fresh per-appliance master + row-HMAC keys, fresh SSH host keys
DHCP networking — no static IP baked in; appliance lands on whatever LAN you import it into

Pick the disk format your hypervisor speaks:

Hypervisor	Format	Compressed size	Asset
Hyper-V (Windows host)	`.vhdx`	~1 GB	`meridian-nip-v1.0.0.vhdx.zst`
VMware Workstation / Fusion / ESXi · VirtualBox	`.ova`	~1 GB	`meridian-nip-v1.0.0.ova.zst`
KVM / libvirt · Proxmox VE	`.qcow2`	~1 GB	`meridian-nip-v1.0.0.qcow2.zst`

Step 1 · Download & decompress

All three formats are zstd-compressed. Decompress before importing:

# Linux/macOS:
zstd -d meridian-nip-v1.0.0.<format>.zst

# Windows (7-Zip 21.07+ supports .zst), or PowerShell with zstd installed via winget:
zstd -d meridian-nip-v1.0.0.vhdx.zst

Step 2 · Import into your hypervisor

Hyper-V: New → Import Virtual Machine (or just drop the .vhdx into C:\VMs\ and create a new Gen 2 VM around it; Secure Boot OFF, bridged network)
VMware / VirtualBox: File → Import Appliance → pick the .ova
Proxmox VE: qm importdisk <vmid> meridian-nip-v1.0.0.qcow2 local-lvm
libvirt / virsh: virt-install --import --name meridian --disk path=...qcow2 --memory 4096 --vcpus 2

Step 3 · Power on & sign in

VM boots in ~30 seconds, picks up DHCP. Find the IP in your hypervisor's console or DHCP leases, then browse to https://<ip>. Default portal admin: admin / password. The portal forces a password change on first login and offers MFA enrollment.

Step 4 · Add the apt repo + apt upgrade to v1.0.1

The shipped appliance is built from v1.0.0. The v1.0.1 patch release contains five install.sh upgrade-path fixes you'll want before ever running install.sh --upgrade. Add the apt repo and apply it:

ssh admin@<ip>   # password: meridiannip
sudo apt update
sudo apt install -y curl gpg ca-certificates
curl -fsSL https://meridiannip.com/meridiannip.gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/meridiannip-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/meridiannip-archive-keyring.gpg] https://meridiannip.com/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/meridian.list
sudo apt update
sudo apt upgrade -y meridian-nip
# v1.0.1 onwards stays current via `sudo apt upgrade`.

Step 5 · (Recommended) Rotate per-appliance secrets

Every appliance ships with the same default OS account (admin / meridiannip) and PG role password. After first browser login, change them:

sudo passwd admin                  # rotate OS password
sudo passwd root                   # ditto for root

The master encryption key and row-HMAC key were already regenerated per-image when the appliance was scrubbed, so two appliances on the same network can't impersonate each other.

0 · Apt (Debian 12/13, simplest)

If your target is already a Debian 12 or 13 host, this is the shortest path. Add the MeridianNIP apt repo, install the package, edit one config file, run the installer. ~3 minutes of operator time (plus the apt package fetch). Future versions arrive via sudo apt upgrade.

Step 1 · Add the MeridianNIP apt repo

# Tooling — a Debian minbase doesn't ship curl or gpg:
sudo apt update
sudo apt install -y curl gpg ca-certificates

# Fetch + dearmor the signing key into the system keyring:
curl -fsSL https://meridiannip.com/meridiannip.gpg \
  | sudo gpg --dearmor -o /usr/share/keyrings/meridiannip-archive-keyring.gpg

# Add the repo source:
echo "deb [signed-by=/usr/share/keyrings/meridiannip-archive-keyring.gpg] https://meridiannip.com/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/meridian.list

sudo apt update

The signing key fingerprint is 5072 F226 10C9 2331 A8E2 428C EE4D C4BD 960D 8B36; the dearmored bytes go to /usr/share/keyrings/meridiannip-archive-keyring.gpg and apt verifies every download against it.

Step 2 · Install the package

sudo apt install meridian-nip

This drops the source tree under /opt/meridian and runs the Debian postinst hook. On a fresh host with no /etc/meridian/answers.local.env file, postinst prints a short notice telling you what to do next — it does not auto-run the installer until you've given it an answers file (next step).

Step 3 · Stage your answers file

sudo cp /opt/meridian/answers.example.env /etc/meridian/answers.local.env
sudo $EDITOR /etc/meridian/answers.local.env
# Set PORTAL_DOMAIN, STATIC_IP (optional), ADMIN_CIDR — comments inline.

Step 4 · Run the installer

sudo /opt/meridian/install.sh --unattended --config /etc/meridian/answers.local.env

# Or run interactively (every prompt has an inline explanation):
sudo /opt/meridian/install.sh

Default portal admin: admin / password — forced change + MFA enroll on first login. The summary at the end prints the portal URL and DB password; save them.

Upgrades: sudo apt update && sudo apt upgrade meridian-nip stages the new source and re-runs install.sh --upgrade automatically against the same answers file. Master keys and the Postgres database persist across upgrades.

1 · Install from a Windows workstation

End-to-end with native Windows tools — no WSL, no Linux subshell needed. Hyper-V is the recommended hypervisor (built into Windows, scripted) but VMware Workstation and VirtualBox work too; see the callout under the Hyper-V step.

Prerequisites (all native to Windows 10/11 / Server):

Windows host with Hyper-V — Windows 10/11 Pro/Enterprise/Education, Windows Server 2016+ with the Hyper-V role, or Hyper-V Server. Anywhere Get-VM works.
An elevated PowerShell for the Hyper-V cmdlets (right-click → "Run as administrator")
Git for Windows — git-scm.com/download/win. Gives you git in any shell.
OpenSSH client — ships with Windows 10 1809+ and every Windows 11 / Server 2019+. Gives you ssh and scp on the PATH by default. (Settings → Apps → Optional features → "OpenSSH Client" if it isn't already installed.)

Step 1 · Clone the source & create your answers file

In a regular PowerShell window (no elevation needed for this step):

cd $HOME
git clone https://github.com/MeridianNIP/meridian.git
cd meridian
copy answers.example.env answers.local.env
notepad answers.local.env
# Set PORTAL_DOMAIN, STATIC_IP (optional), ADMIN_CIDR — comments inline.

You'll push this whole directory (including answers.local.env) to the VM in step 4.

Step 2 · Download the preseed-injected ISO

One PowerShell command, ~940 MB:

New-Item -ItemType Directory -Force "C:\VMs\ISOs" | Out-Null
Invoke-WebRequest `
  -Uri "https://github.com/MeridianNIP/meridian/releases/latest/download/debian-13.4.0-amd64-meridian-unattended.iso" `
  -OutFile "C:\VMs\ISOs\debian-13.4.0-amd64-meridian-unattended.iso"

Verify with the SHA256SUMS file on the release page:

Get-FileHash "C:\VMs\ISOs\debian-13.4.0-amd64-meridian-unattended.iso" -Algorithm SHA256

Step 3 · Spin the VM (elevated PowerShell)

Right-click PowerShell → Run as administrator, then from the cloned repo:

cd $HOME\meridian
./scripts/hyperv-bootstrap.ps1 `
    -VMName meridian `
    -Unattended `
    -IsoPath "C:\VMs\ISOs\debian-13.4.0-amd64-meridian-unattended.iso"

Walk away ~10 minutes. When it's up, get the VM's DHCP IP:

Get-VMNetworkAdapter -VMName meridian | Select-Object -ExpandProperty IPAddresses

VMware Workstation / VirtualBox on Windows instead of Hyper-V? Skip the bootstrap script. Create a Gen 2 / UEFI VM manually (4 GB RAM, 2 vCPU, 40 GB disk, bridged network, attach the .iso from C:\VMs\ISOs\), boot it, and walk away the same ~10 minutes. Steps 4 + 5 then apply unchanged.

Step 4 · Copy the source onto the VM

Native Windows scp — no rsync needed (Windows doesn't ship rsync; scp from OpenSSH is the equivalent). From the cloned repo:

scp -r . admin@<vm-ip>:~/meridian/

The first connection prompts you to accept the VM's host key — answer yes. Then the auth challenge is "what's the password?" — that's meridiannip for the admin account baked into the preseed.

Step 5 · Run the installer

SSH in and let install.sh do the heavy lifting:

ssh admin@<vm-ip> "sudo rm -rf /opt/meridian; sudo mv ~/meridian /opt/meridian; sudo chown -R root:root /opt/meridian; sudo chmod 0755 /opt/meridian; sudo /opt/meridian/install.sh --unattended --config /opt/meridian/answers.local.env"

Wait ~5 minutes for install.sh to finish (apt + pip + service setup). The summary at the end prints the portal URL, admin temp password, and DB credentials — save them.

Default OS account: admin / meridiannip. Default portal admin: admin / password — forced change + MFA enrollment on first browser login.

2 · Install from a Linux or macOS workstation

End-to-end with native Unix tools. The hypervisor is VMware Workstation / Fusion, VirtualBox, Proxmox, KVM / libvirt, or anything that boots a UEFI Gen 2 VM. (Hyper-V is Windows-only — if your workstation is Linux/macOS, pick a cross-platform hypervisor.)

Prerequisites:

A hypervisor that supports UEFI Gen 2 VMs — VMware Workstation 17+, VMware Fusion, VMware ESXi/vSphere, VirtualBox 7+ (with EFI enabled), Proxmox, KVM/libvirt with OVMF
Standard CLI tools: git, rsync, ssh — all standard on every distro and on macOS by default
curl or wget for the ISO download

Step 1 · Clone the source & create your answers file

cd ~
git clone https://github.com/MeridianNIP/meridian.git
cd meridian
cp answers.example.env answers.local.env
$EDITOR answers.local.env
# Set PORTAL_DOMAIN, STATIC_IP (optional), ADMIN_CIDR — comments inline.

Step 2 · Download the preseed-injected ISO

curl -LO https://github.com/MeridianNIP/meridian/releases/latest/download/debian-13.4.0-amd64-meridian-unattended.iso
curl -LO https://github.com/MeridianNIP/meridian/releases/latest/download/SHA256SUMS
sha256sum -c SHA256SUMS
# expect:  debian-13.4.0-amd64-meridian-unattended.iso: OK

Step 3 · Create a VM & boot the ISO

Use your hypervisor's UI or CLI to create the VM. Settings:

Setting	Value
Guest OS	Debian GNU/Linux 13 (64-bit)
Firmware	UEFI — Secure Boot OFF
Disk	40 GB dynamic
Memory	4 GB
vCPUs	2
Network	Bridged (so the VM gets a LAN IP)
CD/DVD	attach the `.iso`, boot from CD first

Power on, walk away ~10 minutes for the unattended Debian install. Find the VM's IP via your hypervisor's UI or by checking your DHCP leases.

VirtualBox specifically: enable EFI under Settings → System → Motherboard → Enable EFI. The v1.0.0 ISO is UEFI-only — without EFI on you'll get a black screen.

Step 4 · Push source + run install.sh

Standard rsync. Run from the cloned repo:

rsync -az ./ admin@<vm-ip>:~/meridian/
ssh admin@<vm-ip> 'sudo rm -rf /opt/meridian && \
    sudo mv ~/meridian /opt/meridian && \
    sudo chown -R root:root /opt/meridian && \
    sudo chmod 0755 /opt/meridian && \
    sudo /opt/meridian/install.sh --unattended \
         --config /opt/meridian/answers.local.env'

First SSH connection asks for the host key (yes) + the admin password (meridiannip).

Default OS account: admin / meridiannip. Default portal admin: admin / password — forced change + MFA enroll on first browser login.

3 · Bare Debian (direct install, no VM)

For physical hardware, an existing Debian/Ubuntu host, or any scenario where you don't want our preseed ISO. Install Meridian directly on the box it'll run on. Linux-host only — there's no Windows operator step in this path.

Prerequisites:

Debian 13 (primary target) or Debian 12 (supported fallback)
4 GB RAM, 20 GB disk free, root access
Outbound HTTPS for Debian apt + (optionally) Let's Encrypt

Step 1 · Clone Meridian onto the target host

git clone https://github.com/MeridianNIP/meridian.git /tmp/meridian-src
sudo mkdir -p /opt/meridian
sudo cp -a /tmp/meridian-src/. /opt/meridian/
sudo chown -R root:root /opt/meridian

Step 2 · Create your answers file

sudo cp /opt/meridian/answers.example.env /opt/meridian/answers.local.env
sudo $EDITOR /opt/meridian/answers.local.env
# Set PORTAL_DOMAIN, STATIC_IP (optional), ADMIN_CIDR — comments inline.

Step 3 · Run the installer

cd /opt/meridian
sudo ./install.sh --unattended --config /opt/meridian/answers.local.env

# Or interactively (every prompt has an inline explanation):
sudo ./install.sh

Step 4 · Sign in

Browse to https://<portal-domain>/ui/login. Default portal admin: admin / password — forced change + MFA enroll on first login.

Install Meridian

−1 · VM appliance (import & boot, fastest)

Step 1 · Download & decompress

Step 2 · Import into your hypervisor

Step 3 · Power on & sign in

Step 4 · Add the apt repo + apt upgrade to v1.0.1

Step 5 · (Recommended) Rotate per-appliance secrets

0 · Apt (Debian 12/13, simplest)

Step 1 · Add the MeridianNIP apt repo

Step 2 · Install the package

Step 3 · Stage your answers file

Step 4 · Run the installer

1 · Install from a Windows workstation

Step 1 · Clone the source & create your answers file

Step 2 · Download the preseed-injected ISO

Step 3 · Spin the VM (elevated PowerShell)

Step 4 · Copy the source onto the VM

Step 5 · Run the installer

2 · Install from a Linux or macOS workstation

Step 1 · Clone the source & create your answers file

Step 2 · Download the preseed-injected ISO

Step 3 · Create a VM & boot the ISO

Step 4 · Push source + run install.sh

3 · Bare Debian (direct install, no VM)

Step 1 · Clone Meridian onto the target host

Step 2 · Create your answers file

Step 3 · Run the installer

Step 4 · Sign in

Post-install checklist