Install Sovereign Stack
Photo by Gabriel Heinzer / Unsplash installs everything you need to successfully execute Sovereign Stack on your management machine. You should go take a look at it, as it requires sudo. Just type ./ and you will be asked for a password to continue.

What software is installed?

Network Orchestration Tools

First, we install wait-for-it, dnsutils, rsync, sshfs, curl, and gnupg. These tools are necessary for service orchestration, DNS querying, and backups/restoration to/from your management machine.

Docker CLI

Next, we install docker-cli which is used to control docker daemons installed on remote VMs. Sovereign Stack configured docker-cli to tunnel all connections to remote hosts over SSH. Note, we DO NOT install docker engine on the management machine. This is left up to the administrator.


Finally, installs the software required for Trezor-T to operate correctly. Sovereign Stack intends on using Trezor for GPG and SSH operations. also updates your udev rules to ensure Trezor USB devices are correctly allowed when inserted.

Note Trezor integration is NOT complete. Lots to do on this project! whew!


We use GPG operations primarily in conjunction with the Trezor-T above and in combination with pass to give us Trezor-encrypted passwords for sensitive data-at-rest on the management machine.

LXD installs the LXD snap package if it's not installed already. If it does get installed, the script initializes the daemon for basic operation. However, the client tool lxc is primarily used to control LXD services on remote servers. For more info, check out this post.


virt-manager is useful when you want to run your management machine functions in an isolated VM, or if you are doing development on Sovereign Stack.

The Standard Unix Password Manager, pass

We use GPG certificates generated from your Trezor-T to back the encryption of passwords. Password management is required by Sovereign Stack to store sensitive data such as service passwords. Using the Trezor-T-backed password store allows Sovereign Stack to store sensitive information securely. (TODO)


The last adds are couple lines to your ~/.bashrc file. Specifically, two aliases: ss-cluster and ss-deploy. These commands 1) take an SSH endpoint under management of Sovereign Stack, and 2) deploy a cluster definition to an active cluster, respectively.

Want to support Sovereign Stack development? Consider donating to our monthly crowdfund.