Requirements
This page lists the prerequisites for deploying Atrium on your own infrastructure.
Hardware
Atrium is lightweight. A minimal deployment runs comfortably on:
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 2 vCPU | 4 vCPU |
| RAM | 4 GB | 8 GB |
| Storage | 20 GB | 50 GB+ (depends on visitor volume and PDF archive size) |
These numbers cover the full stack: application server, PostgreSQL, NATS, WeasyPrint sidecar, and Traefik reverse proxy. The Atrium Agent runs on a separate host (on your local network) and has minimal requirements (1 vCPU, 256 MB RAM).
Operating system
Any Linux distribution that supports Docker:
- Ubuntu 22.04 LTS or later
- Debian 12 (Bookworm) or later
- Rocky Linux 9 or later
- RHEL 9 or later
Other distributions work if they run Docker Engine 24+.
Software
| Dependency | Version | Notes |
|---|---|---|
| Docker Engine | 24+ | With the Docker Compose plugin (docker compose, not the legacy docker-compose). |
| Docker Compose | v2.20+ | Bundled with Docker Engine as a plugin. |
No other runtime dependencies. No Java, Python, Node.js, or database software needs to be installed on the host — everything runs in containers.
Network
Domain name
You need a domain name (or subdomain) pointing to your server's IP address. Atrium uses this domain for:
- The admin dashboard and API (https://atrium.yourdomain.com)
- Pre-registration emails (QR code deep links)
- Kiosk access
An A record pointing to the server's public IP is sufficient.
Ports
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 80 | TCP | Inbound | HTTP → automatic redirect to HTTPS |
| 443 | TCP | Inbound | HTTPS (Traefik reverse proxy) |
If you're also deploying the Atrium Agent on the same host (unusual but possible):
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 1812 | UDP | Inbound (from WiFi controllers) | RADIUS Authentication |
| 1813 | UDP | Inbound (from WiFi controllers) | RADIUS Accounting |
Outbound connectivity
The Atrium server needs outbound HTTPS access to:
| Destination | Purpose | Required? |
|---|---|---|
| ghcr.io | Container image pulls (updates) | Yes |
| Control Plane (cp.atrium.sprocksystems.de) | License validation, feature flags, updates | Yes (grace period if unavailable) |
| Let's Encrypt (acme-v02.api.letsencrypt.org) | TLS certificate issuance | Yes (if using Let's Encrypt) |
| Your OIDC provider (e.g., login.microsoftonline.com) | User authentication | Only if using external IdP |
| Your CRM API (e.g., login.salesforce.com) | CRM integration | Only if CRM integration is configured |
| SMTP server | Email delivery | Yes (for notifications) |
If the server operates behind a corporate proxy or strict egress firewall, ensure these destinations are whitelisted.
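The following preflight script is an added example, not part of the Atrium distribution: it checks the Docker Engine and Compose minimums from the Software table (comparing versions numerically, so 2.9 is correctly older than 2.20) and probes the HTTPS destinations listed above. The `EXTRA_HOSTS` variable and the `run` argument are assumptions made for this example, and the SMTP server is not probed because it is not an HTTPS endpoint.

```shell
#!/bin/sh
# Added example (not Atrium's own tooling): preflight check for the Software
# and Outbound connectivity requirements. Minimum versions and hostnames come
# from the tables on this page.

# version_ge A B: succeed if dotted version A >= B, compared numerically per
# field. Missing fields count as 0; a leading "v" and "-rc1" style suffixes are ignored.
version_ge() {
  a=${1#v}; b=${2#v}
  for i in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  return 0
}

# meets_minimums ENGINE COMPOSE: Docker Engine 24+ and Docker Compose v2.20+.
meets_minimums() {
  version_ge "$1" 24 && version_ge "$2" 2.20
}

# https_reachable HOST: any HTTP response counts; only connect/TLS errors fail.
# curl honours https_proxy, so a corporate proxy path is exercised as well.
https_reachable() {
  curl -sS -o /dev/null --connect-timeout 5 --max-time 15 "https://$1/" 2>/dev/null
}

preflight() {
  rc=0
  engine=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || engine=
  compose=$(docker compose version --short 2>/dev/null) || compose=
  if meets_minimums "$engine" "$compose"; then
    echo "ok    docker engine=$engine compose=$compose"
  else
    echo "FAIL  docker engine='$engine' compose='$compose' (need 24+ / v2.20+)"; rc=1
  fi
  # EXTRA_HOSTS (assumed variable name): your OIDC provider or CRM API, if used.
  # The Let's Encrypt host only matters if you use Let's Encrypt for TLS.
  for h in ghcr.io cp.atrium.sprocksystems.de acme-v02.api.letsencrypt.org ${EXTRA_HOSTS:-}; do
    if https_reachable "$h"; then echo "ok    $h"; else echo "FAIL  $h"; rc=1; fi
  done
  return "$rc"
}

# Run the checks only when invoked with the argument "run" (assumed convention).
if [ "${1:-}" = run ]; then preflight; fi
```

A `FAIL` line for a destination means the connection or TLS handshake did not complete, which is the symptom of a missing egress rule or a proxy that is not configured for the shell running the check.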
Air-gapped deployments
Fully air-gapped deployments (no internet access) are supported with limitations:
- Container images must be transferred manually (exported and imported).
- TLS certificates must be provided manually (no Let's Encrypt).
- The license operates on a grace period after the last successful Control Plane check-in.
- Updates must be applied manually.
See Network Requirements for details.