Skip to content

Install Walter

Walter's public docs site ships with a small self-host bundle so operators do not need source repo access just to bring up the stack.

Requirements

  • Docker with the Compose plugin
  • A Walter registry username and token
  • A Walter image tag, for example ghcr.io/matchylabs/walter:YOUR_WALTER_VERSION
  • A hostname or IP address clients will use to reach Walter

License keys and LLM settings are optional at boot. You can enter them in the browser after Walter starts.

One-command install

For the fastest first boot:

WALTER_IMAGE=ghcr.io/matchylabs/walter:YOUR_WALTER_VERSION
curl -fsSL https://onprem.walterops.com/install/install-walter.sh | \
  bash -s -- --host 192.168.1.50 --image "$WALTER_IMAGE"

The installer:

  1. Downloads the Walter self-host bundle into ~/walter-selfhost
  2. Verifies the bundle checksum before extracting it
  3. Prompts for GHCR credentials if the image pull is not already authorized
  4. Writes or updates ~/walter-selfhost/.env.deploy
  5. Pulls the Walter image
  6. Starts the Docker Compose stack

When the stack is up, open https://192.168.1.50.

Useful flags

The installer defaults to internal-tls so private deployments stay encrypted from the first boot.

# Public hostname with automatic Let's Encrypt
WALTER_IMAGE=ghcr.io/matchylabs/walter:YOUR_WALTER_VERSION
curl -fsSL https://onprem.walterops.com/install/install-walter.sh | \
  bash -s -- --mode public-tls --host walter.example.com --image "$WALTER_IMAGE"

# Private TLS with Walter's generated internal CA
WALTER_IMAGE=ghcr.io/matchylabs/walter:YOUR_WALTER_VERSION
curl -fsSL https://onprem.walterops.com/install/install-walter.sh | \
  bash -s -- --mode internal-tls --host walter.internal.example --image "$WALTER_IMAGE"

# Preseed license and LLM settings
WALTER_IMAGE=ghcr.io/matchylabs/walter:YOUR_WALTER_VERSION
curl -fsSL https://onprem.walterops.com/install/install-walter.sh | \
  bash -s -- \
    --host 192.168.1.50 \
    --image "$WALTER_IMAGE" \
    --license-key "<provided-license-key>" \
    --llm-base-url https://api.openai.com/v1 \
    --llm-api-key "<provided-api-key>"

Manual bundle install

If you prefer not to pipe the installer into bash, download the bundle explicitly:

curl -fsSL https://onprem.walterops.com/downloads/walter-selfhost.tar.gz -o walter-selfhost.tar.gz
curl -fsSL https://onprem.walterops.com/downloads/walter-selfhost.tar.gz.sha256 -o walter-selfhost.tar.gz.sha256
sha256sum -c walter-selfhost.tar.gz.sha256
# or: shasum -a 256 -c walter-selfhost.tar.gz.sha256
mkdir -p ~/walter-selfhost
tar -xzf walter-selfhost.tar.gz -C ~/walter-selfhost
cd ~/walter-selfhost
bin/selfhost-install --host 192.168.1.50 --image ghcr.io/matchylabs/walter:YOUR_WALTER_VERSION

Trust the internal CA

internal-tls uses Walter's generated internal certificate authority. That keeps traffic encrypted, but browsers and turf hosts need to trust the generated CA before the experience feels smooth.

Walter's turf bootstrap flow carries that CA forward for the installed agent, so agents can keep verifying wss traffic after the first bootstrap. Browsers still need manual CA trust if you want a warning-free experience.

For a quick first boot, expect your browser to warn about the certificate until that CA is trusted. If you want a clean browser experience without manual trust steps, use public-tls with a real DNS hostname and public 80/443 reachability. Treat internal-tls as an evaluation or tightly-controlled private-network mode, not the default long-lived production path.

What happens next

After first boot:

  1. Create your admin account
  2. Enter your Walter license key if it was not preseeded
  3. Enter your LLM provider details if they were not preseeded
  4. Add your first turf from the Walter sidebar