Control Plane · A workshop tool by Old Forge
Cross-tenant view for platform admins. Lists every tenant in the fleet with rough activity stats, plus flat lists of all agents and recent runs across tenants. Use the Switch button on a tenant card to act as that tenant for the rest of your session.
Snapshot of agents, runs, repos and schedules in this tenant. Click any tile to jump to the relevant tab.
Agents enrol into a group. Groups belong to a site, sites belong to an organization. Each group has its own enrollment token. The bootstrapped Default rows are recreated on every server start — they can be renamed but not deleted.
Repositories defined here are owned by the control plane. Their secrets — repository password, network credentials, env vars — are sealed with the server's KEK and stored encrypted at rest. Slice 3 will push resolved values down to assigned agents over NATS; for now this is the staging area.
A schedule is a backup job defined here on the control plane and pushed to assigned agents. Each one binds to a server-owned repository and carries paths, excludes, tags, schedule, and the full set of restic options. Assigned agents pick it up over NATS and run it via their local scheduler — no agent UI changes needed.
Where Mantrinol sends an alert when a backup fails or an agent's coverage goes stale (no good backup in N hours). Add one or more destinations — generic webhook, Slack, Microsoft Teams, Discord, email (SMTP), or PagerDuty. Secrets (URLs, passwords, routing keys) are sealed with the server's KEK and are never shown again after saving. Use Test on a channel to send a sample alert.
Manage the tenant you're currently acting on: rename it, invite Old Forge users in, set their roles. Invites are consumed on the invitee's next sign-in — they don't receive an email; just send them the server.mantrinol.com URL.
Agents enrol via POST /api/v1/agents/register, then receive commands over per-agent NATS subjects of the form mantrinol.{tenant}.{org}.{site}.{group}.{agent}.command. Status, heartbeat, and job lifecycle traffic flows back over the matching .status / .job.* subjects, signed with HMAC-SHA256 using each agent's per-registration secret. See ROADMAP_TODO.md in the repo for what's done and what's next.
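The signing scheme described above, sketched as an added example; this is not Mantrinol's own code. The subject layout and HMAC-SHA256 come from the page, while the {ts, body, sig} envelope, the subject binding, the 300-second freshness window and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Assumed envelope {ts, body, sig}; the page does not document the wire format.
MAX_SKEW_SECONDS = 300  # assumed freshness window, not a Mantrinol setting

def status_subject(tenant, org, site, group, agent):
    # Subject layout as given on the page, with the .status suffix.
    return f"mantrinol.{tenant}.{org}.{site}.{group}.{agent}.status"

def _mac(secret: bytes, subject: str, ts: int, body: bytes) -> str:
    # Length-prefix each field so (subject, ts, body) cannot be re-split
    # into a different triple that produces the same MAC input.
    parts = [subject.encode(), str(ts).encode(), body]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def sign_status(secret: bytes, subject: str, payload: dict, now=None) -> bytes:
    ts = int(time.time() if now is None else now)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    sig = _mac(secret, subject, ts, body.encode())
    return json.dumps({"ts": ts, "body": body, "sig": sig}).encode()

def verify_status(secrets_by_agent: dict, subject: str, wire: bytes, now=None):
    """Return the payload dict if authentic and fresh, else None."""
    now = time.time() if now is None else now
    fields = subject.split(".")
    if len(fields) != 7 or fields[0] != "mantrinol" or fields[6] != "status":
        return None
    # The key is chosen by the agent token of the subject, and the subject is
    # inside the MAC, so a message cannot be replayed on another subject.
    secret = secrets_by_agent.get(fields[5])
    if secret is None:
        return None
    try:
        env = json.loads(wire)
        ts, body, sig = int(env["ts"]), str(env["body"]), str(env["sig"])
    except (ValueError, KeyError, TypeError):
        return None
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None
    expected = _mac(secret, subject, ts, body.encode())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return json.loads(body)
```

The timestamp check only narrows the replay window; rejecting a repeated message inside that window would need a per-agent sequence number or nonce cache on the server.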
# Start the agent against this server
restic-agent.exe --no-daemon \
  --server-url=http://localhost:8090

# Trigger a backup
curl -X POST http://localhost:8090/api/v1/agents/{id}/run-backup \
  -H "Authorization: Bearer $MANTRINOL_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"paths":["C:/temp"],"repo_path":"C:/temp/repo","repo_password":"x"}'