Sovereign Server

Your server. Your gate. Access from any device. One command.

What This Is

Deploy LimenGate on a VPS you control. The entire sovereign computing environment — Guardian, Education, Office, Archive, Etymology — runs on your server. Your family accesses it from any device with a web browser. No install on the client.

Your own VPS. One command. Full sovereignty. Not Google’s server. Not Apple’s server. Your server.

Deploy

From bare Ubuntu VPS to fully running LimenGate.

Verified install (recommended):

# Download, verify, then run
curl -sSL https://limengate.quest/sovereign-vps.sh -o sovereign-vps.sh
sha256sum sovereign-vps.sh
# Compare with: https://limengate.quest/sovereign-vps.sh.sha256
bash sovereign-vps.sh

Quick install (trust the pipe):

curl -sSL https://limengate.quest/sovereign-vps.sh | bash

The sovereignty of the deploy begins with the deploy command. We publish the SHA-256 hash so you can verify before you run.

What It Installs

1. System Dependencies

Build tools, graphics libraries, fonts, Xvfb virtual framebuffer.

2. Entropy Check

Verifies system entropy before generating cryptographic keys. Installs haveged if needed. Keys generated from thin entropy on a fresh VPS are a known weakness — this prevents it.

3. Rust & LimenGate

Rust 1.92.0 stable. LimenGate built from source via FlameHub. Installed to /usr/local/bin/.

4. Trinity Keys

Ed25519 witness key generated for the VPS node. Idempotent — safe to re-run. Keys stored at ~/.limen/flamenet/keys/ with 0600 permissions.

5. Headless Services

systemd services for LimenGate + VNC. Starts on boot. Restarts on failure. Named per user for legibility.

6. Education Layer

Kolibri, Stellarium, GCompris, PhET, Gutenberg library — all configured for offline use.

How to Connect

🖥

SSH X11 Forwarding

Native iced UI on your local display. Best performance from a Linux or macOS machine.

ssh -X user@your-server limengate

Note: X11 forwarding over WAN will feel slower than local. This is the honest characteristic of remote display, not a bug.

🌐

Web Browser (Guacamole)

Access from any device — phone, tablet, laptop. No install on the client. Apache Guacamole serves the UI over HTTPS.

bash scripts/guacamole-setup.sh

Adds web access after the base server is running.

Family Setup

Add family members. Each gets their own profile, their own display, their own Guardian settings. The child’s record belongs to their profile.

# Add children (age enables Guardian auto-activate)
bash scripts/multiuser-setup.sh add kai 8
bash scripts/multiuser-setup.sh add nova 12
bash scripts/multiuser-setup.sh add zuri 6

# Add parent (no age = no Guardian auto-activate)
bash scripts/multiuser-setup.sh add parent

# See all users and status
bash scripts/multiuser-setup.sh list

Display allocation is static and deterministic: Slot 0 → display :99, Slot 1 → :100, Slot 2 → :101. Each user’s display is known and stable. systemctl status shows whose gate is running — “LimenGate — kai (display :100)”.

Remote Access Consent

What your family members see on first connection:

You are connecting to a LimenGate instance running on a remote server.

Your browsing data, Guardian logs, consent records, and documents are stored on that server — not on this device.

The connection between this device and the server is encrypted. No data is transmitted to third parties.

The server is controlled by your family. It is not operated by LimenGate, FlameNet, or any external organization.

I understand and consent to this connection.

This ceremony fires once per device. The timestamp is logged. The user can revoke connection consent at any time.

Full Disclosure

  • ✔ Your server, your data. We have no access.
  • ✔ Zero telemetry in the server deployment.
  • ✔ All traffic between client and server is encrypted.
  • ✔ Script integrity verifiable via published SHA-256 hash.
  • ✔ Re-runnable and idempotent. Safe to run twice.
  • ✔ Built from source on your server. No pre-built binaries.
  • ✔ Trinity Keys generated with verified entropy.
Download for Desktop Child AI Guardian