Updates & Maintenance
Updating Parako.ID
Section titled “Updating Parako.ID”Tarball installs (recommended)
Section titled “Tarball installs (recommended)”If you installed via the one-liner at https://get.parako.id, upgrade with:
curl -sSL https://get.parako.id | bash -s -- --updateThis is the same script that handled the install. In --update mode it:
- Detects the existing install at
INSTALL_DIR(default/opt/parako-idfor sudo installs, otherwise./parako-id) - Reads the supervisor (
systemdorpm2) from the.supervisormarker written at install time - Snapshots the install directory to
*.backup.YYYYMMDDHHMMSS - Stops the service
- Downloads and verifies the new tarball (SHA256)
- Extracts to a sibling
*.new.YYYYMMDDHHMMSSdirectory - Preserves your instance state across the swap. Specifically:
.env,.supervisormarker,data/(SQLite DB + uploads),logs/runtime/jwks/— signing keysruntime/views/— instance custom view overridesruntime/assets/— instance custom theme assetsruntime/config-backups/— admin-saved config snapshots- Only
runtime/locales/is refreshed from the new tarball (so new translations land)
- Runs database migrations against the new code (
yarn db:migrate:deployfor PostgreSQL oryarn db:pushfor SQLite — MongoDB is no-op) - Atomically swaps directories (old archived as
*.old.YYYYMMDDHHMMSS) - Starts the service via the recorded supervisor
- Health-checks
http://127.0.0.1:<port>/.well-known/openid-configurationfor up to 30 seconds - Automatically rolls back if the health check fails — old version is restored, broken upgrade is preserved at
*.failed.YYYYMMDDHHMMSSfor inspection
Pin a specific version with --update --version X.Y.Z. Pass --force to skip the confirmation prompt.
After a successful upgrade, you can clean up the snapshots:
rm -rf /opt/parako-id.backup.* /opt/parako-id.old.*Source / dev installs
Section titled “Source / dev installs”For installations cloned via git clone:
git pullyarn installyarn db:migrate:deploy # PostgreSQL onlyyarn buildyarn restartThere is no automatic rollback for source installs. Take a database backup first if upgrading across schema changes.
Rolling back manually (any install method)
Section titled “Rolling back manually (any install method)”If you need to revert without triggering the automatic rollback (e.g., to roll back days after a successful upgrade):
# Tarball: restore from backup snapshotsudo systemctl stop parako-id parako-id-worker # or pm2 stopsudo mv /opt/parako-id /opt/parako-id.brokensudo mv /opt/parako-id.backup.YYYYMMDDHHMMSS /opt/parako-idsudo systemctl start parako-id parako-id-worker
# Source: checkout previous taggit checkout <previous-tag>yarn installyarn buildyarn restartIf the upgrade modified the database schema, restore the database from a pre-upgrade backup before reverting application code.
Key Rotation
Section titled “Key Rotation”JWKS signing keys should be rotated periodically. Parako.ID supports automatic and manual rotation.
Automatic Rotation
Section titled “Automatic Rotation”Configure automatic rotation in security.key_store:
{ "security": { "key_store": { "rotation_interval_days": 90, "overlap_window_seconds": 7200, "algorithms": ["RS256", "ES256", "EdDSA"], }, },}Keys are rotated every 90 days by default. During the overlap window (2 hours), both old and new keys are valid for token verification. This ensures tokens signed with the old key remain valid until they expire.
Manual Rotation
Section titled “Manual Rotation”Rotate keys via the admin panel at /admin or the Management API (POST /api/v1/jwks/rotate with parako:jwks:rotate scope). Inspect current keys via GET /api/v1/jwks (scope parako:jwks:read).
The keys CLI exposes only generate, used for first-boot bootstrap; production rotation/listing is handled by the DB-backed key store. See CLI Tools and Security.
Database Maintenance
Section titled “Database Maintenance”MongoDB
Section titled “MongoDB”MongoDB handles most maintenance automatically. Periodic tasks:
# Check index usagemongosh parako --eval "db.users.getIndexes()"
# Compact a collection (reclaim disk space)mongosh parako --eval "db.runCommand({compact: 'activities'})"
# View collection statsmongosh parako --eval "db.stats()"PostgreSQL
Section titled “PostgreSQL”# Run VACUUM to reclaim spacepsql -d parako -c "VACUUM ANALYZE;"
# Check table sizespsql -d parako -c "SELECT relname, pg_size_pretty(pg_total_relation_size(relid)) FROM pg_catalog.pg_statio_user_tables ORDER BY pg_total_relation_size(relid) DESC;"
# Run pending migrationsyarn db:migrate:deploySQLite
Section titled “SQLite”SQLite maintenance is minimal. For backup, see SQLite Backup with Litestream.
# Check database integritysqlite3 data/parako.db "PRAGMA integrity_check;"
# Check database sizels -lh data/parako.dbLogging
Section titled “Logging”Parako.ID uses Pino for structured JSON logging in production and pretty-printed logs in development.
Configuration
Section titled “Configuration”| Variable | Default | Description |
|---|---|---|
SECURITY_LOGGING_ENABLED | true | Enable logging |
SECURITY_LOGGING_LEVEL | info | Log level: trace, debug, info, warn, error, fatal |
SECURITY_LOGGING_PRETTY_PRINT | true | Pretty-print (development only) |
SECURITY_LOGGING_FILE_LOGGING_ENABLED | true | Write logs to files |
SECURITY_LOGGING_FILE_LOGGING_DIRECTORY | logs | Log directory |
Log Levels
Section titled “Log Levels”| Level | Use |
|---|---|
fatal | Unrecoverable errors |
error | Operation failures |
warn | Unexpected conditions that are handled |
info | Normal operations (default) |
debug | Detailed operational information |
trace | Very detailed debugging |
Viewing Logs
Section titled “Viewing Logs”# PM2 logspm2 logs # All logspm2 logs parako-id # Application onlypm2 logs parako-id-worker # Worker onlypm2 monit # PM2 monitoring dashboard
# Systemd logsjournalctl -u parako-id -fjournalctl -u parako-id-worker -f
# Log filestail -f logs/pm2_output.logtail -f logs/pm2_error.logIn production, set SECURITY_LOGGING_PRETTY_PRINT=false to output JSON for log aggregation tools (ELK, Datadog, etc.).
Monitoring
Section titled “Monitoring”Prometheus Metrics
Section titled “Prometheus Metrics”Enable the built-in Prometheus metrics endpoint:
{ "features": { "metrics": { "enabled": true, "path": "/metrics", "include_default_metrics": true, "prefix": "parako_", }, },}Scrape https://your-parako.example.com/metrics with Prometheus.
PM2 Monitoring
Section titled “PM2 Monitoring”# Real-time process monitoringpm2 monit
# Process list with CPU/memorypm2 listHealth Check
Section titled “Health Check”The Management API provides a health check endpoint:
curl https://your-parako.example.com/api/v1/stats/health \ -H "Authorization: Bearer API_TOKEN"Activity Audit Log
Section titled “Activity Audit Log”Parako.ID logs all security-relevant events to the activity log, stored in the database.
Logged Events
Section titled “Logged Events”- User registration, login, logout
- Password changes and resets
- MFA setup, verification, and removal
- Social login linking and unlinking
- OIDC client CRUD operations
- Admin actions (user management, settings changes)
- Session creation, switching, and revocation
- Failed authentication attempts
- Configuration changes
Viewing the Audit Log
Section titled “Viewing the Audit Log”- Admin panel — Navigate to
/adminand view the Activity Log section - Management API —
GET /api/v1/auditwithparako:audit:readscope - CSV export — Export filtered results from the admin panel
Filtering
Section titled “Filtering”Filter audit entries by:
- Event type
- User
- IP address
- Date range
- Tenant (in multi-tenant mode)