Complete reference for the bedrud command-line interface.
Synopsis
# Subcommand style
bedrud <command> [flags]
# Flag style
bedrud --livekit --config <path>
bedrud --run --config <path>Commands
run / server
Start the Bedrud meeting server with API, embedded web frontend, and embedded LiveKit (if configured).
bedrud run [--config <path>]
bedrud server [--config <path>]| Flag | Default | Description |
|---|---|---|
--config | $CONFIG_PATH env var → "config.yaml" | Path to Bedrud YAML config file |
Behavior:
- Loads config from specified path or defaults
- Starts embedded LiveKit if configured for internal mode
- Initializes SQLite/PostgreSQL database and runs migrations
- Creates Fiber HTTP server with all API routes
- Serves embedded React frontend
- Supports ACME (Let’s Encrypt), self-signed TLS, manual TLS, or plain HTTP
- Graceful shutdown on SIGTERM/SIGINT
Implementation: server/internal/server/server.go
--livekit
Start the embedded LiveKit media server only. Extracts binary from Go embed to a temporary directory.
bedrud --livekit --config <path>| Flag | Default | Description |
|---|---|---|
--config | (required) | Path to LiveKit YAML config file |
Used by: init livekit service created by bedrud install
Implementation: server/internal/livekit/server.go
--run
Alias for bedrud run with same --config flag behavior. Used by init bedrud service.
bedrud --run --config <path>install
Install Bedrud on a Debian/Linux system. Creates init services (systemd, OpenRC, or SysV init — auto-detected), config files, directories, and TLS certificates.
bedrud install [flags]| Flag | Default | Description |
|---|---|---|
--tls | false | Enable HTTPS (same as --self-signed) |
--self-signed | false | Generate self-signed TLS certificate |
--no-tls | false | Disable TLS entirely (plain HTTP). Overrides --tls and --self-signed |
--ip | auto-detected | Override auto-detected server IP address |
--domain | "" | Domain name for Let’s Encrypt or self-signed cert |
--email | "" | Email for Let’s Encrypt registration |
--port | "443" (TLS) / "8090" (HTTP) | Override listening port |
--cert | "" | Path to existing PEM certificate file |
--key | "" | Path to existing PEM private key file |
--lk-port | "7880" | Override LiveKit API/WebSocket port |
--lk-tcp-port | "7881" | Override LiveKit RTC TCP port |
--lk-udp-port | "7882" | Override LiveKit RTC UDP port |
--fresh | false | Remove existing installation before installing |
--behind-proxy | false | Server is behind CDN/reverse-proxy (Cloudflare, nginx) |
--external-livekit | "" | URL of fully external LiveKit server (different machine) |
--livekit-domain | "" | Separate domain for local LiveKit server (bypasses CDN) |
What it does:
- Stops and removes prior installation if
--fresh - Prompts for IP, domain, email, TLS mode (if non-interactive and flags not provided)
- Creates directories:
/etc/bedrud,/var/lib/bedrud,/var/lib/bedrud/certs,/var/log/bedrud - Copies binary to
/usr/local/bin/bedrud - Generates Bedrud server config at
/etc/bedrud/config.yaml - Generates LiveKit media server config at
/etc/bedrud/livekit.yaml - Generates self-signed certs at
/etc/bedrud/cert.pem+/etc/bedrud/key.pem(if TLS enabled and no custom certs) - Creates LiveKit init service (unless using external LiveKit)
- Creates Bedrud init service
- Enables and starts services via detected init system
- Prints access URLs
TLS options:
--domain+--email→ ACME (Let’s Encrypt)--self-signedor--tls→ self-signed certificate--cert+--key→ custom certificates--no-tls→ plain HTTP only
LiveKit topology:
- Default (embedded): LiveKit runs locally, proxied through Bedrud at
/livekit --livekit-domain: LiveKit runs locally but clients connect directly via its own domain--external-livekit: No local LiveKit; connects to remote server
Implementation: server/internal/install/linux.go
Related docs: Installation Guide • Deployment Guide • Backend Deployment Logic
uninstall
Remove Bedrud from the system.
bedrud uninstallRemoves:
- Stops and disables services across all init systems:
bedrud,livekit - Removes service files for systemd, OpenRC, and SysV init
- Removes binary:
/usr/local/bin/bedrud,/tmp/bedrud,/tmp/bedrud-livekit-server - Removes directories:
/etc/bedrud,/var/lib/bedrud,/var/log/bedrud - Removes system user:
bedrud
Implementation: server/internal/install/ (linux.go, init.go, sysv.go, openrc.go)
Related docs: Installation Guide - Uninstalling
user
Manage users in the Bedrud database.
bedrud user [--config <path>] <subcommand> [flags]| Global Flag | Default | Description |
|---|---|---|
--config | /etc/bedrud/config.yaml | Path to Bedrud config file (to locate database) |
create
Create a new user with local authentication (bcrypt hashed password).
bedrud user [--config <path>] create --email <email> --password <password> --name <name> [--admin]Required flags:
--email: User email address--password: User password, hashed with bcrypt before storage--name: User display name
Optional flags:
--admin: Create user as superadmin
Access level: user by default. Use --admin to create a superadmin in one command.
delete
Delete a user by email address.
bedrud user [--config <path>] delete --email <email>promote
Set a user’s role by replacing their access array. Defaults to superadmin.
bedrud user [--config <path>] promote --email <email> [--role <role>]| Flag | Default | Description |
|---|---|---|
--role | superadmin | Target role: superadmin, admin, moderator, user, guest |
Examples:
# Grant superadmin (default)
bedrud user promote --email admin@example.com
# Grant admin
bedrud user promote --email admin@example.com --role admin
# Grant moderator
bedrud user promote --email mod@example.com --role moderatorEach role maps to a specific access array:
superadmin→['superadmin', 'user']admin→['admin', 'user']moderator→['moderator', 'user']user→['user']guest→['guest']
demote
Remove a specific role from a user. Defaults to removing superadmin.
bedrud user [--config <path>] demote --email <email> [--role <role>]| Flag | Default | Description |
|---|---|---|
--role | superadmin | Role to remove: superadmin, admin, moderator |
If the user has no remaining roles after removal, user access is added automatically.
Implementation: server/internal/usercli/usercli.go
cert
Manage TLS certificates. Relevant when using self-signed certificates (generated by bedrud install --self-signed).
bedrud cert [--config <path>] <subcommand>| Global Flag | Default | Description |
|---|---|---|
--config | /etc/bedrud/config.yaml | Path to Bedrud config file |
--algo | "" | Key algorithm: ed25519, ecdsa256, rsa2048, rsa4096 (default: detect from existing cert) |
renew
Force-renew the self-signed TLS certificate. Detects the existing certificate’s key algorithm and regenerates with the same type (default: Ed25519). The new certificate is valid for 1825 days (~5 years).
bedrud cert renew [--config <path>]The server also auto-renews the certificate daily via its built-in scheduler when it’s within 30 days of expiry. This command is for manual or out-of-band renewal.
SANs: Derived from the server config — domain (if set), plus localhost, 127.0.0.1, and ::1.
Implementation: server/internal/utils/tls.go (RenewSelfSignedCert)
info
Print TLS certificate metadata to stdout.
bedrud cert info [--config <path>]Output fields: subject, issuer, notBefore, notAfter, daysRemaining, status (valid/expiring/error), SANs.
Implementation: server/internal/utils/tls.go (ValidateTLSCertPair)
help
Show usage message with all commands and flags.
bedrud helpAlso triggered when no arguments are provided. Displays the printUsage() output.
Examples
Basic dev server start
# Run with default config.yaml in current directory
bedrud run
# Run with custom config
bedrud run --config /path/to/config.yaml
# Via env var (fallback)
export CONFIG_PATH=/etc/bedrud/config.yaml
bedrud runInteractive installation (prompts for inputs)
bedrud installNon-interactive installation with Let’s Encrypt
bedrud install --domain example.com --email admin@example.comSelf-signed TLS with custom ports
bedrud install --self-signed --port 8443 --lk-port 7880 --lk-tcp-port 7881 --lk-udp-port 7882Behind CDN with separate LiveKit domain
bedrud install --domain bedrud.example.com --email admin@example.com --livekit-domain lk.example.com --behind-proxyFresh reinstall
bedrud install --fresh --domain example.com --email admin@example.comUser management
# Create first admin user (single command)
bedrud user [--config <path>] create --email admin@example.com --password secret123 --name "Admin User" --admin
# Or create a regular user, then promote
bedrud user [--config <path>] create --email admin@example.com --password secret123 --name "Admin User"
bedrud user [--config <path>] promote --email admin@example.com
# Grant admin access (not superadmin)
bedrud user [--config <path>] promote --email admin@example.com --role admin
# Grant moderator access
bedrud user [--config <path>] promote --email mod@example.com --role moderator
# Create regular user
bedrud user [--config <path>] create --email user@example.com --password pass456 --name "Regular User"
# Remove a user
bedrud user [--config <path>] delete --email user@example.com
# Remove admin access
bedrud user [--config <path>] demote --email admin@example.com
# Remove moderator access, reverts to user
bedrud user [--config <path>] demote --email mod@example.com --role moderatorCertificate management
# Check certificate status
bedrud cert info --config /etc/bedrud/config.yaml
# Force-renew self-signed certificate
bedrud cert renew --config /etc/bedrud/config.yamlRelated Documentation
- Installation Guide - Detailed
bedrud installwalkthrough, TLS topologies, post-install steps - Configuration Reference - Server and LiveKit config file structure
- Backend Deployment Logic - How
installanduninstallwork internally - Deployment Guide - Full deployment options including init system services