CronFu Agent
The cronfu-agent is a daemon that runs on your server, automatically discovers cron jobs, and optionally enables remote management — all secured by HMAC-signed commands.
Installation
curl -fsSL https://app.cronfu.dev/agent/install | bash
The installer:
- Downloads the latest binary for your platform (Linux/macOS, amd64/arm64)
- Verifies the SHA-256 checksum
- Installs to
/usr/local/bin/cronfu-agent - Creates a
cronfu-agentsystem user (Linux) - Installs and enables a systemd service (Linux with systemd)
Provisioning
Before running the setup wizard, create an agent in the CronFu dashboard:
- Go to Settings → Agents and click Create Agent
- The response includes three credentials:
- Agent key (
cfu_agent_...) — authenticates this agent to the gateway - Telemetry key (
cfu_tel_...) — used for forwarding ping results - HMAC secret — the account-level secret for verifying signed commands
- Agent key (
Save these credentials — the HMAC secret is only shown once.
Interactive Setup
Run the setup wizard to configure the agent:
cronfu-agent --setup
The default flow uses OAuth 2.1 + PKCE — it prints a URL you open in any browser (works on headless servers):
- Agent prints an authorization URL
- Open the URL in any browser and sign in
- A callback page displays a one-time authorization code
- Paste the code back into the terminal
- The agent creates itself via the API and writes config automatically
For environments without browser access, use manual mode:
cronfu-agent --setup --manual
Manual mode prompts for each credential individually:
| Prompt | Default | Validation |
|---|---|---|
| Gateway URL | wss://gw.cronfu.dev/ws | — |
| Agent key | — | Must start with cfu_agent_ |
| Telemetry key | — | Must start with cfu_tel_ (optional) |
| HMAC secret | — | Required, input hidden |
| Enable remote control | No | y/N |
Configuration is saved to ~/.cronfu/agent.yml with restricted permissions (0600).
systemd Integration
On Linux with systemd, the installer creates /etc/systemd/system/cronfu-agent.service:
[Unit]
Description=CronFu Agent
After=network.target
[Service]
Type=simple
User=cronfu-agent
ExecStart=/usr/local/bin/cronfu-agent
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
Manage the service:
sudo systemctl status cronfu-agent # Check status
sudo systemctl restart cronfu-agent # Restart after config changes
sudo journalctl -u cronfu-agent -f # View logs
Automatic Discovery
The agent periodically scans for cron jobs (default: every 5 minutes) from:
- Current user's crontab
/etc/crontab/etc/cron.d/*- systemd timers (Linux)
Discovered jobs appear in the dashboard under Settings → Agents → [agent name] as "Discovered" state monitors. From there you can promote them to active monitors with one click.
Remote Control
When enabled, the agent can execute commands sent from the dashboard. Remote control is disabled by default — opt in explicitly during setup or by setting enable_remote_control: true in the config file.
Security Model
All remote commands are secured with HMAC-SHA256 signed payloads:
- Signature format:
HMAC-SHA256(id:command_type:nonce:issued_at:expires_at:sha256(payload)) - Nonce replay protection: Each command includes a unique nonce; the agent rejects reused nonces
- 5-minute expiry: Commands expire 5 minutes after issuance; expired commands are rejected
- Metacharacter rejection: Shell metacharacters in command payloads are rejected
Command Allowlist
Restrict which commands can be executed remotely by setting a command_allowlist in the config:
enable_remote_control: true
command_allowlist:
- /usr/local/bin/backup.sh
- /opt/scripts/cleanup.py
When a command allowlist is set, only listed commands can be executed. If the allowlist is empty and remote control is enabled, all commands are allowed (use with caution).
Configuration Reference
All settings in ~/.cronfu/agent.yml (environment variables override YAML values):
| Config Key | Env Var | Default | Required | Description |
|---|---|---|---|---|
gateway_url | CRONFU_GATEWAY_URL | — | Yes | WebSocket gateway endpoint |
agent_key | CRONFU_AGENT_KEY | — | Yes | Agent authentication key (cfu_agent_) |
hmac_secret | CRONFU_HMAC_SECRET | — | Yes | Account-level HMAC signing secret |
telemetry_key | CRONFU_TELEMETRY_KEY | — | No | Telemetry key for ping forwarding (cfu_tel_) |
enable_remote_control | CRONFU_ENABLE_REMOTE_CONTROL | false | No | Enable remote command execution |
discover_interval | CRONFU_DISCOVER_INTERVAL | 5m | No | How often to scan for cron jobs |
heartbeat_interval | CRONFU_HEARTBEAT_INTERVAL | 30s | No | How often to send heartbeats |
snapshot_interval | CRONFU_SNAPSHOT_INTERVAL | 1h | No | How often to send system snapshots |
command_allowlist | CRONFU_COMMAND_ALLOWLIST | — | No | Comma-separated list of allowed commands |
Duration values accept Go format: 30s, 5m, 1h, or plain seconds.
The config file must have restricted permissions — the agent rejects files readable by group or others.