Merge pull request #683 from SkynetLabs/caddyfile-defaults
default Caddyfile configuration to our production servers
This commit is contained in:
commit
dab7397008
|
@ -1,30 +1,41 @@
|
||||||
(custom.domain) {
|
# This block below is optional if you want to generate an internal certificate for the server ip address.
|
||||||
{$DOMAIN_NAME} {
|
# It is useful in case you have services trying to reach the server through ip and not domain like health checks.
|
||||||
tls {$EMAIL_ADDRESS}
|
# It will generate an internal certificate so browsers will warn you when connecting but that not a problem.
|
||||||
reverse_proxy nginx:80
|
|
||||||
|
:443 {
|
||||||
|
tls internal {
|
||||||
|
on_demand
|
||||||
}
|
}
|
||||||
|
|
||||||
|
reverse_proxy nginx:80
|
||||||
}
|
}
|
||||||
|
|
||||||
(siasky.net) {
|
# Make sure you have SSL_CERTIFICATE_STRING specified in .env file because you need it to fetch correct certificates.
|
||||||
siasky.net, *.siasky.net, *.hns.siasky.net {
|
# It needs to have at least 3 parts, the absolute part (ie. example.com), the wildcard part (ie. *.example.com) and
|
||||||
tls {
|
# the hns wildcard part (ie. *.hns.example.com). The resulting string should look like:
|
||||||
dns route53 {
|
# example.com, *.example.com, *.hns.example.com
|
||||||
max_retries 50
|
# In addition, if you are running multiple servers for the single portal like we do on siasky.net, you might want to
|
||||||
}
|
# add an aliased string that is going to help you access and distinguish between servers, the result would look like:
|
||||||
|
# example.com, *.example.com, *.hns.example.com, *.germany.example.com, *.hns.germany.example.com
|
||||||
|
# Note that you don't need to specify the absolute part for the alias since it's already covered in the wildcard part
|
||||||
|
# of the original certificate string (*.example.com).
|
||||||
|
|
||||||
|
{$SSL_CERTIFICATE_STRING} {
|
||||||
|
# If you want to use basic http-01 (basic, good for one server setup) certificate challenge
|
||||||
|
# then uncomment the line below and make sure you have EMAIL_ADDRESS specified in .env file
|
||||||
|
# and comment the tls block that contains the dns challenge configuration.
|
||||||
|
|
||||||
|
# tls {$EMAIL_ADDRESS}
|
||||||
|
|
||||||
|
tls {
|
||||||
|
# We are using route53 as our dns provider and it requires additional AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
|
||||||
|
# environment variables in .env file. You can use other providers by using specific package from
|
||||||
|
# https://github.com/caddy-dns in the docker/caddy/Dockerfile instead of our route53 one.
|
||||||
|
|
||||||
|
dns route53 {
|
||||||
|
max_retries 50
|
||||||
}
|
}
|
||||||
reverse_proxy nginx:80
|
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
(localhost) {
|
reverse_proxy nginx:80
|
||||||
:443 {
|
|
||||||
tls internal {
|
|
||||||
on_demand
|
|
||||||
}
|
|
||||||
reverse_proxy nginx:80
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
import localhost
|
|
||||||
# import custom.domain
|
|
||||||
# import siasky.net
|
|
||||||
|
|
|
@ -48,7 +48,7 @@ You a can now ssh into your machine as the user `user`.
|
||||||
**Following step will be executed on remote host logged in as a `user`:**
|
**Following step will be executed on remote host logged in as a `user`:**
|
||||||
|
|
||||||
1. `sudo apt-get install git -y` to install git
|
1. `sudo apt-get install git -y` to install git
|
||||||
1. `git clone https://github.com/NebulousLabs/skynet-webportal`
|
1. `git clone https://github.com/SkynetLabs/skynet-webportal`
|
||||||
1. `cd skynet-webportal`
|
1. `cd skynet-webportal`
|
||||||
1. run setup scripts in the exact order and provide sudo password when asked (if one of them fails, you can retry just this one before proceeding further)
|
1. run setup scripts in the exact order and provide sudo password when asked (if one of them fails, you can retry just this one before proceeding further)
|
||||||
1. `/home/user/skynet-webportal/setup-scripts/setup-server.sh`
|
1. `/home/user/skynet-webportal/setup-scripts/setup-server.sh`
|
||||||
|
@ -81,14 +81,15 @@ At this point we have almost everything running, we just need to set up your wal
|
||||||
### Step 4: configuring docker services
|
### Step 4: configuring docker services
|
||||||
|
|
||||||
1. edit `/home/user/skynet-webportal/.env` and configure following environment variables
|
1. edit `/home/user/skynet-webportal/.env` and configure following environment variables
|
||||||
- `DOMAIN_NAME` (optional) is your domain name if you have it
|
|
||||||
- `EMAIL_ADDRESS` (required) is your email address used for communication regarding SSL certification (required)
|
- `SSL_CERTIFICATE_STRING` is a list of comma separated paths that caddy will generate ssl certificates for
|
||||||
- `SIA_WALLET_PASSWORD` (required) is your wallet password (or seed if you did not set a password)
|
- `EMAIL_ADDRESS` is your email address used for communication regarding SSL certification (required if you're using http-01 challenge)
|
||||||
- `HSD_API_KEY` (optional) this is a random security key for a handshake integration that gets generated automatically
|
- `SIA_WALLET_PASSWORD` is your wallet password (or seed if you did not set a password)
|
||||||
|
- `HSD_API_KEY` this is a random security key for a handshake integration that gets generated automatically
|
||||||
- `CLOUDFLARE_AUTH_TOKEN` (optional) if using cloudflare as dns loadbalancer (need to change it in Caddyfile too)
|
- `CLOUDFLARE_AUTH_TOKEN` (optional) if using cloudflare as dns loadbalancer (need to change it in Caddyfile too)
|
||||||
- `AWS_ACCESS_KEY_ID` (optional) if using route53 as a dns loadbalancer
|
- `AWS_ACCESS_KEY_ID` (optional) if using route53 as a dns loadbalancer
|
||||||
- `AWS_SECRET_ACCESS_KEY` (optional) if using route53 as a dns loadbalancer
|
- `AWS_SECRET_ACCESS_KEY` (optional) if using route53 as a dns loadbalancer
|
||||||
- `PORTAL_NAME` (optional) e.g. `siasky.xyz`
|
- `PORTAL_NAME` a string representing name of your portal e.g. `siasky.xyz` or `my skynet portal`
|
||||||
- `DISCORD_BOT_TOKEN` (optional) if you're using Discord notifications for health checks and such
|
- `DISCORD_BOT_TOKEN` (optional) if you're using Discord notifications for health checks and such
|
||||||
- `SKYNET_DB_USER` (optional) if using `accounts` this is the MongoDB username
|
- `SKYNET_DB_USER` (optional) if using `accounts` this is the MongoDB username
|
||||||
- `SKYNET_DB_PASS` (optional) if using `accounts` this is the MongoDB password
|
- `SKYNET_DB_PASS` (optional) if using `accounts` this is the MongoDB password
|
||||||
|
@ -100,8 +101,6 @@ At this point we have almost everything running, we just need to set up your wal
|
||||||
- `S3_BACKUP_PATH` (optional) is using `accounts` and backing up the databases to S3. This path should be an S3 bucket
|
- `S3_BACKUP_PATH` (optional) is using `accounts` and backing up the databases to S3. This path should be an S3 bucket
|
||||||
with path to the location in the bucket where we want to store the daily backups.
|
with path to the location in the bucket where we want to store the daily backups.
|
||||||
|
|
||||||
1. if you have a custom domain and you configured it in `DOMAIN_NAME`, edit `/home/user/skynet-webportal/docker/caddy/Caddyfile` and uncomment `import custom.domain`
|
|
||||||
1. only for siasky.net domain instances: edit `/home/user/skynet-webportal/docker/caddy/Caddyfile`, uncomment `import siasky.net`
|
|
||||||
1. `docker-compose up -d` to restart the services so they pick up new env variables
|
1. `docker-compose up -d` to restart the services so they pick up new env variables
|
||||||
1. `docker exec caddy caddy reload --config /etc/caddy/Caddyfile` to reload Caddyfile configuration
|
1. `docker exec caddy caddy reload --config /etc/caddy/Caddyfile` to reload Caddyfile configuration
|
||||||
1. add your custom Kratos configuration to `/home/user/skynet-webportal/docker/kratos/config/kratos.yml` (in particular, the credentials for your mail server should be here, rather than in your source control). For a starting point you can take `docker/kratos/config/kratos.yml.sample`.
|
1. add your custom Kratos configuration to `/home/user/skynet-webportal/docker/kratos/config/kratos.yml` (in particular, the credentials for your mail server should be here, rather than in your source control). For a starting point you can take `docker/kratos/config/kratos.yml.sample`.
|
||||||
|
@ -120,16 +119,17 @@ To configure this on your portal, you have to make sure to configure the followi
|
||||||
|
|
||||||
We need to ensure SSL encryption for skapps that are accessed through their
|
We need to ensure SSL encryption for skapps that are accessed through their
|
||||||
subdomain, therefore we need to have a wildcard certificate. This is very easily
|
subdomain, therefore we need to have a wildcard certificate. This is very easily
|
||||||
achieved using Caddy.
|
achieved using wildcard certificates in Caddy.
|
||||||
|
|
||||||
```
|
```
|
||||||
(siasky.net) {
|
{$SSL_CERTIFICATE_STRING} {
|
||||||
siasky.net, *.siasky.net, *.hns.siasky.net {
|
...
|
||||||
...
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Where `SSL_CERTIFICATE_STRING` environment variable should contain the wildcard for subdomains (ie. _.example.com) and
|
||||||
|
wildcard for hns subdomains (ie. _.hns.example.com).
|
||||||
|
|
||||||
(see [docker/caddy/Caddyfile](../docker/Caddy/Caddyfile))
|
(see [docker/caddy/Caddyfile](../docker/Caddy/Caddyfile))
|
||||||
|
|
||||||
### Nginx configuration
|
### Nginx configuration
|
||||||
|
|
|
@ -21,7 +21,7 @@ sudo chmod +x /usr/local/bin/docker-compose
|
||||||
docker-compose --version # sanity check
|
docker-compose --version # sanity check
|
||||||
|
|
||||||
# Create dummy .env file for docker-compose usage with variables
|
# Create dummy .env file for docker-compose usage with variables
|
||||||
# * DOMAIN_NAME - the domain name your server is using ie. example.com
|
# * SSL_CERTIFICATE_STRING - certificate string that will be used to generate ssl certificates, read more in docker/caddy/Caddyfile
|
||||||
# * SKYNET_PORTAL_API - absolute url to the portal api ie. https://example.com
|
# * SKYNET_PORTAL_API - absolute url to the portal api ie. https://example.com
|
||||||
# * SKYNET_DASHBOARD_URL - (optional) absolute url to the portal dashboard ie. https://account.example.com
|
# * SKYNET_DASHBOARD_URL - (optional) absolute url to the portal dashboard ie. https://account.example.com
|
||||||
# * EMAIL_ADDRESS - this is the administrator contact email you need to supply for communication regarding SSL certification
|
# * EMAIL_ADDRESS - this is the administrator contact email you need to supply for communication regarding SSL certification
|
||||||
|
@ -43,7 +43,7 @@ docker-compose --version # sanity check
|
||||||
# * CR_CLUSTER_NODES - (optional) if using `accounts` the list of servers (with ports) which make up your CockroachDB cluster, e.g. `helsinki.siasky.net:26257,germany.siasky.net:26257,us-east.siasky.net:26257`
|
# * CR_CLUSTER_NODES - (optional) if using `accounts` the list of servers (with ports) which make up your CockroachDB cluster, e.g. `helsinki.siasky.net:26257,germany.siasky.net:26257,us-east.siasky.net:26257`
|
||||||
if ! [ -f /home/user/skynet-webportal/.env ]; then
|
if ! [ -f /home/user/skynet-webportal/.env ]; then
|
||||||
HSD_API_KEY=$(openssl rand -base64 32) # generate safe random key for handshake
|
HSD_API_KEY=$(openssl rand -base64 32) # generate safe random key for handshake
|
||||||
printf "DOMAIN_NAME=example.com\nSKYNET_PORTAL_API=https://example.com\nSKYNET_DASHBOARD_URL=https://account.example.com\nEMAIL_ADDRESS=email@example.com\nSIA_WALLET_PASSWORD=\nHSD_API_KEY=${HSD_API_KEY}\nCLOUDFLARE_AUTH_TOKEN=\nAWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\nPORTAL_NAME=\nDISCORD_BOT_TOKEN=\n" > /home/user/skynet-webportal/.env
|
printf "SSL_CERTIFICATE_STRING=example.com, *.example.com, *.hns.example.com\nSKYNET_PORTAL_API=https://example.com\nSKYNET_DASHBOARD_URL=https://account.example.com\nEMAIL_ADDRESS=email@example.com\nSIA_WALLET_PASSWORD=\nHSD_API_KEY=${HSD_API_KEY}\nCLOUDFLARE_AUTH_TOKEN=\nAWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\nPORTAL_NAME=\nDISCORD_BOT_TOKEN=\n" > /home/user/skynet-webportal/.env
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Start docker container with nginx and client
|
# Start docker container with nginx and client
|
||||||
|
|
Reference in New Issue