Merge pull request #683 from SkynetLabs/caddyfile-defaults

default Caddyfile configuration to our production servers
2021-04-20 14:09:11 +02:00 · 2021-04-20 14:09:11 +02:00 · dab7397008
parent dec8e2305e ddf56dc21b
commit dab7397008
3 changed files with 50 additions and 39 deletions
--- a/docker/caddy/Caddyfile
+++ b/docker/caddy/Caddyfile
@ -1,30 +1,41 @@
-(custom.domain) {
-    {$DOMAIN_NAME} {
-        tls {$EMAIL_ADDRESS}
-        reverse_proxy nginx:80
-    }
-}
+# This block below is optional if you want to generate an internal certificate for the server ip address.
+# It is useful in case you have services trying to reach the server through ip and not domain like health checks.
+# It will generate an internal certificate so browsers will warn you when connecting but that not a problem.

-(siasky.net) {
-    siasky.net, *.siasky.net, *.hns.siasky.net {
-        tls {
-            dns route53 {
-                max_retries 50
-            }
-        }
-        reverse_proxy nginx:80
-    }
-}
-
-(localhost) {
 :443 {
    tls internal {
        on_demand
    }
+
    reverse_proxy nginx:80
 }
+
+# Make sure you have SSL_CERTIFICATE_STRING specified in .env file because you need it to fetch correct certificates.
+# It needs to have at least 3 parts, the absolute part (ie. example.com), the wildcard part (ie. *.example.com) and
+# the hns wildcard part (ie. *.hns.example.com). The resulting string should look like:
+# example.com, *.example.com, *.hns.example.com
+# In addition, if you are running multiple servers for the single portal like we do on siasky.net, you might want to
+# add an aliased string that is going to help you access and distinguish between servers, the result would look like:
+# example.com, *.example.com, *.hns.example.com, *.germany.example.com, *.hns.germany.example.com
+# Note that you don't need to specify the absolute part for the alias since it's already covered in the wildcard part 
+# of the original certificate string (*.example.com).
+
+{$SSL_CERTIFICATE_STRING} {
+    # If you want to use basic http-01 (basic, good for one server setup) certificate challenge
+    # then uncomment the line below and make sure you have EMAIL_ADDRESS specified in .env file
+    # and comment the tls block that contains the dns challenge configuration.
+
+    # tls {$EMAIL_ADDRESS}
+
+    tls {
+        # We are using route53 as our dns provider and it requires additional AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+        # environment variables in .env file. You can use other providers by using specific package from
+        # https://github.com/caddy-dns in the docker/caddy/Dockerfile instead of our route53 one.
+
+        dns route53 {
+            max_retries 50
+        }
    }

-import localhost
-# import custom.domain
-# import siasky.net
+    reverse_proxy nginx:80
+}
--- a/setup-scripts/README.md
+++ b/setup-scripts/README.md
@ -48,7 +48,7 @@ You a can now ssh into your machine as the user `user`.
 **Following step will be executed on remote host logged in as a `user`:**

 1. `sudo apt-get install git -y` to install git
-1. `git clone https://github.com/NebulousLabs/skynet-webportal`
+1. `git clone https://github.com/SkynetLabs/skynet-webportal`
 1. `cd skynet-webportal`
 1. run setup scripts in the exact order and provide sudo password when asked (if one of them fails, you can retry just this one before proceeding further)
   1. `/home/user/skynet-webportal/setup-scripts/setup-server.sh`
@ -81,14 +81,15 @@ At this point we have almost everything running, we just need to set up your wal
 ### Step 4: configuring docker services

 1. edit `/home/user/skynet-webportal/.env` and configure following environment variables
-   - `DOMAIN_NAME` (optional) is your domain name if you have it
-   - `EMAIL_ADDRESS` (required) is your email address used for communication regarding SSL certification (required)
-   - `SIA_WALLET_PASSWORD` (required) is your wallet password (or seed if you did not set a password)
-   - `HSD_API_KEY` (optional) this is a random security key for a handshake integration that gets generated automatically
+
+   - `SSL_CERTIFICATE_STRING` is a list of comma separated paths that caddy will generate ssl certificates for
+   - `EMAIL_ADDRESS` is your email address used for communication regarding SSL certification (required if you're using http-01 challenge)
+   - `SIA_WALLET_PASSWORD` is your wallet password (or seed if you did not set a password)
+   - `HSD_API_KEY` this is a random security key for a handshake integration that gets generated automatically
   - `CLOUDFLARE_AUTH_TOKEN` (optional) if using cloudflare as dns loadbalancer (need to change it in Caddyfile too)
   - `AWS_ACCESS_KEY_ID` (optional) if using route53 as a dns loadbalancer
   - `AWS_SECRET_ACCESS_KEY` (optional) if using route53 as a dns loadbalancer
-   - `PORTAL_NAME` (optional) e.g. `siasky.xyz`
+   - `PORTAL_NAME` a string representing name of your portal e.g. `siasky.xyz` or `my skynet portal`
   - `DISCORD_BOT_TOKEN` (optional) if you're using Discord notifications for health checks and such
   - `SKYNET_DB_USER` (optional) if using `accounts` this is the MongoDB username
   - `SKYNET_DB_PASS` (optional) if using `accounts` this is the MongoDB password
@ -100,8 +101,6 @@ At this point we have almost everything running, we just need to set up your wal
   - `S3_BACKUP_PATH` (optional) is using `accounts` and backing up the databases to S3. This path should be an S3 bucket
     with path to the location in the bucket where we want to store the daily backups.

-1. if you have a custom domain and you configured it in `DOMAIN_NAME`, edit `/home/user/skynet-webportal/docker/caddy/Caddyfile` and uncomment `import custom.domain`
-1. only for siasky.net domain instances: edit `/home/user/skynet-webportal/docker/caddy/Caddyfile`, uncomment `import siasky.net`
 1. `docker-compose up -d` to restart the services so they pick up new env variables
 1. `docker exec caddy caddy reload --config /etc/caddy/Caddyfile` to reload Caddyfile configuration
 1. add your custom Kratos configuration to `/home/user/skynet-webportal/docker/kratos/config/kratos.yml` (in particular, the credentials for your mail server should be here, rather than in your source control). For a starting point you can take `docker/kratos/config/kratos.yml.sample`.
@ -120,16 +119,17 @@ To configure this on your portal, you have to make sure to configure the followi

 We need to ensure SSL encryption for skapps that are accessed through their
 subdomain, therefore we need to have a wildcard certificate. This is very easily
-achieved using Caddy.
+achieved using wildcard certificates in Caddy.

 ```
-(siasky.net) {
-    siasky.net, *.siasky.net, *.hns.siasky.net {
+{$SSL_CERTIFICATE_STRING} {
    ...
 }
-}
 ```

+Where `SSL_CERTIFICATE_STRING` environment variable should contain the wildcard for subdomains (ie. _.example.com) and
+wildcard for hns subdomains (ie. _.hns.example.com).
+
 (see [docker/caddy/Caddyfile](../docker/Caddy/Caddyfile))

 ### Nginx configuration
--- a/setup-scripts/setup-docker-services.sh
+++ b/setup-scripts/setup-docker-services.sh
@ -21,7 +21,7 @@ sudo chmod +x /usr/local/bin/docker-compose
 docker-compose --version # sanity check

 # Create dummy .env file for docker-compose usage with variables
-# * DOMAIN_NAME - the domain name your server is using ie. example.com
+# * SSL_CERTIFICATE_STRING - certificate string that will be used to generate ssl certificates, read more in docker/caddy/Caddyfile
 # * SKYNET_PORTAL_API - absolute url to the portal api ie. https://example.com
 # * SKYNET_DASHBOARD_URL - (optional) absolute url to the portal dashboard ie. https://account.example.com
 # * EMAIL_ADDRESS - this is the administrator contact email you need to supply for communication regarding SSL certification
@ -43,7 +43,7 @@ docker-compose --version # sanity check
 # * CR_CLUSTER_NODES - (optional) if using `accounts` the list of servers (with ports) which make up your CockroachDB cluster, e.g. `helsinki.siasky.net:26257,germany.siasky.net:26257,us-east.siasky.net:26257`
 if ! [ -f /home/user/skynet-webportal/.env ]; then
    HSD_API_KEY=$(openssl rand -base64 32) # generate safe random key for handshake
-    printf "DOMAIN_NAME=example.com\nSKYNET_PORTAL_API=https://example.com\nSKYNET_DASHBOARD_URL=https://account.example.com\nEMAIL_ADDRESS=email@example.com\nSIA_WALLET_PASSWORD=\nHSD_API_KEY=${HSD_API_KEY}\nCLOUDFLARE_AUTH_TOKEN=\nAWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\nPORTAL_NAME=\nDISCORD_BOT_TOKEN=\n" > /home/user/skynet-webportal/.env
+    printf "SSL_CERTIFICATE_STRING=example.com, *.example.com, *.hns.example.com\nSKYNET_PORTAL_API=https://example.com\nSKYNET_DASHBOARD_URL=https://account.example.com\nEMAIL_ADDRESS=email@example.com\nSIA_WALLET_PASSWORD=\nHSD_API_KEY=${HSD_API_KEY}\nCLOUDFLARE_AUTH_TOKEN=\nAWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\nPORTAL_NAME=\nDISCORD_BOT_TOKEN=\n" > /home/user/skynet-webportal/.env
 fi

 # Start docker container with nginx and client