forked from toolshed/docs.coopcloud.tech
305 lines
14 KiB
Markdown
305 lines
14 KiB
Markdown
---
|
|
title: New Operators Tutorial
|
|
---
|
|
|
|
This tutorial assumes you understand the [frequently asked questions](/intro/faq/) as well as [the moving parts](/intro/strategy/) of the technical problems _Co-op Cloud_ solves. If yes, proceed :smile:
|
|
|
|
## Deploy your first app
|
|
|
|
In order to deploy an app you need two things:
|
|
|
|
1. a server with SSH access and a public IP address
|
|
2. a domain name pointing to that server
|
|
|
|
This tutorial tries to help you make choices about which server and which DNS setup you need to run a _Co-op Cloud_ deployment but it does not go into great depth about how to set up a new server.
|
|
|
|
We will deploy a new Nextcloud instance in this guide, so you will only need 1GB of RAM according to [their documentation](https://docs.nextcloud.com/server/latest/admin_manual/installation/system_requirements.html).
|
|
|
|
### Server provisioning
|
|
|
|
Co-op Cloud is designed to run on a variety of hardware, so you can use those single-board computers, old laptops/desktops, or refurbished servers. However, hardware setup is a skill that's beyond the scope of this guide. As long as it's running Linux and has networking, it should be fine! Most Co-op Cloud deployments have been run on Debian machines so far.
|
|
|
|
If you don't have the time or equipment to run your own hardware, rented hardware is fine too! There are many hosting providers which will provide a Linux server to you for a monthly fee.
|
|
|
|
### Server configuration
|
|
|
|
Assuming you've got a running server, it's now time to configure it.
|
|
|
|
Co-op Cloud has very few system requirements. You only need to worry about the system resource usage of your apps and the overhead of running containers with the docker runtime (often negligible. If you want to know more, see [this FAQ entry](/intro/faq/#isnt-running-everything-in-containers-inefficient)).
|
|
|
|
To get started, you'll need to install Docker, add your user to the Docker group & setup swarm mode. Many hosting providers support [cloud-init](https://cloudinit.readthedocs.io/en/latest/index.html), which allows you to automate the steps in this section. If that applies to you, you can use [our cloud-init file](https://git.coopcloud.tech/toolshed/abra/raw/branch/main/scripts/cloud-init/cloud-init.yaml).
|
|
|
|
Otherwise, here are the step required:
|
|
|
|
```
|
|
# ssh into your server
|
|
ssh <server-domain>
|
|
|
|
# docker install convenience script
|
|
wget -O- https://get.docker.com | bash
|
|
|
|
# check that docker was installed correctly
|
|
sudo docker run hello-world
|
|
|
|
# now setup swarm
|
|
sudo docker swarm init
|
|
sudo docker network create -d overlay proxy
|
|
```
|
|
|
|
#### Using docker without sudo
|
|
|
|
Abra can't deploy any applications in future steps unless it can run `docker` commands without sudo.
|
|
|
|
```
|
|
# check if the docker group exists
|
|
groups | grep docker
|
|
|
|
# if the docker group doesn't already exist, add it manually
|
|
groupadd docker
|
|
|
|
# add user to docker group
|
|
sudo usermod -aG docker $USER
|
|
```
|
|
After running `usermod`, you may need to (depending on your system) log out (`exit`) and back in again (`ssh <server-domain>`) to get the required permissions for Docker before proceeding.
|
|
|
|
The [official Docker documentation](https://docs.docker.com/engine/install/linux-postinstall/) can help if you run into further issues.
|
|
|
|
### DNS setup
|
|
|
|
You'll need two A records, one to point to the server itself and another to support sub-domains for the apps. You can then support an app hosted on your root domain (e.g. `example.com`) and other apps on sub-domains (e.g. `foo.example.com`, `bar.example.com`).
|
|
|
|
Your entries in your DNS provider setup might look like the following.
|
|
|
|
@ 1800 IN A 116.203.211.204
|
|
*. 1800 IN A 116.203.211.204
|
|
|
|
Where `116.203.211.204` can be replaced with the IP address of your server.
|
|
|
|
!!! warning Beware local network pitfalls!
|
|
|
|
If you are in the same local network as the server, you might run into [NAT Hairpin](https://superuser.com/questions/663820/port-forwarding-from-inner-network-to-inner-network-hairpin-nat) issues.
|
|
|
|
??? question "How do I know my DNS is working?"
|
|
|
|
You can use a tool like `dig` on the command-line to check if your server has the necessary DNS records set up. Something like `dig +short <domain>` should show the IP address of your server if things are working.
|
|
|
|
### Install `abra`
|
|
|
|
Now we can install [`abra`](/abra) locally on your machine and hook it up to
|
|
your server. We support a script-based installation method ([script source](https://git.coopcloud.tech/toolshed/abra/src/branch/main/scripts/installer/installer)):
|
|
|
|
```bash
|
|
curl https://install.abra.coopcloud.tech | bash
|
|
```
|
|
|
|
The installer will verify the downloaded binary checksum. If you prefer, you can
|
|
[manually verify](/abra/install/#manual-verification) the binary, and then
|
|
manally place it in one the directories in your `$PATH` variable. To validate
|
|
that everything is working try listing the `--help` command or `-h` to view
|
|
output:
|
|
|
|
```bash
|
|
abra -h
|
|
```
|
|
|
|
You may need to add the `~/.local/bin/` directory to your `$PATH` variable, in
|
|
order to run the executable. Also, run this line into your terminal so
|
|
you have immediate access to `abra` on the current terminal.
|
|
|
|
```bash
|
|
export PATH=$PATH:$HOME/.local/bin
|
|
```
|
|
|
|
If you run into issues during installation, [please report a ticket](https://git.coopcloud.tech/toolshed/organising/issues/new) :pray:
|
|
|
|
??? question "Can I install `abra` on my server?"
|
|
|
|
Yes, this is possible. However, the instructions for this setup are different. For more info see [this handbook entry](/operators/handbook/#running-abra-server-side).
|
|
|
|
### Set up autocomplete
|
|
|
|
Most `abra` commands require typing the fully qualified domain name for your app, so we **highly** recommend configuring command-line auto-completion. See `abra autocomplete -h` for more on how to do this. The instructions vary depending on which shell you use.
|
|
|
|
With autocomplete enabled, you can run a command like `abra app deploy myapp.example.com` by just typing `abra app deploy myapp<tab>`.
|
|
|
|
### Add your server
|
|
|
|
Now you can connect `abra` with your server. You must have a working SSH configuration for your server before you can proceed. That means you can run `ssh <server-domain>` on your command-line and everything Works :tm:. See the [`abra` SSH troubleshooting](/abra/trouble/#ssh-connection-issues) for a working SSH configuration example.
|
|
|
|
??? warning "Beware of SSH dragons :dragon_face:"
|
|
|
|
Under the hood `abra` uses plain 'ol `ssh` and aims to make use of your
|
|
existing SSH configurations in `~/.ssh/config` and interfaces with your
|
|
running `ssh-agent` for password protected secret key files.
|
|
|
|
Running `server add` with `-d` or `--debug` should help you debug what is
|
|
going on under the hood. `ssh -v ...` should also help. If you're running
|
|
into SSH connection issues with `abra` take a moment to read [this
|
|
troubleshooting entry](/abra/trouble/#ssh-connection-issues).
|
|
|
|
```bash
|
|
ssh <server-domain> hostname -I # make sure it works
|
|
abra server add <server-domain>
|
|
```
|
|
|
|
It is important to note that `<server-domain>` here is a publicly accessible domain name which points to your server IP address. `abra` does make sure this is the case and this is done to avoid issues with HTTPS certificate rate limiting.
|
|
|
|
??? warning "Can I use arbitrary server names?"
|
|
|
|
Yes, this is possible. You need to pass `-D` to `server add` and ensure
|
|
that your `Host ...` entry in your SSH configuration includes the name.
|
|
So, for example, in `~/.ssh/config`:
|
|
```
|
|
Host example.com example
|
|
...
|
|
```
|
|
And then:
|
|
|
|
abra server add example
|
|
|
|
You will now have a new `~/.abra/` folder on your local file system which stores all the configuration of your Co-op Cloud instance.
|
|
|
|
By now `abra` should have registered this server as managed. To confirm this run:
|
|
|
|
```
|
|
abra server ls
|
|
```
|
|
|
|
??? question "How do I share my configs in `~/.abra`?"
|
|
|
|
It's possible and quite easy, for more see [this handbook
|
|
entry](/operators/handbook/#understanding-app-and-server-configuration).
|
|
|
|
### Web proxy setup
|
|
|
|
In order to have your Co-op cloud deployment serve the public internet, we need to install the core web proxy, [Traefik](https://doc.traefik.io/traefik/).
|
|
|
|
Traefik is the main entrypoint for all web requests (e.g. like NGINX) and
|
|
supports automatic SSL certificate configuration and other quality-of-life
|
|
features which make deploying libre apps more enjoyable.
|
|
|
|
You need to keep port `:80` and `:443` free on your server for web proxying to your apps. Typically, you don't need to keep any other ports free as the core web proxy keeps all app ports internal to its network. Sometimes however, you need to expose an app port when you need to use a transport which would perform better or more reliably without proxying.
|
|
|
|
??? question "Do you support multiple web proxies?"
|
|
|
|
We do not know if it is feasible and convenient to set things up on an existing server with another web proxy which uses ports `:80` & `:443`. We'd happily receive reports and documentation on how to do this if you manage to set it up!
|
|
|
|
**1. To get started, you'll need to create a new app:**
|
|
|
|
```bash
|
|
abra app new traefik
|
|
```
|
|
|
|
Choose your newly registered server and specify a domain name. By default `abra`
|
|
will suggest `<app-name>.<your-server>` or prompt you with a list of servers.
|
|
|
|
??? question "Should I use www for traefik?"
|
|
Generally no. No one will be directly accessing the traefik domain name unless they want to see the traefik dashboard. You should reserve the `www` or apex domains for apps like [custom-html](https://recipes.coopcloud.tech/custom-html-tiny) which let you host sites. Traefik is just a proxy to other apps!
|
|
|
|
**2. Configure this new `traefix` app**
|
|
|
|
You will want to take a look at your generated configuration and update the placeholder `LETS_ENCRYPT_EMAIL` value, used by Let's Encrypt to manage SSL certificates. You can do that by running `abra app config`:
|
|
|
|
```bash
|
|
abra app config <traefik-domain>
|
|
```
|
|
|
|
Every app you deploy will have one of these `.env` files, which contains
|
|
variables which will be injected into app configurations when deployed. These
|
|
files exist at relevantly named path:
|
|
|
|
```bash
|
|
~/.abra/servers/<domain>/<traefik-domain>.env
|
|
```
|
|
|
|
Variables starting with `#` are optional, others are required. Some things to
|
|
consider here is that by default our *Traefik* recipe exposes the metric
|
|
dashboard unauthenticated on the public internet at the URL `<traefik-domain>`
|
|
it is deployed to, which while helpful for debugging, is not ideal in production environments. You can disable this with:
|
|
|
|
```
|
|
DASHBOARD_ENABLED=false
|
|
```
|
|
|
|
**3. Now it is time to deploy your app:**
|
|
|
|
```
|
|
abra app deploy <traefik-domain>
|
|
```
|
|
|
|
Voila. Abracadabra :magic_wand: your first app is deployed :sparkles:
|
|
|
|
|
|
### Deploy Nextcloud
|
|
|
|
And now we can deploy apps. Let's create a new Nextcloud app.
|
|
|
|
```bash
|
|
abra app new nextcloud --secrets
|
|
```
|
|
|
|
The `-S` or `--secrets` flag is used to generate secrets for the app: database connection password, root password and admin password.
|
|
|
|
??? warning "Beware of password dragons :dragon:"
|
|
|
|
Take care, these secrets are only shown once on the terminal so make sure to take note of them! `abra` makes use of the [Docker secrets](/operators/handbook/#managing-secret-data) mechanism to ship these secrets securely to the server and store them as encrypted data. Only the apps themselves have access to the values from here on, they're placed in `/run/secrets` on the container file system.
|
|
|
|
Now we can deploy Nextcloud:
|
|
|
|
```bash
|
|
abra app deploy <nextcloud-domain>
|
|
```
|
|
|
|
`abra app deploy` will wait nearly a minute for an app to deploy until it times out and shows some helpful commands for how to debug what is going on. If things don't come up in time, try running the following:
|
|
|
|
```
|
|
abra app ps -w <nextcloud-domain> # status check
|
|
abra app logs <nextcloud-domain> # logs trailing
|
|
abra app errors -w <nextcloud-domain> # error catcher
|
|
```
|
|
|
|
Your new `traefik` instance will detect that a new app is coming up and generate TLS certificates for it. You can see what `traefik` is up to using the same commands above but replacing `<nextcloud-domain>` with the `<traefik-domain>` you chose earlier (`abra app ls` will remind you what domains you chose :grinning:).
|
|
|
|
### Upgrade Nextcloud
|
|
|
|
To upgrade an app manually to the newest available version run:
|
|
|
|
```bash
|
|
abra app upgrade <nextcloud-domain>
|
|
```
|
|
|
|
### Automatic Upgrades
|
|
|
|
`kadabra` the auto-updater is still under development, use it with care and don't use it in production environments. To setup the auto-updater copy the `kadabra` binary to the server and configure a cronjob for regular app upgrades. The following script will configure ssmtp for email notifications and setup a cronjob. This cronjob checks daily for new app versions, notifies if any kind of update is available and upgrades all apps to the latest patch/minor version.
|
|
|
|
|
|
```bash
|
|
apt install ssmtp
|
|
|
|
cat > /etc/ssmtp/ssmtp.conf << EOF
|
|
mailhub=$MAIL_SERVER:587
|
|
hostname=$MAIL_DOMAIN
|
|
AuthUser=$USER
|
|
AuthPass=$PASSWORD
|
|
FromLineOverride=yes
|
|
UseSTARTTLS=yes
|
|
EOF
|
|
|
|
cat > /etc/cron.d/abra_updater << EOF
|
|
MAILTO=admin@example.com
|
|
MAILFROM=noreply@example.com
|
|
|
|
0 6 * * * root ~/kadabra notify --major
|
|
30 4 * * * root ~/kadabra upgrade --all
|
|
EOF
|
|
|
|
```
|
|
|
|
Add `ENABLE_AUTO_UPDATE=true` to the env config (`abra app config <app name>`) to enable the auto-updater for a specific app.
|
|
|
|
## Finishing up
|
|
|
|
Hopefully you got something running! Well done! The [operators handbook](/operators/handbook) would probably be the next place to go check out if you're looking for more help. Especially on topics of ongoing maintenance.
|
|
|
|
If not, please [get in touch](/intro/contact) or [raise a ticket](https://git.coopcloud.tech/toolshed/organising/issues/new/choose) and we'll try to help out. We want our operator onboarding to be as smooth as possible, so we do appreciate any feedback we receive.
|