configuration for self hosting a spindle in docker
# spindle-docker

Docker Compose stack for self-hosting a [Tangled](https://tangled.org) spindle (CI runner) with [OpenBao](https://openbao.org) for secrets management.

```
.
├── docker-compose.yml
├── Dockerfile
├── init-openbao.sh          # one-time vault bootstrap
└── config/openbao/
    ├── server.hcl           # OpenBao server config
    ├── proxy.hcl            # AppRole auto-auth proxy config
    └── spindle-policy.hcl   # KV access policy for spindle
```

## Prerequisites

- Docker + Docker Compose
- A domain or IP reachable by the Tangled network
- Your ATProto DID (find it in Bluesky → Settings → Advanced)

## First-time setup

**1. Configure environment**

Edit `docker-compose.yml` and set these two values under the `spindle` service:

```yaml
SPINDLE_SERVER_HOSTNAME: "spindle.example.com"   # your public hostname
SPINDLE_SERVER_OWNER: "did:plc:xxxx"             # your ATProto DID
```

Double-check the DID: the placeholder `did:plc:xxxx` must be replaced with your own before the spindle is exposed.

**2. Start OpenBao**

```bash
docker compose up -d openbao
```

Wait a few seconds until `docker compose ps` reports the container as healthy.

**3. Initialize the vault** (once only)

```bash
chmod +x init-openbao.sh
./init-openbao.sh
```

Save the **unseal key** and **root token** printed to stdout; the script does not store them anywhere. Keep them in a password manager, not in the repo or in a shell history file: the unseal key is needed after every restart, and the root token has unrestricted access to everything in the vault.

**4. Start the full stack**

```bash
docker compose up -d
```

## After a restart

OpenBao seals itself on every restart. Unseal it before the proxy and spindle can start:

```bash
docker compose exec openbao bao operator unseal <unseal_key>
```

Passing the key as an argument writes it to your shell history; running `bao operator unseal` with no argument prompts for the key instead.

## Verify

```bash
curl http://localhost:8201/v1/sys/health   # OpenBao proxy
curl http://localhost:6555/                # Spindle
```

`/v1/sys/health` answers HTTP 200 once the vault is unsealed and active, and 503 while it is still sealed.

## Architecture

```
spindle (:6555) → openbao-proxy (:8201) → openbao (:8200)
spindle → /var/run/docker.sock (pipeline containers run on the host daemon)
```

- **openbao** — secrets vault; sealed on every start
- **openbao-proxy** — AppRole sidecar; auto-authenticates and exposes a token-authenticated proxy to spindle
- **spindle** — the CI runner; starts only after the proxy is healthy

## Notes

- Port 8200 is exposed for local CLI access. Remove that port mapping in production so the vault is reachable only from inside the Compose network.
- TLS is disabled on both listeners. Put nginx or Caddy in front for production traffic.
- Spindle mounts the Docker socket, so pipeline containers run on the **host** daemon. Access to the Docker socket is equivalent to root on the host, so anyone who can run a pipeline on this spindle should be treated as having that access.
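The restart and verify steps above, scripted, as an added example that is not part of the spindle-docker repo: it polls OpenBao's seal status, reads the unseal key from the terminal rather than the command line, unseals, then waits for OpenBao, the proxy and spindle to answer. It assumes the host ports from the compose file (8200, 8201, 6555), `curl` on the host, the `/v1/sys/seal-status` and `/v1/sys/health` endpoints and status codes OpenBao inherits from Vault, and that `bao operator unseal -` reads the key from stdin as the Vault CLI does.

```shell
#!/bin/sh
# Added example, not part of spindle-docker. Assumes the host ports from
# docker-compose.yml (openbao :8200, proxy :8201, spindle :6555) and curl.
set -eu

OPENBAO_ADDR="${OPENBAO_ADDR:-http://localhost:8200}"
PROXY_ADDR="${PROXY_ADDR:-http://localhost:8201}"
SPINDLE_ADDR="${SPINDLE_ADDR:-http://localhost:6555}"

# Pull the boolean "sealed" field out of /v1/sys/seal-status JSON without jq.
# Prints "true" or "false"; returns 1 if the field is missing.
seal_state() {
    v=$(printf '%s' "$1" | tr -d '[:space:]' \
        | grep -oE '"sealed":(true|false)' | head -n 1 | cut -d: -f2 || true)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Map the HTTP status of /v1/sys/health to a word (Vault/OpenBao semantics:
# 200 unsealed and active, 429 standby, 501 not initialised, 503 sealed).
health_word() {
    case "$1" in
        200) echo active ;;
        429) echo standby ;;
        501) echo uninitialized ;;
        503) echo sealed ;;
        *)   echo unknown ;;
    esac
}

# HTTP status of a URL; curl prints 000 when it cannot connect at all.
http_code() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 3 "$1" 2>/dev/null || true)
    echo "${code:-000}"
}

# Poll a URL until it returns the wanted status ("any" = anything but 000)
# or the retries run out.  wait_for <name> <url> <want> <tries>
wait_for() {
    i=0; code=000
    while [ "$i" -lt "$4" ]; do
        code=$(http_code "$2")
        if { [ "$3" = any ] && [ "$code" != 000 ]; } || [ "$code" = "$3" ]; then
            echo "$1: up (HTTP $code)"; return 0
        fi
        i=$((i + 1)); sleep 2
    done
    echo "$1: still not up (last status $code)" >&2
    return 1
}

main() {
    status=$(curl -sS --max-time 3 "$OPENBAO_ADDR/v1/sys/seal-status")
    if [ "$(seal_state "$status")" = true ]; then
        # Read the key with echo off so it lands neither in shell history
        # nor in `ps` output, and hand it to bao on stdin ("-").
        printf 'Unseal key: '
        stty -echo 2>/dev/null || true
        read -r key
        stty echo 2>/dev/null || true; echo
        printf '%s' "$key" | docker compose exec -T openbao bao operator unseal -
    else
        echo "openbao: already unsealed"
    fi
    wait_for openbao       "$OPENBAO_ADDR/v1/sys/health" 200 15
    wait_for openbao-proxy "$PROXY_ADDR/v1/sys/health"   200 15
    wait_for spindle       "$SPINDLE_ADDR/"              any 30
}

# Only touch the network when invoked as "./unseal-check.sh run".
if [ "${1:-}" = run ]; then main; fi
```

Run it as `./unseal-check.sh run` after every restart. The proxy is checked after OpenBao itself because the AppRole login it performs can only succeed once the vault is unsealed, and spindle is last because it starts only after the proxy is healthy.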