danieldaum.net / spindle-docker
configuration for self hosting a spindle in docker
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Shell 61.2%
HCL 20.8%
Dockerfile 18.0%
3 1 0

Clone this repository

https://tangled.org/danieldaum.net/spindle-docker https://tangled.org/did:plc:be2e4qfe6docqcysyxxwvsor/spindle-docker
git@knot.danieldaum.net:danieldaum.net/spindle-docker git@knot.danieldaum.net:did:plc:be2e4qfe6docqcysyxxwvsor/spindle-docker

For self-hosted knots, clone URLs may differ based on your setup.

Download tar.gz
README.md

spindle-docker#

Docker Compose stack for self-hosting a Tangled spindle (CI runner) with OpenBao for secrets management.

.
├── docker-compose.yml
├── Dockerfile
├── init-openbao.sh          # one-time vault bootstrap
└── config/openbao/
    ├── server.hcl           # OpenBao server config
    ├── proxy.hcl            # AppRole auto-auth proxy config
    └── spindle-policy.hcl   # KV access policy for spindle

Prerequisites#

  • Docker + Docker Compose
  • A domain or IP reachable by the Tangled network
  • Your ATProto DID (find it in Bluesky → Settings → Advanced)

First-time setup#

1. Configure environment

Edit docker-compose.yml and set these two values under the spindle service:

SPINDLE_SERVER_HOSTNAME: "spindle.example.com"  # your public hostname
SPINDLE_SERVER_OWNER: "did:plc:xxxx"            # your ATProto DID

2. Start OpenBao

docker compose up -d openbao

Wait ~5 seconds for it to be healthy.

3. Initialize the vault (once only)

chmod +x init-openbao.sh
./init-openbao.sh

Save the unseal key and root token printed to stdout — they are not stored anywhere.

4. Start the full stack

docker compose up -d

After a restart#

OpenBao seals itself on every restart. Unseal it before the proxy and spindle can start:

docker compose exec openbao bao operator unseal <unseal_key>

Verify#

curl http://localhost:8201/v1/sys/health   # OpenBao proxy
curl http://localhost:6555/               # Spindle

Architecture#

spindle (:6555) → openbao-proxy (:8201) → openbao (:8200)
spindle → /var/run/docker.sock  (pipeline containers run on the host daemon)
  • openbao — secrets vault; sealed on every start
  • openbao-proxy — AppRole sidecar; auto-authenticates and exposes a token-authenticated proxy to spindle
  • spindle — the CI runner; starts only after the proxy is healthy

Notes#

  • Port 8200 is exposed for local CLI access. Remove that port mapping in production.
  • TLS is disabled on both listeners. Put nginx or Caddy in front for production traffic.
  • Spindle mounts the Docker socket, so pipeline containers run on the host daemon.