danieldaum.net / spindle-docker
configuration for self hosting a spindle in docker
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Shell 59.2%
HCL 21.9%
Other 18.9%
1 1 0

Clone this repository

https://tangled.org/danieldaum.net/spindle-docker https://tangled.org/did:plc:be2e4qfe6docqcysyxxwvsor/spindle-docker
git@knot.danieldaum.net:danieldaum.net/spindle-docker git@knot.danieldaum.net:did:plc:be2e4qfe6docqcysyxxwvsor/spindle-docker

For self-hosted knots, clone URLs may differ based on your setup.

Download tar.gz
README.md

tangled spindle + openbao#

Layout#

.
├── docker-compose.yml
├── Dockerfile.spindle          # clones & builds from tangled.org/core
├── .env.example                # copy to .env and fill in
├── config/
│   └── openbao/
│       ├── server.hcl          # production file-backend config
│       ├── proxy.hcl           # AppRole auto-auth proxy
│       └── spindle-policy.hcl  # KV policy for spindle
└── scripts/
    └── init-openbao.sh         # one-time vault bootstrap

First-time setup#

1. Configure spindle#

cp .env.example .env
# edit .env — set SPINDLE_SERVER_HOSTNAME and SPINDLE_SERVER_OWNER

2. Start OpenBao only#

docker compose up -d openbao

Wait for it to be healthy (~5 s), then:

3. Initialise the vault#

chmod +x scripts/init-openbao.sh
./scripts/init-openbao.sh

Save the unseal key and root token printed to stdout.

4. Start the rest of the stack#

docker compose up -d

Spindle comes up only after the proxy is healthy, which is after the vault is unsealed and AppRole credentials are in the shared volume.

After a restart#

OpenBao is sealed on every restart — that's intentional for production. Unseal it before the proxy (and therefore spindle) can authenticate:

docker compose exec openbao bao operator unseal http://localhost:8200 <unseal_key>

Or automate this with a secrets manager / HSM if you don't want manual steps.

Verify#

# proxy health
curl http://localhost:8201/v1/sys/health

# spindle port
curl http://localhost:6555/

Notes#

  • Spindle mounts /var/run/docker.sock so it can spawn pipeline containers on the host Docker daemon — make sure the spindle user has permission.
  • TLS is disabled on both listeners; put a reverse proxy (nginx/caddy) in front for production traffic.
  • The openbao-approle volume holds the role-id/secret-id written by the init script and mounted read-only by the proxy container.