Skip to main content

Self-Hosting

Self hosting refers to providing your server (or VPS) and then connecting to our portal. Please read the introduction guide for more information. This documentation assumes you already have followed installation step in that guide.

Installation Description

We've documented what software installed in your server in domcloud/container GitHub repository:

It's generally safe to rerun these scripts if you found any problem during installation.

Using PSSH

If you have multiple servers, it's useful to use pssh to run SSH commands in parallel.

pssh -t 0 -iPh ~/hosts "whoami"

pssh -t 0 -IiPh ~/hosts <<'EOF'
whoami
EOF

pssh -t 0 -IiPh ~/hosts <<'EOC'
cat <<'EOF' > /output/to/file
This is line 1
This is line 2
EOF
EOC

pssh -t 0 -iPh ~/hosts "su bridge -c 'cd ~/public_html; git pull' && sudo bash /home/bridge/public_html/src/whitelist/refresh.sh"

DOM Cloud's Bridge Config

The bridge software can be configured by editing /home/bridge/public_html/.env. Visit the GitHub repository to read their GitHub config.

SECRET="<your strong secret here>"
SSL_WILDCARDS=yoursite.com
NGINX_FREE_DOMAIN=
REDIS_URL=
ALLOW_IP=159.89.198.103,2400:6180:0:d0::e08:a001

The only required envar is SECRET and REDIS_URL. Both of them should already preseeded if genpass.sh script has been executed.

It's recommended to set Allow IP to 159.89.198.103,2400:6180:0:d0::e08:a001 which is our portal IP addresses to avoid brute force attack.

After any changes, restart bridge service with sudo systemctl restart bridge.

To update bridge service, run su bridge -c 'cd ~/public_html; git pull'. Beware with any minor version increment like 1.1 to 1.2 means there maybe some software change required.

Firewall Config

We use nftables which is a more modern firewall than iptables. We generally encourages you to disable other firewall such as iptables, firewalld or ufw. The configuration is in:

  • /etc/nftables.conf - Main entry firewall, which should brings identical setup described in Security Page
  • /etc/nftables-docker.conf - Docker specific firewall setup
  • /etc/nftables-whitelist.conf - Bridge's firewall whitelist IP list
  • /etc/nftables-firewall.conf - Bridge's firewall active user list

The firewall feature is disabled by default in self-hosting scripts. But if you wish to do so, run sudo bash /home/bridge/public_html/src/whitelist/refresh.sh to preseed /etc/nftables-whitelist.conf and /etc/hosts with IPs to be whitelisted in the whitelist sites file.