README.md

# GrapheneOS AttestationServer Docker

Dockerized deployment of [GrapheneOS AttestationServer](https://github.com/GrapheneOS/AttestationServer) for local attestation.

## Overview

This project provides a containerized setup for running your own GrapheneOS AttestationServer. It includes:

- **AttestationServer** - The main Java application handling attestations
- **Caddy** - Reverse proxy with HTTPS support
- **SQLite** - Local database storage for attestation data

## Prerequisites

Before running the server, ensure you have:

1. **Docker** and **Docker Compose** installed
2. **TLS certificates** for your domain in the `certs/` directory
3. **DNS or hosts file configuration** to resolve your domain to your server

## Configuration

### 1. Create .env file

Copy the example environment file and edit it with your domain:

```bash
cp .env.example .env
```

Edit `.env` and set your domain:
```bash
DOMAIN=your-domain.com
```

### 2. Prepare TLS Certificates

Place your TLS certificates for your domain in the `certs/` directory:
- `certs/your-domain.com.crt` - Certificate file
- `certs/your-domain.com.key` - Private key file

> **Note:** Certificate generation is up to you. You can use self-signed certificates for local testing or certificates from a trusted CA.

> **Important:** The certificate filenames must match your domain name from the `.env` file.

### 3. Configure DNS or Hosts File

The GrapheneOS Auditor app expects to connect to the domain you configured. You must redirect this domain to your local server's IP address.

#### Option A: Local Machine (hosts file)

Edit your hosts file:

**Linux/macOS:**
```bash
sudo nano /etc/hosts
```

**Windows:**
```
C:\Windows\System32\drivers\etc\hosts
```

Add the following line (replace `192.168.1.100` with your server's IP and `your-domain.com` with your domain):
```
192.168.1.100 your-domain.com
```

#### Option B: Network-wide (DNS)

Configure your router or local DNS server (like Pi-hole or AdGuard) to resolve your domain to your server's IP address.

#### Option C: Android Device (root required)

If your Android device is rooted, edit `/system/etc/hosts`:
```bash
su
mount -o remount,rw /system
echo "192.168.1.100 your-domain.com" >> /system/etc/hosts
mount -o remount,ro /system
```

**Important:** You must configure this on the Android device running the Auditor app, not just the server.

### 4. Create Data Directory

Ensure the data directory exists for persistent SQLite storage:

```bash
mkdir -p data
```

## Running the Server

### Build and Start

```bash
docker compose up -d --build
```

This will:
1. Build the AttestationServer from source with your configured domain
2. Start the attestation service on port 8080 (internal)
3. Start Caddy reverse proxy on ports 80 and 443

### Check Status

```bash
docker compose ps
docker compose logs -f
```

### Stop the Server

```bash
docker compose down
```

### Stop and Remove All Data

```bash
docker compose down -v
rm -rf data/*.db data/*.db-*
```

## Usage

1. Ensure your Android device has your domain pointing to your server IP
2. Install [GrapheneOS Auditor](https://github.com/GrapheneOS/Auditor) app on your Android device
3. Open the Auditor app
4. The app will connect to your local attestation server instead of the official one

## Directory Structure

```
.
├── certs/                  # TLS certificates
│   ├── your-domain.com.crt
│   └── your-domain.com.key
├── data/                   # SQLite databases (persistent)
│   ├── attestation.db
│   └── samples.db
├── .env                    # Environment configuration (domain settings)
├── .env.example            # Example environment file
├── Caddyfile               # Caddy reverse proxy config
├── Dockerfile              # AttestationServer build
├── docker-compose.yml      # Service orchestration
├── entrypoint.sh           # Container entrypoint
└── process-static-docker.sh # Static file processor
```

## Default Domain

If you don't create a `.env` file, the default domain `attestation.app` will be used for backward compatibility.

## Security Considerations

- Keep your private key (`certs/*.key`) secure and never commit it to version control
- The `.gitignore` file excludes sensitive files like certificates and databases
- This setup is intended for **local/private use only**
- For production deployment, use properly signed certificates from a trusted CA

## License

This Docker setup follows the same license as the upstream [GrapheneOS AttestationServer](https://github.com/GrapheneOS/AttestationServer).
first commit 2026-02-05 23:16:18 +03:00			`# GrapheneOS AttestationServer Docker`

			`Dockerized deployment of [GrapheneOS AttestationServer](https://github.com/GrapheneOS/AttestationServer) for local attestation.`

			`## Overview`

			`This project provides a containerized setup for running your own GrapheneOS AttestationServer. It includes:`

			`- AttestationServer - The main Java application handling attestations`
			`- Caddy - Reverse proxy with HTTPS support`
			`- SQLite - Local database storage for attestation data`

			`## Prerequisites`

			`Before running the server, ensure you have:`

			`1. Docker and Docker Compose installed`
Custom domain support 2026-02-06 11:19:50 +03:00			2. TLS certificates for your domain in the `certs/` directory
			`3. DNS or hosts file configuration to resolve your domain to your server`
first commit 2026-02-05 23:16:18 +03:00
Custom domain support 2026-02-06 11:19:50 +03:00			`## Configuration`
first commit 2026-02-05 23:16:18 +03:00
Custom domain support 2026-02-06 11:19:50 +03:00			`### 1. Create .env file`
first commit 2026-02-05 23:16:18 +03:00
Custom domain support 2026-02-06 11:19:50 +03:00			`Copy the example environment file and edit it with your domain:`

			```bash
			`cp .env.example .env`
			```

			Edit `.env` and set your domain:
			```bash
			`DOMAIN=your-domain.com`
			```

			`### 2. Prepare TLS Certificates`

			Place your TLS certificates for your domain in the `certs/` directory:
			- `certs/your-domain.com.crt` - Certificate file
			- `certs/your-domain.com.key` - Private key file
first commit 2026-02-05 23:16:18 +03:00
			`> Note: Certificate generation is up to you. You can use self-signed certificates for local testing or certificates from a trusted CA.`

Custom domain support 2026-02-06 11:19:50 +03:00			> Important: The certificate filenames must match your domain name from the `.env` file.

			`### 3. Configure DNS or Hosts File`
first commit 2026-02-05 23:16:18 +03:00
Custom domain support 2026-02-06 11:19:50 +03:00			`The GrapheneOS Auditor app expects to connect to the domain you configured. You must redirect this domain to your local server's IP address.`
first commit 2026-02-05 23:16:18 +03:00
			`#### Option A: Local Machine (hosts file)`

			`Edit your hosts file:`

			`Linux/macOS:`
			```bash
			`sudo nano /etc/hosts`
			```

			`Windows:`
			```
			`C:\Windows\System32\drivers\etc\hosts`
			```

Custom domain support 2026-02-06 11:19:50 +03:00			Add the following line (replace `192.168.1.100` with your server's IP and `your-domain.com` with your domain):
first commit 2026-02-05 23:16:18 +03:00			```
Custom domain support 2026-02-06 11:19:50 +03:00			`192.168.1.100 your-domain.com`
first commit 2026-02-05 23:16:18 +03:00			```

			`#### Option B: Network-wide (DNS)`

Custom domain support 2026-02-06 11:19:50 +03:00			`Configure your router or local DNS server (like Pi-hole or AdGuard) to resolve your domain to your server's IP address.`
first commit 2026-02-05 23:16:18 +03:00
			`#### Option C: Android Device (root required)`

			If your Android device is rooted, edit `/system/etc/hosts`:
			```bash
			`su`
			`mount -o remount,rw /system`
Custom domain support 2026-02-06 11:19:50 +03:00			`echo "192.168.1.100 your-domain.com" >> /system/etc/hosts`
first commit 2026-02-05 23:16:18 +03:00			`mount -o remount,ro /system`
			```

			`Important: You must configure this on the Android device running the Auditor app, not just the server.`

Custom domain support 2026-02-06 11:19:50 +03:00			`### 4. Create Data Directory`
first commit 2026-02-05 23:16:18 +03:00
			`Ensure the data directory exists for persistent SQLite storage:`

			```bash
			`mkdir -p data`
			```

			`## Running the Server`

			`### Build and Start`

			```bash
Update README.md 2026-02-06 09:58:22 +03:00			`docker compose up -d --build`
first commit 2026-02-05 23:16:18 +03:00			```

			`This will:`
Custom domain support 2026-02-06 11:19:50 +03:00			`1. Build the AttestationServer from source with your configured domain`
first commit 2026-02-05 23:16:18 +03:00			`2. Start the attestation service on port 8080 (internal)`
			`3. Start Caddy reverse proxy on ports 80 and 443`

			`### Check Status`

			```bash
Readme fix 2026-02-06 11:23:12 +03:00			`docker compose ps`
			`docker compose logs -f`
first commit 2026-02-05 23:16:18 +03:00			```

			`### Stop the Server`

			```bash
Update README.md 2026-02-06 09:58:22 +03:00			`docker compose down`
first commit 2026-02-05 23:16:18 +03:00			```

			`### Stop and Remove All Data`

			```bash
Update README.md 2026-02-06 09:58:22 +03:00			`docker compose down -v`
first commit 2026-02-05 23:16:18 +03:00			`rm -rf data/.db data/.db-*`
			```

			`## Usage`

Custom domain support 2026-02-06 11:19:50 +03:00			`1. Ensure your Android device has your domain pointing to your server IP`
first commit 2026-02-05 23:16:18 +03:00			`2. Install [GrapheneOS Auditor](https://github.com/GrapheneOS/Auditor) app on your Android device`
			`3. Open the Auditor app`
			`4. The app will connect to your local attestation server instead of the official one`

			`## Directory Structure`

			```
			`.`
			`├── certs/ # TLS certificates`
Custom domain support 2026-02-06 11:19:50 +03:00			`│ ├── your-domain.com.crt`
			`│ └── your-domain.com.key`
first commit 2026-02-05 23:16:18 +03:00			`├── data/ # SQLite databases (persistent)`
			`│ ├── attestation.db`
			`│ └── samples.db`
Custom domain support 2026-02-06 11:19:50 +03:00			`├── .env # Environment configuration (domain settings)`
			`├── .env.example # Example environment file`
first commit 2026-02-05 23:16:18 +03:00			`├── Caddyfile # Caddy reverse proxy config`
			`├── Dockerfile # AttestationServer build`
			`├── docker-compose.yml # Service orchestration`
			`├── entrypoint.sh # Container entrypoint`
			`└── process-static-docker.sh # Static file processor`
			```

Custom domain support 2026-02-06 11:19:50 +03:00			`## Default Domain`

			If you don't create a `.env` file, the default domain `attestation.app` will be used for backward compatibility.
first commit 2026-02-05 23:16:18 +03:00
			`## Security Considerations`

Custom domain support 2026-02-06 11:19:50 +03:00			- Keep your private key (`certs/*.key`) secure and never commit it to version control
first commit 2026-02-05 23:16:18 +03:00			- The `.gitignore` file excludes sensitive files like certificates and databases
			`- This setup is intended for local/private use only`
			`- For production deployment, use properly signed certificates from a trusted CA`

			`## License`

			`This Docker setup follows the same license as the upstream [GrapheneOS AttestationServer](https://github.com/GrapheneOS/AttestationServer).`