From 17583a3746248af44761a4d38b40d96514c730fe Mon Sep 17 00:00:00 2001
From: MoonDev
Date: Fri, 6 Feb 2026 11:19:50 +0300
Subject: [PATCH] Custom domain support

---
 .env.example       |  3 +++
 Caddyfile          | 10 ++++----
 Dockerfile         | 10 +++++---
 README.md          | 61 +++++++++++++++++++++++++++++-----------------
 docker-compose.yml |  7 +++++-
 5 files changed, 59 insertions(+), 32 deletions(-)
 create mode 100644 .env.example

diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..f1c4814
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,3 @@
+# Domain configuration for AttestationServer
+# This domain will be used in the application code and Caddy reverse proxy
+DOMAIN=attestation.app
\ No newline at end of file
diff --git a/Caddyfile b/Caddyfile
index a2b880e..cccd426 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -6,12 +6,12 @@
     redir https://{host}{uri}
 }
 
-attestation.app:443 {
-    tls /etc/caddy/certs/attestation.app.crt /etc/caddy/certs/attestation.app.key
-    
+{$DOMAIN}:443 {
+    tls /etc/caddy/certs/{$DOMAIN}.crt /etc/caddy/certs/{$DOMAIN}.key
+
     # Disable HSTS
-    header Strict-Transport-Security ""
-    
+    header Strict-Transport-Security ""
+
     # Serve static files (HTML, CSS, images, etc.)
     root * /srv/static
     file_server
diff --git a/Dockerfile b/Dockerfile
index 2cd7a03..1230b3e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,8 @@
 FROM eclipse-temurin:21-jdk-jammy AS builder
 
+# Build argument for domain configuration
+ARG DOMAIN=attestation.app
+
 WORKDIR /build
 
 RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
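Review bot: In the Caddyfile hunk, `{$DOMAIN}:443` has no fallback, so a Caddy started without DOMAIN in its environment (anything other than the compose file, which is what supplies the default) collapses the site address to `:443`, a catch-all for every Host on that port, and points `tls` at `/etc/caddy/certs/.crt`; the likely result is a confusing certificate-load failure at startup rather than a clear "DOMAIN is unset" error. Caddy's env placeholders accept a default, so `{$DOMAIN:attestation.app}:443` and the same form in the two `tls` paths would keep the previous behaviour when the variable is missing; otherwise document that Caddy must be started with DOMAIN set. The value is also spliced unquoted into a filesystem path, so the operator-supplied `.env` value must be a bare hostname with no `/` or `..` in it. The site block's closing brace lies outside the hunk.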
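Review bot: `ARG DOMAIN=attestation.app` is declared ahead of the `apt-get` layer (and, outside this hunk, the `git clone` layer), so every change of DOMAIN invalidates those cached layers even though only a later `sed` step consumes the value. Moving the `ARG` line to sit immediately above the RUN that uses it keeps the package-install and clone layers cacheable across domain changes; the default can stay as is. Build args are also recorded in `docker history`, which is harmless for a hostname but means this mechanism should never be extended to anything secret — a comment such as `# build-time only; visible in docker history, never put secrets here` next to the ARG would make that explicit.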
@@ -11,10 +14,9 @@ RUN git clone --depth 1 --recurse-submodules https://github.com/GrapheneOS/Attes
 RUN sed -i 's/new InetSocketAddress("::1", 8080)/new InetSocketAddress("0.0.0.0", 8080)/' \
     src/main/java/app/attestation/server/AttestationServer.java
 
-# Optional: Patch the domain if you want to use a custom domain
-# Uncomment and modify the following line for your domain:
-# RUN sed -i 's/attestation.app/your-domain.com/g' \
-#     src/main/java/app/attestation/server/AttestationServer.java
+# Patch the domain using the build argument
+RUN sed -i "s/attestation.app/${DOMAIN}/g" \
+    src/main/java/app/attestation/server/AttestationServer.java
 
 RUN chmod +x gradlew && ./gradlew build -x test --no-daemon
 
diff --git a/README.md b/README.md
index 198c0ed..649418c 100644
--- a/README.md
+++ b/README.md
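Review bot: The new `RUN sed -i "s/attestation.app/${DOMAIN}/g"` splices an unvalidated build argument straight into the sed script, so a DOMAIN containing `/`, `&` or `\` either breaks the expression or rewrites the source in unintended ways, and because sed exits 0 when the pattern matches nothing, a typo or an upstream rename of the placeholder would also pass silently while the build still succeeds. Validate DOMAIN as a bare hostname first, escape the `.` in the pattern (it is a regex metacharacter), and fail the build when the expected string is absent; the rewritten step below does that. It is also worth confirming that every `attestation.app` occurrence in AttestationServer.java is meant to change, since the blanket `g` substitution also hits any string that must match what the Auditor client sends. Separately, as far as I know the stock Auditor app is built for attestation.app, so a custom DOMAIN only works with a client built for that host, and the README should say so rather than stating that the app "expects to connect to the domain you configured".
```dockerfile
# Patch the domain using the build argument. DOMAIN must be a bare hostname:
# it is spliced into a sed expression here and into cert paths in the Caddyfile.
RUN case "${DOMAIN}" in ''|*[!A-Za-z0-9.-]*) echo "invalid DOMAIN: '${DOMAIN}'" >&2; exit 1;; esac \
 && grep -q 'attestation\.app' src/main/java/app/attestation/server/AttestationServer.java \
 && sed -i "s|attestation\.app|${DOMAIN}|g" \
        src/main/java/app/attestation/server/AttestationServer.java
```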
@@ -15,24 +15,37 @@ This project provides a containerized setup for running your own GrapheneOS Atte Before running the server, ensure you have: 1. **Docker** and **Docker Compose** installed -2. **TLS certificates** for `attestation.app` domain in the `certs/` directory: - - `certs/attestation.app.crt` - Certificate file - - `certs/attestation.app.key` - Private key file -3. **DNS or hosts file configuration** to resolve `attestation.app` to your server +2. **TLS certificates** for your domain in the `certs/` directory +3. **DNS or hosts file configuration** to resolve your domain to your server -## Pre-Launch Setup +## Configuration -### 1. Prepare TLS Certificates +### 1. Create .env file -Place your TLS certificates for `attestation.app` in the `certs/` directory: -- `certs/attestation.app.crt` - Certificate -- `certs/attestation.app.key` - Private key +Copy the example environment file and edit it with your domain: + +```bash +cp .env.example .env +``` + +Edit `.env` and set your domain: +```bash +DOMAIN=your-domain.com +``` + +### 2. Prepare TLS Certificates + +Place your TLS certificates for your domain in the `certs/` directory: +- `certs/your-domain.com.crt` - Certificate file +- `certs/your-domain.com.key` - Private key file > **Note:** Certificate generation is up to you. You can use self-signed certificates for local testing or certificates from a trusted CA. -### 2. Configure DNS or Hosts File +> **Important:** The certificate filenames must match your domain name from the `.env` file. -The GrapheneOS Auditor app expects to connect to `attestation.app`. You must redirect this domain to your local server's IP address. +### 3. Configure DNS or Hosts File + +The GrapheneOS Auditor app expects to connect to the domain you configured. You must redirect this domain to your local server's IP address. #### Option A: Local Machine (hosts file) 
@@ -48,14 +61,14 @@ sudo nano /etc/hosts C:\Windows\System32\drivers\etc\hosts ``` -Add the following line (replace `192.168.1.100` with your server's IP): +Add the following line (replace `192.168.1.100` with your server's IP and `your-domain.com` with your domain): ``` -192.168.1.100 attestation.app +192.168.1.100 your-domain.com ``` #### Option B: Network-wide (DNS) -Configure your router or local DNS server (like Pi-hole or AdGuard) to resolve `attestation.app` to your server's IP address. +Configure your router or local DNS server (like Pi-hole or AdGuard) to resolve your domain to your server's IP address. #### Option C: Android Device (root required) @@ -63,13 +76,13 @@ If your Android device is rooted, edit `/system/etc/hosts`: ```bash su mount -o remount,rw /system -echo "192.168.1.100 attestation.app" >> /system/etc/hosts +echo "192.168.1.100 your-domain.com" >> /system/etc/hosts mount -o remount,ro /system ``` **Important:** You must configure this on the Android device running the Auditor app, not just the server. -### 3. Create Data Directory +### 4. Create Data Directory Ensure the data directory exists for persistent SQLite storage: @@ -86,7 +99,7 @@ docker compose up -d --build ``` This will: -1. Build the AttestationServer from source +1. Build the AttestationServer from source with your configured domain 2. Start the attestation service on port 8080 (internal) 3. Start Caddy reverse proxy on ports 80 and 443 
@@ -112,22 +125,23 @@ rm -rf data/*.db data/*.db-* ## Usage -1. Ensure your Android device has `attestation.app` pointing to your server IP +1. Ensure your Android device has your domain pointing to your server IP 2. Install [GrapheneOS Auditor](https://github.com/GrapheneOS/Auditor) app on your Android device 3. Open the Auditor app 4. The app will connect to your local attestation server instead of the official one - ## Directory Structure ``` . ├── certs/ # TLS certificates -│ ├── attestation.app.crt -│ └── attestation.app.key +│ ├── your-domain.com.crt +│ └── your-domain.com.key ├── data/ # SQLite databases (persistent) │ ├── attestation.db │ └── samples.db +├── .env # Environment configuration (domain settings) +├── .env.example # Example environment file ├── Caddyfile # Caddy reverse proxy config ├── Dockerfile # AttestationServer build ├── docker-compose.yml # Service orchestration @@ -135,10 +149,13 @@ rm -rf data/*.db data/*.db-* └── process-static-docker.sh # Static file processor ``` +## Default Domain + +If you don't create a `.env` file, the default domain `attestation.app` will be used for backward compatibility. ## Security Considerations -- Keep your private key (`certs/attestation.app.key`) secure and never commit it to version control +- Keep your private key (`certs/*.key`) secure and never commit it to version control - The `.gitignore` file excludes sensitive files like certificates and databases - This setup is intended for **local/private use only** - For production deployment, use properly signed certificates from a trusted CA diff --git a/docker-compose.yml b/docker-compose.yml index 2996e71..9903db2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,7 +2,10 @@ version: '3.8' services: attestation: - build: . + build: + context: . + args: + - DOMAIN=${DOMAIN:-attestation.app} container_name: attestation-server restart: unless-stopped volumes: 
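Review bot: `args: - DOMAIN=${DOMAIN:-attestation.app}` bakes the domain into the attestation image at build time while the Caddy service reads the same variable at run time, so editing `.env` and running `docker compose up -d` without `--build` leaves a Caddy site for the new domain in front of a server image still patched for the old one, with no error from either side. A comment on the build args, e.g. `# DOMAIN is baked into the image at build time; rerun docker compose up -d --build after editing .env`, makes the coupling visible. The same default is now repeated in the Dockerfile ARG and in both compose entries, so it should be kept in sync or stated once. The attestation service definition continues outside the hunk.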
@@ -23,6 +26,8 @@ services:
       - "80:80"
       - "443:443"
       - "443:443/udp"
+    environment:
+      - DOMAIN=${DOMAIN:-attestation.app}
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - ./certs:/etc/caddy/certs:ro