Custom domain support

This commit is contained in:
MoonDev
2026-02-06 11:19:50 +03:00
parent c377acd0d6
commit 17583a3746
5 changed files with 59 additions and 32 deletions

3
.env.example Normal file

@@ -0,0 +1,3 @@
# Domain configuration for AttestationServer
# This domain will be used in the application code and Caddy reverse proxy
DOMAIN=attestation.app
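Review bot: the comment should state the two constraints the rest of this change puts on `DOMAIN`: the certificate files must be named `certs/<DOMAIN>.crt` and `certs/<DOMAIN>.key` (Caddyfile), and the value is baked into the attestation image at build time (Dockerfile `ARG DOMAIN`), so editing `.env` later requires `docker compose up -d --build`, not just a restart. A one-line hint here saves a confusing TLS failure for anyone who only reads the example file.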

Caddyfile

@@ -6,8 +6,8 @@
redir https://{host}{uri} redir https://{host}{uri}
} }
attestation.app:443 { {$DOMAIN}:443 {
tls /etc/caddy/certs/attestation.app.crt /etc/caddy/certs/attestation.app.key tls /etc/caddy/certs/{$DOMAIN}.crt /etc/caddy/certs/{$DOMAIN}.key
# Disable HSTS # Disable HSTS
header Strict-Transport-Security "" header Strict-Transport-Security ""
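Review bot: `{$DOMAIN}` has no fallback, so if Caddy is started with `DOMAIN` unset (outside docker-compose, or with the `environment:` block dropped) the site block degrades to `:443` and the cert paths become `/etc/caddy/certs/.crt` and `/etc/caddy/certs/.key`, which fails at config load. Caddyfile environment placeholders accept a default, so `{$DOMAIN:attestation.app}:443` together with `tls /etc/caddy/certs/{$DOMAIN:attestation.app}.crt /etc/caddy/certs/{$DOMAIN:attestation.app}.key` would keep the Caddyfile self-contained and consistent with the compose default.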

Dockerfile

@@ -1,5 +1,8 @@
FROM eclipse-temurin:21-jdk-jammy AS builder FROM eclipse-temurin:21-jdk-jammy AS builder
# Build argument for domain configuration
ARG DOMAIN=attestation.app
WORKDIR /build WORKDIR /build
RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/* RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
@@ -11,10 +14,9 @@ RUN git clone --depth 1 --recurse-submodules https://github.com/GrapheneOS/Attes
RUN sed -i 's/new InetSocketAddress("::1", 8080)/new InetSocketAddress("0.0.0.0", 8080)/' \ RUN sed -i 's/new InetSocketAddress("::1", 8080)/new InetSocketAddress("0.0.0.0", 8080)/' \
src/main/java/app/attestation/server/AttestationServer.java src/main/java/app/attestation/server/AttestationServer.java
# Optional: Patch the domain if you want to use a custom domain # Patch the domain using the build argument
# Uncomment and modify the following line for your domain: RUN sed -i "s/attestation.app/${DOMAIN}/g" \
# RUN sed -i 's/attestation.app/your-domain.com/g' \ src/main/java/app/attestation/server/AttestationServer.java
# src/main/java/app/attestation/server/AttestationServer.java
RUN chmod +x gradlew && ./gradlew build -x test --no-daemon RUN chmod +x gradlew && ./gradlew build -x test --no-daemon
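Review bot: the sed expression is built from an unvalidated build argument and neither side is escaped: `attestation.app` is a regex in which `.` matches any character, and `${DOMAIN}` is dropped into the replacement as-is, so a value containing `/`, `&` or `\` breaks or silently corrupts the substitution. Validate `DOMAIN` against a hostname pattern before this step and use a delimiter that cannot appear in a hostname, e.g. `sed -i "s|attestation\.app|${DOMAIN}|g"`. Also add a check that the literal was actually present, since sed exits 0 when nothing matched and an upstream rename of the string would otherwise go unnoticed, e.g. `grep -q "${DOMAIN}" src/main/java/app/attestation/server/AttestationServer.java` right after the sed.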

README

@@ -15,24 +15,37 @@ This project provides a containerized setup for running your own GrapheneOS Atte
Before running the server, ensure you have: Before running the server, ensure you have:
1. **Docker** and **Docker Compose** installed 1. **Docker** and **Docker Compose** installed
2. **TLS certificates** for `attestation.app` domain in the `certs/` directory: 2. **TLS certificates** for your domain in the `certs/` directory
- `certs/attestation.app.crt` - Certificate file 3. **DNS or hosts file configuration** to resolve your domain to your server
- `certs/attestation.app.key` - Private key file
3. **DNS or hosts file configuration** to resolve `attestation.app` to your server
## Pre-Launch Setup ## Configuration
### 1. Prepare TLS Certificates ### 1. Create .env file
Place your TLS certificates for `attestation.app` in the `certs/` directory: Copy the example environment file and edit it with your domain:
- `certs/attestation.app.crt` - Certificate
- `certs/attestation.app.key` - Private key ```bash
cp .env.example .env
```
Edit `.env` and set your domain:
```bash
DOMAIN=your-domain.com
```
### 2. Prepare TLS Certificates
Place your TLS certificates for your domain in the `certs/` directory:
- `certs/your-domain.com.crt` - Certificate file
- `certs/your-domain.com.key` - Private key file
> **Note:** Certificate generation is up to you. You can use self-signed certificates for local testing or certificates from a trusted CA. > **Note:** Certificate generation is up to you. You can use self-signed certificates for local testing or certificates from a trusted CA.
### 2. Configure DNS or Hosts File > **Important:** The certificate filenames must match your domain name from the `.env` file.
The GrapheneOS Auditor app expects to connect to `attestation.app`. You must redirect this domain to your local server's IP address. ### 3. Configure DNS or Hosts File
The GrapheneOS Auditor app expects to connect to the domain you configured. You must redirect this domain to your local server's IP address.
#### Option A: Local Machine (hosts file) #### Option A: Local Machine (hosts file)
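Review bot: the rewritten sentence "The GrapheneOS Auditor app expects to connect to the domain you configured" is not supported by this change: the previous text correctly said the app expects `attestation.app`, and nothing in this commit touches the Auditor app, which the Usage section still tells the user to install from the upstream repository. A hosts or DNS entry for `your-domain.com` therefore does not redirect the stock app; it keeps resolving `attestation.app`. Either restore the original statement and note that a custom domain additionally requires an Auditor build that targets that domain, or tell readers to keep the default domain. The cert filename note under `Important:` is a good addition.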
@@ -48,14 +61,14 @@ sudo nano /etc/hosts
C:\Windows\System32\drivers\etc\hosts C:\Windows\System32\drivers\etc\hosts
``` ```
Add the following line (replace `192.168.1.100` with your server's IP): Add the following line (replace `192.168.1.100` with your server's IP and `your-domain.com` with your domain):
``` ```
192.168.1.100 attestation.app 192.168.1.100 your-domain.com
``` ```
#### Option B: Network-wide (DNS) #### Option B: Network-wide (DNS)
Configure your router or local DNS server (like Pi-hole or AdGuard) to resolve `attestation.app` to your server's IP address. Configure your router or local DNS server (like Pi-hole or AdGuard) to resolve your domain to your server's IP address.
#### Option C: Android Device (root required) #### Option C: Android Device (root required)
@@ -63,13 +76,13 @@ If your Android device is rooted, edit `/system/etc/hosts`:
```bash ```bash
su su
mount -o remount,rw /system mount -o remount,rw /system
echo "192.168.1.100 attestation.app" >> /system/etc/hosts echo "192.168.1.100 your-domain.com" >> /system/etc/hosts
mount -o remount,ro /system mount -o remount,ro /system
``` ```
**Important:** You must configure this on the Android device running the Auditor app, not just the server. **Important:** You must configure this on the Android device running the Auditor app, not just the server.
### 3. Create Data Directory ### 4. Create Data Directory
Ensure the data directory exists for persistent SQLite storage: Ensure the data directory exists for persistent SQLite storage:
@@ -86,7 +99,7 @@ docker compose up -d --build
``` ```
This will: This will:
1. Build the AttestationServer from source 1. Build the AttestationServer from source with your configured domain
2. Start the attestation service on port 8080 (internal) 2. Start the attestation service on port 8080 (internal)
3. Start Caddy reverse proxy on ports 80 and 443 3. Start Caddy reverse proxy on ports 80 and 443
@@ -112,22 +125,23 @@ rm -rf data/*.db data/*.db-*
## Usage ## Usage
1. Ensure your Android device has `attestation.app` pointing to your server IP 1. Ensure your Android device has your domain pointing to your server IP
2. Install [GrapheneOS Auditor](https://github.com/GrapheneOS/Auditor) app on your Android device 2. Install [GrapheneOS Auditor](https://github.com/GrapheneOS/Auditor) app on your Android device
3. Open the Auditor app 3. Open the Auditor app
4. The app will connect to your local attestation server instead of the official one 4. The app will connect to your local attestation server instead of the official one
## Directory Structure ## Directory Structure
``` ```
. .
├── certs/ # TLS certificates ├── certs/ # TLS certificates
│ ├── attestation.app.crt │ ├── your-domain.com.crt
│ └── attestation.app.key │ └── your-domain.com.key
├── data/ # SQLite databases (persistent) ├── data/ # SQLite databases (persistent)
│ ├── attestation.db │ ├── attestation.db
│ └── samples.db │ └── samples.db
├── .env # Environment configuration (domain settings)
├── .env.example # Example environment file
├── Caddyfile # Caddy reverse proxy config ├── Caddyfile # Caddy reverse proxy config
├── Dockerfile # AttestationServer build ├── Dockerfile # AttestationServer build
├── docker-compose.yml # Service orchestration ├── docker-compose.yml # Service orchestration
@@ -135,10 +149,13 @@ rm -rf data/*.db data/*.db-*
└── process-static-docker.sh # Static file processor └── process-static-docker.sh # Static file processor
``` ```
## Default Domain
If you don't create a `.env` file, the default domain `attestation.app` will be used for backward compatibility.
## Security Considerations ## Security Considerations
- Keep your private key (`certs/attestation.app.key`) secure and never commit it to version control - Keep your private key (`certs/*.key`) secure and never commit it to version control
- The `.gitignore` file excludes sensitive files like certificates and databases - The `.gitignore` file excludes sensitive files like certificates and databases
- This setup is intended for **local/private use only** - This setup is intended for **local/private use only**
- For production deployment, use properly signed certificates from a trusted CA - For production deployment, use properly signed certificates from a trusted CA
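Review bot: with `.env` now part of the project layout, the line "The `.gitignore` file excludes sensitive files like certificates and databases" should also say whether `.env` is ignored; `.env.example` only makes sense if the real `.env` is, and readers otherwise will not know whether a per-deployment domain belongs in version control. The `certs/*.key` glob is the right generalisation now that the filename depends on `DOMAIN`.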

docker-compose.yml

@@ -2,7 +2,10 @@ version: '3.8'
services: services:
attestation: attestation:
build: . build:
context: .
args:
- DOMAIN=${DOMAIN:-attestation.app}
container_name: attestation-server container_name: attestation-server
restart: unless-stopped restart: unless-stopped
volumes: volumes:
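Review bot: `DOMAIN` is passed as a build `arg`, so it is baked into the attestation image; after editing `.env`, `docker compose up -d` without `--build` restarts Caddy with the new domain (it reads `DOMAIN` from the environment at runtime) but keeps the old domain in the Java server, and the two halves silently disagree. The README should state that a domain change requires `docker compose up -d --build` (the launch section already uses `--build`, the new "Default Domain" section does not mention it), or the server should read the domain at runtime instead of having it patched into the source at build time.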
@@ -23,6 +26,8 @@ services:
- "80:80" - "80:80"
- "443:443" - "443:443"
- "443:443/udp" - "443:443/udp"
environment:
- DOMAIN=${DOMAIN:-attestation.app}
volumes: volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro - ./Caddyfile:/etc/caddy/Caddyfile:ro
- ./certs:/etc/caddy/certs:ro - ./certs:/etc/caddy/certs:ro