Viacheslav/GrapheneOS-AttestationServer-Docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
GrapheneOS-AttestationServe…/README.md
MoonDev 9e113a8bd3 Readme fix
2026-02-06 11:23:12 +03:00

166 lines
4.5 KiB
Markdown
Raw Permalink Blame History

# GrapheneOS AttestationServer Docker
Dockerized deployment of [GrapheneOS AttestationServer](https://github.com/GrapheneOS/AttestationServer) for local attestation.
## Overview
This project provides a containerized setup for running your own GrapheneOS AttestationServer. It includes:
- **AttestationServer** - The main Java application handling attestations
- **Caddy** - Reverse proxy with HTTPS support
- **SQLite** - Local database storage for attestation data
## Prerequisites
Before running the server, ensure you have:
1. **Docker** and **Docker Compose** installed
2. **TLS certificates** for your domain in the `certs/` directory
3. **DNS or hosts file configuration** to resolve your domain to your server
## Configuration
### 1. Create .env file
Copy the example environment file and edit it with your domain:
```bash
cp .env.example .env
```
Edit `.env` and set your domain:
```bash
DOMAIN=your-domain.com
```
### 2. Prepare TLS Certificates
Place your TLS certificates for your domain in the `certs/` directory:
- `certs/your-domain.com.crt` - Certificate file
- `certs/your-domain.com.key` - Private key file
> **Note:** Certificate generation is up to you. You can use self-signed certificates for local testing or certificates from a trusted CA.
> **Important:** The certificate filenames must match your domain name from the `.env` file.
### 3. Configure DNS or Hosts File
The GrapheneOS Auditor app expects to connect to the domain you configured. You must redirect this domain to your local server's IP address.
#### Option A: Local Machine (hosts file)
Edit your hosts file:
**Linux/macOS:**
```bash
sudo nano /etc/hosts
```
**Windows:**
```
C:\Windows\System32\drivers\etc\hosts
```
Add the following line (replace `192.168.1.100` with your server's IP and `your-domain.com` with your domain):
```
192.168.1.100 your-domain.com
```
#### Option B: Network-wide (DNS)
Configure your router or local DNS server (like Pi-hole or AdGuard) to resolve your domain to your server's IP address.
#### Option C: Android Device (root required)
If your Android device is rooted, edit `/system/etc/hosts`:
```bash
su
mount -o remount,rw /system
echo "192.168.1.100 your-domain.com" >> /system/etc/hosts
mount -o remount,ro /system
```
**Important:** You must configure this on the Android device running the Auditor app, not just the server.
### 4. Create Data Directory
Ensure the data directory exists for persistent SQLite storage:
```bash
mkdir -p data
```
## Running the Server
### Build and Start
```bash
docker compose up -d --build
```
This will:
1. Build the AttestationServer from source with your configured domain
2. Start the attestation service on port 8080 (internal)
3. Start Caddy reverse proxy on ports 80 and 443
### Check Status
```bash
docker compose ps
docker compose logs -f
```
### Stop the Server
```bash
docker compose down
```
### Stop and Remove All Data
```bash
docker compose down -v
rm -rf data/*.db data/*.db-*
```
## Usage
1. Ensure your Android device has your domain pointing to your server IP
2. Install [GrapheneOS Auditor](https://github.com/GrapheneOS/Auditor) app on your Android device
3. Open the Auditor app
4. The app will connect to your local attestation server instead of the official one
## Directory Structure
```
.
├── certs/ # TLS certificates
│ ├── your-domain.com.crt
│ └── your-domain.com.key
├── data/ # SQLite databases (persistent)
│ ├── attestation.db
│ └── samples.db
├── .env # Environment configuration (domain settings)
├── .env.example # Example environment file
├── Caddyfile # Caddy reverse proxy config
├── Dockerfile # AttestationServer build
├── docker-compose.yml # Service orchestration
├── entrypoint.sh # Container entrypoint
└── process-static-docker.sh # Static file processor
```
## Default Domain
If you don't create a `.env` file, the default domain `attestation.app` will be used for backward compatibility.
## Security Considerations
- Keep your private key (`certs/*.key`) secure and never commit it to version control
- The `.gitignore` file excludes sensitive files like certificates and databases
- This setup is intended for **local/private use only**
- For production deployment, use properly signed certificates from a trusted CA
## License
This Docker setup follows the same license as the upstream [GrapheneOS AttestationServer](https://github.com/GrapheneOS/AttestationServer).
Reference in New Issue View Git Blame Copy Permalink