The entire Konnect™ server stack is described by a single bundle file, docker-compose.yml, which lists all the services in the stack and their configuration. This lets the system administrator keep every component required to run a Konnect™ access server in one place, and makes configuring and deploying the application stack a breeze!
On the deployment host, first create a directory that will hold all base application configuration and runtime data. The following examples use /opt/konnect, but feel free to use any directory you see fit and adjust the commands accordingly.
mkdir -p /opt/konnect
mkdir -p /opt/konnect/letsencrypt
cd /opt/konnect
Next, create a file called /opt/konnect/docker-compose.yml with the following contents:
version: "3"
services:
  web:
    image: ghcr.io/kuyio/konnect:latest
    ports:
      - "5000:5000"          # direct, non-TLS access to the portal, bypassing traefik
      - "51820:51820/udp"    # WireGuard
    links:
      - db                   # legacy; name resolution on wg_internal already covers this
    environment:
      PORT: 5000
      DB_HOST: db
      DB_PORT: 5432
      DB_USER: postgres
      DB_PASSWORD: <PASSWORD>
      SECRET_KEY_BASE: "<KEY>"
    cap_add:
      - NET_ADMIN
      - SYS_MODULE           # allows loading kernel modules (the wireguard module)
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.disable_ipv6=0
    networks:
      - wg_internal
    volumes:
      - ./conf:/app/config/wireguard
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=wg_internal"
      - "traefik.http.services.web.loadbalancer.server.port=5000"
      - "traefik.http.routers.web.rule=Host(`<DOMAIN>`)"
      - "traefik.http.routers.web.tls=true"
      - "traefik.http.routers.web.tls.certresolver=le"
    restart: always
  db:
    image: postgres:12-alpine
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=<PASSWORD>
    expose:
      - "5432"               # reachable from wg_internal only, not published on the host
    volumes:
      - "database:/var/lib/postgresql/data"
    networks:
      - wg_internal
    restart: always
  traefik:
    container_name: traefik
    image: traefik:v2.2
    command:
      - "--api.insecure=true"   # serves the dashboard and API without authentication on :8080
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesResolvers.le.acme.email=<EMAIL>"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesResolvers.le.acme.tlsChallenge=true"
      - "--certificatesResolvers.le.acme.httpChallenge=true"
      - "--certificatesResolvers.le.acme.httpChallenge.entryPoint=web"
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"          # Traefik dashboard and API, published on all interfaces
    networks:
      - wg_internal
      - konnect_wg_ingress
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock   # full control of the Docker daemon
      - ./letsencrypt:/letsencrypt                  # acme.json holds the certificate private key
    labels:
      # Redirect all HTTP to HTTPS permanently
      - traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)
      - traefik.http.routers.http_catchall.entrypoints=web
      - traefik.http.routers.http_catchall.middlewares=https_redirect
      - traefik.http.middlewares.https_redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https_redirect.redirectscheme.permanent=true
volumes:
  database:
networks:
  wg_internal:
    external: false
  konnect_wg_ingress:
    external: true
Please replace the placeholders <KEY>, <PASSWORD>, <EMAIL>, and <DOMAIN> in the above file with values that are appropriate for your deployment.
<KEY> should be a random alphanumeric string of 32 characters. It is the secret key base used to encrypt session storage, authentication cookies, and XSRF protection tokens for the administrator and user web portals. Generate it from a cryptographic random source (for example /dev/urandom), never reuse it across deployments, and keep in mind that changing it later invalidates all existing sessions and cookies.
<PASSWORD> should be a strong, randomly generated database password. The same value must be used in both places it appears: DB_PASSWORD for the web service and POSTGRES_PASSWORD for the db service.
<DOMAIN> should be the fully qualified hostname of your deployment, e.g., vpn.my-company.org. It must resolve publicly to this host, because Let's Encrypt validates the certificate request by connecting to that name on port 80 (HTTP-01) or 443 (TLS-ALPN-01).
<EMAIL> should be the IT administrator email address that you wish to associate with the Let's Encrypt SSL certificate for <DOMAIN>; Let's Encrypt sends expiry and security notices to it.
Because the finished file contains both secrets in clear text, restrict it to its owner (chmod 600 /opt/konnect/docker-compose.yml) and keep it out of version control. Note also that anyone who can run docker inspect on the host can read container environment variables, so access to the Docker daemon should be limited to administrators.
Note: The docker-compose.yml file can also be generated automatically with our Quickstart Scripts. In that case, the database password and secret key base are generated for you.
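The following script is an added example and is not part of Konnect's Quickstart Scripts: it generates a 32-character alphanumeric <KEY> and a random <PASSWORD> from /dev/urandom, substitutes all four placeholders in a copy of the stack file, refuses to write a file that still contains a placeholder or a key shorter than 32 characters, and creates the result with mode 0600. The file name docker-compose.yml.tmpl for the unfilled copy and the example values passed on the command line are assumptions, not names used by the project.

```shell
#!/bin/sh
# Added example (not Konnect's own tooling): render docker-compose.yml from a
# template that still contains <KEY>, <PASSWORD>, <EMAIL> and <DOMAIN>.
# Assumed layout: the unfilled file is kept as docker-compose.yml.tmpl next
# to the rendered docker-compose.yml.
set -eu

# Print exactly $1 characters drawn from [A-Za-z0-9], sourced from
# /dev/urandom. The output contains no sed metacharacters (|, &, \).
random_alnum() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Fail if $1 contains a character that would corrupt the sed replacement
# below: the | delimiter, the & back-reference, or a backslash.
assert_sed_safe() {
  case $1 in
    *'|'*|*'&'*|*'\'*) echo "unsafe character in value: $1" >&2; return 1 ;;
  esac
}

# render_compose TEMPLATE OUT KEY PASSWORD EMAIL DOMAIN
# Substitute the placeholders, then check that none survived. The output
# is created under umask 077 because it holds the database password and
# the secret key base in clear text.
render_compose() {
  tmpl=$1 out=$2 key=$3 pw=$4 email=$5 domain=$6
  for v in "$key" "$pw" "$email" "$domain"; do
    assert_sed_safe "$v" || return 1
  done
  [ ${#key} -ge 32 ] || { echo "SECRET_KEY_BASE must be at least 32 characters" >&2; return 1; }
  ( umask 077
    sed -e "s|<KEY>|$key|g" -e "s|<PASSWORD>|$pw|g" \
        -e "s|<EMAIL>|$email|g" -e "s|<DOMAIN>|$domain|g" "$tmpl" >"$out" ) || return 1
  if grep -q -e '<KEY>' -e '<PASSWORD>' -e '<EMAIL>' -e '<DOMAIN>' "$out"; then
    echo "placeholder left unfilled in $out" >&2
    return 1
  fi
}

# Usage (constructed example values): ./render.sh vpn.example.org admin@example.org
if [ "${1:-}" ] && [ "${2:-}" ]; then
  render_compose docker-compose.yml.tmpl docker-compose.yml \
    "$(random_alnum 32)" "$(random_alnum 24)" "$2" "$1"
fi
```

Values are passed into render_compose as arguments rather than read from the environment so that the same function can be exercised against a throwaway template before it touches /opt/konnect; the placeholder re-check at the end catches a template whose spelling of a placeholder differs from the sed expressions.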
What's happening here? The stack file describes three services: web, the Konnect™ access server container image; db, a PostgreSQL database that is reachable only on the internal wg_internal network; and traefik, a reverse proxy that terminates TLS for <DOMAIN>, obtains the certificate from Let's Encrypt, and forwards requests to web on port 5000 over wg_internal. For each service, the stack file also describes service-specific configuration that must be present before the application boots.
A few settings in this file deserve attention before the host is exposed to the internet. --api.insecure=true together with the 8080:8080 mapping publishes Traefik's dashboard and API without any authentication on every interface of the host; remove that mapping, or bind it to the loopback interface as 127.0.0.1:8080:8080, unless port 8080 is blocked by a firewall. The 5000:5000 mapping on web publishes the portal over plain HTTP, bypassing Traefik and TLS; the HTTPS route does not need it, because Traefik reaches the container over wg_internal, so bind it to 127.0.0.1 or drop it if nothing else requires direct access. SYS_MODULE lets the container load kernel modules, which is equivalent to root on the host; it is only needed to load the wireguard module on kernels that do not ship it built in (WireGuard is in-tree since Linux 5.6), so on such hosts run modprobe wireguard on the host beforehand and drop the capability. Mounting /var/run/docker.sock gives the traefik container control of the Docker daemon, which is how its Docker provider discovers services but also makes that container as trusted as the host itself. The certificate resolver enables both tlsChallenge and httpChallenge; Traefik uses a single challenge type per resolver, so keep only the one you intend to use. The http_catchall labels on the traefik service duplicate the entrypoint-level redirect configured by --entrypoints.web.http.redirections and can be dropped. Finally, acme.json under /opt/konnect/letsencrypt contains the certificate's private key; Traefik creates it with mode 0600, and it should stay readable by root only.
Finally, create the ingress network referenced in the file above. Launching an application stack with docker compose does not create external networks automatically and reports an error when the network does not exist:
docker network create konnect_wg_ingress
Before starting the stack, docker compose config --quiet validates the file and reports any syntax error, such as broken YAML indentation, without printing the secrets it contains.
Congratulations! You are now ready to start your Konnect™ server deployment.