Configure d.rymcg.tech for the sentry

Run the main config

The main config must be run for each new context you create:

Run this on the Raspberry Pi
sentry config
(stdout)
> This will make a configuration for the current docker context (sentry). Proceed? Yes

ROOT_DOMAIN: Enter the root domain for this context (e.g., d.example.com)

: sentry.example.com

Install Traefik

This is very similar to the process you followed when you installed Traefik on the Raspberry Pi:

Run this on the Raspberry Pi
sentry make traefik config
(stdout)
? Traefik:
> Config
  Install (make install)
  Admin
  Exit (ESC)

Create the traefik user:

(stdout)
? Traefik Configuration:
> Traefik user

Configure ACME:

(stdout)
? Traefik TLS config:
  Configure certificate authorities (CA)
> Configure ACME (Let's Encrypt or Step-CA)
  Configure TLS certificates (make certs)

Choose Let’s Encrypt:

(stdout)
? Which ACME provider do you want to use?
> Let's Encrypt (ACME)
  Step-CA (ACME)
  Disable ACME
  Cancel / Go back

Choose the Production environment:

(stdout)
? Which LE environment do you want to use?
> Production (recommended!)
  Staging (untrusted / testing)

Choose the DNS-01 challenge type:

(stdout)
? Which type of ACME challenge should be used?
  TLS-ALPN-01 (default for public servers, easy, but no wildcard certs)
> DNS-01 (requires API key, but good behind firewalls, and allows wildcard certs)

Find the provider code of your supported DNS provider here:
https://go-acme.github.io/lego/dns/#dns-providers

TRAEFIK_ACME_DNS_PROVIDER: Enter the LEGO code for your DNS Provider (e.g., digitalocean)

: digitalocean

Enter the literal variable name DO_AUTH_TOKEN:

(stdout)
TRAEFIK_ACME_DNS_VARNAME_1: Enter the 1st DNS provider variable name (e.g., DO_AUTH_TOKEN)

: DO_AUTH_TOKEN

TRAEFIK_ACME_DNS_VARNAME_2: Enter the 2nd DNS provider variable name (or leave blank)

:

Leave the second variable name blank, because there isn't one.

Now enter the variable value for DO_AUTH_TOKEN (this should actually be the secret personal access token that you generate on DigitalOcean):

(stdout)
Now to enter the values for the custom DNS API variables:
DO_AUTH_TOKEN: Enter the value for DO_AUTH_TOKEN (e.g., your-actual-digitalocean-token-here)

: dop_v1_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Create a new TLS certificate:

(stdout)
? Traefik TLS config:
  Configure certificate authorities (CA)
  Configure ACME (Let's Encrypt or Step-CA)
> Configure TLS certificates (make certs)

? Configure Traefik TLS certificates
  Manage all certificates.
> Create a new certificate.
  Done / Go back

Enter the main domain (CN) for this certificate (e.g., `d.rymcg.tech` or `*.d.rymcg.tech`)

: sentry.example.com

Now enter any additional domains (SANs), one per line:
Enter a secondary domain (enter blank to skip)

: *.sentry.example.com

Enter a secondary domain (enter blank to skip)

:

Main domain:
 sentry.example.com
Secondary (SANS) domains:
 *.sentry.example.com

Install Traefik

Press ESC three times to go back to the main menu.

Install Traefik:

(stdout)
? Traefik:
  Config
> Install (make install)
  Admin
  Exit (ESC)

When done, press ESC to quit the Traefik config program.

Install whoami

Run this on the Raspberry Pi
sentry make whoami config
(stdout)
WHOAMI_TRAEFIK_HOST: Enter the whoami domain name (e.g., whoami.example.com)

: whoami.sentry.example.com

? Do you want to enable sentry authorization in front of this app (effectively making the entire site private)?
> No
  Yes, with HTTP Basic Authentication
  Yes, with Oauth2
  Yes, with Mutual TLS (mTLS)

Run this on the Raspberry Pi
sentry make whoami install

Whoami on the sentry

This instance of whoami runs on the droplet, and it exists only to test connectivity to the public droplet itself. The whoami instance running on the Raspberry Pi has not yet been exposed publicly.

Wait a few minutes for the TLS certificate to be issued

Test the whoami instance

You can open the page in w3m:

Run this on the Raspberry Pi
sentry make whoami open

Or test it with curl:

Run this on the Raspberry Pi
curl https://whoami.sentry.example.com

Note that if the TLS certificate has not been issued yet, you will get this error from curl (and a similar error in w3m):

(stdout)
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Simply wait a bit longer for the TLS certificate to be issued, or check the logs for errors (d make traefik logs service=traefik). You can also tell curl to ignore the error (-k):

Run this on the Raspberry Pi
## This is insecure, but fine for testing:
curl -k https://whoami.sentry.example.com
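To tell apart the placeholder certificate behind that curl error from a real, issued certificate that simply does not cover the host you asked for, here is an added script (not part of d.rymcg.tech) that classifies what Traefik is currently serving. It assumes openssl is installed on the Raspberry Pi and uses this page's example.com names as placeholders.

```shell
#!/bin/sh
# Added example (not part of d.rymcg.tech): classify the certificate Traefik is
# serving for a host as the self-signed placeholder (seen above as curl error 60),
# a real certificate that does not cover the host, or a usable one.
# Assumes openssl is available; the example.com names are this page's placeholders.

# cert_status HOST TEXT
# TEXT is the output of: openssl x509 -noout -subject -issuer -ext subjectAltName
# Prints one of: self-signed | name-mismatch | ok
cert_status() {
    host=$1
    text=$2
    subject=$(printf '%s\n' "$text" | sed -n 's/^subject=//p')
    issuer=$(printf '%s\n' "$text" | sed -n 's/^issuer=//p')
    # Traefik's built-in default cert is self-signed: subject and issuer are identical.
    if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then
        echo self-signed
        return 0
    fi
    # A wildcard SAN covers exactly one extra label: *.sentry.example.com matches
    # whoami.sentry.example.com but not sentry.example.com itself, which is why the
    # certificate on this page uses the bare domain as CN plus the wildcard as SAN.
    parent=${host#*.}
    sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    if printf '%s\n' "$sans" "$cn" | grep -qxF -e "$host" -e "*.$parent"; then
        echo ok
    else
        echo name-mismatch
    fi
}

# check_traefik_cert HOST: fetch the live certificate (unverified, so the
# placeholder can be inspected too) and classify it for HOST.
check_traefik_cert() {
    text=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -ext subjectAltName)
    cert_status "$1" "$text"
}

# Usage: sh check_cert.sh whoami.sentry.example.com
if [ "$#" -eq 1 ]; then
    check_traefik_cert "$1"
fi
```

Run it against the whoami hostname: while it prints self-signed, ACME has not issued the certificate yet; name-mismatch means a certificate was issued but its CN/SANs do not cover that host.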

A valid whoami response page looks similar to this:

(stdout)
Name: default
Hostname: 52a9750ecaa4
IP: 127.0.0.1
IP: ::1
IP: 172.19.0.2
RemoteAddr: 172.19.0.1:56082
GET / HTTP/1.1
Host: whoami.sentry.example.com
User-Agent: curl/7.88.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: X.X.X.X
X-Forwarded-Host: whoami.sentry.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: sentry
X-Real-Ip: X.X.X.X

Next steps

  • Configure the WireGuard VPN.
  • Set up public SSH.
  • Install core services.
  • Install apps.