Launch DigitalOcean droplet
Set up your SSH key on DigitalOcean
How to do this in the DigitalOcean cloud console
- Login to the DigitalOcean cloud console.
- Click `Settings` in the menu.
- Click on the `Security` tab.
- Click on the `Add SSH Key` button.
- Paste the public SSH key of the `pi` user into the box (copy the contents of `~/.ssh/id_ed25519.pub` from the Raspberry Pi).
- Enter a key name, e.g., `pi@pi.example.com`.
- Finish adding the key: click `Add SSH Key`.
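Before pasting the key into the console it is worth confirming that the file you copied really is the public half in OpenSSH one-line format and not the private key or a stray fragment. The parser below is an added example, not part of this guide or of DigitalOcean's tooling; it checks the `ssh-ed25519` wire encoding (a length-prefixed type string followed by a 32-byte key) and refuses anything that looks like a private key. The sample key line is constructed from an all-zero key purely to exercise the parser.

```python
import base64
import os
import struct

# Constructed sample: a 32-byte all-zero key is not a real key; it only
# exercises the parser. A real line comes from ~/.ssh/id_ed25519.pub.
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)
).decode() + " pi@pi.example.com"


def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_openssh_pubkey(line):
    """Validate an OpenSSH public key line and return its type, comment and key size."""
    line = line.strip()
    if "PRIVATE KEY" in line:
        raise ValueError("this is a private key; paste only the .pub file")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type != "ssh-ed25519":
        raise ValueError(f"unexpected key type {key_type!r}; the guide uses id_ed25519.pub")
    blob = base64.b64decode(b64, validate=True)   # raises ValueError on bad base64
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("base64 blob does not match the declared key type")
    key, off = _read_string(blob, off)
    if len(key) != 32:
        raise ValueError(f"ed25519 public keys are 32 bytes, got {len(key)}")
    if off != len(blob):
        raise ValueError("trailing bytes after the key")
    return {"type": key_type, "comment": comment, "key_bytes": len(key)}


def load_pubkey(path="~/.ssh/id_ed25519.pub"):
    """Read and validate the key file the guide tells you to copy from the Pi."""
    with open(os.path.expanduser(path), encoding="ascii") as fh:
        return parse_openssh_pubkey(fh.read())


if __name__ == "__main__":
    print(parse_openssh_pubkey(SAMPLE_PUBKEY))
```

Run it on the Pi as `python3 check_key.py` after replacing the sample call with `load_pubkey()`; a clean result means the line is safe to paste, and a `ValueError` tells you which part of the line is wrong.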
Create a DigitalOcean firewall template
How to do this in the DigitalOcean cloud console
- Login to the DigitalOcean cloud console.
- Click `Networking` in the menu.
- Click the `Firewalls` tab.
- Click `Create Firewall`.
- Enter the name, e.g., `sentry.example.com`.
- Enter the following rules:
  - SSH:
    - Type: `SSH`
    - Protocol: `TCP`
    - Port Range: `22`
    - Sources: All IPv4, All IPv6, or a specific static IP address if you want to be more secure.
    - Description: This is so you can access the SSH console of the public sentry.
  - HTTP:
    - Type: `HTTP`
    - Protocol: `TCP`
    - Port Range: `80`
    - Sources: All IPv4, All IPv6.
    - Description: This is used solely to forward incoming HTTP connections to HTTPS.
  - HTTPS:
    - Type: `HTTPS`
    - Protocol: `TCP`
    - Port Range: `443`
    - Sources: All IPv4, All IPv6.
    - Description: This allows incoming HTTPS connections.
  - WireGuard VPN:
    - Type: `Custom`
    - Protocol: `UDP`
    - Port Range: `51820`
    - Sources: All IPv4, All IPv6, unless you know the Pi will only connect from a set of specific IP addresses.
    - Description: This allows incoming VPN connections from the Pi.
  - ICMP:
    - Type: `ICMP`
    - Description: Optional - to allow ping response to the public sentry.
  - Public SSH to the Pi:
    - Type: `Custom`
    - Protocol: `TCP`
    - Port Range: `2220`
    - Sources: All IPv4, All IPv6, or a specific set of static IP addresses if you want to be more secure.
    - Description: Optional - this is so you can access the SSH console of the Raspberry Pi through the public sentry.
  - Public SSH access for Forgejo (public git access):
    - Type: `Custom`
    - Protocol: `TCP`
    - Port Range: `2222`
    - Sources: All IPv4, All IPv6, or a specific set of static IP addresses if you want to be more secure.
    - Description: Optional - this is so you can fetch and push to git repositories over SSH.
  - Public SFTP access:
    - Type: `Custom`
    - Protocol: `TCP`
    - Port Range: `2223`
    - Sources: All IPv4, All IPv6, or a specific set of static IP addresses if you want to be more secure.
    - Description: Optional - this is so you can use SFTP.
- Click `Create Firewall`.
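The same rule set can be expressed as the request body that DigitalOcean's Firewalls API (`POST /v2/firewalls`) accepts, which makes the "if you want to be more secure" choice explicit: the script below is an added example, not code from this guide or from DigitalOcean, and it builds the body from the rules listed above, narrows the administrative ports (22, 2220, 2222, 2223) to addresses you supply, and reports which of those ports are still open to the whole internet. The rule labels, the `public`/`admin` classification and the `203.0.113.10` address are assumptions made for the example.

```python
import ipaddress
import json

# "All IPv4" / "All IPv6" in the console, as the Firewalls API spells them.
ANY = ["0.0.0.0/0", "::/0"]

# The inbound rules from the guide. "public" services must be reachable from
# anywhere; "admin" services work just as well when restricted to the
# addresses you administer from. Ports are strings because the API takes
# port ranges as strings. Labels are only for readability.
GUIDE_RULES = [
    ("ssh-sentry",  "tcp",  "22",    "admin"),
    ("http",        "tcp",  "80",    "public"),
    ("https",       "tcp",  "443",   "public"),
    ("wireguard",   "udp",  "51820", "public"),
    ("icmp",        "icmp", None,    "public"),
    ("ssh-pi",      "tcp",  "2220",  "admin"),
    ("ssh-forgejo", "tcp",  "2222",  "admin"),
    ("sftp",        "tcp",  "2223",  "admin"),
]


def normalise_sources(addresses):
    """Turn user-supplied IPs/CIDRs into canonical CIDR strings, rejecting catch-alls."""
    cidrs = []
    for addr in addresses:
        net = ipaddress.ip_network(addr.strip(), strict=False)  # ValueError on garbage
        if net.prefixlen == 0:
            raise ValueError("admin sources must not be a catch-all; omit admin_sources instead")
        cidrs.append(str(net))
    return cidrs


def build_firewall(name, admin_sources=None):
    """Build the JSON body for POST /v2/firewalls from the guide's rules."""
    admin = normalise_sources(admin_sources) if admin_sources else ANY
    inbound = []
    for _label, proto, ports, scope in GUIDE_RULES:
        rule = {"protocol": proto,
                "sources": {"addresses": ANY if scope == "public" else admin}}
        if ports is not None:          # ICMP rules carry no port range
            rule["ports"] = ports
        inbound.append(rule)
    # Outbound stays open: the droplet needs apt, TLS certificates and the Pi's tunnel.
    outbound = [{"protocol": p, "ports": "all", "destinations": {"addresses": ANY}}
                for p in ("tcp", "udp")]
    outbound.append({"protocol": "icmp", "destinations": {"addresses": ANY}})
    return {"name": name, "inbound_rules": inbound, "outbound_rules": outbound}


def wide_open_admin_ports(firewall):
    """Ports of admin-only services that this firewall exposes to the whole internet."""
    admin_ports = {ports for _, _, ports, scope in GUIDE_RULES if scope == "admin"}
    return [r["ports"] for r in firewall["inbound_rules"]
            if r.get("ports") in admin_ports
            and set(r["sources"]["addresses"]) == set(ANY)]


if __name__ == "__main__":
    fw = build_firewall("sentry.example.com", admin_sources=["203.0.113.10"])
    print(json.dumps(fw, indent=2))
    print("admin ports open to the world:", wide_open_admin_ports(fw))
```

Calling `build_firewall("sentry.example.com")` with no `admin_sources` reproduces the console defaults (everything open to All IPv4/IPv6) and `wide_open_admin_ports` then lists all four SSH/SFTP ports; passing your static address produces a body you can review before submitting it with the API or pasting the equivalent values into the console.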
Create the DigitalOcean droplet
How to do this in the DigitalOcean cloud console
- Login to the DigitalOcean cloud console.
- Click `Droplets` in the menu.
- Click `Create Droplet`.
- Choose a Region (e.g., New York) where the droplet will be created.
- Underneath the heading `Choose an image`, choose `Debian` (select the latest version).
- Choose a droplet size. For a WireGuard proxy by itself, 1GB should be fine. 2GB RAM and 50GB disk are recommended for medium-size production installs with some apps installed on the droplet itself. (It is also tested working on as little as 512MB RAM, if you enable zram and/or create a 1GB swapfile. Do not abuse swap space like this in production! However, I think it's fine for development use, but you may occasionally run into low memory issues with less than 1GB.)
- Select the `pi` user's SSH key to access this droplet.
- Set the hostname for the Docker server. The name should be short and typeable, as it will become a part of the canonical service URLs. For this example, we choose `sentry`.
- Verify everything is correct, and then click `Create Droplet`.
Apply the DigitalOcean droplet firewall
How to do this in the DigitalOcean cloud console
- Login to the DigitalOcean cloud console.
- Click `Networking` in the menu.
- Find the firewall template you created, and click on it.
- Click on the firewall's `Droplets` tab.
- Click `Add Droplets`, search for the droplet you created, and select it.
- Click `Add Droplet` to add the firewall to the droplet.
Create wildcard DNS records for the droplet
How to do this in the DigitalOcean cloud console
- Login to the DigitalOcean cloud console.
- Click `Networking` in the menu.
- Click the `Domains` tab.
- Find the domain you created earlier, and click it.
- Create an `A` record for the sentry:
  - Hostname: enter the subdomain name without the domain part (e.g., `sentry`, the name of your Docker server, without the `.example.com` suffix).
  - Will direct to: select the droplet you created from the list.
  - Click `Create Record`.
- Create another `A` record, for the wildcard of the sentry:
  - Hostname: enter the same name as before but prepend `*.` in front of it (e.g., if the server is named `sentry`, create a record for `*.sentry`, without the `.example.com` suffix).
  - Will direct to: select the same droplet as before.
  - Click `Create Record`.
- Create another `A` record, for the Raspberry Pi:
  - Hostname: e.g., `pi.example.com`.
  - Will direct to: select the same droplet as before.
  - Click `Create Record`.
- Create another `A` record, for the wildcard of the Raspberry Pi:
  - Hostname: e.g., `*.pi.example.com`.
  - Will direct to: select the same droplet as before.
  - Click `Create Record`.
- Create any more `A` records that you may need.
Test DNS
Test that your wildcard record actually works. Use the `dig` command (for Debian/Ubuntu install the `dnsutils` package; for Arch Linux install `bind-tools`; for Fedora install `bind-utils`).
Pick some random subdomain off your domain:
[bash]: Run this on your workstation:
```bash
dig laksdflkweieri.sentry.example.com
```
(stdout)
```
;; ANSWER SECTION:
laksdflkweieri.sentry.example.com. 3600 IN A 153.114.12.78
```
Since you created the wildcard record for `*.sentry.example.com`, `dig` should return your Docker server's IP address in the ANSWER SECTION of the output. You can test all your other records the same way.
If you run into DNS caching problems, verify with the source DNS server directly:
[bash]: Run this on your workstation:
```bash
dig @ns1.digitalocean.com laksdflkweieri.sentry.example.com
```
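The manual check above can be scripted so that every wildcard (sentry and Pi) is tested with a fresh random label each time, and so that an NXDOMAIN or a stale cached answer is reported rather than eyeballed. The script below is an added example, not part of this guide: it generates a label, runs `dig` (optionally against `ns1.digitalocean.com`, as the guide suggests for caching problems), parses the ANSWER SECTION and the status from the header, and confirms every A answer points at the droplet's address. The two embedded `dig` outputs are constructed samples in the layout `dig` prints; the `153.114.12.78` address is the guide's own example value.

```python
import re
import secrets
import subprocess

# One dig answer line: "<name>. <ttl> IN <type> <data>" (fields separated by tabs or spaces).
ANSWER_RE = re.compile(
    r"(?P<name>\S+?)\.?\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>\S+)")

# Constructed sample outputs in the layout dig prints; the IP is the guide's example.
SAMPLE_OK = """\
; <<>> DiG 9.18.24 <<>> laksdflkweieri.sentry.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;laksdflkweieri.sentry.example.com.\tIN\tA

;; ANSWER SECTION:
laksdflkweieri.sentry.example.com. 3600\tIN\tA\t153.114.12.78

;; Query time: 23 msec
"""

SAMPLE_NXDOMAIN = """\
; <<>> DiG 9.18.24 <<>> laksdflkweieri.sentry.example.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; QUESTION SECTION:
;laksdflkweieri.sentry.example.com.\tIN\tA

;; AUTHORITY SECTION:
example.com.\t1800\tIN\tSOA\tns1.digitalocean.com. hostmaster.example.com. 1 10800 3600 604800 1800
"""


def random_label(length=12):
    """A label nobody has created a record for, so only the wildcard can answer it."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dig_status(output):
    """The RCODE dig reports in its header (NOERROR, NXDOMAIN, SERVFAIL, ...), or None."""
    m = re.search(r"status: ([A-Z]+)", output)
    return m.group(1) if m else None


def parse_answers(output):
    """Records from the ANSWER SECTION as dicts; empty if dig got no answer."""
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";") or not line.strip():
            in_answer = False          # a blank line or the next ";;" header ends the section
            continue
        if in_answer:
            m = ANSWER_RE.fullmatch(line.strip())
            if m:
                answers.append({"name": m["name"], "ttl": int(m["ttl"]),
                                "type": m["type"], "data": m["data"]})
    return answers


def check_wildcard(output, expected_ip, zone):
    """True when dig succeeded and every A answer is a name under `zone` pointing at expected_ip."""
    if dig_status(output) != "NOERROR":
        return False
    answers = [a for a in parse_answers(output) if a["type"] == "A"]
    return bool(answers) and all(
        a["name"].endswith("." + zone) and a["data"] == expected_ip for a in answers)


def query(name, server=None):
    """Run dig locally, optionally against a single nameserver (e.g. ns1.digitalocean.com)."""
    cmd = ["dig"] + ([f"@{server}"] if server else []) + [name]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    zone, ip = sys.argv[1], sys.argv[2]          # e.g. sentry.example.com 153.114.12.78
    name = f"{random_label()}.{zone}"
    out = query(name, server=sys.argv[3] if len(sys.argv) > 3 else None)
    print(name, "->", dig_status(out), [a["data"] for a in parse_answers(out)])
    print("wildcard OK" if check_wildcard(out, ip, zone) else "wildcard NOT working")
```

Run it once per wildcard, e.g. `python3 dnscheck.py sentry.example.com 153.114.12.78` and again with `pi.example.com`; adding `ns1.digitalocean.com` as a third argument bypasses your resolver's cache. An NXDOMAIN status means the wildcard record is missing or not yet published, while a NOERROR answer with a different address usually means a cached or conflicting record.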