You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Step 1b walks through allocating an Elastic IP and upserting the
broker.litentry.org A record in Route 53 — the prerequisite that lets
certbot's HTTP-01 challenge resolve the host in Step 5.
The "Automated path" callout above Step 1 points operators at
scripts/setup-broker-host.sh as the bundled automation for Steps 2-5,
making the manual walk-through the reference rather than the default.
Copy file name to clipboardExpand all lines: docs/stage7-wip.md
+37Lines changed: 37 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -268,6 +268,8 @@ For v0.1 operators, two pragmatic options:
268
268
1.**Single-host deployment with persistent state (recommended for self-hosted teams).** Keep the mock-server but add a small wrapper: front it with `systemd` (or Docker `restart: unless-stopped`), and mount the SQLite file on persistent storage — `docs/operator-runbook.md` will track the exact patches needed in the next iteration. Until that lands, treat session loss on restart as part of the operator runbook (have developers re-`init` after a backend restart).
269
269
2.**Skip the mock and wait for Heima.** If your timeline allows, hold this deployment until the chain-backed backend lands and use the real Heima session-management path. Stage 7 phase 2 isn't gated on this — the broker's interface is the same regardless of which backend implements `/session/create` + `/session/validate`.
270
270
271
+
> **Automated path:**[`scripts/setup-broker-host.sh`](../scripts/setup-broker-host.sh) bundles Steps 2–5 (binary install, `agentkeys` system user, systemd units, nginx site, certbot issuance) into a single interactive run-on-the-host script. It's idempotent, supports the three credential modes from Step 3, and prompts before each optional step. Steps 1 (provision the host) and 1b (wire DNS) are still manual prerequisites. After running the script, jump to Step 6 for the smoke test.
272
+
271
273
### Step 1 — Provision the host
272
274
273
275
Pick whatever fits your stack. Two examples that satisfy the requirements (TLS-terminating reverse proxy + ≥ 1 vCPU / 1 GiB RAM + persistent disk):
@@ -281,6 +283,41 @@ Either way you need:
281
283
- A public-CA TLS certificate covering that name (Let's Encrypt is free; ACM is free for ALB use).
282
284
- Firewall: inbound `:443` from anywhere, inbound `:22` from your admin IP, **everything else closed**. The broker's `:8091` and the backend's `:8090` are reached only via localhost or the private network.
283
285
286
+
### Step 1b — Wire DNS to the broker host
287
+
288
+
The broker hostname must resolve to the host's public IP **before** certbot runs in Step 5 (Let's Encrypt's HTTP-01 challenge resolves the name and hits port 80). Allocate an Elastic IP (so the address survives stop/start) and add an `A` record. If your DNS lives in AWS Route 53:
289
+
290
+
```bash
291
+
# 1. Allocate + attach an Elastic IP (run with the right --region for the EC2 instance)
For non-AWS DNS providers, create an equivalent A record (`broker.litentry.org` → EIP) in their console. The IAM user running these commands needs `ec2:AllocateAddress` / `ec2:AssociateAddress` / `ec2:DescribeAddresses` and `route53:ChangeResourceRecordSets` / `route53:ListHostedZonesByName` — `agentkeys-admin` is IAM-only by default, so attach a temporary inline policy or use a more privileged user for this one-off.
320
+
284
321
### Step 2 — Install the binaries
285
322
286
323
The repo doesn't yet ship a `cargo dist` release; build from source on the target arch and copy the resulting binaries:
0 commit comments