a guide to gateway server maintenance

this page will be a guide on how to get on-boarded as a maintainer of the gateway server

the hope is that by the end of the guide, you have successfully spun up a new gateway server, decommissioned the old one, and are feeling confident to help take care of the collective gateway server and/or run your own

before you get started, make sure to also get the secrets and credentials you need. message someone on signal who already has them, and they can send you a burn-after-reading pastebin containing the credentials you need

outline of steps

  1. create a new digital ocean droplet

    • you will need a digital ocean account (this is free)
    • you should do this as part of the gateway-coop digital ocean team (message someone already on the team, if you need to be added)
    • this can be a minimally-resourced digital ocean droplet, as cheap as possible
    • choose debian 12 as the operating system
    • choose new york as the location
  2. access the command line for this new droplet, and run the gateway server install script

    • git repo: https://codeberg.org/notplants/tunnel-gateway-server
      • from the terminal of the droplet, you can use the one-liner below to run the install script:
        • bash <(curl -fsSL https://codeberg.org/notplants/tunnel-gateway-server/raw/branch/main/setup.sh)
  3. manually copy over the tunnel conf data from the old gateway server to the new gateway in the correct location

    • in digital ocean, access the console of the old droplet. then run cat /etc/nginx/tunnel_map.conf. copy the output of this command and paste it into a new file on the new droplet via nano /etc/nginx/tunnel_map.conf
    • note: be careful on this step. you don't want to lose any data. (in the future: we could also consider using scp or some other way to automate this)
    • after copying this over, restart nginx, and make sure it's still happy:
    nginx -t
    systemctl reload nginx
    
  4. in digital ocean, modify the reserved IP address to point to the new gateway server, instead of the old
    • this is under the networking tab (on the left), under Reserved IPs, you can then click "reassign" and assign it to the new droplet
  5. test everything is still working (except for https)
    • visit some of the urls of the homeservers and confirm they still work. you can also check http://gateway.commoninternet.net/admin/ and see that this works without the certificate (note: if your browser automatically redirects to https here, this will cause an error; at this point only the http:// link will work)
  6. re-run the script, adding the --https flag (to get certificates for gateway.commoninternet.net):
    cd /srv/tunnel-gateway-server
    ./setup.sh --https
  7. test everything is still working, by additionally visiting https://gateway.commoninternet.net and seeing that it still works
  8. in digital ocean, destroy the old gateway server droplet

note: max will look into automating backups via git, so the destruction is less nerve-wracking
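
for step 3, one way to make the manual copy less risky, as an added example that is not part of the tunnel-gateway-server repo: compare a sha256 digest taken on the old droplet with the pasted file, keep a backup of whatever is already in place, and only leave the new file there if nginx -t passes. the function names, the staging path and the NGINX_TEST_CMD override are assumptions made for this example.

```shell
#!/usr/bin/env bash
# added example, not part of the tunnel-gateway-server repo.
# run on the NEW droplet after pasting the map into a staging file.
# get the expected digest on the OLD droplet with:
#   sha256sum /etc/nginx/tunnel_map.conf

# hypothetical override so the check can be exercised without nginx installed
NGINX_TEST_CMD="${NGINX_TEST_CMD:-nginx -t}"

# file_digest FILE -> prints the sha256 hex digest of FILE
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_tunnel_map EXPECTED_SHA256 STAGED_FILE DEST_FILE
# returns 0 on success, 2 on digest mismatch, 3 if the nginx config test
# fails (in which case the previous DEST_FILE is restored)
install_tunnel_map() {
    local expected="$1" staged="$2" dest="$3" backup=""

    if [ "$(file_digest "$staged")" != "$expected" ]; then
        echo "digest mismatch: paste is incomplete or altered, not installing" >&2
        return 2
    fi

    # keep a timestamped copy of whatever is currently in place
    if [ -e "$dest" ]; then
        backup="$dest.bak.$(date +%Y%m%d%H%M%S)"
        cp -p "$dest" "$backup"
    fi

    # copy next to the destination, then rename, so nginx never reads a half-written file
    cp "$staged" "$dest.new" && mv "$dest.new" "$dest"

    if ! $NGINX_TEST_CMD; then
        echo "nginx config test failed, rolling back" >&2
        if [ -n "$backup" ]; then cp -p "$backup" "$dest"; else rm -f "$dest"; fi
        return 3
    fi
    echo "installed $dest (sha256 $expected); now run: systemctl reload nginx"
}

# usage on the new droplet (staging path is an example; digest comes from the old droplet):
#   install_tunnel_map <sha256-from-old-droplet> /root/tunnel_map.conf.staged /etc/nginx/tunnel_map.conf
```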