add chirpstack prerequisites; add verbosity; use caddy

2023-11-25 14:07:07 -05:00 · 2023-11-25 14:07:07 -05:00 · 2b3cd1843e
commit 2b3cd1843e
parent 1c1e22d885
3 changed files with 116 additions and 42 deletions
--- a/doc/0-chirpstack/0-prerequisites.md
+++ b/doc/0-chirpstack/0-prerequisites.md
@ -1 +1,16 @@
 # ChirpStack Server Prerequisites
+
+First, purchase a domain name. I use Gandi, and they are generally good enough for what I need.
+
+Next, rent a cloud compute instance with either Debian or Ubuntu as the OS. I use Vultr, but there are many providers available. You likely do not need a big instance; 1 vCPU with 1GB RAM and 25GB SSD is fine for starting out.
+
+Once you have the compute instance, find its public IP address from the hosting provider's interface, and create an A record for it in your DNS provider's interface. I own `roeber.dev` and created an A record for `chirpstack.roeber.dev`.
+
+On a Linux machine, you can confirm the DNS entry is set up by using the `host` command:
+
+```console
+jon@desktop:~$ host chirpstack.roeber.dev
+chirpstack.roeber.dev has address 140.82.24.228
+```
+
+Use SSH to connect to your cloud instance according to your hosting provider's instructions. Once you have connected, you are ready to start installing ChirpStack.
--- a/doc/0-chirpstack/1-chirpstack.md
+++ b/doc/0-chirpstack/1-chirpstack.md
@ -1,10 +1,38 @@
-# ChirpStack
+# ChirpStack Server Install

-Reference install instructions: <https://www.chirpstack.io/docs/getting-started/debian-ubuntu.html>
+If you prefer, you can use the [official guide](https://www.chirpstack.io/docs/getting-started/debian-ubuntu.html) as a cross-reference. Differences between the official guide and this one:

-Additional instructions/tips not on the official site:
+- This guide does not cover ChirpStack Gateway Bridge setup; it is covered later in the series.
+- This guide uses a newer method to install the ChirpStack GPG key.
+- This guide secures the ChirpStack installation with TLS via the Caddy web server.

-To install the ChirpStack GPG key, use this instead of what's on the ChirpStack documentation page:
+## Prerequisite Services
+
+ChirpStack requires PostgreSQL, Redis, and an MQTT broker (we will use Mosquitto). Install these prerequisites:
+
+```sh
+sudo apt install \
+  mosquitto \
+  mosquitto-clients \
+  redis-server \
+  redis-tools \
+  postgresql
+```
+
+Next, run this command to set up PostgreSQL (use a different password for security):
+
+```sh
+sudo -iu postgres psql <<EOF
+create role chirpstack with login password 'CHANGE_ME_PLEASE';
+create database chirpstack with owner chirpstack;
+\c chirpstack
+create extension pg_trgm;
+EOF
+```
+
+## ChirpStack
+
+Install the ChirpStack GPG key:

 ```sh
 # https://superuser.com/a/1773782
@ -13,57 +41,87 @@ gpg --export 1CE2AFD36DBCCA00 | sudo tee /etc/apt/trusted.gpg.d/chirpstack.gpg >
 gpg --batch --yes --delete-keys 1CE2AFD36DBCCA00
 ```

-Don't install the `chirpstack-gateway-bridge` here; just do `chirpstack`.
+This may take several seconds to finish.

-Edit `/etc/chirpstack/chirpstack.toml` as needed (specifically the PostgreSQL config). Add the missing US regions.
+Install ChirpStack:

-## Nginx + TLS setup
+```sh
+sudo apt update && sudo apt install -y chirpstack
+```

-Install Lego
+Edit `/etc/chirpstack/chirpstack.toml` as needed to add the PostgreSQL config, US regions, and API secret. Also, change the API bind address to only listen locally. The relevant lines are included here:

-Get certificate (using DNS-01 + ACME-DNS)
+```toml
+[postgresql]
+  dsn="postgres://chirpstack:YOUR_PG_PASSWORD@localhost/chirpstack?sslmode=disable"

-Setup certificate for autorenewal and auto-reload Nginx
+[network]
+  enabled_regions=[
+    "us915_0",
+    "us915_1",
+    "us915_2",
+    "us915_3",
+    "us915_4",
+    "us915_5",
+    "us915_6",
+    "us915_7"
+  ]

-Set Nginx config to have two files:
+[api]
+  bind="127.0.0.1:8080"
+  secret="SOME_SECRET_VALUE_DONT_OVERTHINK_IT_BUT_ALSO_DONT_UNDERTHINK_IT"
+```

-`default`:
+Replace `YOUR_PG_PASSWORD` with whatever password you chose in the PostgreSQL step.

-```nginx
-server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
+The API binding is changed from `0.0.0.0:8080` to `127.0.0.1:8080` to prevent the API from being exposed on port 8080 on the public IP address assigned to your instance. You will use a secure reverse proxy to reach it from the outside world instead.

-    server_name _;
+The API secret just needs to be some random value; you won't use it anywhere else.

-    return 301 https://$host$request_uri;
+Finally, enable the ChirpStack service ("enable" means it will start at boot time), and ensure it is started right now with `--now`. Then verify that is it active:
+
+```sh
+sudo systemctl enable --now chirpstack
+sudo systemctl status chirpstack # you should see "active (running)"
+```
+
+Chirpstack is installed, and its web interface is running locally on port 8080. You should **not** be able to reach it from your web browser at `http://your.site.name:8080` (test to make sure).
+
+## Caddy
+
+You need to make the ChirpStack web interface accessible over the internet. To do that, you will install the Caddy web server, set it to listen on ports 80 and 443, and proxy incoming traffic to the ChirpStack API (which is only listening on the local machine at port 8080).
+
+First, you may need to allow traffic to ports 80 and 443 if your cloud provider's image includes Uncomplicated Firewall (`ufw`) by default:
+
+```sh
+sudo ufw allow http
+sudo ufw allow https
+```
+
+Next, add the Caddy repository and install Caddy (cross-reference the [official instructions](https://caddyserver.com/docs/install#debian-ubuntu-raspbian)):
+
+```sh
+sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
+sudo apt update
+sudo apt install caddy
+```
+
+Caddy is now running. Modify `/etc/caddy/Caddyfile` to have the following:
+
+```caddy
+your.site.name {
+    reverse_proxy :8080
 }
 ```

-`chirpstack`:
+Reload Caddy:

-```nginx
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-
-    ssl_protocols TLSv1.2 TLSv1.3;
-    
-    ssl_certificate /var/www-certs/chirpstack.roeber.dev.crt;
-    ssl_certificate_key /var/www-certs/chirpstack.roeber.dev.key;
-
-    server_name chirpstack.roeber.dev;
-
-    server_tokens off; # disable banner
-
-    location / {
-        proxy_pass http://localhost:8080;
-    }
-}
+```sh
+sudo systemctl reload caddy
 ```

-Symlink `chirpstack` to be active: `sudo ln -s /etc/nginx/sites-available/chirpstack /etc/nginx/sites-enabled/chirpstack`
+Wait a few minutes, then go to `https://your.site.name/` in your browser. Notice that you are connected securely and that a certificate from ZeroSSL or Let's Encrypt was issued; Caddy automatically handles TLS certificate issuance and renewals for you.

-Reload Nginx: `sudo systemctl reload nginx`
-
-(Optional) Run [`testssl.sh`](https://github.com/drwetter/testssl.sh/) to verify security: clone, then `./testssl.sh chirpstack.roeber.dev`
+(Optional) Run [`testssl.sh`](https://github.com/drwetter/testssl.sh/) to verify security: clone, then `./testssl.sh your.site.name`
--- a/doc/0-overview.md
+++ b/doc/0-overview.md
@ -51,7 +51,7 @@ flowchart TD

 ## Necessary Experience

-Experience with the following is not required but will come in handy:
+Experience with the following is recommended but not required if you are able to learn on your own:

 - LoRaWAN
 - Debian/Ubuntu-flavored Linux
@ -71,6 +71,7 @@ Experience with the following is not required but will come in handy:
 - Computer networking
  - Purchasing a domain name
  - Renting compute from a cloud vendor
+  - Secure shell (SSH)
  - Nginx reverse proxy
  - TLS certificate generation
    - Let's Encrypt