Phantom-WG Modern — Setup Guide
=================================

Prerequisites:

  - Docker Engine 20.10+
  - Docker Compose v2
  - bash
  - git (required for update mechanism and compose lock)

Directory Structure:

  phantom-wg/
  ├── Dockerfile                   Daemon image (multi-stage build)
  ├── docker-compose.yml           Production stack (3 services)
  ├── .env.daemon.example          Daemon environment template
  ├── .env.auth-service.example    Auth service environment template
  ├── requirements.txt             Python dependencies (pinned, hashed)
  ├── SETUP                        This file
  ├── UPDATE                       Update and maintenance guide
  ├── LICENSE                      AGPL-3.0
  ├── THIRD_PARTY_LICENSES         Dependency licenses
  ├── phantom_daemon/              Daemon source
  ├── services/
  │   ├── auth-service/            Authentication service
  │   ├── nginx/                   TLS reverse proxy config
  │   └── react-spa/dist/          Web dashboard (pre-built)
  └── tools/
      ├── prod.sh                  Production CLI
      ├── prod.vars                Environment variables
      └── lib/                     Shell libraries

Quick Start:

  1. Setup (first time only):

       ./tools/prod.sh setup

     This generates:
       - .env.daemon from .env.daemon.example (if not exists)
       - .env.auth-service from .env.auth-service.example (if not exists)
       - WireGuard server keypair
       - Auth service keypair + admin account + database
       - Self-signed TLS certificate

     Credentials are written to:
       container-data/secrets/production/
       container-data/secrets/production/.admin_password

  2. Configure endpoints:

     Edit .env.daemon and set your server's public IP:

       WIREGUARD_ENDPOINT_V4=203.0.113.1
       WIREGUARD_ENDPOINT_V6=2001:db8::1    (optional)

  3. Start:

       ./tools/prod.sh up

  4. Access:

       Dashboard:  https://<server-ip>
       WireGuard:  UDP port 51820

Environment Files:

  .env.daemon          Daemon configuration (WireGuard, storage)
  .env.auth-service    Auth service configuration (JWT, rate limiting)

  These files are created from .example templates during setup.
  They are NOT tracked by git — safe for user-specific values.
  Edit them to customize ports, timeouts, or any service parameter.

Commands:

  ./tools/prod.sh help                Show all commands
  ./tools/prod.sh setup               Full setup (env + keys + auth + TLS)
  ./tools/prod.sh up                  Start stack (builds images on first run)
  ./tools/prod.sh down                Stop stack
  ./tools/prod.sh restart             Restart all services
  ./tools/prod.sh build               Build images
  ./tools/prod.sh rebuild             Rebuild images from scratch (no-cache)
  ./tools/prod.sh update              Pull latest + restart
  ./tools/prod.sh show-versions       Show daemon + bridge versions
  ./tools/prod.sh logs                Follow logs
  ./tools/prod.sh status              Container status
  ./tools/prod.sh shell [service]     Open shell (default: daemon)
  ./tools/prod.sh exec <svc> <cmd>    Execute command in service
  ./tools/prod.sh certbot <domain>    Obtain Let's Encrypt TLS certificate
  ./tools/prod.sh hard-reset          Wipe ALL data (destructive)

Compose Lock:

  ./tools/prod.sh compose lock        Preserve local docker-compose.yml on update
  ./tools/prod.sh compose unlock      Release lock to pull upstream changes
  ./tools/prod.sh compose status      Show current lock state

Ports:

  443/tcp      HTTPS (nginx → auth-service → daemon)
  51820/udp    WireGuard

Data Directories (created at runtime):

  container-data/
  ├── secrets/production/    Keys and certificates
  ├── db/                    Client and peer databases
  ├── state/db/              Runtime state (bridges)
  └── auth-db/               Authentication database

TLS Certificate:

  Default is self-signed. To use your own certificate,
  replace the files before starting the stack:

    container-data/secrets/production/tls_cert
    container-data/secrets/production/tls_key

  Let's Encrypt (optional):

    ./tools/prod.sh certbot <domain>
    ./tools/prod.sh restart nginx

Updating:

  See the UPDATE file for the full update and maintenance guide.

  Quick reference:

    ./tools/prod.sh update

  If you have local docker-compose.yml changes, lock them first:

    ./tools/prod.sh compose lock
    ./tools/prod.sh update
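
Added example (not part of the Phantom-WG repository): a post-setup check built on the paths and variable names in this guide. It lists files under container-data/secrets/production/ that group or others can access, and WIREGUARD_ENDPOINT_* values in .env.daemon that still hold a documentation-range address such as the ones shown in Quick Start step 2. The function names and the choice of checks are assumptions of this example, not behaviour of prod.sh.

```sh
#!/bin/sh
# Added example, not part of Phantom-WG. Paths and variable names come from
# the SETUP guide; function names and what counts as a finding are assumptions.

# Print secret files that group or others can access (tls_cert is public: skipped).
loose_secret_files() (
    dir="$1/container-data/secrets/production"
    [ -d "$dir" ] || exit 0
    find "$dir" -type f ! -name tls_cert \( -perm -040 -o -perm -020 \
        -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 \) -print
)

# Succeed if the address is documentation-only: RFC 5737 (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24) or RFC 3849 (2001:db8::/32).
is_doc_address() {
    case "$1" in
        192.0.2.*|198.51.100.*|203.0.113.*) return 0 ;;
        2001:[dD][bB]8:*|2001:0[dD][bB]8:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print WIREGUARD_ENDPOINT_V4/V6 settings in .env.daemon that still hold one.
placeholder_endpoints() (
    env_file="$1/.env.daemon"
    [ -f "$env_file" ] || exit 0
    # Emit "KEY value", cutting the value at the first whitespace or '#'.
    sed -n 's/^\(WIREGUARD_ENDPOINT_V[46]\)=\([^#[:space:]]*\).*/\1 \2/p' "$env_file" |
    while read -r key val; do
        if is_doc_address "$val"; then printf '%s=%s\n' "$key" "$val"; fi
    done
)

# Run both checks on a checkout (default: current directory); status 0 = clean.
audit_phantom_wg() (
    root="${1:-.}"
    loose=$(loose_secret_files "$root")
    stale=$(placeholder_endpoints "$root")
    [ -z "$loose" ] || printf '%s\n' "$loose" | sed 's/^/group\/other access: /'
    [ -z "$stale" ] || printf '%s\n' "$stale" | sed 's/^/placeholder endpoint: /'
    [ -z "$loose$stale" ]
)
```

Source the file and run `audit_phantom_wg /path/to/phantom-wg` after `./tools/prod.sh setup` and the endpoint edit, before `./tools/prod.sh up`.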