/tdex-box

Docker Compose for running TDex Daemon with TLS along with the TDex Feeder

Primary LanguageHCLMIT LicenseMIT

tdex-box

Docker Compose for running TDex Daemon in production environments

1. Clone

Clone this repository and enter in the folder

$ git clone https://github.com/TDex-network/tdex-box
$ cd tdex-box

2. Price feed

Edit feederd/config.json file if you wish. By default it defines a market with LBTC-USDt and uses Kraken as price feed.

3. Explorer

Export ENV variable for Esplora REST endpoint

# if left blank will default https://blockstream.info/liquid/api 
$ export EXPLORER=zzz

4. Operator interface

By default, the daemon service is configured to have authentication for the Operator interface on port 9000 with macaroon cookies.

Without Macaroons (insecure)

If you don't need to access tdexd from outside over the public internet, it's enough to uncomment this line to set TDEX_NO_MACAROONS=true env var of tdexd to disable it. If you do this, you are done and you can skip to the Run section. DO NOT OPEN THE OPERATOR GRPC PORT VIA FIREWALL/SECURITY GROUPS

With Macaroons & TLS self-signed

The TLS key and certificate are generated by tdexd at first startup. If you want to run the daemon on a remote machine with a static IP (and possibly a DNS name), you need to uncomment one or both TDEX_OPERATOR_EXTRA IP | TDEX_OPERATOR_EXTRA_DOMAIN env vars to let the daemon create the right certificate.

To let feederd to connect to tdexd to update prices, you'll need to change the default feederd/config.json file like follows:

  • change the hostname of the rpc_address and use the static IP or DNS name you passed to TDEX_OPERATOR_EXTRA IP or TDEX_OPERATOR_EXTRA_DOMAIN eg. my.domain.com:9000
  • uncomment the feederd's volumes section in the compose file to mount the macaroon and TLS certificate into feederd service
  • change the macaroons_path and tls_cert_path in the feederd/config.json respectively to /price.macaroon and /cert.pem.
  • Last but not least, don't forget to open the port where the Operator interface listens to (default 9000) and allow in-going and out-going traffic over it on your firewalle or security groups.

5. Trader interface

Expose the TDEX Trader interface with TLS or Onion to the TDEX Network

TLS via Certificate Authority

To enable TLS encryption with a Certificate Authority on the Trader interface of the daemon, you have to obtain a TLS certificate from a Certificate Authority (ie. Let's Encrypt or ZeroSSL). Once this is done, export the ENV variables with the absolute path of the files:

$ export SSL_CERT_PATH=/path/to/fullchain.pem
$ export SSL_KEY_PATH=/path/to/privatekey.pem

The last step is to uncomment in the compose file the lines to mount these paths as volumes of tdexd in the paths /trade.crt and /trade.key.

   volumes:
      #### TLS only ####
      - ${SSL_CERT_PATH}:/trade.crt
      - ${SSL_KEY_PATH}:/trade.key

Onion

Add this compose service at the bottom of the compose file (either docker-compose.yml)

  # Tor Onion Hidden service
  tor:
    container_name: "tor"
    image: goldy/tor-hidden-service:latest
    restart: unless-stopped
    depends_on:
      - tdexd
    environment:
      # Set version 3 on TDEX
      TDEX_TOR_SERVICE_HOSTS: "80:tdexd:9945"
      TDEX_TOR_SERVICE_VERSION: "3"
      TDEX_TOR_SERVICE_KEY: ${ONION_KEY}
    # Keep keys in volumes
    volumes:
      - ./tor:/var/lib/tor/hidden_service/

Export your Onion service V3 private key or leave it blank to create a new one

$ export ONION_KEY=base64_Onion_V3_Private_Key

Run

$ docker-compose up -d

Check the Logs

$ docker logs tdexd --tail 20
$ docker logs feederd --tail 20

Onion-only Check the onion endpoint

$ docker exec tor onions

Unlock Wallet on start-up

Daemon's wallet can be unlocked, once (re)started and initialized, by providing file path, that contains password, to the daemon through environment variable.

In the compose file you can find commented lines for enabling unlocking of wallet on start-up.

Unlocking on start-up is as easy as creating a file containing the same password used to init your daemon's wallet and exporting its path in the PWD_PATH variable, like for example:

$ echo "mypassword" > pwd.txt
$ export PWD_PATH=$(pwd)/pwd.txt

Then, uncomment in the compose file the command and the volume.

That's it. You just need to start up the container with the usual command:

$ docker-compose up -d tdexd

Or you can recreate it with:

$ docker-compose up -d --no-deps --force-recreate tdexd

Automatic Deployment to AWS

As part of automatic deployment we utilize terraform to deploy our services to the AWS EC2, with S3 backup. It is required from you to provide AWS keys, s3 bucket, region, ami id, SSH keys, Explorer URL, and your access IP.

For more information how to run it properly please checkout our blog post here

cd terabox && ./deploy.sh

Deploy