v1.1.0

Merge pull request #49 from balena-io/48-s3-credential-changes
s3: Update to latest version with credentials
2025-06-24 18:25:16 +00:00 · 2019-05-07 14:38:17 +03:00 · 2019-05-07 12:36:26 +01:00 · 2019-05-07 11:18:48 +01:00 · 2019-04-18 15:30:38 +03:00 · 2019-04-18 15:28:19 +03:00
29 changed files with 796 additions and 173 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -0,0 +1,2 @@
+# Main repo owners:
+*       @dfunckt @richbayliss
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,4 @@
 .vagrant/
 config/
 src/
+package-lock.json
--- a/.openbalenarc
+++ b/.openbalenarc
@ -0,0 +1,50 @@
+#!/bin/bash
+
+alias dc="/home/vagrant/openbalena/scripts/compose"
+
+function enter () {
+	if [[ $# -lt 1 ]]; then			
+		echo "Usage: enter <service name> [command]"
+		echo "  "
+		echo "  Runs a [command] in the service specified."
+		echo "  "
+		echo "  command:"
+		echo "    (default) /bin/bash"
+		echo "  "
+		echo "  example:"
+		echo "    enter api          # this will run the command '/bin/bash' in the API service, providing a shell prompt"
+		echo "    enter api uptime   # this will run the command 'uptime' in the API service, and return"
+		return 1
+	fi
+
+
+	service="$1"
+	shift
+	COMMAND=/bin/bash
+	if [[ $# -gt 0 ]]; then
+		COMMAND="$@"
+	fi
+	dc exec ${service} /bin/bash -c "${COMMAND}"
+}
+
+function logs () {
+	if [[ $# -lt 1 ]]; then			
+		echo "Usage: logs <service name> [options]"
+		echo "  "
+		echo "  Shows the logs from journalctl in the service specified."
+		echo "  "
+		echo "  options:"
+		echo "    -f  tail the log stream"
+		echo "    -n  number of lines to take"
+		echo "  "
+		echo "  example:"
+		echo "    logs api -fn100 # this will tail the API log, starting with the last 100 lines"
+		return 1
+	fi
+
+	service="$1"
+	shift
+	enter ${service} journalctl "$@"
+}
+
+cd /home/vagrant/openbalena
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,18 +4,100 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).

-## v0.0.4 - 2018-11-02
+# v1.1.0
+## (2019-05-07)
+
+* s3: Update to latest version with credentials [Heds Simons]
+
+# v1.0.2
+## (2019-04-17)
+
+* scripts: Handle missing coreutils on Mac [Roman Mazur]
+
+# v1.0.1
+## (2019-03-20)
+
+* vpn: Remove BALENA_ROOT_CA from the VPN trust chain [Rich Bayliss]
+
+# v1.0.0
+## (2019-03-15)
+
+* tags: Pin the image tags for the service stack [Rich Bayliss]
+
+# v0.2.2
+## (2019-03-08)
+
+* codeowners: Add CODEOWNERS file [Rich Bayliss]
+
+# v0.2.1
+## (2019-03-08)
+
+* certs: Add support for an ACME certificate provider [Rich Bayliss]
+
+# v0.2.0
+## (2019-01-25)
+
+* Do not publish DB and Redis ports to the host [Akis Kesoglou]
+
+# v0.1.4
+## (2019-01-10)
+
+* vagrant: Add missing Node dependency [Rich Bayliss]
+
+# v0.1.3
+## (2019-01-10)
+
+* vagrant: Improve the Vagrant file to make development easier [Rich Bayliss]
+
+# v0.1.2
+## (2018-12-20)
+
+* init: Make scripts macOS compatible [Rich Bayliss]
+
+# v0.1.1
+## (2018-12-17)
+
+* Ignore package-lock.json [Akis Kesoglou]
+* Print the proper path to root CA cert [Akis Kesoglou]
+
+# v0.1.0
+## (2018-11-20)
+
+* vagrant: Change into open-balena directory automatically [Will Boyce]
+* api: Pass full VPN CA chain to `os-config` [Will Boyce]
+* haproxy: Proxy port 3128 to vpn service [Will Boyce]
+
+# v0.0.7
+## (2018-11-14)
+
+* Update README [Akis Kesoglou]
+
+# v0.0.6
+## (2018-11-10)
+
+* fix changelog.md [Giovanni Garufi]
+
+# v0.0.5
+## (2018-11-07)
+
+* env: Pass superuser credentials in the environment [Rich Bayliss]
+
+# v0.0.4
+## (2018-11-02)

 * Automatically detect the correct NodeJS binary [Akis Kesoglou]

-## v0.0.3 - 2018-11-02
+# v0.0.3
+## (2018-11-02)

 * Forward VPN config to the API container [Akis Kesoglou]

-## v0.0.2 - 2018-11-01
+# v0.0.2
+## (2018-11-01)

 * Add support for automatic versioning [Akis Kesoglou]

-## v0.0.1 - 2018-02-20
+# v0.0.1
+## (2018-02-20)

 * Initial commit
--- a/README.md
+++ b/README.md
@ -1,64 +1,113 @@
+<img alt="openBalena" src="docs/assets/openbalena-logo.svg" height="82">

-## Host requirements
+---

- Docker >= 18.05.0
- Docker Compose >= 1.11
- OpenSSL >= 1.0.0
- Python >= 2.7 or >=3.4
- NodeJS >= 4.0
+OpenBalena is a platform to deploy and manage connected devices. Devices run
+[balenaOS][balena-os-website], a host operating system designed for running
+containers on IoT devices, and are managed via the [balena CLI][balena-cli],
+which you can use to configure your application containers, push updates, check
+status, view logs, and so forth. OpenBalena’s backend services, composed of
+battle-tested components that we’ve run in production on [balenaCloud][balena-cloud-website]
+for years, can store device information securely and reliably, allow remote
+management via a built-in VPN service, and efficiently distribute container
+images to your devices.

-## Installation
+To learn more about openBalena, visit [balena.io/open][open-balena-website].

-Make sure you have the software listed above installed.

-In a terminal, clone the project with:
+## Features

-    $ git clone https://github.com/balena-io/open-balena.git
+- **Simple provisioning**: Adding devices to your fleet is a breeze
+- **Easy updates**: Remotely update the software on your devices with a single command
+- **Container-based**: Benefit from the power of virtualization, optimized for the edge
+- **Scalable**: Deploy and manage one device, or one million
+- **Powerful API & SDK**: Extend openBalena to fit your needs
+- **Built-in VPN**: Access your devices regardless of their network environment

-Change into the `open-balena` directory and run the configuration script.
-This will create a new directory, `config`, and generate appropriate SSL
-certificates and configuration for the instance.

-    $ ./scripts/quickstart
+## Roadmap

-You may optionally configure the instance to run under a custom domain name.
-The default is `openbalena.local`. For example:
+OpenBalena is currently in beta. While fully functional, it lacks features we
+consider important before we can comfortably call it production-ready. During
+this phase, don’t be alarmed if things don’t work as expected just yet (and
+please let us know about any bugs or errors you encounter!). The following
+improvements and new functionality is planned:

-    $ ./scripts/quickstart -d mydomain.com
+- Full documentation
+- Full test suite
+- Simplified deployment
+- Remote host OS updates
+- Support for custom device types

-For more available options, see the script's help:

-    $ ./scripts/quickstart -h
+## Contributing

-Start the instance with:
+Everyone is welcome to contribute to openBalena. There are many different ways
+to get involved apart from submitting pull requests, including helping other
+users on the [forums][forums], reporting or triaging [issues][issue-tracker],
+reviewing and discussing [pull requests][pulls], or just spreading the word.

-    $ ./scripts/compose up -d
+All of openBalena is hosted on GitHub. Apart from its constituent components,
+which are the [API][open-balena-api], [VPN][open-balena-vpn], [Registry][open-balena-registry],
+[S3 storage service][open-balena-s3], and [Database][open-balena-db], contributions
+are also welcome to its client-side software such as the [balena CLI][balena-cli],
+the [balena SDK][balena-sdk], [balenaOS][balena-os] and [balenaEngine][balena-engine].

-Stop the instance with:

-    $ ./scripts/compose stop
+## Getting Started

-To remove all traces of the instance, run the following commands and finally
-delete the configuration folder.
+Our [Getting Started][getting-started] guide is the most direct path to getting
+an openBalena installation up and running and successfully deploying your
+application to your device(s).

-**WARNING**: This will remove *all* data.

-    $ ./scripts/compose kill
-    $ ./scripts/compose down
-    $ docker volume rm openbalena_s3 openbalena_redis openbalena_db openbalena_registry
+## Documentation

-### macOS & Windows
+While we're still working on the project documentation, please refer to the
+[balenaCloud documentation][documentation]. BalenaCloud is built on top of
+openBalena, so the core concepts and functionality is identical. The following
+sections are of particular interest:

-On macOS and Windows you need Vagrant. `open-balena` is not being tested with
-docker-machine. `open-balena` comes with an appropriate `Vagrantfile` for
-setting up the VM, installing dependencies and starting the platform.
+- [Overview / A balena primer](https://balena.io/docs/learn/welcome/primer)
+- [Overview / Core Concepts](https://balena.io/docs/learn/welcome/concepts)
+- [Overview / Going to production](https://balena.io/docs/learn/welcome/production-plan)
+- [Develop / Define a container](https://balena.io/docs/learn/develop/dockerfile)
+- [Develop / Multiple containers](https://balena.io/docs/learn/develop/multicontainer)
+- [Develop / Runtime](https://balena.io/docs/learn/develop/runtime)
+- [Develop / Interact with hardware](https://balena.io/docs/learn/develop/hardware)
+- [Deploy / Optimize your builds](https://balena.io/docs/learn/deploy/build-optimization)
+- [Reference](https://balena.io/docs/reference)
+- [FAQ](https://balena.io/docs/faq/troubleshooting/faq)

- Install Vagrant >= 2.0
- `$ vagrant plugin install vagrant-docker-compose`
- `$ vagrant up`

-When provisioning completes and the VM has started, `open-balena` services
-should be running inside the VM. You will need to expose these services to
-the outside in order for them to be reachable by devices. To do so, you must
-setup DNS for the domain name you've deployed the instance as to point to the
-VM's IP address.
+## Getting Help
+
+You are welcome to submit any questions, participate in discussions and request
+help with any issue in [openBalena forums][forums]. The balena team frequents
+these forums and will be happy to help. You can also ask other community members
+for help, or contribute by answering questions posted by fellow openBalena users.
+Please do not use the issue tracker for support-related questions.
+
+
+## License
+
+OpenBalena is licensed under the terms of AGPL v3. See [LICENSE](LICENSE) for details.
+
+
+[balena-cli]: https://github.com/balena-io/balena-cli
+[balena-cloud-website]: https://balena.io/cloud
+[balena-engine]: https://github.com/balena-os/balena-engine
+[balena-os-website]: https://balena.io/os
+[balena-os]: https://github.com/balena-os/meta-balena
+[balena-sdk]: https://github.com/balena-io/balena-sdk
+[documentation]: https://balena.io/docs/learn/welcome/introduction/
+[forums]: https://forums.balena.io/c/open-balena
+[getting-started]: https://balena.io/open/docs/getting-started
+[issue-tracker]: https://github.com/balena-io/open-balena/issues
+[open-balena-api]: https://github.com/balena-io/open-balena-api
+[open-balena-db]: https://github.com/balena-io/open-balena-db
+[open-balena-registry]: https://github.com/balena-io/open-balena-registry
+[open-balena-s3]: https://github.com/balena-io/open-balena-s3
+[open-balena-vpn]: https://github.com/balena-io/open-balena-vpn
+[open-balena-website]: https://balena.io/open
+[pulls]: https://github.com/balena-io/open-balena/pulls
--- a/2
+++ b/2
@ -1 +1 @@
-0.0.4
+1.1.0
--- a/26
+++ b/26
@ -7,22 +7,30 @@ Vagrant.require_version '>= 2.0.0'
 end

 Vagrant.configure('2') do |config|
-  config.vm.define 'openbalenavm'
-  config.vm.box = 'bento/ubuntu-16.04'
-  config.vm.box_url = 'https://vagrantcloud.com/bento/boxes/ubuntu-16.04/versions/201808.24.0/providers/virtualbox.box'
+  config.vm.define 'openbalena'
+  config.vm.hostname = 'openbalena-vagrant'
+  config.vm.box = 'bento/ubuntu-18.04'
+
+  config.vm.network "public_network",
+    use_dhcp_assigned_default_route: true

  config.vm.synced_folder '.', '/vagrant', disabled: true
-  config.vm.synced_folder '.', '/home/vagrant/open-balena'
-  config.vm.network 'public_network', bridge: ENV.fetch('OPENBALENA_BRIDGE', '')
+  config.vm.synced_folder '.', '/home/vagrant/openbalena'

  config.ssh.forward_agent = true

  config.vm.provision :docker
  config.vm.provision :docker_compose

-  # FIXME: remove node
-  config.vm.provision :shell, inline: 'apt-get update && apt-get install -y nodejs && rm -rf /var/lib/apt/lists/*'
+  $provision = <<-SCRIPT
+    touch /home/vagrant/.bashrc
+    grep -Fxq 'source /home/vagrant/openbalena/.openbalenarc' /home/vagrant/.bashrc || echo 'source /home/vagrant/openbalena/.openbalenarc' >> /home/vagrant/.bashrc
+
+    curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.34.0/install.sh | bash
+    source "/home/vagrant/.nvm/nvm.sh" # This loads nvm
+    nvm install 10.15.0 && nvm use 10.15.0
+  SCRIPT
+
+  config.vm.provision :shell, privileged: false, inline: $provision

-  config.vm.provision :shell, privileged: false,
-    inline: "cd /home/vagrant/open-balena && ./scripts/quickstart -p -d #{ENV.fetch('OPENBALENA_DOMAIN', 'openbalena.local')}"
 end
--- a/cert-provider/Dockerfile
+++ b/cert-provider/Dockerfile
@ -0,0 +1,20 @@
+FROM alpine
+
+EXPOSE 80
+WORKDIR /usr/src/app
+VOLUME [ "/usr/src/app/certs" ]
+
+RUN apk add --update bash curl git openssl ncurses socat
+
+RUN git clone https://github.com/Neilpang/acme.sh.git && \
+    cd acme.sh && \
+    git checkout 08357e3cb0d80c84bdaf3e42ce0e439665387f57 . && \
+    ./acme.sh --install  \
+    --cert-home /usr/src/app/certs
+
+COPY entry.sh /entry.sh
+COPY cert-provider.sh ./cert-provider.sh
+COPY fake-le-bundle.pem ./
+
+ENTRYPOINT [ "/entry.sh" ]
+CMD [ "/usr/src/app/cert-provider.sh" ]
--- a/cert-provider/cert-provider.sh
+++ b/cert-provider/cert-provider.sh
@ -0,0 +1,181 @@
+#!/bin/bash
+
+# the acme.sh client script, installed via Git in the Dockerfile...
+ACME_BIN="$(realpath ~/.acme.sh/acme.sh)"
+
+# the path to a bundle of certs to verify a LetsEncrypt staging certificate until Apr 2036...
+ACME_STAGING_CA="/usr/src/app/fake-le-bundle.pem"
+
+# the path to a file which stores the last successful mode of certificate we acquired...
+ACME_MODE_FILE="/usr/src/app/certs/last_run_mode"
+
+# colour output helpers...
+reset=$(tput -T xterm sgr0)
+red=$(tput -T xterm setaf 1)
+green=$(tput -T xterm setaf 2)
+yellow=$(tput -T xterm setaf 3)
+blue=$(tput -T xterm setaf 4)
+
+logError() {
+    echo "${red}[Error]${reset} $1"
+}
+
+logWarn() {
+    echo "${yellow}[Warn]${reset} $1"
+}
+
+logInfo() {
+    echo "${blue}[Info]${reset} $1"
+}
+
+logSuccess() {
+    echo "${green}[Success]${reset} $1"
+}
+
+logErrorAndStop() {
+    logError "$1 [Stopping]"
+    while true; do
+        # do nothing forever...
+        sleep 60
+    done
+}
+
+retryWithDelay() {
+    RETRIES=${2:-3}
+    DELAY=${3:-5}
+
+    local ATTEMPT=0
+    while [ $RETRIES -gt $ATTEMPT ]; do
+        let "ATTEMPT++"
+        if $1; then
+            return $?
+        fi
+
+        echo "($ATTEMPT/$RETRIES) Retrying in ${DELAY} seconds..."
+        sleep $DELAY
+    done
+
+    return 1
+}
+
+waitForOnline() {
+    ADDRESS="${1,,}"
+
+    logInfo "Waiting for ${ADDRESS} to be available via HTTP..."
+    retryWithDelay "curl --output /dev/null --silent --head --fail http://${ADDRESS}" 6 5
+}
+
+isUsingStagingCert() {
+    HOST="${1,,}"
+    echo "" | openssl s_client -host "$HOST" -port 443 -showcerts 2>/dev/null | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' | openssl verify -CAfile "$ACME_STAGING_CA" > /dev/null 2>&1
+}
+
+pre-flight() {
+    case "$ACTIVE" in
+        "true"|"yes")
+            ;;
+        *)
+            logError "ACTIVE variable is not enabled. Value should be \"true\" or \"yes\" to continue."
+            return 1
+            ;;
+    esac
+
+    if [ -z "$DOMAINS" ]; then
+        logError "DOMAINS must be set. Value should be a comma-delimited string of domains."
+        return 1
+    else
+        IFS=, read -r -a ACME_DOMAINS <<< "$DOMAINS"
+        IFS=' ' read -r -a ACME_DOMAIN_ARGS <<< "${ACME_DOMAINS[@]/#/-d }"
+    fi
+
+    if [ -z "$VALIDATION" ]; then
+        logInfo "VALIDATION not set. Using default: http-01"
+        VALIDATION="http-01"
+    else
+        case "$VALIDATION" in
+            "http-01")
+                logInfo "Using validation method: $VALIDATION"
+                ;;
+            *)
+                logError "VALIDATION is invalid. Use a valid value: http-01"
+                return 1
+                ;;
+        esac
+    fi
+
+    if [ -z "$OUTPUT_PEM" ]; then
+        logError "OUTPUT_PEM must be set. Value should be the path to install your certificate to."
+        return 1
+    fi
+}
+
+waitToSeeStagingCert() {
+    logInfo "Waiting for ${ACME_DOMAINS[0]} to use a staging certificate..."
+    retryWithDelay "isUsingStagingCert ${ACME_DOMAINS[0]}" 3 5
+}
+
+lastAcquiredCertFor() {
+    ACME_MODE="${1:-none}"
+    ACME_LAST_MODE="$(cat $ACME_MODE_FILE || echo '')"
+    logInfo "Last acquired certificate for ${ACME_LAST_MODE^^}"
+    [ "${ACME_LAST_MODE,,}" == "${ACME_MODE,,}" ]
+}
+
+acquireCertificate() {
+    ACME_MODE="${1:-staging}"
+    ACME_FORCE="${2:-false}"
+    ACME_OPTS=()
+
+    if [ "${ACME_FORCE,,}" == "true" ];then ACME_OPTS+=("--force"); fi
+    case "$ACME_MODE" in
+        "production")
+            logInfo "Using PRODUCTION mode"
+            ;;
+        *)
+            logInfo "Using STAGING mode"
+            ACME_OPTS+=("--staging")
+            ;;
+    esac
+
+    case "$VALIDATION" in
+        "http-01")
+            ACME_OPTS+=("--standalone")
+            ;;
+        *)
+            logError "VALIDATION is invalid. Use a valid value: http-01"
+            return 1
+            ;;
+    esac
+
+    if ! waitForOnline "${ACME_DOMAINS[0]}"; then
+        logError "Unable to access site over HTTP"
+        return 1
+    fi
+
+    logInfo "Issuing certificates..."
+    "$ACME_BIN" --issue "${ACME_OPTS[@]}" "${ACME_DOMAIN_ARGS[@]}"
+
+    logInfo "Installing certificates..." && \
+    "$ACME_BIN" --install-cert "${ACME_DOMAIN_ARGS[@]}" \
+    --cert-file      /tmp/cert.pem  \
+    --key-file       /tmp/key.pem  \
+    --fullchain-file /tmp/fullchain.pem \
+    --reloadcmd     "cat /tmp/fullchain.pem /tmp/key.pem > $OUTPUT_PEM" && \
+
+    echo "${ACME_MODE}" > "${ACME_MODE_FILE}"
+}
+
+pre-flight || logErrorAndStop "Unable to continue due to misconfiguration. See errors above."
+
+waitForOnline "${ACME_DOMAINS[0]}" || logErrorAndStop "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation."
+
+if ! lastAcquiredCertFor "production"; then
+    acquireCertificate "staging" || logErrorAndStop "Unable to acquire a staging certificate."
+    waitToSeeStagingCert || logErrorAndStop "Unable to detect certificate change over. Cannot issue a production certificate."
+    acquireCertificate "production" "true" || logErrorAndStop "Unable to acquire a production certificate."
+fi
+
+logSuccess "Done!"
+
+logInfo "Running cron..."
+crond -f -d 7
--- a/cert-provider/entry.sh
+++ b/cert-provider/entry.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec "$@"
--- a/cert-provider/fake-le-bundle.pem
+++ b/cert-provider/fake-le-bundle.pem
@ -0,0 +1,56 @@
+-----BEGIN CERTIFICATE-----
+MIIFATCCAumgAwIBAgIRAKc9ZKBASymy5TLOEp57N98wDQYJKoZIhvcNAQELBQAw
+GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDMyMzIyNTM0NloXDTM2
+MDMyMzIyNTM0NlowGjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+pYHvQw5iU3v2b3iNuYNKYgsWD6KU7aJ
+diddtZQxSWYzUI3U0I1UsRPTxnhTifs/M9NW4ZlV13ZfB7APwC8oqKOIiwo7IwlP
+xg0VKgyz+kT8RJfYr66PPIYP0fpTeu42LpMJ+CKo9sbpgVNDZN2z/qiXrRNX/VtG
+TkPV7a44fZ5bHHVruAxvDnylpQxJobtCBWlJSsbIRGFHMc2z88eUz9NmIOWUKGGj
+EmP76x8OfRHpIpuxRSCjn0+i9+hR2siIOpcMOGd+40uVJxbRRP5ZXnUFa2fF5FWd
+O0u0RPI8HON0ovhrwPJY+4eWKkQzyC611oLPYGQ4EbifRsTsCxUZqyUuStGyp8oa
+aoSKfF6X0+KzGgwwnrjRTUpIl19A92KR0Noo6h622OX+4sZiO/JQdkuX5w/HupK0
+A0M0WSMCvU6GOhjGotmh2VTEJwHHY4+TUk0iQYRtv1crONklyZoAQPD76hCrC8Cr
+IbgsZLfTMC8TWUoMbyUDgvgYkHKMoPm0VGVVuwpRKJxv7+2wXO+pivrrUl2Q9fPe
+Kk055nJLMV9yPUdig8othUKrRfSxli946AEV1eEOhxddfEwBE3Lt2xn0hhiIedbb
+Ftf/5kEWFZkXyUmMJK8Ra76Kus2ABueUVEcZ48hrRr1Hf1N9n59VbTUaXgeiZA50
+qXf2bymE6F8CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFMEmdKSKRKDm+iAo2FwjmkWIGHngMA0GCSqGSIb3DQEBCwUA
+A4ICAQBCPw74M9X/Xx04K1VAES3ypgQYH5bf9FXVDrwhRFSVckria/7dMzoF5wln
+uq9NGsjkkkDg17AohcQdr8alH4LvPdxpKr3BjpvEcmbqF8xH+MbbeUEnmbSfLI8H
+sefuhXF9AF/9iYvpVNC8FmJ0OhiVv13VgMQw0CRKkbtjZBf8xaEhq/YqxWVsgOjm
+dm5CAQ2X0aX7502x8wYRgMnZhA5goC1zVWBVAi8yhhmlhhoDUfg17cXkmaJC5pDd
+oenZ9NVhW8eDb03MFCrWNvIh89DDeCGWuWfDltDq0n3owyL0IeSn7RfpSclpxVmV
+/53jkYjwIgxIG7Gsv0LKMbsf6QdBcTjhvfZyMIpBRkTe3zuHd2feKzY9lEkbRvRQ
+zbh4Ps5YBnG6CKJPTbe2hfi3nhnw/MyEmF3zb0hzvLWNrR9XW3ibb2oL3424XOwc
+VjrTSCLzO9Rv6s5wi03qoWvKAQQAElqTYRHhynJ3w6wuvKYF5zcZF3MDnrVGLbh1
+Q9ePRFBCiXOQ6wPLoUhrrbZ8LpFUFYDXHMtYM7P9sc9IAWoONXREJaO08zgFtMp4
+8iyIYUyQAbsvx8oD2M8kRvrIRSrRJSl6L957b4AFiLIQ/GgV2curs0jje7Edx34c
+idWw1VrejtwclobqNMVtG3EiPUIpJGpbMcJgbiLSmKkrvQtGng==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw
+GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDUyMzIyMDc1OVoXDTM2
+MDUyMzIyMDc1OVowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWKySDn7rWZc5ggjz3ZB0
+8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym
+oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0
+ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN
+xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56
+dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9
+AgMBAAGjgeMwgeAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
+HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHoGCCsGAQUFBwEBBG4wbDA0
+BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3RnLXJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnLzA0BggrBgEFBQcwAoYoaHR0cDovL2NlcnQuc3RnLXJvb3QteDEubGV0c2Vu
+Y3J5cHQub3JnLzAfBgNVHSMEGDAWgBTBJnSkikSg5vogKNhcI5pFiBh54DANBgkq
+hkiG9w0BAQsFAAOCAgEABYSu4Il+fI0MYU42OTmEj+1HqQ5DvyAeyCA6sGuZdwjF
+UGeVOv3NnLyfofuUOjEbY5irFCDtnv+0ckukUZN9lz4Q2YjWGUpW4TTu3ieTsaC9
+AFvCSgNHJyWSVtWvB5XDxsqawl1KzHzzwr132bF2rtGtazSqVqK9E07sGHMCf+zp
+DQVDVVGtqZPHwX3KqUtefE621b8RI6VCl4oD30Olf8pjuzG4JKBFRFclzLRjo/h7
+IkkfjZ8wDa7faOjVXx6n+eUQ29cIMCzr8/rNWHS9pYGGQKJiY2xmVC9h12H99Xyf
+zWE9vb5zKP3MVG6neX1hSdo7PEAb9fqRhHkqVsqUvJlIRmvXvVKTwNCP3eCjRCCI
+PTAvjV+4ni786iXwwFYNz8l3PmPLCyQXWGohnJ8iBm+5nk7O2ynaPVW0U2W+pt2w
+SVuvdDM5zGv2f9ltNWUiYZHJ1mmO97jSY/6YfdOUH66iRtQtDkHBRdkNBsMbD+Em
+2TgBldtHNSJBfB3pm9FblgOcJ0FSWcUDWJ7vO0+NTXlgrRofRT6pVywzxVo6dND0
+WzYlTWeUVsO40xJqhgUQRER9YLOLxJ0O6C8i0xFxAMKOtSdodMB3RIwt7RFQ0uyt
+n5Z5MqkYhlMI3J1tPRTp1nEt9fyGspBOO05gi148Qasp+3N+svqKomoQglNoAxU=
+-----END CERTIFICATE-----
--- a/compose/services.yml
+++ b/compose/services.yml
@ -1,10 +1,12 @@
-version: '2.1'
+version: "2.1"

 volumes:
-  db:
-  registry:
-  s3:
-  redis:
+  certs: {}
+  cert-provider: {}
+  db: {}
+  redis: {}
+  registry: {}
+  s3: {}

 services:
  api:
@ -20,13 +22,13 @@ services:
      API_VPN_SERVICE_API_KEY: ${OPENBALENA_API_VPN_SERVICE_API_KEY}
      BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
      COOKIE_SESSION_SECRET: ${OPENBALENA_COOKIE_SESSION_SECRET}
-      DB_HOST: db.${OPENBALENA_HOST_NAME}
+      DB_HOST: db
      DB_PASSWORD: docker
      DB_PORT: 5432
      DB_USER: docker
      DELTA_HOST: delta.${OPENBALENA_HOST_NAME}
      DEVICE_CONFIG_OPENVPN_CONFIG: ${OPENBALENA_VPN_CONFIG}
-      DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA}
+      DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA_CHAIN}
      DEVICE_CONFIG_SSH_AUTHORIZED_KEYS: ${OPENBALENA_SSH_AUTHORIZED_KEYS}
      HOST: api.${OPENBALENA_HOST_NAME}
      IMAGE_MAKER_URL: img.${OPENBALENA_HOST_NAME}
@ -36,10 +38,10 @@ services:
      JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080
      JSON_WEB_TOKEN_SECRET: ${OPENBALENA_JWT_SECRET}
      MIXPANEL_TOKEN: __unused__
-      PRODUCTION_MODE: '${OPENBALENA_PRODUCTION_MODE}'
+      PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
      PUBNUB_PUBLISH_KEY: __unused__
      PUBNUB_SUBSCRIBE_KEY: __unused__
-      REDIS_HOST: redis.${OPENBALENA_HOST_NAME}
+      REDIS_HOST: redis
      REDIS_PORT: 6379
      REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME}
      REGISTRY_HOST: registry.${OPENBALENA_HOST_NAME}
@ -49,10 +51,12 @@ services:
      TOKEN_AUTH_CERT_KEY: ${OPENBALENA_TOKEN_AUTH_KEY}
      TOKEN_AUTH_CERT_KID: ${OPENBALENA_TOKEN_AUTH_KID}
      TOKEN_AUTH_CERT_PUB: ${OPENBALENA_TOKEN_AUTH_PUB}
-      TOKEN_AUTH_JWT_ALGO: 'ES256'
+      TOKEN_AUTH_JWT_ALGO: "ES256"
      VPN_HOST: vpn.${OPENBALENA_HOST_NAME}
      VPN_PORT: 443
      VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY}
+      SUPERUSER_EMAIL: ${OPENBALENA_SUPERUSER_EMAIL}
+      SUPERUSER_PASSWORD: ${OPENBALENA_SUPERUSER_PASSWORD}

  registry:
    extends:
@ -71,10 +75,10 @@ services:
      BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
      BALENA_TOKEN_AUTH_ISSUER: api.${OPENBALENA_HOST_NAME}
      BALENA_TOKEN_AUTH_REALM: https://api.${OPENBALENA_HOST_NAME}/auth/v1/token
-      COMMON_REGION: 
-      REGISTRY2_S3_BUCKET: 
-      REGISTRY2_S3_KEY: 
-      REGISTRY2_S3_SECRET: 
+      COMMON_REGION:
+      REGISTRY2_S3_BUCKET:
+      REGISTRY2_S3_KEY:
+      REGISTRY2_S3_SECRET:
      REGISTRY2_SECRETKEY: ${OPENBALENA_REGISTRY_SECRET_KEY}
      REGISTRY2_STORAGEPATH: /data

@ -92,10 +96,10 @@ services:
      BALENA_API_HOST: api.${OPENBALENA_HOST_NAME}
      BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
      BALENA_VPN_PORT: 443
-      PRODUCTION_MODE: '${OPENBALENA_PRODUCTION_MODE}'
+      PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
      RESIN_VPN_GATEWAY: 10.2.0.1
-      SENTRY_DSN: 
-      VPN_HAPROXY_USEPROXYPROTOCOL: 'true'
+      SENTRY_DSN:
+      VPN_HAPROXY_USEPROXYPROTOCOL: "true"
      VPN_OPENVPN_CA_CRT: ${OPENBALENA_VPN_CA}
      VPN_OPENVPN_SERVER_CRT: ${OPENBALENA_VPN_SERVER_CRT}
      VPN_OPENVPN_SERVER_DH: ${OPENBALENA_VPN_SERVER_DH}
@ -113,10 +117,13 @@ services:
  s3:
    extends:
      file: ./common.yml
-      service: system
+      service: component
    image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG:-master}
    volumes:
      - s3:/export
+    environment:
+      S3_MINIO_ACCESS_KEY: abcdef1234
+      S3_MINIO_SECRET_KEY: "1234567890"

  redis:
    extends:
@ -133,17 +140,20 @@ services:
    build: ../haproxy
    depends_on:
      - api
-      - registry
-      - vpn
+      - cert-provider
      - db
      - s3
      - redis
+      - registry
+      - vpn
    ports:
      - "80:80"
-      - "222:222"
      - "443:443"
-      - "5432:5432"
-      - "6379:6379"
+      - "3128:3128"
+    expose:
+      - "222"
+      - "5432"
+      - "6379"
    networks:
      default:
        aliases:
@ -158,3 +168,15 @@ services:
      BALENA_HAPROXY_KEY: ${OPENBALENA_ROOT_KEY}
      BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
      HAPROXY_HOSTNAME: ${OPENBALENA_HOST_NAME}
+    volumes:
+      - certs:/certs:ro
+
+  cert-provider:
+    build: ../cert-provider
+    volumes:
+      - certs:/certs
+      - cert-provider:/usr/src/app/certs
+    environment:
+      ACTIVE: ${OPENBALENA_ACME_CERT_ENABLED}
+      DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME}"
+      OUTPUT_PEM: /certs/open-balena.pem
--- a/compose/versions
+++ b/compose/versions
@ -0,0 +1,5 @@
+export OPENBALENA_API_VERSION_TAG=v0.11.8
+export OPENBALENA_DB_VERSION_TAG=v2.0.3
+export OPENBALENA_REGISTRY_VERSION_TAG=v2.5.0
+export OPENBALENA_S3_VERSION_TAG=v2.6.2
+export OPENBALENA_VPN_VERSION_TAG=v8.10.0
--- a/docs/assets/openbalena-logo.svg
+++ b/docs/assets/openbalena-logo.svg
@ -0,0 +1,8 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="228" height="42" viewBox="0 0 228 42">
+    <g fill="none" fill-rule="evenodd">
+        <path fill="#00D2EA" d="M57.231 23.086c0 2.186 1.667 3.8 3.635 3.8 1.968 0 3.635-1.614 3.635-3.828 0-2.213-1.667-3.826-3.635-3.826-1.968 0-3.635 1.613-3.635 3.826v.028zm-4.537-.055c0-3.69 2.651-8.035 8.172-8.035 5.521 0 8.172 4.346 8.172 8.062 0 3.718-2.65 8.063-8.172 8.063-5.52 0-8.172-4.345-8.172-8.063v-.027zM83.55 23.059c0-1.776-1.312-3.854-3.8-3.854-1.093 0-2.05.437-2.732 1.148-.657.684-1.067 1.667-1.067 2.76 0 1.067.41 2.023 1.094 2.706a3.82 3.82 0 0 0 2.706 1.12c2.378 0 3.799-1.94 3.799-3.853v-.027zm-11.944-7.57h4.264v1.666c.984-1.147 2.487-2.186 4.81-2.186 5.384 0 7.407 4.728 7.407 8.253 0 4.374-3.061 7.954-7.38 7.954-2.733 0-4.018-1.312-4.564-1.886v6.424h-4.537V15.488zM101.204 21.2c-.11-.71-1.038-2.405-3.389-2.405-2.35 0-3.28 1.695-3.389 2.405h6.778zm-6.833 3.444c.191 1.612 1.722 2.678 3.499 2.678 1.448 0 2.214-.628 2.76-1.42h4.647c-.738 1.694-1.804 3.006-3.088 3.88a7.373 7.373 0 0 1-4.32 1.367c-4.344 0-8.035-3.526-8.035-8.036 0-4.236 3.335-8.144 7.954-8.144 2.323 0 4.318.902 5.74 2.405 1.913 2.05 2.487 4.482 2.131 7.27H94.371zM108.31 15.488h4.235v1.613c.52-.738 1.476-2.132 4.182-2.132 5.111 0 5.63 4.154 5.63 6.204v9.484h-4.537v-8.282c0-1.667-.355-3.143-2.377-3.143-2.241 0-2.597 1.613-2.597 3.17v8.255h-4.537V15.488zM33.85 15.174v11.583c0 1.704-.918 3.29-2.395 4.139l-10.1 5.807c-.27.155-.55.277-.839.372v4.636c.49-.128.96-.312 1.396-.564l13.117-7.542a5.92 5.92 0 0 0 2.962-5.118V13.444c0-.512-.077-1.017-.213-1.513l-4.015 2.382c.054.281.087.568.087.86M2.955 8.323c-.515.297-.98.682-1.385 1.128l3.986 2.365c.29-.298.605-.57.974-.783L16.59 5.23a4.79 4.79 0 0 1 4.766-.003l10.1 5.808c.303.174.573.388.823.621l3.967-2.353c-.368-.377-.764-.717-1.216-.978L21.913.783a5.927 5.927 0 0 0-5.895.004L2.955 8.323zM16.588 36.7L6.53 30.898a4.787 4.787 0 0 1-2.39-4.136V15.17c0-.21.027-.417.056-.623L.163 12.154A5.72 5.72 0 0 0 0 13.437v15.056a5.918 5.918 0 0 0 2.955 5.114l13.063 7.537c.454.262.943.452 1.456.582v-4.643a4.517 4.517 0 0 1-.886-.382"/>
+        <g fill="#2A506F">
+            <path d="M132.219 20.286c-.995.804-1.492 1.83-1.492 3.077 0 1.32.458 2.426 1.372 3.321.915.895 2.118 1.342 3.609 1.342 1.411 0 2.554-.426 3.43-1.279.874-.85 1.311-1.912 1.311-3.181 0-1.25-.437-2.315-1.312-3.194-.875-.88-2.018-1.32-3.43-1.32-1.332.019-2.495.43-3.488 1.234zM127 11h3.966v6.588h.06c.437-.578 1.018-1.025 1.745-1.342a8.611 8.611 0 0 1 2.251-.637c.199-.018.387-.031.567-.04.178-.01.358-.014.536-.014 2.426 0 4.414.805 5.965 2.413 1.55 1.609 2.326 3.47 2.326 5.584 0 .308-.02.629-.06.963a5.71 5.71 0 0 1-.209.99 8.547 8.547 0 0 1-.716 1.898 7.322 7.322 0 0 1-1.132 1.626 7.133 7.133 0 0 1-2.714 1.857 9 9 0 0 1-3.34.638c-1.134 0-2.182-.196-3.147-.584-.965-.388-1.764-1.025-2.4-1.911l-.06-.027v2.033H127V11zM159.655 23.499c0-1.247-.443-2.3-1.328-3.16-.885-.858-2.033-1.278-3.444-1.26-1.452-.018-2.64.416-3.564 1.302-.924.886-1.386 1.988-1.386 3.307 0 1.23.481 2.264 1.446 3.104.964.84 2.112 1.253 3.444 1.234 1.432.019 2.595-.407 3.49-1.274.894-.868 1.342-1.943 1.342-3.226v-.027zm3.757 7.536h-3.638v-2.033h-.06c-.497.65-1.154 1.184-1.969 1.6a8.656 8.656 0 0 1-2.534.84l-.551.054c-.19.018-.374.027-.552.027-1.273 0-2.427-.222-3.46-.664a7.556 7.556 0 0 1-2.624-1.83 7.805 7.805 0 0 1-1.52-2.494 8.312 8.312 0 0 1-.538-2.983c0-1.048.164-2.014.492-2.9.329-.885.87-1.717 1.625-2.494.836-.886 1.764-1.541 2.789-1.966 1.024-.424 2.141-.637 3.355-.637 1.133 0 2.177.222 3.13.664a6.44 6.44 0 0 1 2.417 1.939v-2.142h3.638v15.019zM166.364 31.035h3.966V11h-3.966zM186.046 21.926c-.319-.886-.895-1.582-1.73-2.087a5.247 5.247 0 0 0-2.773-.76h-.24a5.695 5.695 0 0 0-2.683.847c-.835.51-1.391 1.176-1.67 2h9.096zm-9.036 3.2c.298.885.85 1.59 1.655 2.113a4.842 4.842 0 0 0 2.699.787c.755 0 1.465-.118 2.131-.352.666-.236 1.189-.552 1.567-.95l4.384-.027c-.498 1.356-1.506 2.5-3.027 3.43-1.521.93-3.157 1.396-4.906 1.396-2.406 0-4.458-.763-6.158-2.29-1.7-1.527-2.55-3.385-2.55-5.572 0-2.223.845-4.13 2.535-5.72 1.69-1.59 3.767-2.386 6.232-2.386 2.366 0 4.37.789 6.01 2.366 1.64 1.576 2.46 3.41 2.46 5.5 0 .235-.015.465-.045.69-.03.225-.065.446-.105.662-.02.073-.035.136-.044.19a.888.888 0 0 0-.015.162H177.01zM192.607 16.016h3.668V17.4h.06c.456-.56 1.058-.994 1.804-1.302a7.395 7.395 0 0 1 2.34-.542h.597c.079 0 .16.01.239.027a6.924 6.924 0 0 1 2.31.57c.747.325 1.388.75 1.924 1.273l.224.204c.07.063.134.14.194.23.635.814 1.014 1.682 1.133 2.603.12.922.18 1.862.18 2.82v7.753h-3.967v-7.781c0-.253-.01-.505-.03-.759a7.26 7.26 0 0 0-.21-1.152c-.099-.37-.248-.709-.446-1.017a2.753 2.753 0 0 0-1.06-.868 3.827 3.827 0 0 0-1.385-.379h-.373c-.07 0-.144.01-.224.027a3.904 3.904 0 0 0-1.342.421 2.63 2.63 0 0 0-1.014.88c-.198.29-.348.629-.447 1.018-.1.388-.16.781-.18 1.179-.02.235-.029.47-.029.705v7.726h-3.966V16.016zM223.472 23.499c0-1.247-.443-2.3-1.327-3.16-.885-.858-2.034-1.278-3.444-1.26-1.453-.018-2.64.416-3.564 1.302-.924.886-1.388 1.988-1.388 3.307 0 1.23.483 2.264 1.447 3.104.964.84 2.113 1.253 3.445 1.234 1.431.019 2.594-.407 3.489-1.274.894-.868 1.342-1.943 1.342-3.226v-.027zm3.758 7.536h-3.64v-2.033h-.058c-.498.65-1.154 1.184-1.969 1.6a8.666 8.666 0 0 1-2.535.84l-.551.054c-.19.018-.373.027-.552.027-1.272 0-2.426-.222-3.46-.664a7.548 7.548 0 0 1-2.623-1.83 7.796 7.796 0 0 1-1.521-2.494 8.312 8.312 0 0 1-.538-2.983c0-1.048.165-2.014.492-2.9.33-.885.87-1.717 1.626-2.494.835-.886 1.764-1.541 2.788-1.966 1.024-.424 2.142-.637 3.355-.637 1.133 0 2.177.222 3.131.664a6.44 6.44 0 0 1 2.416 1.939v-2.142h3.639v15.019z"/>
+        </g>
+    </g>
+</svg>
--- a/haproxy/Dockerfile
+++ b/haproxy/Dockerfile
@ -1,6 +1,10 @@
-FROM haproxy:1.8-alpine
+FROM haproxy:1.9-alpine
+
+VOLUME [ "/certs" ]
+
+RUN apk add --update inotify-tools

 COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
-COPY entry.sh /open-balena-entry
+COPY start-haproxy.sh /start-haproxy

-CMD /open-balena-entry
+CMD /start-haproxy
--- a/haproxy/entry.sh
+++ b/haproxy/entry.sh
@ -1,11 +0,0 @@
-#!/bin/sh
-set -e
-
-HAPROXY_CHAIN=/etc/ssl/private/open-balena.pem
-mkdir -p "$(dirname "${HAPROXY_CHAIN}")"
-(
-    echo "${BALENA_HAPROXY_CRT}" | base64 -d
-    echo "${BALENA_HAPROXY_KEY}" | base64 -d
-    echo "${BALENA_ROOT_CA}" | base64 -d
-) > "${HAPROXY_CHAIN}"
-exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@ -12,6 +12,9 @@ frontend http-in
  bind *:80
  reqadd X-Forwarded-Proto:\ http

+  acl is_cert_validation path -i -m beg "/.well-known/acme-challenge/"
+  use_backend cert-provider if is_cert_validation
+
  acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
  use_backend backend_api if host_api

@ -80,6 +83,12 @@ backend backend_s3
  option forwardfor
  balance roundrobin

+backend cert-provider
+  mode http
+  option forwardfor
+  balance roundrobin
+  server resin_cert-provider_1 cert-provider:80 no-check
+
 backend vpn-devices
  mode tcp
  server resin_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443
@ -103,3 +112,8 @@ frontend redis
 backend backend_redis
  mode tcp
  server resin_redis_1 redis:6379 check port 6379
+
+listen vpn-tunnel
+  mode tcp
+  bind *:3128
+  server balena_vpn vpn:3128 check port 3128
--- a/haproxy/start-haproxy.sh
+++ b/haproxy/start-haproxy.sh
@ -0,0 +1,32 @@
+#!/bin/sh
+
+OPENBALENA_CERT=/etc/ssl/private/open-balena.pem
+mkdir -p "$(dirname "${OPENBALENA_CERT}")"
+
+if [ -f "/certs/open-balena.pem" ]; then
+    echo "Using certificate from cert-provider..."
+    cp /certs/open-balena.pem "${OPENBALENA_CERT}"
+else
+    echo "Building certificate from environment variables..."
+    (
+        echo "${BALENA_HAPROXY_CRT}" | base64 -d
+        echo "${BALENA_HAPROXY_KEY}" | base64 -d
+        echo "${BALENA_ROOT_CA}" | base64 -d
+    ) > "${OPENBALENA_CERT}"
+fi
+
+haproxy -f /usr/local/etc/haproxy/haproxy.cfg -W &
+HAPROXY_PID=$!
+
+while true; do
+    inotifywait -r -e create -e modify -e delete /certs
+    
+    if [ -f "/certs/open-balena.pem" ]; then
+        echo "Updating certificate from cert-provider..."
+        cp /certs/open-balena.pem "${OPENBALENA_CERT}"
+    fi
+    
+    echo "Certificate change detected. Reloading..."
+    kill -SIGUSR2 $HAPROXY_PID
+    sleep 1;
+done
--- a/package-lock.json
+++ b/package-lock.json
@ -1,3 +0,0 @@
-{
-  "lockfileVersion": 1
-}
--- a/scripts/_realpath
+++ b/scripts/_realpath
@ -0,0 +1,35 @@
+#!/bin/bash -e
+
+echo_error() {
+    local RED=`tput setaf 1`
+    local RESET=`tput sgr0`
+    echo "${RED}ERROR: ${1}${RESET}"
+}
+
+REALPATH=
+REALPATHS=(
+    'realpath'
+    'grealpath'
+    'greadlink -f'
+)
+for cmd in "${REALPATHS[@]}"; do
+if command -v "${cmd%% *}" &>/dev/null; then
+    REALPATH="${cmd}"
+    break
+fi
+done
+
+if [ -z "${REALPATH}" ]; then
+    echo_error 'Unable to find suitable command for realpath.'
+    if [ $(uname) == 'Darwin' ]; then
+        echo 'GNU coreutils are required to build openBalena on MacOS. To install with brew, run'
+        echo ''
+        echo '    brew install coreutils'
+        echo ''
+    fi
+    exit 1
+fi
+
+realpath() {
+  echo $(command ${REALPATH} "$@")
+}
--- a/scripts/compose
+++ b/scripts/compose
@ -1,5 +1,7 @@
 #!/bin/bash -e

+source "${BASH_SOURCE%/*}/_realpath"
+
 CMD="$(realpath "$0")"
 DIR="$(dirname "${CMD}")"
 BASE_DIR="$(dirname "${DIR}")"
@ -9,6 +11,12 @@ echo_bold() {
  printf "\\033[1m%s\\033[0m\\n" "$@"
 }

+VERSIONS_FILE="${BASE_DIR}/compose/versions"
+if [ ! -f "$VERSIONS_FILE" ]; then
+  echo_bold "No service versions defined in ${VERSIONS_FILE}"
+  exit 1
+fi
+
 ENV_FILE="${CONFIG_DIR}/activate"
 if [ ! -f "$ENV_FILE" ]; then
  echo_bold 'No configuration found; please create one first with: ./scripts/quickstart'
@ -17,7 +25,7 @@ if [ ! -f "$ENV_FILE" ]; then
 fi

 # shellcheck source=/dev/null
-source "${ENV_FILE}"; docker-compose \
+source "${VERSIONS_FILE}"; source "${ENV_FILE}"; docker-compose \
  --project-name 'openbalena' \
  -f "${BASE_DIR}/compose/services.yml" \
  -f "${CONFIG_DIR}/docker-compose.yml" \
--- a/scripts/create-superuser
+++ b/scripts/create-superuser
@ -18,6 +18,8 @@ echo_bold() {
  printf "\\033[1m%s\\033[0m\\n" "${@}"
 }

+source "${BASH_SOURCE%/*}/_realpath"
+
 CMD="$(realpath "$0")"
 DIR="$(dirname "${CMD}")"
 FIG="${DIR}/compose"
--- a/scripts/gen-root-ca
+++ b/scripts/gen-root-ca
@ -22,12 +22,14 @@ OUT="$(realpath "${2:-.}")"
 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"

-# Create a secret key and CA file for the self-signed CA
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" init-pki 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="ca.${CN}" build-ca nopass 2>/dev/null
 ROOT_CA="${ROOT_PKI}/ca.crt"
-echo "ROOT_CA=${ROOT_CA//$OUT/\$OUT}"

-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+if [ ! -f $ROOT_CA ]; then
+  # Create a secret key and CA file for the self-signed CA
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" init-pki 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="ca.${CN}" build-ca nopass 2>/dev/null
+
+  # update indexes and generate CRLs
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+fi
--- a/scripts/gen-root-cert
+++ b/scripts/gen-root-cert
@ -22,13 +22,15 @@ OUT="$(realpath "${2:-.}")"
 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"

-# generate default CSR and sign (root + wildcard)
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass 2>/dev/null
 ROOT_CRT="${ROOT_PKI}"'/issued/*.'"${CN}"'.crt'
 ROOT_KEY="${ROOT_PKI}"'/private/*.'"${CN}"'.key'
-echo "ROOT_CRT=${ROOT_CRT//$OUT/\$OUT}"
-echo "ROOT_KEY=${ROOT_KEY//$OUT/\$OUT}"

-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+if [ ! -f $ROOT_CRT ] || [ ! -f $ROOT_KEY ]; then
+  rm -f $ROOT_CRT $ROOT_KEY
+  # generate default CSR and sign (root + wildcard)
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass 2>/dev/null
+
+  # update indexes and generate CRLs
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+fi;
--- a/scripts/gen-token-auth-cert
+++ b/scripts/gen-token-auth-cert
@ -42,13 +42,12 @@ JWT_CRT="${CERT_FILE}.crt"
 JWT_KEY="${CERT_FILE}.pem"
 JWT_KID="${CERT_FILE}.kid"

-mkdir -p "${CERT_DIR}"
-openssl ecparam -name prime256v1 -genkey -noout -out "${JWT_KEY}" 2>/dev/null
-openssl req -x509 -new -nodes -days "${CRT_EXPIRY_DAYS}" -key "${JWT_KEY}" -subj "/CN=api.${CN}" -out "${JWT_CRT}" 2>/dev/null
-openssl ec -in "${JWT_KEY}" -pubout -outform DER -out "${CERT_FILE}.der" 2>/dev/null
-keyid "${CERT_FILE}.der" >"${JWT_KID}"
-rm "${CERT_FILE}.der"
-
-echo "JWT_CRT=${JWT_CRT//$OUT/\$OUT}"
-echo "JWT_KEY=${JWT_KEY//$OUT/\$OUT}"
-echo "JWT_KID=${JWT_KID//$OUT/\$OUT}"
+if [ ! -f $JWT_CRT ] || [ ! -f $JWT_KEY ] || [ ! -f $JWT_KID ]; then
+  rm -f $JWT_CRT $JWT_KEY $JWT_KID
+  mkdir -p "${CERT_DIR}"
+  openssl ecparam -name prime256v1 -genkey -noout -out "${JWT_KEY}" 2>/dev/null
+  openssl req -x509 -new -nodes -days "${CRT_EXPIRY_DAYS}" -key "${JWT_KEY}" -subj "/CN=api.${CN}" -out "${JWT_CRT}" 2>/dev/null
+  openssl ec -in "${JWT_KEY}" -pubout -outform DER -out "${CERT_FILE}.der" 2>/dev/null
+  keyid "${CERT_FILE}.der" >"${JWT_KID}"
+  rm "${CERT_FILE}.der"
+fi
--- a/scripts/gen-vpn-certs
+++ b/scripts/gen-vpn-certs
@ -21,33 +21,28 @@ OUT="$(realpath "${2:-.}")"

 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"
+
 VPN_PKI="$(realpath "${OUT}/vpn")"
-
-# generate VPN sub-CA
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" init-pki 2>/dev/null
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="vpn-ca.${CN}" build-ca nopass subca 2>/dev/null
-
-# import sub-CA CSR into root PKI, sign, and copy back to vpn PKI
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" import-req "${VPN_PKI}/reqs/ca.req" "vpn-ca" 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" sign-req ca "vpn-ca" 2>/dev/null
-cp "${ROOT_PKI}/issued/vpn-ca.crt" "${VPN_PKI}/ca.crt"
 VPN_CA="${VPN_PKI}/ca.crt"
-echo "VPN_CA=${VPN_CA//$OUT/\$OUT}"
-
-# generate and sign vpn server certificate
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CRT_EXPIRY_DAYS}" build-server-full "vpn.${CN}" nopass 2>/dev/null
 VPN_CRT="${VPN_PKI}/issued/vpn.${CN}.crt"
 VPN_KEY="${VPN_PKI}/private/vpn.${CN}.key"
-echo "VPN_CRT=${VPN_CRT//$OUT/\$OUT}"
-echo "VPN_KEY=${VPN_KEY//$OUT/\$OUT}"
-
-# generate vpn dhparams (keysize of 2048 will do, 4096 can wind up taking hours to generate)
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" --keysize=2048 gen-dh 2>/dev/null
 VPN_DH="${VPN_PKI}/dh.pem"
-echo "VPN_DH=${VPN_DH//$OUT/\$OUT}"

-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" gen-crl 2>/dev/null
+if [ ! -f $VPN_CA ] || [ ! -f $VPN_CRT ] || [ ! -f $VPN_KEY ] || [ ! -f $VPN_DH ]; then
+
+  rm -f $VPN_CA $VPN_CRT $VPN_DH $VPN_KEY
+
+  # generate VPN CA
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" init-pki &>/dev/null
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="vpn-ca.${CN}" build-ca nopass 2>/dev/null
+
+  # generate and sign vpn server certificate
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CRT_EXPIRY_DAYS}" build-server-full "vpn.${CN}" nopass 2>/dev/null
+
+  # generate vpn dhparams (keysize of 2048 will do, 4096 can wind up taking hours to generate)
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --keysize=2048 gen-dh 2>/dev/null
+
+  # update indexes and generate CRLs
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" gen-crl 2>/dev/null
+fi
--- a/scripts/make-env
+++ b/scripts/make-env
@ -12,14 +12,16 @@ usage() {
  echo "  JWT_CRT    Path to Token Auth certificate"
  echo "  JWT_KEY    Path to Token Auth private key"
  echo "  JWT_KID    Path to KeyID for the Token Auth certificate"
-  echo "  VPN_CA     Path to the VPN sub-CA certificate"
+  echo "  VPN_CA     Path to the VPN CA certificate"
  echo "  VPN_CRT    Path to the VPN server certificate"
  echo "  VPN_KEY    Path to the VPN server private key"
  echo "  VPN_DH     Path to the VPN server Diffie Hellman parameters"
+  echo "  SUPERUSER_EMAIL     Email address of the superuser"
+  echo "  SUPERUSER_PASSWORD  Password of the superuser"
  echo
 }

-for var in DOMAIN ROOT_CA ROOT_CRT ROOT_KEY JWT_CRT JWT_KEY JWT_KID VPN_CA VPN_CRT VPN_KEY VPN_DH; do
+for var in DOMAIN ROOT_CA ROOT_CRT ROOT_KEY JWT_CRT JWT_KEY JWT_KID VPN_CA VPN_CRT VPN_KEY VPN_DH SUPERUSER_EMAIL SUPERUSER_PASSWORD; do
  if [ -z "${!var-}" ]; then
    usage
    exit 1
@ -31,10 +33,14 @@ randstr() {
 }

 b64encode() {
-  cat "$@" | base64 --wrap=0 2>/dev/null || cat "$@" | base64 --break=0
+    echo "$@" | base64 --wrap=0 2>/dev/null || echo "$@" | base64 --break=0 2>/dev/null
 }

-VPN_CONFIG=$(b64encode <<STR
+b64file() {
+  b64encode "$(cat "$@")"
+}
+
+VPN_CONFIG=$(cat <<STR
 client
 remote vpn.$DOMAIN 443
 resolv-retry infinite
@ -59,6 +65,7 @@ persist-tun
 verb 3
 user openvpn
 group openvpn
+
 STR
 )

@ -68,21 +75,24 @@ export OPENBALENA_COOKIE_SESSION_SECRET=$(randstr 32)
 export OPENBALENA_HOST_NAME=$DOMAIN
 export OPENBALENA_JWT_SECRET=$(randstr 32)
 export OPENBALENA_RESINOS_REGISTRY_CODE=$(randstr 32)
-export OPENBALENA_ROOT_CA=$(b64encode "$ROOT_CA")
-export OPENBALENA_ROOT_CRT=$(b64encode "${ROOT_CRT}")
-export OPENBALENA_ROOT_KEY=$(b64encode "${ROOT_KEY}")
+export OPENBALENA_ROOT_CA=$(b64file "${ROOT_CA}")
+export OPENBALENA_ROOT_CRT=$(b64file "${ROOT_CRT}")
+export OPENBALENA_ROOT_KEY=$(b64file "${ROOT_KEY}")
 export OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN=$(randstr 64)
-export OPENBALENA_TOKEN_AUTH_PUB=$(b64encode "$JWT_CRT")
-export OPENBALENA_TOKEN_AUTH_KEY=$(b64encode "$JWT_KEY")
-export OPENBALENA_TOKEN_AUTH_KID=$(b64encode "$JWT_KID")
-export OPENBALENA_VPN_CA=$(b64encode "$VPN_CA")
-export OPENBALENA_VPN_CONFIG=$VPN_CONFIG
-export OPENBALENA_VPN_SERVER_CRT=$(b64encode "$VPN_CRT")
-export OPENBALENA_VPN_SERVER_KEY=$(b64encode "$VPN_KEY")
-export OPENBALENA_VPN_SERVER_DH=$(b64encode "$VPN_DH")
+export OPENBALENA_TOKEN_AUTH_PUB=$(b64file "$JWT_CRT")
+export OPENBALENA_TOKEN_AUTH_KEY=$(b64file "$JWT_KEY")
+export OPENBALENA_TOKEN_AUTH_KID=$(b64file "$JWT_KID")
+export OPENBALENA_VPN_CA=$(b64file "$VPN_CA")
+export OPENBALENA_VPN_CA_CHAIN=$(b64file "$VPN_CA")
+export OPENBALENA_VPN_CONFIG=$(b64encode "$VPN_CONFIG")
+export OPENBALENA_VPN_SERVER_CRT=$(b64file "$VPN_CRT")
+export OPENBALENA_VPN_SERVER_KEY=$(b64file "$VPN_KEY")
+export OPENBALENA_VPN_SERVER_DH=$(b64file "$VPN_DH")
 export OPENBALENA_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_API_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_REGISTRY_SECRET_KEY=$(randstr 32)
 export OPENBALENA_SSH_AUTHORIZED_KEYS=
-export NODE_EXTRA_CA_CERTS="$ROOT_CA"
+export OPENBALENA_SUPERUSER_EMAIL=$SUPERUSER_EMAIL
+export OPENBALENA_SUPERUSER_PASSWORD=$(printf "%q" "${SUPERUSER_PASSWORD}")
+export OPENBALENA_ACME_CERT_ENABLED=${ACME_CERT_ENABLED:-false}
 STR
--- a/scripts/quickstart
+++ b/scripts/quickstart
@ -1,5 +1,30 @@
 #!/bin/bash -e

+BLACK=`tput setaf 0`
+RED=`tput setaf 1`
+GREEN=`tput setaf 2`
+YELLOW=`tput setaf 3`
+BLUE=`tput setaf 4`
+MAGENTA=`tput setaf 5`
+CYAN=`tput setaf 6`
+WHITE=`tput setaf 7`
+
+BOLD=`tput bold`
+RESET=`tput sgr0`
+
+# for macos machines, we need proper OpenSSL...
+OPENSSL_VERSION=$(openssl version -v)
+if [[ "${OPENSSL_VERSION}" =~ ^LibreSSL.*$ ]]; then
+  echo -e "${RED}ERROR: You may not have a compatible OpenSSL version (${OPENSSL_VERSION}). Please install OpenSSL version 1.0.2q or above.${RESET}"
+  exit 1
+fi
+
+source "${BASH_SOURCE%/*}/_realpath"
+
+domainResolves() {
+  getent hosts "$1" > /dev/null 2>&1
+}
+
 CMD="$(realpath "$0")"
 DIR="$(dirname "${CMD}")"
 BASE_DIR="$(dirname "${DIR}")"
@ -9,20 +34,27 @@ CERTS_DIR="${CONFIG_DIR}/certs"
 DOMAIN=openbalena.local

 usage() {
-  echo "usage: $0 [-h] [-p] [-d DOMAIN]"
+  echo "usage: $0 [-c] [-h] [-p] [-d DOMAIN] -U EMAIL -P PASSWORD"
  echo
-  echo "  -p         patch hosts - patch the host /etc/hosts file"
-  echo "  -d DOMAIN  the domain name this deployment will run as, eg. example.com. Default is 'openbalena.local'"
+  echo "  -c           enable the ACME certificate service in staging or production mode."
+  echo "  -p           patch hosts - patch the host /etc/hosts file"
+  echo "  -d DOMAIN    the domain name this deployment will run as, eg. example.com. Default is 'openbalena.local'"
+  echo "  -U EMAIL     the email address of the superuser account, used to login to your install from the Balena CLI"
+  echo "  -P PASSWORD  the password to use for the superuser account."
  echo
 }

 show_help=false
 patch_hosts=false
-while getopts ":hpd:" opt; do
+while getopts ":chpxd:U:P:" opt; do
  case "${opt}" in
    h) show_help=true;;
    p) patch_hosts=true;;
+    x) set -x;;
    d) DOMAIN="${OPTARG}";;
+    U) SUPERUSER_EMAIL="${OPTARG}";;
+    P) SUPERUSER_PASSWORD="${OPTARG}";;
+    c) ACME_CERT_ENABLED="true";;
    *)
      echo "Invalid argument: -${OPTARG}"
      usage
@ -32,23 +64,35 @@ while getopts ":hpd:" opt; do
 done
 shift $((OPTIND-1))

+if [ -z "${SUPERUSER_EMAIL}" ] || [ -z "${SUPERUSER_PASSWORD}" ]; then
+  usage
+  exit 1
+fi
+
 if [ "$show_help" = "true" ]; then
  usage
  exit 1
 fi

-echo_bold() {
-  printf "\\033[1m%s\\033[0m\\n" "${@}"
-}
-
-if [ -d "$CONFIG_DIR" ]; then
-  echo 'Configuration directory already exists; please remove it first.'
-  exit 1
+if [ ! -z "$ACME_CERT_ENABLED" ]; then
+  echo "${BLUE}[INFO]${RESET} ACME Certificate request is ${BOLD}ENABLED${RESET}."
+  
+  if ! domainResolves "api.${DOMAIN}"; then
+    echo "${YELLOW}[WARN]${RESET} Unable to resolve \"api.${DOMAIN}\"!"
+    echo "${YELLOW}[WARN]${RESET} This might mean that you cannot use an ACME issued certificate."
+  fi
 fi

+echo_bold() {
+  echo "${BOLD}${@}${RESET}"
+}
+
 echo_bold "==> Creating new configuration at: $CONFIG_DIR"
 mkdir -p "$CONFIG_DIR" "$CERTS_DIR"

+echo_bold "==> Bootstrapping easy-rsa..."
+source "${DIR}/ssl-common.sh"
+
 echo_bold "==> Generating root CA cert..."
 # shellcheck source=scripts/gen-root-ca
 source "${DIR}/gen-root-ca" "${DOMAIN}" "${CERTS_DIR}"
@ -81,5 +125,7 @@ fi
 echo_bold "==> Success!"
 echo '  - Start the instance with: ./scripts/compose up -d'
 echo '  - Stop the instance with: ./scripts/compose stop'
-echo '  - To create the superuser, see: ./scripts/create-superuser -h'
-echo "  - Use the following certificate with Balena CLI: ${CONFIG_DIR}/root/ca.crt"
+
+if [ -z "${ACME_CERT_ENABLED}" ]; then
+  echo "  - Use the following certificate with Balena CLI: ${CERTS_DIR}/root/ca.crt"
+fi
--- a/scripts/ssl-common.sh
+++ b/scripts/ssl-common.sh
@ -7,6 +7,7 @@ if [ -z "${easyrsa_bin-}" ] || [ ! -x "${easyrsa_bin}" ]; then
    if [ -z "${easyrsa_bin}" ]; then
        easyrsa_dir="$(mktemp -dt easyrsa.XXXXXXXX)"
        easyrsa_url="https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz"
+        echo "  - Downloading easy-rsa..."
        (cd "${easyrsa_dir}"; curl -sL "${easyrsa_url}" | tar xz --strip-components=1)
        easyrsa_bin="${easyrsa_dir}/easyrsa"
        # shellcheck disable=SC2064
Author	SHA1	Message	Date
Resin CI	c1ee146f0d	v1.1.0	2019-05-07 14:38:17 +03:00
Heds Simons	9ad92596b9	Merge pull request #49 from balena-io/48-s3-credential-changes s3: Update to latest version with credentials	2019-05-07 12:36:26 +01:00
Heds Simons	56de2d20bb	s3: Update to latest version with credentials Credentials for S3 can now be specified using the following docker-compose based envvars: * S3_MINIO_ACCESS_KEY * S3_MINIO_SECRET_KEY Connects-to: #48 Change-type: minor Signed-off-by: Heds Simons <heds@balena.io>	2019-05-07 11:18:48 +01:00
Resin CI	290c90c262	v1.0.2	2019-04-18 15:30:38 +03:00
dfunckt	98b6100fed	Merge pull request #45 from roman-mazur/roman/fix-build scripts: Handle missing coreutils on Mac	2019-04-18 15:28:19 +03:00
Roman Mazur	e1bfb7f7b0	scripts: Handle missing coreutils on Mac For convenience, also add instructions what to install. Tha change also addresses invalid usage of 'local' outside of a function. Change-type: patch Signed-off-by: Roman Mazur <mazur.roman@gmail.com>	2019-04-16 18:05:16 +03:00
Resin CI	35ab5300e6	v1.0.1	2019-03-20 11:24:21 +02:00
Rich Bayliss	fd031ad3a4	Merge pull request #42 from balena-io/prevent-root-ca-signing-vpn-ca vpn: Remove BALENA_ROOT_CA from the VPN trust chain	2019-03-20 09:22:11 +00:00
Rich Bayliss	95d53993bc	vpn: Remove BALENA_ROOT_CA from the VPN trust chain The VPN CA shouldn't need to be signed by the same CA that the HAproxy service certificate is signed by. By removing this chain we are able to use a different CA for the HTTPS services without impacting on the VPN service. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-20 09:13:19 +00:00
Resin CI	1721728794	v1.0.0	2019-03-15 17:29:55 +02:00
Rich Bayliss	061440f109	Merge pull request #43 from balena-io/pin-service-tags tags: Pin the image tags for the service stack	2019-03-15 15:28:08 +00:00
Rich Bayliss	2f0fb27145	tags: Pin the image tags for the service stack In order to have concrete releases of openBalena we should pin each service to a given version. This PR is the start of this and marks the first version of openBalena with known service tags. Change-type: major Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-15 15:14:57 +00:00
Resin CI	210bdcda37	v0.2.2	2019-03-08 15:44:55 +02:00
Rich Bayliss	fac66040c8	Merge pull request #39 from balena-io/add-codeowners codeowners: Add CODEOWNERS file	2019-03-08 13:42:59 +00:00
Rich Bayliss	85a69c1ef1	codeowners: Add CODEOWNERS file Add a CODEOWNERS file which includes the main repo owners. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-08 13:38:49 +00:00
Resin CI	e37a61e5f0	v0.2.1	2019-03-08 14:31:30 +02:00
Rich Bayliss	0fc85ff5b6	Merge pull request #38 from balena-io/add-acme-support certs: Add support for an ACME certificate provider	2019-03-08 12:29:44 +00:00
Rich Bayliss	99dd615e55	certs: Add support for an ACME certificate provider Add a service which will acquire certificates from an ACME cert provider, such as LetsEncrypt (), to allow an openBalena instance to use a publicly trusted certificate instead of the self-signed one it wil generate on setup. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-08 12:23:46 +00:00
Resin CI	d3b021a1cb	v0.2.0	2019-01-28 20:38:12 +01:00
Rich Bayliss	b9b9b65ce6	Merge pull request #35 from balena-io/hide-db-redis Do not publish DB and Redis ports to the host	2019-01-28 19:36:27 +00:00
Akis Kesoglou	9fb3f76858	Do not publish DB and Redis ports to the host We are currently exposing the DB and Redis ports to the host, making the services externally accessible, which is very useful for a development environment. `docker-compose` is however the only deployment method we currently support, and our Getting Started guide uses the very same configuration to guide users through the process of deploying open-balena on a public server (mostly because it’s easier with regards to DNS). This means we’re effectively guiding users to deploy open-balena in a very insecure way. This commit removes host port bindings for the database and Redis services, effectively making them externally inaccessible. Fixes #34 Change-type: minor	2019-01-25 15:34:58 +02:00
Resin CI	52fb653223	v0.1.4	2019-01-10 12:03:32 +01:00
Rich Bayliss	7332b6971e	Merge pull request #33 from balena-io/improve-vagrant vagrant: Add missing Node dependency	2019-01-10 11:01:42 +00:00
Rich Bayliss	011f3a35f9	vagrant: Add missing Node dependency Signed-off-by: Rich Bayliss <rich@balena.io> Change-type: patch	2019-01-10 10:57:53 +00:00
Resin CI	0842b7b4ae	v0.1.3	2019-01-10 10:47:30 +01:00
Rich Bayliss	37ecfb8996	Merge pull request #32 from balena-io/improve-vagrant vagrant: Improve the Vagrant file to make development easier	2019-01-10 09:45:45 +00:00
Rich Bayliss	bd638ac409	vagrant: Improve the Vagrant file to make development easier Vagrant machine is based on Ubuntu 18.04 including: - docker - docker-compose Provisions some helper functions to the CLI: - dc (shortcut to ./scripts/compose) - enter {service} (opens a terminal in the service's container) - logs {service} (access the journal of the service) Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-01-10 09:41:11 +00:00
Resin CI	cec371f0b8	v0.1.2	2018-12-20 11:54:47 +01:00
Rich Bayliss	eb1db83058	Merge pull request #29 from balena-io/make-macos-compatible Make scripts macOS compatible	2018-12-20 10:53:00 +00:00
Rich Bayliss	709d00b898	init: Make scripts macOS compatible The quickstart script should be able to run on macOS machines and not just Linux ones. Signed-off-by: Rich Bayliss <rich@balena.io> Change-type: patch	2018-12-20 10:42:50 +00:00
Resin CI	6f56ee8fbd	v0.1.1	2018-12-17 15:22:53 +02:00
dfunckt	9d48debca6	Merge pull request #27 from balena-io/fix-quickstart-paths Fix quickstart paths	2018-12-17 15:21:06 +02:00
Akis Kesoglou	254fd3b499	Ignore package-lock.json Change-type: patch	2018-12-17 14:58:07 +02:00
Akis Kesoglou	5bc74c3f75	Print the proper path to root CA cert Change-type: patch	2018-12-17 14:57:49 +02:00
Resin CI	93d51fcdd5	v0.1.0	2018-12-17 14:45:53 +02:00
Will Boyce	b2ec80fbdb	Merge pull request #14 from balena-io/vpn vpn requirements	2018-12-17 12:44:15 +00:00
Will Boyce	ed077b5722	vagrant: Change into open-balena directory automatically Change-type: patch Signed-off-by: Will Boyce <will@balena.io>	2018-11-20 16:04:04 +00:00
Will Boyce	a50910ca83	api: Pass full VPN CA chain to `os-config` Change-type: patch Signed-off-by: Will Boyce <will@balena.io>	2018-11-20 16:04:04 +00:00
Will Boyce	318362cc25	haproxy: Proxy port 3128 to vpn service Change-type: minor Signed-off-by: Will Boyce <will@balena.io>	2018-11-20 16:04:04 +00:00
Resin CI	acd40a79e6	v0.0.7	2018-11-15 10:30:31 +01:00
dfunckt	627867aec4	Merge pull request #20 from balena-io/update-readme Update README	2018-11-15 11:28:13 +02:00
Akis Kesoglou	2e4064fab7	Update README Change-type: patch	2018-11-14 14:22:37 +02:00
Resin CI	c426aa9453	v0.0.6	2018-11-12 16:14:02 +01:00
dfunckt	baaba366ec	Merge pull request #19 from balena-io/fix-changelog fix changelog.md	2018-11-12 17:11:51 +02:00
Giovanni Garufi	9ec63e4fcf	fix changelog.md Fix versionist formatting error in CHANGELOG.md. Also re-formatted previous changelog entries for consistency with the new format. Change-type: patch Signed-off-by: Giovanni Garufi <giovanni@balena.io>	2018-11-10 16:43:04 +01:00
Resin CI	5a83bb80b1	v0.0.5	2018-11-07 11:25:26 +01:00
Rich Bayliss	8c68f2c01d	Merge pull request #15 from balena-io/pass-superuser-creds-in-env env: Pass superuser credentials in the environment	2018-11-07 10:23:39 +00:00
Rich Bayliss	55f60c60d2	env: Pass superuser credentials in the environment Allows the credentials to be passed via the environment in order that the application can create the user on start up. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2018-11-07 10:10:26 +00:00
 @ -1 +1 @@
 .0.4
 .1.0