v3.1.2

Merge pull request #101 from balena-io/switch-tunnel-to-tls
tunnel: Expose tunnel service via TLS
2025-06-24 18:25:16 +00:00 · 2021-01-22 16:10:08 +02:00 · 2021-01-22 14:08:00 +00:00 · 2021-01-22 11:55:33 +00:00 · 2020-11-10 17:59:55 +02:00 · 2020-11-10 15:57:48 +00:00
38 changed files with 2627 additions and 220 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -0,0 +1,2 @@
+# Main repo owners:
+*       @dfunckt @richbayliss
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,7 @@
 .DS_Store
 .project
 .vagrant/
-config/
-src/
+
+/config
+/docker-compose.yml
+/package-lock.json
--- a/.openbalenarc
+++ b/.openbalenarc
@ -0,0 +1,50 @@
+#!/bin/bash
+
+alias dc="/home/vagrant/openbalena/scripts/compose"
+
+function enter () {
+	if [[ $# -lt 1 ]]; then			
+		echo "Usage: enter <service name> [command]"
+		echo "  "
+		echo "  Runs a [command] in the service specified."
+		echo "  "
+		echo "  command:"
+		echo "    (default) /bin/bash"
+		echo "  "
+		echo "  example:"
+		echo "    enter api          # this will run the command '/bin/bash' in the API service, providing a shell prompt"
+		echo "    enter api uptime   # this will run the command 'uptime' in the API service, and return"
+		return 1
+	fi
+
+
+	service="$1"
+	shift
+	COMMAND=/bin/bash
+	if [[ $# -gt 0 ]]; then
+		COMMAND="$@"
+	fi
+	dc exec ${service} /bin/bash -c "${COMMAND}"
+}
+
+function logs () {
+	if [[ $# -lt 1 ]]; then			
+		echo "Usage: logs <service name> [options]"
+		echo "  "
+		echo "  Shows the logs from journalctl in the service specified."
+		echo "  "
+		echo "  options:"
+		echo "    -f  tail the log stream"
+		echo "    -n  number of lines to take"
+		echo "  "
+		echo "  example:"
+		echo "    logs api -fn100 # this will tail the API log, starting with the last 100 lines"
+		return 1
+	fi
+
+	service="$1"
+	shift
+	enter ${service} journalctl "$@"
+}
+
+cd /home/vagrant/openbalena
--- a/.versionbot/CHANGELOG.yml
+++ b/.versionbot/CHANGELOG.yml
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,490 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).

+# v3.1.2
+## (2021-01-22)
+
+* tunnel: Expose tunnel service via TLS [Rich Bayliss]
+
+# v3.1.1
+## (2020-11-10)
+
+* Update open-balena-api [Akis Kesoglou]
+
+# v3.1.0
+## (2020-11-03)
+
+* Change S3 OS images folder from resinos to images [Stevche Radevski]
+
+# v3.0.1
+## (2020-10-29)
+
+* Update the API fixing an issue with migrations [Akis Kesoglou]
+
+# v3.0.0
+## (2020-10-28)
+
+* Update versions of services [Akis Kesoglou]
+
+# v2.0.5
+## (2020-10-09)
+
+* docs: add table comparing features of openBalena and balenaCloud [Matthew McGinn]
+
+# v2.0.4
+## (2020-10-08)
+
+* docs: note that balenaCLI is incompatible >12.2.2 [Matthew McGinn]
+
+# v2.0.3
+## (2020-06-01)
+
+* docs: Add PSA about balenaOS version breakage [Rich Bayliss]
+
+# v2.0.2
+## (2020-04-03)
+
+* Added units to haproxy.cfg default timeouts [Frederic Tausch]
+
+# v2.0.1
+## (2020-01-17)
+
+* cert-provider: Update to support ACMEv2 on staging provider [Rich Bayliss]
+
+# v2.0.0
+## (2019-09-02)
+
+* feature: Use S3 bucket for Registry service backend [Rich Bayliss]
+
+# v1.3.0
+## (2019-07-30)
+
+* services: Update Registry service version [Rich Bayliss]
+* feature: Support deployment via balena push to local-mode balenaOS devices [Rich Bayliss]
+
+# v1.2.0
+## (2019-05-21)
+
+* tidy: Remove unused DEVICE_CONFIG_OPENVPN_CONFIG variable [Rich Bayliss]
+* services: Update Registry service version [Akis Kesoglou]
+* services: Update API service version [Rich Bayliss]
+
+<details>
+<summary> View details </summary>
+
+## open-balena-api-0.19.5
+### (2019-05-20)
+
+* Update typed-error to 3.1.0 [Pagan Gazzard]
+
+<details>
+<summary> View details </summary>
+
+### typed-error-3.1.0
+#### (2019-04-01)
+
+* dev: Enforce prettier coding standards [Will Boyce]
+* npm: Update dependencies and remove `package-lock.json` [Will Boyce]
+* codeowners: Add top contributors @wrboyce, @Page-, and @dfunckt [Will Boyce]
+* versionbot: Add CHANGELOG.yml (for nested changelogs) [Will Boyce]
+
+### typed-error-3.0.2
+#### (2018-11-01)
+
+* Update README with new import style [CameronDiver]
+
+### typed-error-3.0.1
+#### (2018-10-29)
+
+* Update to typescript 3 [Pagan Gazzard]
+* Update dev dependencies [Pagan Gazzard]
+* Add node-10 to the circle test suite [Pagan Gazzard]
+
+### typed-error-3.0.0
+#### (2018-04-17)
+
+* Distribute generated typescript declaration [Will Boyce]
+* use circle for build/publish and add package-lock [Will Boyce]
+* add lint scripts/requirements [Will Boyce]
+* Remove `BaseError` class and  directly subclass `Error` [Will Boyce]
+* Update dependencies, clean up package/tsconfig [Will Boyce]
+
+### typed-error-2.0.1
+#### (2017-12-15)
+
+* Add LICENSE [Akis Kesoglou]
+</details>
+
+
+## open-balena-api-0.19.4
+### (2019-05-20)
+
+* Some linting fixes for resin-lint 3 [Pagan Gazzard]
+
+## open-balena-api-0.19.3
+### (2019-05-17)
+
+* Silence expected API key related rejections [Akis Kesoglou]
+
+## open-balena-api-0.19.2
+### (2019-05-17)
+
+* Update dependencies [Pagan Gazzard]
+
+## open-balena-api-0.19.1
+### (2019-05-15)
+
+* Make use of a prepared query for device state query [Pagan Gazzard]
+* Update pinejs to 10.14.0 [Pagan Gazzard]
+
+<details>
+<summary> View details </summary>
+
+### pinejs-10.14.0
+#### (2019-05-15)
+
+* Update pinejs-client-core and make use of prepared queries [Pagan Gazzard]
+
+<details>
+<summary> View details </summary>
+
+#### odata-parser-1.0.3
+##### (2019-05-08)
+
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### odata-parser-1.0.2
+##### (2019-04-15)
+
+* Update dependencies [Pagan Gazzard]
+
+#### abstract-sql-compiler-6.4.2
+##### (2019-05-09)
+
+* Update and fix lodash typings [Pagan Gazzard]
+* Update husky/mocha dev dependencies [Pagan Gazzard]
+
+#### abstract-sql-compiler-6.4.1
+##### (2019-05-08)
+
+* Fix typescript compilation [Pagan Gazzard]
+
+<details>
+<summary> View details </summary>
+
+##### sbvr-parser-0.2.2
+###### (2019-05-08)
+
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+</details>
+
+* Add node 12 tests [Pagan Gazzard]
+* Add repo.yml for upstream changelogs [Pagan Gazzard]
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### pinejs-client-js-5.5.1
+##### (2019-05-15)
+
+* Fix downstream declaration creation errors due to `Dictionary` [Pagan Gazzard]
+
+#### pinejs-client-js-5.5.0
+##### (2019-05-15)
+
+* Add a prepare method that prepares a query into a function [Pagan Gazzard]
+
+#### pinejs-client-js-5.4.1
+##### (2019-05-10)
+
+* Add CODEOWNERS [Gergely Imreh]
+
+#### pinejs-client-js-5.4.0
+##### (2019-05-10)
+
+* Add support for parameter aliases in resource ids [Pagan Gazzard]
+
+#### pinejs-client-js-5.3.10
+##### (2019-05-10)
+
+* Deduplicate transformation of GET results [Pagan Gazzard]
+
+#### pinejs-client-js-5.3.9
+##### (2019-05-10)
+
+* Simplify how we expose types, which means `subscribe` is now exposed [Pagan Gazzard]
+
+#### pinejs-client-js-5.3.8
+##### (2019-05-09)
+
+* Add automatic formatting via prettier [Pagan Gazzard]
+
+#### pinejs-client-js-5.3.7
+##### (2019-05-08)
+
+* Remove node 4 build, add node 12 [Pagan Gazzard]
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### odata-to-abstract-sql-3.1.2
+##### (2019-05-08)
+
+* Add node 12 tests [Pagan Gazzard]
+* Add repo.yml for upstream changelogs [Pagan Gazzard]
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### sbvr-types-2.0.3
+##### (2019-05-08)
+
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### sbvr-parser-0.2.2
+##### (2019-05-08)
+
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+</details>
+
+
+### pinejs-10.13.3
+#### (2019-05-14)
+
+* Fix possible null error when using a parameter alias with no value [Pagan Gazzard]
+
+### pinejs-10.13.2
+#### (2019-05-08)
+
+* Add repo.yml for nested changelogs [Pagan Gazzard]
+
+### pinejs-10.13.1
+#### (2019-05-06)
+
+* Add node 12 to the circle tests [Pagan Gazzard]
+
+### pinejs-10.13.0
+#### (2019-05-06)
+
+* Expose odata-compiler as a bin script [Pagan Gazzard]
+
+### pinejs-10.12.0
+#### (2019-05-01)
+
+* Expose sbvr-compiler as a bin script [Pagan Gazzard]
+* Move odata-metadata-generator into odata-metadata directory [Pagan Gazzard]
+
+### pinejs-10.11.3
+#### (2019-05-01)
+
+* Update @types/lodash, avoiding `_.isObject` where necessary [Pagan Gazzard]
+
+### pinejs-10.11.2
+#### (2019-04-22)
+
+* Only validate the model if the query affected at least 1 row [Pagan Gazzard]
+
+### pinejs-10.11.1
+#### (2019-04-11)
+
+* Switch odata-metadata-generator to using an abstract sql model [Pagan Gazzard]
+</details>
+
+
+## open-balena-api-0.19.0
+### (2019-05-15)
+
+* Update target to es2018 [Pagan Gazzard]
+
+## open-balena-api-0.18.6
+### (2019-05-10)
+
+* bug: Resolve NPM dependency issues preventing startup [Rich Bayliss]
+
+## open-balena-api-0.18.5
+### (2019-05-08)
+
+* Add typed-error upstream to repo.yml [Pagan Gazzard]
+* Add open-balena-base upstream to repo.yml [Pagan Gazzard]
+
+## open-balena-api-0.18.4
+### (2019-05-06)
+
+* Disable the service start limit [Pagan Gazzard]
+* Update open-balena-base to v7.0.2 [Pagan Gazzard]
+
+## open-balena-api-0.18.3
+### (2019-05-01)
+
+* tests: Add test framework [Rich Bayliss]
+
+## open-balena-api-0.18.2
+### (2019-04-29)
+
+* Fix import ordering issue [Pagan Gazzard]
+
+## open-balena-api-0.18.1
+### (2019-04-29)
+
+* versionbot: add machine readable changelog [Gergely Imreh]
+
+## open-balena-api-0.18.0
+### (2019-04-29)
+
+* device-config: allow devices going back to v1.2.1 to use registry v2 [Gergely Imreh]
+
+## open-balena-api-0.17.4
+### (2019-04-26)
+
+* Handle requesting registry scopes with explicit indices above 20 [Pagan Gazzard]
+
+## open-balena-api-0.17.3
+### (2019-04-26)
+
+* Use more accurate `BadRequestError`s for invalid env var names [Pagan Gazzard]
+* Remove unnecessary `nameProp` argument from `addEnvHooks` [Pagan Gazzard]
+* Avoid unnecessary object creation on env var validation [Pagan Gazzard]
+
+## open-balena-api-0.17.2
+### (2019-04-24)
+
+* os-config: disable client-initiated vpn tls key renegotiation [Will Boyce]
+
+## open-balena-api-0.17.1
+### (2019-04-19)
+
+* Remove unused `DEVICE_CONFIG_OPENVPN_CONFIG` fron env backend [Pagan Gazzard]
+
+## open-balena-api-0.17.0
+### (2019-04-18)
+
+* Rename `env_var_name` to `name` to match cloud [Pagan Gazzard]
+
+## open-balena-api-0.16.1
+### (2019-04-18)
+
+* fix: Changes required to make `my_application` resource available [Rich Bayliss]
+
+## open-balena-api-0.16.0
+### (2019-04-17)
+
+* Handle `my_applications` within pinejs [Pagan Gazzard]
+
+## open-balena-api-0.15.2
+### (2019-04-17)
+
+* device-proxy: use `.balena` tld in favour of `.resin` [Will Boyce]
+
+## open-balena-api-0.15.1
+### (2019-04-17)
+
+* Update method-override to 3.x [Pagan Gazzard]
+
+## open-balena-api-0.15.0
+### (2019-04-15)
+
+* Rename `configPath` to `config` and make sure config.json is valid [Pagan Gazzard]
+
+## open-balena-api-0.14.0
+### (2019-04-11)
+
+* Whitelist the new RESIN_SUPERVISOR_INSTANT_UPDATE_TRIGGER configuration variable [Pablo Carranza Velez]
+
+## open-balena-api-0.13.3
+### (2019-04-02)
+
+* Fix `ResolvableReturnType` typing [Pagan Gazzard]
+
+## open-balena-api-0.13.2
+### (2019-04-01)
+
+* Add CODEOWNERS file [Pagan Gazzard]
+
+## open-balena-api-0.13.1
+### (2019-04-01)
+
+* Add an index for the vpn's service instance lookup [Pagan Gazzard]
+
+## open-balena-api-0.13.0
+### (2019-03-28)
+
+* Use a readTransaction for device state [Pagan Gazzard]
+* Remove runInTransaction wrapper to avoid unnecessary function creation [Pagan Gazzard]
+* Avoid need to repeateadly check for `readTransaction` existence [Pagan Gazzard]
+
+## open-balena-api-0.12.0
+### (2019-03-19)
+
+* Add build log to release resource [Stevche Radevski]
+</details>
+
+# v1.1.1
+## (2019-05-07)
+
+* docker: Update docker-compose version to latest [Heds Simons]
+
+# v1.1.0
+## (2019-05-07)
+
+* s3: Update to latest version with credentials [Heds Simons]
+
+# v1.0.2
+## (2019-04-17)
+
+* scripts: Handle missing coreutils on Mac [Roman Mazur]
+
+# v1.0.1
+## (2019-03-20)
+
+* vpn: Remove BALENA_ROOT_CA from the VPN trust chain [Rich Bayliss]
+
+# v1.0.0
+## (2019-03-15)
+
+* tags: Pin the image tags for the service stack [Rich Bayliss]
+
+# v0.2.2
+## (2019-03-08)
+
+* codeowners: Add CODEOWNERS file [Rich Bayliss]
+
+# v0.2.1
+## (2019-03-08)
+
+* certs: Add support for an ACME certificate provider [Rich Bayliss]
+
+# v0.2.0
+## (2019-01-25)
+
+* Do not publish DB and Redis ports to the host [Akis Kesoglou]
+
+# v0.1.4
+## (2019-01-10)
+
+* vagrant: Add missing Node dependency [Rich Bayliss]
+
+# v0.1.3
+## (2019-01-10)
+
+* vagrant: Improve the Vagrant file to make development easier [Rich Bayliss]
+
+# v0.1.2
+## (2018-12-20)
+
+* init: Make scripts macOS compatible [Rich Bayliss]
+
+# v0.1.1
+## (2018-12-17)
+
+* Ignore package-lock.json [Akis Kesoglou]
+* Print the proper path to root CA cert [Akis Kesoglou]
+
+# v0.1.0
+## (2018-11-20)
+
+* vagrant: Change into open-balena directory automatically [Will Boyce]
+* api: Pass full VPN CA chain to `os-config` [Will Boyce]
+* haproxy: Proxy port 3128 to vpn service [Will Boyce]
+
+# v0.0.7
+## (2018-11-14)
+
+* Update README [Akis Kesoglou]
+
 # v0.0.6
 ## (2018-11-10)

--- a/README.md
+++ b/README.md
@ -1,64 +1,143 @@
+<img alt="openBalena" src="docs/assets/openbalena-logo.svg" height="82">

-## Host requirements
+---

- Docker >= 18.05.0
- Docker Compose >= 1.11
- OpenSSL >= 1.0.0
- Python >= 2.7 or >=3.4
- NodeJS >= 4.0
+OpenBalena is a platform to deploy and manage connected devices. Devices run
+[balenaOS][balena-os-website], a host operating system designed for running
+containers on IoT devices, and are managed via the [balena CLI][balena-cli],
+which you can use to configure your application containers, push updates, check
+status, view logs, and so forth. OpenBalena’s backend services, composed of
+battle-tested components that we’ve run in production on [balenaCloud][balena-cloud-website]
+for years, can store device information securely and reliably, allow remote
+management via a built-in VPN service, and efficiently distribute container
+images to your devices.

-## Installation
+To learn more about openBalena, visit [balena.io/open][open-balena-website].

-Make sure you have the software listed above installed.

-In a terminal, clone the project with:
+## Features

-    $ git clone https://github.com/balena-io/open-balena.git
+- **Simple provisioning**: Adding devices to your fleet is a breeze
+- **Easy updates**: Remotely update the software on your devices with a single command
+- **Container-based**: Benefit from the power of virtualization, optimized for the edge
+- **Scalable**: Deploy and manage one device, or one million
+- **Powerful API & SDK**: Extend openBalena to fit your needs
+- **Built-in VPN**: Access your devices regardless of their network environment

-Change into the `open-balena` directory and run the configuration script.
-This will create a new directory, `config`, and generate appropriate SSL
-certificates and configuration for the instance.

-    $ ./scripts/quickstart
+## Getting Started

-You may optionally configure the instance to run under a custom domain name.
-The default is `openbalena.local`. For example:
+Our [Getting Started guide][getting-started] is the most direct path to getting
+an openBalena installation up and running and successfully deploying your
+application to your device(s).

-    $ ./scripts/quickstart -d mydomain.com

-For more available options, see the script's help:
+## Compatibility

-    $ ./scripts/quickstart -h
+The current release of openBalena has the following minimum version requirements:

-Start the instance with:
+- balenaOS v2.58.3
+- balena CLI v12.38.5

-    $ ./scripts/compose up -d
+If you are updating from previous openBalena versions, ensure you update the balena
+CLI and reprovision any devices to at least the minimum required versions in order
+for them to be fully compatible with this release, as some features may not work.

-Stop the instance with:

-    $ ./scripts/compose stop
+## Documentation

-To remove all traces of the instance, run the following commands and finally
-delete the configuration folder.
+While we're still working on the project documentation, please refer to the
+[balenaCloud documentation][documentation]. BalenaCloud is built on top of
+openBalena, so the core concepts and functionality is identical. The following
+sections are of particular interest:

-**WARNING**: This will remove *all* data.
+- [Overview / A balena primer](https://balena.io/docs/learn/welcome/primer)
+- [Overview / Core Concepts](https://balena.io/docs/learn/welcome/concepts)
+- [Overview / Going to production](https://balena.io/docs/learn/welcome/production-plan)
+- [Develop / Define a container](https://balena.io/docs/learn/develop/dockerfile)
+- [Develop / Multiple containers](https://balena.io/docs/learn/develop/multicontainer)
+- [Develop / Runtime](https://balena.io/docs/learn/develop/runtime)
+- [Develop / Interact with hardware](https://balena.io/docs/learn/develop/hardware)
+- [Deploy / Optimize your builds](https://balena.io/docs/learn/deploy/build-optimization)
+- [Reference](https://balena.io/docs/reference)
+- [FAQ](https://balena.io/docs/faq/troubleshooting/faq)

-    $ ./scripts/compose kill
-    $ ./scripts/compose down
-    $ docker volume rm openbalena_s3 openbalena_redis openbalena_db openbalena_registry

-### macOS & Windows
+## Getting Help

-On macOS and Windows you need Vagrant. `open-balena` is not being tested with
-docker-machine. `open-balena` comes with an appropriate `Vagrantfile` for
-setting up the VM, installing dependencies and starting the platform.
+You are welcome to submit any questions, participate in discussions and request
+help with any issue in [openBalena forums][forums]. The balena team frequents
+these forums and will be happy to help. You can also ask other community members
+for help, or contribute by answering questions posted by fellow openBalena users.
+Please do not use the issue tracker for support-related questions.

- Install Vagrant >= 2.0
- `$ vagrant plugin install vagrant-docker-compose`
- `$ vagrant up`

-When provisioning completes and the VM has started, `open-balena` services
-should be running inside the VM. You will need to expose these services to
-the outside in order for them to be reachable by devices. To do so, you must
-setup DNS for the domain name you've deployed the instance as to point to the
-VM's IP address.
+## Contributing
+
+Everyone is welcome to contribute to openBalena. There are many different ways
+to get involved apart from submitting pull requests, including helping other
+users on the [forums][forums], reporting or triaging [issues][issue-tracker],
+reviewing and discussing [pull requests][pulls], or just spreading the word.
+
+All of openBalena is hosted on GitHub. Apart from its constituent components,
+which are the [API][open-balena-api], [VPN][open-balena-vpn], [Registry][open-balena-registry],
+[S3 storage service][open-balena-s3], and [Database][open-balena-db], contributions
+are also welcome to its client-side software such as the [balena CLI][balena-cli],
+the [balena SDK][balena-sdk], [balenaOS][balena-os] and [balenaEngine][balena-engine].
+
+
+## Roadmap
+
+OpenBalena is currently in beta. While fully functional, it lacks features we
+consider important before we can comfortably call it production-ready. During
+this phase, don’t be alarmed if things don’t work as expected just yet (and
+please let us know about any bugs or errors you encounter!). The following
+improvements and new functionality is planned:
+
+- Full documentation
+- Full test suite
+- Simplified deployment
+- Remote host OS updates
+- Support for custom device types
+
+
+## Differences between openBalena and balenaCloud
+
+| openBalena                                          | balenaCloud                                                                                                                                                                                                                                                             |
+| -----                                               | ----                                                                                                                                                                                                                                                                    |
+| Device updates using full images                    | Device updates using [delta images](https://www.balena.io/docs/learn/deploy/delta/)                                                                                                                                                                                     |
+| Support for a single user                           | Support for [multiple users](https://www.balena.io/docs/learn/manage/account/#application-members)                                                                                                                                                                      |
+| Self-hosted deployment and scaling                  | balena-managed scaling and deployment |
+| Community support via [forums][forums]              | Private support on [paid plans](https://www.balena.io/pricing/)                                                                                                                                           |
+| Deploy via `balena deploy` only                     | Build remotely with native builders using [`balena push`](https://www.balena.io/docs/learn/deploy/deployment/#balena-push) or  [`git push`](https://www.balena.io/docs/learn/deploy/deployment/#git-push) |
+| No support for building via `git push`              | Use the same CI workflow with [`git push`](https://www.balena.io/docs/learn/deploy/deployment/#git-push)                                                                                                  |
+| No public URL support                               | Serve websites directly from device with [public device URLs](https://www.balena.io/docs/learn/manage/actions/#enable-public-device-url)                                                                  |
+| Management via `balena-cli` only                    | Cloud-based device management dashboard                                                                                                                                                                   |
+| Download images from [balena.io][balena-os-website] | Download preconfigured images directly from the dashboard                                                                                                                                                 |
+| No supported remote diagnostics                     | Remote device diagnostics                                                                                                                                                                                 |
+
+Additionally, refer back to the [roadmap](#roadmap) above for planned but not yet implemented features.
+
+
+## License
+
+OpenBalena is licensed under the terms of AGPL v3. See [LICENSE](LICENSE) for details.
+
+
+[balena-cli]: https://github.com/balena-io/balena-cli
+[balena-cloud-website]: https://balena.io/cloud
+[balena-engine]: https://github.com/balena-os/balena-engine
+[balena-os-website]: https://balena.io/os
+[balena-os]: https://github.com/balena-os/meta-balena
+[balena-sdk]: https://github.com/balena-io/balena-sdk
+[documentation]: https://balena.io/docs/learn/welcome/introduction/
+[forums]: https://forums.balena.io/c/open-balena
+[getting-started]: https://balena.io/open/docs/getting-started
+[issue-tracker]: https://github.com/balena-io/open-balena/issues
+[open-balena-api]: https://github.com/balena-io/open-balena-api
+[open-balena-db]: https://github.com/balena-io/open-balena-db
+[open-balena-registry]: https://github.com/balena-io/open-balena-registry
+[open-balena-s3]: https://github.com/balena-io/open-balena-s3
+[open-balena-vpn]: https://github.com/balena-io/open-balena-vpn
+[open-balena-website]: https://balena.io/open
+[pulls]: https://github.com/balena-io/open-balena/pulls
--- a/2
+++ b/2
@ -1 +1 @@
-0.0.6
+3.1.2
--- a/34
+++ b/34
@ -7,22 +7,36 @@ Vagrant.require_version '>= 2.0.0'
 end

 Vagrant.configure('2') do |config|
-  config.vm.define 'openbalenavm'
-  config.vm.box = 'bento/ubuntu-16.04'
-  config.vm.box_url = 'https://vagrantcloud.com/bento/boxes/ubuntu-16.04/versions/201808.24.0/providers/virtualbox.box'
+  config.vm.define 'openbalena'
+  config.vm.hostname = 'openbalena-vagrant'
+  config.vm.box = 'bento/ubuntu-18.04'
+
+  config.vm.network "public_network",
+    use_dhcp_assigned_default_route: true

  config.vm.synced_folder '.', '/vagrant', disabled: true
-  config.vm.synced_folder '.', '/home/vagrant/open-balena'
-  config.vm.network 'public_network', bridge: ENV.fetch('OPENBALENA_BRIDGE', '')
+  config.vm.synced_folder '.', '/home/vagrant/openbalena'

  config.ssh.forward_agent = true

  config.vm.provision :docker
-  config.vm.provision :docker_compose

-  # FIXME: remove node
-  config.vm.provision :shell, inline: 'apt-get update && apt-get install -y nodejs && rm -rf /var/lib/apt/lists/*'
+  $provision = <<-SCRIPT
+    DOCKER_COMPOSE_VERSION=1.24.0
+
+    touch /home/vagrant/.bashrc
+    grep -Fxq 'source /home/vagrant/openbalena/.openbalenarc' /home/vagrant/.bashrc || echo 'source /home/vagrant/openbalena/.openbalenarc' >> /home/vagrant/.bashrc
+
+    curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.34.0/install.sh | bash
+    source "/home/vagrant/.nvm/nvm.sh" # This loads nvm
+    nvm install 10.15.0 && nvm use 10.15.0
+
+    # Install a newer version of docker-compose
+    (cd /usr/local/bin; \
+    sudo curl -o docker-compose --silent --location https://github.com/docker/compose/releases/download/$DOCKER_COMPOSE_VERSION/docker-compose-Linux-x86_64; \
+    sudo chmod a+x docker-compose)
+  SCRIPT
+
+  config.vm.provision :shell, privileged: false, inline: $provision

-  config.vm.provision :shell, privileged: false,
-    inline: "cd /home/vagrant/open-balena && ./scripts/quickstart -p -d #{ENV.fetch('OPENBALENA_DOMAIN', 'openbalena.local')}"
 end
--- a/compose/common.yml
+++ b/compose/common.yml
@ -1,4 +1,4 @@
-version: '2.1'
+version: "2.0"

 services:
  component:
--- a/compose/mdns.yml
+++ b/compose/mdns.yml
@ -0,0 +1,31 @@
+version: "2.0"
+
+services:
+  balena-mdns-publisher:
+    image: balena/balena-mdns-publisher:${OPENBALENA_MDNS_PUBLISHER_VERSION_TAG}
+    network_mode: "host"
+    cap_add:
+        - SYS_RESOURCE
+        - SYS_ADMIN
+    security_opt:
+        - apparmor:unconfined
+    tmpfs:
+        - /run
+        - /sys/fs/cgroup
+    # balenaOS - Required for host DBus comms. Not required for standalone Linux
+    labels:
+        io.balena.features.dbus: '1'
+        io.balena.features.supervisor-api: '1'
+    environment:
+        CONFD_BACKEND: ENV
+        # The name of the TLD to use. This *must* match certificates used for the rest of
+        # the resin backend (eg. that for BALENA_ROOT_CA if present).
+        MDNS_TLD: ${OPENBALENA_HOST_NAME}
+        # List of subdomains to advertise. This must include all required hosts.
+        MDNS_SUBDOMAINS: '["api", "db", "registry", "s3", "tunnel", "vpn"]'
+        # The expectation is the DBus socket to use is always at the following location.
+        DBUS_SESSION_BUS_ADDRESS: "unix:path=/host/run/dbus/system_bus_socket"
+        # Selects the interface used for incoming connections from the wider subnet.
+        # For NUCs, this is `eno1`. If running natively, pick the appropriate interface.
+        # Alternatively, keep the default commented out to autoselect.
+        #INTERFACE: "eno1"
--- a/compose/services.yml
+++ b/compose/services.yml
@ -1,17 +1,19 @@
-version: '2.1'
+version: "2.0"

 volumes:
-  db:
-  registry:
-  s3:
-  redis:
+  certs: {}
+  cert-provider: {}
+  db: {}
+  redis: {}
+  registry: {}
+  s3: {}

 services:
  api:
    extends:
      file: ./common.yml
      service: component
-    image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG:-master}
+    image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG}
    depends_on:
      - db
      - s3
@ -20,36 +22,35 @@ services:
      API_VPN_SERVICE_API_KEY: ${OPENBALENA_API_VPN_SERVICE_API_KEY}
      BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
      COOKIE_SESSION_SECRET: ${OPENBALENA_COOKIE_SESSION_SECRET}
-      DB_HOST: db.${OPENBALENA_HOST_NAME}
+      DB_HOST: db
      DB_PASSWORD: docker
      DB_PORT: 5432
      DB_USER: docker
      DELTA_HOST: delta.${OPENBALENA_HOST_NAME}
-      DEVICE_CONFIG_OPENVPN_CONFIG: ${OPENBALENA_VPN_CONFIG}
-      DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA}
+      DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA_CHAIN}
      DEVICE_CONFIG_SSH_AUTHORIZED_KEYS: ${OPENBALENA_SSH_AUTHORIZED_KEYS}
      HOST: api.${OPENBALENA_HOST_NAME}
      IMAGE_MAKER_URL: img.${OPENBALENA_HOST_NAME}
      IMAGE_STORAGE_BUCKET: resin-production-img-cloudformation
-      IMAGE_STORAGE_PREFIX: resinos
+      IMAGE_STORAGE_PREFIX: images
      IMAGE_STORAGE_ENDPOINT: s3.amazonaws.com
      JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080
      JSON_WEB_TOKEN_SECRET: ${OPENBALENA_JWT_SECRET}
      MIXPANEL_TOKEN: __unused__
-      PRODUCTION_MODE: '${OPENBALENA_PRODUCTION_MODE}'
+      PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
      PUBNUB_PUBLISH_KEY: __unused__
      PUBNUB_SUBSCRIBE_KEY: __unused__
-      REDIS_HOST: redis.${OPENBALENA_HOST_NAME}
+      REDIS_HOST: redis
      REDIS_PORT: 6379
      REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME}
      REGISTRY_HOST: registry.${OPENBALENA_HOST_NAME}
-      SENTRY_DSN:
+      SENTRY_DSN: ""
      TOKEN_AUTH_BUILDER_TOKEN: ${OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN}
      TOKEN_AUTH_CERT_ISSUER: api.${OPENBALENA_HOST_NAME}
      TOKEN_AUTH_CERT_KEY: ${OPENBALENA_TOKEN_AUTH_KEY}
      TOKEN_AUTH_CERT_KID: ${OPENBALENA_TOKEN_AUTH_KID}
      TOKEN_AUTH_CERT_PUB: ${OPENBALENA_TOKEN_AUTH_PUB}
-      TOKEN_AUTH_JWT_ALGO: 'ES256'
+      TOKEN_AUTH_JWT_ALGO: "ES256"
      VPN_HOST: vpn.${OPENBALENA_HOST_NAME}
      VPN_PORT: 443
      VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY}
@ -60,9 +61,8 @@ services:
    extends:
      file: ./common.yml
      service: component
-    image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG:-master}
+    image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG}
    depends_on:
-      - api
      - s3
      - redis
    volumes:
@ -73,10 +73,16 @@ services:
      BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
      BALENA_TOKEN_AUTH_ISSUER: api.${OPENBALENA_HOST_NAME}
      BALENA_TOKEN_AUTH_REALM: https://api.${OPENBALENA_HOST_NAME}/auth/v1/token
-      COMMON_REGION: 
-      REGISTRY2_S3_BUCKET: 
-      REGISTRY2_S3_KEY: 
-      REGISTRY2_S3_SECRET: 
+      COMMON_REGION: ${OPENBALENA_S3_REGION}
+      REGISTRY2_CACHE_ENABLED: "false"
+      REGISTRY2_CACHE_ADDR: 127.0.0.1:6379
+      REGISTRY2_CACHE_DB: 0
+      REGISTRY2_CACHE_MAXMEMORY_MB: 1024 # megabytes
+      REGISTRY2_CACHE_MAXMEMORY_POLICY: allkeys-lru
+      REGISTRY2_S3_REGION_ENDPOINT: ${OPENBALENA_S3_ENDPOINT}
+      REGISTRY2_S3_BUCKET: ${OPENBALENA_REGISTRY2_S3_BUCKET}
+      REGISTRY2_S3_KEY: ${OPENBALENA_S3_ACCESS_KEY}
+      REGISTRY2_S3_SECRET: ${OPENBALENA_S3_SECRET_KEY}
      REGISTRY2_SECRETKEY: ${OPENBALENA_REGISTRY_SECRET_KEY}
      REGISTRY2_STORAGEPATH: /data

@ -84,7 +90,7 @@ services:
    extends:
      file: ./common.yml
      service: component
-    image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG:-master}
+    image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG}
    depends_on:
      - api
    cap_add:
@ -94,10 +100,10 @@ services:
      BALENA_API_HOST: api.${OPENBALENA_HOST_NAME}
      BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
      BALENA_VPN_PORT: 443
-      PRODUCTION_MODE: '${OPENBALENA_PRODUCTION_MODE}'
+      PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
      RESIN_VPN_GATEWAY: 10.2.0.1
-      SENTRY_DSN: 
-      VPN_HAPROXY_USEPROXYPROTOCOL: 'true'
+      SENTRY_DSN: ""
+      VPN_HAPROXY_USEPROXYPROTOCOL: "true"
      VPN_OPENVPN_CA_CRT: ${OPENBALENA_VPN_CA}
      VPN_OPENVPN_SERVER_CRT: ${OPENBALENA_VPN_SERVER_CRT}
      VPN_OPENVPN_SERVER_DH: ${OPENBALENA_VPN_SERVER_DH}
@ -108,17 +114,21 @@ services:
    extends:
      file: ./common.yml
      service: system
-    image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG:-master}
+    image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG}
    volumes:
      - db:/var/lib/postgresql/data

  s3:
    extends:
      file: ./common.yml
-      service: system
-    image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG:-master}
+      service: component
+    image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG}
    volumes:
      - s3:/export
+    environment:
+      S3_MINIO_ACCESS_KEY: ${OPENBALENA_S3_ACCESS_KEY}
+      S3_MINIO_SECRET_KEY: ${OPENBALENA_S3_SECRET_KEY}
+      BUCKETS: ${OPENBALENA_S3_BUCKETS}

  redis:
    extends:
@ -132,20 +142,23 @@ services:
    extends:
      file: ./common.yml
      service: system
-    build: ../haproxy
+    build: ../src/haproxy
    depends_on:
      - api
-      - registry
-      - vpn
+      - cert-provider
      - db
      - s3
      - redis
+      - registry
+      - vpn
    ports:
      - "80:80"
-      - "222:222"
      - "443:443"
-      - "5432:5432"
-      - "6379:6379"
+      - "3128:3128"
+    expose:
+      - "222"
+      - "5432"
+      - "6379"
    networks:
      default:
        aliases:
@ -155,8 +168,21 @@ services:
          - db.${OPENBALENA_HOST_NAME}
          - s3.${OPENBALENA_HOST_NAME}
          - redis.${OPENBALENA_HOST_NAME}
+          - tunnel.${OPENBALENA_HOST_NAME}
    environment:
      BALENA_HAPROXY_CRT: ${OPENBALENA_ROOT_CRT}
      BALENA_HAPROXY_KEY: ${OPENBALENA_ROOT_KEY}
      BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
      HAPROXY_HOSTNAME: ${OPENBALENA_HOST_NAME}
+    volumes:
+      - certs:/certs:ro
+
+  cert-provider:
+    build: ../src/cert-provider
+    volumes:
+      - certs:/certs
+      - cert-provider:/usr/src/app/certs
+    environment:
+      ACTIVE: ${OPENBALENA_ACME_CERT_ENABLED}
+      DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME},tunnel.${OPENBALENA_HOST_NAME}"
+      OUTPUT_PEM: /certs/open-balena.pem
--- a/compose/template.yml
+++ b/compose/template.yml
@ -7,4 +7,4 @@
 # `compose/services.yml` as the "base" config.
 #
 # You may view the effective config with `scripts/compose config`.
-version: '2.1'
+version: "2.0"
--- a/compose/versions
+++ b/compose/versions
@ -0,0 +1,6 @@
+export OPENBALENA_API_VERSION_TAG=v0.109.2
+export OPENBALENA_DB_VERSION_TAG=v4.1.0
+export OPENBALENA_MDNS_PUBLISHER_VERSION_TAG=v1.7.9
+export OPENBALENA_REGISTRY_VERSION_TAG=v2.13.11
+export OPENBALENA_S3_VERSION_TAG=v2.9.9
+export OPENBALENA_VPN_VERSION_TAG=v9.16.1
--- a/docs/assets/openbalena-logo.svg
+++ b/docs/assets/openbalena-logo.svg
@ -0,0 +1,8 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="228" height="42" viewBox="0 0 228 42">
+    <g fill="none" fill-rule="evenodd">
+        <path fill="#00D2EA" d="M57.231 23.086c0 2.186 1.667 3.8 3.635 3.8 1.968 0 3.635-1.614 3.635-3.828 0-2.213-1.667-3.826-3.635-3.826-1.968 0-3.635 1.613-3.635 3.826v.028zm-4.537-.055c0-3.69 2.651-8.035 8.172-8.035 5.521 0 8.172 4.346 8.172 8.062 0 3.718-2.65 8.063-8.172 8.063-5.52 0-8.172-4.345-8.172-8.063v-.027zM83.55 23.059c0-1.776-1.312-3.854-3.8-3.854-1.093 0-2.05.437-2.732 1.148-.657.684-1.067 1.667-1.067 2.76 0 1.067.41 2.023 1.094 2.706a3.82 3.82 0 0 0 2.706 1.12c2.378 0 3.799-1.94 3.799-3.853v-.027zm-11.944-7.57h4.264v1.666c.984-1.147 2.487-2.186 4.81-2.186 5.384 0 7.407 4.728 7.407 8.253 0 4.374-3.061 7.954-7.38 7.954-2.733 0-4.018-1.312-4.564-1.886v6.424h-4.537V15.488zM101.204 21.2c-.11-.71-1.038-2.405-3.389-2.405-2.35 0-3.28 1.695-3.389 2.405h6.778zm-6.833 3.444c.191 1.612 1.722 2.678 3.499 2.678 1.448 0 2.214-.628 2.76-1.42h4.647c-.738 1.694-1.804 3.006-3.088 3.88a7.373 7.373 0 0 1-4.32 1.367c-4.344 0-8.035-3.526-8.035-8.036 0-4.236 3.335-8.144 7.954-8.144 2.323 0 4.318.902 5.74 2.405 1.913 2.05 2.487 4.482 2.131 7.27H94.371zM108.31 15.488h4.235v1.613c.52-.738 1.476-2.132 4.182-2.132 5.111 0 5.63 4.154 5.63 6.204v9.484h-4.537v-8.282c0-1.667-.355-3.143-2.377-3.143-2.241 0-2.597 1.613-2.597 3.17v8.255h-4.537V15.488zM33.85 15.174v11.583c0 1.704-.918 3.29-2.395 4.139l-10.1 5.807c-.27.155-.55.277-.839.372v4.636c.49-.128.96-.312 1.396-.564l13.117-7.542a5.92 5.92 0 0 0 2.962-5.118V13.444c0-.512-.077-1.017-.213-1.513l-4.015 2.382c.054.281.087.568.087.86M2.955 8.323c-.515.297-.98.682-1.385 1.128l3.986 2.365c.29-.298.605-.57.974-.783L16.59 5.23a4.79 4.79 0 0 1 4.766-.003l10.1 5.808c.303.174.573.388.823.621l3.967-2.353c-.368-.377-.764-.717-1.216-.978L21.913.783a5.927 5.927 0 0 0-5.895.004L2.955 8.323zM16.588 36.7L6.53 30.898a4.787 4.787 0 0 1-2.39-4.136V15.17c0-.21.027-.417.056-.623L.163 12.154A5.72 5.72 0 0 0 0 13.437v15.056a5.918 5.918 0 0 0 2.955 5.114l13.063 7.537c.454.262.943.452 1.456.582v-4.643a4.517 4.517 0 0 1-.886-.382"/>
+        <g fill="#2A506F">
+            <path d="M132.219 20.286c-.995.804-1.492 1.83-1.492 3.077 0 1.32.458 2.426 1.372 3.321.915.895 2.118 1.342 3.609 1.342 1.411 0 2.554-.426 3.43-1.279.874-.85 1.311-1.912 1.311-3.181 0-1.25-.437-2.315-1.312-3.194-.875-.88-2.018-1.32-3.43-1.32-1.332.019-2.495.43-3.488 1.234zM127 11h3.966v6.588h.06c.437-.578 1.018-1.025 1.745-1.342a8.611 8.611 0 0 1 2.251-.637c.199-.018.387-.031.567-.04.178-.01.358-.014.536-.014 2.426 0 4.414.805 5.965 2.413 1.55 1.609 2.326 3.47 2.326 5.584 0 .308-.02.629-.06.963a5.71 5.71 0 0 1-.209.99 8.547 8.547 0 0 1-.716 1.898 7.322 7.322 0 0 1-1.132 1.626 7.133 7.133 0 0 1-2.714 1.857 9 9 0 0 1-3.34.638c-1.134 0-2.182-.196-3.147-.584-.965-.388-1.764-1.025-2.4-1.911l-.06-.027v2.033H127V11zM159.655 23.499c0-1.247-.443-2.3-1.328-3.16-.885-.858-2.033-1.278-3.444-1.26-1.452-.018-2.64.416-3.564 1.302-.924.886-1.386 1.988-1.386 3.307 0 1.23.481 2.264 1.446 3.104.964.84 2.112 1.253 3.444 1.234 1.432.019 2.595-.407 3.49-1.274.894-.868 1.342-1.943 1.342-3.226v-.027zm3.757 7.536h-3.638v-2.033h-.06c-.497.65-1.154 1.184-1.969 1.6a8.656 8.656 0 0 1-2.534.84l-.551.054c-.19.018-.374.027-.552.027-1.273 0-2.427-.222-3.46-.664a7.556 7.556 0 0 1-2.624-1.83 7.805 7.805 0 0 1-1.52-2.494 8.312 8.312 0 0 1-.538-2.983c0-1.048.164-2.014.492-2.9.329-.885.87-1.717 1.625-2.494.836-.886 1.764-1.541 2.789-1.966 1.024-.424 2.141-.637 3.355-.637 1.133 0 2.177.222 3.13.664a6.44 6.44 0 0 1 2.417 1.939v-2.142h3.638v15.019zM166.364 31.035h3.966V11h-3.966zM186.046 21.926c-.319-.886-.895-1.582-1.73-2.087a5.247 5.247 0 0 0-2.773-.76h-.24a5.695 5.695 0 0 0-2.683.847c-.835.51-1.391 1.176-1.67 2h9.096zm-9.036 3.2c.298.885.85 1.59 1.655 2.113a4.842 4.842 0 0 0 2.699.787c.755 0 1.465-.118 2.131-.352.666-.236 1.189-.552 1.567-.95l4.384-.027c-.498 1.356-1.506 2.5-3.027 3.43-1.521.93-3.157 1.396-4.906 1.396-2.406 0-4.458-.763-6.158-2.29-1.7-1.527-2.55-3.385-2.55-5.572 0-2.223.845-4.13 2.535-5.72 1.69-1.59 3.767-2.386 6.232-2.386 2.366 0 4.37.789 6.01 2.366 1.64 1.576 2.46 3.41 2.46 5.5 0 .235-.015.465-.045.69-.03.225-.065.446-.105.662-.02.073-.035.136-.044.19a.888.888 0 0 0-.015.162H177.01zM192.607 16.016h3.668V17.4h.06c.456-.56 1.058-.994 1.804-1.302a7.395 7.395 0 0 1 2.34-.542h.597c.079 0 .16.01.239.027a6.924 6.924 0 0 1 2.31.57c.747.325 1.388.75 1.924 1.273l.224.204c.07.063.134.14.194.23.635.814 1.014 1.682 1.133 2.603.12.922.18 1.862.18 2.82v7.753h-3.967v-7.781c0-.253-.01-.505-.03-.759a7.26 7.26 0 0 0-.21-1.152c-.099-.37-.248-.709-.446-1.017a2.753 2.753 0 0 0-1.06-.868 3.827 3.827 0 0 0-1.385-.379h-.373c-.07 0-.144.01-.224.027a3.904 3.904 0 0 0-1.342.421 2.63 2.63 0 0 0-1.014.88c-.198.29-.348.629-.447 1.018-.1.388-.16.781-.18 1.179-.02.235-.029.47-.029.705v7.726h-3.966V16.016zM223.472 23.499c0-1.247-.443-2.3-1.327-3.16-.885-.858-2.034-1.278-3.444-1.26-1.453-.018-2.64.416-3.564 1.302-.924.886-1.388 1.988-1.388 3.307 0 1.23.483 2.264 1.447 3.104.964.84 2.113 1.253 3.445 1.234 1.431.019 2.594-.407 3.489-1.274.894-.868 1.342-1.943 1.342-3.226v-.027zm3.758 7.536h-3.64v-2.033h-.058c-.498.65-1.154 1.184-1.969 1.6a8.666 8.666 0 0 1-2.535.84l-.551.054c-.19.018-.373.027-.552.027-1.272 0-2.426-.222-3.46-.664a7.548 7.548 0 0 1-2.623-1.83 7.796 7.796 0 0 1-1.521-2.494 8.312 8.312 0 0 1-.538-2.983c0-1.048.165-2.014.492-2.9.33-.885.87-1.717 1.626-2.494.835-.886 1.764-1.541 2.788-1.966 1.024-.424 2.142-.637 3.355-.637 1.133 0 2.177.222 3.131.664a6.44 6.44 0 0 1 2.416 1.939v-2.142h3.639v15.019z"/>
+        </g>
+    </g>
+</svg>
--- a/haproxy/Dockerfile
+++ b/haproxy/Dockerfile
@ -1,6 +0,0 @@
-FROM haproxy:1.8-alpine
-
-COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
-COPY entry.sh /open-balena-entry
-
-CMD /open-balena-entry
--- a/haproxy/entry.sh
+++ b/haproxy/entry.sh
@ -1,11 +0,0 @@
-#!/bin/sh
-set -e
-
-HAPROXY_CHAIN=/etc/ssl/private/open-balena.pem
-mkdir -p "$(dirname "${HAPROXY_CHAIN}")"
-(
-    echo "${BALENA_HAPROXY_CRT}" | base64 -d
-    echo "${BALENA_HAPROXY_KEY}" | base64 -d
-    echo "${BALENA_ROOT_CA}" | base64 -d
-) > "${HAPROXY_CHAIN}"
-exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg
--- a/package-lock.json
+++ b/package-lock.json
@ -1,3 +0,0 @@
-{
-  "lockfileVersion": 1
-}
--- a/repo.yml
+++ b/repo.yml
@ -1,2 +1,15 @@
-type: 'generic'
+type: "generic"
 reviewers: 1
+upstream:
+  - repo: open-balena-api
+    url: https://github.com/balena-io/open-balena-api
+  - repo: open-balena-vpn
+    url: https://github.com/balena-io/open-balena-vpn
+  - repo: open-balena-registry
+    url: https://github.com/balena-io/open-balena-registry
+  - repo: open-balena-db
+    url: https://github.com/balena-io/open-balena-db
+  - repo: open-balena-s3
+    url: https://github.com/balena-io/open-balena-s3
+  - repo: balena-mdns-publisher
+    url: https://github.com/balena-io/balena-mdns-publisher
--- a/scripts/_realpath
+++ b/scripts/_realpath
@ -0,0 +1,35 @@
+#!/bin/bash -e
+
+echo_error() {
+    local RED=`tput setaf 1`
+    local RESET=`tput sgr0`
+    echo "${RED}ERROR: ${1}${RESET}"
+}
+
+REALPATH=
+REALPATHS=(
+    'realpath'
+    'grealpath'
+    'greadlink -f'
+)
+for cmd in "${REALPATHS[@]}"; do
+if command -v "${cmd%% *}" &>/dev/null; then
+    REALPATH="${cmd}"
+    break
+fi
+done
+
+if [ -z "${REALPATH}" ]; then
+    echo_error 'Unable to find suitable command for realpath.'
+    if [ $(uname) == 'Darwin' ]; then
+        echo 'GNU coreutils are required to build openBalena on macOS. To install with brew, run'
+        echo ''
+        echo '    brew install coreutils'
+        echo ''
+    fi
+    exit 1
+fi
+
+realpath() {
+  echo $(command ${REALPATH} "$@")
+}
--- a/scripts/compose
+++ b/scripts/compose
@ -1,5 +1,7 @@
 #!/bin/bash -e

+source "${BASH_SOURCE%/*}/_realpath"
+
 CMD="$(realpath "$0")"
 DIR="$(dirname "${CMD}")"
 BASE_DIR="$(dirname "${DIR}")"
@ -9,6 +11,16 @@ echo_bold() {
  printf "\\033[1m%s\\033[0m\\n" "$@"
 }

+echo_bold_stderr() {
+  printf "\\033[1m%s\\033[0m\\n" "$@" 1>&2
+}
+
+VERSIONS_FILE="${BASE_DIR}/compose/versions"
+if [ ! -f "$VERSIONS_FILE" ]; then
+  echo_bold "No service versions defined in ${VERSIONS_FILE}"
+  exit 1
+fi
+
 ENV_FILE="${CONFIG_DIR}/activate"
 if [ ! -f "$ENV_FILE" ]; then
  echo_bold 'No configuration found; please create one first with: ./scripts/quickstart'
@ -16,9 +28,20 @@ if [ ! -f "$ENV_FILE" ]; then
  exit 1
 fi

+source "${ENV_FILE}"
+
+# only include the MDNS publisher IF the domain is valid...
+if [ ${OPENBALENA_HOST_NAME: -6} == ".local" ]; then
+  INCLUDE_MDNS="-f ${BASE_DIR}/compose/mdns.yml"
+fi
+
+# show a warning to update your balena CLI tool...
+echo_bold_stderr "IMPORTANT: Please update your Balena CLI installation to version v12.38.5"
+
 # shellcheck source=/dev/null
-source "${ENV_FILE}"; docker-compose \
+source "${VERSIONS_FILE}"; docker-compose \
  --project-name 'openbalena' \
  -f "${BASE_DIR}/compose/services.yml" \
+  ${INCLUDE_MDNS} \
  -f "${CONFIG_DIR}/docker-compose.yml" \
  "$@"
--- a/scripts/create-superuser
+++ b/scripts/create-superuser
@ -18,6 +18,8 @@ echo_bold() {
  printf "\\033[1m%s\\033[0m\\n" "${@}"
 }

+source "${BASH_SOURCE%/*}/_realpath"
+
 CMD="$(realpath "$0")"
 DIR="$(dirname "${CMD}")"
 FIG="${DIR}/compose"
--- a/scripts/gen-root-ca
+++ b/scripts/gen-root-ca
@ -22,12 +22,14 @@ OUT="$(realpath "${2:-.}")"
 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"

-# Create a secret key and CA file for the self-signed CA
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" init-pki 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="ca.${CN}" build-ca nopass 2>/dev/null
 ROOT_CA="${ROOT_PKI}/ca.crt"
-echo "ROOT_CA=${ROOT_CA//$OUT/\$OUT}"

-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+if [ ! -f $ROOT_CA ]; then
+  # Create a secret key and CA file for the self-signed CA
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" init-pki 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="ca.${CN}" build-ca nopass 2>/dev/null
+
+  # update indexes and generate CRLs
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+fi
--- a/scripts/gen-root-cert
+++ b/scripts/gen-root-cert
@ -22,13 +22,15 @@ OUT="$(realpath "${2:-.}")"
 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"

-# generate default CSR and sign (root + wildcard)
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass 2>/dev/null
 ROOT_CRT="${ROOT_PKI}"'/issued/*.'"${CN}"'.crt'
 ROOT_KEY="${ROOT_PKI}"'/private/*.'"${CN}"'.key'
-echo "ROOT_CRT=${ROOT_CRT//$OUT/\$OUT}"
-echo "ROOT_KEY=${ROOT_KEY//$OUT/\$OUT}"

-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+if [ ! -f $ROOT_CRT ] || [ ! -f $ROOT_KEY ]; then
+  rm -f $ROOT_CRT $ROOT_KEY
+  # generate default CSR and sign (root + wildcard)
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" --days="${CRT_EXPIRY_DAYS}" --subject-alt-name="DNS:*.${CN}" build-server-full "*.${CN}" nopass 2>/dev/null
+
+  # update indexes and generate CRLs
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
+fi;
--- a/scripts/gen-token-auth-cert
+++ b/scripts/gen-token-auth-cert
@ -42,13 +42,12 @@ JWT_CRT="${CERT_FILE}.crt"
 JWT_KEY="${CERT_FILE}.pem"
 JWT_KID="${CERT_FILE}.kid"

-mkdir -p "${CERT_DIR}"
-openssl ecparam -name prime256v1 -genkey -noout -out "${JWT_KEY}" 2>/dev/null
-openssl req -x509 -new -nodes -days "${CRT_EXPIRY_DAYS}" -key "${JWT_KEY}" -subj "/CN=api.${CN}" -out "${JWT_CRT}" 2>/dev/null
-openssl ec -in "${JWT_KEY}" -pubout -outform DER -out "${CERT_FILE}.der" 2>/dev/null
-keyid "${CERT_FILE}.der" >"${JWT_KID}"
-rm "${CERT_FILE}.der"
-
-echo "JWT_CRT=${JWT_CRT//$OUT/\$OUT}"
-echo "JWT_KEY=${JWT_KEY//$OUT/\$OUT}"
-echo "JWT_KID=${JWT_KID//$OUT/\$OUT}"
+if [ ! -f $JWT_CRT ] || [ ! -f $JWT_KEY ] || [ ! -f $JWT_KID ]; then
+  rm -f $JWT_CRT $JWT_KEY $JWT_KID
+  mkdir -p "${CERT_DIR}"
+  openssl ecparam -name prime256v1 -genkey -noout -out "${JWT_KEY}" 2>/dev/null
+  openssl req -x509 -new -nodes -days "${CRT_EXPIRY_DAYS}" -key "${JWT_KEY}" -subj "/CN=api.${CN}" -out "${JWT_CRT}" 2>/dev/null
+  openssl ec -in "${JWT_KEY}" -pubout -outform DER -out "${CERT_FILE}.der" 2>/dev/null
+  keyid "${CERT_FILE}.der" >"${JWT_KID}"
+  rm "${CERT_FILE}.der"
+fi
--- a/scripts/gen-vpn-certs
+++ b/scripts/gen-vpn-certs
@ -21,33 +21,28 @@ OUT="$(realpath "${2:-.}")"

 # shellcheck source=scripts/ssl-common.sh
 source "${DIR}/ssl-common.sh"
+
 VPN_PKI="$(realpath "${OUT}/vpn")"
-
-# generate VPN sub-CA
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" init-pki 2>/dev/null
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="vpn-ca.${CN}" build-ca nopass subca 2>/dev/null
-
-# import sub-CA CSR into root PKI, sign, and copy back to vpn PKI
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" import-req "${VPN_PKI}/reqs/ca.req" "vpn-ca" 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" sign-req ca "vpn-ca" 2>/dev/null
-cp "${ROOT_PKI}/issued/vpn-ca.crt" "${VPN_PKI}/ca.crt"
 VPN_CA="${VPN_PKI}/ca.crt"
-echo "VPN_CA=${VPN_CA//$OUT/\$OUT}"
-
-# generate and sign vpn server certificate
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CRT_EXPIRY_DAYS}" build-server-full "vpn.${CN}" nopass 2>/dev/null
 VPN_CRT="${VPN_PKI}/issued/vpn.${CN}.crt"
 VPN_KEY="${VPN_PKI}/private/vpn.${CN}.key"
-echo "VPN_CRT=${VPN_CRT//$OUT/\$OUT}"
-echo "VPN_KEY=${VPN_KEY//$OUT/\$OUT}"
-
-# generate vpn dhparams (keysize of 2048 will do, 4096 can wind up taking hours to generate)
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" --keysize=2048 gen-dh 2>/dev/null
 VPN_DH="${VPN_PKI}/dh.pem"
-echo "VPN_DH=${VPN_DH//$OUT/\$OUT}"

-# update indexes and generate CRLs
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" update-db 2>/dev/null
-"$easyrsa_bin" --pki-dir="${ROOT_PKI}" gen-crl 2>/dev/null
-"$easyrsa_bin" --pki-dir="${VPN_PKI}" gen-crl 2>/dev/null
+if [ ! -f $VPN_CA ] || [ ! -f $VPN_CRT ] || [ ! -f $VPN_KEY ] || [ ! -f $VPN_DH ]; then
+
+  rm -f $VPN_CA $VPN_CRT $VPN_DH $VPN_KEY
+
+  # generate VPN CA
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" init-pki &>/dev/null
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CA_EXPIRY_DAYS}" --req-cn="vpn-ca.${CN}" build-ca nopass 2>/dev/null
+
+  # generate and sign vpn server certificate
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --days="${CRT_EXPIRY_DAYS}" build-server-full "vpn.${CN}" nopass 2>/dev/null
+
+  # generate vpn dhparams (keysize of 2048 will do, 4096 can wind up taking hours to generate)
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" --keysize=2048 gen-dh 2>/dev/null
+
+  # update indexes and generate CRLs
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" update-db 2>/dev/null
+  "$easyrsa_bin" --pki-dir="${VPN_PKI}" gen-crl 2>/dev/null
+fi
--- a/scripts/logger.sh
+++ b/scripts/logger.sh
@ -0,0 +1,62 @@
+#!/bin/sh
+
+BLACK=`tput setaf 0`
+RED=`tput setaf 1`
+GREEN=`tput setaf 2`
+YELLOW=`tput setaf 3`
+BLUE=`tput setaf 4`
+MAGENTA=`tput setaf 5`
+CYAN=`tput setaf 6`
+WHITE=`tput setaf 7`
+
+BOLD=`tput bold`
+RESET=`tput sgr0`
+
+log_raw () {
+    local COLOR="${WHITE}"
+    local LEVEL="${1}"
+    local MESSAGE="${2}"
+    case "${LEVEL}" in
+        info)
+            COLOR="${BLUE}"
+            ;;
+        warn)
+            COLOR="${YELLOW}"
+            ;;
+        fatal)
+            COLOR="${RED}"
+            ;;
+        *)
+            LEVEL="debug"
+            ;;
+    esac
+    LEVEL="${LEVEL}     "
+    echo "[$(date +%T)] ${COLOR}$(echo "${LEVEL:0:5}" | tr '[:lower:]' '[:upper:]')${RESET} ${MESSAGE}";
+}
+
+log () {
+    log_raw "debug" "${1}"
+}
+
+info () {
+    log_raw "info" "${1}";
+}
+
+warn () {
+    log_raw "warn" "${1}";
+}
+
+die () {
+    log_raw "fatal" "${1}";
+    exit 1;
+}
+
+die_unless_forced () {
+    if [ ! -z "$1" ]; then
+        log_raw "warn" "$2";
+        return;
+    fi
+    
+    log_raw "fatal" "$2";
+    die "Use -f to forcibly upgrade.";
+}
--- a/scripts/make-env
+++ b/scripts/make-env
@ -12,10 +12,12 @@ usage() {
  echo "  JWT_CRT    Path to Token Auth certificate"
  echo "  JWT_KEY    Path to Token Auth private key"
  echo "  JWT_KID    Path to KeyID for the Token Auth certificate"
-  echo "  VPN_CA     Path to the VPN sub-CA certificate"
+  echo "  VPN_CA     Path to the VPN CA certificate"
  echo "  VPN_CRT    Path to the VPN server certificate"
  echo "  VPN_KEY    Path to the VPN server private key"
  echo "  VPN_DH     Path to the VPN server Diffie Hellman parameters"
+  echo "  SUPERUSER_EMAIL     Email address of the superuser"
+  echo "  SUPERUSER_PASSWORD  Password of the superuser"
  echo
 }

@ -31,60 +33,45 @@ randstr() {
 }

 b64encode() {
-  cat "$@" | base64 --wrap=0 2>/dev/null || cat "$@" | base64 --break=0
+    echo "$@" | base64 --wrap=0 2>/dev/null || echo "$@" | base64 --break=0 2>/dev/null
 }

-VPN_CONFIG=$(b64encode <<STR
-client
-remote vpn.$DOMAIN 443
-resolv-retry infinite
+b64file() {
+  b64encode "$(cat "$@")"
+}

-remote-cert-tls server
-ca /etc/openvpn/ca.crt
-auth-user-pass /var/volatile/vpn-auth
-auth-retry none
-script-security 2
-up /etc/openvpn-misc/upscript.sh
-up-restart
-down /etc/openvpn-misc/downscript.sh
-
-comp-lzo
-dev resin-vpn
-dev-type tun
-proto tcp
-nobind
-
-persist-key
-persist-tun
-verb 3
-user openvpn
-group openvpn
-STR
-)
+# buckets to create in the S3 service...
+REGISTRY2_S3_BUCKET="registry-data"

 cat <<STR
 export OPENBALENA_PRODUCTION_MODE=false
 export OPENBALENA_COOKIE_SESSION_SECRET=$(randstr 32)
 export OPENBALENA_HOST_NAME=$DOMAIN
 export OPENBALENA_JWT_SECRET=$(randstr 32)
+export OPENBALENA_REGISTRY2_S3_BUCKET=${REGISTRY2_S3_BUCKET}
 export OPENBALENA_RESINOS_REGISTRY_CODE=$(randstr 32)
-export OPENBALENA_ROOT_CA=$(b64encode "$ROOT_CA")
-export OPENBALENA_ROOT_CRT=$(b64encode "${ROOT_CRT}")
-export OPENBALENA_ROOT_KEY=$(b64encode "${ROOT_KEY}")
+export OPENBALENA_ROOT_CA=$(b64file "${ROOT_CA}")
+export OPENBALENA_ROOT_CRT=$(b64file "${ROOT_CRT}")
+export OPENBALENA_ROOT_KEY=$(b64file "${ROOT_KEY}")
 export OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN=$(randstr 64)
-export OPENBALENA_TOKEN_AUTH_PUB=$(b64encode "$JWT_CRT")
-export OPENBALENA_TOKEN_AUTH_KEY=$(b64encode "$JWT_KEY")
-export OPENBALENA_TOKEN_AUTH_KID=$(b64encode "$JWT_KID")
-export OPENBALENA_VPN_CA=$(b64encode "$VPN_CA")
-export OPENBALENA_VPN_CONFIG=$VPN_CONFIG
-export OPENBALENA_VPN_SERVER_CRT=$(b64encode "$VPN_CRT")
-export OPENBALENA_VPN_SERVER_KEY=$(b64encode "$VPN_KEY")
-export OPENBALENA_VPN_SERVER_DH=$(b64encode "$VPN_DH")
+export OPENBALENA_TOKEN_AUTH_PUB=$(b64file "$JWT_CRT")
+export OPENBALENA_TOKEN_AUTH_KEY=$(b64file "$JWT_KEY")
+export OPENBALENA_TOKEN_AUTH_KID=$(b64file "$JWT_KID")
+export OPENBALENA_VPN_CA=$(b64file "$VPN_CA")
+export OPENBALENA_VPN_CA_CHAIN=$(b64file "$VPN_CA")
+export OPENBALENA_VPN_SERVER_CRT=$(b64file "$VPN_CRT")
+export OPENBALENA_VPN_SERVER_KEY=$(b64file "$VPN_KEY")
+export OPENBALENA_VPN_SERVER_DH=$(b64file "$VPN_DH")
 export OPENBALENA_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_API_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_REGISTRY_SECRET_KEY=$(randstr 32)
+export OPENBALENA_S3_ACCESS_KEY=$(randstr 32)
+export OPENBALENA_S3_BUCKETS="${REGISTRY2_S3_BUCKET}"
+export OPENBALENA_S3_ENDPOINT="https://s3.${DOMAIN}"
+export OPENBALENA_S3_REGION=us-east-1
+export OPENBALENA_S3_SECRET_KEY=$(randstr 32)
 export OPENBALENA_SSH_AUTHORIZED_KEYS=
-export NODE_EXTRA_CA_CERTS="$ROOT_CA"
 export OPENBALENA_SUPERUSER_EMAIL=$SUPERUSER_EMAIL
-export OPENBALENA_SUPERUSER_PASSWORD=$SUPERUSER_PASSWORD
+export OPENBALENA_SUPERUSER_PASSWORD=$(printf "%q" "${SUPERUSER_PASSWORD}")
+export OPENBALENA_ACME_CERT_ENABLED=${ACME_CERT_ENABLED:-false}
 STR
--- a/scripts/migrate-registry-storage
+++ b/scripts/migrate-registry-storage
@ -0,0 +1,29 @@
+#!/bin/sh
+
+migrate_data_to_s3 () {
+  BUCKET="${1:-registry-data}"
+
+  if [ -z "${BUCKET}" ]; then return 1; fi
+
+  if [ -n "${DOCKER_HOST}" ]; then
+      log "Using docker host: ${DOCKER_HOST}"
+      export DOCKER_HOST="${DOCKER_HOST}"
+  fi
+
+  REGISTRY_CONTAINER="$(docker ps | grep registry_ | awk '{print $1}')"
+  S3_CONTAINER="$(docker ps | grep s3_ | awk '{print $1}')"
+
+  if [ -z "${REGISTRY_CONTAINER}" ] || [ -z "${S3_CONTAINER}" ]; then return 2; fi
+
+  REGISTRY_VOLUME="$(docker inspect "${REGISTRY_CONTAINER}" | jq -r '.[].Mounts | map(select(.Destination=="/data")) | .[0].Source')"
+  S3_VOLUME=$(docker inspect "${S3_CONTAINER}" | jq -r '.[].Mounts | map(select(.Destination=="/export")) | .[0].Source')
+
+  if [ -z "${REGISTRY_VOLUME}" ] || [ -z "${S3_VOLUME}" ]; then return 3; fi
+
+  # run the S3 container image, and copy the data partition into S3...
+  docker run -it --rm \
+      -v "${REGISTRY_VOLUME}:/data" \
+      -v "${S3_VOLUME}:/s3" \
+      --name "migrate-registry" alpine \
+      sh -c "mkdir -p /s3/${BUCKET}/data && cp -r /data/docker /s3/${BUCKET}/data/"
+}
--- a/scripts/quickstart
+++ b/scripts/quickstart
@ -1,5 +1,36 @@
 #!/bin/bash -e

+BLACK=`tput setaf 0`
+RED=`tput setaf 1`
+GREEN=`tput setaf 2`
+YELLOW=`tput setaf 3`
+BLUE=`tput setaf 4`
+MAGENTA=`tput setaf 5`
+CYAN=`tput setaf 6`
+WHITE=`tput setaf 7`
+
+BOLD=`tput bold`
+RESET=`tput sgr0`
+
+# for macos machines, we need proper OpenSSL...
+OPENSSL_VERSION=$(openssl version -v)
+if [[ "${OPENSSL_VERSION}" =~ ^LibreSSL.*$ ]]; then
+  echo -e "${RED}ERROR: You may not have a compatible OpenSSL version (${OPENSSL_VERSION}). Please install OpenSSL version 1.0.2q or above.${RESET}"
+  if [ $(uname) == 'Darwin' ]; then
+        echo 'OpenSSL is required to build openBalena on macOS. To install with brew, run'
+        echo ''
+        echo '    brew install openssl'
+        echo ''
+    fi
+  exit 1
+fi
+
+source "${BASH_SOURCE%/*}/_realpath"
+
+domainResolves() {
+  getent hosts "$1" > /dev/null 2>&1
+}
+
 CMD="$(realpath "$0")"
 DIR="$(dirname "${CMD}")"
 BASE_DIR="$(dirname "${DIR}")"
@ -9,8 +40,9 @@ CERTS_DIR="${CONFIG_DIR}/certs"
 DOMAIN=openbalena.local

 usage() {
-  echo "usage: $0 [-h] [-p] [-d DOMAIN] -U EMAIL -P PASSWORD"
+  echo "usage: $0 [-c] [-h] [-p] [-d DOMAIN] -U EMAIL -P PASSWORD"
  echo
+  echo "  -c           enable the ACME certificate service in staging or production mode."
  echo "  -p           patch hosts - patch the host /etc/hosts file"
  echo "  -d DOMAIN    the domain name this deployment will run as, eg. example.com. Default is 'openbalena.local'"
  echo "  -U EMAIL     the email address of the superuser account, used to login to your install from the Balena CLI"
@ -20,13 +52,15 @@ usage() {

 show_help=false
 patch_hosts=false
-while getopts ":hpd:U:P:" opt; do
+while getopts ":chpxd:U:P:" opt; do
  case "${opt}" in
    h) show_help=true;;
    p) patch_hosts=true;;
+    x) set -x;;
    d) DOMAIN="${OPTARG}";;
    U) SUPERUSER_EMAIL="${OPTARG}";;
    P) SUPERUSER_PASSWORD="${OPTARG}";;
+    c) ACME_CERT_ENABLED="true";;
    *)
      echo "Invalid argument: -${OPTARG}"
      usage
@ -46,18 +80,25 @@ if [ "$show_help" = "true" ]; then
  exit 1
 fi

-echo_bold() {
-  printf "\\033[1m%s\\033[0m\\n" "${@}"
-}
-
-if [ -d "$CONFIG_DIR" ]; then
-  echo 'Configuration directory already exists; please remove it first.'
-  exit 1
+if [ ! -z "$ACME_CERT_ENABLED" ]; then
+  echo "${BLUE}[INFO]${RESET} ACME Certificate request is ${BOLD}ENABLED${RESET}."
+  
+  if ! domainResolves "api.${DOMAIN}"; then
+    echo "${YELLOW}[WARN]${RESET} Unable to resolve \"api.${DOMAIN}\"!"
+    echo "${YELLOW}[WARN]${RESET} This might mean that you cannot use an ACME issued certificate."
+  fi
 fi

+echo_bold() {
+  echo "${BOLD}${@}${RESET}"
+}
+
 echo_bold "==> Creating new configuration at: $CONFIG_DIR"
 mkdir -p "$CONFIG_DIR" "$CERTS_DIR"

+echo_bold "==> Bootstrapping easy-rsa..."
+source "${DIR}/ssl-common.sh"
+
 echo_bold "==> Generating root CA cert..."
 # shellcheck source=scripts/gen-root-ca
 source "${DIR}/gen-root-ca" "${DOMAIN}" "${CERTS_DIR}"
@ -90,5 +131,25 @@ fi
 echo_bold "==> Success!"
 echo '  - Start the instance with: ./scripts/compose up -d'
 echo '  - Stop the instance with: ./scripts/compose stop'
-echo '  - To create the superuser, see: ./scripts/create-superuser -h'
-echo "  - Use the following certificate with Balena CLI: ${CONFIG_DIR}/root/ca.crt"
+echo '  - To create a single, flat, docker-compose.yml file, run:'
+echo ''
+echo '      ./scripts/compose config > docker-compose.yml'
+echo ''
+
+if [ -z "${ACME_CERT_ENABLED}" ]; then
+  echo "  - Use the following certificate with Balena CLI: ${CERTS_DIR}/root/ca.crt"
+
+  case $(uname) in
+    Darwin)
+      echo ''
+      printf '    On macOS:\n\n'
+      printf '      sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "%s/root/ca.crt"\n' "${CERTS_DIR}"
+      echo ''
+      ;;
+    *)
+      ;;
+  esac
+
+  echo -e "    ${YELLOW}IMPORTANT:${RESET} You will need to restart your Docker daemon after trusting this certificate to allow your workstation to push images to the registry."
+  echo ''
+fi
--- a/scripts/ssl-common.sh
+++ b/scripts/ssl-common.sh
@ -7,6 +7,7 @@ if [ -z "${easyrsa_bin-}" ] || [ ! -x "${easyrsa_bin}" ]; then
    if [ -z "${easyrsa_bin}" ]; then
        easyrsa_dir="$(mktemp -dt easyrsa.XXXXXXXX)"
        easyrsa_url="https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz"
+        echo "  - Downloading easy-rsa..."
        (cd "${easyrsa_dir}"; curl -sL "${easyrsa_url}" | tar xz --strip-components=1)
        easyrsa_bin="${easyrsa_dir}/easyrsa"
        # shellcheck disable=SC2064
--- a/scripts/upgrade-1.x-to-2.0
+++ b/scripts/upgrade-1.x-to-2.0
@ -0,0 +1,78 @@
+#!/bin/sh
+
+source "${BASH_SOURCE%/*}/logger.sh"
+source "${BASH_SOURCE%/*}/migrate-registry-storage"
+
+# This script takes a v1.x.x install and updates the compose stack to use S3 as your
+# registry storage.
+
+source "${BASH_SOURCE%/*}/_realpath"
+
+DIR="$(dirname $(realpath "$0"))"
+BASE_DIR="$(dirname "${DIR}")"
+CONFIG_DIR="${BASE_DIR}/config"
+CONFIG_FILE="${CONFIG_DIR}/activate"
+
+# Step 1. Make sure a config exists...
+[ -f "${CONFIG_FILE}" ] || die "Unable to find existing config!";
+
+info "Preparing to upgrade..."
+source "${CONFIG_FILE}"
+
+while getopts "f" opt; do
+  case "${opt}" in
+    f) 
+        warn "Forcing upgrade! I hope you know what you're doing..."
+        FORCE_UPGRADE=1
+        ;;
+    *)
+      echo "Invalid argument: ${OPTARG}"
+      exit 1
+      ;;
+  esac
+done
+shift $((OPTIND-1))
+
+# Step 2. Check if the S3 configuration already exists...
+upgrade_required () {
+    [ -z "${OPENBALENA_REGISTRY2_S3_BUCKET}" ] || return 1;
+    [ -z "${OPENBALENA_S3_ACCESS_KEY}" ] || return 1;
+    [ -z "${OPENBALENA_S3_ENDPOINT}" ] || return 1;
+    [ -z "${OPENBALENA_S3_REGION}" ] || return 1;
+    [ -z "${OPENBALENA_S3_SECRET_KEY}" ] || return 1;
+}
+upgrade_required || die_unless_forced "${FORCE_UPGRADE}" "Configuration may already be using S3 for Registry storage!"
+
+# Step 3. Create missing S3 configuration...
+randstr() {
+  LC_CTYPE=C tr -dc A-Za-z0-9 < /dev/urandom | fold -w "${1:-32}" | head -n 1
+}
+
+upsert_config () {
+    var="${1}"
+    value="${2}"
+
+    if [ -z "${!var}" ]; then
+        echo "export ${1}=${2}" >> "${CONFIG_FILE}"
+    else
+        sed -i '' "s~export ${1}=.*~export ${1}=${2}~" "${CONFIG_FILE}"
+    fi
+}
+
+upsert_config "OPENBALENA_REGISTRY2_S3_BUCKET" "registry-data" || warn "Failed to update config value OPENBALENA_REGISTRY2_S3_BUCKET"
+upsert_config "OPENBALENA_S3_ACCESS_KEY" "$(randstr 32)" || warn "Failed to update config value OPENBALENA_S3_ACCESS_KEY"
+upsert_config "OPENBALENA_S3_ENDPOINT" "https://s3.${OPENBALENA_HOST_NAME}" || warn "Failed to update config value OPENBALENA_S3_ENDPOINT"
+upsert_config "OPENBALENA_S3_REGION" "us-east-1" || warn "Failed to update config value OPENBALENA_S3_REGION"
+upsert_config "OPENBALENA_S3_SECRET_KEY" "$(randstr 32)" || warn "Failed to update config value OPENBALENA_S3_SECRET_KEY"
+
+# Step 4. Migrate Registry data to S3...
+info "Copying data from the Registry volume to the S3 volume..."
+migrate_data_to_s3 "registry-data"
+case $? in
+    1)  die "Invalid bucket name";;
+    2)  die "Unable to find the running Registry or S3 containers";;
+    3)  die "Unable to determine the data volumes for the Registry or S3 containers";;
+    *)  info "Registry data copied"
+        ;;
+esac
+info "Upgrade complete"
--- a/src/cert-provider/Dockerfile
+++ b/src/cert-provider/Dockerfile
@ -0,0 +1,22 @@
+FROM alpine
+
+EXPOSE 80
+WORKDIR /usr/src/app
+VOLUME [ "/usr/src/app/certs" ]
+
+RUN apk add --update bash curl git openssl ncurses socat
+
+# from https://github.com/Neilpang/acme.sh/releases/tag/2.8.5
+RUN git clone https://github.com/Neilpang/acme.sh.git && \
+    cd acme.sh && \
+    git fetch && git fetch --tags && \
+    git checkout 2.8.5 . && \
+    ./acme.sh --install  \
+    --cert-home /usr/src/app/certs
+
+COPY entry.sh /entry.sh
+COPY cert-provider.sh ./cert-provider.sh
+COPY fake-le-bundle.pem ./
+
+ENTRYPOINT [ "/entry.sh" ]
+CMD [ "/usr/src/app/cert-provider.sh" ]
--- a/src/cert-provider/cert-provider.sh
+++ b/src/cert-provider/cert-provider.sh
@ -0,0 +1,190 @@
+#!/usr/bin/env bash
+
+# the acme.sh client script, installed via Git in the Dockerfile...
+ACME_BIN="$(realpath ~/.acme.sh/acme.sh)"
+
+# the path to a bundle of certs to verify a LetsEncrypt staging certificate until Apr 2036...
+ACME_STAGING_CA="/usr/src/app/fake-le-bundle.pem"
+
+# the path to a file which stores the last successful mode of certificate we acquired...
+ACME_MODE_FILE="/usr/src/app/certs/last_run_mode"
+
+# colour output helpers...
+reset=$(tput -T xterm sgr0)
+red=$(tput -T xterm setaf 1)
+green=$(tput -T xterm setaf 2)
+yellow=$(tput -T xterm setaf 3)
+blue=$(tput -T xterm setaf 4)
+
+logError() {
+    echo "${red}[Error]${reset} $1"
+}
+
+logWarn() {
+    echo "${yellow}[Warn]${reset} $1"
+}
+
+logInfo() {
+    echo "${blue}[Info]${reset} $1"
+}
+
+logSuccess() {
+    echo "${green}[Success]${reset} $1"
+}
+
+logErrorAndStop() {
+    logError "$1 [Stopping]"
+    while true; do
+        # do nothing forever...
+        sleep 60
+    done
+}
+
+retryWithDelay() {
+    RETRIES=${2:-3}
+    DELAY=${3:-5}
+
+    local ATTEMPT=0
+    while [ "$RETRIES" -gt "$ATTEMPT" ]; do
+        (( ATTEMPT++ ))
+        logInfo "($ATTEMPT/$RETRIES) Connecting..."
+        if $1; then
+            logInfo "($ATTEMPT/$RETRIES) Success!"
+            return $?
+        fi
+
+        if [ "$RETRIES" -gt "$ATTEMPT" ]; then
+            logInfo "($ATTEMPT/$RETRIES) Failed. Retrying in ${DELAY} seconds..."
+            sleep "$DELAY"
+        else
+            logInfo "($ATTEMPT/$RETRIES) Failed!"
+        fi
+    done
+
+    return 1
+}
+
+waitForOnline() {
+    ADDRESS="${1,,}"
+
+    logInfo "Waiting for ${ADDRESS} to be available via HTTP..."
+    retryWithDelay "curl --output /dev/null --silent --head --fail --max-time 5 http://${ADDRESS}"
+}
+
+isUsingStagingCert() {
+    HOST="${1,,}"
+    echo "" | openssl s_client -host "$HOST" -port 443 -showcerts 2>/dev/null | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' | openssl verify -CAfile "$ACME_STAGING_CA" > /dev/null 2>&1
+}
+
+pre-flight() {
+    case "$ACTIVE" in
+        "true"|"yes")
+            ;;
+        *)
+            logError "ACTIVE variable is not enabled. Value should be \"true\" or \"yes\" to continue."
+            return 1
+            ;;
+    esac
+
+    if [ -z "$DOMAINS" ]; then
+        logError "DOMAINS must be set. Value should be a comma-delimited string of domains."
+        return 1
+    else
+        IFS=, read -r -a ACME_DOMAINS <<< "$DOMAINS"
+        IFS=' ' read -r -a ACME_DOMAIN_ARGS <<< "${ACME_DOMAINS[@]/#/-d }"
+    fi
+
+    if [ -z "$VALIDATION" ]; then
+        logInfo "VALIDATION not set. Using default: http-01"
+        VALIDATION="http-01"
+    else
+        case "$VALIDATION" in
+            "http-01")
+                logInfo "Using validation method: $VALIDATION"
+                ;;
+            *)
+                logError "VALIDATION is invalid. Use a valid value: http-01"
+                return 1
+                ;;
+        esac
+    fi
+
+    if [ -z "$OUTPUT_PEM" ]; then
+        logError "OUTPUT_PEM must be set. Value should be the path to install your certificate to."
+        return 1
+    fi
+}
+
+waitToSeeStagingCert() {
+    logInfo "Waiting for ${ACME_DOMAINS[0]} to use a staging certificate..."
+    retryWithDelay "isUsingStagingCert ${ACME_DOMAINS[0]}" 3 5
+}
+
+lastAcquiredCertFor() {
+    ACME_MODE="${1:-none}"
+    ACME_LAST_MODE="$(cat $ACME_MODE_FILE || echo '')"
+    logInfo "Last acquired certificate for ${ACME_LAST_MODE^^}"
+    [ "${ACME_LAST_MODE,,}" == "${ACME_MODE,,}" ]
+}
+
+acquireCertificate() {
+    ACME_MODE="${1:-staging}"
+    ACME_FORCE="${2:-false}"
+    ACME_OPTS=()
+
+    if [ "${ACME_FORCE,,}" == "true" ];then ACME_OPTS+=("--force"); fi
+    case "$ACME_MODE" in
+        "production")
+            logInfo "Using PRODUCTION mode"
+            ;;
+        *)
+            logInfo "Using STAGING mode"
+            ACME_OPTS+=("--staging")
+            ;;
+    esac
+
+    case "$VALIDATION" in
+        "http-01")
+            ACME_OPTS+=("--standalone")
+            ;;
+        *)
+            logError "VALIDATION is invalid. Use a valid value: http-01"
+            return 1
+            ;;
+    esac
+
+    if ! waitForOnline "${ACME_DOMAINS[0]}"; then
+        logError "Unable to access site over HTTP"
+        return 1
+    fi
+
+    logInfo "Issuing certificates..."
+    "$ACME_BIN" --issue "${ACME_OPTS[@]}" "${ACME_DOMAIN_ARGS[@]}"
+
+    logInfo "Installing certificates..." && \
+    "$ACME_BIN" --install-cert "${ACME_DOMAIN_ARGS[@]}" \
+    --cert-file      /tmp/cert.pem  \
+    --key-file       /tmp/key.pem  \
+    --fullchain-file /tmp/fullchain.pem \
+    --reloadcmd     "cat /tmp/fullchain.pem /tmp/key.pem > $OUTPUT_PEM" && \
+
+    echo "${ACME_MODE}" > "${ACME_MODE_FILE}"
+}
+
+pre-flight || logErrorAndStop "Unable to continue due to misconfiguration. See errors above."
+
+while ! waitForOnline "${ACME_DOMAINS[0]}"; do
+    logInfo "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation. Retrying in 30 seconds..."
+    sleep 30
+done
+
+if ! lastAcquiredCertFor "production"; then
+    acquireCertificate "staging" || logErrorAndStop "Unable to acquire a staging certificate."
+    waitToSeeStagingCert || logErrorAndStop "Unable to detect certificate change over. Cannot issue a production certificate."
+    acquireCertificate "production" "true" || logErrorAndStop "Unable to acquire a production certificate."
+fi
+
+logSuccess "Done!"
+
+logInfo "Running cron..."
+crond -f -d 7
--- a/src/cert-provider/entry.sh
+++ b/src/cert-provider/entry.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec "$@"
--- a/src/cert-provider/fake-le-bundle.pem
+++ b/src/cert-provider/fake-le-bundle.pem
@ -0,0 +1,56 @@
+-----BEGIN CERTIFICATE-----
+MIIFATCCAumgAwIBAgIRAKc9ZKBASymy5TLOEp57N98wDQYJKoZIhvcNAQELBQAw
+GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDMyMzIyNTM0NloXDTM2
+MDMyMzIyNTM0NlowGjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+pYHvQw5iU3v2b3iNuYNKYgsWD6KU7aJ
+diddtZQxSWYzUI3U0I1UsRPTxnhTifs/M9NW4ZlV13ZfB7APwC8oqKOIiwo7IwlP
+xg0VKgyz+kT8RJfYr66PPIYP0fpTeu42LpMJ+CKo9sbpgVNDZN2z/qiXrRNX/VtG
+TkPV7a44fZ5bHHVruAxvDnylpQxJobtCBWlJSsbIRGFHMc2z88eUz9NmIOWUKGGj
+EmP76x8OfRHpIpuxRSCjn0+i9+hR2siIOpcMOGd+40uVJxbRRP5ZXnUFa2fF5FWd
+O0u0RPI8HON0ovhrwPJY+4eWKkQzyC611oLPYGQ4EbifRsTsCxUZqyUuStGyp8oa
+aoSKfF6X0+KzGgwwnrjRTUpIl19A92KR0Noo6h622OX+4sZiO/JQdkuX5w/HupK0
+A0M0WSMCvU6GOhjGotmh2VTEJwHHY4+TUk0iQYRtv1crONklyZoAQPD76hCrC8Cr
+IbgsZLfTMC8TWUoMbyUDgvgYkHKMoPm0VGVVuwpRKJxv7+2wXO+pivrrUl2Q9fPe
+Kk055nJLMV9yPUdig8othUKrRfSxli946AEV1eEOhxddfEwBE3Lt2xn0hhiIedbb
+Ftf/5kEWFZkXyUmMJK8Ra76Kus2ABueUVEcZ48hrRr1Hf1N9n59VbTUaXgeiZA50
+qXf2bymE6F8CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
+Af8wHQYDVR0OBBYEFMEmdKSKRKDm+iAo2FwjmkWIGHngMA0GCSqGSIb3DQEBCwUA
+A4ICAQBCPw74M9X/Xx04K1VAES3ypgQYH5bf9FXVDrwhRFSVckria/7dMzoF5wln
+uq9NGsjkkkDg17AohcQdr8alH4LvPdxpKr3BjpvEcmbqF8xH+MbbeUEnmbSfLI8H
+sefuhXF9AF/9iYvpVNC8FmJ0OhiVv13VgMQw0CRKkbtjZBf8xaEhq/YqxWVsgOjm
+dm5CAQ2X0aX7502x8wYRgMnZhA5goC1zVWBVAi8yhhmlhhoDUfg17cXkmaJC5pDd
+oenZ9NVhW8eDb03MFCrWNvIh89DDeCGWuWfDltDq0n3owyL0IeSn7RfpSclpxVmV
+/53jkYjwIgxIG7Gsv0LKMbsf6QdBcTjhvfZyMIpBRkTe3zuHd2feKzY9lEkbRvRQ
+zbh4Ps5YBnG6CKJPTbe2hfi3nhnw/MyEmF3zb0hzvLWNrR9XW3ibb2oL3424XOwc
+VjrTSCLzO9Rv6s5wi03qoWvKAQQAElqTYRHhynJ3w6wuvKYF5zcZF3MDnrVGLbh1
+Q9ePRFBCiXOQ6wPLoUhrrbZ8LpFUFYDXHMtYM7P9sc9IAWoONXREJaO08zgFtMp4
+8iyIYUyQAbsvx8oD2M8kRvrIRSrRJSl6L957b4AFiLIQ/GgV2curs0jje7Edx34c
+idWw1VrejtwclobqNMVtG3EiPUIpJGpbMcJgbiLSmKkrvQtGng==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEqzCCApOgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+UwDQYJKoZIhvcNAQELBQAw
+GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDUyMzIyMDc1OVoXDTM2
+MDUyMzIyMDc1OVowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWKySDn7rWZc5ggjz3ZB0
+8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym
+oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0
+ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN
+xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56
+dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9
+AgMBAAGjgeMwgeAwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw
+HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHoGCCsGAQUFBwEBBG4wbDA0
+BggrBgEFBQcwAYYoaHR0cDovL29jc3Auc3RnLXJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnLzA0BggrBgEFBQcwAoYoaHR0cDovL2NlcnQuc3RnLXJvb3QteDEubGV0c2Vu
+Y3J5cHQub3JnLzAfBgNVHSMEGDAWgBTBJnSkikSg5vogKNhcI5pFiBh54DANBgkq
+hkiG9w0BAQsFAAOCAgEABYSu4Il+fI0MYU42OTmEj+1HqQ5DvyAeyCA6sGuZdwjF
+UGeVOv3NnLyfofuUOjEbY5irFCDtnv+0ckukUZN9lz4Q2YjWGUpW4TTu3ieTsaC9
+AFvCSgNHJyWSVtWvB5XDxsqawl1KzHzzwr132bF2rtGtazSqVqK9E07sGHMCf+zp
+DQVDVVGtqZPHwX3KqUtefE621b8RI6VCl4oD30Olf8pjuzG4JKBFRFclzLRjo/h7
+IkkfjZ8wDa7faOjVXx6n+eUQ29cIMCzr8/rNWHS9pYGGQKJiY2xmVC9h12H99Xyf
+zWE9vb5zKP3MVG6neX1hSdo7PEAb9fqRhHkqVsqUvJlIRmvXvVKTwNCP3eCjRCCI
+PTAvjV+4ni786iXwwFYNz8l3PmPLCyQXWGohnJ8iBm+5nk7O2ynaPVW0U2W+pt2w
+SVuvdDM5zGv2f9ltNWUiYZHJ1mmO97jSY/6YfdOUH66iRtQtDkHBRdkNBsMbD+Em
+2TgBldtHNSJBfB3pm9FblgOcJ0FSWcUDWJ7vO0+NTXlgrRofRT6pVywzxVo6dND0
+WzYlTWeUVsO40xJqhgUQRER9YLOLxJ0O6C8i0xFxAMKOtSdodMB3RIwt7RFQ0uyt
+n5Z5MqkYhlMI3J1tPRTp1nEt9fyGspBOO05gi148Qasp+3N+svqKomoQglNoAxU=
+-----END CERTIFICATE-----
--- a/src/haproxy/Dockerfile
+++ b/src/haproxy/Dockerfile
@ -0,0 +1,10 @@
+FROM haproxy:1.9-alpine
+
+VOLUME [ "/certs" ]
+
+RUN apk add --update inotify-tools
+
+COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
+COPY start-haproxy.sh /start-haproxy
+
+CMD /start-haproxy
--- a/src/haproxy/haproxy.cfg
+++ b/src/haproxy/haproxy.cfg
@ -2,9 +2,9 @@ global
  tune.ssl.default-dh-param 1024

 defaults
-  timeout connect 5000
-  timeout client 50000
-  timeout server 50000
+  timeout connect 5s
+  timeout client 50s
+  timeout server 50s

 frontend http-in
  mode http
@ -12,6 +12,9 @@ frontend http-in
  bind *:80
  reqadd X-Forwarded-Proto:\ http

+  acl is_cert_validation path -i -m beg "/.well-known/acme-challenge/"
+  use_backend cert-provider if is_cert_validation
+
  acl host_api hdr_dom(host) -i "api.${HAPROXY_HOSTNAME}"
  use_backend backend_api if host_api

@ -31,6 +34,10 @@ frontend ssl-in
  tcp-request content accept if { req.ssl_hello_type 1 }

  acl is_ssl req.ssl_ver 2:3.4
+
+  acl host_tunnel req_ssl_sni -i "tunnel.${HAPROXY_HOSTNAME}"
+  use_backend redirect-to-tunnel-in if host_tunnel
+
  use_backend redirect-to-https-in if is_ssl
  use_backend vpn-devices if !is_ssl

@ -39,6 +46,11 @@ backend redirect-to-https-in
  balance roundrobin
  server localhost 127.0.0.1:444 send-proxy-v2

+backend redirect-to-tunnel-in
+  mode tcp
+  balance roundrobin
+  server localhost 127.0.0.1:3129
+
 frontend https-in
  mode http
  option forwardfor
@ -61,28 +73,35 @@ backend backend_api
  mode http
  option forwardfor
  balance roundrobin
-  server resin_api_1 api:80 check port 80
+  server balena_api_1 api:80 check port 80

 backend backend_registry
  mode http
  option forwardfor
  balance roundrobin
-  server resin_registry_1 registry:80 check port 80
+  server balena_registry_1 registry:80 check port 80

 backend backend_vpn
  mode http
  option forwardfor
  balance roundrobin
-  server resin_vpn_1 vpn:80 check port 80
+  server balena_vpn_1 vpn:80 check port 80

 backend backend_s3
  mode http
  option forwardfor
  balance roundrobin
+  server balena_s3_1 s3:80 check port 80
+
+backend cert-provider
+  mode http
+  option forwardfor
+  balance roundrobin
+  server balena_cert-provider_1 cert-provider:80 no-check

 backend vpn-devices
  mode tcp
-  server resin_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443
+  server balena_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443

 frontend db
  mode tcp
@ -92,7 +111,7 @@ frontend db

 backend backend_db
  mode tcp
-  server resin_db_1 db:5432 check port 5432
+  server balena_db_1 db:5432 check port 5432

 frontend redis
  mode tcp
@ -102,4 +121,14 @@ frontend redis

 backend backend_redis
  mode tcp
-  server resin_redis_1 redis:6379 check port 6379
+  server balena_redis_1 redis:6379 check port 6379
+
+listen vpn-tunnel
+  mode tcp
+  bind *:3128
+  server balena_vpn vpn:3128 check port 3128
+
+listen vpn-tunnel-tls
+  mode tcp
+  bind *:3129 ssl crt /etc/ssl/private/open-balena.pem
+  server balena_vpn vpn:3128 check port 3128
--- a/src/haproxy/start-haproxy.sh
+++ b/src/haproxy/start-haproxy.sh
@ -0,0 +1,32 @@
+#!/bin/sh
+
+OPENBALENA_CERT=/etc/ssl/private/open-balena.pem
+mkdir -p "$(dirname "${OPENBALENA_CERT}")"
+
+if [ -f "/certs/open-balena.pem" ]; then
+    echo "Using certificate from cert-provider..."
+    cp /certs/open-balena.pem "${OPENBALENA_CERT}"
+else
+    echo "Building certificate from environment variables..."
+    (
+        echo "${BALENA_HAPROXY_CRT}" | base64 -d
+        echo "${BALENA_HAPROXY_KEY}" | base64 -d
+        echo "${BALENA_ROOT_CA}" | base64 -d
+    ) > "${OPENBALENA_CERT}"
+fi
+
+haproxy -f /usr/local/etc/haproxy/haproxy.cfg -W &
+HAPROXY_PID=$!
+
+while true; do
+    inotifywait -r -e create -e modify -e delete /certs
+    
+    if [ -f "/certs/open-balena.pem" ]; then
+        echo "Updating certificate from cert-provider..."
+        cp /certs/open-balena.pem "${OPENBALENA_CERT}"
+    fi
+    
+    echo "Certificate change detected. Reloading..."
+    kill -SIGUSR2 $HAPROXY_PID
+    sleep 1;
+done
Author	SHA1	Message	Date
Balena CI	cd98a0df3f	v3.1.2	2021-01-22 16:10:08 +02:00
bulldozer-balena[bot]	296a746e96	Merge pull request #101 from balena-io/switch-tunnel-to-tls tunnel: Expose tunnel service via TLS	2021-01-22 14:08:00 +00:00
Rich Bayliss	b3d184c13c	tunnel: Expose tunnel service via TLS In order to support the new CLI and balenaCloud deployment schemes for the tunnel service, the service is now exposed via the TLS port 443 on the `tunnel.{domain}` server name. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2021-01-22 11:55:33 +00:00
Balena CI	3b9433e9cc	v3.1.1	2020-11-10 17:59:55 +02:00
bulldozer-balena[bot]	763da0eb45	Merge pull request #97 from balena-io/update-versions Update open-balena-api	2020-11-10 15:57:48 +00:00
Akis Kesoglou	bfce474ff0	Update open-balena-api Fixes a bug with a migration that would keep obsolete DB columns around and prevent creation of applications and devices. See https://github.com/balena-io/open-balena-api/pull/507 Fixes #94 #95 Change-type: patch	2020-11-10 17:54:33 +02:00
Balena CI	308322f774	v3.1.0	2020-11-03 18:22:26 +02:00
bulldozer-balena[bot]	c2077e5037	Merge pull request #96 from balena-io/set-default-bucket-prefix-images Change S3 OS images folder from resinos to images	2020-11-03 16:20:37 +00:00
Stevche Radevski	7790290d0e	Change S3 OS images folder from resinos to images Change-type: minor Signed-off-by: Stevche Radevski <stevche@balena.io>	2020-11-03 17:15:14 +01:00
Balena CI	857e6b3bd7	v3.0.1	2020-10-29 13:43:03 +02:00
bulldozer-balena[bot]	cbee20731b	Merge pull request #93 from balena-io/update-api Update the API fixing an issue with migrations	2020-10-29 11:41:04 +00:00
Akis Kesoglou	eec16b843d	Update the API fixing an issue with migrations When updating from previous versions, the API will fail to execute the database migrations. This updates the API version to include a fix for this. Change-type: patch	2020-10-29 13:35:30 +02:00
Balena CI	a3126359e0	v3.0.0	2020-10-28 14:17:36 +02:00
bulldozer-balena[bot]	6438da8498	Merge pull request #88 from balena-io/v3 Update versions of services	2020-10-28 12:16:01 +00:00
Akis Kesoglou	1f7ed769c0	Update versions of services Change-type: major	2020-10-28 14:06:47 +02:00
Akis Kesoglou	41b1800166	Reorder README sections to bring “Getting Started” further up	2020-10-28 13:10:18 +02:00
Balena CI	77e3cfcdb6	v2.0.5	2020-10-12 14:42:08 +03:00
bulldozer-balena[bot]	d3f11819ce	Merge pull request #89 from balena-io/comparison-table docs: add table comparing features of openBalena and balenaCloud	2020-10-12 11:40:27 +00:00
Balena CI	3816f09bc4	v2.0.4	2020-10-08 23:23:24 +03:00
bulldozer-balena[bot]	7154c5903f	Merge pull request #90 from balena-io/cli-incompatibility docs: note that balenaCLI is incompatible >12.2.2	2020-10-08 20:21:43 +00:00
Matthew McGinn	71a692b28b	docs: note that balenaCLI is incompatible >12.2.2 Connects-to: #85 Change-type: patch Signed-off-by: Matthew McGinn <matthew@balena.io>	2020-10-08 15:35:02 -04:00
Matthew McGinn	feeb830405	docs: add table comparing features of openBalena and balenaCloud Connects-to: #62 Change-type: patch Signed-off-by: Matthew McGinn <matthew@balena.io>	2020-10-08 17:11:56 +00:00
Balena CI	eb262fe9a2	v2.0.3	2020-06-01 12:41:28 +03:00
bulldozer-balena[bot]	6db5e59958	Merge pull request #79 from balena-io/add-balenaos-version docs: Add PSA about balenaOS version breakage	2020-06-01 09:39:28 +00:00
Rich Bayliss	d33560755f	docs: Add PSA about balenaOS version breakage Due to a change in the balena-supervisor codebase, only balenaOS versions <= 2.49.0 are working with open-balena. This documentation change is a band-aid while we resolve the issue. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2020-06-01 10:35:00 +01:00
Balena CI	f427982714	v2.0.2	2020-04-03 16:56:38 +03:00
dfunckt	b99e497ac9	Merge pull request #75 from Langhalsdino/patch-1 Add units to the default timeouts in haproxy.cfg	2020-04-03 16:54:57 +03:00
Frederic Tausch	de0293563f	Added units to haproxy.cfg default timeouts I added unit 's' (second) to the default timeouts in order to make them more readable. Change-type: patch	2020-03-27 15:43:11 +01:00
Balena CI	17419557a5	v2.0.1	2020-01-17 12:30:31 +02:00
Rich Bayliss	c58ee37f17	Merge pull request #65 from balena-io/cert-provider-update cert-provider: Update to support ACMEv2 on staging provider	2020-01-17 10:28:43 +00:00
Rich Bayliss	d67e29223f	cert-provider: Update to support ACMEv2 on staging provider Acquiring a staging certificiate from LetsEncrypt was failing, so acme.sh was updated to version 2.8.5, which includes support for using ACMEv2 on the LetsEncrypt servers. Changes to the state flow to make access retries infinite as it became apparent that in some scenarios the certificate acquisition could fail to occur due to containers taking longer to become accessible. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2020-01-17 10:24:43 +00:00
Balena CI	08a990d32d	v2.0.0	2019-09-02 13:39:55 +03:00
Rich Bayliss	d70c2177ff	Merge pull request #60 from balena-io/use-s3 feature: Use S3 bucket for Registry service backend	2019-09-02 11:38:03 +01:00
Rich Bayliss	2a7d0687a2	feature: Use S3 bucket for Registry service backend Update open-balena-s3 to 2.8.3 This makes new installations of openBalena use the S3 container as a storage backend for the Registry service by default. Existing installs should not be affected. Change-type: major Signed-off-by: Rich Bayliss <rich@balena.io>	2019-09-02 10:30:15 +01:00
Resin CI	e6c865e383	v1.3.0	2019-07-30 14:21:49 +03:00
Rich Bayliss	617209dc9e	Merge pull request #59 from balena-io/use-bob feature: Support deployment via balena push to local-mode balenaOS devices	2019-07-30 12:20:02 +01:00
Rich Bayliss	853ffb33e8	services: Update Registry service version Update open-balena-registry to 2.11.1 This allows the registry to use an S3 bucket for storing images. Change-type: minor Signed-off-by: Rich Bayliss <rich@balena.io>	2019-07-30 12:10:06 +01:00
Rich Bayliss	a029160caf	feature: Support deployment via balena push to local-mode balenaOS devices - remove some `.gitignore` entries as this is also honoured by `balena push` - added a step to `scripts/quickstart` to produce a single, flat `docker-compose.yml` after running - set the compose file versions to `2.0` to ensure only supported terms are used in the `docker-compose.yml` file output - quoted empty env values as these need to be passed in as blank, and not ommitted - include the MDNS publisher service IF the domain being used is a .local one - corrected spelling of macOS in script messages - move sidecar container source into ./src as per convention Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-07-30 12:10:01 +01:00
Resin CI	bb1328e27e	v1.2.0	2019-05-21 18:00:07 +03:00
Rich Bayliss	395613af57	Merge pull request #53 from balena-io/service-updates Update service versions	2019-05-21 15:58:07 +01:00
Rich Bayliss	199d8eb4a4	tidy: Remove unused DEVICE_CONFIG_OPENVPN_CONFIG variable Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-05-21 15:47:57 +01:00
Akis Kesoglou	6fdc554e43	services: Update Registry service version Update open-balena-registry to 2.7.0 This allows registry to be configured to use its internal Redis instance for caching. It is still disabled by default though. Change-type: minor	2019-05-21 14:45:54 +01:00
Rich Bayliss	f8b8a1589a	services: Update API service version Update open-balena-api from 0.11.8 to 0.19.5 This brings in the latest bugfixes and changes. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-05-21 14:01:38 +01:00
Resin CI	3bf14a2140	v1.1.1	2019-05-10 18:22:12 +03:00
Heds Simons	fef145f993	Merge pull request #51 from balena-io/50-update-docker-compose docker: Update docker-compose version to latest	2019-05-10 16:20:42 +01:00
Heds Simons	e068f8058f	docker: Update docker-compose version to latest Connects-to: #50 Change-type: patch Signed-off-by: Heds Simons <heds@balena.io>	2019-05-07 17:15:19 +01:00
Resin CI	c1ee146f0d	v1.1.0	2019-05-07 14:38:17 +03:00
Heds Simons	9ad92596b9	Merge pull request #49 from balena-io/48-s3-credential-changes s3: Update to latest version with credentials	2019-05-07 12:36:26 +01:00
Heds Simons	56de2d20bb	s3: Update to latest version with credentials Credentials for S3 can now be specified using the following docker-compose based envvars: * S3_MINIO_ACCESS_KEY * S3_MINIO_SECRET_KEY Connects-to: #48 Change-type: minor Signed-off-by: Heds Simons <heds@balena.io>	2019-05-07 11:18:48 +01:00
Resin CI	290c90c262	v1.0.2	2019-04-18 15:30:38 +03:00
dfunckt	98b6100fed	Merge pull request #45 from roman-mazur/roman/fix-build scripts: Handle missing coreutils on Mac	2019-04-18 15:28:19 +03:00
Roman Mazur	e1bfb7f7b0	scripts: Handle missing coreutils on Mac For convenience, also add instructions what to install. Tha change also addresses invalid usage of 'local' outside of a function. Change-type: patch Signed-off-by: Roman Mazur <mazur.roman@gmail.com>	2019-04-16 18:05:16 +03:00
Resin CI	35ab5300e6	v1.0.1	2019-03-20 11:24:21 +02:00
Rich Bayliss	fd031ad3a4	Merge pull request #42 from balena-io/prevent-root-ca-signing-vpn-ca vpn: Remove BALENA_ROOT_CA from the VPN trust chain	2019-03-20 09:22:11 +00:00
Rich Bayliss	95d53993bc	vpn: Remove BALENA_ROOT_CA from the VPN trust chain The VPN CA shouldn't need to be signed by the same CA that the HAproxy service certificate is signed by. By removing this chain we are able to use a different CA for the HTTPS services without impacting on the VPN service. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-20 09:13:19 +00:00
Resin CI	1721728794	v1.0.0	2019-03-15 17:29:55 +02:00
Rich Bayliss	061440f109	Merge pull request #43 from balena-io/pin-service-tags tags: Pin the image tags for the service stack	2019-03-15 15:28:08 +00:00
Rich Bayliss	2f0fb27145	tags: Pin the image tags for the service stack In order to have concrete releases of openBalena we should pin each service to a given version. This PR is the start of this and marks the first version of openBalena with known service tags. Change-type: major Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-15 15:14:57 +00:00
Resin CI	210bdcda37	v0.2.2	2019-03-08 15:44:55 +02:00
Rich Bayliss	fac66040c8	Merge pull request #39 from balena-io/add-codeowners codeowners: Add CODEOWNERS file	2019-03-08 13:42:59 +00:00
Rich Bayliss	85a69c1ef1	codeowners: Add CODEOWNERS file Add a CODEOWNERS file which includes the main repo owners. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-08 13:38:49 +00:00
Resin CI	e37a61e5f0	v0.2.1	2019-03-08 14:31:30 +02:00
Rich Bayliss	0fc85ff5b6	Merge pull request #38 from balena-io/add-acme-support certs: Add support for an ACME certificate provider	2019-03-08 12:29:44 +00:00
Rich Bayliss	99dd615e55	certs: Add support for an ACME certificate provider Add a service which will acquire certificates from an ACME cert provider, such as LetsEncrypt (), to allow an openBalena instance to use a publicly trusted certificate instead of the self-signed one it wil generate on setup. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-03-08 12:23:46 +00:00
Resin CI	d3b021a1cb	v0.2.0	2019-01-28 20:38:12 +01:00
Rich Bayliss	b9b9b65ce6	Merge pull request #35 from balena-io/hide-db-redis Do not publish DB and Redis ports to the host	2019-01-28 19:36:27 +00:00
Akis Kesoglou	9fb3f76858	Do not publish DB and Redis ports to the host We are currently exposing the DB and Redis ports to the host, making the services externally accessible, which is very useful for a development environment. `docker-compose` is however the only deployment method we currently support, and our Getting Started guide uses the very same configuration to guide users through the process of deploying open-balena on a public server (mostly because it’s easier with regards to DNS). This means we’re effectively guiding users to deploy open-balena in a very insecure way. This commit removes host port bindings for the database and Redis services, effectively making them externally inaccessible. Fixes #34 Change-type: minor	2019-01-25 15:34:58 +02:00
Resin CI	52fb653223	v0.1.4	2019-01-10 12:03:32 +01:00
Rich Bayliss	7332b6971e	Merge pull request #33 from balena-io/improve-vagrant vagrant: Add missing Node dependency	2019-01-10 11:01:42 +00:00
Rich Bayliss	011f3a35f9	vagrant: Add missing Node dependency Signed-off-by: Rich Bayliss <rich@balena.io> Change-type: patch	2019-01-10 10:57:53 +00:00
Resin CI	0842b7b4ae	v0.1.3	2019-01-10 10:47:30 +01:00
Rich Bayliss	37ecfb8996	Merge pull request #32 from balena-io/improve-vagrant vagrant: Improve the Vagrant file to make development easier	2019-01-10 09:45:45 +00:00
Rich Bayliss	bd638ac409	vagrant: Improve the Vagrant file to make development easier Vagrant machine is based on Ubuntu 18.04 including: - docker - docker-compose Provisions some helper functions to the CLI: - dc (shortcut to ./scripts/compose) - enter {service} (opens a terminal in the service's container) - logs {service} (access the journal of the service) Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>	2019-01-10 09:41:11 +00:00
Resin CI	cec371f0b8	v0.1.2	2018-12-20 11:54:47 +01:00
Rich Bayliss	eb1db83058	Merge pull request #29 from balena-io/make-macos-compatible Make scripts macOS compatible	2018-12-20 10:53:00 +00:00
Rich Bayliss	709d00b898	init: Make scripts macOS compatible The quickstart script should be able to run on macOS machines and not just Linux ones. Signed-off-by: Rich Bayliss <rich@balena.io> Change-type: patch	2018-12-20 10:42:50 +00:00
Resin CI	6f56ee8fbd	v0.1.1	2018-12-17 15:22:53 +02:00
dfunckt	9d48debca6	Merge pull request #27 from balena-io/fix-quickstart-paths Fix quickstart paths	2018-12-17 15:21:06 +02:00
Akis Kesoglou	254fd3b499	Ignore package-lock.json Change-type: patch	2018-12-17 14:58:07 +02:00
Akis Kesoglou	5bc74c3f75	Print the proper path to root CA cert Change-type: patch	2018-12-17 14:57:49 +02:00
Resin CI	93d51fcdd5	v0.1.0	2018-12-17 14:45:53 +02:00
Will Boyce	b2ec80fbdb	Merge pull request #14 from balena-io/vpn vpn requirements	2018-12-17 12:44:15 +00:00
Will Boyce	ed077b5722	vagrant: Change into open-balena directory automatically Change-type: patch Signed-off-by: Will Boyce <will@balena.io>	2018-11-20 16:04:04 +00:00
Will Boyce	a50910ca83	api: Pass full VPN CA chain to `os-config` Change-type: patch Signed-off-by: Will Boyce <will@balena.io>	2018-11-20 16:04:04 +00:00
Will Boyce	318362cc25	haproxy: Proxy port 3128 to vpn service Change-type: minor Signed-off-by: Will Boyce <will@balena.io>	2018-11-20 16:04:04 +00:00
Resin CI	acd40a79e6	v0.0.7	2018-11-15 10:30:31 +01:00
dfunckt	627867aec4	Merge pull request #20 from balena-io/update-readme Update README	2018-11-15 11:28:13 +02:00
Akis Kesoglou	2e4064fab7	Update README Change-type: patch	2018-11-14 14:22:37 +02:00
 @ -1 +1 @@
 .0.6
 .1.2