Installing and Configuring Sandstorm on Nethserver

oneitonitram · October 6, 2018, 7:08am

Hello everyone.

Has anyone had a look or heard of sandstorm.

It is an open source platform for self hosted web application https://sandstorm.io/

More like what portainer is, but its for collaborative applications
here is the link for the demo https://oasis.sandstorm.io/apps

here is the documentation regarding setting up ldap https://docs.sandstorm.io/en/latest/administering/for-work/

The installation instructions is on their web-page. Under https://sandstorm.io/install

Incase you are doubting support for Centos since they mostly mention Ubuntu
here is official https://sandstorm.io/news/2016-11-10-rhel-centos-arch-support
Could we make a simple effective way to install the solution on Nethserver, while also making use of the Ldap server offered.

mrmarkuz · October 6, 2018, 9:59am

Seems really easy to install:

curl https://install.sandstorm.io | bash

The setup questions could be answered with default values or “none”.
After this you get a link to connect like http://testserver.domain.local:6080/setup/token/7c4d41c8482da0ae44e10c2bd2887…
but you have to setup firewall first, better way would be to use some reverse proxy but for now just open the port and apply the config:

config set fw_sandstorm service status enabled TCPPort 6080 access green
signal-event firewall-adjust

That’s it, now you may setup sandstorm (including ldap connector) via web browser…

EDIT:

Working settings for local LDAP server (you may get the settings with account-provider-test dump)

Hm, the apps are not working, maybe you need a resolvable hostname or certificate…

oneitonitram · October 6, 2018, 6:21pm

thats the challenge now

mrmarkuz · October 6, 2018, 8:33pm

You need a wildcard dns entry, dynu for example provides free wildcard dns:

https://docs.sandstorm.io/en/latest/administering/wildcard/

Open port 6080 for red and green:

config set fw_sandstorm service status enabled TCPPort 6080 access red,green
signal-event firewall-adjust

Edit BASE_URL and WILDCARD_HOST in /opt/sandstorm.conf:

BASE_URL=http://yourdomain.net:6080
WILDCARD_HOST=*.yourdomain.net:6080

Restart service:

systemctl restart sandstorm

Browse to http://yourdomain.net:6080

Looks really nice but some improvements still need to be made:

reverse proxy
HTTPS with certificate

EDIT:

sandstorm HTTPS needs a wildcard ssl cert, we may use acme-dns provided by @danb35

They recommend nginx, with apache reverse proxy I had no success.

https://docs.sandstorm.io/en/latest/administering/ssl/

danb35 · October 6, 2018, 10:56pm

Pretty much everyone who does static DNS will let you do wildcards. If you need dynamic DNS, I don’t know–it’s been decades since I’ve used dynamic DNS. But if you don’t need dynamic DNS, just pick a DNS host with a supported API and use acme.sh to get your cert. Or, as you suggest, use acme-dns instead.

mrmarkuz · October 6, 2018, 11:14pm

In this case a wildcard SSL certificate is needed and I thought the cheapest way to accomplish this is acme-dns.

danb35 · October 6, 2018, 11:22pm

acme-dns is free, and you definitely can’t beat the price of that. But unless dynamic DNS is needed, there are also other free options (Cloudflare is one) that don’t require installing anything other than a simple script (can’t say there aren’t free alternatives if you do need dynamic DNS; I just don’t know that field well enough).

acme-dns is more secure, in that it doesn’t carry the risk of exposing credentials that could let an attacker steal your domain. OTOH, it requires running a new server process on your server, which no doubt introduces other (as-yet-unknown) vulnerabilities.

As is often the case, lots of ways to skin this cat.