132 lines
3.2 KiB
Markdown
132 lines
3.2 KiB
Markdown
# Docker Compose Deployment
|
|
|
|
The Compose stack contains two services:
|
|
|
|
- `rmm-server`: Go API, web UI, and persistent SQLite database.
|
|
- `tunnel-ssh`: SSH endpoint used by routers for reverse SSH tunnels.
|
|
|
|
Published ports:
|
|
|
|
- `18080/tcp`: RMM API and web UI.
|
|
- `2222/tcp`: router-to-server SSH tunnel connection.
|
|
- `22000-22099/tcp`: temporary operator endpoints created by remote sessions.
|
|
- `22100-22199/tcp`: internal LuCI proxy forwards; these are not published by Compose.
|
|
|
|
## 1. Configure Secrets
|
|
|
|
Create the local environment file:
|
|
|
|
```powershell
|
|
Copy-Item .env.example .env
|
|
notepad .env
|
|
```
|
|
|
|
Replace `RMM_ENROLLMENT_TOKEN` and `RMM_OPERATOR_TOKEN` before exposing the server outside a trusted network.
|
|
|
|
## 2. Start The Stack
|
|
|
|
```powershell
|
|
docker compose up -d --build
|
|
docker compose ps
|
|
docker compose logs --tail 100
|
|
```
|
|
|
|
Open:
|
|
|
|
```text
|
|
http://127.0.0.1:18080
|
|
```
|
|
|
|
The SQLite database and SSH keys are stored in named Docker volumes.
|
|
|
|
For HTTPS and domain-based access, use [npmplus.md](npmplus.md) or the optional Caddy overlay described in [reverse-proxy.md](reverse-proxy.md).
|
|
|
|
## 3. Generate And Install The Tunnel Key
|
|
|
|
Generate the router tunnel key before starting Compose:
|
|
|
|
```sh
|
|
mkdir -p secrets
|
|
ssh-keygen -t ed25519 -N '' -C rmm-router-tunnel -f secrets/router_tunnel_key
|
|
chmod 600 secrets/router_tunnel_key
|
|
```
|
|
|
|
Compose mounts only `secrets/router_tunnel_key.pub` into the SSH sidecar. The private key remains on the deployment host and must be installed on approved routers.
|
|
|
|
OpenWrt 25 uses `apk`. Install the OpenSSH client:
|
|
|
|
```sh
|
|
apk add openssh-client
|
|
```
|
|
|
|
Install the key without `scp` or SFTP:
|
|
|
|
```powershell
|
|
Get-Content -Raw .\secrets\router_tunnel_key | ssh root@10.10.10.1 "umask 077; mkdir -p /etc/rmm-agent; cat > /etc/rmm-agent/tunnel_key; chmod 600 /etc/rmm-agent/tunnel_key"
|
|
```
|
|
|
|
Update `/etc/rmm-agent.conf`:
|
|
|
|
```sh
|
|
TUNNEL_IDENTITY_FILE="/etc/rmm-agent/tunnel_key"
|
|
```
|
|
|
|
Deploy the latest agent and restart it:
|
|
|
|
```powershell
|
|
Get-Content -Raw .\agent\openwrt\rmm-agent.sh | ssh root@10.10.10.1 "cat > /usr/bin/rmm-agent; chmod +x /usr/bin/rmm-agent; /etc/init.d/rmm-agent restart"
|
|
```
|
|
|
|
## 4. Open A Remote Session
|
|
|
|
In the device Remote access panel use:
|
|
|
|
- Tunnel server: the Docker host IP reachable by the router, for example `10.10.10.2`.
|
|
- Server SSH port: `2222`.
|
|
- Remote port: leave empty for automatic selection.
|
|
- Router SSH port: `22`.
|
|
- Duration: `15 min`.
|
|
|
|
After the agent reports success, connect using the command shown in the UI:
|
|
|
|
```sh
|
|
ssh -p 22022 root@10.10.10.2
|
|
```
|
|
|
|
The actual port is selected per session.
|
|
|
|
## Operations
|
|
|
|
View logs:
|
|
|
|
```powershell
|
|
docker compose logs -f rmm-server
|
|
docker compose logs -f tunnel-ssh
|
|
```
|
|
|
|
Restart:
|
|
|
|
```powershell
|
|
docker compose restart
|
|
```
|
|
|
|
Stop without deleting data:
|
|
|
|
```powershell
|
|
docker compose down
|
|
```
|
|
|
|
Back up the SQLite database:
|
|
|
|
```powershell
|
|
docker compose cp rmm-server:/data/rmm.db .\tmp\rmm-backup.db
|
|
```
|
|
|
|
## Security Notes
|
|
|
|
- Restrict ports `18080`, `2222`, and `22000-22999` with the host firewall.
|
|
- Port `2222` must be reachable by managed routers.
|
|
- Ports `22000-22099` should only be reachable by trusted operators or VPN clients.
|
|
- Use long random enrollment/operator tokens.
|
|
- Current MVP uses one persistent router tunnel key. Per-device or per-session keys are the next hardening step.
|