configuration for self hosting a spindle in docker

chore: release v0.1.0

+22 -15
+6 -6
CHANGELOG.md
··· 9 9 10 10 ## [0.1.0] - 2026-04-02 11 11 12 - Initial release of the spindle-docker stack. 12 + First working release. Tested on Ubuntu Linux. 13 13 14 14 ### Added 15 15 - Docker Compose stack with OpenBao (vault), OpenBao proxy (AppRole sidecar), and Spindle (CI runner) 16 16 - One-time vault bootstrap script (`init-openbao.sh`) with interactive AppRole Secret ID TTL prompt 17 17 - `.env`-based configuration with documented variables and defaults; Compose loads it automatically 18 - - All images pinned to versioned SHA256 digests (OpenBao `2.5.2`, Go `1.23.12-alpine3.22`, Alpine `3.23.3`) 19 - - Spindle source pinned to `v1.13.0-alpha` with commit SHA verification at build time (`go mod verify` included) 18 + - All images pinned to versioned SHA256 digests (OpenBao `2.5.2`, Go `1.25.8-alpine3.23`, Alpine `3.23.3`) 19 + - Spindle source pinned to `v1.13.0-alpha` (commit `c3f60dc1`) with SHA verification at build time 20 + - CGO enabled in builder with `gcc`/`musl-dev` for go-sqlite3 support 20 21 - OpenBao port bound to `127.0.0.1` only — not reachable from the network 21 22 - `IPC_LOCK` capability on both OpenBao and OpenBao proxy to prevent secrets from swapping to disk 22 - - AppRole token file permissions hardened to `0600` 23 - - Pinned versions table in README 24 - - Early development warning in README 23 + - AppRole credentials owned by OpenBao user (uid 100) with `640` permissions; volume mounted `:ro` 24 + - AppRole credential handling documented in README (`:ro` tradeoff and alternative setup) 25 25 26 26 [Unreleased]: https://tangled.org/daniel.gay/spindle-docker/compare/v0.1.0...HEAD 27 27 [0.1.0]: https://tangled.org/daniel.gay/spindle-docker/releases/tag/v0.1.0
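Review bot: the rewritten AppRole credentials entry relaxes the file permissions from `0600` to `640` (plus uid 100 ownership and a `:ro` volume mount), but the entry does not say which group gains read access or why `0600` no longer worked, so a changelog reader cannot tell whether this is a deliberate tradeoff or a loosening; add the reason here, or at least point at the README section the next line says documents the `:ro` tradeoff. Two smaller points in the same hunk: the Spindle pinning entry drops the `(\`go mod verify\` included)` note, so if `go mod verify` still runs in the Dockerfile keep it documented, and if it was removed list that as a change rather than dropping it silently; and the `Pinned versions table in README` and `Early development warning in README` items are deleted from the Added list even though the README diff in this same commit keeps both, so they still belong there.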
+16 -9
README.md
··· 1 1 # spindle-docker 2 2 3 - > **Early development / personal project** — This stack was built for personal use and has not been tested across a wide range of environments. It may have rough edges or undocumented assumptions. Use it at your own risk. 3 + > **Early development / personal project** — This stack was built for personal use and tested on Ubuntu Linux. It has not been tested across a wide range of environments and may have rough edges or undocumented assumptions. Use it at your own risk. 4 4 5 5 Docker Compose stack for self-hosting a [Tangled](https://tangled.org) spindle (CI runner) with [OpenBao](https://openbao.org) for secrets management. 6 6 ··· 57 57 docker compose up -d openbao 58 58 ``` 59 59 60 + Wait until you see the following line in the logs before continuing (`docker compose logs -f openbao`): 61 + 62 + ``` 63 + core: seal configuration missing, not initialized 64 + ``` 65 + 60 66 **3. Initialize the vault** (once only) 61 67 62 68 ```bash ··· 64 70 ./init-openbao.sh 65 71 ``` 66 72 67 - The script fixes permissions, initialises the vault, and configures AppRole automatically. When prompted, choose a Secret ID TTL or press enter for no expiry. 73 + The script fixes permissions, initialises the vault, and configures AppRole automatically. It will print an **unseal key** and **root token** — save both somewhere safe, they are not stored anywhere and cannot be recovered. You will also be prompted to choose a Secret ID TTL (press enter for no expiry). 68 74 69 - Save the **unseal key** and **root token** printed to stdout — they are not stored anywhere. 75 + **4. Start the full stack** 70 76 71 - **4. Start the full stack** 77 + Once the init script completes successfully: 72 78 73 79 ```bash 74 80 docker compose up -d ··· 76 82 77 83 ## After a restart 78 84 79 - OpenBao seals itself on every restart. Unseal it before the proxy and spindle can start: 85 + OpenBao seals itself on every restart. 
Run the unseal command once OpenBao is running (you can confirm it's ready when `docker compose logs openbao` shows `core: seal configuration missing, not initialized` or the container is healthy): 80 86 81 87 ```bash 82 88 docker compose exec openbao bao operator unseal <unseal_key> 83 89 ``` 84 90 91 + The proxy and Spindle will start automatically once OpenBao is unsealed and healthy. 92 + 85 93 ## Verify 86 94 87 95 ```bash 88 - curl http://localhost:8201/v1/sys/health # OpenBao proxy 89 - curl http://localhost:6555/ # Spindle 96 + curl http://localhost:6555/ # Spindle (should return the spindle welcome page) 90 97 ``` 91 98 92 99 ## Architecture ··· 107 114 | Component | Version | Where | 108 115 |-----------|---------|--------| 109 116 | OpenBao | `2.5.2` | `docker-compose.yml` | 110 - | Go (builder) | `1.23.12-alpine3.22` | `Dockerfile` | 117 + | Go (builder) | `1.25.8-alpine3.23` | `Dockerfile` | 111 118 | Alpine (runtime) | `3.23.3` | `Dockerfile` | 112 - | Spindle source | `v1.13.0-alpha` (`3572988`) | `Dockerfile` | 119 + | Spindle source | `v1.13.0-alpha` (`c3f60dc1`) | `Dockerfile` | 113 120 114 121 To upgrade any component, update the tag/version and its corresponding `@sha256:...` digest (or commit SHA for Spindle). All versions are currently alpha — there are no stable Spindle releases yet. 115 122
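Review bot: in the `After a restart` section the new readiness hint tells the reader to wait for `core: seal configuration missing, not initialized`, but that is the same line step 2 uses to detect an uninitialized vault; after a restart the vault is already initialized and merely sealed, so that message is unlikely to appear and a reader following the hint may wait indefinitely. Suggest keeping only the container-healthy condition there, or pointing at a sealed-but-running indicator such as `docker compose exec openbao bao status` reporting `Sealed: true` (assuming `bao status` matches the Vault CLI, which I have not checked against this image). Separately, the Verify section drops the `curl http://localhost:8201/v1/sys/health` check for the OpenBao proxy, leaving no documented way to confirm the proxy is up before testing Spindle; if port 8201 is still published, keep that line, and if it is no longer exposed, say so in the Architecture section.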