I’m setting up `dokku` as a personal infrastructure PaaS for running services like the personal indexing service.
This was a confusing affair so I’m writing these notes to reference later if I ever need to set it up again.
Notes:
Create an EC2 instance and set up dokku
- Has to be 2 GB or more to avoid issues with `dokku` installation
- Has to be Ubuntu (the default Amazon Linux distro will not work)
- When you `ssh` into the newly created instance, you have to use the `ubuntu` default user `ubuntu@ec2-address-here.region.compute.amazonaws.com`
- Make sure to add the `.pem` key to `ssh-agent` on your local machine or `git push dokku main` won’t succeed
- Set up a domain by running `dokku domains:set-global mydomain.com` and setting up a Route53 CNAME record to point to the public domain name of the AWS EC2 instance (note: this will break if the EC2 instance is restarted, use an AWS Elastic IP to avoid this)
Create a dokku app
- SSH into the `dokku` host server and run `dokku apps:create my-project`
- On local run `git remote add dokku dokku@mydomain.com:my-project`
- Push `git push dokku main` and trigger the build/deploy (this just works if you have a `Dockerfile` at the root of the project)
Tailscale
I followed the Tailscale app connector setup instructions to limit traffic to the `dokku` domain to my tailnet. That means I’m the only one that can access it and I must have `tailscale` running on my device to access `dokku`.
On the `dokku` EC2 instance
- Install tailscale `curl -fsSL https://tailscale.com/install.sh | sh`
- Run the app connector `sudo tailscale up --advertise-connector --advertise-tags=tag:indexer-app-connector`
- Now traffic to the domain is restricted to only go through `tailscale`
Using GitHub deploy keys
I sometimes need access to a GitHub repo at runtime from an application (e.g. pulling the latest from a repo, making a commit, etc.). GitHub has deploy keys for this (single repo key, read-only by default). Putting secret keys into a docker image would be insecure so instead, we can use `dokku` volume mounts to make them available to the app that needs it.
- Make the directory on the `dokku` EC2 instance that will become the mounted volume `mkdir /var/lib/dokku/data/storage/my-app`
- Copy or generate the deployment key to the directory that was just made
- Mount the volume `dokku storage:mount my-app /var/lib/dokku/data/storage/my-app:/storage/path`
- Access it from the running app under `/storage/path`
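
A check to run on the host after the steps above, as an added example that is not part of the original notes: it audits the storage directory holding the deploy key and flags a private key that group or others can read (OpenSSH also refuses to load such a key) or a directory that others can write to. The function name `audit_key_dir` is an assumption, and it relies on GNU `find`, which Ubuntu ships.

```shell
#!/bin/sh
# Added example: audit a dokku storage directory that holds a deploy key.
# audit_key_dir is an illustrative name, not a dokku command.
# Run it as a user that can read the key files (e.g. via sudo).

# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_key_dir() {
    dir=$1
    findings=0

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi

    # The directory must not be writable by group or others,
    # otherwise another local user could swap the key.
    if [ -n "$(find "$dir" -maxdepth 0 -perm /022)" ]; then
        echo "directory writable by group/others: $dir"
        findings=1
    fi

    # Any file containing a private key must be owner-only (0600 or 0400).
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            if [ -n "$(find "$f" -maxdepth 0 -perm /077)" ]; then
                echo "private key readable by group/others: $f"
                findings=1
            fi
        fi
    done

    return "$findings"
}

# On the dokku host (path taken from the steps above):
#   audit_key_dir /var/lib/dokku/data/storage/my-app
```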