43 changes: 43 additions & 0 deletions docker-compose.phala.yml
Expand Up @@ -14,6 +14,12 @@
# Required secrets (set as encrypted Phala CVM environment variables):
# GCP_SERVICE_ACCOUNT_JSON - GCP service account key (raw JSON or base64-encoded)
# GCP_PROJECT_ID - GCP project ID (e.g. "my-gcp-project")
#
# Additional secrets required for custom-domain profile (dstack-ingress):
# NODE_DOMAIN - Per-node domain (e.g. "node1.api.dev.litprotocol.com")
# CERTBOT_EMAIL - Email for Let's Encrypt certificate notifications
# AWS_ACCESS_KEY_ID - AWS IAM key for Route 53 DNS-01 ACME challenges
# AWS_SECRET_ACCESS_KEY - AWS IAM secret for Route 53 DNS-01 ACME challenges

# RUST_LOG filter shared by lit-actions and lit-api-server.
# App code stays at trace; per-module overrides suppress low-value internals:
Expand Down Expand Up @@ -104,5 +110,42 @@ services:
ROCKET_PORT: "8001"
restart: unless-stopped

# dstack-ingress — TLS termination + attestation cert for custom domain (CPL-118).
# Activated with: docker compose --profile custom-domain up
#
# Issues a cert with both NODE_DOMAIN and ALIAS_DOMAIN as SANs via DNS-01
# (Route 53). The cert contains the CVM attestation identity, proving TLS is
# controlled exclusively by the TEE. NLB does TCP passthrough on :443.
#
# Automatically handles:
# - Per-node DNS record (NODE_DOMAIN → Phala gateway CNAME)
# - Shared attestation TXT append (_dstack-app-address.ALIAS_DOMAIN)
# - nginx server_name for both domains
#
# Requires ALIAS_DOMAIN support: https://github.com/Dstack-TEE/dstack-examples/pull/83
# ROUTE53_INITIAL_WEIGHT intentionally NOT set — NLB handles traffic routing.
dstack-ingress:
profiles: ["custom-domain"]
image: dstacktee/dstack-ingress:1.4@sha256:11c0481ca1e2ef9c959187ff3c01c7f59c26d631c7717a571ad994b96203bb0b
ports:
- "443:443"
environment:
DOMAIN: "${NODE_DOMAIN}"
ALIAS_DOMAIN: "api.dev.litprotocol.com"
DNS_PROVIDER: "route53"
TARGET_ENDPOINT: "http://lit-api-server:8000"
CERTBOT_EMAIL: "${CERTBOT_EMAIL}"
SET_CAA: "true"
AWS_ACCESS_KEY_ID: "${AWS_ACCESS_KEY_ID}"
AWS_SECRET_ACCESS_KEY: "${AWS_SECRET_ACCESS_KEY}"
volumes:
- /var/run/dstack.sock:/var/run/dstack.sock
- cert-data:/etc/letsencrypt
depends_on:
lit-api-server:
condition: service_started
restart: unless-stopped

volumes:
lit-socket:
cert-data:
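Review bot: An unset `NODE_DOMAIN` or `CERTBOT_EMAIL` is substituted as an empty string by Compose, so `DOMAIN: "${NODE_DOMAIN}"` in the dstack-ingress environment block starts the container with an empty domain and the failure only surfaces later in certbot instead of at `docker compose --profile custom-domain up`. The required-variable form, `DOMAIN: "${NODE_DOMAIN:?NODE_DOMAIN is required for the custom-domain profile}"`, applied likewise to `CERTBOT_EMAIL`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, makes the profile fail fast naming the missing variable; this assumes Phala's CVM runner applies standard Compose interpolation, which is worth confirming. Relatedly, `ALIAS_DOMAIN` is hard-coded to the dev hostname while `NODE_DOMAIN` is injected, so the file cannot be reused for another environment without editing; if that is deliberate, a one-line comment beside it saying so would help. The header comment for `AWS_ACCESS_KEY_ID` in the first hunk could also state that the key only needs record change/read rights on the Route 53 hosted zone for the alias domain, since the ingress container receives the credentials as plain environment variables.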