Docker setup
This is a step-by-step guide to setting up a running Mobistudy server with Docker. It assumes a good understanding of Docker, but it is also meant to be used by those who are learning. As there is no single solution that will satisfy all possible requirements, here we show some possible setups.
Mobistudy comes with 2 Docker images, one for MobistudyAPI and one for MobistudyWeb. In addition, it needs ArangoDB to be running and accessible from MobistudyAPI and, depending on the cases, a reverse proxy for serving both the web and the API.
We suppose that the server has some Debian-like Linux installed. Different instructions are needed for other environments.
This is a summary of https://docs.docker.com/install/linux/docker-ce/ubuntu/. On other operating systems, follow Docker's official guides.
Uninstall older versions:
sudo apt-get remove docker docker-engine docker.io containerd runc
Add dependencies:
sudo apt-get update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
Install Docker, stable release:
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/debian \
   $(lsb_release -cs) \
   stable"
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
Check that it's installed:
docker run hello-world
Run Docker on boot:
sudo systemctl enable docker
Allow non-root users to run Docker (see https://docs.docker.com/install/linux/linux-postinstall/). Create the docker group:
sudo groupadd docker
Add your user to the group:
sudo usermod -aG docker USER
You can check with:
id USER
Now log out and log in again and run:
docker run hello-world
You should be good to go.
We assume git is installed as command line tool. If not, install it. See this guide for Ubuntu.
git clone https://github.com/Mobistudy/MobistudyAPI.git ./API
git clone https://github.com/Mobistudy/MobistudyWeb.git ./WEB
Download the VeraCrypt console version from: https://www.veracrypt.fr/en/Downloads.html
Install the package if it exists (sudo apt install ./name.deb), or use the manual installation process otherwise.
Follow the instructions here.
Create an encrypted volume with:
veracrypt -t -c
Next:
- Choose 1: normal.
- Enter a path, for example ./mobidata
- Enter size of the volume: for example 10G
- Encryption algorithm: AES
- Hash algorithm: SHA-512
- Filesystem: Ext4
- Leave PIM and keyfile path empty.
Create a folder where to mount the encrypted volume, for example:
sudo mkdir ./datamnt
Next, mount the encrypted volume:
veracrypt PATH_TO_VOLUME_FILE ./datamnt
Enter the password and skip PIM and keyfile.
This will likely mount the folder as root and you won't be able to write in it, so change the owner and group back to the current user:
chown USER datamnt
chown :GROUP datamnt
Now you should be able to cd into datamnt and read and write files there.
This approach treats a large file as if it were a separate physical disk, links it using a Linux loop device, and then encrypts it using the highly secure Linux Unified Key Setup (LUKS).
Install the kernel modules:
sudo apt update
sudo apt install cryptsetup -y
Create a file of 5GB for your data (this can take time):
sudo dd if=/dev/urandom of=/home/USER/mobistudy/encrypted_vault.img bs=1G count=5
Format the container with LUKS and make sure to write down the password. Choose a strong password.
sudo cryptsetup luksFormat /home/USER/mobistudy/encrypted_vault.img
Link the file to a virtual device:
sudo cryptsetup luksOpen /home/USER/mobistudy/encrypted_vault.img mobivault
Now the device is accessible at /dev/mapper/mobivault. Add a file system on top:
sudo mkfs.ext4 /dev/mapper/mobivault
Create a mount point:
sudo mkdir /mnt/mobidata
Mount the volume:
sudo mount /dev/mapper/mobivault /mnt/mobidata
Give USER access to the data:
sudo chown -R USER:USER /mnt/mobidata
Now, to open the volume after reboot, you can use something like the following script:
#!/bin/bash
# --- Configuration ---
CONTAINER_FILE="/home/USER/mobistudy/encrypted_vault.img"
MAPPED_NAME="mobivault"
MOUNT_POINT="/mnt/mobidata"
VAULT_USER="USER"
echo "=== 🔒 Opening Encrypted Vault ==="
# 1. Open the LUKS container (cryptsetup prompts for the passphrase)
echo "Enter LUKS Passphrase for $MAPPED_NAME:"
if sudo cryptsetup luksOpen "$CONTAINER_FILE" "$MAPPED_NAME"; then
    echo "LUKS container opened successfully. Mapping at /dev/mapper/$MAPPED_NAME."
    # 2. Mount the decrypted device; stop on failure so that ownership
    #    is never changed on the bare, unencrypted mount point
    echo "Mounting volume to $MOUNT_POINT..."
    if ! sudo mount "/dev/mapper/$MAPPED_NAME" "$MOUNT_POINT"; then
        echo "ERROR: Failed to mount /dev/mapper/$MAPPED_NAME on $MOUNT_POINT."
        exit 1
    fi
    # 3. Correct ownership for user access
    sudo chown -R "$VAULT_USER:$VAULT_USER" "$MOUNT_POINT"
    echo "Volume mounted and ownership set for user $VAULT_USER."
    echo "Vault is ready for use at $MOUNT_POINT"
else
    echo "ERROR: Failed to open LUKS container. Check your passphrase or file path."
    exit 1
fi
This may be needed if you want to keep data in containers or volumes.
Create a directory inside datamnt called docker
mkdir docker
Instructions taken from here:
sudo service docker stop
Add a file named daemon.json under the directory /etc/docker. The file should have this content:
{
  "data-root": "/path/to/your/docker"
}
Copy the content of the old folder:
sudo rsync -aP /var/lib/docker/ /path/to/your/docker
Start Docker:
sudo service docker start
We need a virtual network, let's call it mobinet:
docker network create mobinet
First create either a volume or a folder inside the encrypted partition where to store the database data permanently.
Run a Docker container with ArangoDB, make sure the root password is well set:
docker run -e ARANGO_ROOT_PASSWORD=xxxxxxxxx -d \
    -v path/to/folder/or/volume:/var/lib/arangodb3 \
    --name mobidb \
    --net=mobinet \
    arangodb:3.10.3
Check that it's running with:
docker ps
If it's the first time you run it, you need to initialise the database. Open the arango shell with:
docker exec -it mobidb arangosh --server.password xxxxxxxxx
And then run the following script:
db._createDatabase("mobistudy");
var users = require("@arangodb/users");
users.save("mobistudy", "xxxxxxxxx");
users.grantDatabase("mobistudy", "mobistudy");
Exit with exit.
First create either a volume or a folder inside the encrypted partition where to store the server logs data permanently.
Compile the mobistudy API:
docker build -t mobistudyapi .
Then run the API with the following. Make sure to set all passwords correctly:
docker run -d \
    --net=mobinet \
    -v path/to/folder/or/volume:/usr/src/app/logs \
    -v path/to/folder/or/volume:/usr/src/app/tmp \
    -v path/to/folder/or/volume:/usr/src/app/tasksuploads \
    -e WEB_CLUSTER=true \
    -e WEB_PORT=80 \
    -e CERT_KEY=path/to/pem.file \
    -e CERT_FILE=path/to/cert.file \
    -e LOGS_FOLDER=logs \
    -e LOGS_ROTATIONSIZE=5M \
    -e LOGS_LEVEL=30 \
    -e LOGS_CONSOLE=true \
    -e LOGHTTP=false \
    -e VALIDATE_SCHEMA=false \
    -e AUTH_SECRET="xxxxxx" \
    -e AUTH_TOKEN_EXPIRES="30 days" \
    -e AUTH_ADMIN_EMAIL="[email protected]" \
    -e AUTH_ADMIN_PASSWORD="aaaaaaaa" \
    -e DB_HOST="mobidb" \
    -e DB_PORT=8529 \
    -e DB_NAME="mobistudy" \
    -e DB_USER="mobistudy" \
    -e DB_PASSWORD="xxxxxxxxx" \
    -e SMTP_DISABLED=false \
    -e SMTP_SERVER="smtp.xxxx.com" \
    -e SMTP_EMAIL="[email protected]" \
    -e SMTP_USER="UUUUUUU" \
    -e SMTP_PASSWORD="zzzzzzzz" \
    -e ENVAPIS_DISABLED=false \
    -e ENVAPIS_OWP_API_KEY="qqqqqqqqq" \
    -e ENVAPIS_AMBEE_API_KEY="ppppppppp" \
    --name mobiapi \
    mobistudyapi
If you connect to host/api you should now see a reply.
Notice that we specified the DB host as mobidb, a hostname that Docker creates automatically within the network.
There are 3 folders where data is stored:
- /usr/src/app/logs
- /usr/src/app/tmp
- /usr/src/app/tasksuploads
You can mount them on a local folder or a Docker volume. Make sure those are in an encrypted disk or folder!
If you use Docker volumes and want to look into them, you can list the files with:
docker run --rm -i -v=volumeName:/tmp/myvolume busybox find /tmp/myvolume
And open one file with:
docker run --rm -i -v=volumeName:/tmp/myvolume busybox cat /tmp/myvolume/app.log
We will use Caddy as reverse proxy, also because it supports Letsencrypt certificates.
Compile the web interface container:
docker build -t mobistudyweb .
Then create a Caddyfile somewhere on your system, like the following:
# Simple HTTP (not secure)
:80
root * /var/www
reverse_proxy /api/* mobiapi:80 {
    header_up Host {http.reverse_proxy.upstream.hostport}
}
reverse_proxy /datadownload/* mobiapi:80 {
    header_up Host {http.reverse_proxy.upstream.hostport}
}
file_server
encode zstd gzip
Run it:
docker run -d \
    -p 80:80 \
    -v path/to/folder/or/volume:/etc/caddy/ \
    -v path/to/folder/or/volume:/data \
    --net=mobinet \
    --name mobiweb \
    mobistudyweb
To support Letsencrypt (assuming your DNS is configured to app.mobistudy.org):
app.mobistudy.org
root * /var/www
reverse_proxy /api/* mobiapi:80 {
    header_up Host {http.reverse_proxy.upstream.hostport}
}
reverse_proxy /datadownload/* mobiapi:80 {
    header_up Host {http.reverse_proxy.upstream.hostport}
}
file_server
encode zstd gzip
and run it on the HTTPS port instead:
docker run -d \
    -p 443:443 \
    -v path/to/Caddyfile:/etc/caddy/Caddyfile \
    -v path/to/folder/or/volume:/data \
    --net=mobinet \
    --name mobiweb \
    mobistudyweb
TBD
If you need to clean up Docker containers, images and volumes:
docker rm $(docker ps -a -q)
docker rmi $(docker images -q)
docker system prune -a
docker system prune --volumes
Be aware that removing the Docker containers also removes the persistent files stored inside them, so the DB and the log files are lost unless you have placed these outside of the containers.
If you need to restart the machine, once you've logged onto it:
Mount the Veracrypt volume:
veracrypt PATH_TO_VOLUME_FILE ./datamnt
Skip PIM and keyfile, say No to "Protect hidden volume" and use the current user's password when asked for "Enter your user password or administrator password".
Then restart the Docker containers:
docker start mobidb
docker start mobiapi
docker start mobiweb