Installation & Update
Installation
Prerequisites: Docker Engine 20.10+, Docker Compose v2, bash, git.
Configuration
Access:

- Dashboard: https://<server-ip>
- WireGuard: UDP port 51820
- Admin password: `cat container-data/secrets/production/.admin_password`
Access from VPN
To access the dashboard while connected to the VPN, use the nginx container's address on the Docker network; it is reachable as https://<IPv4> or https://[<IPv6>] through the tunnel. To expose the dashboard only through the VPN tunnel, remove the `ports: "443:443"` line from docker-compose.yml so that port 443 is no longer published on the server's public interface.
Management
A convenient management tool is available at `./tools/prod.sh`.

| Command | Description |
|---|---|
| `setup` | Full setup |
| `setup --terazi-ipv4-subnet=SUBNET` | Setup with a custom subnet (e.g. `10.9.0.0/24`) |
| `up` | Start |
| `down` | Stop |
| `restart [service]` | Restart (all or a specific service) |
| `build` | Build images |
| `rebuild` | Build images from scratch (`--no-cache`) |
| `update` | Update (`git pull` + restart) |
| `compose lock` | Permanently lock `docker-compose.yml` |
| `compose unlock` | Unlock `docker-compose.yml` |
| `compose status` | Show current lock state |
| `logs [service]` | Follow logs (all or a specific service) |
| `status` | Docker Compose status |
| `certbot <domain>` | Obtain a Let's Encrypt TLS certificate |
| `show-versions` | Component versions (daemon, vendor packages) |
| `shell [service]` | Shell (default: daemon) |
| `exec <svc> <cmd>` | Execute a command in a service container |
| `hard-reset` | Delete all data |
Setup
The `setup` command creates all required components during first-time installation:

- Creates `.env.daemon` and `.env.auth-service` files from the `.example` templates.
- Generates the WireGuard server key pair (Curve25519: `wg_private_key`, `wg_public_key`).
- Auth-Service bootstrap cycle:
  - Generates the Ed25519 signing key pair (`auth_signing_key`, `auth_verify_key`).
  - Creates the auth database (`auth.db`: users, sessions, TOTP, audit log).
  - Creates the admin account (32-character random password, stored as an Argon2id hash).
- Generates a self-signed TLS certificate for nginx (`tls_cert`, `tls_key`).
All of these operations take place within the container — no additional dependencies or tools need to be installed on the host.
Terazi requires a base subnet to create the IP pool. The default is 10.8.0.0/24 and
can be customized at setup with the --terazi-ipv4-subnet argument. This value is only
used when wallet.db is created — once the database exists, the subnet is stored there
and the argument is no longer needed. See the
Terazi documentation for details.
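The following is an added illustration of the subnet rule above, not Terazi's or the project's own code. It validates a `--terazi-ipv4-subnet` value the way a practitioner would want (IPv4, private, large enough for a server plus clients), derives the client pool from it, and shows why the argument only matters on first setup: the stored value wins once the database exists. The `pool_config` table standing in for wallet.db is an assumed schema; the real wallet.db layout is not documented on this page.

```python
"""Added illustration of the subnet rule; not Terazi's or the project's own code.
The `pool_config` table used to stand in for wallet.db is an assumed schema."""
import ipaddress
import os
import sqlite3
import tempfile

DEFAULT_SUBNET = "10.8.0.0/24"  # default quoted in the text above


def validate_subnet(text):
    """Sanity-check a --terazi-ipv4-subnet value before it is persisted."""
    # strict=True rejects values with host bits set, e.g. 10.8.0.5/24
    net = ipaddress.ip_network(text, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("an IPv4 subnet is required")
    if not net.is_private:
        raise ValueError(f"{net} is not private (RFC 1918) address space")
    if net.prefixlen > 29:
        raise ValueError(f"{net} leaves too few addresses for a server plus clients")
    return net


def is_valid_subnet(text):
    try:
        validate_subnet(text)
        return True
    except ValueError:
        return False


def client_pool(net):
    """Addresses handed to clients. hosts() already drops network and broadcast;
    the first host is assumed to be the WireGuard server itself."""
    return list(net.hosts())[1:]


def ensure_pool_subnet(db_path, requested=None):
    """Return (subnet, created). The argument only matters when the database is
    created; afterwards the stored subnet wins and the argument is ignored."""
    conn = sqlite3.connect(db_path)
    try:
        conn.execute(
            "CREATE TABLE IF NOT EXISTS pool_config (key TEXT PRIMARY KEY, value TEXT NOT NULL)"
        )
        row = conn.execute(
            "SELECT value FROM pool_config WHERE key = 'ipv4_subnet'"
        ).fetchone()
        if row is not None:
            return ipaddress.ip_network(row[0]), False
        net = validate_subnet(requested or DEFAULT_SUBNET)
        conn.execute("INSERT INTO pool_config VALUES ('ipv4_subnet', ?)", (str(net),))
        conn.commit()
        return net, True
    finally:
        conn.close()


def demo_two_setups():
    """Run setup twice against one wallet.db (in a temp dir) with different
    arguments; the second argument has no effect on the stored subnet."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "wallet.db")
        first, created = ensure_pool_subnet(db, "10.9.0.0/24")
        second, created_again = ensure_pool_subnet(db, "10.50.0.0/24")
    return str(first), created, str(second), created_again


if __name__ == "__main__":
    print(demo_two_setups())
    pool = client_pool(validate_subnet(DEFAULT_SUBNET))
    print(len(pool), "client addresses in", DEFAULT_SUBNET, "starting at", pool[0])
```

The practical consequence is that a typo in the subnet on the first `setup` is persisted; to change it afterwards you would have to recreate wallet.db rather than re-run `setup` with a new argument.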
Update Mechanism
The daemon and auth-service source code is mounted read-only into the containers
(`phantom_daemon:/app/phantom_daemon:ro`, `services/auth-service:/app/auth-service:ro`).
The Dockerfiles provide only system dependencies (Python, runtime packages); application
code is not baked into the image. This enables:

- Fast updates: `git pull` + `restart` is sufficient, no image rebuild required.
- Fast rollback: `git checkout <previous-version>` + `restart` for an immediate rollback.
- Build independence: code changes do not trigger a container build cycle.

The flip side is that the containers run whatever is in the host checkout: confirm the working tree is at the intended tag or commit before `restart`, and rebuild the images when a version also changes system dependencies (see Rebuild below).
Compose Lock
If you have modified docker-compose.yml (ports, volumes, environment), updates may
overwrite your changes. Compose lock protects this file from git updates: lock it with
`compose lock`, inspect the state with `compose status`, and use `compose unlock` when you
need to pick up upstream changes to the file.
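As an added example (not part of tools/prod.sh), here is a pre-update check for the risk described above: local edits to docker-compose.yml being clobbered by the `git pull` inside `update`. It assumes the lock is implemented with `git update-index --skip-worktree`, a common way to keep a tracked file out of pulls; how prod.sh really implements `compose lock` is not documented here. Git is only invoked from `run_git()`; the parsers take captured output, so they can be exercised offline on the constructed samples in the block.

```python
"""Added example, not part of tools/prod.sh. Assumes the compose lock is a
git skip-worktree bit; the project's real mechanism is not documented here."""
import subprocess

COMPOSE_FILE = "docker-compose.yml"

# Constructed samples of git output (not captured from the project's repo).
LS_FILES_UNLOCKED = "H docker-compose.yml\nH tools/prod.sh\n"
LS_FILES_LOCKED = "S docker-compose.yml\nH tools/prod.sh\n"
STATUS_DIRTY = " M docker-compose.yml\n?? notes.txt\n"
STATUS_CLEAN = ""


def parse_ls_files_v(output):
    """Map path -> tag letter from `git ls-files -v`: 'H' normal, 'S' skip-worktree;
    a lowercase letter means assume-unchanged is also set."""
    tags = {}
    for line in output.splitlines():
        if len(line) > 2 and line[1] == " ":
            tags[line[2:]] = line[0]
    return tags


def is_locked(tags, path=COMPOSE_FILE):
    return tags.get(path, "").lower() == "s"


def parse_status_porcelain(output):
    """Paths reported by `git status --porcelain` (format: 'XY path')."""
    paths = set()
    for line in output.splitlines():
        if len(line) > 3:
            paths.add(line[3:].split(" -> ")[-1])  # renames show 'old -> new'
    return paths


def update_is_safe(status_output, ls_files_output, path=COMPOSE_FILE):
    """Safe when the compose file is either untouched or protected by the lock."""
    modified = path in parse_status_porcelain(status_output)
    locked = is_locked(parse_ls_files_v(ls_files_output), path)
    return locked or not modified


def lock_command(path=COMPOSE_FILE, unlock=False):
    """argv that sets or clears the skip-worktree bit on the compose file."""
    flag = "--no-skip-worktree" if unlock else "--skip-worktree"
    return ["git", "update-index", flag, path]


def run_git(args):
    return subprocess.run(["git", *args], check=True, capture_output=True, text=True).stdout


def check_live_repo(path=COMPOSE_FILE):
    """The real check against the current checkout (needs git on PATH)."""
    return update_is_safe(run_git(["status", "--porcelain"]),
                          run_git(["ls-files", "-v", path]), path)


if __name__ == "__main__":
    if check_live_repo():
        print("safe to update")
    else:
        print(f"{COMPOSE_FILE} has unprotected local edits; lock it first, e.g.:",
              " ".join(lock_command()))
```

Note that skip-worktree does not merge: if an update changes docker-compose.yml upstream, `git pull` refuses to overwrite the file. In that case unlock, reconcile your edits with the new upstream version, and lock again.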
Rebuild
When system dependencies change (Dockerfile, requirements.txt), an image rebuild is required: use `build`, or `rebuild` to build from scratch without the Docker build cache.
Let's Encrypt (Optional)
The default self-signed certificate can be replaced with a Let's Encrypt certificate via `certbot <domain>`. It uses the HTTP-01 standalone challenge: the domain must have an A record pointing to the server, and port 80 must be free on the host and reachable from the internet while the command runs (the standalone authenticator binds the port itself).
Certificate files are written to `container-data/secrets/production/tls_cert` and
`tls_key`. Renewal is idempotent: run the same command again when the certificate is
near expiry (certbot's own default is to renew with 30 days remaining).
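Because renewal is a manual re-run of the same command, a practitioner wants a check that says when it is due. The following is an added example, not part of prod.sh: it reads the expiry out of the deployed `tls_cert` with openssl and compares it against a 30-day window. The certificate path is the one named above; the threshold and the openssl invocation are this example's choices, and the date arithmetic is kept in pure functions so it can be checked on a constructed openssl output line without a real certificate.

```python
"""Added example, not part of prod.sh: decide whether `certbot <domain>` should
be run again by parsing `openssl x509 -enddate` output for tls_cert."""
import subprocess
from datetime import datetime, timezone

CERT_PATH = "container-data/secrets/production/tls_cert"
RENEW_WITHIN_DAYS = 30  # same window certbot uses for its own renew logic

# Constructed sample of `openssl x509 -noout -enddate` output (not from a real cert).
SAMPLE_ENDDATE = "notAfter=Mar 14 12:00:00 2026 GMT"


def parse_not_after(enddate_line):
    """Parse 'notAfter=Mar 14 12:00:00 2026 GMT'. openssl pads single-digit days
    with a space ('Mar  4 ...'); strptime tolerates the extra whitespace."""
    _, sep, value = enddate_line.strip().partition("=")
    if not sep or not value:
        raise ValueError(f"unexpected openssl output: {enddate_line!r}")
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)  # openssl prints UTC as GMT


def days_remaining(enddate_line, now_iso=None):
    """Days until expiry relative to an ISO-8601 timestamp (default: now, UTC).
    Negative means the certificate has already expired."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return (parse_not_after(enddate_line) - now).total_seconds() / 86400


def renewal_due(enddate_line, now_iso=None, threshold_days=RENEW_WITHIN_DAYS):
    return days_remaining(enddate_line, now_iso) <= threshold_days


def read_enddate(cert_path=CERT_PATH):
    """Ask openssl for the expiry line of the deployed certificate."""
    return subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-enddate"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    line = read_enddate()
    left = days_remaining(line)
    print(f"{left:.1f} days left;", "run certbot again" if renewal_due(line) else "nothing to do")
```

Run it from the repository root (the path is relative to it) from a daily cron job or a monitoring check; when it reports that renewal is due, re-run `certbot <domain>` and restart so nginx picks up the new files.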