Hello,
A few notes:
- The official Sandstorm installer is written as an interactive script, and it deliberately fails if run from a script instead of the terminal. (Actually, if one passes the "-d" flag to the script, one can get a default setup without interaction; unfortunately, this default setup results in a development server, not a production server.) For now, I am invoking the official, interactive script by calling it using empty-expect. This package is available on Ubuntu 18.04 but not 20.04, so for this reason alone the install currently uses Ubuntu 18.04 as its base image. Ideally, the official Sandstorm install script should be modified to allow a non-interactive production install by passing it environment variables. However, waiting for this would have prevented me from having working code today; hence, empty-expect as a stopgap measure.
- Once the script finishes, it is necessary to ssh to the server and run 'sandstorm admin-token' to get the login URL.
- Ideally, it would also be possible to skip Sandcats and use a domain of one's choosing, now that Let's Encrypt allows wildcard certificates. However, use of Sandcats seems baked into the install script, at least on the surface. When I typed "none" at the prompt to decline Sandcats on a production server, it suggested http://localhost:6080 (i.e., http on a non-standard port) as a potential install URL. I admit that the script might have worked fine if I just typed in my own domain name after setting up the DNS appropriately, but it didn't look promising, and I didn't try further, in part because... Even if the Sandstorm install script is able to work with custom domains, there is a bit of a chicken and egg problem: it is unclear what IP address one should set the DNS records to until the machine is created, but the Let's Encrypt challenge will error if the DNS records do not exist by the time the script reaches that point. So, to make this one-click install method work with a custom domain, it will be necessary to periodically check whether DNS is set up as expected and to wait until it is before invoking the Let's Encrypt challenge.
- Right now, the script does not use GPG to check that the Sandstorm install script has a valid signature, but it does fetch it over https. Also on the subject of trust, the StackScript requires one to trust me on some level, but Linode displays the entire contents of the script on the deployment page, so it is auditable there. The actual deployment script also exists on the new server at /root/StackScript.
Jim
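
The DNS wait described in the third note, sketched as an added example; it is not part of the message above or of the StackScript. It assumes `dig` is installed and queries a public resolver (default 1.1.1.1, an assumption) rather than the local one, so that /etc/hosts entries or a local cache cannot satisfy the check; the function names, hostname and IP address are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: block until HOST has an A record equal to this server's
# public IP, so the certificate challenge is not started against missing DNS.

# resolve_a HOST -> prints the answers for HOST, one per line.
# Asks an external resolver; DNS_RESOLVER is an assumed override knob.
resolve_a() {
    dig +short A "$1" @"${DNS_RESOLVER:-1.1.1.1}"
}

# dns_points_here HOST EXPECTED_IP -> exit 0 only when EXPECTED_IP is one of
# the answers. -x -F forces a whole-line literal match, so 203.0.113.100
# does not satisfy a check for 203.0.113.10.
dns_points_here() {
    resolve_a "$1" | grep -qxF -- "$2"
}

# wait_for_dns HOST EXPECTED_IP [TIMEOUT_SECS] [INTERVAL_SECS]
# Polls until the record matches; returns 1 once the deadline has passed so
# the caller can abort instead of running a challenge that will fail.
wait_for_dns() {
    wfd_host=$1
    wfd_expected=$2
    wfd_timeout=${3:-1800}
    wfd_interval=${4:-30}
    wfd_deadline=$(( $(date +%s) + wfd_timeout ))
    while :; do
        if dns_points_here "$wfd_host" "$wfd_expected"; then
            return 0
        fi
        if [ "$(date +%s)" -ge "$wfd_deadline" ]; then
            echo "timed out waiting for $wfd_host -> $wfd_expected" >&2
            return 1
        fi
        sleep "$wfd_interval"
    done
}

# Usage in a deployment script (hostname and IP are placeholders):
#   wait_for_dns sandstorm.example.com 203.0.113.10 || exit 1
```

For a wildcard setup, call `wait_for_dns` a second time with an arbitrary label under the wildcard, so both the base name and the wildcard record are confirmed before the installer runs.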