The Open Energy Playground is great to get started fast with prototyping and experimenting.
But it is also made to be used out in the real world, in what is sometimes also called production!
This page is a collection of thoughts and recommendations regarding Open Energy in production. Though we try to keep the list updated, it should not be regarded as a complete list of everything you need to do to secure your production environment.
This page is targeted at more experienced developers and power users, and assumes that you have the playground running on a Linux server.
By default, the playground publishes a number of ports to the wild, dangerous internet. This should be reconfigured so that the containers can still reach each other, but cannot be reached from the outside.
To do this, change ports to expose in docker-compose.yml for every port that does not need to be reachable from the host or the internet: a ports entry publishes the port on the host, while an expose entry only makes it reachable from the other containers. For example, you probably do not want to publish the InfluxDB web admin port. Change it from:
ports:
  - "8083:8083"
to:
expose:
  - 8083
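A quick way to check that no port slipped through is to audit the compose file for ports entries that have no bind address and are therefore published on every host interface. The script below is an added example, not part of the playground; it assumes the usual two-space-indented compose layout and the short "host:container" port syntax, and the sample compose file it writes is constructed for the demo.

```shell
# Added example (not the Open Energy Playground's code): report every "ports:"
# entry in a docker-compose.yml with no bind address, i.e. published on all
# host interfaces. Assumes two-space indentation and the short port syntax.

# Print "service<TAB>mapping" for each externally reachable published port.
audit_published_ports() {
  awk '
    # A two-space key under "services:" names the current service.
    /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { service = $1; sub(/:$/, "", service); inports = 0; next }
    # Four-space keys: "ports:" opens a block, any other key closes it.
    /^    [A-Za-z0-9_.-]+:/ { inports = ($1 == "ports:"); next }
    inports && /^[[:space:]]*-/ {
      mapping = $0
      sub(/^[[:space:]]*-[[:space:]]*/, "", mapping)   # drop the "- " list marker
      gsub(/["\047]/, "", mapping)                     # drop quotes
      if (mapping ~ /[[:space:]]/) next                # long "- target:" syntax, skipped
      # "8083:8083" has no bind address (reachable from outside);
      # "127.0.0.1:8083:8083" has one (loopback only).
      if (split(mapping, f, ":") <= 2) print service "\t" mapping
    }
  ' "$1"
}

# Constructed sample in the playground's compose style (not the real file).
write_sample_compose() {
  cat > "$1" <<'EOF'
version: '2'
services:
  influxdb:
    image: influxdb
    ports:
      - "8083:8083"
      - "8086:8086"
  grafana:
    image: grafana/grafana
    ports:
      - "127.0.0.1:3000:3000"
  nodered:
    image: nodered/node-red
    expose:
      - 1880
EOF
}

# Demo: only the two InfluxDB ports are reported.
sample=$(mktemp)
write_sample_compose "$sample"
audit_published_ports "$sample"
rm -f "$sample"
```

Run it against your own docker-compose.yml by calling audit_published_ports on that path; an empty result means every remaining published port is bound to an explicit address.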
InfluxDB has authentication turned off by default. Either stop exposing the port and only access it from behind a firewall, or enable authentication as described in the InfluxDB documentation: Set up authentication
If you have a service accessing InfluxDB directly, consider creating a read-only user.
Make sure to change the login credentials for the Grafana admin user.
And disable user signup with:
environment:
  - GF_USERS_ALLOW_SIGN_UP=false
Don't forget to secure node-red, as it gives direct code execution privileges to anyone who can reach it.
Load Balancing & SSL
You can easily add load balancing and SSL termination by running this container: https://github.com/jwilder/nginx-proxy
To combine it with free SSL certs from Let's Encrypt, use this companion container: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion
Example configuration for running Grafana on hostname.com, with load balancing and SSL termination by nginx and automatic certs from Let's Encrypt:
letsencrypt:
  image: 'jrcs/letsencrypt-nginx-proxy-companion'
  restart: always
  volumes_from:
    - nginx
  volumes:
    - /certs:/etc/nginx/certs:rw
    - /var/run/docker.sock:/var/run/docker.sock:ro
nginx:
  image: jwilder/nginx-proxy
  restart: always
  ports:
    - '80:80'
    - '443:443'
  volumes:
    - '/certs:/etc/nginx/certs:ro'
    - '/etc/nginx/vhost.d'
    - '/usr/share/nginx/html'
    - '/var/run/docker.sock:/tmp/docker.sock:ro'
grafana:
  image: grafana/grafana
  volumes:
    - ./data/grafana:/var/lib/grafana
  expose:
    - 3000
  restart: always
  environment:
    - VIRTUAL_HOST=hostname.com
    - LETSENCRYPT_HOST=hostname.com
    - LETSENCRYPT_EMAIL=email@example.com