
Installation Guide

Quick Start

Docker Build

# Build the image from the Dockerfile in the current directory and tag it "moat".
docker build --tag moat .

Docker Run

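# Export the key in the calling shell first; "-e NAME" with no value copies it
# from that environment, so the secret stays out of the docker command line,
# the shell history and the host process listing. It is still readable through
# "docker inspect", so limit who can reach the Docker socket.
#
# SYS_ADMIN is a very broad capability: confirm that your kernel and Moat build
# need it in addition to BPF and NET_ADMIN before granting it.
#
# NOTE(review): without host networking, 127.0.0.1 is the container's own
# loopback, so this upstream is only reachable if it runs in the same network
# namespace -- confirm for your setup.
docker run --cap-add=SYS_ADMIN --cap-add=BPF --cap-add=NET_ADMIN \
  -e AX_ARXIGNIS_API_KEY \
  moat --iface eth0 \
  --upstream "http://127.0.0.1:8081"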

Docker Compose

Basic Setup

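services:
  moat:
    build: .
    # SYS_ADMIN is a very broad capability; confirm that your kernel and Moat
    # build need it in addition to BPF and NET_ADMIN before granting it.
    cap_add:
      - SYS_ADMIN
      - BPF
      - NET_ADMIN
    ports:
      - "80:80"
      - "443:443"
      - "127.0.0.1:8080:8080" # Health check port, published on host loopback only
    environment:
      - AX_SERVER_HEALTH_CHECK_ENABLED=true
      - AX_SERVER_HEALTH_CHECK_PORT=0.0.0.0:8080
      - AX_SERVER_HEALTH_CHECK_ENDPOINT=/health
      # Restricts which client addresses may query the health endpoint.
      # NOTE(review): requests arriving through the published port may carry
      # the Docker bridge address rather than 127.0.0.1 -- confirm that host-side
      # checks are accepted, and widen this list only as far as needed.
      - AX_SERVER_HEALTH_CHECK_ALLOWED_CIDRS=127.0.0.0/8,::1/128
      # The API key is read from the caller's environment or .env file instead
      # of being written into this file or passed as a command-line argument.
      - "AX_ARXIGNIS_API_KEY=${AX_ARXIGNIS_API_KEY:?set it in the environment or in .env}"
    command: ["--iface", "eth0", "--upstream", "http://backend:8081"]
    # Runs inside the container, so it reaches the endpoint over loopback.
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s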

Kubernetes Deployment

Deployment Manifest

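apiVersion: apps/v1
kind: Deployment
metadata:
  name: moat
spec:
  replicas: 3
  selector:
    matchLabels:
      app: moat
  template:
    metadata:
      labels:
        app: moat
    spec:
      containers:
        - name: moat
          # ":latest" is mutable; for production, pin a version tag or an
          # image digest so every replica runs the build you reviewed.
          image: moat:latest
          ports:
            - containerPort: 80
              name: http
            - containerPort: 443
              name: https
            - containerPort: 8080
              name: health
          env:
            - name: AX_SERVER_HEALTH_CHECK_ENABLED
              value: "true"
            # Listens on all pod interfaces so the kubelet probes can reach it.
            # AX_SERVER_HEALTH_CHECK_ALLOWED_CIDRS is not set in this manifest;
            # if you set it, include the address range the probes come from.
            - name: AX_SERVER_HEALTH_CHECK_PORT
              value: "0.0.0.0:8080"
            - name: AX_SERVER_HEALTH_CHECK_ENDPOINT
              value: "/health"
            # The API key comes from a Secret, not from args or a literal value.
            - name: AX_ARXIGNIS_API_KEY
              valueFrom:
                secretKeyRef:
                  name: moat-secrets
                  key: arxignis-api-key
          args:
            - "--iface"
            - "eth0"
            - "--upstream"
            - "http://backend-service:8081"
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
          securityContext:
            # SYS_ADMIN is a very broad capability; confirm that your nodes'
            # kernel and Moat build need it in addition to BPF and NET_ADMIN.
            capabilities:
              add:
                - SYS_ADMIN
                - BPF
                - NET_ADMIN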
---
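apiVersion: v1
kind: Service
metadata:
  name: moat-service
spec:
  selector:
    app: moat
  # Only the proxy ports are published on the external load balancer.
  # The health port (8080) is deliberately not listed: the liveness and
  # readiness probes reach the pod directly and do not need this Service.
  # If in-cluster monitoring needs the health endpoint, expose it through a
  # separate ClusterIP Service rather than the public LoadBalancer.
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443
  type: LoadBalancer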

TLS Configuration

Custom TLS

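# Generate a self-signed certificate for local testing only.
# -nodes writes the private key unencrypted, so restrict it to its owner.
openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout server.key -out server.crt -days 365 \
  -subj "/CN=localhost"
chmod 600 server.key

# Build & run
cargo build --release
sudo bash -c 'ulimit -l unlimited && target/release/moat \
  --iface lo \
  --tls-addr 0.0.0.0:8443 \
  --tls-mode custom \
  --tls-cert-path server.crt \
  --tls-key-path server.key \
  --upstream http://127.0.0.1:8081'

# Test
# -k turns off certificate verification; that is acceptable only for this
# self-signed local test. Passing --cacert server.crt instead of -k keeps
# verification on.
curl -vk https://localhost:8443/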

ACME/Let's Encrypt

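# Build & run
# Replace your-domain.com and the contact address (a placeholder; the address
# on the original page was lost to e-mail obfuscation) with your own values.
# NOTE(review): --acme-use-prod presumably selects the Let's Encrypt production
# directory, which is rate limited -- consider a first run without it.
# The Redis URL has no credentials; keep that instance on loopback or add
# authentication before pointing this at a shared Redis.
cargo build --release
sudo bash -c 'ulimit -l unlimited && target/release/moat \
  --iface eth0 \
  --tls-addr 0.0.0.0:443 \
  --tls-mode acme \
  --acme-domains your-domain.com \
  --acme-contacts admin@your-domain.com \
  --redis-url redis://127.0.0.1:6379/0 \
  --redis-prefix moat:acme \
  --acme-accept-tos \
  --acme-use-prod \
  --upstream http://127.0.0.1:8081'

# Test (no -k: the issued certificate should verify normally)
curl -v https://your-domain.com/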

Configuration File

Copy the example configuration and customize:

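# config.yaml will hold the Arxignis API key, so make it readable by its owner
# only and keep it out of version control.
cp config_example.yaml config.yaml
chmod 600 config.yaml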

Basic configuration:

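server:
  # Port 8081 matches the other examples in this guide; the upstream must not
  # share port 8080 with the health-check listener below.
  upstream: "http://localhost:8081"
  http_addr: "0.0.0.0:80"
  tls_addr: "0.0.0.0:443"
  health_check:
    enabled: true
    endpoint: "/health"
    # Listens on every interface. Use AX_SERVER_HEALTH_CHECK_ALLOWED_CIDRS or a
    # firewall rule to limit which clients can reach it.
    port: "0.0.0.0:8080"

tls:
  mode: "acme" # or "custom" or "disabled"
  only: false

acme:
  domains:
    - "example.com"
  contacts:
    # Placeholder address; the one on the original page was lost to e-mail
    # obfuscation.
    - "admin@example.com"
  use_prod: true

redis:
  # No credentials in this URL: keep Redis on loopback or add authentication.
  url: "redis://127.0.0.1/0"
  prefix: "ax:moat"

network:
  iface: "eth0"
  disable_xdp: false

arxignis:
  # Secret. Prefer supplying it through AX_ARXIGNIS_API_KEY; if it stays in
  # this file, restrict the file's permissions and do not commit it.
  api_key: "your-api-key"
  base_url: "https://api.arxignis.com/v1"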

Environment Variables

All configuration options can be overridden using environment variables:

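# Server configuration
# Port 8081 matches the other examples in this guide; the upstream must not
# share port 8080 with the health-check listener configured below.
export AX_SERVER_UPSTREAM="http://localhost:8081"
export AX_SERVER_HTTP_ADDR="0.0.0.0:80"
export AX_SERVER_TLS_ADDR="0.0.0.0:443"

# TLS configuration
export AX_TLS_MODE="acme"
export AX_TLS_ONLY="false"

# ACME configuration
# The contact is a placeholder; the address on the original page was lost to
# e-mail obfuscation.
export AX_ACME_DOMAINS="example.com,www.example.com"
export AX_ACME_CONTACTS="admin@example.com"
export AX_ACME_USE_PROD="true"

# Redis configuration
export AX_REDIS_URL="redis://127.0.0.1/0"
export AX_REDIS_PREFIX="ax:moat"

# Network configuration
export AX_NETWORK_IFACE="eth0"
export AX_NETWORK_DISABLE_XDP="false"

# Arxignis configuration
# Secret: load it from a secret store or a file readable only by the service
# account rather than typing it into an interactive shell or a shared profile.
export AX_ARXIGNIS_API_KEY="your-api-key"
export AX_ARXIGNIS_BASE_URL="https://api.arxignis.com/v1"

# Health check configuration
# The listener binds every interface; the allowed-CIDR list limits who may
# query it (loopback only here -- widen it only as far as your probes need).
export AX_SERVER_HEALTH_CHECK_ENABLED="true"
export AX_SERVER_HEALTH_CHECK_PORT="0.0.0.0:8080"
export AX_SERVER_HEALTH_CHECK_ENDPOINT="/health"
export AX_SERVER_HEALTH_CHECK_ALLOWED_CIDRS="127.0.0.0/8,::1/128"

# Logging
export AX_LOGGING_LEVEL="info"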

Verification

After installation, verify that Moat is running correctly:

# Check health endpoint
curl http://localhost:8080/health

# Expected response:
{
"status": "healthy",
"timestamp": "2024-01-01T12:00:00Z",
"service": "moat"
}

# Test proxy functionality
curl https://your-domain.com/

# Check logs
tail -f /var/log/moat.out

Next Steps