Deploying to Production
Deploy a single node cluster to production.
This page walks you through deploying a single node cluster for production use, which requires a few additional steps compared to development use.
License Keys
If your organization has an enterprise license for Synnax, you’ll need to provide your license key on startup. The easiest way to do this is using the --license-key flag when starting the node. Here’s an example:
synnax start --listen=localhost:9090 --license-key=000000-00000000-0000000000
In production, we recommend using an environment variable or configuration file to store your license key. This is more secure than passing the key as a command line argument, because command line arguments can be read by other users on the machine through the process list. The following example shows how to set the license key using an environment variable:
export SYNNAX_LICENSE_KEY=000000-00000000-0000000000
synnax start --listen=localhost:9090
To see the full list of command line options, environment variables, and configuration file parameters, see this page.
Configuring TLS
We recommend using TLS for securing all communications with your cluster. In fact, TLS is required for connecting to a remote cluster with the Synnax Console.
TLS Certificate Options
There are four important command line options for configuring TLS:
Option | Description | Default |
---|---|---|
--certs-dir | The path to a directory containing the necessary certificates for the cluster to use. | /usr/local/synnax/certs |
--ca-cert | The path relative to --certs-dir to the certificate authority (CA) certificate. This is only required if you're using a self-signed certificate. Certificates generated by public CAs like Let's Encrypt are already trusted, so you don't need to specify this option. | ca.crt |
--node-cert | The path relative to --certs-dir to the node's public certificate file. | node.crt |
--node-key | The path relative to --certs-dir to the node's private key file. | node.key |
Starting the Cluster with TLS
When starting the cluster with TLS, you’ll need to specify the correct options and start the node with the correct hostname in the --listen option. The hostname must match the hostname in the node certificate. Here’s an example for a Let’s Encrypt certificate:
synnax start \
--listen=synnax.example.com:9090 \
--mem \
--certs-dir=/etc/letsencrypt/live/synnax.example.com/ \
--node-cert=fullchain.pem \
--node-key=privkey.pem
Generating Certificates
Using Synnax’s Auto-Cert Feature
The easiest way to start a secure cluster using self-signed certificates is to use the --auto-cert command line flag when starting the cluster. This will automatically generate all of the relevant certificates and keys for you. Here’s an example for a local cluster:
synnax start --listen=localhost:9090 --auto-cert
Please note that the --auto-cert option will require you to install the generated CA certificate on your client machine in order to trust the self-signed certificate authority. We have a guide on deploying Synnax with self-signed certificates.
Using Let’s Encrypt with Certbot
The easiest way to get started with a trusted certificate is to use Certbot to generate a certificate for your domain. Please note that this requires your domain to be publicly accessible and have a valid DNS record. Once you have a certificate, you can use the --certs-dir option to specify the directory containing the certificate and key files. See the example above for a reference on how to do this.
Important caveats when using Docker
Certbot generates symlinked certificates and keys in /etc/letsencrypt/live/yourdomain.com/. When using Docker, you’ll need to mount the entire /etc/letsencrypt directory into the container, as the live directory contains symlinks to the actual certificate and key files. Here’s an example of how to do this:
docker run -v /etc/letsencrypt:/usr/local/synnax/certs \
-p 9090:9090 \
synnaxlabs/synnax \
-l localhost:9090 \
-vm \
--certs-dir=/usr/local/synnax/certs/live/demo.synnaxlabs.com \
--node-cert=fullchain.pem \
--node-key=privkey.pem
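The symlink caveat above can be checked on the host before starting the container. The following is an added example, not part of the Synnax documentation: check_cert_mount and make_demo_tree are hypothetical helper names, the directory tree is constructed for the demonstration, and readlink -f is assumed to be available.

```sh
#!/bin/sh
# Added example, not from the Synnax docs. Function names are hypothetical;
# readlink -f (GNU coreutils or BusyBox) is assumed to be available.

# check_cert_mount MOUNT_ROOT CERTS_DIR FILE...
# MOUNT_ROOT is the host directory you plan to pass to `docker run -v`,
# CERTS_DIR the host directory holding the --node-cert / --node-key files.
# Returns 0 only if every file resolves to a readable regular file inside
# MOUNT_ROOT, i.e. its symlink target will still exist in the container.
check_cert_mount() {
    root=$(readlink -f "$1") || return 2
    dir=$2
    shift 2
    rc=0
    for name in "$@"; do
        target=$(readlink -f "$dir/$name" 2>/dev/null) || target=""
        if [ -z "$target" ] || [ ! -f "$target" ]; then
            echo "FAIL $name: missing or dangling symlink" >&2; rc=1
        elif [ ! -r "$target" ]; then
            echo "FAIL $name: $target is not readable" >&2; rc=1
        else
            case "$target" in
                "$root"/*) echo "ok   $name -> $target" ;;
                *) echo "FAIL $name: $target is outside $root" >&2; rc=1 ;;
            esac
        fi
    done
    return "$rc"
}

# Build a constructed Certbot-style tree (live/ symlinks into archive/) under
# a temp dir and print its path. The file contents are placeholders.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/archive/demo.example" "$t/live/demo.example"
    for f in fullchain privkey; do
        echo "placeholder" > "$t/archive/demo.example/${f}1.pem"
        ln -s "../../archive/demo.example/${f}1.pem" "$t/live/demo.example/$f.pem"
    done
    echo "$t"
}

demo=$(make_demo_tree)
# Mounting only live/<domain> leaves the symlink targets outside the mount.
check_cert_mount "$demo/live/demo.example" "$demo/live/demo.example" fullchain.pem privkey.pem && echo "live/ only: usable" || echo "live/ only: targets would be missing"
# Mounting the whole tree, as recommended above, keeps the targets reachable.
check_cert_mount "$demo" "$demo/live/demo.example" fullchain.pem privkey.pem && echo "whole tree: usable" || echo "whole tree: targets would be missing"
rm -rf "$demo"
```

On a real host the call would be check_cert_mount /etc/letsencrypt /etc/letsencrypt/live/yourdomain.com fullchain.pem privkey.pem, run as the user that starts the container.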
Using Your Own Certificates
When using your own certificates, you’ll need to specify the --certs-dir option and provide the necessary certificates and keys in that directory.