Deployment Overview of NATS on Server¶

Prerequisites and Basic Requirements¶

The deployment of the NATS server requires the following environment specifications:

• Operating System: Ubuntu (as indicated by the ubuntu.yml task file).

• Privileges: Root access is required to install Docker, manage systemd services, and configure the reverse proxy.

• Domain: The server utilizes the hostkey.in zone for external access.

• Ports:

• Port 8222 is used internally for the NATS HTTP monitoring endpoint.

• Port 443 is used externally for secure HTTPS access via the reverse proxy.

• Port 4222 is available for direct client connections.

FQDN of the Final Panel¶

The NATS monitoring interface is accessible via the Fully Qualified Domain Name (FQDN) in the following format:

• nats<Server ID>.hostkey.in

The service listens on port 443 (HTTPS) externally. The specific <Server ID> is dynamically assigned based on the host configuration.

File and Directory Structure¶

The application utilizes the following directory structure for configuration and data storage:

• Base Directory: /opt/nats

• Configuration Directory: /opt/nats/conf

  • Main configuration file: /opt/nats/conf/nats-server.conf

• Data Directory: /opt/nats/data

  • Used for persistent storage if JetStream is enabled (mapped to /data inside the container).

• Proxy Configuration:

• Nginx user configurations are located at /data/nginx/user_conf.d.

• The specific virtual host configuration is named <prefix><Server ID>.hostkey.in.conf.

Application Installation Process¶

The NATS server is deployed as a Docker container managed by the systemd service manager.

• Docker Image: nats:latest

• Container Name: nats

• Installation Method: The application is installed by pulling the latest Docker image and configuring a systemd unit file to manage its lifecycle. The configuration file is copied to the host and mounted into the container.

Access Rights and Security¶

Security and access control are implemented through the following measures:

• Authentication Mode: The default configuration sets nats_auth_mode to none.

• If token-based authentication is enabled, the token is defined as nats_tk_pzTg6dE4y0hFQwN7cJv1sLr2mX9aK4bH8uV3qR5sY1.

• If user/password authentication is enabled, the credentials are user: nats and password: <ansible_ssh_pass>.

• Reverse Proxy: Access to the monitoring interface is secured via an Nginx reverse proxy using Let's Encrypt SSL certificates.

• Network Isolation: The NATS container runs with specific port mappings, and the reverse proxy is configured with network_mode: host to handle external traffic on standard ports.

Databases¶

NATS does not utilize an external SQL or NoSQL database in this configuration.

• Storage Location: If JetStream is enabled, data is stored persistently in the /data directory inside the container, which maps to /opt/nats/data on the host.

• Settings:

• Store Directory: /data

• Max Memory Store: 1G

• Max File Store: 100G

• Current Status: JetStream is currently disabled (nats_enable_jetstream: false).

Docker Containers and Their Deployment¶

Two main containers are involved in the deployment: the NATS server and the Nginx proxy.

NATS Container¶

• Image: nats:latest

• Name: nats

• Port Mappings:

• 4222:4222 (Client port)

• 8222:8222 (HTTP monitoring port)

• Volume Mounts:

• Configuration: /opt/nats/conf/nats-server.conf mounted to /etc/nats/nats-server.conf (read-only).

• Data: /opt/nats/data mounted to /data.

Nginx Proxy Container¶

• Image: jonasal/nginx-certbot:latest

• Management: Managed via Docker Compose in /root/nginx.

• Volumes:

• nginx_secrets (external volume) mapped to /etc/letsencrypt.

• /data/nginx/user_conf.d mapped to /etc/nginx/user_conf.d.

• Environment:

• CERTBOT_EMAIL: [email protected]

Proxy Servers¶

The reverse proxy is implemented using Nginx with Certbot integration for automatic SSL certificate management.

• Software: Nginx (via jonasal/nginx-certbot image).

• SSL/TLS: Enabled automatically via Certbot for the domain nats<Server ID>.hostkey.in.

• Routing Configuration:

• The proxy forwards requests from the external HTTPS endpoint to the internal NATS monitoring service.

• Target: http://127.0.0.1:8222

• Location block: location /

• Configuration File Location: /root/nginx/compose.yml and specific server blocks in /data/nginx/user_conf.d.

Permission Settings¶

File and directory permissions are set as follows during the installation process:

• NATS Directories:

• /opt/nats/conf: 0755

• /opt/nats/data: 0755

• Configuration file /opt/nats/conf/nats-server.conf: 0644

• Systemd Unit File:

• /etc/systemd/system/nats.service: 0644

• Proxy Directories:

• /root/nginx: 0755, owned by root:root.

• Compose file /root/nginx/compose.yml: 0644, owned by root:root.

Location of Configuration Files and Data¶

• NATS Server Configuration: /opt/nats/conf/nats-server.conf

• NATS Data Storage: /opt/nats/data

• Systemd Service Unit: /etc/systemd/system/nats.service

• Nginx Docker Compose: /root/nginx/compose.yml

• Nginx Virtual Host Configuration: /data/nginx/user_conf.d/nats<Server ID>.hostkey.in.conf

Available Ports for Connection¶

• 4222: NATS Client Protocol (direct connection).

• 8222: NATS HTTP Monitoring API (internal, accessible via proxy).

• 443: HTTPS (external access to NATS Monitoring via Nginx).

Starting, Stopping, and Updating¶

The NATS service is managed via systemd. The Nginx proxy is managed via docker compose.

NATS Service Commands¶

• Start the service:

  systemctl start nats
  

• Stop the service:

  systemctl stop nats
  

• Restart the service:

  systemctl restart nats
  

• Enable auto-start on boot:

  systemctl enable nats
  

• Reload daemon configuration:

  systemctl daemon-reload
  

Nginx Proxy Commands¶

• Start or Update the proxy stack:

  docker compose up -d
  

  (Execute from /root/nginx)