
Setting up Pangolin to Proxy through a Private Network

For traffic to reach the application servers without a virtual private cloud (VPC), we forward that traffic through a WireGuard tunnel managed by Pangolin.

This automated deployment is based on the guide at https://docs.pangolin.net/self-host/manual/docker-compose.

Deploying Pangolin Management Server

Prerequisites

You will need to create a DNS record for a new subdomain on your domain. These steps will be unique to your domain registrar, but it should be simple to create an A record with the desired subdomain pointed to your server's IP address.

In this example, we'll choose pangolin as the subdomain, so the URL for the server will be pangolin.example.org.

1. Edit Inventory file

The host group for web proxies is [pangolin]. Place the following information under that group.

The standard values:

  • The server's IP address.
  • server_tag= - This could be "pangolin"
  • ansible_user= - The non-root user
  • ansible_become_pass="{{ pangolin_become_pass }}" - or change the variable to the appropriate one in the Vault.
  • ansible_ssh_private_key_file="~/.ssh/id_ed25519_<server_tag>_<nonroot_user>" - The SSH key used to authenticate onto the server.

Extra values:

  • pangolin_domain - the domain for the Pangolin management server
  • pangolin_letsencrypt_email - the email address used to register for the SSL certificate.

Example:

[pangolin]
203.0.113.73 server_tag=pangolin ansible_user=serveradmin ansible_become_pass="{{ pangolin_become_pass }}" ansible_ssh_private_key_file="~/.ssh/id_ed25519_pangolin_serveradmin" pangolin_domain="pangolin.example.com" pangolin_letsencrypt_email="serveradmin@domain.com" 

2. Edit Ansible Vault variables

Edit the Ansible Vault file:

ansible-vault edit group_vars/all/vaulted_vars.yml

Include the following settings:

# Pangolin
# If you have unique credentials for this server.
pangolin_become_pass: <sudo password for non-root user>

The basic setup under the quickstart guide for Pangolin only needs a domain and an SSL registration email, both of which are included in the inventory file, so there are no additional sensitive variables for this playbook.

3. Run Ansible playbook command

ansible-playbook sts-deploy.yml --ask-vault-pass --tags pangolin

Post-deployment setup

4. Connect to the Pangolin management interface

After a few minutes, you can continue to set up your Pangolin instance by going to https://your-domain.com/auth/initial-setup.

You will need to enter a setup token from the Pangolin container logs to move forward. This token is shown at the end of the Ansible output. It should look like this:

        === SETUP TOKEN EXISTS ===
        Token: 729cmtowm2lql84hy9ti6jdqci9vjeuo
        Use this token on the initial setup page
        ================================

If you accidentally close or clear your terminal, you can grab the token from the file ~/pangolin/container_log.txt.
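
The saved log keeps the setup token in plaintext in the user's home directory. As an added example (not part of the original guide or the Pangolin project), this script reads the token from a log in the banner format shown above and restricts the file to its owner; the function names are hypothetical and the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the Pangolin project. Function names are hypothetical.

# Print the newest setup token in a saved container log; status 1 if none.
extract_setup_token() {
    [ -r "$1" ] || return 2
    # Match the "Token: <value>" banner wherever it sits on the line and
    # keep the last hit, so a restarted container's newer token wins.
    awk '{ for (i = 1; i < NF; i++) if ($i == "Token:") tok = $(i + 1) }
         END { if (tok == "") exit 1; print tok }' "$1"
}

# True when neither group nor others have any permission on the file.
log_is_private() {
    # Characters 5-10 of `ls -l` output are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print the token and restrict the log to its owner if it is more open.
check_setup_token_log() {
    token=$(extract_setup_token "$1") || {
        echo "no setup token found in $1" >&2
        return 1
    }
    if ! log_is_private "$1"; then
        chmod 600 "$1" && echo "restricted $1 to mode 600" >&2
    fi
    printf '%s\n' "$token"
}

# Demo on a constructed log (the token value is made up for this example).
demo_log=$(mktemp)
chmod 644 "$demo_log"
cat > "$demo_log" <<'EOF'
        === SETUP TOKEN EXISTS ===
        Token: 0123456789abcdefghijklmnopqrstuv
        Use this token on the initial setup page
        ================================
EOF
check_setup_token_log "$demo_log"   # real use: ~/pangolin/container_log.txt
rm -f "$demo_log"
```

On the server, call `check_setup_token_log ~/pangolin/container_log.txt`; the file keeps holding the token until it is deleted.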

Advanced Configuration

You can configure many other options described in the Advanced Configuration guide. These include:

  • Port numbers for all services,
  • Traefik proxy settings,
  • DNS nameservers.

Updating the containers

ansible-playbook sts-deploy.yml --ask-vault-pass --tags pangolin-update -vv

Connecting your services through Netbird - LEFT OFF HERE

1. Create Netbird Setup Key

2. Add management URL and Setup Key to vaulted_vars.yml

After creating the setup key, add the management URL and setup key to your vaulted_vars.yml file.

```
# Netbird
netbird_become_pass:

# Netbird Agent Setup
netbird_management_url: https://netbird.example.com
netbird_setup_key:
```