From edff997f264fd893b2a25d00c4cb349ba3de857c Mon Sep 17 00:00:00 2001
From: Adam Reif
Date: Thu, 19 Mar 2026 22:35:23 -0400
Subject: [PATCH 1/2] feat: add dstack-ingress service for custom domain TLS (CPL-118)

Add dstack-ingress to docker-compose.phala.yml behind a `custom-domain` profile so it is opt-in and does not affect current deployments. When activated, dstack-ingress terminates TLS inside the TEE with an attestation-bound certificate covering both the per-node domain and the shared api.dev.litprotocol.com ALIAS_DOMAIN (SAN). Uses Route 53 for DNS-01 ACME challenges. Blocked on dstack-examples PR #83 (ALIAS_DOMAIN support).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker-compose.phala.yml | 43 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/docker-compose.phala.yml b/docker-compose.phala.yml
index abad41b8..6a356134 100644
--- a/docker-compose.phala.yml
+++ b/docker-compose.phala.yml
@@ -14,6 +14,12 @@
 # Required secrets (set as encrypted Phala CVM environment variables):
 # GCP_SERVICE_ACCOUNT_JSON - GCP service account key (raw JSON or base64-encoded)
 # GCP_PROJECT_ID - GCP project ID (e.g. "my-gcp-project")
+#
+# Additional secrets required for custom-domain profile (dstack-ingress):
+# NODE_DOMAIN - Per-node domain (e.g. "node1.api.dev.litprotocol.com")
+# CERTBOT_EMAIL - Email for Let's Encrypt certificate notifications
+# AWS_ACCESS_KEY_ID - AWS IAM key for Route 53 DNS-01 ACME challenges
+# AWS_SECRET_ACCESS_KEY - AWS IAM secret for Route 53 DNS-01 ACME challenges
 
 # RUST_LOG filter shared by lit-actions and lit-api-server.
 # App code stays at trace; per-module overrides suppress low-value internals:
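Review bot: The new secrets list names `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` but says nothing about how narrowly that IAM principal should be scoped, even though these are long-lived static credentials that will sit inside every CVM running the profile. DNS-01 only needs to write TXT records in the challenge zone, so I would state the expected scope next to the entries, e.g. `#   (scope the IAM policy to the Route 53 hosted zone used for the DNS-01 challenge; rotate the key when a CVM is decommissioned)`. Also, `NODE_DOMAIN` and `CERTBOT_EMAIL` are configuration rather than secrets, so a heading such as `# Additional variables required for custom-domain profile (dstack-ingress):` would describe the block more accurately.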
@@ -104,5 +110,42 @@ services:
       ROCKET_PORT: "8001"
     restart: unless-stopped
 
+  # dstack-ingress — TLS termination + attestation cert for custom domain (CPL-5).
+  # Activated with: docker compose --profile custom-domain up
+  #
+  # Issues a cert with both NODE_DOMAIN and ALIAS_DOMAIN as SANs via DNS-01
+  # (Route 53). The cert contains the CVM attestation identity, proving TLS is
+  # controlled exclusively by the TEE. NLB does TCP passthrough on :443.
+  #
+  # Automatically handles:
+  # - Per-node DNS record (NODE_DOMAIN → Phala gateway CNAME)
+  # - Shared attestation TXT append (_dstack-app-address.ALIAS_DOMAIN)
+  # - nginx server_name for both domains
+  #
+  # Requires ALIAS_DOMAIN support: https://github.com/Dstack-TEE/dstack-examples/pull/83
+  # ROUTE53_INITIAL_WEIGHT intentionally NOT set — NLB handles traffic routing.
+  dstack-ingress:
+    profiles: ["custom-domain"]
+    image: dstacktee/dstack-ingress:latest
+    ports:
+      - "443:443"
+    environment:
+      DOMAIN: "${NODE_DOMAIN}"
+      ALIAS_DOMAIN: "api.dev.litprotocol.com"
+      DNS_PROVIDER: "route53"
+      TARGET_ENDPOINT: "http://lit-api-server:8000"
+      CERTBOT_EMAIL: "${CERTBOT_EMAIL}"
+      SET_CAA: "true"
+      AWS_ACCESS_KEY_ID: "${AWS_ACCESS_KEY_ID}"
+      AWS_SECRET_ACCESS_KEY: "${AWS_SECRET_ACCESS_KEY}"
+    volumes:
+      - /var/run/dstack.sock:/var/run/dstack.sock
+      - cert-data:/etc/letsencrypt
+    depends_on:
+      lit-api-server:
+        condition: service_started
+    restart: unless-stopped
+
 volumes:
   lit-socket:
+  cert-data:

From 6a5c8a356d5ee3a7a0982bfbc30d92ac2b230940 Mon Sep 17 00:00:00 2001
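Review bot: `TARGET_ENDPOINT: "http://lit-api-server:8000"` should be checked against the port lit-api-server actually binds — the context just above this hunk sets `ROCKET_PORT: "8001"` for the preceding service (whose definition starts outside the hunk), so if that service is lit-api-server the ingress will proxy to a port nothing listens on. `depends_on` uses `condition: service_started`, which only waits for the container process to launch; if lit-api-server declares a healthcheck, `condition: service_healthy` keeps the ingress from publishing DNS records and answering requests before the backend is ready. Because `ALIAS_DOMAIN: "api.dev.litprotocol.com"` is hard-coded, every node enabling this profile holds Route 53 credentials that can write into that shared zone, so a one-line comment above `AWS_ACCESS_KEY_ID` stating that the key must be scoped to that hosted zone would make the trust boundary explicit to the next operator.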
From: Adam Reif
Date: Mon, 23 Mar 2026 11:44:45 -0400
Subject: [PATCH 2/2] =?UTF-8?q?fix:=20correct=20ticket=20ref=20(CPL-5=20?= =?UTF-8?q?=E2=86=92=20CPL-118)=20and=20pin=20dstack-ingress=20image?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The inline comment referenced the wrong ticket. The :latest tag didn't exist on Docker Hub and violated the file's own immutable-image policy — pin to 1.4@sha256 instead.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker-compose.phala.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docker-compose.phala.yml b/docker-compose.phala.yml
index 6a356134..dd99fcd4 100644
--- a/docker-compose.phala.yml
+++ b/docker-compose.phala.yml
@@ -110,7 +110,7 @@ services:
       ROCKET_PORT: "8001"
     restart: unless-stopped
 
-  # dstack-ingress — TLS termination + attestation cert for custom domain (CPL-5).
+  # dstack-ingress — TLS termination + attestation cert for custom domain (CPL-118).
   # Activated with: docker compose --profile custom-domain up
   #
   # Issues a cert with both NODE_DOMAIN and ALIAS_DOMAIN as SANs via DNS-01
@@ -126,7 +126,7 @@ services:
   # ROUTE53_INITIAL_WEIGHT intentionally NOT set — NLB handles traffic routing.
   dstack-ingress:
     profiles: ["custom-domain"]
-    image: dstacktee/dstack-ingress:latest
+    image: dstacktee/dstack-ingress:1.4@sha256:11c0481ca1e2ef9c959187ff3c01c7f59c26d631c7717a571ad994b96203bb0b
     ports:
       - "443:443"
     environment:
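Review bot: The pinned `dstacktee/dstack-ingress:1.4@sha256:…` may predate the ALIAS_DOMAIN support that the comment three lines above the pin says the service requires (dstack-examples PR #83, which the first patch describes as still blocked); if the 1.4 build does not honor `ALIAS_DOMAIN`, the certificate will presumably be issued for `NODE_DOMAIN` alone and the shared-domain SAN will be silently missing. Please record next to the pin which upstream release or commit introduced the `ALIAS_DOMAIN` handling and confirm the digest was taken from that build, e.g. `# 1.4 — confirm this release includes ALIAS_DOMAIN support (dstack-examples#83) before enabling the profile`. The digest pin itself is the right call and matches the immutable-image policy the commit message cites.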