Install xx Network Haven

info

For an updated how-to, see xx Haven Container.

The article below is still usable, but the repository has since been updated; this article is kept for archive purposes.

Containerized or non-containerized Haven

It's probably easier to run Haven in a container. If you have Docker or Podman and want to run Haven in a container, try this.

If you want to self-host a non-containerized Haven, read on!

Home or cloud

You may install Speakeasy at home or in the cloud.

The Haven Web server doesn't hold any data. The only client-related information it may store is client IP addresses in its OS and Node.js logs.

With that in mind, some high-level considerations would be:

  • We don't want our Speakeasy Web app or the underlying OS to get compromised
  • If your Haven is not open to the public, or is accessed "by invite" (maybe with basic authentication or VPN, for your family and friends), you may run it at home
  • If your Haven is located in the cloud, that's acceptable as long as you can protect it from getting compromised, so that the application code isn't replaced, the OS isn't compromised, and visitors' IPs aren't leaked.

Regarding this last point, if you feel comfortable hosting your Haven server in a small (1 GB RAM) VM, it is better to open it to the public so that the Web server is accessed from a variety of addresses, as long as you know how to protect the VM.

tip

Each participant in a conversation can use a different Speakeasy Web server, so many deployment combinations are possible.

Software and hardware requirements

Use a Linux OS or VM, x86_64 or ARM64 architecture. Haven's hardware requirements are minimal:

  • 1 vCPU
  • 1 GB RAM
  • 3 GB disk

All the Haven app/web server does is serve the app to the clients, and that's a one-time download for each client (around 100 MB).

One vCPU is enough and won't be significantly utilized except when Node.js builds the application or when the container image is updated. That takes a long time (15 minutes), but has to be done only when Haven code is updated or rebuilt.

Install Node.js

On a generic Linux OS, follow the installation instructions for Node.js version 16.14 or above.

This post was prototyped on DietPi Linux, which currently uses Node.js 20. On DietPi, you may install Node.js as follows:

sudo dietpi-software install 9

Or, run dietpi-software, select Search software, search for Node.js, and proceed with installation.

Deploy and run Speakeasy

We need to pick a directory for the application, clone the source to that directory, change some parameters and install.

sudo mkdir -p /usr/src/app/speakeasy/.next

If your username is joe, you could run it as such. Otherwise, create a non-sudoer account and use that.

sudo chown -R joe:joe /usr/src/app/speakeasy

That should allow you to run the rest without using sudo.

Next, clone the Haven source code, change configuration parameters and run it.

git clone https://git.xx.network/elixxir/speakeasy-web /usr/src/app/speakeasy
cd /usr/src/app/speakeasy

Pick Haven Web application port

Most Node.js apps traditionally use port 3000, but you'll need something else if you have another app using that port.

Pick a port for Haven, such as 7080, and use it consistently later:

sed -i 's/next start/next start -p 7080/g' package.json
sed -i 's/const nextConfig = {/const nextConfig = {\n  productionBrowserSourceMaps: true,/g' next.config.js
rm -rf node_modules && npm install -g npm@9.6.5 && npm install && npx next telemetry disable && npx next build

If that went well, you can try to start it from the same directory.

npm start

Check if Haven is up and running by going to http://${SERVER_IP}:7080. You may need to open the OS firewall for that. Example for Ubuntu:

sudo ufw allow 7080/tcp

Since that port doesn't need to be exposed when Speakeasy is running behind an HTTPS proxy, it is advisable to delete the rule after testing the application.

sudo ufw status numbered

You won't be able to do much with Speakeasy running at http://host:7080 because there's no reverse HTTPS proxy in front of Speakeasy. If you attempt to create an identity, you will get stuck at the Find your Codename step.

Assuming the rules for 7080/tcp are number 7 and 8, and your HTTPS reverse proxy will run on the same host, you can delete the rules. Delete the higher number first, because ufw renumbers the remaining rules after each deletion: sudo ufw delete 8 ; sudo ufw delete 7.

The right firewall port to open on the host would be whatever port is used by your HTTPS reverse proxy (e.g. 14443).
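To avoid reading rule numbers by hand, this added example (not part of the original article) parses `ufw status numbered` output and lists the rules for a port highest number first, the order in which they can be deleted safely given that ufw renumbers after every deletion. The sample listing and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original article).
# Constructed sample of `sudo ufw status numbered` output; the rule set is made up.
SAMPLE_UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 14443/tcp                  ALLOW IN    Anywhere
[ 3] 7080/tcp                   ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 14443/tcp (v6)             ALLOW IN    Anywhere (v6)
[ 6] 7080/tcp (v6)              ALLOW IN    Anywhere (v6)'

# ufw_rule_numbers PORT/PROTO   (hypothetical helper name)
# Reads `ufw status numbered` text on stdin and prints the numbers of all rules
# whose "To" column is exactly PORT/PROTO, highest first, space-separated.
ufw_rule_numbers() {
    sed -n 's/^\[ *\([0-9][0-9]*\)\] *\([^ ]*\) .*/\1 \2/p' |
        awk -v want="$1" '$2 == want { print $1 }' |
        sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# ufw_delete_commands PORT/PROTO   (hypothetical helper name)
# Prints (does not run) one delete command per matching rule, in safe order.
ufw_delete_commands() {
    for n in $(ufw_rule_numbers "$1"); do
        echo "sudo ufw delete $n"
    done
}

# Dry run against the constructed sample; on a real host pipe in
# the output of `sudo ufw status numbered` instead.
printf '%s\n' "$SAMPLE_UFW_STATUS" | ufw_delete_commands 7080/tcp
```

Review the printed commands before running them, and re-run `sudo ufw status numbered` afterwards to confirm only the proxy port remains open.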

tip

To be fully functional, Haven must be accessed through an HTTPS reverse proxy.

Reverse HTTPS proxy

Deploy a reverse HTTPS proxy in front of Speakeasy so that the external port is forwarded to Speakeasy's application port (example: https://fqdn:14443 -> http://localhost:7080). To use 14443/tcp, open that firewall port on the external network.

sudo ufw allow 14443/tcp

Now configure the HTTPS reverse proxy to forward incoming 14443/tcp to 7080/tcp and, if you wish, make the HTTPS reverse proxy and the Speakeasy Web app (npm start) start automatically.

For that you may use Caddy, Traefik, NGINX or another reverse proxy.

There are many ways to deploy each reverse proxy, and there are no Speakeasy-specific steps here, so the details are an exercise for the reader. Find and try the official or community examples for your proxy and Node.js.

Custom port, host or path

If Speakeasy is the only application proxied by the HTTPS reverse proxy, it is most convenient to expose it at https://host:443.

If the same HTTPS reverse proxy is used for several applications, Speakeasy can be hosted in a directory (or, more complicated, at a dedicated virtual host name or FQDN).

TLS certificate

In all cases, your reverse HTTPS proxy needs a TLS certificate.

If your reverse proxy integrates with Let's Encrypt, you could expose the reverse proxy (and indirectly Speakeasy) to the Internet rather than use an internal or even self-signed TLS certificate. It's more secure, especially if you additionally protect the HTTPS proxy with firewall rules or basic (or other) authentication.

The Haven Web server doesn't host any account or chat data. If you expose Speakeasy to the Internet, the main concern is to protect the Node.js application server from take-over and tampering, so it can be advantageous to run it using a limited local account, and optionally add some form of authentication to your HTTPS proxy.

Once a TLS-enabled proxy is functional, you can access Haven, create a new codename or import an existing one, and start using Haven.
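Since tampering with the served application code is the main concern named above, one way to detect it is to record a hash manifest right after the build and compare against it later. This is an added example, not part of the original article or the Haven project; the function names are hypothetical, and skipping .next/cache is an assumption that this directory changes during normal operation.

```bash
#!/bin/sh
# Added example (not from the original article).

# make_manifest DIR
# Prints "sha256  ./path" for every regular file under DIR in a stable order.
# Assumption: .next/cache is runtime cache and is excluded from the baseline.
make_manifest() {
    ( cd "$1" &&
      find . -type f ! -path './.next/cache/*' -print0 |
      LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# verify_manifest DIR MANIFEST
# Returns 0 if DIR still matches MANIFEST. Otherwise prints the differences
# ("<" = baseline entry, ">" = current entry) and returns 1. Comparing whole
# manifests also reveals added files, which `sha256sum -c` alone would miss.
verify_manifest() {
    _cur=$(mktemp) || return 2
    make_manifest "$1" > "$_cur"
    if diff "$2" "$_cur"; then _rc=0; else _rc=1; fi
    rm -f "$_cur"
    return "$_rc"
}

# Demo on a constructed directory that stands in for /usr/src/app/speakeasy.
demo() {
    d=$(mktemp -d) && m=$(mktemp) || return 2
    mkdir -p "$d/.next/static"
    echo 'console.log("app")' > "$d/.next/static/main.js"
    make_manifest "$d" > "$m"                            # baseline after build
    echo '/* changed */' >> "$d/.next/static/main.js"    # simulated modification
    verify_manifest "$d" "$m" >/dev/null && r=unchanged || r=MODIFIED
    rm -rf "$d" "$m"
    echo "$r"
}
demo
```

Keep the baseline manifest where the account running Node.js cannot write to it, and regenerate it after every rebuild or update.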

Update Haven

As mentioned before, Haven can simply be wiped and re-installed because it only serves the application code and does not store any client data.

The official instance (haven.xx.network) normally runs the latest version, so visit that site from time to time, or watch the Speakeasy repository for new releases, or follow xx Network on Twitter.