Docker installation

Docker setup recommended for JSON-RPC via TCP only (DBus won’t work in this image).

Run container

docker run -d \
  --name signal-cli \
  --publish 7583:7583 \
  --volume /some/local/dir/signal-cli-config:/var/lib/signal-cli \
  --tmpfs /tmp:exec \
  registry.gitlab.com/packaging/signal-cli/signal-cli-<variant>:latest \
  daemon --tcp 0.0.0.0:7583

<variant>: native or jre.

version: "3"
services:
  signal-cli:
    image: registry.gitlab.com/packaging/signal-cli/signal-cli-<variant>:latest
    command: daemon --tcp 0.0.0.0:7583
    ports:
      - "7583:7583"
    volumes:
      - "/some/local/dir/signal-cli-config:/var/lib/signal-cli"
    tmpfs:
      - "/tmp:exec"

<variant>: native or jre.

Secure containers

If you’re not running a secured reverse proxy already and just want to secure the traffic to the signal-cli JSON-RPC (you should!), we can use traefik and step-ca, to easily add self-signed ssl certs and basic authentication.

version: "3"
services:
  signal-cli:
    image: registry.gitlab.com/packaging/signal-cli/signal-cli-<variant>:latest
    command: daemon --tcp 0.0.0.0:7583
    volumes:
      - signal-cli-config:/var/lib/signal-cli
    networks:
      - traefik
    tmpfs:
      - "/tmp:exec"
    labels:
      traefik.enable: true
      traefik.http.routers.signal-cli-https.rule: PathPrefix(`/`)
      traefik.http.routers.signal-cli-https.entrypoints: websecure
      traefik.http.routers.signal-cli-https.service: signal-cli-https
      traefik.http.services.signal-cli-https.loadbalancer.server.port: 7583
      traefik.http.services.signal-cli-https.loadbalancer.server.scheme: http
  step-ca:
    image: smallstep/step-ca:0.25.2
    volumes:
      - step-ca:/home/step
    environment:
      DOCKER_STEPCA_INIT_NAME: "Step CA"
      DOCKER_STEPCA_INIT_DNS_NAMES: "localhost,step-ca"
      DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT: "true"
      DOCKER_STEPCA_INIT_ACME: "true"
    networks:
      - traefik
  traefik:
    depends_on:
      - step-ca
    image: traefik:2.10
    command:
      - '--providers.docker=true'
      - '--providers.docker.network=traefik'
      - '--providers.docker.exposedByDefault=false'
      - '--api.dashboard=true'
      - '--api.insecure=true'
      - '--accesslog=true'
      - '--pilot.dashboard=false'
      - '--entryPoints.web.address=:80'
      - '--entryPoints.web.http.redirections.entryPoint.to=websecure'
      - '--entrypoints.web.http.redirections.entryPoint.scheme=https'
      - '--entrypoints.web.http.redirections.entrypoint.permanent=true'
      - '--entryPoints.websecure.address=:443'
      - '--entrypoints.websecure.http.tls.certResolver=step-ca'
      - '--certificatesresolvers.step-ca.acme.caserver=https://step-ca:9000/acme/acme/directory'
      - '--certificatesresolvers.step-ca.acme.email=traefik@localhost.localdomain'
      - '--certificatesresolvers.step-ca.acme.tlsChallenge=true'
    environment:
      LEGO_CA_CERTIFICATES: /home/step/certs/root_ca.crt
    networks:
      - traefik
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    volumes:
      - step-ca:/home/step
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      traefik.enable: true
      traefik.http.routers.traefik-https.rule: Host(`traefik.localhost`)
      traefik.http.routers.traefik-https.entrypoints: websecure
      traefik.http.routers.traefik-https.service: api@internal
networks:
  traefik: {}
volumes:
  step-ca: {}
  signal-cli-config: {}

<variant>: native or jre.