Confidential computing unlocks powerful data‑protection guarantees, but wiring them up for production traffic (complete with domain names, HTTPS, and automatic certificate management) can be tricky. In this guide, we walk you through how to:
- Package your enclave‑hosted service behind Caddy, a zero‑config HTTPS server.
- Auto‑assign a subdomain (e.g. xyz.hostedapp.work) via Marlin’s DNS service.
- Swap in your own custom domain and Caddyfile when needed.
Why This Matters
- Seamless TLS: Caddy obtains and renews Let’s Encrypt certificates automatically, with no manual certbot steps.
- Easy DNS: Marlin’s auto‑DNS service instantly binds a *.hostedapp.work subdomain to your enclave’s IP.
- Secure Enclaves: AWS Nitro Enclaves isolate your application and data from the host OS, minimizing the attack surface.
Prerequisites
Before you begin, ensure you have:
- The oyster-cvm CLI installed and configured with your wallet private key. See the Marlin CVM Quickstart.
Deploy Enclave with a domain name
Create the Docker Compose File
The deploy command below expects the file to be named docker-compose.yml, so write it under that name.
For amd64
cat > docker-compose.yml <<EOF
services:
  caddy-server:
    image: aniket711/dns_caddy_service:amd64
    init: true
    network_mode: host
    restart: unless-stopped
  http-server:
    image: aniket711/http_server:amd64
    init: true
    network_mode: host
    restart: unless-stopped
EOF
For arm64
cat > docker-compose.yml <<EOF
services:
  caddy-server:
    image: aniket711/dns_caddy_service:arm64
    init: true
    network_mode: host
    restart: unless-stopped
  http-server:
    image: aniket711/http_server:arm64
    init: true
    network_mode: host
    restart: unless-stopped
EOF
You can replace http-server with any server of your choice. Caddy acts as a reverse proxy and routes incoming HTTPS traffic to the enclave’s server listening on port 8080.
Deploy the enclave
For amd64
oyster-cvm deploy --wallet-private-key private_key \
  --docker-compose ./docker-compose.yml \
  --instance-type c6a.2xlarge \
  --duration-in-minutes 20 \
  --pcr-preset base/blue/v1.0.0/amd64 \
  --image-url https://artifacts.marlin.org/oyster/eifs/base-blue_v1.0.0_linux_amd64.eif
For arm64
Fetch the PCRs:
wget https://artifacts.marlin.org/oyster/eifs/base-blue_v1.0.1-beta_linux_arm64.json
Then deploy the enclave:
oyster-cvm deploy --wallet-private-key private_key \
  --duration-in-minutes 15 \
  --docker-compose docker-compose.yml \
  --operator 0x673de4c6775bdf941a8937764bafe16c5e6352e7 \
  --instance-type r6g.large \
  --image-url https://artifacts.marlin.org/oyster/eifs/base-blue_v1.0.1-beta_linux_arm64.eif \
  --pcr-json base-blue_v1.0.1-beta_linux_arm64.json
This command will deploy the enclave and return its public IP once the deployment is complete.
Fetching the Subdomain
To retrieve the assigned subdomain, use the following command:
curl -X GET http://65.0.18.159:3030/subdomain/<ENCLAVE_IP>
Replace <ENCLAVE_IP> with the public IP returned by the deploy command.
After the enclave is deployed, wait about one minute for Caddy to be configured and start, then test the server in your browser at:
https://{subdomain}.hostedapp.work
This URL will redirect to the enclave-hosted server.
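As an added post-deployment check (not part of this guide or of Marlin’s tooling), the script below builds the subdomain lookup URL for a given enclave IP, then connects to the assigned hostname with full chain and hostname verification, retrying while Caddy is still obtaining its certificate, and confirms the certificate names the host and was issued by Let’s Encrypt. The function names and the sample certificate dictionary are assumptions constructed for this example.

```python
import ipaddress
import socket
import ssl
import time

# Values taken from the guide: the subdomain lookup service and the parent domain.
SUBDOMAIN_SERVICE = "http://65.0.18.159:3030/subdomain/"
PARENT_DOMAIN = "hostedapp.work"
# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a healthy deployment.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "xyz.hostedapp.work"),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
}

def is_public_ipv4(addr: str) -> bool:
    """True only for a routable IPv4 address; enclave IPs from oyster-cvm are public IPv4."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and ip.is_global

def subdomain_lookup_url(enclave_ip: str) -> str:
    """Build the lookup URL from the guide, refusing anything that is not a public IPv4 address."""
    if not is_public_ipv4(enclave_ip):
        raise ValueError(f"not a public IPv4 address: {enclave_ip}")
    return SUBDOMAIN_SERVICE + enclave_ip

def check_cert(cert: dict, hostname: str) -> list:
    """Return a list of problems; an empty list means Caddy serves a Let's Encrypt cert for hostname."""
    names = {name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    problems = []
    if hostname not in names:
        problems.append(f"{hostname} not in certificate SANs {sorted(names)}")
    if not hostname.endswith("." + PARENT_DOMAIN):
        problems.append(f"{hostname} is not under {PARENT_DOMAIN}")
    if issuer.get("organizationName") != "Let's Encrypt":  # the CA the guide says Caddy uses
        problems.append(f"unexpected issuer {issuer.get('organizationName')!r}")
    return problems

def fetch_cert(hostname: str, retries: int = 6, delay: float = 10.0) -> dict:
    """Connect on 443 with full verification, retrying while Caddy is still obtaining its cert."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    for attempt in range(retries):
        try:
            with socket.create_connection((hostname, 443), timeout=10) as sock:
                with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                    return tls.getpeercert()
        except OSError:  # ssl.SSLError is a subclass: refused, timed out, or cert not ready yet
            if attempt == retries - 1:
                raise
            time.sleep(delay)
```

Run it as `host = f"{subdomain}.{PARENT_DOMAIN}"; print(check_cert(fetch_cert(host), host))` once the lookup service has returned your subdomain; an empty list means the TLS wiring is in place.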