overhaul the env.production files, add more nginx wrappers, split things into setup scripts

.gitignore

@@ -0,0 +1,2 @@
+.*.swp
+data

env.production

@@ -0,0 +1,7 @@
+DOMAIN_NAME=example.com
+REALM=spacestation
+
+KEYCLOAK_HOSTNAME=login.${DOMAIN_NAME}
+HEDGEDOC_HOSTNAME=docs.${DOMAIN_NAME}
+MASTODON_HOSTNAME=social.${DOMAIN_NAME}
+NEXTCLOUD_HOSTNAME=cloud.${DOMAIN_NAME}

hedgedoc/docker-compose.yaml

@@ -7,35 +7,30 @@ services:
       - POSTGRES_PASSWORD=password
       - POSTGRES_DB=hedgedoc
     volumes:
-      - database:/var/lib/postgresql/data
+      - ./data/database:/var/lib/postgresql/data
     restart: always
   app:
     # Make sure to use the latest release from https://hedgedoc.org/latest-release
     image: quay.io/hedgedoc/hedgedoc:1.9.3
+    env_file:
+      - ../env.production
+      - env.production
     environment:
       - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
-      - CMD_DOMAIN=spacestation
-      - CMD_URL_ADDPORT=true
-      - CMD_OAUTH2_USER_PROFILE_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/userinfo
+      - CMD_DOMAIN=docs.example.com
+        #- CMD_URL_ADDPORT=true
+      - CMD_OAUTH2_USER_PROFILE_URL=https://login.example.com/realms/spacestation/protocol/openid-connect/userinfo
       - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
       - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
       - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
-      - CMD_OAUTH2_TOKEN_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/token
-      - CMD_OAUTH2_AUTHORIZATION_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/auth
+      - CMD_OAUTH2_TOKEN_URL=https://login.example.com/realms/spacestation/protocol/openid-connect/token
+      - CMD_OAUTH2_AUTHORIZATION_URL=https://login.example.com/realms/spacestation/protocol/openid-connect/auth
       - CMD_OAUTH2_CLIENT_ID=hedgedoc
-      - CMD_OAUTH2_CLIENT_SECRET=abcdef1234
       - CMD_OAUTH2_PROVIDERNAME=Keycloak
-      - CMD_SESSION_SECRET=abcdef1234
-        # - CMD_DOMAIN=<hedgedoc.example.com>
-        # - CMD_PROTOCOL_USESSL=true
-        # - CMD_URL_ADDPORT=false
     volumes:
-      - uploads:/hedgedoc/public/uploads
+      - ./data/uploads:/hedgedoc/public/uploads
     ports:
       - "3000:3000"
     restart: always
     depends_on:
       - database
-volumes:
-  database:
-  uploads:

hedgedoc/env.production

@@ -0,0 +1,2 @@
+CMD_OAUTH2_CLIENT_SECRET=abcdef1234
+CMD_SESSION_SECRET=abcdef1234

hedgedoc/setup

@@ -0,0 +1,40 @@
+#!/bin/bash
+die() { echo >&2 "$@" ; exit 1 ; }
+
+DIRNAME="$(dirname $0)"
+cd "$DIRNAME"
+[ -r env.production ] && source env.production
+[ -r ../env.production ] && source ../env.production
+
+cd ../keycloak
+
+sudo docker-compose exec -T keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  create clients \
+  -r "$REALM" \
+  -f - <<EOF || die "unable to create hedgedoc client"
+{
+	"clientId": "hedgedoc",
+	"rootUrl": "https://$HEDGEDOC_HOSTNAME",
+	"adminUrl": "https://$HEDGEDOC_HOSTNAME",
+	"redirectUris": [ "https://$HEDGEDOC_HOSTNAME/*" ],
+	"webOrigins": [ "https://$HEDGEDOC_HOSTNAME" ],
+	"clientAuthenticatorType": "client-secret",
+	"secret": "$CMD_OAUTH2_CLIENT_SECRET",
+	"defaultClientScopes": [
+		"web-origins",
+		"acr",
+		"profile",
+		"roles",
+		"id",
+		"email"
+	],
+	"optionalClientScopes": [
+		"address",
+		"phone",
+		"offline_access",
+		"microprofile-jwt"
+	]
+}
+EOF
+

keycloak/docker-compose.yaml

@@ -8,7 +8,7 @@ services:
   mysql:
       image: mysql:5.7
       volumes:
-        - ./mysql_data:/var/lib/mysql
+        - ./data/database:/var/lib/mysql
       environment:
         MYSQL_ROOT_PASSWORD: root
         MYSQL_DATABASE: keycloak
@@ -17,7 +17,10 @@ services:
 
   keycloak:
       image: quay.io/keycloak/keycloak:18.0.0
-      entrypoint: /opt/keycloak/bin/kc.sh start-dev
+      entrypoint: /opt/keycloak/bin/kc.sh start-dev --proxy=edge
+      env_file:
+        - ../env.production
+        - env.production
       environment:
         DB_VENDOR: MYSQL
         DB_ADDR: mysql
@@ -25,10 +28,9 @@ services:
         DB_USER: keycloak
         DB_PASSWORD: password
         KEYCLOAK_ADMIN: admin
-        KEYCLOAK_ADMIN_PASSWORD: admin
-        KEYCLOAK_HOSTNAME: spacestation
+        PROXY_ADDRESS_FORWARDING: 'true'
       volumes:
-        - ./certs:/etc/x509/https
+        - ./data/certs:/etc/x509/https
       ports:
         - 8080:8080
         - 8443:8443

keycloak/env.production

@@ -0,0 +1 @@
+KEYCLOAK_ADMIN_PASSWORD=abcd@1234!

keycloak/setup

@@ -0,0 +1,73 @@
+#!/bin/bash
+die() { echo >&2 "ERROR: $@" ; exit 1 ; }
+info() { echo >&2 "$@" ; }
+
+DIRNAME="$(dirname $0)"
+cd "$DIRNAME"
+source ../env.production
+source ./env.production
+
+info "logging into server"
+sudo docker-compose exec keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  config credentials \
+  --server http://localhost:8080/ \
+  --user admin \
+  --password "$KEYCLOAK_ADMIN_PASSWORD" \
+  --realm master \
+|| die "unable to login"
+
+
+info "Create a new realm for '$REALM'"
+sudo docker-compose exec keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  create realms \
+  -s "realm=$REALM" \
+  -s enabled=true \
+|| die "unable to create realm"
+
+
+# https://github.com/hedgedoc/hedgedoc/issues/56
+info "Fix up a id bug"
+sudo docker-compose exec -T keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  create client-scopes \
+  -r "$REALM" \
+  -f - <<EOF || die "unable to create mapping"
+ {
+      "name": "id",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true"
+      },
+      "protocolMappers": [
+        {
+          "name": "id",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "id",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "jsonType.label": "String",
+            "userinfo.token.claim": "true"
+          }
+        }
+      ]
+}
+EOF
+
+
+info "Create an admin user in realm"
+sudo docker-compose exec -T keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  create users \
+  -o \
+  --fields id,username \
+  -r "$REALM" \
+  -s username=admin \
+  -s enabled=true \
+  -s 'credentials=[{"type":"'$KEYCLOAK_ADMIN_PASSWORD'","value":"admin","temporary":false}]' \
+|| die "$REALM: unable to create admin user"

mastodon/README.md

@@ -1,3 +1,8 @@
+This needs setup run *first* and then `docker-compose up`
+
+---
+
+
 Notes from https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4
 
 elastic search needs hacks to set permissions on data directory

mastodon/docker-compose.yaml

@@ -9,11 +9,11 @@ services:
     healthcheck:
       test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"]
     volumes:
-      - ./database:/var/lib/postgresql/data
+      - ./data/database:/var/lib/postgresql/data
     environment:
       - POSTGRES_USER=mastodon
       - POSTGRES_PASSWORD=mastodon
-      - POSTGRES_DB=mastodon_production
+        #- POSTGRES_DB=mastodon_production
 
   redis:
     restart: always
@@ -23,7 +23,7 @@ services:
     healthcheck:
       test: ['CMD', 'redis-cli', 'ping']
     volumes:
-      - ./redis:/data
+      - ./data/redis:/data
 
   es:
     restart: always
@@ -38,7 +38,7 @@ services:
     healthcheck:
        test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
     volumes:
-       - ./elasticsearch:/usr/share/elasticsearch/data
+       - ./data/elasticsearch:/usr/share/elasticsearch/data
     # fixup the permissions on the data directory since they are created as root on host
     entrypoint: /bin/sh -c "chown -R elasticsearch:elasticsearch data && /usr/local/bin/docker-entrypoint.sh eswrapper"
     ulimits:
@@ -50,7 +50,9 @@ services:
           #    build: .
     image: tootsuite/mastodon
     restart: always
-    env_file: env.production
+    env_file:
+      - ../env.production
+      - env.production
     command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
     networks:
       - external_network
@@ -65,7 +67,7 @@ services:
       - redis
       - es
     volumes:
-      - ./public/system:/mastodon/public/system
+      - ./data/system:/mastodon/public/system
 
   streaming:
     build: .
@@ -98,7 +100,7 @@ services:
       - external_network
       - internal_network
     volumes:
-      - ./public/system:/mastodon/public/system
+      - ./data/system:/mastodon/public/system
     healthcheck:
       test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
 

mastodon/env.production

@@ -16,7 +16,6 @@
 # ----------
 LOCAL_DOMAIN=social.example.com
 #WEB_DOMAIN=social.example.com
-TRUSTED_PROXY_IP=10.1.0.142
 
 # Redis
 # -----

mastodon/setup

@@ -0,0 +1,14 @@
+#!/bin/bash
+die() { echo >&2 "ERROR: $@" ; exit 1 ; }
+info() { echo >&2 "$@" ; }
+
+DIRNAME="$(dirname $0)"
+cd "$DIRNAME"
+source ../env.production
+source ./env.production
+
+info "configuring mastodon"
+sudo docker-compose run web \
+  rails db:setup \
+|| die "unable to login"
+

nextcloud/README.md

@@ -0,0 +1,35 @@
+Enable SSO:
+
+```
+( cd ../keycloak ; sudo docker-compose exec -T keycloak \
+  /opt/keycloak/bin/kcadm.sh \
+  create clients \
+  --realm master --user admin --password admin \
+  -r spacestation \
+  -f - ) <<EOF
+{
+	"clientId": "nextcloud",
+	"rootUrl": "http://spacestation:9000/",
+	"adminUrl": "http://spacestation:9000/",
+	"redirectUris": [ "http://spacestation:9000/*" ],
+	"webOrigins": [ "http://spacestation:9000" ],
+	"clientAuthenticatorType": "client-secret",
+	"secret": "nextcloud-secret"
+}
+EOF
+```
+
+and configure the social login app:
+
+```
+sudo docker-compose exec -u www-data -T nextcloud \
+  ./occ app:install sociallogin \
+&& sudo docker-compose exec -u www-data -T nextcloud \
+  ./occ config:app:set sociallogin prevent_create_email_exists --value=1 \
+&& sudo docker-compose exec -u www-data -T nextcloud \
+  ./occ config:app:set sociallogin update_profile_on_login --value=1 \
+&& sudo docker-compose exec -u www-data -T nextcloud \
+  ./occ config:app:set \
+  sociallogin custom_providers \
+  --value='{"custom_oidc":[{"name":"keycloak","title":"Keycloak","authorizeUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/auth","tokenUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/token","displayNameClaim":"","userInfoUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/userinfo","logoutUrl":"","clientId":"nextcloud","clientSecret":"nextcloud-secret","scope":"openid","groupsClaim":"roles","style":"keycloak","defaultGroup":""}]}'
+```

nextcloud/docker-compose.yaml

@@ -8,7 +8,7 @@ services:
       - POSTGRES_PASSWORD=nextcloud
       - POSTGRES_DB=nextcloud
     volumes:
-      - ./database:/var/lib/postgresql/data
+      - ./data/database:/var/lib/postgresql/data
     restart: always
 
   nextcloud:
@@ -16,6 +16,9 @@ services:
     restart: unless-stopped
     ports:
       - 9000:80
+    env_file:
+      - ../env.production
+      - env.production
     environment:
       - POSTGRES_HOST=database
       - POSTGRES_DB=nextcloud
@@ -23,9 +26,8 @@ services:
       - POSTGRES_PASSWORD=nextcloud
       - NEXTCLOUD_TRUSTED_DOMAINS=spacestation
       - NEXTCLOUD_ADMIN_USER=admin
-      - NEXTCLOUD_ADMIN_PASSWORD=admin
     volumes:
-      - ./nextcloud:/var/www/html
+      - ./data/nextcloud:/var/www/html
     depends_on:
       - database
 

nextcloud/env.production

@@ -0,0 +1 @@
+NEXTCLOUD_ADMIN_PASSWORD=admin

nginx/data/nginx/templates/docs.conf.template

@@ -0,0 +1,59 @@
+server {
+	listen 80;
+	server_name ${HEDGEDOC_HOSTNAME};
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+}
+
+server {
+	server_name ${HEDGEDOC_HOSTNAME}
+	client_max_body_size 128m;
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	#include /etc/nginx/mime.types;
+	#default_type application/octet-stream;
+
+	gzip on;
+	gzip_disable "msie6";
+
+	proxy_read_timeout 1800s;
+
+	# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
+	chunked_transfer_encoding on;
+
+	location / {
+		proxy_pass http://spacestation:3000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+        location /socket.io/ {
+                proxy_pass http://spacestation:3000;
+                proxy_set_header Host $host; 
+                proxy_set_header X-Real-IP $remote_addr; 
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection $connection_upgrade;
+        }
+
+	listen 443 ssl;
+	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+

nginx/data/nginx/templates/login.conf.template

@@ -12,8 +12,10 @@ server {
 
 	location / {
 		proxy_pass http://spacestation:8080;
+		proxy_pass_header Set-Cookie;
 		proxy_set_header Host $host;
-		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto https;
 	}
 
 	listen 443 ssl;

nginx/setup

@@ -1,19 +1,19 @@
 #!/bin/bash
+die() { echo >&2 "$@" ; exit 1 ; }
+
 ENV=env.production
 if [ ! -r "$ENV" ]; then
-	echo >&2 "$ENV: not found?"
-	exit 1
+	die "$ENV: not found?"
 fi
 
 source env.production
 
 if [ -z "${DOMAIN_NAME}" ]; then
-	echo >&2 "DOMAIN_NAME not set"
-	exit 1
+	die "DOMAIN_NAME not set"
 fi
 
 certdir="data/certbot/conf/live/${DOMAIN_NAME}"
-mkdir -p "$certdir"
+mkdir -p "$certdir" || die "$certdir: unable to make"
 
 openssl req \
 	-x509 \
@@ -24,3 +24,4 @@ openssl req \
 	-nodes \
 	-days 365 \
 	-subj "/CN=${DOMAIN_NAME}'" \
+|| die "$certdir/privkey.pem: unable to create temp key"