overhaul the env.production files, add more nginx wrappers, split things into setup scripts

single-dockerfile
Ubuntu 3 years ago
parent 45cae54638
commit 05e87eb945
  1. 2
      .gitignore
  2. 7
      env.production
  3. 25
      hedgedoc/docker-compose.yaml
  4. 2
      hedgedoc/env.production
  5. 40
      hedgedoc/setup
  6. 12
      keycloak/docker-compose.yaml
  7. 1
      keycloak/env.production
  8. 73
      keycloak/setup
  9. 5
      mastodon/README.md
  10. 16
      mastodon/docker-compose.yaml
  11. 1
      mastodon/env.production
  12. 14
      mastodon/setup
  13. 35
      nextcloud/README.md
  14. 8
      nextcloud/docker-compose.yaml
  15. 1
      nextcloud/env.production
  16. 59
      nginx/data/nginx/templates/docs.conf.template
  17. 4
      nginx/data/nginx/templates/login.conf.template
  18. 11
      nginx/setup

2
.gitignore vendored

@ -0,0 +1,2 @@
.*.swp
data
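Review bot: The new ignore list (`.*.swp`, `data`) does not cover the `env.production` files this same commit adds under hedgedoc/, keycloak/ and nextcloud/, which hold an OAuth2 client secret, a session secret and two admin passwords, so those files are tracked together with their values. Consider adding `env.production` (or `*/env.production`) here and tracking a values-free `env.production.example` instead, so the real file is created per deployment. The top-level env.production only holds hostnames and the realm name and can stay tracked if that split is intended.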

@ -0,0 +1,7 @@
DOMAIN_NAME=example.com
REALM=spacestation
KEYCLOAK_HOSTNAME=login.${DOMAIN_NAME}
HEDGEDOC_HOSTNAME=docs.${DOMAIN_NAME}
MASTODON_HOSTNAME=social.${DOMAIN_NAME}
NEXTCLOUD_HOSTNAME=cloud.${DOMAIN_NAME}
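Review bot: `KEYCLOAK_HOSTNAME=login.${DOMAIN_NAME}` and the three lines after it rely on shell expansion, which works when the setup scripts `source` this file but is not performed by the `docker-compose` v1 command those scripts invoke when the file is read via `env_file`, so containers likely receive the literal text `login.${DOMAIN_NAME}`; newer Compose releases do interpolate env files, so confirm against the version in use. If the expanded value is needed inside a container (the nginx templates reference `${HEDGEDOC_HOSTNAME}` and `${DOMAIN_NAME}` for envsubst), either spell the hostnames out or export the variables from a script that has sourced this file. A comment such as `# sourced by the */setup scripts and also read as env_file by docker-compose` would document the dual use.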

@ -7,35 +7,30 @@ services:
- POSTGRES_PASSWORD=password - POSTGRES_PASSWORD=password
- POSTGRES_DB=hedgedoc - POSTGRES_DB=hedgedoc
volumes: volumes:
- database:/var/lib/postgresql/data - ./data/database:/var/lib/postgresql/data
restart: always restart: always
app: app:
# Make sure to use the latest release from https://hedgedoc.org/latest-release # Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:1.9.3 image: quay.io/hedgedoc/hedgedoc:1.9.3
env_file:
- ../env.production
- env.production
environment: environment:
- CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
- CMD_DOMAIN=spacestation - CMD_DOMAIN=docs.example.com
- CMD_URL_ADDPORT=true #- CMD_URL_ADDPORT=true
- CMD_OAUTH2_USER_PROFILE_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/userinfo - CMD_OAUTH2_USER_PROFILE_URL=https://login.example.com/realms/spacestation/protocol/openid-connect/userinfo
- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
- CMD_OAUTH2_TOKEN_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/token - CMD_OAUTH2_TOKEN_URL=https://login.example.com/realms/spacestation/protocol/openid-connect/token
- CMD_OAUTH2_AUTHORIZATION_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/auth - CMD_OAUTH2_AUTHORIZATION_URL=https://login.example.com/realms/spacestation/protocol/openid-connect/auth
- CMD_OAUTH2_CLIENT_ID=hedgedoc - CMD_OAUTH2_CLIENT_ID=hedgedoc
- CMD_OAUTH2_CLIENT_SECRET=abcdef1234
- CMD_OAUTH2_PROVIDERNAME=Keycloak - CMD_OAUTH2_PROVIDERNAME=Keycloak
- CMD_SESSION_SECRET=abcdef1234
# - CMD_DOMAIN=<hedgedoc.example.com>
# - CMD_PROTOCOL_USESSL=true
# - CMD_URL_ADDPORT=false
volumes: volumes:
- uploads:/hedgedoc/public/uploads - ./data/uploads:/hedgedoc/public/uploads
ports: ports:
- "3000:3000" - "3000:3000"
restart: always restart: always
depends_on: depends_on:
- database - database
volumes:
database:
uploads:
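Review bot: On the new side `CMD_DOMAIN=docs.example.com` and the three `CMD_OAUTH2_*_URL` values hard-code `docs.example.com`, `login.example.com` and the realm `spacestation`, duplicating what `../env.production` (now loaded via `env_file`) provides as `HEDGEDOC_HOSTNAME`, `KEYCLOAK_HOSTNAME` and `REALM`; a deployment that changes `DOMAIN_NAME` would still send users to `login.example.com`. A comment such as `# must match HEDGEDOC_HOSTNAME / KEYCLOAK_HOSTNAME / REALM in ../env.production` would at least tie them together. `CMD_PROTOCOL_USESSL=true` stays commented out although the new docs template terminates TLS and proxies plain HTTP to `:3000`, so HedgeDoc is likely to build `http://` URLs for the OAuth2 callback and links; enable it with `- CMD_PROTOCOL_USESSL=true`. `ports: "3000:3000"` also remains published on all interfaces, so HedgeDoc stays reachable without the proxy; if nginx runs on the same host, `- "127.0.0.1:3000:3000"` suffices.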

@ -0,0 +1,2 @@
CMD_OAUTH2_CLIENT_SECRET=abcdef1234
CMD_SESSION_SECRET=abcdef1234
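Review bot: Both secrets are the same placeholder `abcdef1234`, and `hedgedoc/setup` pushes `CMD_OAUTH2_CLIENT_SECRET` verbatim into the Keycloak client, so whatever is committed here becomes the live OAuth2 client secret and the live session-signing key. The same applies to `keycloak/env.production` (`KEYCLOAK_ADMIN_PASSWORD=abcd@1234!`) and `nextcloud/env.production` (`NEXTCLOUD_ADMIN_PASSWORD=admin`). Replace these with per-deployment random values (e.g. `openssl rand -hex 32`; the repo already relies on openssl in `nginx/setup`), keep the two HedgeDoc secrets distinct, and add a comment such as `# generate per deployment; do not reuse the committed placeholder` so the file is understood as a template.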

@ -0,0 +1,40 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
[ -r env.production ] && source env.production
[ -r ../env.production ] && source ../env.production
cd ../keycloak
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create clients \
-r "$REALM" \
-f - <<EOF || die "unable to create hedgedoc client"
{
"clientId": "hedgedoc",
"rootUrl": "https://$HEDGEDOC_HOSTNAME",
"adminUrl": "https://$HEDGEDOC_HOSTNAME",
"redirectUris": [ "https://$HEDGEDOC_HOSTNAME/*" ],
"webOrigins": [ "https://$HEDGEDOC_HOSTNAME" ],
"clientAuthenticatorType": "client-secret",
"secret": "$CMD_OAUTH2_CLIENT_SECRET",
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"id",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
EOF
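Review bot: Neither `cd` nor the two optional `source` lines are checked, so a missing `../env.production` or a failed `cd ../keycloak` leads to `create clients -r ""` with `"secret": ""` being sent from whatever directory the script happens to be in, and the outcome (a client with an empty secret or a confusing kcadm error) depends on Keycloak's validation rather than on the script. Guard them: `cd "$DIRNAME" || die "$DIRNAME: cannot cd"`, `cd ../keycloak || die "keycloak directory not found"`, and `[ -n "$REALM" ] && [ -n "$HEDGEDOC_HOSTNAME" ] && [ -n "$CMD_OAUTH2_CLIENT_SECRET" ] || die "REALM, HEDGEDOC_HOSTNAME and CMD_OAUTH2_CLIENT_SECRET must be set"`. The unquoted heredoc interpolates the variables straight into JSON without escaping, which is fine for hostnames but means a secret containing `"` or `\` produces invalid JSON; a comment stating that constraint would help. `dirname $0` should be `dirname "$0"` as well.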

@ -8,7 +8,7 @@ services:
mysql: mysql:
image: mysql:5.7 image: mysql:5.7
volumes: volumes:
- ./mysql_data:/var/lib/mysql - ./data/database:/var/lib/mysql
environment: environment:
MYSQL_ROOT_PASSWORD: root MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: keycloak MYSQL_DATABASE: keycloak
@ -17,7 +17,10 @@ services:
keycloak: keycloak:
image: quay.io/keycloak/keycloak:18.0.0 image: quay.io/keycloak/keycloak:18.0.0
entrypoint: /opt/keycloak/bin/kc.sh start-dev entrypoint: /opt/keycloak/bin/kc.sh start-dev --proxy=edge
env_file:
- ../env.production
- env.production
environment: environment:
DB_VENDOR: MYSQL DB_VENDOR: MYSQL
DB_ADDR: mysql DB_ADDR: mysql
@ -25,10 +28,9 @@ services:
DB_USER: keycloak DB_USER: keycloak
DB_PASSWORD: password DB_PASSWORD: password
KEYCLOAK_ADMIN: admin KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin PROXY_ADDRESS_FORWARDING: 'true'
KEYCLOAK_HOSTNAME: spacestation
volumes: volumes:
- ./certs:/etc/x509/https - ./data/certs:/etc/x509/https
ports: ports:
- 8080:8080 - 8080:8080
- 8443:8443 - 8443:8443
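Review bot: With `--proxy=edge` on the new `entrypoint` line Keycloak trusts `X-Forwarded-*` headers on whatever reaches port 8080, yet `ports` still publishes `8080:8080` and `8443:8443` on every host interface, so a client that bypasses nginx can present its own forwarded headers. If nginx reaches Keycloak via the host port (the login template proxies to `http://spacestation:8080`), binding to loopback with `- 127.0.0.1:8080:8080`, or dropping the published ports in favour of a shared Compose network, closes that path. Separately, `PROXY_ADDRESS_FORWARDING` and the `DB_*` variables come from the WildFly-era image; the Quarkus-based 18.0.0 image reads `KC_PROXY`, `KC_DB*` and `KC_HOSTNAME`, so these settings are probably ignored and worth confirming in the container log. `start-dev` also remains the entrypoint for what the commit message calls production; `start` with an explicit `KC_HOSTNAME` is the supported mode.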

@ -0,0 +1 @@
KEYCLOAK_ADMIN_PASSWORD=abcd@1234!

@ -0,0 +1,73 @@
#!/bin/bash
die() { echo >&2 "ERROR: $@" ; exit 1 ; }
info() { echo >&2 "$@" ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production
source ./env.production
info "logging into server"
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
config credentials \
--server http://localhost:8080/ \
--user admin \
--password "$KEYCLOAK_ADMIN_PASSWORD" \
--realm master \
|| die "unable to login"
info "Create a new realm for '$REALM'"
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
create realms \
-s "realm=$REALM" \
-s enabled=true \
|| die "unable to create realm"
# https://github.com/hedgedoc/hedgedoc/issues/56
info "Fix up a id bug"
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create client-scopes \
-r "$REALM" \
-f - <<EOF || die "unable to create mapping"
{
"name": "id",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"name": "id",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"user.attribute": "id",
"id.token.claim": "true",
"access.token.claim": "true",
"jsonType.label": "String",
"userinfo.token.claim": "true"
}
}
]
}
EOF
info "Create an admin user in realm"
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create users \
-o \
--fields id,username \
-r "$REALM" \
-s username=admin \
-s enabled=true \
-s 'credentials=[{"type":"'$KEYCLOAK_ADMIN_PASSWORD'","value":"admin","temporary":false}]' \
|| die "$REALM: unable to create admin user"
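Review bot: The `credentials` JSON on the last `-s` line has `type` and `value` swapped: the credential type becomes the admin password string and the password becomes `admin`, so the realm admin is either not created or ends up with the password `admin` while the configured one is never used. It should read `-s 'credentials=[{"type":"password","value":"'"$KEYCLOAK_ADMIN_PASSWORD"'","temporary":false}]' \`, which also quotes the expansion so a password containing spaces survives. Unlike `hedgedoc/setup`, the two `source` lines and `cd "$DIRNAME"` here (and in `mastodon/setup`) are unguarded, so a missing env file silently yields an empty `$KEYCLOAK_ADMIN_PASSWORD` for both the `--password` login and this user; `[ -r ../env.production ] || die "../env.production missing"` would make that explicit. Passing the password on the command line also exposes it in the process list and shell history; kcadm can prompt for it when `--password` is omitted, if an interactive run is acceptable.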

@ -1,3 +1,8 @@
This needs setup run *first* and then `docker-compose up`
---
Notes from https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4 Notes from https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4
elastic search needs hacks to set permissions on data directory elastic search needs hacks to set permissions on data directory

@ -9,11 +9,11 @@ services:
healthcheck: healthcheck:
test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"] test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"]
volumes: volumes:
- ./database:/var/lib/postgresql/data - ./data/database:/var/lib/postgresql/data
environment: environment:
- POSTGRES_USER=mastodon - POSTGRES_USER=mastodon
- POSTGRES_PASSWORD=mastodon - POSTGRES_PASSWORD=mastodon
- POSTGRES_DB=mastodon_production #- POSTGRES_DB=mastodon_production
redis: redis:
restart: always restart: always
@ -23,7 +23,7 @@ services:
healthcheck: healthcheck:
test: ['CMD', 'redis-cli', 'ping'] test: ['CMD', 'redis-cli', 'ping']
volumes: volumes:
- ./redis:/data - ./data/redis:/data
es: es:
restart: always restart: always
@ -38,7 +38,7 @@ services:
healthcheck: healthcheck:
test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"] test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
volumes: volumes:
- ./elasticsearch:/usr/share/elasticsearch/data - ./data/elasticsearch:/usr/share/elasticsearch/data
# fixup the permissions on the data directory since they are created as root on host # fixup the permissions on the data directory since they are created as root on host
entrypoint: /bin/sh -c "chown -R elasticsearch:elasticsearch data && /usr/local/bin/docker-entrypoint.sh eswrapper" entrypoint: /bin/sh -c "chown -R elasticsearch:elasticsearch data && /usr/local/bin/docker-entrypoint.sh eswrapper"
ulimits: ulimits:
@ -50,7 +50,9 @@ services:
# build: . # build: .
image: tootsuite/mastodon image: tootsuite/mastodon
restart: always restart: always
env_file: env.production env_file:
- ../env.production
- env.production
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001" command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
networks: networks:
- external_network - external_network
@ -65,7 +67,7 @@ services:
- redis - redis
- es - es
volumes: volumes:
- ./public/system:/mastodon/public/system - ./data/system:/mastodon/public/system
streaming: streaming:
build: . build: .
@ -98,7 +100,7 @@ services:
- external_network - external_network
- internal_network - internal_network
volumes: volumes:
- ./public/system:/mastodon/public/system - ./data/system:/mastodon/public/system
healthcheck: healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"] test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
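Review bot: Commenting out `POSTGRES_DB=mastodon_production` in the first hunk means the postgres image now creates a database named after `POSTGRES_USER` (`mastodon`), while the healthcheck two lines above still names `mastodon_production`. pg_isready does not verify that the database exists, so the check will not fail, but the reference is now stale; presumably `rails db:setup` in `mastodon/setup` is what creates `mastodon_production`, in which case a comment such as `# database is created by mastodon/setup (rails db:setup)` on the disabled line would explain it, or the line can simply be removed.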

@ -16,7 +16,6 @@
# ---------- # ----------
LOCAL_DOMAIN=social.example.com LOCAL_DOMAIN=social.example.com
#WEB_DOMAIN=social.example.com #WEB_DOMAIN=social.example.com
TRUSTED_PROXY_IP=10.1.0.142
# Redis # Redis
# ----- # -----

@ -0,0 +1,14 @@
#!/bin/bash
die() { echo >&2 "ERROR: $@" ; exit 1 ; }
info() { echo >&2 "$@" ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production
source ./env.production
info "configuring mastodon"
sudo docker-compose run web \
rails db:setup \
|| die "unable to login"
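Review bot: The failure message `die "unable to login"` was copied from the Keycloak script, but this command runs `rails db:setup`; `|| die "unable to set up the mastodon database"` describes the actual failure. `docker-compose run web` also leaves a stopped one-off container behind on every run; `sudo docker-compose run --rm web \` cleans it up.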

@ -0,0 +1,35 @@
Enable SSO:
```
( cd ../keycloak ; sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create clients \
--realm master --user admin --password admin \
-r spacestation \
-f - ) <<EOF
{
"clientId": "nextcloud",
"rootUrl": "http://spacestation:9000/",
"adminUrl": "http://spacestation:9000/",
"redirectUris": [ "http://spacestation:9000/*" ],
"webOrigins": [ "http://spacestation:9000" ],
"clientAuthenticatorType": "client-secret",
"secret": "nextcloud-secret"
}
EOF
```
and configure the social login app:
```
sudo docker-compose exec -u www-data -T nextcloud \
./occ app:install sociallogin \
&& sudo docker-compose exec -u www-data -T nextcloud \
./occ config:app:set sociallogin prevent_create_email_exists --value=1 \
&& sudo docker-compose exec -u www-data -T nextcloud \
./occ config:app:set sociallogin update_profile_on_login --value=1 \
&& sudo docker-compose exec -u www-data -T nextcloud \
./occ config:app:set \
sociallogin custom_providers \
--value='{"custom_oidc":[{"name":"keycloak","title":"Keycloak","authorizeUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/auth","tokenUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/token","displayNameClaim":"","userInfoUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/userinfo","logoutUrl":"","clientId":"nextcloud","clientSecret":"nextcloud-secret","scope":"openid","groupsClaim":"roles","style":"keycloak","defaultGroup":""}]}'
```

@ -8,7 +8,7 @@ services:
- POSTGRES_PASSWORD=nextcloud - POSTGRES_PASSWORD=nextcloud
- POSTGRES_DB=nextcloud - POSTGRES_DB=nextcloud
volumes: volumes:
- ./database:/var/lib/postgresql/data - ./data/database:/var/lib/postgresql/data
restart: always restart: always
nextcloud: nextcloud:
@ -16,6 +16,9 @@ services:
restart: unless-stopped restart: unless-stopped
ports: ports:
- 9000:80 - 9000:80
env_file:
- ../env.production
- env.production
environment: environment:
- POSTGRES_HOST=database - POSTGRES_HOST=database
- POSTGRES_DB=nextcloud - POSTGRES_DB=nextcloud
@ -23,9 +26,8 @@ services:
- POSTGRES_PASSWORD=nextcloud - POSTGRES_PASSWORD=nextcloud
- NEXTCLOUD_TRUSTED_DOMAINS=spacestation - NEXTCLOUD_TRUSTED_DOMAINS=spacestation
- NEXTCLOUD_ADMIN_USER=admin - NEXTCLOUD_ADMIN_USER=admin
- NEXTCLOUD_ADMIN_PASSWORD=admin
volumes: volumes:
- ./nextcloud:/var/www/html - ./data/nextcloud:/var/www/html
depends_on: depends_on:
- database - database
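Review bot: `NEXTCLOUD_TRUSTED_DOMAINS=spacestation` on the new side still lists only the internal host name although the top-level env.production now defines `NEXTCLOUD_HOSTNAME=cloud.${DOMAIN_NAME}`, so requests arriving through an nginx wrapper for that name would be rejected by Nextcloud's trusted-domain check. Add the public name to the list (space-separated) when that wrapper is added; note that `${NEXTCLOUD_HOSTNAME}` written in this compose file would be resolved from the shell or `.env`, not from `env_file`. Behind a TLS-terminating proxy the image also expects `OVERWRITEPROTOCOL=https` and `TRUSTED_PROXIES` set to the proxy address, otherwise generated links use http; `9000:80` remains bound to all interfaces, so the same loopback consideration as for Keycloak applies if nginx runs on this host.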

@ -0,0 +1 @@
NEXTCLOUD_ADMIN_PASSWORD=admin

@ -0,0 +1,59 @@
server {
listen 80;
server_name ${HEDGEDOC_HOSTNAME};
location / {
return 301 https://$host$request_uri;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name ${HEDGEDOC_HOSTNAME}
client_max_body_size 128m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
gzip on;
gzip_disable "msie6";
proxy_read_timeout 1800s;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;
location / {
proxy_pass http://spacestation:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /socket.io/ {
proxy_pass http://spacestation:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
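Review bot: `server_name ${HEDGEDOC_HOSTNAME}` in the second `server` block is missing its terminating semicolon, so nginx parses the following `client_max_body_size 128m;` as two extra server names: the size limit is silently never applied and the block also matches the bogus names `client_max_body_size` and `128m`. It should read `server_name ${HEDGEDOC_HOSTNAME};`. The `/socket.io/` location sets `Upgrade`/`Connection` but not `proxy_http_version 1.1;`, which nginx requires for WebSocket upgrades (the default upstream protocol is HTTP/1.0), so add that line there. In the port-80 block `return 301 https://$host$request_uri;` echoes the client-supplied Host header when this block is the default for port 80; `return 301 https://$server_name$request_uri;` pins the redirect to the configured name. The certificate paths use `live/${DOMAIN_NAME}/`, so that certificate must cover the `docs.` subdomain (wildcard or SAN), presumably what the certbot setup provides, but worth a comment.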

@ -12,8 +12,10 @@ server {
location / { location / {
proxy_pass http://spacestation:8080; proxy_pass http://spacestation:8080;
proxy_pass_header Set-Cookie;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
} }
listen 443 ssl; listen 443 ssl;
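Review bot: `proxy_pass_header Set-Cookie;` on the new side is a no-op: nginx forwards `Set-Cookie` from the upstream by default, and `proxy_pass_header` only unhides headers such as `Date`, `Server` or `X-Accel-*`, so it can be dropped or replaced with a comment explaining which cookie problem it was meant to fix. Setting `X-Forwarded-For $remote_addr` rather than `$proxy_add_x_forwarded_for` is a good choice here since it discards any client-supplied value, but `docs.conf.template` in this commit uses the opposite convention together with `X-Real-IP` and `$scheme`; aligning the two templates (including the hard-coded `X-Forwarded-Proto https`, which is accurate only inside the `listen 443 ssl` block) avoids the two apps seeing different header sets from the same proxy. The enclosing server block starts and ends outside the hunk.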

@ -1,19 +1,19 @@
#!/bin/bash #!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
ENV=env.production ENV=env.production
if [ ! -r "$ENV" ]; then if [ ! -r "$ENV" ]; then
echo >&2 "$ENV: not found?" die "$ENV: not found?"
exit 1
fi fi
source env.production source env.production
if [ -z "${DOMAIN_NAME}" ]; then if [ -z "${DOMAIN_NAME}" ]; then
echo >&2 "DOMAIN_NAME not set" die "DOMAIN_NAME not set"
exit 1
fi fi
certdir="data/certbot/conf/live/${DOMAIN_NAME}" certdir="data/certbot/conf/live/${DOMAIN_NAME}"
mkdir -p "$certdir" mkdir -p "$certdir" || die "$certdir: unable to make"
openssl req \ openssl req \
-x509 \ -x509 \
@ -24,3 +24,4 @@ openssl req \
-nodes \ -nodes \
-days 365 \ -days 365 \
-subj "/CN=${DOMAIN_NAME}'" \ -subj "/CN=${DOMAIN_NAME}'" \
|| die "$certdir/privkey.pem: unable to create temp key"
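Review bot: `source env.production` on the new side ignores the `$ENV` variable the script just validated; `source "$ENV"` keeps the check and the load in step. The context line `-subj "/CN=${DOMAIN_NAME}'"` carries a stray `'` inside the quotes, so the bootstrap certificate's CN becomes `example.com'`; the commit edits the surrounding lines but leaves it. Unlike the other setup scripts this one does not `cd "$(dirname "$0")"`, so `data/certbot/conf/live/...` is created relative to wherever it is invoked from, and a CN of just `${DOMAIN_NAME}` will not match the `docs.`/`login.` names the new templates serve, which presumably only matters until certbot replaces it; a comment such as `# temporary self-signed cert so nginx can start before certbot runs` would say so. The `openssl req` invocation starts inside the first hunk and ends in this one.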
