hedgedoc: static site serving setup

* allow users to choose file names * route top level requests to the docs/s/filename path * fixup csp headers for hosted things * ics calendar view for the main page * set perms on upload directory during creation
2 years ago · 8e0a8b7304
parent d50f9e26af
commit 8e0a8b7304
7 changed files with 112 additions and 17 deletions
--- a/hedgedoc/docker-compose.yaml
+++ b/hedgedoc/docker-compose.yaml
@ -17,10 +17,12 @@ services:
      - env.production
      - ../data/hedgedoc/env.secrets
    environment:
+      #- CMD_CSP_ENABLE=false
      - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
      - CMD_PROTOCOL_USESSL=true
      - CMD_ALLOW_ANONYMOUS=false  # anonymous user's can't create notes
      - CMD_ALLOW_ANONYMOUS_EDITS=true # but they can be invited to edit notes
+      - CMD_ALLOW_FREEURL=true # users can create arbitrary names
      - CMD_EMAIL=false # only oauth logins
      # DOMAIN and OAUTH2 variables are now in env.secret
    volumes:
--- a/hedgedoc/setup
+++ b/hedgedoc/setup
@ -6,7 +6,8 @@ cd "$DIRNAME"
 source ../env.production || die "no top levle env?"
 source env.production || die "no local env?"

-SECRETS="../data/hedgedoc/env.secrets"
+DATA="../data/hedgedoc"
+SECRETS="$DATA/env.secrets"

 if [ -r "$SECRETS" ]; then
 	docker-compose up -d || die "hedgedoc: unable to start"
@ -19,7 +20,9 @@ docker-compose down 2>/dev/null
 CLIENT_SECRET="$(openssl rand -hex 20)"
 SESSION_SECRET="$(openssl rand -hex 20)"

-mkdir -p "$(dirname "$SECRETS")"
+mkdir -p "$DATA/uploads"
+chmod 666 "$DATA/uploads"
+
 cat <<EOF > "$SECRETS"
 # DO NOT CHECK IN
 CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
--- a/html/calview.html
+++ b/html/calview.html
@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset='utf-8' />
+<meta http-equiv="Content-Security-Policy" content="frame-src '*'">
+  <title>
+    Hackerspace.Zone calendar viewer
+  </title>
+  <style>
+    html, body {
+      margin: 0;
+      padding: 0;
+      font-family: Arial, Helvetica Neue, Helvetica, sans-serif;
+      font-size: 14px;
+    }
+    #calendar {
+      max-width: 800px;
+      margin: 00px auto;
+    }
+  </style>
+<link href='https://cdn.jsdelivr.net/npm/fullcalendar@5.11.0/main.min.css' rel='stylesheet' />
+<script src='https://cdn.jsdelivr.net/npm/fullcalendar@5.11.0/main.min.js'></script>
+<script src='https://github.com/mozilla-comm/ical.js/releases/download/v1.4.0/ical.js'></script>
+<script src='https://cdn.jsdelivr.net/npm/@fullcalendar/icalendar@5.11.0/main.global.min.js'></script>
+<script>
+ // 'https://events.hackerspace.zone/@events/feed/ics',
+  const param = new URL(location).searchParams;
+  const ics = param.get("ics") || 'https://events.hackerspace.zone/@events/feed/ics';
+  const view = param.get("view") || "dayGridMonth";
+
+  document.addEventListener('DOMContentLoaded', function() {
+    var calendarEl = document.getElementById('calendar');
+    var calendar = new FullCalendar.Calendar(calendarEl, {
+      initialView: view,
+      headerToolbar: {
+        left: 'prev,next today',
+        center: 'title',
+        right: 'dayGridMonth,timeGridWeek,timeGridDay'
+      },
+      events: {
+        url: ics,
+        format: 'ics'
+      }
+    });
+    calendar.render();
+  });
+</script>
+
+</head>
+<body>
+  <div id='calendar'></div>
+</html>
+
--- a/html/index.html
+++ b/html/index.html
@ -13,6 +13,10 @@ An easy to install set of self-hosted, single-sign-on, open-source services.
 <li><a href="https://login.hackerspace.zone/">keycloak</a>: user management and single sign on for the domain
 </ul>

+<h2>Upcoming events</h2>
+<iframe src="calview.html?ics=https://events.hackerspace.zone/@events/feed/ics" width=600 height=600 style="border:0"></iframe>
+
+<h2>Source code</h2>
 Source code for building the environments and configuring them:
 <a href="https://github.com/osresearch/hackerspace-zone"><tt>github.com/osresearch/hackerspace-zone</tt></a>
 There is <a href="https://github.com/osresearch/hackerspace-zone/issues/1">probably a better way to do this</a>.
--- a/nginx/docker-compose.yaml
+++ b/nginx/docker-compose.yaml
@ -7,12 +7,13 @@ services:
      - "80:80"
      - "443:443"
    volumes:
-      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
-      - ./nginx/templates:/etc/nginx/templates
-      - ./nginx/includes:/etc/nginx/includes
-      - ../html:/var/www
-      - ../data/certbot/www:/var/www/certbot
-      - ../data/certbot/conf:/etc/letsencrypt
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/templates:/etc/nginx/templates:ro
+      - ./nginx/includes:/etc/nginx/includes:ro
+      - ../html:/var/www/html:ro
+      - ../data/certbot/www:/var/www/certbot:ro
+      - ../data/certbot/conf:/etc/letsencrypt:ro
+      - /home:/home:ro
    env_file:
      -  ../env.production
      -  env.production
--- a/nginx/nginx/templates/000-default.conf.template
+++ b/nginx/nginx/templates/000-default.conf.template
@ -26,10 +26,6 @@ server {
 	# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
 	chunked_transfer_encoding on;

-	location / {
-		root /var/www;
-	}
-
 	# delegated Matrix server
 	location /.well-known/matrix {
 		proxy_pass https://${MATRIX_HOSTNAME};
@ -37,7 +33,36 @@ server {

 	# separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN
 	location = /.well-known/host-meta {
-		return 301 https://${MASTODON_HOSTNAME}$request_uri;
+		return 302 https://${MASTODON_HOSTNAME}$request_uri;
+	}
+
+	# tilde club home directories
+	location ~ ^/~(.+?)(/.*)?$ {
+		alias /home/$1/public_html$2;
+		index index.html index.htm;
+		autoindex on;
+	}
+
+	# /html files are served from the static html site
+	location /html {
+		root /var/www;
+		autoindex off;
+	}
+
+	# default home page goes to hedgedoc document "Main_Page"; please add your own content!
+	location = / {
+		return 302 https://${DOMAIN_NAME}/Main_Page;
+	}
+	# normal pages go to hedgedoc static site (need to define ports in the env)
+	# need to rewrite the CSP so that it allows reframing from the main site
+	location / {
+		proxy_hide_header Content-Security-Policy;
+		add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.${DOMAIN_NAME}; frame-src 'self' *.${DOMAIN_NAME}; object-src 'self'; base-uri 'self' *.${DOMAIN_NAME}";
+		proxy_pass http://host.docker.internal:3000/s$request_uri;
+	}
+	# while javascript and config stuff goes to non-static hedgedoc site
+	location ~ ^/(js|build|config) {
+		proxy_pass http://host.docker.internal:3000$request_uri;
 	}

 	listen 443 ssl default_server;
@ -48,5 +73,3 @@ server {
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;

 }
-
-
--- a/nginx/nginx/templates/docs.conf.template
+++ b/nginx/nginx/templates/docs.conf.template
@ -31,6 +31,17 @@ server {
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}

+	# allow the fonts to be used by anything
+	location ~* \.(eot|otf|ttf|woff|woff2)$ {
+		add_header Access-Control-Allow-Origin *;
+		proxy_pass http://host.docker.internal:3000;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+	# websocket traffic with extra headers for upgrading the connection
        location /socket.io/ {
                proxy_pass http://host.docker.internal:3000;
                proxy_set_header Host $host; 
@ -48,5 +59,3 @@ server {
 	include /etc/nginx/includes/challenge.conf;
 	ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
 }
-
-