From 8e0a8b73043ed73b9b2e57d06b207f6357f83589 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Sat, 7 May 2022 17:21:48 +0000 Subject: [PATCH] hedgedoc: static site serving setup * allow users to choose file names * route top level requests to the docs/s/filename path * fixup csp headers for hosted things * ics calendar view for the main page * set perms on upload directory during creation --- hedgedoc/docker-compose.yaml | 2 + hedgedoc/setup | 7 ++- html/calview.html | 53 +++++++++++++++++++ html/index.html | 4 ++ nginx/docker-compose.yaml | 13 ++--- .../nginx/templates/000-default.conf.template | 37 ++++++++++--- nginx/nginx/templates/docs.conf.template | 13 ++++- 7 files changed, 112 insertions(+), 17 deletions(-) create mode 100644 html/calview.html diff --git a/hedgedoc/docker-compose.yaml b/hedgedoc/docker-compose.yaml index 48c3e06..daf7342 100644 --- a/hedgedoc/docker-compose.yaml +++ b/hedgedoc/docker-compose.yaml @@ -17,10 +17,12 @@ services: - env.production - ../data/hedgedoc/env.secrets environment: + #- CMD_CSP_ENABLE=false - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - CMD_PROTOCOL_USESSL=true - CMD_ALLOW_ANONYMOUS=false # anonymous user's can't create notes - CMD_ALLOW_ANONYMOUS_EDITS=true # but they can be invited to edit notes + - CMD_ALLOW_FREEURL=true # users can create arbitrary names - CMD_EMAIL=false # only oauth logins # DOMAIN and OAUTH2 variables are now in env.secret volumes: diff --git a/hedgedoc/setup b/hedgedoc/setup index b38face..0255167 100755 --- a/hedgedoc/setup +++ b/hedgedoc/setup @@ -6,7 +6,8 @@ cd "$DIRNAME" source ../env.production || die "no top levle env?" source env.production || die "no local env?" -SECRETS="../data/hedgedoc/env.secrets" +DATA="../data/hedgedoc" +SECRETS="$DATA/env.secrets" if [ -r "$SECRETS" ]; then docker-compose up -d || die "hedgedoc: unable to start" 
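Review bot: The new `- CMD_ALLOW_FREEURL=true` line lets every signed-in user claim any note name, and the nginx template in this same patch redirects `/` to `/Main_Page` and reserves `/js`, `/build`, `/config` and `/html` for other locations, so a note created under one of those names either takes over the landing page or becomes unreachable through the proxy; the comment should say that `Main_Page` must be created by an administrator before users are invited. I would write it as `- CMD_ALLOW_FREEURL=true # users pick note names; create Main_Page first (it is the / redirect target) and avoid js/build/config/html, which nginx routes elsewhere`. The added `#- CMD_CSP_ENABLE=false` line is dead configuration sitting between live settings; either drop it or turn it into a comment explaining that the CSP is instead rewritten by nginx in 000-default.conf.template.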
@@ -19,7 +20,9 @@ docker-compose down 2>/dev/null CLIENT_SECRET="$(openssl rand -hex 20)" SESSION_SECRET="$(openssl rand -hex 20)" -mkdir -p "$(dirname "$SECRETS")" +mkdir -p "$DATA/uploads" +chmod 666 "$DATA/uploads" + cat < "$SECRETS" # DO NOT CHECK IN CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET diff --git a/html/calview.html b/html/calview.html new file mode 100644 index 0000000..2d2a384 --- /dev/null +++ b/html/calview.html @@ -0,0 +1,53 @@ + + + + + + + Hackerspace.Zone calendar viewer + + + + + + + + + + +
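Review bot: `chmod 666 "$DATA/uploads"` is the wrong mode for a directory: without the execute (search) bit nobody except root can enter it or create files in it, so the non-root container process presumably cannot write uploads at all, and making it world-writable on the host is broader than the single container needs. Create it with a normal directory mode and hand it to the uid the hedgedoc container runs as, e.g. `chmod 755 "$DATA/uploads"` followed by `chown <HEDGEDOC_CONTAINER_UID> "$DATA/uploads"` (placeholder; take the uid from the image documentation), with a comment above `mkdir -p "$DATA/uploads"` saying why the ownership matters. The `mkdir -p "$DATA/uploads"` already creates `$DATA`, so the dropped `mkdir -p "$(dirname "$SECRETS")"` is correctly gone; the `cat < "$SECRETS"` line as shown here seems to have lost its heredoc markers in rendering, so I have not reviewed that part.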
+ + diff --git a/html/index.html b/html/index.html index c3489a6..d988c9d 100644 --- a/html/index.html +++ b/html/index.html @@ -13,6 +13,10 @@ An easy to install set of self-hosted, single-sign-on, open-source services.
  • keycloak: user management and single sign on for the domain +

    Upcoming events

    + + +

    Source code

    Source code for building the environments and configuring them: github.com/osresearch/hackerspace-zone There is probably a better way to do this. diff --git a/nginx/docker-compose.yaml b/nginx/docker-compose.yaml index dff7618..b6c48c4 100644 --- a/nginx/docker-compose.yaml +++ b/nginx/docker-compose.yaml @@ -7,12 +7,13 @@ services: - "80:80" - "443:443" volumes: - - ./nginx/nginx.conf:/etc/nginx/nginx.conf - - ./nginx/templates:/etc/nginx/templates - - ./nginx/includes:/etc/nginx/includes - - ../html:/var/www - - ../data/certbot/www:/var/www/certbot - - ../data/certbot/conf:/etc/letsencrypt + - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro + - ./nginx/templates:/etc/nginx/templates:ro + - ./nginx/includes:/etc/nginx/includes:ro + - ../html:/var/www/html:ro + - ../data/certbot/www:/var/www/certbot:ro + - ../data/certbot/conf:/etc/letsencrypt:ro + - /home:/home:ro env_file: - ../env.production - env.production diff --git a/nginx/nginx/templates/000-default.conf.template b/nginx/nginx/templates/000-default.conf.template index 503d1dd..83d9b9d 100644 --- a/nginx/nginx/templates/000-default.conf.template +++ b/nginx/nginx/templates/000-default.conf.template @@ -26,10 +26,6 @@ server { # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486) chunked_transfer_encoding on; - location / { - root /var/www; - } - # delegated Matrix server location /.well-known/matrix { proxy_pass https://${MATRIX_HOSTNAME}; 
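Review bot: `- /home:/home:ro` bind-mounts every user's entire home directory into the internet-facing proxy container, although the tilde location in 000-default.conf.template only ever reads `~user/public_html`; the `:ro` flag limits this to disclosure, but any future location or alias mistake in the templates would have all of `/home` within reach. Since a single bind mount cannot be narrowed per user, at least state the contract in the file: `- /home:/home:ro # read-only; only ~user/public_html is exposed, via the tilde location in 000-default.conf.template`. Adding `:ro` to the existing config, template and html mounts is a good change and worth keeping regardless.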
@@ -37,7 +33,36 @@ server { # separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN location = /.well-known/host-meta { - return 301 https://${MASTODON_HOSTNAME}$request_uri; + return 302 https://${MASTODON_HOSTNAME}$request_uri; + } + + # tilde club home directories + location ~ ^/~(.+?)(/.*)?$ { + alias /home/$1/public_html$2; + index index.html index.htm; + autoindex on; + } + + # /html files are served from the static html site + location /html { + root /var/www; + autoindex off; + } + + # default home page goes to hedgedoc document "Main_Page"; please add your own content! + location = / { + return 302 https://${DOMAIN_NAME}/Main_Page; + } + # normal pages go to hedgedoc static site (need to define ports in the env) + # need to rewrite the CSP so that it allows reframing from the main site + location / { + proxy_hide_header Content-Security-Policy; + add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.${DOMAIN_NAME}; frame-src 'self' *.${DOMAIN_NAME}; object-src 'self'; base-uri 'self' *.${DOMAIN_NAME}"; + proxy_pass http://host.docker.internal:3000/s$request_uri; + } + # while javascript and config stuff goes to non-static hedgedoc site + location ~ ^/(js|build|config) { + proxy_pass http://host.docker.internal:3000$request_uri; } listen 443 ssl default_server; @@ -48,5 +73,3 @@ server { ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem; } - - diff --git a/nginx/nginx/templates/docs.conf.template b/nginx/nginx/templates/docs.conf.template index c5e8241..9601aba 100644 --- a/nginx/nginx/templates/docs.conf.template +++ b/nginx/nginx/templates/docs.conf.template 
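Review bot: The comment above `location /` says the CSP is rewritten so the static pages can be reframed from the main site, but the new `add_header Content-Security-Policy` sets `frame-src` (what the proxied page may itself embed) and never `frame-ancestors` (who may embed it), so it does not do what the comment states, while `proxy_hide_header` discards whatever else hedgedoc's own policy contained (presumably default-src, img-src and similar directives). Add the missing directive inside the same header value, `frame-ancestors 'self' *.${DOMAIN_NAME};`, and consider a `default-src 'self'` fallback once the static `/s/` pages are confirmed to render with it; the `'unsafe-inline' 'unsafe-eval'` entries in script-src deserve a comment explaining which hedgedoc feature still needs them so they can be removed later. Note also that `add_header` in a location block replaces, rather than merges with, any `add_header` inherited from the server or http level, so if the includes set headers such as HSTS they will be missing on these responses — worth a comment or a repeated directive here. The tilde location and the remaining `server {}` body continue outside this hunk.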
@@ -31,6 +31,17 @@ server { proxy_set_header X-Forwarded-Proto $scheme; } + # allow the fonts to be used by anything + location ~* \.(eot|otf|ttf|woff|woff2)$ { + add_header Access-Control-Allow-Origin *; + proxy_pass http://host.docker.internal:3000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # websocket traffic with extra headers for upgrading the connection location /socket.io/ { proxy_pass http://host.docker.internal:3000; proxy_set_header Host $host; @@ -48,5 +59,3 @@ server { include /etc/nginx/includes/challenge.conf; ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem; } - -
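Review bot: The new `location ~* \.(eot|otf|ttf|woff|woff2)$` matches any URI ending in one of those extensions, not only font assets, and because this patch also enables `CMD_ALLOW_FREEURL`, a note whose chosen name ends in `.woff` would be proxied through this block and answered with `Access-Control-Allow-Origin *`, opening its content to cross-origin reads. Anchor the regex to the path hedgedoc actually serves fonts from, e.g. `location ~* ^/<FONT_PATH_PREFIX>/.*\.(eot|otf|ttf|woff|woff2)$ {` (placeholder; check the asset path in the hedgedoc build), and say so in the comment: `# fonts from the hedgedoc build may be used cross-origin by the static site; limited to the asset path so note URLs never get the wildcard CORS header`. The four `proxy_set_header` lines are now repeated verbatim in this block and the `/socket.io/` block below; an `include` of a shared snippet would keep them from drifting apart.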