hedgedoc: static site serving setup

* allow users to choose file names
* route top level requests to the docs/s/filename path
* fixup csp headers for hosted things
* ics calendar view for the main page
* set perms on upload directory during creation
single-dockerfile
Trammell Hudson 3 years ago
parent d50f9e26af
commit 8e0a8b7304
  1. 2
      hedgedoc/docker-compose.yaml
  2. 7
      hedgedoc/setup
  3. 53
      html/calview.html
  4. 4
      html/index.html
  5. 13
      nginx/docker-compose.yaml
  6. 37
      nginx/nginx/templates/000-default.conf.template
  7. 13
      nginx/nginx/templates/docs.conf.template

@ -17,10 +17,12 @@ services:
- env.production - env.production
- ../data/hedgedoc/env.secrets - ../data/hedgedoc/env.secrets
environment: environment:
#- CMD_CSP_ENABLE=false
- CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc - CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
- CMD_PROTOCOL_USESSL=true - CMD_PROTOCOL_USESSL=true
- CMD_ALLOW_ANONYMOUS=false # anonymous user's can't create notes - CMD_ALLOW_ANONYMOUS=false # anonymous user's can't create notes
- CMD_ALLOW_ANONYMOUS_EDITS=true # but they can be invited to edit notes - CMD_ALLOW_ANONYMOUS_EDITS=true # but they can be invited to edit notes
- CMD_ALLOW_FREEURL=true # users can create arbitrary names
- CMD_EMAIL=false # only oauth logins - CMD_EMAIL=false # only oauth logins
# DOMAIN and OAUTH2 variables are now in env.secret # DOMAIN and OAUTH2 variables are now in env.secret
volumes: volumes:
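Review bot: Enabling `CMD_ALLOW_FREEURL` together with the nginx change in this commit that forwards every top-level path to `/s/<path>` means any logged-in user can claim an unused name simply by visiting it, including the `Main_Page` that `/` now redirects to and anything that looks like a system path. I'd extend the comment to spell out the consequence, e.g. `# users can create arbitrary names — any authenticated user can claim an unused top-level URL, so create Main_Page first`, and make sure the landing note exists before the first user logs in. Whether HedgeDoc restricts the character set of free-URL names is not visible here; if it does not, names that collide with the `/html`, `/~user` and `/js|build|config` nginx locations are shadowed by nginx rather than served.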

@ -6,7 +6,8 @@ cd "$DIRNAME"
source ../env.production || die "no top levle env?" source ../env.production || die "no top levle env?"
source env.production || die "no local env?" source env.production || die "no local env?"
SECRETS="../data/hedgedoc/env.secrets" DATA="../data/hedgedoc"
SECRETS="$DATA/env.secrets"
if [ -r "$SECRETS" ]; then if [ -r "$SECRETS" ]; then
docker-compose up -d || die "hedgedoc: unable to start" docker-compose up -d || die "hedgedoc: unable to start"
@ -19,7 +20,9 @@ docker-compose down 2>/dev/null
CLIENT_SECRET="$(openssl rand -hex 20)" CLIENT_SECRET="$(openssl rand -hex 20)"
SESSION_SECRET="$(openssl rand -hex 20)" SESSION_SECRET="$(openssl rand -hex 20)"
mkdir -p "$(dirname "$SECRETS")" mkdir -p "$DATA/uploads"
chmod 666 "$DATA/uploads"
cat <<EOF > "$SECRETS" cat <<EOF > "$SECRETS"
# DO NOT CHECK IN # DO NOT CHECK IN
CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
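Review bot: `chmod 666 "$DATA/uploads"` does not do what the commit message describes: 0666 on a directory clears the execute (search) bit, so any non-root process cannot open or create files inside it at all, and if the intent was to let the container's uid write there, world-writable is broader than needed anyway. Prefer `chown <uid the hedgedoc image runs as> "$DATA/uploads" && chmod 750 "$DATA/uploads"`; that uid is not visible in this diff, and if it is genuinely unknown `chmod 1777` at least keeps the directory traversable and stops users deleting each other's uploads. While here, the secrets file written by the heredoc below inherits the shell's umask, so a `umask 077` before the `cat <<EOF` (or `chmod 600 "$SECRETS"` afterwards) keeps the OAuth and session secrets out of other local users' reach; the heredoc continues past the end of this hunk.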

@ -0,0 +1,53 @@
<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8' />
<meta http-equiv="Content-Security-Policy" content="frame-src '*'">
<title>
Hackerspace.Zone calendar viewer
</title>
<style>
html, body {
margin: 0;
padding: 0;
font-family: Arial, Helvetica Neue, Helvetica, sans-serif;
font-size: 14px;
}
#calendar {
max-width: 800px;
margin: 00px auto;
}
</style>
<link href='https://cdn.jsdelivr.net/npm/fullcalendar@5.11.0/main.min.css' rel='stylesheet' />
<script src='https://cdn.jsdelivr.net/npm/fullcalendar@5.11.0/main.min.js'></script>
<script src='https://github.com/mozilla-comm/ical.js/releases/download/v1.4.0/ical.js'></script>
<script src='https://cdn.jsdelivr.net/npm/@fullcalendar/icalendar@5.11.0/main.global.min.js'></script>
<script>
// 'https://events.hackerspace.zone/@events/feed/ics',
const param = new URL(location).searchParams;
const ics = param.get("ics") || 'https://events.hackerspace.zone/@events/feed/ics';
const view = param.get("view") || "dayGridMonth";
document.addEventListener('DOMContentLoaded', function() {
var calendarEl = document.getElementById('calendar');
var calendar = new FullCalendar.Calendar(calendarEl, {
initialView: view,
headerToolbar: {
left: 'prev,next today',
center: 'title',
right: 'dayGridMonth,timeGridWeek,timeGridDay'
},
events: {
url: ics,
format: 'ics'
}
});
calendar.render();
});
</script>
</head>
<body>
<div id='calendar'></div>
</html>
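Review bot: The `<meta http-equiv="Content-Security-Policy" content="frame-src '*'">` line is malformed and aimed at the wrong side: a quoted `'*'` is not a valid source expression (the wildcard is a bare `*`), and `frame-src` governs what this page may embed, whereas the thing worth controlling is who may embed calview.html, which is `frame-ancestors` — a directive browsers ignore in `<meta>` and that must be sent as a response header, e.g. `add_header Content-Security-Policy "frame-ancestors 'self'";` in the nginx `location /html` block. I would drop the meta tag rather than leave a policy that looks like it restricts something. The three jsdelivr tags are version-pinned but carry no `integrity=` attribute, so a CDN compromise is script execution on the site's origin; the `ical.js` tag points at a GitHub release-asset URL, which is served as a download rather than as JavaScript and is likely to be refused by the browser, so that file is better vendored under `html/` alongside the rest. Finally, `?ics=` lets any link point the viewer at an arbitrary feed URL; if that is intended, say so in a comment and at least require an `https:` scheme, and note that `</body>` is never closed before `</html>`.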

@ -13,6 +13,10 @@ An easy to install set of self-hosted, single-sign-on, open-source services.
<li><a href="https://login.hackerspace.zone/">keycloak</a>: user management and single sign on for the domain <li><a href="https://login.hackerspace.zone/">keycloak</a>: user management and single sign on for the domain
</ul> </ul>
<h2>Upcoming events</h2>
<iframe src="calview.html?ics=https://events.hackerspace.zone/@events/feed/ics" width=600 height=600 style="border:0"></iframe>
<h2>Source code</h2>
Source code for building the environments and configuring them: Source code for building the environments and configuring them:
<a href="https://github.com/osresearch/hackerspace-zone"><tt>github.com/osresearch/hackerspace-zone</tt></a> <a href="https://github.com/osresearch/hackerspace-zone"><tt>github.com/osresearch/hackerspace-zone</tt></a>
There is <a href="https://github.com/osresearch/hackerspace-zone/issues/1">probably a better way to do this</a>. There is <a href="https://github.com/osresearch/hackerspace-zone/issues/1">probably a better way to do this</a>.

@ -7,12 +7,13 @@ services:
- "80:80" - "80:80"
- "443:443" - "443:443"
volumes: volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./nginx/templates:/etc/nginx/templates - ./nginx/templates:/etc/nginx/templates:ro
- ./nginx/includes:/etc/nginx/includes - ./nginx/includes:/etc/nginx/includes:ro
- ../html:/var/www - ../html:/var/www/html:ro
- ../data/certbot/www:/var/www/certbot - ../data/certbot/www:/var/www/certbot:ro
- ../data/certbot/conf:/etc/letsencrypt - ../data/certbot/conf:/etc/letsencrypt:ro
- /home:/home:ro
env_file: env_file:
- ../env.production - ../env.production
- env.production - env.production
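Review bot: The new `/home:/home:ro` mount hands the web container every user's entire home directory, not just `public_html`, so any dotfile or stray world-readable file under `/home/*` becomes reachable through whatever the nginx config (or a future misconfiguration) exposes — and nginx follows symlinks by default, so a user can publish other world-readable paths inside the container by linking to them from `public_html`. Consider mounting a dedicated tree that contains only the `public_html` directories, or pairing this mount with `disable_symlinks if_not_owner from=/home;` in the `~user` location. Adding `:ro` to the other mounts is a good hardening step; the `env_file` entries below are unchanged context.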

@ -26,10 +26,6 @@ server {
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486) # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on; chunked_transfer_encoding on;
location / {
root /var/www;
}
# delegated Matrix server # delegated Matrix server
location /.well-known/matrix { location /.well-known/matrix {
proxy_pass https://${MATRIX_HOSTNAME}; proxy_pass https://${MATRIX_HOSTNAME};
@ -37,7 +33,36 @@ server {
# separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN # separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN
location = /.well-known/host-meta { location = /.well-known/host-meta {
return 301 https://${MASTODON_HOSTNAME}$request_uri; return 302 https://${MASTODON_HOSTNAME}$request_uri;
}
# tilde club home directories
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/public_html$2;
index index.html index.htm;
autoindex on;
}
# /html files are served from the static html site
location /html {
root /var/www;
autoindex off;
}
# default home page goes to hedgedoc document "Main_Page"; please add your own content!
location = / {
return 302 https://${DOMAIN_NAME}/Main_Page;
}
# normal pages go to hedgedoc static site (need to define ports in the env)
# need to rewrite the CSP so that it allows reframing from the main site
location / {
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.${DOMAIN_NAME}; frame-src 'self' *.${DOMAIN_NAME}; object-src 'self'; base-uri 'self' *.${DOMAIN_NAME}";
proxy_pass http://host.docker.internal:3000/s$request_uri;
}
# while javascript and config stuff goes to non-static hedgedoc site
location ~ ^/(js|build|config) {
proxy_pass http://host.docker.internal:3000$request_uri;
} }
listen 443 ssl default_server; listen 443 ssl default_server;
@ -48,5 +73,3 @@ server {
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem; ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
} }
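Review bot: The `location /` block replaces HedgeDoc's own Content-Security-Policy with one that grants `script-src 'unsafe-inline' 'unsafe-eval'` and sets no `default-src`, so whatever containment the upstream header gave against script injection in rendered notes is gone for every page served through the main domain, and `'unsafe-inline'` in particular lets any injected inline script run. If "reframing from the main site" means embedding these pages in the main site, that is `frame-ancestors`, which the new policy never sets; if it means letting notes embed `calview.html`, the `frame-src` entry is sufficient on its own — either way I'd keep the upstream header and add only what is needed, or at minimum test the static view without `'unsafe-inline'`/`'unsafe-eval'` and add `default-src 'self'`. Note also that an `add_header` inside a location discards any `add_header` directives set at server level (HSTS and the like, if the includes define any). In the `~user` block, `alias /home/$1/public_html$2` with `autoindex on` follows symlinks, so `disable_symlinks if_not_owner from=/home;` there keeps users from publishing files they do not own — the `/etc/letsencrypt` mount in the same container is one thing a symlink could point at. The enclosing `server` block starts and ends outside the visible hunks.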

@ -31,6 +31,17 @@ server {
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
# allow the fonts to be used by anything
location ~* \.(eot|otf|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
proxy_pass http://host.docker.internal:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# websocket traffic with extra headers for upgrading the connection
location /socket.io/ { location /socket.io/ {
proxy_pass http://host.docker.internal:3000; proxy_pass http://host.docker.internal:3000;
proxy_set_header Host $host; proxy_set_header Host $host;
@ -48,5 +59,3 @@ server {
include /etc/nginx/includes/challenge.conf; include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem; ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
} }
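Review bot: The new font location `~* \.(eot|otf|ttf|woff|woff2)$` matches any request path ending in one of those extensions, not only HedgeDoc's font assets — with `CMD_ALLOW_FREEURL` enabled elsewhere in this commit, a note named `something.woff` is served through this block with `Access-Control-Allow-Origin: *`, and because it is a regex location it also wins over the prefix locations and bypasses whatever directives those carry. Anchor the match to the directory HedgeDoc actually serves fonts from (the prefix is not visible here; presumably under `/build/`), e.g. `location ~* ^/build/.*\.(eot|otf|ttf|woff2?)$ {`, and be aware that `add_header` inside this location drops any server-level `add_header` directives. A one-line comment naming the cross-origin consumer that needs the fonts (the main domain proxying `/js|build|config`?) would help the next reader; the enclosing `server` block starts and ends outside these hunks.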
