prod: lots of little hacks to get things working on the prod server

single-dockerfile
Ubuntu 2 years ago
parent da94dbd1d5
commit b0384cf554
  1. 6
      Makefile
  2. 4
      env.production
  3. 5
      grafana.yaml
  4. 9
      hedgedoc.yaml
  5. 36
      keycloak.yaml
  6. 15
      keycloak/entrypoint-setup.sh
  7. 26
      mastodon.yaml
  8. 3
      mastodon/entrypoint.sh
  9. 2
      mastodon/env.production
  10. 13
      matrix.yaml
  11. 10
      mobilizon.yaml
  12. 9
      nextcloud.yaml
  13. 9
      nextcloud/setup.sh
  14. 8
      nginx.yaml

@ -41,6 +41,8 @@ mastodon-streaming-shell:
$(DOCKER) exec mastodon-streaming bash
matrix-shell:
$(DOCKER) exec matrix-synapse bash
nextcloud-shell:
$(DOCKER) exec nextcloud bash
matrix-logs:
$(DOCKER) logs -f matrix-synapse
nextcloud-logs:
@ -67,7 +69,7 @@ data/%/secrets:
echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)"
keycloak-setup: secrets-setup
$(DOCKER) run keycloak-setup
docker exec keycloak /setup.sh
certbot:
$(DOCKER) \
@ -88,6 +90,8 @@ certbot:
nginx-reload:
$(DOCKER) restart nginx
nextcloud-restart:
$(DOCKER) restart nextcloud
config:

@ -1,6 +1,6 @@
# Fill in with your top-level domain name and desired OAUTH realm name
DOMAIN_NAME=dev.v.st
REALM=hackerspace
DOMAIN_NAME=v.st
REALM=voidstar
# Fill in with your SMTP server, if you have one
SMTP_SERVER=

@ -36,8 +36,7 @@ services:
- ./grafana/nginx.conf:/etc/nginx/templates/grafana.conf.template:ro
# add the grafana client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/grafana/secrets
keycloak:
volumes:
- ./grafana/keycloak.sh:/keycloak-setup/grafana.sh:ro
- ./data/grafana/secrets:/run/secrets/grafana:ro

@ -1,4 +1,4 @@
version: '3.9'
version: '3'
services:
hedgedoc-db:
image: postgres:13.4-alpine
@ -35,7 +35,7 @@ services:
- CMD_OAUTH2_CLIENT_SECRET=${HEDGEDOC_CLIENT_SECRET}
- CMD_SESSION_SECRET=${HEDGEDOC_SESSION_SECRET}
env_file:
- env.production
- ./env.production
volumes:
- ./data/hedgedoc/uploads:/hedgedoc/public/uploads
# ports:
@ -51,8 +51,7 @@ services:
- ./hedgedoc/nginx.conf:/etc/nginx/templates/hedgedoc.conf.template:ro
# add the hedgedoc client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/hedgedoc/secrets
keycloak:
volumes:
- ./hedgedoc/keycloak.sh:/keycloak-setup/hedgedoc.sh:ro
- ./data/hedgedoc/secrets:/run/secrets/hedgedoc:ro

@ -1,4 +1,4 @@
version: '3.9'
version: '3'
services:
keycloak-db:
image: mysql:5.7
@ -13,7 +13,7 @@ services:
MYSQL_PASSWORD: password
keycloak:
image: quay.io/keycloak/keycloak:18.0.0
image: quay.io/keycloak/keycloak:18.0
restart: always
container_name: keycloak
entrypoint: /opt/keycloak/bin/kc.sh start --hostname="$${KEYCLOAK_HOSTNAME}.$${DOMAIN_NAME}" --proxy=edge
@ -23,9 +23,6 @@ services:
# timeout: 10s
# retries: 3
user: "0:0" # otherwise the persistent data directory is not writable
env_file:
- env.production
- data/keycloak/secrets
environment:
DB_VENDOR: MYSQL
DB_ADDR: keycloak-db
@ -33,35 +30,20 @@ services:
DB_USER: keycloak
DB_PASSWORD: password
KEYCLOAK_ADMIN: admin
KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
PROXY_ADDRESS_FORWARDING: 'true'
# KEYCLOAK_ADMIN_PASSWORD is set in env.secrets
env_file:
- ./env.production
volumes:
- ./data/keycloak/certs:/etc/x509/https
- ./data/keycloak/keycloak:/opt/keycloak/data
- ./keycloak/client-create:/bin/client-create:ro
- ./keycloak/entrypoint-setup.sh:/setup.sh:ro
- ./keycloak/mail-setup.sh:/keycloak-setup/mail-setup.sh:ro
- ./data/keycloak/secrets:/run/secrets/keycloak-secrets:ro
depends_on:
- keycloak-db
# all of the various subdomains can install files in
# /keycloak-setup/ to be executed during the setup phase
# to enable their clients using the client-create tool
keycloak-setup:
image: quay.io/keycloak/keycloak:18.0.0
container_name: keycloak-setup
profiles:
- setup
depends_on:
- keycloak
restart: never
env_file:
- env.production
- data/keycloak/secrets
entrypoint: /entrypoint.sh
volumes:
- ./keycloak/entrypoint-setup.sh:/entrypoint.sh:ro
- ./keycloak/mail-setup.sh:/keycloak-setup/mail-setup.sh:ro
- ./keycloak/client-create:/bin/client-create:ro
# add the keycloak nginx configuration into the nginx volume
nginx:
volumes:

@ -1,7 +1,11 @@
#!/bin/bash
#!/bin/bash -x
export PATH=/opt/keycloak/bin:$PATH
for file in /run/secrets/* ; do
. "$file"
done
# perform an authentication as admin so that all other scripts can
# use the cached credentials
@ -13,6 +17,15 @@ kcadm.sh \
--realm master \
|| exit 1
if ! kcadm.sh get realms/$REALM ; then
echo >&2 "***** Creating realm $REALM"
kcadm.sh \
create realms \
-s "realm=$REALM" \
-s enabled=true \
|| exit 1
fi
for file in /keycloak-setup/* ; do
echo >&2 "$file: running setup"
$file || exit 1

@ -11,12 +11,14 @@ services:
test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"]
volumes:
- ./data/mastodon/database:/var/lib/postgresql/data
- ../prod.dump:/prod.dump:ro
environment:
- POSTGRES_USER=mastodon
- POSTGRES_PASSWORD=mastodon
#- POSTGRES_DB=mastodon_production
- POSTGRES_DB=mastodon_production
env_file:
- mastodon/env.production
- ./env.production
- ./mastodon/env.production
mastodon-redis:
image: redis:6-alpine
@ -27,7 +29,8 @@ services:
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
env_file:
- mastodon/env.production
- ./env.production
- ./mastodon/env.production
volumes:
- ./data/mastodon/redis:/data
@ -41,7 +44,8 @@ services:
- "discovery.type=single-node"
- "bootstrap.memory_lock=true"
env_file:
- mastodon/env.production
- ./env.production
- ./mastodon/env.production
# networks:
# - internal_network
healthcheck:
@ -78,7 +82,8 @@ services:
- ./data/mastodon/system:/mastodon/public/system
- ./mastodon/entrypoint.sh:/entrypoint.sh:ro
env_file:
- mastodon/env.production
- ./env.production
- ./mastodon/env.production
environment:
- WEB_DOMAIN=$MASTODON_HOSTNAME.$DOMAIN_NAME
- LOCAL_DOMAIN=$DOMAIN_NAME
@ -113,7 +118,8 @@ services:
- SMTP_PASSWORD=$SMTP_PASSWORD
- SMTP_FROM_ADDRESS=mastodon@$DOMAIN_NAME
env_file:
- mastodon/env.production
- ./env.production
- ./mastodon/env.production
command: node ./streaming
# networks:
# - external_network
@ -132,7 +138,8 @@ services:
restart: always
container_name: mastodon-sidekiq
env_file:
- mastodon/env.production
- ./env.production
- ./mastodon/env.production
environment:
- WEB_DOMAIN=$MASTODON_HOSTNAME.$DOMAIN_NAME
- LOCAL_DOMAIN=$DOMAIN_NAME
@ -186,11 +193,10 @@ services:
- ./data/mastodon/system/accounts:/mastodon/system/accounts:ro
# add the subdomain client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/mastodon/secrets
keycloak:
volumes:
- ./mastodon/keycloak.sh:/keycloak-setup/mastodon.sh:ro
- ./data/mastodon/secrets:/run/secrets/mastodon:ro
#networks:
# external_network:

@ -6,7 +6,10 @@ export MASTODON_DIR=/mastodon/public/system
export VAPID_KEY="$MASTODON_DIR/vapid_key"
export DB_SETUP="$MASTODON_DIR/db_done"
if [ ! -r "$DB_SETUP" ]; then
echo >&2 "*** Setting permissions on $MASTODON_DIR"
chown -R mastodon:mastodon "$MASTODON_DIR"
fi
exec su mastodon <<EOF

@ -25,8 +25,8 @@ REDIS_PORT=6379
# PostgreSQL
# ----------
DB_HOST=mastodon-db
DB_USER=mastodon
DB_NAME=mastodon_production
DB_USER=mastodon
DB_PASS=mastodon
DB_PORT=5432

@ -15,11 +15,11 @@ services:
image: vectorim/element-web:latest
restart: unless-stopped
container_name: matrix-element
env_file:
- env.production
volumes:
- ./matrix/10-envsubst-config.sh:/docker-entrypoint.d/10-envsubst-config.sh:ro
- ./matrix/config.sample.json:/app/config.sample.json:ro
env_file:
- ./env.production
depends_on:
- matrix-synapse
# ports:
@ -33,10 +33,10 @@ services:
- ./data/matrix/synapse:/data
- ./matrix/entrypoint-synapse.sh:/entrypoint.sh:ro
entrypoint: ["/entrypoint.sh"]
env_file:
- env.production
environment:
- MATRIX_CLIENT_SECRET=${MATRIX_CLIENT_SECRET}
env_file:
- ./env.production
depends_on:
- keycloak
- nginx
@ -49,8 +49,7 @@ services:
- ./matrix/nginx.conf:/etc/nginx/templates/matrix.conf.template:ro
# add the client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/matrix/secrets
keycloak:
volumes:
- ./matrix/keycloak.sh:/keycloak-setup/matrix.sh:ro
- ./data/matrix/secrets:/run/secrets/matrix:ro

@ -2,7 +2,7 @@ version: "3"
services:
mobilizon:
image: framasoft/mobilizon
image: framasoft/mobilizon:2.1.0
container_name: mobilizon
restart: always
volumes:
@ -11,7 +11,6 @@ services:
environment:
- KEYCLOAK_HOSTNAME=${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}
- REALM=${REALM}
- MOBILIZON_INSTANCE_NAME=${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}
- MOBILIZON_INSTANCE_HOST=${MOBILIZON_HOSTNAME}.${DOMAIN_NAME}
- MOBILIZON_INSTANCE_SECRET_KEY_BASE=${MOBILIZON_ADMIN_PASSWORD}
- MOBILIZON_INSTANCE_SECRET_KEY=${MOBILIZON_SESSION_SECRET}
@ -29,6 +28,8 @@ services:
- MOBILIZON_DATABASE_HOST=mobilizon-db
- MOBILIZON_INSTANCE_REGISTRATIONS_OPEN=false
- MOBILIZON_INSTANCE_PORT=7000
env_file:
- ./env.production
user: root
entrypoint:
- "/bin/sh"
@ -55,8 +56,7 @@ services:
- ./mobilizon/nginx.conf:/etc/nginx/templates/mobilizon.conf.template:ro
# add the client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/mobilizon/secrets
keycloak:
volumes:
- ./mobilizon/keycloak.sh:/keycloak-setup/mobilizon.sh:ro
- ./data/mobilizon/secrets:/run/secrets/mobilizon:ro

@ -16,8 +16,6 @@ services:
image: nextcloud:25.0.1-apache
container_name: nextcloud
restart: always
env_file:
- env.production
environment:
POSTGRES_HOST: nextcloud-db
POSTGRES_DB: nextcloud
@ -28,6 +26,8 @@ services:
NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}
NEXTCLOUD_CLIENT_SECRET: ${NEXTCLOUD_CLIENT_SECRET}
NEXTCLOUD_TRUSTED_DOMAINS: ${NEXTCLOUD_HOSTNAME}.${DOMAIN_NAME}
env_file:
- ./env.production
volumes:
- ./data/nextcloud/nextcloud:/var/www/html
- ./nextcloud/setup.sh:/setup.sh:ro
@ -41,8 +41,7 @@ services:
- ./nextcloud/nginx.conf:/etc/nginx/templates/nextcloud.conf.template:ro
# add the grafana client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/nextcloud/secrets
keycloak:
volumes:
- ./nextcloud/keycloak.sh:/keycloak-setup/nextcloud.sh:ro
- ./data/nextcloud/secrets:/run/secrets/nextcloud:ro

@ -6,11 +6,18 @@ if [ -r "$CANARY" ]; then
exec "/entrypoint.sh" "$SERVER"
fi
# Wrapper to run OwnCloudConsole (occ) as www-data user
occ() { su -p www-data -s /bin/sh -c "php /var/www/html/occ $*" ; }
echo >&2 "**** installing nextcloud"
NEXTCLOUD_UPDATE=1 bash /entrypoint.sh date || exit 1
echo >&2 "***** Waiting for nextcloud for ${DOMAIN_NAME}"
sleep 10
occ status
echo >&2 "***** Setting up nextcloud for ${DOMAIN_NAME}"
occ() { su -p www-data -s /bin/sh -c "php /var/www/html/occ $*" ; }
#occ maintenance:install || exit 1
PROVIDER="$(cat <<EOF

@ -1,4 +1,4 @@
version: '3.9'
version: '3'
services:
nginx:
# image: nginx:1.21-alpine
@ -12,6 +12,8 @@ services:
- "80:80"
- "443:443"
- "8448:8448"
env_file:
- ./env.production
volumes:
- ./nginx/etc/includes:/etc/nginx/includes:ro
- ./nginx/etc/nginx.conf:/etc/nginx/nginx.conf:ro
@ -20,12 +22,12 @@ services:
- ./data/nginx/certbot/www:/var/www/certbot:ro
- ./data/nginx/certbot/conf:/etc/letsencrypt:rw
- /home:/home:ro
env_file:
- env.production
certbot:
image: certbot/certbot
container_name: certbot
env_file:
- ./env.production
volumes:
- ./data/nginx/certbot/conf:/etc/letsencrypt
- ./data/nginx/certbot/www:/var/www/certbot

Loading…
Cancel
Save