vst
/
env
2
1
Fork 0
Code Issues 19 Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'single-dockerfile' of ssh://git.v.st/vst/env into single-dockerfile

Browse Source
single-dockerfile
Ubuntu 2 years ago
parent 6e016d2c88 e31bf0ae41
commit e26c1fa637
8 changed files with 123 additions and 149 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 1
      .gitignore
  2. 16
      Makefile
  3. 78
      pixelfed.yaml
  4. 55
      pixelfed/app.php
  5. 73
      pixelfed/docker-compose.yaml
  6. 21
      pixelfed/env.production
  7. 2
      pixelfed/keycloak.sh
  8. 26
      pixelfed/nginx.conf

1
.gitignore vendored
Unescape View File

@ -5,3 +5,4 @@ env.smtp
*.old *.old
*.log *.log
test test
secrets

16
Makefile
Unescape View File

@ -9,7 +9,7 @@ MODULES += nextcloud
MODULES += mobilizon MODULES += mobilizon
MODULES += gitea MODULES += gitea
MODULES += nitter MODULES += nitter
#MODULES += pixelfed MODULES += pixelfed
include env.production include env.production
domain_name := $(DOMAIN_NAME) domain_name := $(DOMAIN_NAME)
@ -20,7 +20,7 @@ help:
UC = $(shell echo '$1' | tr '[:lower:]' '[:upper:]') UC = $(shell echo '$1' | tr '[:lower:]' '[:upper:]')
DOCKER = \ DOCKER = \
$(foreach m,$(MODULES),. data/$m/secrets && ) \ $(foreach m,$(MODULES),. secrets/$m && ) \
docker-compose \ docker-compose \
--env-file env.production \ --env-file env.production \
$(foreach m,$(MODULES),--file ./$m.yaml) \ $(foreach m,$(MODULES),--file ./$m.yaml) \
@ -59,33 +59,37 @@ matrix-logs:
$(DOCKER) logs --tail 100 -f matrix-synapse $(DOCKER) logs --tail 100 -f matrix-synapse
nextcloud-logs: nextcloud-logs:
$(DOCKER) logs -f nextcloud $(DOCKER) logs -f nextcloud
nginx-build: data/nginx/secrets nginx-build: secrets/nginx
$(DOCKER) build nginx $(DOCKER) build nginx
certdir = ./data/certbot/conf/live/${DOMAIN_NAME} certdir = ./data/certbot/conf/live/${DOMAIN_NAME}
run: secrets-setup run: secrets-setup
secrets-setup: $(foreach m,$(MODULES),data/$m/secrets) secrets-setup: $(foreach m,$(MODULES),secrets/$m)
# Create the per-subdomain secrets if they don't exist # Create the per-subdomain secrets if they don't exist
# not every service requires all of these features, but create them anyway # not every service requires all of these features, but create them anyway
GET_MODULE = $(call UC,$(word 2,$(subst /, ,$@))) GET_MODULE = $(call UC,$(word 2,$(subst /, ,$@)))
RAND = $$(openssl rand -hex $1) RAND = $$(openssl rand -hex $1)
data/%/secrets: secrets/%:
mkdir -p $(dir $@) mkdir -p $(dir $@)
echo >$@ "# DO NOT CHECK IN" echo >$@ "# DO NOT CHECK IN"
echo >>$@ "export $(GET_MODULE)_ADMIN_PASSWORD=$(call RAND,8)" echo >>$@ "export $(GET_MODULE)_ADMIN_PASSWORD=$(call RAND,8)"
echo >>$@ "export $(GET_MODULE)_CLIENT_SECRET=$(call RAND,20)" echo >>$@ "export $(GET_MODULE)_CLIENT_SECRET=$(call RAND,20)"
echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)" echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)"
data/gitea/secrets: data/gitea/host-setup.done secrets/gitea: data/gitea/host-setup.done
data/gitea/host-setup.done: data/gitea/host-setup.done:
sudo ./gitea/host-setup.sh sudo ./gitea/host-setup.sh
mkdir -p $(dir $@) mkdir -p $(dir $@)
touch $@ touch $@
secrets/pixelfed: secrets/pixelfed.app
secrets/pixelfed.app:
echo 'APP_KEY=base64:$(shell openssl rand -base64 32)' > $@
keycloak-setup: secrets-setup keycloak-setup: secrets-setup
docker exec keycloak /setup.sh docker exec keycloak /setup.sh

78
pixelfed.yaml
Unescape View File

@ -0,0 +1,78 @@
version: "3"
services:
pixelfed-app:
image: osresearch/pixelfed:latest
container_name: pixelfed-app
restart: always
volumes:
- ./data/pixelfed/storage:/var/www/storage
environment:
- APP_NAME="${DOMAIN_NAME} Pixelfed"
- INSTANCE_DESCRIPTION="${DOMAIN_NAME} Pixelfed"
- OIDC_CLIENT_ID=pixelfed
- OIDC_CLIENT_SECRET=${PIXELFED_CLIENT_SECRET}
- OIDC_PROVIDER_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}
- OIDC_ENABLED=true
- OIDC_PROVIDER_NAME=Keycloak
- APP_URL="https://${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
- APP_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
- ADMIN_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
- SESSION_DOMAIN="${PIXELFED_HOSTNAME}.${DOMAIN_NAME}"
- MAIL_DRIVER=log
- MAIL_HOST=${SMTP_SERVER}
- MAIL_PORT=${SMTP_PORT}
- MAIL_FROM_ADDRESS="pixelfed@${DOMAIN_NAME}"
- MAIL_FROM_NAME="Pixelfed"
- MAIL_USERNAME="${SMTP_USER}"
- MAIL_PASSWORD="${SMTP_PASSWORD}"
env_file:
- ./pixelfed/env.production
- ./secrets/pixelfed.app
depends_on:
- pixelfed-db
- pixelfed-redis
pixelfed-worker:
image: osresearch/pixelfed:latest
container_name: pixelfed-worker
restart: unless-stopped
volumes:
- ./data/pixelfed/storage:/var/www/storage
env_file:
- ./pixelfed/env.production
- ./secrets/pixelfed.app
command: gosu www-data php artisan horizon
depends_on:
- pixelfed-db
- pixelfed-redis
## DB and Cache
pixelfed-db:
image: mysql:8.0
container_name: pixelfed-db
restart: unless-stopped
command: --default-authentication-plugin=mysql_native_password
volumes:
- ./data/pixelfed/db-data:/var/lib/mysql
env_file:
- ./pixelfed/env.production
pixelfed-redis:
image: redis:5-alpine
container_name: pixelfed-redis
restart: unless-stopped
volumes:
- ./data/pixelfed/redis-data:/data
env_file:
- ./pixelfed/env.production
# add the subdomain nginx configuration into the nginx volume
nginx:
volumes:
- ./pixelfed/nginx.conf:/etc/nginx/templates/pixelfed.conf.template:ro
# add the subdomain client secrets to the keycloak-setup volume
keycloak:
volumes:
- ./pixelfed/keycloak.sh:/keycloak-setup/pixelfed.sh:ro
- ./secrets/pixelfed:/run/secrets/pixelfed:ro

55
pixelfed/app.php
Unescape View File

@ -1,55 +0,0 @@
<?php
/*
|--------------------------------------------------------------------------
| Create The Application
|--------------------------------------------------------------------------
|
| The first thing we will do is create a new Laravel application instance
| which serves as the "glue" for all the components of Laravel, and is
| the IoC container for the system binding all of the various parts.
|
*/
$app = new Illuminate\Foundation\Application(
realpath(__DIR__.'/../')
);
/*
|--------------------------------------------------------------------------
| Bind Important Interfaces
|--------------------------------------------------------------------------
|
| Next, we need to bind some important interfaces into the container so
| we will be able to resolve them when needed. The kernels serve the
| incoming requests to this application from both the web and CLI.
|
*/
$app->singleton(
Illuminate\Contracts\Http\Kernel::class,
App\Http\Kernel::class
);
$app->singleton(
Illuminate\Contracts\Console\Kernel::class,
App\Console\Kernel::class
);
$app->singleton(
Illuminate\Contracts\Debug\ExceptionHandler::class,
App\Exceptions\Handler::class
);
/*
|--------------------------------------------------------------------------
| Return The Application
|--------------------------------------------------------------------------
|
| This script returns the application instance. The instance is given to
| the calling script so we can separate the building of the instances
| from the actual running of the application and sending responses.
|
*/
return $app;

73
pixelfed/docker-compose.yaml
Unescape View File

@ -1,73 +0,0 @@
---
version: '3'
services:
## App and Worker
app:
image: osresearch/pixelfed
restart: unless-stopped
env_file:
- ../env.production
- env.production
- ../data/pixelfed/env.secrets
volumes:
- ../data/pixelfed/app-storage:/var/www/storage
- ../data/pixelfed/app-bootstrap:/var/www/bootstrap
- ../data/pixelfed/env.secrets:/var/www/.env
networks:
- external
- internal
ports:
- "8090:80"
depends_on:
- db
- redis
worker:
image: osresearch/pixelfed
restart: unless-stopped
env_file:
- ../env.production
- env.production
- ../data/pixelfed/env.secrets
volumes:
- ../data/pixelfed/app-storage:/var/www/storage
- ../data/pixelfed/app-bootstrap:/var/www/bootstrap
- ../data/pixelfed/env.secrets:/var/www/.env
networks:
- external
- internal
command: gosu www-data php artisan horizon
depends_on:
- db
- redis
## DB and Cache
db:
image: mysql:8.0
restart: unless-stopped
networks:
- internal
command: --default-authentication-plugin=mysql_native_password
env_file:
- ../env.production
- env.production
volumes:
- "../data/pixelfed/db-data:/var/lib/mysql"
redis:
image: redis:5-alpine
restart: unless-stopped
env_file:
- ../env.production
- env.production
volumes:
- "../data/pixelfed/redis-data:/data"
networks:
- internal
networks:
internal:
internal: true
external:
driver: bridge

21
pixelfed/env.production
Unescape View File

@ -1,21 +1,16 @@
## Crypto ## Crypto
# APP_KEY is set env.secrets # APP_KEY is set in secrets/pixelfed.app
## General Settings ## General Settings
APP_ENV=production APP_ENV=production
APP_DEBUG=false APP_DEBUG=false
# domain name specifics are passed in env.secrets # domain name specifics are passed in pixelfed.yaml
# APP_NAME="Pixelfed Prod (Testing)"
# APP_URL="https://pixelfed.hackerspace.zone"
# APP_DOMAIN="pixelfed.hackerspace.zone"
# ADMIN_DOMAIN="pixelfed.hackerspace.zone"
# SESSION_DOMAIN="pixelfed.hackerspace.zone"
OPEN_REGISTRATION=true OPEN_REGISTRATION=true
ENFORCE_EMAIL_VERIFICATION=false ENFORCE_EMAIL_VERIFICATION=false
PF_MAX_USERS=1000 PF_MAX_USERS=1000
OAUTH_ENABLED=false OAUTH_ENABLED=true # necessary for mobile app
APP_TIMEZONE=UTC APP_TIMEZONE=UTC
APP_LOCALE=en APP_LOCALE=en
@ -60,7 +55,7 @@ RESTRICTED_INSTANCE=false
## Databases (MySQL) ## Databases (MySQL)
DB_CONNECTION=mysql DB_CONNECTION=mysql
DB_DATABASE=pixelfed_prod DB_DATABASE=pixelfed_prod
DB_HOST=db DB_HOST=pixelfed-db
DB_PASSWORD=pixelfed_db_pass DB_PASSWORD=pixelfed_db_pass
DB_PORT=3306 DB_PORT=3306
DB_USERNAME=pixelfed DB_USERNAME=pixelfed
@ -81,7 +76,7 @@ MYSQL_USER=pixelfed
## Cache (Redis) ## Cache (Redis)
REDIS_CLIENT=phpredis REDIS_CLIENT=phpredis
REDIS_SCHEME=tcp REDIS_SCHEME=tcp
REDIS_HOST=redis REDIS_HOST=pixelfed-redis
REDIS_PASSWORD=redis_password REDIS_PASSWORD=redis_password
REDIS_PORT=6379 REDIS_PORT=6379
REDIS_DATABASE=0 REDIS_DATABASE=0
@ -151,8 +146,4 @@ TRUST_PROXIES="*"
#PASSPORT_PRIVATE_KEY= #PASSPORT_PRIVATE_KEY=
#PASSPORT_PUBLIC_KEY= #PASSPORT_PUBLIC_KEY=
## OIDC for logins passed in in env.secrets ## OIDC config is passed in pixelfed.yaml
# OIDC_CLIENT_ID, OIDC_CLIENT_SECRET
# OIDC provider URL must include realm
# OIDC_PROVIDER_URL=https://login.hackerspace.zone/realms/hackerspace
OIDC_PROVIDER_NAME=oidc

2
pixelfed/keycloak.sh
Unescape View File

@ -0,0 +1,2 @@
#!/bin/bash -x
client-create pixelfed "$PIXELFED_HOSTNAME.$DOMAIN_NAME" "$PIXELFED_CLIENT_SECRET" </dev/null

26
pixelfed/nginx.conf
Unescape View File

@ -0,0 +1,26 @@
server {
server_name ${PIXELFED_HOSTNAME} ${PIXELFED_HOSTNAME}.${DOMAIN_NAME};
client_max_body_size 128m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
gzip on;
gzip_disable "msie6";
proxy_read_timeout 1800s;
location / {
proxy_pass http://pixelfed-app/;
#proxy_pass http://172.17.0.1:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
include /etc/nginx/includes/ssl.conf;
}
Write Preview
Loading…
Cancel
Save