data: relocate all data volumes to separate directory

grafana/docker-compose.yaml

@@ -16,7 +16,7 @@ services:
       # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET is in env.secrets
       # auth URLs are in the env.secrets since they have hostname expansion
     volumes:
-      - ./data/grafana:/var/lib/grafana
+      - ../data/grafana:/var/lib/grafana
     restart: unless-stopped
     ports:
       - 8000:3000

hedgedoc/docker-compose.yaml

@@ -7,7 +7,7 @@ services:
       - POSTGRES_PASSWORD=password
       - POSTGRES_DB=hedgedoc
     volumes:
-      - ./data/database:/var/lib/postgresql/data
+      - ../data/hedgedoc/database:/var/lib/postgresql/data
     restart: always
   hedgedoc:
     # Make sure to use the latest release from https://hedgedoc.org/latest-release
@@ -32,7 +32,7 @@ services:
       - CMD_OAUTH2_CLIENT_ID=hedgedoc
       - CMD_OAUTH2_PROVIDERNAME=Keycloak
     volumes:
-      - ./data/uploads:/hedgedoc/public/uploads
+      - ../data/hedgedoc/uploads:/hedgedoc/public/uploads
     ports:
       - "3000:3000"
     restart: always

keycloak/docker-compose.yaml

@@ -8,7 +8,7 @@ services:
   mysql:
       image: mysql:5.7
       volumes:
-        - ./data/database:/var/lib/mysql
+        - ../data/keycloak/database:/var/lib/mysql
       environment:
         MYSQL_ROOT_PASSWORD: root
         MYSQL_DATABASE: keycloak
@@ -33,8 +33,8 @@ services:
         # KEYCLOAK_ADMIN_PASSWORD should be set in env.secrets
         PROXY_ADDRESS_FORWARDING: 'true'
       volumes:
-        - ./data/certs:/etc/x509/https
+        - ../data/keycloak/certs:/etc/x509/https
-        - ./data/keycloak:/opt/keycloak/data
+        - ../data/keycloak/keycloak:/opt/keycloak/data
       ports:
         - 8080:8080
       depends_on:

mastodon/docker-compose.yaml

@@ -9,7 +9,7 @@ services:
     healthcheck:
       test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"]
     volumes:
-      - ./data/database:/var/lib/postgresql/data
+      - ../data/mastodon/database:/var/lib/postgresql/data
     environment:
       - POSTGRES_USER=mastodon
       - POSTGRES_PASSWORD=mastodon
@@ -23,7 +23,7 @@ services:
     healthcheck:
       test: ['CMD', 'redis-cli', 'ping']
     volumes:
-      - ./data/redis:/data
+      - ../data/mastodon/redis:/data
 
   es:
     restart: always
@@ -38,7 +38,7 @@ services:
     healthcheck:
        test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
     volumes:
-       - ./data/elasticsearch:/usr/share/elasticsearch/data
+       - ../data/mastodon/elasticsearch:/usr/share/elasticsearch/data
     # fixup the permissions on the data directory since they are created as root on host
     entrypoint: /bin/sh -c "chown -R elasticsearch:elasticsearch data && /usr/local/bin/docker-entrypoint.sh eswrapper"
     ulimits:
@@ -67,7 +67,7 @@ services:
       - redis
       - es
     volumes:
-      - ./data/system:/mastodon/public/system
+      - ../data/mastodon/system:/mastodon/public/system
 
   streaming:
     image: tootsuite/mastodon
@@ -104,7 +104,7 @@ services:
       - external_network
       - internal_network
     volumes:
-      - ./data/system:/mastodon/public/system
+      - ../data/mastodon/system:/mastodon/public/system
     healthcheck:
       test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
 

mastodon/setup

@@ -7,8 +7,8 @@ cd "$DIRNAME"
 source ../env.production
 source ./env.production
 
-mkdir -p data/system
+mkdir -p ../data/mastodon/system
-chmod 777 data/system
+chmod 777 ../data/mastodon/system
 
 if [ -r "./env.secrets" ]; then
 	docker-compose up -d || die "unable to restart mastodon"

matrix/docker-compose.yaml

@@ -4,7 +4,7 @@ services:
     image: postgres:13.4-alpine
     restart: unless-stopped
     volumes:
-     - ./data/postgresdata:/var/lib/postgresql/data
+     - ../data/matrix/postgresdata:/var/lib/postgresql/data
     environment:
      - POSTGRES_DB=synapse
      - POSTGRES_USER=synapse
@@ -22,6 +22,6 @@ services:
     image: matrixdotorg/synapse:latest
     restart: unless-stopped
     volumes:
-     - ./data/synapse:/data
+     - ../data/matrix/synapse:/data
     ports:
       - "5008:8008"

matrix/setup

@@ -6,9 +6,9 @@ cd "$DIRNAME"
 source ../env.production || die "no top levle env?"
 source env.production || die "no local env?"
 
-HOMESERVER_YAML="data/synapse/homeserver.yaml"
+SYNAPSE_DIR="../data/matrix/synapse"
+HOMESERVER_YAML="$SYNAPSE_DIR/homeserver.yaml"
 if [  -r "$HOMESERVER_YAML" ]; then
-	echo "home server already configured? delete data directory to force reconfig"
 	docker-compose up -d || die "matrix: unable to restart"
 	exit 0
 fi
@@ -21,7 +21,7 @@ docker-compose down 2>/dev/null
 # the syntax here is confusing and it is not clear in
 # the docs *which* have to be updated.
 docker run -it --rm \
-	-v "`pwd`/data/synapse:/data" \
+	-v "`pwd`/$SYNAPSE_DIR:/data" \
 	-e "SYNAPSE_SERVER_NAME=$DOMAIN_NAME" \
 	-e SYNAPSE_REPORT_STATS=yes \
 	matrixdotorg/synapse:latest generate \

nextcloud/docker-compose.yaml

@@ -8,7 +8,7 @@ services:
       - POSTGRES_PASSWORD=nextcloud
       - POSTGRES_DB=nextcloud
     volumes:
-      - ./data/database:/var/lib/postgresql/data
+      - ../data/nextcloud/database:/var/lib/postgresql/data
     restart: always
 
   nextcloud:
@@ -30,7 +30,7 @@ services:
       # NEXTCLOUD_ADMIN_PASSWORD in env.secrets
       # NEXTCLOUD_TRUSTED_DOMAINS also set in env.secrets
     volumes:
-      - ./data/nextcloud:/var/www/html
+      - ../data/nextcloud/nextcloud:/var/www/html
     depends_on:
       - database
 

nginx/certbot-renew

@@ -14,9 +14,9 @@ set -x
 
 # move the temp live directory away if
 # this is the first time we've run anything here
-if [ ! -d "data/certbot/conf/accounts" ]; then
+if [ ! -d "../data/certbot/conf/accounts" ]; then
 	echo "deleting temp keys"
-	rm -rf data/certbot/conf/live
+	rm -rf ../data/certbot/conf/live
 fi
 
 docker-compose run --rm certbot \

nginx/docker-compose.yaml

@@ -10,8 +10,8 @@ services:
       - ./nginx/templates:/etc/nginx/templates
       - ./nginx/includes:/etc/nginx/includes
       - ../html:/var/www
-      - ./data/certbot/www:/var/www/certbot
+      - ../data/certbot/www:/var/www/certbot
-      - ./data/certbot/conf:/etc/letsencrypt
+      - ../data/certbot/conf:/etc/letsencrypt
     env_file:
       -  ../env.production
       -  env.production
@@ -21,5 +21,5 @@ services:
   certbot:
     image: certbot/certbot
     volumes:
-      - ./data/certbot/conf:/etc/letsencrypt
+      - ../data/certbot/conf:/etc/letsencrypt
-      - ./data/certbot/www:/var/www/certbot
+      - ../data/certbot/www:/var/www/certbot

nginx/setup

@@ -11,23 +11,25 @@ if [ -z "${DOMAIN_NAME}" ]; then
 	die "DOMAIN_NAME not set"
 fi
 
-docker-compose down
+certdir="../data/certbot/conf/live/${DOMAIN_NAME}"
+
+if [ -r "$certdir/privkey.pem" ]; then
+	docker-compose up -d || die "nginx: unable to start"
+	exit 0
+fi
 
-certdir="data/certbot/conf/live/${DOMAIN_NAME}"
 mkdir -p "$certdir" || die "$certdir: unable to make"
 
-if [ ! -r "$certdir/privkey.pem" ]; then
+openssl req \
-	openssl req \
+	-x509 \
-		-x509 \
+	-newkey rsa:2048 \
-		-newkey rsa:2048 \
+	-keyout "$certdir/privkey.pem" \
-		-keyout "$certdir/privkey.pem" \
+	-out "$certdir/fullchain.pem" \
-		-out "$certdir/fullchain.pem" \
+	-sha256 \
-		-sha256 \
+	-nodes \
-		-nodes \
+	-days 365 \
-		-days 365 \
+	-subj "/CN=${DOMAIN_NAME}'" \
-		-subj "/CN=${DOMAIN_NAME}'" \
+|| die "$certdir/privkey.pem: unable to create temp key"
-	|| die "$certdir/privkey.pem: unable to create temp key"
-fi
 
 docker-compose up -d || die "unable to bring up nginx"
 
@@ -35,5 +37,3 @@ echo "SLEEPING..."
 sleep 10
 
 ./certbot-renew || die "unable to create certs"
-
-

start-all

@@ -0,0 +1,13 @@
+#!/bin/bash
+die() { echo >&2 "$@" ; exit 1 ; }
+
+source ./env.production || die "no production env?"
+
+if [ -z "$DOMAIN_NAME" ]; then
+	die "\$DOMAIN_NAME not set; things will break"
+fi
+
+for service in keycloak nginx hedgedoc nextcloud mastodon grafana matrix ; do
+	echo "$service: starting"
+	./$service/setup || die "$server: failed to start"
+done