cel
/
hackerspace-zone-mirror
mirror of https://github.com/osresearch/hackerspace-zone
1
0
Fork 0
Code Issues 16 Packages Projects Releases Wiki Activity

overhaul the env.production files, add more nginx wrappers, split things into setup scripts

Browse Source
gitea
Ubuntu 3 years ago
parent 45cae54638
commit 05e87eb945
18 changed files with 279 additions and 37 deletions
Show Stats Download Patch File Download Diff File

2
.gitignore vendored
Unescape View File

@ -0,0 +1,2 @@
.*.swp
data

7
env.production
Unescape View File

@ -0,0 +1,7 @@
DOMAIN_NAME=example.com
REALM=spacestation
KEYCLOAK_HOSTNAME=login.${DOMAIN_NAME}
HEDGEDOC_HOSTNAME=docs.${DOMAIN_NAME}
MASTODON_HOSTNAME=social.${DOMAIN_NAME}
NEXTCLOUD_HOSTNAME=cloud.${DOMAIN_NAME}

25
hedgedoc/docker-compose.yaml
Unescape View File

@ -7,35 +7,30 @@ services:
- POSTGRES_PASSWORD=password
- POSTGRES_DB=hedgedoc
volumes:
- database:/var/lib/postgresql/data
- ./data/database:/var/lib/postgresql/data
restart: always
app:
# Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:1.9.3
env_file:
- ../env.production
- env.production
environment:
- CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
- CMD_DOMAIN=spacestation
- CMD_URL_ADDPORT=true
- CMD_OAUTH2_USER_PROFILE_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/userinfo
- CMD_DOMAIN=docs.example.com
#- CMD_URL_ADDPORT=true
- CMD_OAUTH2_USER_PROFILE_URL=https://login.example.com/realms/spacestation/protocol/openid-connect/userinfo
- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
- CMD_OAUTH2_TOKEN_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/token
- CMD_OAUTH2_AUTHORIZATION_URL=http://spacestation:8080/realms/spacestation/protocol/openid-connect/auth
- CMD_OAUTH2_TOKEN_URL=https://login.example.com/realms/spacestation/protocol/openid-connect/token
- CMD_OAUTH2_AUTHORIZATION_URL=https://login.example.com/realms/spacestation/protocol/openid-connect/auth
- CMD_OAUTH2_CLIENT_ID=hedgedoc
- CMD_OAUTH2_CLIENT_SECRET=abcdef1234
- CMD_OAUTH2_PROVIDERNAME=Keycloak
- CMD_SESSION_SECRET=abcdef1234
# - CMD_DOMAIN=<hedgedoc.example.com>
# - CMD_PROTOCOL_USESSL=true
# - CMD_URL_ADDPORT=false
volumes:
- uploads:/hedgedoc/public/uploads
- ./data/uploads:/hedgedoc/public/uploads
ports:
- "3000:3000"
restart: always
depends_on:
- database
volumes:
database:
uploads:

2
hedgedoc/env.production
Unescape View File

@ -0,0 +1,2 @@
CMD_OAUTH2_CLIENT_SECRET=abcdef1234
CMD_SESSION_SECRET=abcdef1234

40
hedgedoc/setup
Unescape View File

@ -0,0 +1,40 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
[ -r env.production ] && source env.production
[ -r ../env.production ] && source ../env.production
cd ../keycloak
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create clients \
-r "$REALM" \
-f - <<EOF || die "unable to create hedgedoc client"
{
"clientId": "hedgedoc",
"rootUrl": "https://$HEDGEDOC_HOSTNAME",
"adminUrl": "https://$HEDGEDOC_HOSTNAME",
"redirectUris": [ "https://$HEDGEDOC_HOSTNAME/*" ],
"webOrigins": [ "https://$HEDGEDOC_HOSTNAME" ],
"clientAuthenticatorType": "client-secret",
"secret": "$CMD_OAUTH2_CLIENT_SECRET",
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"id",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
EOF

12
keycloak/docker-compose.yaml
Unescape View File

@ -8,7 +8,7 @@ services:
mysql:
image: mysql:5.7
volumes:
- ./mysql_data:/var/lib/mysql
- ./data/database:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: keycloak
@ -17,7 +17,10 @@ services:
keycloak:
image: quay.io/keycloak/keycloak:18.0.0
entrypoint: /opt/keycloak/bin/kc.sh start-dev
entrypoint: /opt/keycloak/bin/kc.sh start-dev --proxy=edge
env_file:
- ../env.production
- env.production
environment:
DB_VENDOR: MYSQL
DB_ADDR: mysql
@ -25,10 +28,9 @@ services:
DB_USER: keycloak
DB_PASSWORD: password
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
KEYCLOAK_HOSTNAME: spacestation
PROXY_ADDRESS_FORWARDING: 'true'
volumes:
- ./certs:/etc/x509/https
- ./data/certs:/etc/x509/https
ports:
- 8080:8080
- 8443:8443

1
keycloak/env.production
Unescape View File

@ -0,0 +1 @@
KEYCLOAK_ADMIN_PASSWORD=abcd@1234!

73
keycloak/setup
Unescape View File

@ -0,0 +1,73 @@
#!/bin/bash
die() { echo >&2 "ERROR: $@" ; exit 1 ; }
info() { echo >&2 "$@" ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production
source ./env.production
info "logging into server"
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
config credentials \
--server http://localhost:8080/ \
--user admin \
--password "$KEYCLOAK_ADMIN_PASSWORD" \
--realm master \
|| die "unable to login"
info "Create a new realm for '$REALM'"
sudo docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
create realms \
-s "realm=$REALM" \
-s enabled=true \
|| die "unable to create realm"
# https://github.com/hedgedoc/hedgedoc/issues/56
info "Fix up a id bug"
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create client-scopes \
-r "$REALM" \
-f - <<EOF || die "unable to create mapping"
{
"name": "id",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"name": "id",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"user.attribute": "id",
"id.token.claim": "true",
"access.token.claim": "true",
"jsonType.label": "String",
"userinfo.token.claim": "true"
}
}
]
}
EOF
info "Create an admin user in realm"
sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create users \
-o \
--fields id,username \
-r "$REALM" \
-s username=admin \
-s enabled=true \
-s 'credentials=[{"type":"'$KEYCLOAK_ADMIN_PASSWORD'","value":"admin","temporary":false}]' \
|| die "$REALM: unable to create admin user"

5
mastodon/README.md
Unescape View File

@ -1,3 +1,8 @@
This needs setup run *first* and then `docker-compose up`
---
Notes from https://gist.github.com/TrillCyborg/84939cd4013ace9960031b803a0590c4
elastic search needs hacks to set permissions on data directory

16
mastodon/docker-compose.yaml
Unescape View File

@ -9,11 +9,11 @@ services:
healthcheck:
test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"]
volumes:
- ./database:/var/lib/postgresql/data
- ./data/database:/var/lib/postgresql/data
environment:
- POSTGRES_USER=mastodon
- POSTGRES_PASSWORD=mastodon
- POSTGRES_DB=mastodon_production
#- POSTGRES_DB=mastodon_production
redis:
restart: always
@ -23,7 +23,7 @@ services:
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
volumes:
- ./redis:/data
- ./data/redis:/data
es:
restart: always
@ -38,7 +38,7 @@ services:
healthcheck:
test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
volumes:
- ./elasticsearch:/usr/share/elasticsearch/data
- ./data/elasticsearch:/usr/share/elasticsearch/data
# fixup the permissions on the data directory since they are created as root on host
entrypoint: /bin/sh -c "chown -R elasticsearch:elasticsearch data && /usr/local/bin/docker-entrypoint.sh eswrapper"
ulimits:
@ -50,7 +50,9 @@ services:
# build: .
image: tootsuite/mastodon
restart: always
env_file: env.production
env_file:
- ../env.production
- env.production
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
networks:
- external_network
@ -65,7 +67,7 @@ services:
- redis
- es
volumes:
- ./public/system:/mastodon/public/system
- ./data/system:/mastodon/public/system
streaming:
build: .
@ -98,7 +100,7 @@ services:
- external_network
- internal_network
volumes:
- ./public/system:/mastodon/public/system
- ./data/system:/mastodon/public/system
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]

1
mastodon/env.production
Unescape View File

@ -16,7 +16,6 @@
# ----------
LOCAL_DOMAIN=social.example.com
#WEB_DOMAIN=social.example.com
TRUSTED_PROXY_IP=10.1.0.142
# Redis
# -----

14
mastodon/setup
Unescape View File

@ -0,0 +1,14 @@
#!/bin/bash
die() { echo >&2 "ERROR: $@" ; exit 1 ; }
info() { echo >&2 "$@" ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production
source ./env.production
info "configuring mastodon"
sudo docker-compose run web \
rails db:setup \
|| die "unable to login"

35
nextcloud/README.md
Unescape View File

@ -0,0 +1,35 @@
Enable SSO:
```
( cd ../keycloak ; sudo docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create clients \
--realm master --user admin --password admin \
-r spacestation \
-f - ) <<EOF
{
"clientId": "nextcloud",
"rootUrl": "http://spacestation:9000/",
"adminUrl": "http://spacestation:9000/",
"redirectUris": [ "http://spacestation:9000/*" ],
"webOrigins": [ "http://spacestation:9000" ],
"clientAuthenticatorType": "client-secret",
"secret": "nextcloud-secret"
}
EOF
```
and configure the social login app:
```
sudo docker-compose exec -u www-data -T nextcloud \
./occ app:install sociallogin \
&& sudo docker-compose exec -u www-data -T nextcloud \
./occ config:app:set sociallogin prevent_create_email_exists --value=1 \
&& sudo docker-compose exec -u www-data -T nextcloud \
./occ config:app:set sociallogin update_profile_on_login --value=1 \
&& sudo docker-compose exec -u www-data -T nextcloud \
./occ config:app:set \
sociallogin custom_providers \
--value='{"custom_oidc":[{"name":"keycloak","title":"Keycloak","authorizeUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/auth","tokenUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/token","displayNameClaim":"","userInfoUrl":"http://spacestation:8080/realms/spacestation/protocol/openid-connect/userinfo","logoutUrl":"","clientId":"nextcloud","clientSecret":"nextcloud-secret","scope":"openid","groupsClaim":"roles","style":"keycloak","defaultGroup":""}]}'
```

8
nextcloud/docker-compose.yaml
Unescape View File

@ -8,7 +8,7 @@ services:
- POSTGRES_PASSWORD=nextcloud
- POSTGRES_DB=nextcloud
volumes:
- ./database:/var/lib/postgresql/data
- ./data/database:/var/lib/postgresql/data
restart: always
nextcloud:
@ -16,6 +16,9 @@ services:
restart: unless-stopped
ports:
- 9000:80
env_file:
- ../env.production
- env.production
environment:
- POSTGRES_HOST=database
- POSTGRES_DB=nextcloud
@ -23,9 +26,8 @@ services:
- POSTGRES_PASSWORD=nextcloud
- NEXTCLOUD_TRUSTED_DOMAINS=spacestation
- NEXTCLOUD_ADMIN_USER=admin
- NEXTCLOUD_ADMIN_PASSWORD=admin
volumes:
- ./nextcloud:/var/www/html
- ./data/nextcloud:/var/www/html
depends_on:
- database

1
nextcloud/env.production
Unescape View File

@ -0,0 +1 @@
NEXTCLOUD_ADMIN_PASSWORD=admin

59
nginx/data/nginx/templates/docs.conf.template
Unescape View File

@ -0,0 +1,59 @@
server {
listen 80;
server_name ${HEDGEDOC_HOSTNAME};
location / {
return 301 https://$host$request_uri;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name ${HEDGEDOC_HOSTNAME}
client_max_body_size 128m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
gzip on;
gzip_disable "msie6";
proxy_read_timeout 1800s;
# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
chunked_transfer_encoding on;
location / {
proxy_pass http://spacestation:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /socket.io/ {
proxy_pass http://spacestation:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

4
nginx/data/nginx/templates/login.conf.template
Unescape View File

@ -12,8 +12,10 @@ server {
location / {
proxy_pass http://spacestation:8080;
proxy_pass_header Set-Cookie;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
}
listen 443 ssl;

11
nginx/setup
Unescape View File

@ -1,19 +1,19 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
ENV=env.production
if [ ! -r "$ENV" ]; then
echo >&2 "$ENV: not found?"
exit 1
die "$ENV: not found?"
fi
source env.production
if [ -z "${DOMAIN_NAME}" ]; then
echo >&2 "DOMAIN_NAME not set"
exit 1
die "DOMAIN_NAME not set"
fi
certdir="data/certbot/conf/live/${DOMAIN_NAME}"
mkdir -p "$certdir"
mkdir -p "$certdir" || die "$certdir: unable to make"
openssl req \
-x509 \
@ -24,3 +24,4 @@ openssl req \
-nodes \
-days 365 \
-subj "/CN=${DOMAIN_NAME}'" \
|| die "$certdir/privkey.pem: unable to create temp key"

Write Preview
Loading…
Cancel
Save