cel
/
hackerspace-zone-mirror
mirror of https://github.com/osresearch/hackerspace-zone
1
0
Fork 0
Code Issues 16 Packages Projects Releases Wiki Activity

collapse everything into one docker-compose environment and enable prometheus logging

Browse Source
single-dockerfile
Ubuntu 3 years ago
parent 250030fe7a
commit 7a0a530add
53 changed files with 1038 additions and 879 deletions
Show Stats Download Patch File Download Diff File

3
.gitignore vendored
Unescape View File

@ -2,3 +2,6 @@
data
*.secrets
env.smtp
*.old
*.log
test

87
Makefile
Unescape View File

@ -0,0 +1,87 @@
MODULES += nginx
MODULES += keycloak
MODULES += hedgedoc
MODULES += grafana
MODULES += prometheus
MODULES += mastodon
#MODULES += pixelfed
include env.production
domain_name := $(DOMAIN_NAME)
help:
@echo "usage: make run"
UC = $(shell echo '$1' | tr '[:lower:]' '[:upper:]')
DOCKER = \
$(foreach m,$(MODULES),. data/$m/secrets && ) \
docker-compose \
--env-file env.production \
$(foreach m,$(MODULES),--file ./$m.yaml) \
run:
$(DOCKER) up
down:
$(DOCKER) down
nginx-shell:
$(DOCKER) exec nginx sh
grafana-shell:
$(DOCKER) exec grafana bash
hedgedoc-shell:
$(DOCKER) exec hedgedoc sh
keycloak-shell:
$(DOCKER) exec keycloak sh
mastodon-shell:
$(DOCKER) exec mastodon bash
mastodon-streaming-shell:
$(DOCKER) exec mastodon-streaming bash
nginx-build: data/nginx/secrets
$(DOCKER) build nginx
certdir = ./data/certbot/conf/live/${DOMAIN_NAME}
run: secrets-setup
secrets-setup: $(foreach m,$(MODULES),data/$m/secrets)
# Create the per-subdomain secrets if they don't exist
# not every service requires all of these features, but create them anyway
GET_MODULE = $(call UC,$(word 2,$(subst /, ,$@)))
RAND = $$(openssl rand -hex $1)
data/%/secrets:
mkdir -p $(dir $@)
echo >$@ "# DO NOT CHECK IN"
echo >>$@ "export $(GET_MODULE)_ADMIN_PASSWORD=$(call RAND,8)"
echo >>$@ "export $(GET_MODULE)_CLIENT_SECRET=$(call RAND,20)"
echo >>$@ "export $(GET_MODULE)_SESSION_SECRET=$(call RAND,20)"
keycloak-setup: secrets-setup
$(DOCKER) run keycloak-setup
certbot:
$(DOCKER) \
run --entrypoint '/bin/sh -c "\
rm -rf /etc/letsencrypt ; \
certbot certonly \
--webroot \
--webroot-path /var/www/certbot \
--email "admin@$(DOMAIN_NAME)" \
--rsa-key-size "2048" \
--agree-tos \
--no-eff-email \
--force-renewal \
-d $(DOMAIN_NAME) \
$(foreach m,$(MODULES),\
-d $($(call UC,$m)_HOSTNAME).$(DOMAIN_NAME)) \
"' certbot
nginx-reload:
$(DOCKER) restart nginx
config:
$(DOCKER) config
FORCE:

1
README.md
Unescape View File

@ -8,6 +8,7 @@ Infrastructure for the self-hosted, single-sign-on, community-run services.
```
apt install jq docker-compose
apt install prometheus
```
* Setup each of the services. `keycloak` and `nginx` are required to start the others:

34
env.production
Unescape View File

@ -1,12 +1,26 @@
DOMAIN_NAME=hackerspace.zone
# Fill in with your top-level domain name and desired OAUTH realm name
DOMAIN_NAME=dev.v.st
REALM=hackerspace
KEYCLOAK_HOSTNAME=login.hackerspace.zone
HEDGEDOC_HOSTNAME=docs.hackerspace.zone
MASTODON_HOSTNAME=social.hackerspace.zone
NEXTCLOUD_HOSTNAME=cloud.hackerspace.zone
GRAFANA_HOSTNAME=dashboard.hackerspace.zone
GITEA_HOSTNAME=git.hackerspace.zone
MATRIX_HOSTNAME=matrix.hackerspace.zone
MOBILIZON_HOSTNAME=events.hackerspace.zone
PIXELFED_HOSTNAME=pixelfed.hackerspace.zone
# Fill in with your SMTP server, if you have one
SMTP_SERVER=
SMTP_USER=
SMTP_PASSWORD=
SMTP_PORT=
# You can leave these as is or change them if you like
NGINX_HOSTNAME=www
KEYCLOAK_HOSTNAME=login
HEDGEDOC_HOSTNAME=docs
MASTODON_HOSTNAME=social
NEXTCLOUD_HOSTNAME=cloud
GRAFANA_HOSTNAME=dashboard
GITEA_HOSTNAME=git
MATRIX_HOSTNAME=matrix
MOBILIZON_HOSTNAME=events
PIXELFED_HOSTNAME=pixelfed
PROMETHEUS_HOSTNAME=metrics
AUTH_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/protocol/openid-connect/auth
TOKEN_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/protocol/openid-connect/token
USERINFO_URL=https://${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME}/realms/${REALM}/protocol/openid-connect/userinfo

41
grafana.yaml
Unescape View File

@ -0,0 +1,41 @@
version: "3"
services:
grafana:
image: grafana/grafana-oss:8.5.1
container_name: grafana
user: "0:0"
environment:
GF_AUTH_GENERIC_OAUTH_ENABLED: 'True'
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'True' # otherwise no login is possible
#GF_AUTH_GENERIC_OAUTH_TEAM_IDS: ''
#GF_AUTH_GENERIC_OAUTH_ALLOWED_ORGANIZATIONS: ''
#GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS: '<domains>'
#GF_SECURITY_ADMIN_PASSWORD: ${GRAFANA_ADMIN_PASSWORD} # ignored?
GF_AUTH_GENERIC_OAUTH_NAME: Keycloak
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
GF_SERVER_ROOT_URL: https://${GRAFANA_HOSTNAME}.${DOMAIN_NAME}/
GF_SERVER_DOMAIN: ${GRAFANA_HOSTNAME}.${DOMAIN_NAME}
GF_AUTH_GENERIC_OAUTH_AUTH_URL: ${AUTH_URL}
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: ${TOKEN_URL}
GF_AUTH_GENERIC_OAUTH_API_URL: ${USERINFO_URL}
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ${GRAFANA_CLIENT_SECRET}
# reset the admin password on every run, since otherwise it defaults to admin/admin
entrypoint: ["sh", "-c", "grafana-cli admin reset-admin-password ${GRAFANA_ADMIN_PASSWORD} && /run.sh"]
volumes:
- ./data/grafana:/var/lib/grafana
restart: always
# ports:
# - 3000:3000
# add the grafana nginx configuration into the nginx volume
nginx:
volumes:
- ./grafana/nginx.conf:/etc/nginx/templates/grafana.conf.template:ro
# add the grafana client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/grafana/secrets
volumes:
- ./grafana/keycloak.sh:/keycloak-setup/grafana.sh:ro

26
grafana/docker-compose.yaml
Unescape View File

@ -1,26 +0,0 @@
version: "3"
services:
grafana:
image: grafana/grafana-oss:8.5.1
user: "0:0"
environment:
GF_AUTH_GENERIC_OAUTH_ENABLED: 'True'
GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: 'True' # otherwise no login is possible
#GF_AUTH_GENERIC_OAUTH_TEAM_IDS: ''
#GF_AUTH_GENERIC_OAUTH_ALLOWED_ORGANIZATIONS: ''
#GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS: '<domains>'
GF_AUTH_GENERIC_OAUTH_NAME: Keycloak
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: grafana
GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
# GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET is in env.secrets
# auth URLs are in the env.secrets since they have hostname expansion
volumes:
- ../data/grafana:/var/lib/grafana
restart: always
ports:
- 8000:3000
env_file:
- ../env.production
- env.production
- ../data/grafana/env.secrets

0
grafana/env.production
Unescape View File

4
grafana/keycloak.sh
Unescape View File

@ -0,0 +1,4 @@
#!/bin/bash -x
# Setup the grafana client connection
client-create grafana "$GRAFANA_HOSTNAME.$DOMAIN_NAME" "$GRAFANA_CLIENT_SECRET" </dev/null

6
nginx/nginx/templates/dashboard.conf.template → grafana/nginx.conf
Unescape View File

@ -4,7 +4,7 @@ map $http_upgrade $connection_upgrade {
}
server {
server_name ${GRAFANA_HOSTNAME};
server_name ${GRAFANA_HOSTNAME} ${GRAFANA_HOSTNAME}.${DOMAIN_NAME};
client_max_body_size 128m;
sendfile on;
@ -24,7 +24,7 @@ server {
chunked_transfer_encoding on;
location / {
proxy_pass http://host.docker.internal:8000;
proxy_pass http://grafana:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -32,7 +32,7 @@ server {
}
location /socket.io/ {
proxy_pass http://host.docker.internal:8000;
proxy_pass http://grafana:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

50
grafana/setup
Unescape View File

@ -1,50 +0,0 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production || die "no top level env?"
source env.production || die "no local env?"
BASE="https://$KEYCLOAK_HOSTNAME/realms/$REALM/protocol/openid-connect"
SECRETS="../data/grafana/env.secrets"
if [ -r "$SECRETS" ]; then
docker-compose up -d || die "grafana: unable to start container"
exit 0
fi
docker-compose down 2>/dev/null
GRAFANA_CLIENT_SECRET="$(openssl rand -hex 32)"
GRAFANA_ADMIN_PASSWORD="$(openssl rand -hex 4)"
echo "Generating secrets: admin password $GRAFANA_ADMIN_PASSWORD"
mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# Do not check in!
GF_SECURITY_ADMIN_PASSWORD=$GRAFANA_ADMIN_PASSWORD
GF_SERVER_ROOT_URL=https://$GRAFANA_HOSTNAME/
GF_SERVER_DOMAIN=$GRAFANA_HOSTNAME
GF_AUTH_GENERIC_OAUTH_AUTH_URL=$BASE/auth
GF_AUTH_GENERIC_OAUTH_TOKEN_URL=$BASE/token
GF_AUTH_GENERIC_OAUTH_API_URL=$BASE/userinfo
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$GRAFANA_CLIENT_SECRET
EOF
../keycloak/client-delete 'grafana' 2>/dev/null
../keycloak/client-create << EOF || die "unable to create client id"
{
"clientId": "grafana",
"rootUrl": "https://$GRAFANA_HOSTNAME/",
"adminUrl": "https://$GRAFANA_HOSTNAME/",
"redirectUris": [ "https://$GRAFANA_HOSTNAME/*" ],
"webOrigins": [ "https://$GRAFANA_HOSTNAME" ],
"clientAuthenticatorType": "client-secret",
"secret": "$GRAFANA_CLIENT_SECRET"
}
EOF
docker-compose up -d || die "grafana: unable to bring up container"

58
hedgedoc.yaml
Unescape View File

@ -0,0 +1,58 @@
version: '3.9'
services:
hedgedoc-db:
image: postgres:13.4-alpine
container_name: hedgedoc-db
environment:
- POSTGRES_USER=hedgedoc
- POSTGRES_PASSWORD=password
- POSTGRES_DB=hedgedoc
volumes:
- ./data/hedgedoc/database:/var/lib/postgresql/data
restart: always
hedgedoc:
# Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:1.9.4
container_name: hedgedoc
environment:
#- CMD_CSP_ENABLE=false
- CMD_DB_URL=postgres://hedgedoc:password@hedgedoc-db:5432/hedgedoc
- CMD_PROTOCOL_USESSL=true
- CMD_ALLOW_ANONYMOUS=false # anonymous user's can't create notes
- CMD_ALLOW_ANONYMOUS_EDITS=true # but they can be invited to edit notes
- CMD_ALLOW_FREEURL=true # users can create arbitrary names
- CMD_EMAIL=false # only oauth logins
- CMD_DOMAIN=${HEDGEDOC_HOSTNAME}.${DOMAIN_NAME}
- CMD_OAUTH2_AUTHORIZATION_URL=${AUTH_URL}
- CMD_OAUTH2_TOKEN_URL=${TOKEN_URL}
- CMD_OAUTH2_USER_PROFILE_URL=${USERINFO_URL}
- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
- CMD_OAUTH2_CLIENT_ID=hedgedoc
- CMD_OAUTH2_PROVIDERNAME=Keycloak
- CMD_OAUTH2_CLIENT_SECRET=${HEDGEDOC_CLIENT_SECRET}
- CMD_SESSION_SECRET=${HEDGEDOC_SESSION_SECRET}
env_file:
- env.production
volumes:
- ./data/hedgedoc/uploads:/hedgedoc/public/uploads
# ports:
#- "3000:3000"
restart: always
depends_on:
- hedgedoc-db
- keycloak
# add the hedgedoc nginx configuration into the nginx volume
nginx:
volumes:
- ./hedgedoc/nginx.conf:/etc/nginx/templates/hedgedoc.conf.template:ro
# add the hedgedoc client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/hedgedoc/secrets
volumes:
- ./hedgedoc/keycloak.sh:/keycloak-setup/hedgedoc.sh:ro

34
hedgedoc/docker-compose.yaml
Unescape View File

@ -1,34 +0,0 @@
version: '3'
services:
database:
image: postgres:13.4-alpine
environment:
- POSTGRES_USER=hedgedoc
- POSTGRES_PASSWORD=password
- POSTGRES_DB=hedgedoc
volumes:
- ../data/hedgedoc/database:/var/lib/postgresql/data
restart: always
hedgedoc:
# Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:1.9.3
env_file:
- ../env.production
- env.production
- ../data/hedgedoc/env.secrets
environment:
#- CMD_CSP_ENABLE=false
- CMD_DB_URL=postgres://hedgedoc:password@database:5432/hedgedoc
- CMD_PROTOCOL_USESSL=true
- CMD_ALLOW_ANONYMOUS=false # anonymous user's can't create notes
- CMD_ALLOW_ANONYMOUS_EDITS=true # but they can be invited to edit notes
- CMD_ALLOW_FREEURL=true # users can create arbitrary names
- CMD_EMAIL=false # only oauth logins
# DOMAIN and OAUTH2 variables are now in env.secret
volumes:
- ../data/hedgedoc/uploads:/hedgedoc/public/uploads
ports:
- "3000:3000"
restart: always
depends_on:
- database

2
hedgedoc/env.production
Unescape View File

@ -1,2 +0,0 @@
CMD_OAUTH2_CLIENT_SECRET=abcdef1234
CMD_SESSION_SECRET=abcdef1234

50
hedgedoc/keycloak.sh
Unescape View File

@ -0,0 +1,50 @@
#!/bin/bash -x
# Setup the hedgedoc client connection
# this might fail; we'll ignore it if we have already created it
# https://github.com/hedgedoc/hedgedoc/issues/56
kcadm.sh \
create client-scopes \
-r "$REALM" \
-f - <<EOF || echo "whatever"
{
"name": "id",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"name": "id",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"user.attribute": "id",
"id.token.claim": "true",
"access.token.claim": "true",
"jsonType.label": "String",
"userinfo.token.claim": "true"
}
}
]
}
EOF
client-create hedgedoc "$HEDGEDOC_HOSTNAME.$DOMAIN_NAME" "$HEDGEDOC_CLIENT_SECRET" <<EOF
,"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"id",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
EOF

8
nginx/nginx/templates/docs.conf.template → hedgedoc/nginx.conf
Unescape View File

@ -4,7 +4,7 @@ map $http_upgrade $connection_upgrade {
}
server {
server_name ${HEDGEDOC_HOSTNAME};
server_name ${HEDGEDOC_HOSTNAME} ${HEDGEDOC_HOSTNAME}.${DOMAIN_NAME};
client_max_body_size 128m;
sendfile on;
@ -28,7 +28,7 @@ server {
chunked_transfer_encoding on;
location / {
proxy_pass http://host.docker.internal:3000;
proxy_pass http://hedgedoc:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -38,7 +38,7 @@ server {
# allow the fonts to be used by anything
location ~* \.(eot|otf|ttf|woff|woff2)$ {
add_header Access-Control-Allow-Origin *;
proxy_pass http://host.docker.internal:3000;
proxy_pass http://hedgedoc:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -47,7 +47,7 @@ server {
# websocket traffic with extra headers for upgrading the connection
location /socket.io/ {
proxy_pass http://host.docker.internal:3000;
proxy_pass http://hedgedoc:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

69
hedgedoc/setup
Unescape View File

@ -1,69 +0,0 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production || die "no top levle env?"
source env.production || die "no local env?"
DATA="../data/hedgedoc"
SECRETS="$DATA/env.secrets"
if [ -r "$SECRETS" ]; then
docker-compose up -d || die "hedgedoc: unable to start"
exit 0
fi
docker-compose down 2>/dev/null
# regenerate the client secrets
CLIENT_SECRET="$(openssl rand -hex 20)"
SESSION_SECRET="$(openssl rand -hex 20)"
mkdir -p "$DATA/uploads"
chmod 666 "$DATA/uploads"
cat <<EOF > "$SECRETS"
# DO NOT CHECK IN
CMD_OAUTH2_CLIENT_SECRET=$CLIENT_SECRET
CMD_SESSION_SECRET=$SESSION_SECRET
CMD_DOMAIN=${HEDGEDOC_HOSTNAME}
CMD_OAUTH2_AUTHORIZATION_URL=https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/protocol/openid-connect/auth
CMD_OAUTH2_TOKEN_URL=https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/protocol/openid-connect/token
CMD_OAUTH2_USER_PROFILE_URL=https://${KEYCLOAK_HOSTNAME}/realms/${REALM}/protocol/openid-connect/userinfo
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
CMD_OAUTH2_CLIENT_ID=hedgedoc
CMD_OAUTH2_PROVIDERNAME=Keycloak
EOF
../keycloak/client-delete hedgedoc
../keycloak/client-create <<EOF || die "unable to create hedgedoc client"
{
"clientId": "hedgedoc",
"rootUrl": "https://$HEDGEDOC_HOSTNAME",
"adminUrl": "https://$HEDGEDOC_HOSTNAME",
"redirectUris": [ "https://$HEDGEDOC_HOSTNAME/*" ],
"webOrigins": [ "https://$HEDGEDOC_HOSTNAME" ],
"clientAuthenticatorType": "client-secret",
"secret": "$CLIENT_SECRET",
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"id",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
]
}
EOF
docker-compose up -d || die "hedgedoc: unable to start container"

63
keycloak.yaml
Unescape View File

@ -0,0 +1,63 @@
version: '3.9'
services:
keycloak-db:
image: mysql:5.7
restart: always
container_name: keycloak-db
volumes:
- ./data/keycloak/database:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: keycloak
MYSQL_USER: keycloak
MYSQL_PASSWORD: password
keycloak:
image: quay.io/keycloak/keycloak:18.0.0
restart: always
container_name: keycloak
entrypoint: /opt/keycloak/bin/kc.sh start --hostname="$${KEYCLOAK_HOSTNAME}.$${DOMAIN_NAME}" --proxy=edge
# healthcheck:
# test: ["CMD", "curl", "-f", "http://localhost:8080"]
# interval: 30s
# timeout: 10s
# retries: 3
user: "0:0" # otherwise the persistent data directory is not writable
env_file:
- env.production
- data/keycloak/secrets
environment:
DB_VENDOR: MYSQL
DB_ADDR: keycloak-db
DB_DATABASE: keycloak
DB_USER: keycloak
DB_PASSWORD: password
KEYCLOAK_ADMIN: admin
KEYCLOAK_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
PROXY_ADDRESS_FORWARDING: 'true'
# KEYCLOAK_ADMIN_PASSWORD is set in env.secrets
volumes:
- ./data/keycloak/certs:/etc/x509/https
- ./data/keycloak/keycloak:/opt/keycloak/data
depends_on:
- keycloak-db
keycloak-setup:
image: quay.io/keycloak/keycloak:18.0.0
profiles:
- setup
depends_on:
- keycloak
restart: never
env_file:
- env.production
- data/keycloak/secrets
entrypoint: /keycloak-setup.sh
volumes:
- ./keycloak/setup:/keycloak-setup.sh:ro
- ./keycloak/client-create:/bin/client-create:ro
# add the keycloak nginx configuration into the nginx volume
nginx:
volumes:
- ./keycloak/nginx.conf:/etc/nginx/templates/keycloak.conf.template:ro

5
keycloak/README.md
Unescape View File

@ -1,7 +1,6 @@
# Keycloak
Keycloak is the single-sign-on user authentication provider.
You must set the `KEYCLOAK_ADMIN_PASSWORD` in the `env.secrets` file.
This is the most important secret: it allows user accounts to be created
for all the other services.
In order to login to create the first account, use `admin` and
the password stored in `data/keycloak/secrets`

44
keycloak/client-create
Unescape View File

@ -1,20 +1,34 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
client_name="$1"
hostname="$2"
secret="$3"
source ../env.production || die "no top levle env?"
source env.production || die "no local env?"
source "../data/keycloak/env.secrets" || die "no local secrets?"
client_id="$(kcadm.sh get clients \
-r "$REALM" \
--fields id \
-q clientId="$client_name" \
--format csv \
--noquotes \
)"
docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create clients \
--server http://localhost:8080/ \
--user admin \
--realm master \
--password "$KEYCLOAK_ADMIN_PASSWORD" \
-r "$REALM" \
-f - \
|| die "create client failed"
if [ -n "$client_id" ]; then
kcadm.sh delete "clients/$client_id" -r "$REALM" || die "$client_id: unable to delete"
fi
# remember to add a leading , if adding extra data
extra="$(cat -)"
kcadm.sh create clients -r "$REALM" -f - <<EOF || die "$client_id: unable to create"
{
"clientId": "$client_name",
"rootUrl": "https://$hostname",
"adminUrl": "https://$hostname",
"redirectUris": [ "https://$hostname/*" ],
"webOrigins": [ "https://$hostname" ],
"clientAuthenticatorType": "client-secret",
"secret": "$secret"
$extra
}
EOF

40
keycloak/client-delete
Unescape View File

@ -1,40 +0,0 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production || die "no top levle env?"
source env.production || die "no local env?"
source "../data/keycloak/env.secrets" || die "no local secrets?"
# try to get the clients by name
CLIENT_NAME="$1"
if [ -z "$CLIENT_NAME" ]; then
die "usage: $0 clientName"
fi
CLIENT_ID="$(docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
get clients \
--server http://localhost:8080/ \
--user admin \
--password "$KEYCLOAK_ADMIN_PASSWORD" \
--realm master \
-r "$REALM" \
| jq -r ".[] | select( .clientId == \"$CLIENT_NAME\" ).id")"
if [ -z "$CLIENT_ID" ]; then
die "$CLIENT_NAME: no such client"
fi
echo "$0: $CLIENT_NAME = $CLIENT_ID"
docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
delete "clients/$CLIENT_ID" \
--server http://localhost:8080/ \
--user admin \
--realm master \
--password "$KEYCLOAK_ADMIN_PASSWORD" \
-r "$REALM" \
|| die "$CLIENT_NAME($CLIENT_ID): unable to remove"

43
keycloak/docker-compose.yaml
Unescape View File

@ -1,43 +0,0 @@
version: '3'
volumes:
mysql_data:
driver: local
services:
mysql:
image: mysql:5.7
restart: always
volumes:
- ../data/keycloak/database:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: keycloak
MYSQL_USER: keycloak
MYSQL_PASSWORD: password
keycloak:
image: quay.io/keycloak/keycloak:18.0.0
restart: always
entrypoint: /opt/keycloak/bin/kc.sh start --hostname="$${KEYCLOAK_HOSTNAME}" --proxy=edge
user: "0:0" # otherwise the persistent data directory is not writable
env_file:
- ../env.production
- env.production
- ../data/keycloak/env.secrets
environment:
DB_VENDOR: MYSQL
DB_ADDR: mysql
DB_DATABASE: keycloak
DB_USER: keycloak
DB_PASSWORD: password
KEYCLOAK_ADMIN: admin
# KEYCLOAK_ADMIN_PASSWORD should be set in env.secrets
PROXY_ADDRESS_FORWARDING: 'true'
volumes:
- ../data/keycloak/certs:/etc/x509/https
- ../data/keycloak/keycloak:/opt/keycloak/data
ports:
- 8080:8080
depends_on:
- mysql

0
keycloak/env.production
Unescape View File

4
nginx/nginx/templates/login.conf.template → keycloak/nginx.conf
Unescape View File

@ -1,9 +1,9 @@
server {
server_name login.${DOMAIN_NAME};
server_name ${KEYCLOAK_HOSTNAME} ${KEYCLOAK_HOSTNAME}.${DOMAIN_NAME};
client_max_body_size 128m;
location / {
proxy_pass http://host.docker.internal:8080;
proxy_pass http://keycloak:8080;
proxy_pass_header Set-Cookie;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;

119
keycloak/setup
Unescape View File

@ -1,119 +0,0 @@
#!/bin/bash
die() { echo >&2 "keycloak: ERROR: $@" ; exit 1 ; }
info() { echo >&2 "keycloak: $@" ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production
source ./env.production
source "../env.smtp" 2>/dev/null
SECRETS="../data/keycloak/env.secrets"
if [ -r "$SECRETS" ]; then
docker-compose up -d || die "keycloak: unable to start container"
exit 0
fi
docker-compose down 2>/dev/null
KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 8)"
echo "Keycloak admin password $KEYCLOAK_ADMIN_PASSWORD"
mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# DO NOT CHECK IN
KEYCLOAK_ADMIN_PASSWORD=$KEYCLOAK_ADMIN_PASSWORD
EOF
docker-compose up -d || die "unable to start keycloak"
echo "sleeping a minute while keycloak initializes..."
sleep 30
info "logging into server"
docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
config credentials \
--server http://localhost:8080/ \
--user admin \
--password "$KEYCLOAK_ADMIN_PASSWORD" \
--realm master \
|| die "unable to login"
info "Create a new realm for '$REALM'"
docker-compose exec keycloak \
/opt/keycloak/bin/kcadm.sh \
create realms \
-s "realm=$REALM" \
-s enabled=true \
|| die "unable to create realm"
# https://github.com/hedgedoc/hedgedoc/issues/56
info "Fix up a id bug"
docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create client-scopes \
-r "$REALM" \
-f - <<EOF || die "unable to create mapping"
{
"name": "id",
"protocol": "openid-connect",
"attributes": {
"include.in.token.scope": "true",
"display.on.consent.screen": "true"
},
"protocolMappers": [
{
"name": "id",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-property-mapper",
"consentRequired": false,
"config": {
"user.attribute": "id",
"id.token.claim": "true",
"access.token.claim": "true",
"jsonType.label": "String",
"userinfo.token.claim": "true"
}
}
]
}
EOF
if [ -n "$SMTP_SERVER" ]; then
info "configuring email"
docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh update "realms/$REALM" \
-f - <<EOF || die "unable to configure email"
{
"resetPasswordAllowed": "true",
"smtpServer" : {
"auth" : "true",
"starttls" : "true",
"user" : "$SMTP_USER",
"password" : "$SMTP_PASSWORD",
"port" : "$SMTP_PORT",
"host" : "$SMTP_SERVER",
"from" : "keycloak@$DOMAIN_NAME",
"fromDisplayName" : "Keycloak @ $DOMAIN_NAME",
"ssl" : "false"
}
}
EOF
fi
info "Create an admin user in realm"
docker-compose exec -T keycloak \
/opt/keycloak/bin/kcadm.sh \
create users \
-o \
--fields id,username \
-r "$REALM" \
-s username=admin \
-s enabled=true \
-s 'credentials=[{"type":"'$KEYCLOAK_ADMIN_PASSWORD'","value":"admin","temporary":false}]' \
|| die "$REALM: unable to create admin user"

198
mastodon.yaml
Unescape View File

@ -0,0 +1,198 @@
version: '3'
services:
mastodon-db:
image: postgres:13.4-alpine
restart: always
container_name: mastodon-db
#shm_size: 256mb
# networks:
# - internal_network
healthcheck:
test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"]
volumes:
- ./data/mastodon/database:/var/lib/postgresql/data
environment:
- POSTGRES_USER=mastodon
- POSTGRES_PASSWORD=mastodon
#- POSTGRES_DB=mastodon_production
env_file:
- mastodon/env.production
mastodon-redis:
image: redis:6-alpine
restart: always
container_name: mastodon-redis
# networks:
# - internal_network
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
env_file:
- mastodon/env.production
volumes:
- ./data/mastodon/redis:/data
mastodon-es:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
restart: always
container_name: mastodon-es
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- "cluster.name=es-mastodon"
- "discovery.type=single-node"
- "bootstrap.memory_lock=true"
env_file:
- mastodon/env.production
# networks:
# - internal_network
healthcheck:
test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
volumes:
- ./data/mastodon/elasticsearch:/usr/share/elasticsearch/data
# fixup the permissions on the data directory since they are created as root on host
entrypoint: ["/bin/sh", "-c", "chown -R elasticsearch:elasticsearch data && exec /usr/local/bin/docker-entrypoint.sh eswrapper"]
ulimits:
memlock:
soft: -1
hard: -1
mastodon:
image: tootsuite/mastodon
container_name: mastodon
restart: always
#command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
user: "0:0"
command: ["/entrypoint.sh"]
# networks:
# - external_network
# - internal_network
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:6001/health || exit 1']
# ports:
#- '6001:6001'
depends_on:
- mastodon-db
- mastodon-redis
- mastodon-es
volumes:
- ./data/mastodon/system:/mastodon/public/system
- ./mastodon/entrypoint.sh:/entrypoint.sh:ro
env_file:
- mastodon/env.production
environment:
- WEB_DOMAIN=$MASTODON_HOSTNAME.$DOMAIN_NAME
- LOCAL_DOMAIN=$DOMAIN_NAME
- OIDC_DISPLAY_NAME=$REALM
- OIDC_ISSUER=https://$KEYCLOAK_HOSTNAME.$DOMAIN_NAME/realms/$REALM
- OIDC_REDIRECT_URI=https://$MASTODON_HOSTNAME.$DOMAIN_NAME/auth/auth/openid_connect/callback
- OIDC_CLIENT_SECRET=${MASTODON_CLIENT_SECRET}
- SECRET_KEY_BASE=${MASTODON_ADMIN_PASSWORD}
- OTP_SECRET=${MASTODON_SESSION_SECRET}
- SMTP_SERVER=$SMTP_SERVER
- SMTP_PORT=$SMTP_PORT
- SMTP_LOGIN=$SMTP_USER
- SMTP_PASSWORD=$SMTP_PASSWORD
- SMTP_FROM_ADDRESS=mastodon@$DOMAIN_NAME
mastodon-streaming:
image: tootsuite/mastodon
restart: always
container_name: mastodon-streaming
environment:
- WEB_DOMAIN=$MASTODON_HOSTNAME.$DOMAIN_NAME
- LOCAL_DOMAIN=$DOMAIN_NAME
- OIDC_DISPLAY_NAME=$REALM
- OIDC_ISSUER=https://$KEYCLOAK_HOSTNAME.$DOMAIN_NAME/realms/$REALM
- OIDC_REDIRECT_URI=https://$MASTODON_HOSTNAME.$DOMAIN_NAME/auth/auth/openid_connect/callback
- OIDC_CLIENT_SECRET=${MASTODON_CLIENT_SECRET}
- SECRET_KEY_BASE=${MASTODON_ADMIN_PASSWORD}
- OTP_SECRET=${MASTODON_SESSION_SECRET}
- SMTP_SERVER=$SMTP_SERVER
- SMTP_PORT=$SMTP_PORT
- SMTP_LOGIN=$SMTP_USER
- SMTP_PASSWORD=$SMTP_PASSWORD
- SMTP_FROM_ADDRESS=mastodon@$DOMAIN_NAME
env_file:
- mastodon/env.production
command: node ./streaming
# networks:
# - external_network
# - internal_network
volumes:
- ./data/mastodon/system:/mastodon/public/system
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
depends_on:
- mastodon-db
- mastodon-redis
mastodon-sidekiq:
image: tootsuite/mastodon
restart: always
container_name: mastodon-sidekiq
env_file:
- mastodon/env.production
environment:
- WEB_DOMAIN=$MASTODON_HOSTNAME.$DOMAIN_NAME
- LOCAL_DOMAIN=$DOMAIN_NAME
- OIDC_DISPLAY_NAME=$REALM
- OIDC_ISSUER=https://$KEYCLOAK_HOSTNAME.$DOMAIN_NAME/realms/$REALM
- OIDC_REDIRECT_URI=https://$MASTODON_HOSTNAME.$DOMAIN_NAME/auth/auth/openid_connect/callback
- OIDC_CLIENT_SECRET=${MASTODON_CLIENT_SECRET}
- SECRET_KEY_BASE=${MASTODON_ADMIN_PASSWORD}
- OTP_SECRET=${MASTODON_SESSION_SECRET}
- SMTP_SERVER=$SMTP_SERVER
- SMTP_PORT=$SMTP_PORT
- SMTP_LOGIN=$SMTP_USER
- SMTP_PASSWORD=$SMTP_PASSWORD
- SMTP_FROM_ADDRESS=mastodon@$DOMAIN_NAME
command: bundle exec sidekiq
depends_on:
- mastodon-db
- mastodon-redis
# networks:
# - external_network
# - internal_network
volumes:
- ./data/mastodon/system:/mastodon/public/system
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
## Uncomment to enable federation with tor instances along with adding the following ENV variables
## http_proxy=http://privoxy:8118
## ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
# tor:
# image: sirboops/tor
# networks:
# - external_network
# - internal_network
#
# privoxy:
# image: sirboops/privoxy
# volumes:
# - ./priv-config:/opt/config
# networks:
# - external_network
# - internal_network
# add the subdomain nginx configuration into the nginx volume
# as well as the cache directory so that nginx can send files directly from it
nginx:
volumes:
- ./mastodon/nginx.conf:/etc/nginx/templates/mastodon.conf.template:ro
- ./data/mastodon/system/cache:/mastodon/system/cache:ro
- ./data/mastodon/system/media_attachments:/mastodon/system/media_attachments:ro
- ./data/mastodon/system/accounts:/mastodon/system/accounts:ro
# add the subdomain client secrets to the keycloak-setup volume
keycloak-setup:
env_file:
- data/mastodon/secrets
volumes:
- ./mastodon/keycloak.sh:/keycloak-setup/mastodon.sh:ro
#networks:
# external_network:
# internal_network:
# internal: true

3
mastodon/README.md
Unescape View File

@ -1,4 +1,5 @@
# Mastodon
This is the vanilla version with Elastic Search and Single-Sign-On enabled.
No other user accounts are allowed to join.
No other user accounts are allowed to join - you must use the Keycloak
server to create accounts and login.

131
mastodon/docker-compose.yaml
Unescape View File

@ -1,131 +0,0 @@
version: '3'
services:
database:
image: postgres:13.4-alpine
restart: always
#shm_size: 256mb
networks:
- internal_network
healthcheck:
test: ['CMD', 'pg_isready', '-U', "mastodon", "-d", "mastodon_production"]
volumes:
- ../data/mastodon/database:/var/lib/postgresql/data
environment:
- POSTGRES_USER=mastodon
- POSTGRES_PASSWORD=mastodon
#- POSTGRES_DB=mastodon_production
redis:
image: redis:6-alpine
restart: always
networks:
- internal_network
healthcheck:
test: ['CMD', 'redis-cli', 'ping']
volumes:
- ../data/mastodon/redis:/data
es:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
restart: always
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- "cluster.name=es-mastodon"
- "discovery.type=single-node"
- "bootstrap.memory_lock=true"
networks:
- internal_network
healthcheck:
test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
volumes:
- ../data/mastodon/elasticsearch:/usr/share/elasticsearch/data
# fixup the permissions on the data directory since they are created as root on host
entrypoint: /bin/sh -c "chown -R elasticsearch:elasticsearch data && /usr/local/bin/docker-entrypoint.sh eswrapper"
ulimits:
memlock:
soft: -1
hard: -1
mastodon:
image: tootsuite/mastodon
restart: always
env_file:
- ../env.production
- env.production
- ../data/mastodon/env.secrets
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 6001"
networks:
- external_network
- internal_network
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:6001/health || exit 1']
ports:
- '6001:6001'
depends_on:
- database
- redis
- es
volumes:
- ../data/mastodon/system:/mastodon/public/system
streaming:
image: tootsuite/mastodon
restart: always
env_file:
- ../env.production
- env.production
- ../data/mastodon/env.secrets
command: node ./streaming
networks:
- external_network
- internal_network
healthcheck:
# prettier-ignore
test: ['CMD-SHELL', 'wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1']
ports:
- '4000:4000'
depends_on:
- database
- redis
sidekiq:
image: tootsuite/mastodon
restart: always
env_file:
- ../env.production
- env.production
- ../data/mastodon/env.secrets
command: bundle exec sidekiq
depends_on:
- database
- redis
networks:
- external_network
- internal_network
volumes:
- ../data/mastodon/system:/mastodon/public/system
healthcheck:
test: ['CMD-SHELL', "ps aux | grep '[s]idekiq\ 6' || false"]
## Uncomment to enable federation with tor instances along with adding the following ENV variables
## http_proxy=http://privoxy:8118
## ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
# tor:
# image: sirboops/tor
# networks:
# - external_network
# - internal_network
#
# privoxy:
# image: sirboops/privoxy
# volumes:
# - ./priv-config:/opt/config
# networks:
# - external_network
# - internal_network
networks:
external_network:
internal_network:
internal: true

38
mastodon/entrypoint.sh
Unescape View File

@ -0,0 +1,38 @@
#!/bin/bash -x
id
export
pwd
rm -f /mastodon/tmp/pids/server.pid
export MASTODON_DIR=/mastodon/public/system
export VAPID_KEY="$MASTODON_DIR/vapid_key"
export DB_SETUP="$MASTODON_DIR/db_done"
which rails
chown -R mastodon:mastodon "$MASTODON_DIR"
#exec su mastodon /bin/bash - <<EOF
exec su mastodon <<EOF
export PATH="$PATH:/opt/ruby/bin:/opt/node/bin:/opt/mastodon/bin"
if [ ! -r "$VAPID_KEY" ]; then
rails mastodon:webpush:generate_vapid_key > "$VAPID_KEY" \
|| exit 1
fi
. "$VAPID_KEY"
if [ ! -r "$DB_SETUP" ]; then
rails db:setup \
|| exit 1
touch "$DB_SETUP"
fi
exec bundle exec rails s -p 6001
EOF

9
mastodon/env.production
Unescape View File

@ -19,12 +19,12 @@
# Redis
# -----
REDIS_HOST=redis
REDIS_HOST=mastodon-redis
REDIS_PORT=6379
# PostgreSQL
# ----------
DB_HOST=database
DB_HOST=mastodon-db
DB_USER=mastodon
DB_NAME=mastodon_production
DB_PASS=mastodon
@ -33,7 +33,7 @@ DB_PORT=5432
# Elasticsearch (optional)
# ------------------------
ES_ENABLED=true
ES_HOST=es
ES_HOST=mastodon-es
ES_PORT=9200
# Authentication for ES (optional)
ES_USER=elastic
@ -67,6 +67,9 @@ ES_PASS=password
#AWS_SECRET_ACCESS_KEY=
#S3_ALIAS_HOST=files.example.com
# Do not use sendfile since this is fronted by nginx
RAILS_SERVE_STATIC_FILES=false
# do not allow normal logins
OMNIAUTH_ONLY=true

3
mastodon/keycloak.sh
Unescape View File

@ -0,0 +1,3 @@
#!/bin/bash -x
client-create mastodon "$MASTODON_HOSTNAME.$DOMAIN_NAME" "$MASTODON_CLIENT_SECRET" </dev/null

154
mastodon/nginx.conf
Unescape View File

@ -0,0 +1,154 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream mastodon-backend {
server mastodon:6001 fail_timeout=0;
}
upstream mastodon-streaming {
server mastodon-streaming:4000 fail_timeout=0;
}
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
server {
listen 443 ssl http2;
server_name ${MASTODON_HOSTNAME} ${MASTODON_HOSTNAME}.${DOMAIN_NAME};
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
include /etc/nginx/includes/challenge.conf;
# Uncomment these lines once you acquire a certificate:
# ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
keepalive_timeout 70;
sendfile on;
client_max_body_size 80m;
root /mastodon;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
location / {
try_files $uri @proxy;
}
# If Docker is used for deployment and Rails serves static files,
# then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
location = /sw.js {
add_header Cache-Control "public, max-age=604800, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
#try_files $uri =404;
try_files $uri @proxy;
}
location ~ ^/assets/ {
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
try_files $uri @proxy;
}
location ~ ^/avatars/ {
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
try_files $uri @proxy;
}
location ~ ^/emoji/ {
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
try_files $uri @proxy;
}
location ~ ^/headers/ {
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
try_files $uri @proxy;
}
location ~ ^/packs/ {
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
try_files $uri @proxy;
}
location ~ ^/shortcuts/ {
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
try_files $uri @proxy;
}
location ~ ^/sounds/ {
add_header Cache-Control "public, max-age=2419200, must-revalidate";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
try_files $uri @proxy;
}
location ~ ^/system/ {
add_header Cache-Control "public, max-age=2419200, immutable";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
try_files $uri @proxy;
}
location ^~ /api/v1/streaming {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Proxy "";
proxy_pass http://mastodon-streaming;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
tcp_nodelay on;
}
location @proxy {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_pass http://mastodon-backend;
proxy_buffering on;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_cache CACHE;
proxy_cache_valid 200 7d;
proxy_cache_valid 410 24h;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
add_header X-Cached $upstream_cache_status;
tcp_nodelay on;
}
error_page 404 500 501 502 503 504 /500.html;
}

78
mastodon/setup
Unescape View File

@ -1,78 +0,0 @@
#!/bin/bash
die() { echo >&2 "ERROR: $@" ; exit 1 ; }
info() { echo >&2 "$@" ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production
source ./env.production
source "../env.smtp" 2>/dev/null
mkdir -p ../data/mastodon/system
chmod 777 ../data/mastodon/system
SECRETS="../data/mastodon/env.secrets"
if [ -r "$SECRETS" ]; then
docker-compose up -d || die "unable to restart mastodon"
exit 0
fi
# have to bring it all down before we touch the files
docker-compose down
OIDC_CLIENT_SECRET="$(openssl rand -hex 32)"
# create the secrets file,
# along with some parameters that should be in the environment
mkdir -p "$(dirname "$SECRETS")"
cat <<EOF > "$SECRETS"
# DO NOT CHECK IN
WEB_DOMAIN=$MASTODON_HOSTNAME
LOCAL_DOMAIN=$DOMAIN_NAME
OIDC_DISPLAY_NAME=$REALM
OIDC_ISSUER=https://$KEYCLOAK_HOSTNAME/realms/$REALM
OIDC_REDIRECT_URI=https://$MASTODON_HOSTNAME/auth/auth/openid_connect/callback
OIDC_CLIENT_SECRET=$OIDC_CLIENT_SECRET
SECRET_KEY_BASE=$(openssl rand -hex 32)
OTP_SECRET=$(openssl rand -hex 32)
EOF
if [ -n "$SMTP_SERVER" ]; then
cat <<EOF >> "$SECRETS"
SMTP_SERVER=$SMTP_SERVER
SMTP_PORT=$SMTP_PORT
SMTP_LOGIN=$SMTP_USER
SMTP_PASSWORD=$SMTP_PASSWORD
SMTP_FROM_ADDRESS=mastodon@$DOMAIN_NAME
EOF
fi
info "mastodon: creating push keys"
docker-compose run --rm mastodon \
rails mastodon:webpush:generate_vapid_key \
>> "$SECRETS" \
|| die "unable to generate vapid key"
info "mastodon: setting up database"
docker-compose run --rm mastodon \
rails db:setup \
|| die "unable to login"
source "$SECRETS"
info "mastodon: creating keycloak interface"
../keycloak/client-delete mastodon
../keycloak/client-create <<EOF || die "Unable to create keycloak client"
{
"clientId": "mastodon",
"rootUrl": "https://$MASTODON_HOSTNAME/",
"adminUrl": "https://$MASTODON_HOSTNAME/",
"redirectUris": [ "https://$MASTODON_HOSTNAME/*" ],
"webOrigins": [ "https://$MASTODON_HOSTNAME" ],
"clientAuthenticatorType": "client-secret",
"secret": "$OIDC_CLIENT_SECRET"
}
EOF
docker-compose up -d || die "mastodon: unable to start container"

30
nginx.yaml
Unescape View File

@ -0,0 +1,30 @@
version: '3.9'
services:
nginx:
# image: nginx:1.21-alpine
build:
context: nginx
dockerfile: Dockerfile
restart: always
#entrypoint: /bin/sh
container_name: nginx
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx/etc/includes:/etc/nginx/includes:ro
- ./nginx/etc/nginx.conf:/etc/nginx/nginx.conf:ro
- ./nginx/default.conf:/etc/nginx/templates/default.conf.template:ro
- ./html:/var/www/html:ro
- ./data/nginx/certbot/www:/var/www/certbot:ro
- ./data/nginx/certbot/conf:/etc/letsencrypt:rw
- /home:/home:ro
env_file:
- env.production
certbot:
image: certbot/certbot
container_name: certbot
volumes:
- ./data/nginx/certbot/conf:/etc/letsencrypt
- ./data/nginx/certbot/www:/var/www/certbot

30
nginx/Dockerfile
Unescape View File

@ -0,0 +1,30 @@
FROM alpine
RUN apk update
RUN echo "building" \
&& apk add \
nginx \
collectd \
collectd-nginx \
nginx-mod-http-vts \
gettext \
curl \
openssl \
&& mkdir -p \
/etc/nginx/modules-enabled \
/etc/nginx/conf.d \
/docker-entrypoint.d \
&& ln -sf /etc/nginx/modules/10_http_vts.conf /etc/nginx/modules-enabled \
# forward request and error logs to docker log collector
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
&& echo "Done"
COPY ["docker-entrypoint.d/*", "/docker-entrypoint.d/" ]
COPY ["docker-entrypoint.sh", "/" ]
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 80
STOPSIGNAL SIGQUIT
CMD ["nginx", "-g", "daemon off;"]

34
nginx/certbot-renew
Unescape View File

@ -1,34 +0,0 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production
source ./env.production
domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$GRAFANA_HOSTNAME,$MATRIX_HOSTNAME,$GITEA_HOSTNAME,$MOBILIZON_HOSTNAME,$PIXELFED_HOSTNAME"
rsa_key_size=2048
set -x
# move the temp live directory away if
# this is the first time we've run anything here
if [ ! -d "../data/certbot/conf/accounts" ]; then
echo "deleting temp keys"
rm -rf ../data/certbot/conf/live
fi
docker-compose run --rm certbot \
certonly \
--webroot \
--webroot-path /var/www/certbot \
--email "admin@$DOMAIN_NAME" \
--rsa-key-size "$rsa_key_size" \
--agree-tos \
--no-eff-email \
--force-renewal \
$domain_args \
|| die "unable to renew!"
docker-compose exec nginx nginx -s reload

41
nginx/nginx/templates/000-default.conf.template → nginx/default.conf
Unescape View File

@ -1,6 +1,30 @@
# Redirect *all* port 80 traffic to the same thing on port 443
vhost_traffic_status_zone;
server {
listen 80 default_server;
# this works on the docker container with http_stub built in
# only allow from localhost
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
# this works with the vts module
location /status {
vhost_traffic_status_display;
vhost_traffic_status_display_format html;
access_log off;
#allow 127.0.0.1;
#deny all;
}
# forward certbot challenges to the certbot directory
include /etc/nginx/includes/challenge.conf;
# Redirect *all other* port 80 traffic to the same thing on port 443
location / {
return 301 https://$host$request_uri;
}
@ -27,13 +51,16 @@ server {
chunked_transfer_encoding on;
# delegated Matrix server
location /.well-known/matrix {
proxy_pass https://${MATRIX_HOSTNAME};
}
# location /.well-known/matrix {
# proxy_pass https://${MATRIX_HOSTNAME}.${DOMAIN_NAME};
# }
# separate Mastodon WEB_DOMAIN and LOCAL_DOMAIN
location = /.well-known/host-meta {
return 302 https://${MASTODON_HOSTNAME}$request_uri;
return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
}
location = /.well-known/webfinger {
return 302 https://${MASTODON_HOSTNAME}.${DOMAIN_NAME}$request_uri;
}
# tilde club home directories
@ -66,7 +93,7 @@ server {
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.${DOMAIN_NAME}; frame-src 'self' *.${DOMAIN_NAME}; object-src 'self'; base-uri 'self' *.${DOMAIN_NAME}";
proxy_pass http://host.docker.internal:3000/s$request_uri;
proxy_pass http://hedgedoc:3000/s$request_uri;
proxy_cache_valid any 1m;
}
@ -77,7 +104,7 @@ server {
proxy_ignore_headers Cache-Control;
proxy_cache_valid any 1m;
proxy_pass http://host.docker.internal:3000$request_uri;
proxy_pass http://hedgedoc:3000$request_uri;
}
listen 443 ssl default_server;

28
nginx/docker-compose.yaml
Unescape View File

@ -1,28 +0,0 @@
version: '3'
services:
nginx:
image: nginx:1.21-alpine
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- ./nginx/templates:/etc/nginx/templates:ro
- ./nginx/includes:/etc/nginx/includes:ro
- ../html:/var/www/html:ro
- ../data/certbot/www:/var/www/certbot:ro
- ../data/certbot/conf:/etc/letsencrypt:ro
- ../data/nginx/cache:/data/nginx/cache:rw
- /home:/home:ro
env_file:
- ../env.production
- env.production
extra_hosts:
- "host.docker.internal:host-gateway"
certbot:
image: certbot/certbot
volumes:
- ../data/certbot/conf:/etc/letsencrypt
- ../data/certbot/www:/var/www/certbot

12
nginx/docker-entrypoint.d/01-collectd.sh
Unescape View File

@ -0,0 +1,12 @@
#!/bin/sh -x
touch /started
#cat >> /etc/collectd/collectd.conf <<EOF
cat /etc/collectd/collectd.conf - > /tmp/conf <<EOF
LoadPlugin nginx
<Plugin "nginx">
URL "http://localhost:80/nginx_status"
</Plugin>
EOF
#collectd

31
nginx/docker-entrypoint.d/10-createkey.sh
Unescape View File

@ -0,0 +1,31 @@
#!/bin/sh
mkdir -p /data/nginx/cache
if [ -z "$DOMAIN_NAME" ]; then
DOMAIN_NAME="example.com"
fi
certdir="/etc/letsencrypt/live/${DOMAIN_NAME}"
if [ -r "$certdir/fullchain.pem" ]; then
exit 0
fi
mkdir -p "$certdir"
echo >&2 "$certdir: Creating temporary keys"
openssl req \
-x509 \
-newkey rsa:2048 \
-keyout "$certdir/privkey.pem" \
-out "$certdir/fullchain.pem" \
-sha256 \
-nodes \
-days 365 \
-subj "/CN=$DOMAIN_NAME'" \
|| exit 1
echo >&2 "$certdir: Generated temporary keys -- certbot needs to request real ones"
exit 0

39
nginx/docker-entrypoint.d/20-envsubst-on-templates.sh
Unescape View File

@ -0,0 +1,39 @@
#!/bin/sh
set -e
ME=$(basename $0)
entrypoint_log() {
if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
echo "$@"
fi
}
auto_envsubst() {
local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
local filter="${NGINX_ENVSUBST_FILTER:-}"
local template defined_envs relative_path output_path subdir
defined_envs=$(printf '${%s} ' $(awk "END { for (name in ENVIRON) { print ( name ~ /${filter}/ ) ? name : \"\" } }" < /dev/null ))
[ -d "$template_dir" ] || return 0
if [ ! -w "$output_dir" ]; then
entrypoint_log "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
return 0
fi
find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
relative_path="${template#$template_dir/}"
output_path="$output_dir/${relative_path%$suffix}"
subdir=$(dirname "$relative_path")
# create a subdirectory where the template file exists
mkdir -p "$output_dir/$subdir"
entrypoint_log "$ME: Running envsubst on $template to $output_path"
envsubst "$defined_envs" < "$template" > "$output_path"
done
}
auto_envsubst
exit 0

47
nginx/docker-entrypoint.sh
Unescape View File

@ -0,0 +1,47 @@
#!/bin/sh
# vim:sw=4:ts=4:et
set -e
entrypoint_log() {
if [ -z "${NGINX_ENTRYPOINT_QUIET_LOGS:-}" ]; then
echo "$@"
fi
}
if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then
if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
entrypoint_log "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration"
entrypoint_log "$0: Looking for shell scripts in /docker-entrypoint.d/"
find "/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
case "$f" in
*.envsh)
if [ -x "$f" ]; then
entrypoint_log "$0: Sourcing $f";
. "$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*.sh)
if [ -x "$f" ]; then
entrypoint_log "$0: Launching $f";
"$f"
else
# warn on shell scripts without exec bit
entrypoint_log "$0: Ignoring $f, not executable";
fi
;;
*) entrypoint_log "$0: Ignoring $f";;
esac
done
entrypoint_log "$0: Configuration complete; ready for start up"
else
entrypoint_log "$0: No files found in /docker-entrypoint.d/, skipping configuration"
fi
fi
exec "$@"

0
nginx/env.production
Unescape View File

0
nginx/nginx/includes/challenge.conf → nginx/etc/includes/challenge.conf
Unescape View File

0
nginx/nginx/includes/options-ssl-nginx.conf → nginx/etc/includes/options-ssl-nginx.conf
Unescape View File

0
nginx/nginx/includes/ssl-dhparams.pem → nginx/etc/includes/ssl-dhparams.pem
Unescape View File

25
nginx/nginx/nginx.conf → nginx/etc/nginx.conf
Unescape View File

@ -70,26 +70,9 @@ http {
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
include /tmp/sites-enabled/*;
}
log_format main 'XXXX $http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $request_time';
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
}

30
nginx/nginx/templates/pixelfed.conf.template
Unescape View File

@ -1,30 +0,0 @@
server {
server_name ${PIXELFED_HOSTNAME};
client_max_body_size 128m;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
gzip on;
gzip_disable "msie6";
proxy_read_timeout 1800s;
location / {
proxy_pass http://host.docker.internal:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
}

41
nginx/nginx/templates/social.conf.template
Unescape View File

@ -1,41 +0,0 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
server_name social.${DOMAIN_NAME};
client_max_body_size 128m;
location / {
proxy_pass http://host.docker.internal:6001;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
}
location /api/v1/streaming {
proxy_pass http://host.docker.internal:4000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
tcp_nodelay on;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
include /etc/nginx/includes/options-ssl-nginx.conf;
include /etc/nginx/includes/challenge.conf;
ssl_dhparam /etc/nginx/includes/ssl-dhparams.pem;
}

39
nginx/setup
Unescape View File

@ -1,39 +0,0 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production || die "no top level env"
source env.production || die "no local env"
if [ -z "${DOMAIN_NAME}" ]; then
die "DOMAIN_NAME not set"
fi
certdir="../data/certbot/conf/live/${DOMAIN_NAME}"
if [ -r "$certdir/privkey.pem" ]; then
docker-compose up -d || die "nginx: unable to start"
exit 0
fi
mkdir -p "$certdir" || die "$certdir: unable to make"
openssl req \
-x509 \
-newkey rsa:2048 \
-keyout "$certdir/privkey.pem" \
-out "$certdir/fullchain.pem" \
-sha256 \
-nodes \
-days 365 \
-subj "/CN=${DOMAIN_NAME}'" \
|| die "$certdir/privkey.pem: unable to create temp key"
docker-compose up -d || die "unable to bring up nginx"
echo "SLEEPING..."
sleep 10
./certbot-renew || die "unable to create certs"

18
prometheus.yaml
Unescape View File

@ -0,0 +1,18 @@
version: '3'
services:
prometheus:
image: prom/prometheus
container_name: prometheus
volumes:
- ./data/prometheus/storage:/prometheus
- ./prometheus/prometheus.yaml:/etc/prometheus/prometheus.yml:ro
cadvisor:
image: gcr.io/cadvisor/cadvisor:latest
container_name: cadvisor
volumes:
- /:/rootfs:ro
- /var/run:/var/run:rw
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro

21
prometheus/prometheus.yaml
Unescape View File

@ -0,0 +1,21 @@
global:
scrape_interval: 15s
external_labels:
monitor: 'codelab-monitor'
scrape_configs:
# nginx vts data
- job_name: 'nginx'
scrape_interval: 5s
metrics_path: "/status/format/prometheus"
static_configs:
- targets: ['nginx:80']
- job_name: 'metrics'
scrape_interval: 5s
static_configs:
# grafana data from /metrics
- targets: ['dashboard:3000']
# host running the docker-compose
- targets: ['172.17.0.1:9100']
# cadvisor system
- targets: ['cadvisor:8080']

39
start-all
Unescape View File

@ -1,39 +0,0 @@
#!/bin/bash
die() { echo >&2 "$@" ; exit 1 ; }
which jq > /dev/null || die "jq not installed?"
which docker-compose > /dev/null || die "docker-compose not installed?"
source ./env.production || die "no production env?"
if [ -z "$DOMAIN_NAME" ]; then
die "\$DOMAIN_NAME not set; things will break"
fi
SERVICES=nginx # there is no host
SERVICES+=\ keycloak
SERVICES+=\ hedgedoc
SERVICES+=\ nextcloud
SERVICES+=\ mastodon
SERVICES+=\ grafana
SERVICES+=\ matrix
SERVICES+=\ gitea
SERVICES+=\ mobilizon
HOSTS+=\ $KEYCLOAK_HOST
HOSTS+=\ $HEDGEDOC_HOST
HOSTS+=\ $NEXTCLOUD_HOST
HOSTS+=\ $MASTODON_HOST
HOSTS+=\ $GRAFANA_HOST
HOSTS+=\ $MATRIX_HOST
HOSTS+=\ $GITEA_HOST
HOSTS+=\ $MOBILIZON_HOST
for host in $HOSTS ; do
host $host > /dev/null || die "$host: DNS entry not present?"
done
for service in $SERVICES ; do
echo "$service: starting"
./$service/setup || die "$server: failed to start"
done

7
stop-all
Unescape View File

@ -1,7 +0,0 @@
#!/bin/bash
for file in */docker-compose.yaml ; do
dir="$(dirname "$file")"
echo "$dir"
( cd "$dir" ; docker-compose down )
done
Write Preview
Loading…
Cancel
Save