Initial zulip config

bookstack
micro 4 days ago
parent 6d2e0b514b
commit f30f251322

@ -8,5 +8,7 @@ NEXTCLOUD_HOSTNAME=cloud.woodbine.nyc
GITEA_HOSTNAME=git.woodbine.nyc
MATRIX_HOSTNAME=chat.woodbine.nyc
MOBILIZON_HOSTNAME=events.woodbine.nyc
LIBIB_HOSTNAME=library.woodbine.nyc
#LIBIB_HOSTNAME=library.woodbine.nyc
BOOKSTACK_HOSTNAME=wiki.woodbine.nyc
#MANYFOLD_HOSTNAME=things.woodbine.nyc
ZULIP_HOSTNAME=library.woodbine.nyc
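Review bot: `ZULIP_HOSTNAME=library.woodbine.nyc` on the last line reuses the exact value `LIBIB_HOSTNAME` had before it was commented out in this same hunk, so the old libib redirect host and the new Zulip vhost now name the same record. If this is a placeholder until a real name is chosen, a comment such as `# TODO: pick final Zulip hostname; library.woodbine.nyc was the libib redirect` would keep it from being deployed as-is. If it is intentional, note that any nginx block still referencing `${LIBIB_HOSTNAME}` will now expand to an empty server_name once that variable is unset.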

@ -7,7 +7,7 @@ cd "$DIRNAME"
source ../env.production
source ./env.production
domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$MATRIX_HOSTNAME,$GITEA_HOSTNAME,$MOBILIZON_HOSTNAME,$BOOKSTACK_HOSTNAME"
domain_args="-d $DOMAIN_NAME,$KEYCLOAK_HOSTNAME,$HEDGEDOC_HOSTNAME,$MASTODON_HOSTNAME,$NEXTCLOUD_HOSTNAME,$MATRIX_HOSTNAME,$GITEA_HOSTNAME,$MOBILIZON_HOSTNAME,$BOOKSTACK_HOSTNAME,$ZULIP_HOSTNAME"
rsa_key_size=2048
set -x
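Review bot: The rebuilt `domain_args` line has no guard against an empty hostname variable; any `*_HOSTNAME` that is unset when `../env.production` is sourced produces a `,,` element in the `-d` list and certbot fails with an error that does not name the missing variable. A `set -u` near the top of the script, or a short loop checking each variable before the list is assembled, would fail early and point at the cause. The rest of the script's body is outside this hunk.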

@ -1,4 +1,3 @@
version: '3'
services:
nginx:
image: nginx:1.25-alpine

@ -1,4 +1,26 @@
server {
server_name ${LIBIB_HOSTNAME};
return 301 https://www.libib.com/u/woodbinelibrary;
listen 80;
listen [::]:80;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${ZULIP_HOSTNAME};
ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_buffering off;
proxy_read_timeout 20m;
proxy_pass https://host.docker.internal:8774;
}
}
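Review bot: The `proxy_pass https://host.docker.internal:8774;` line forwards to the Zulip container's self-signed certificate (the compose file sets `SSL_CERTIFICATE_GENERATION: "self-signed"`), and nginx's default `proxy_ssl_verify` is off, so that upstream TLS hop is unauthenticated; it is acceptable only because the hop stays on the Docker host, and a comment saying so, `# upstream cert is self-signed; hop stays on the Docker host, so it is not verified`, would stop a later maintainer from moving the upstream off-host without revisiting it. The `X-Forwarded-For` header set here is only honoured by Zulip if the proxy's source address is listed in `LOADBALANCER_IPS` on the zulip service; in the compose file that key is still commented out under `zulip` (the one that is set appears, in print order, to belong to the `database` service), so client IPs in Zulip's logs and rate limits would all be the Docker gateway. Whether the first server block still reads `server_name ${LIBIB_HOSTNAME};` on the new side is not recoverable from the rendered page; if it does, that variable is commented out in env.production in this commit and will expand empty.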

@ -15,24 +15,30 @@ SERVICES+=\ keycloak
SERVICES+=\ hedgedoc
SERVICES+=\ nextcloud
SERVICES+=\ mastodon
SERVICES+=\ grafana
SERVICES+=\ matrix
SERVICES+=\ gitea
SERVICES+=\ mobilizon
SERVICES+=\ libib
SERVICES+=\ bookstack
SERVICES+=\ diun
SERVICES+=\ zulip
#SERVICES+=\ grafana
#SERVICES+=\ mobilizon
#SERVICES+=\ libib
#SERVICES+=\ manyfold
#SERVICES+=\ diun
HOSTS+=\ $KEYCLOAK_HOST
HOSTS+=\ $HEDGEDOC_HOST
HOSTS+=\ $NEXTCLOUD_HOST
HOSTS+=\ $MASTODON_HOST
HOSTS+=\ $GRAFANA_HOST
HOSTS+=\ $MATRIX_HOST
HOSTS+=\ $GITEA_HOST
HOSTS+=\ $MOBILIZON_HOST
HOSTS+=\ $LIBIB_HOST
HOSTS+=\ $BOOKSTACK_HOST
HOSTS+=\ $ZULIP_HOST
#HOSTS+=\ $MANYFOLD_HOST
#HOSTS+=\ $LIBIB_HOST
#HOSTS+=\ $MOBILIZON_HOST
#HOSTS+=\ $GRAFANA_HOST
for host in $HOSTS ; do
host $host > /dev/null || die "$host: DNS entry not present?"
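Review bot: `HOSTS+=\ $ZULIP_HOST` uses a variable that does not match the `ZULIP_HOSTNAME` this commit adds to env.production; unless `ZULIP_HOST` is derived somewhere outside this hunk, it expands to nothing, the word vanishes from the `for host in $HOSTS` list, and the DNS check silently never runs for the new host. The other `*_HOST` entries follow the same pattern, so this may be by design, but it is worth a comment at the top of the HOSTS list naming where the values come from, e.g. `# TODO: confirm *_HOST (incl. ZULIP_HOST) is defined; env.production defines *_HOSTNAME`. The `for` loop continues past the end of this hunk.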

@ -0,0 +1,139 @@
services:
database:
image: "zulip/zulip-postgresql:14"
restart: unless-stopped
env_file:
- ../env.production
- env.production
- ../data/zulip/env.secrets.postgres
environment:
POSTGRES_DB: "zulip"
POSTGRES_USER: "zulip"
DISABLE_HTTPS: true
LOADBALANCER_IPS: 172.16.0.0/20
volumes:
- ../data/zulip/postgres:/var/lib/postgresql/data
- ../data/certbot/conf/live/woodbine.nyc:/opt/docker/zulip/zulip/certs
memcached:
image: "memcached:1.6.38-alpine3.22"
restart: unless-stopped
command:
- "sh"
- "-euc"
- |
echo 'mech_list: plain' > "$$SASL_CONF_PATH"
echo "zulip@$$HOSTNAME:$$MEMCACHED_PASSWORD" > "$$MEMCACHED_SASL_PWDB"
echo "zulip@localhost:$$MEMCACHED_PASSWORD" >> "$$MEMCACHED_SASL_PWDB"
exec memcached -S
environment:
SASL_CONF_PATH: "/home/memcache/memcached.conf"
MEMCACHED_SASL_PWDB: "/home/memcache/memcached-sasl-db"
env_file:
- ../data/zulip/env.secrets.memcached
rabbitmq:
image: "rabbitmq:4.0.7"
restart: unless-stopped
environment:
RABBITMQ_DEFAULT_USER: "zulip"
env_file:
- ../data/zulip/env.secrets.rabbitmq
volumes:
- ../data/zulip/rabbitmq:/var/lib/rabbitmq/data
redis:
image: "redis:alpine"
restart: unless-stopped
command:
- "sh"
- "-euc"
- |
echo "requirepass '$$REDIS_PASSWORD'" > /etc/redis.conf
exec redis-server /etc/redis.conf
env_file:
- ../data/zulip/env.secrets.redis
volumes:
- ../data/zulip/redis:/data
#debug:
#image: "zulip/zulip-postgresql:14"
#env_file:
#- ../data/zulip/env.secrets.postgres
#- env.production
#environment:
## See https://github.com/zulip/docker-zulip#configuration for
## details on this section and how to discover the many
## additional settings that are supported here.
# DB_HOST: "database"
# DB_HOST_PORT: "5432"
# DB_USER: "zulip"
# POSTGRES_DB: "zulip"
# POSTGRES_USER: "zulip"
zulip:
image: "zulip/docker-zulip:10.3-0"
restart: unless-stopped
build:
context: .
args:
## Change these if you want to build zulip from a different repo/branch
ZULIP_GIT_URL: https://github.com/zulip/zulip.git
ZULIP_GIT_REF: "10.3"
## Set this up if you plan to use your own CA certificate bundle for building
# CUSTOM_CA_CERTIFICATES:
ports:
- "8777:80"
- "8774:443"
env_file:
- ../data/zulip/env.secrets.zulip
- env.production
environment:
## See https://github.com/zulip/docker-zulip#configuration for
## details on this section and how to discover the many
## additional settings that are supported here.
DB_HOST: "database"
DB_HOST_PORT: "5432"
DB_USER: "zulip"
SSL_CERTIFICATE_GENERATION: "self-signed"
SETTING_MEMCACHED_LOCATION: "memcached:11211"
SETTING_RABBITMQ_HOST: "rabbitmq"
SETTING_REDIS_HOST: "redis"
SETTING_EMAIL_HOST: "" # e.g. smtp.example.com
SETTING_EMAIL_HOST_USER: "noreply@example.com"
SETTING_EMAIL_PORT: "587"
## It seems that the email server needs to use ssl or tls and can't be used without it
SETTING_EMAIL_USE_SSL: "False"
SETTING_EMAIL_USE_TLS: "True"
ZULIP_AUTH_BACKENDS: "GenericOpenIdConnectBackend"
SOCIAL_AUTH_OIDC_PROVIDER_NAME: "keycloak"
SOCIAL_AUTH_OIDC_KEY: "zulip"
SOCIAL_AUTH_OIDC_ENABLED: true
## Uncomment this when configuring the mobile push notifications service
# SETTING_ZULIP_SERVICE_PUSH_NOTIFICATIONS: "True"
# SETTING_ZULIP_SERVICE_SUBMIT_USAGE_STATISTICS: "True"
## If you're using a reverse proxy, you'll want to provide the
## comma-separated set of IP addresses to trust here.
# LOADBALANCER_IPS: ""
## By default, files uploaded by users and profile pictures are
## stored directly on the Zulip server. You can configure files
## to be stored in Amazon S3 or a compatible data store
## here. See docs at:
##
## https://zulip.readthedocs.io/en/latest/production/upload-backends.html
##
## If you want to use the S3 backend, you must set
## SETTING_LOCAL_UPLOADS_DIR to None as well as configuring the
## other fields.
# SETTING_LOCAL_UPLOADS_DIR: "None"
# SETTING_S3_AUTH_UPLOADS_BUCKET: ""
# SETTING_S3_AVATAR_BUCKET: ""
# SETTING_S3_ENDPOINT_URL: "None"
# SETTING_S3_REGION: "None"
volumes:
- ../data/zulip/zulip:/data
ulimits:
nofile:
soft: 1000000
hard: 1048576
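Review bot: The `ports:` entries `"8777:80"` and `"8774:443"` publish the Zulip container on every host interface, so the app is reachable directly, bypassing the nginx vhost, its Let's Encrypt certificate and whatever access rules live there, and a direct client can supply its own `X-Forwarded-For`. Plain `127.0.0.1:` binding would break the proxy because `host.docker.internal` resolves to the bridge gateway rather than loopback, so either publish only on that gateway address (`- "<docker-gateway-ip>:8774:443"`, value taken from the host) or attach nginx to Zulip's compose network and proxy to the service name without publishing the ports at all. The rendered page loses indentation, but in print order `DISABLE_HTTPS`, `LOADBALANCER_IPS` and the `../data/certbot/conf/live/woodbine.nyc` volume sit under the `database` service rather than `zulip`, which would hand the TLS private key to postgres and leave the zulip service's own `LOADBALANCER_IPS` commented out — worth confirming against the file. `redis:alpine` is the only unpinned image here; pin it to a version like its neighbours so upgrades happen deliberately, and quote `DISABLE_HTTPS: true` / `SOCIAL_AUTH_OIDC_ENABLED: true` as `"true"` to match the other environment values.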

@ -0,0 +1,89 @@
#!/bin/bash
die() { echo >&2 "zulip: ERROR $*" ; exit 1 ; }
info() { echo >&2 "zulip: $*" ; }
DIRNAME="$(dirname $0)"
cd "$DIRNAME"
source ../env.production || die "no top level environment"
source ./env.production || die "no local environment"
DATA="../data/zulip"
SECRETS="$DATA/env.secrets"
if [ -r "$SECRETS" ]; then
docker compose up -d || die "unable to start"
exit 0
fi
info "creating new secrets $SECRETS"
mkdir -p "$DATA"
POSTGRES_PASSWORD="$(openssl rand -hex 32)"
cat <<postgressecrets > "$SECRETS".postgres
# DO NOT CHECK IN
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
postgressecrets
MEMCACHED_PASSWORD="$(openssl rand -hex 32)"
cat <<memcachedsecrets > "$SECRETS".memcached
# DO NOT CHECK IN
MEMCACHED_PASSWORD=$MEMCACHED_PASSWORD
memcachedsecrets
RABBITMQ_DEFAULT_PASS="$(openssl rand -hex 32)"
cat <<rabbitmqsecrets > "$SECRETS".rabbitmq
# DO NOT CHECK IN
RABBITMQ_DEFAULT_PASS=$RABBITMQ_DEFAULT_PASS
rabbitmqsecrets
REDIS_PASSWORD="$(openssl rand -hex 32)"
cat <<redissecrets > "$SECRETS".redis
# DO NOT CHECK IN
REDIS_PASSWORD=$REDIS_PASSWORD
redissecrets
ZULIP_SECRET_KEY="$(openssl rand -hex 32)"
ZULIP_CLIENT_SECRET="$(openssl rand -hex 32)"
cat <<zulipsecrets > "$SECRETS".zulip
# DO NOT CHECK IN
SECRETS_rabbitmq_password=$RABBITMQ_DEFAULT_PASS
SECRETS_postgres_password=$POSTGRES_PASSWORD
SECRETS_memcached_password=$MEMCACHED_PASSWORD
SECRETS_redis_password=$REDIS_PASSWORD
SECRETS_secret_key=$ZULIP_SECRET_KEY
SECRETS_email_password=$EMAIL_PASSWORD
SOCIAL_AUTH_OIDC_PROVIDER_URL=$KEYCLOAK_DOMAIN
SOCIAL_AUTH_OIDC_SECRET=$ZULIP_CLIENT_SECRET
zulipsecrets
cat <<productionenv > env.production
SETTING_EXTERNAL_HOST=$ZULIP_HOSTNAME
SETTING_ZULIP_ADMINISTRATOR=admin@$ZULIP_HOSTNAME
productionenv
docker compose down 2>/dev/null
#"redirectUris": [ "https://$ZULIP_HOSTNAME/complete/oidc" ],
../keycloak/client-delete zulip 2>/dev/null
../keycloak/client-create <<EOF || die "unable to create zulip client"
{
"clientId": "zulip",
"rootUrl": "https://$ZULIP_HOSTNAME",
"adminUrl": "https://$ZULIP_HOSTNAME",
"redirectUris": [ "https://$ZULIP_HOSTNAME/*" ],
"webOrigins": [ "https://$ZULIP_HOSTNAME" ],
"clientAuthenticatorType": "client-secret",
"secret": "$ZULIP_CLIENT_SECRET"
}
EOF
docker compose up -d || die "unable to start container"
info "waiting for startup..."
sleep 5
info "creating realm"
docker compose exec -u zulip zulip /home/zulip/deployments/current/manage.py generate_realm_creation_link
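Review bot: The guard `if [ -r "$SECRETS" ]` tests `../data/zulip/env.secrets`, but as far as the shown lines go nothing writes a file of exactly that name — every heredoc targets `"$SECRETS".postgres`, `.memcached`, `.rabbitmq`, `.redis` or `.zulip` — so a second run regenerates every password, leaving the already-initialised postgres volume and the other stateful services with the old credentials and re-creating the Keycloak client. Test one of the files that is actually written, e.g. `if [ -r "$SECRETS.zulip" ]; then`. The secret files are also created under the default umask and so are typically world-readable; a `umask 077` before the first `cat <<` (or `chmod 600 "$SECRETS".*` afterwards) keeps them owner-only. The Keycloak client is registered with `"redirectUris": [ "https://$ZULIP_HOSTNAME/*" ]` while the exact `/complete/oidc` callback is left commented out above it; a wildcard allows the authorisation code to be delivered to any path on that host, so if the exact URI works it should be preferred, and if it does not, a comment saying why would stop it being re-tightened blindly. Note that `DIRNAME="$(dirname $0)"` leaves `$0` unquoted; `"$(dirname "$0")"` is safer if the checkout path ever contains spaces.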