
Merge branch 'split' into 'master'

Split the services into one docker-compose.yml per service, and use proxyta.net as the shared reverse proxy

See merge request altermediatic/docker-atelier!3
Guilhem Saurel 6 years ago
parent
commit
4177f882a0
19 changed files with 331 additions and 221 deletions
  1. 0 1
      .gitignore
  2. 3 0
      .gitmodules
  3. 3 3
      README.md
  4. 3 0
      cloud/Dockerfile
  5. 17 0
      cloud/README.md
  6. 36 0
      cloud/docker-compose.yml
  7. 153 0
      cloud/nginx.conf
  8. 0 111
      docker-compose.yml
  9. 8 0
      homepage/README.md
  10. 16 0
      homepage/docker-compose.yml
  11. 3 0
      im/README.md
  12. 35 22
      install.md
  13. 5 0
      mail/README.md
  14. 1 1
      pad/Dockerfile
  15. 17 0
      pad/README.md
  16. 30 0
      pad/docker-compose.yml
  17. 1 0
      proxy
  18. 0 45
      setup.sh.dist
  19. 0 38
      traefik/traefik.toml

+ 0 - 1
.gitignore

@@ -1,2 +1 @@
 **/.env
-setup.sh

+ 3 - 0
.gitmodules

@@ -0,0 +1,3 @@
+[submodule "proxyta.net"]
+	path = proxy
+	url = ../../nim65s/proxyta.net
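Review bot: The submodule URL `../../nim65s/proxyta.net` is relative, so it resolves against whatever remote the superproject was cloned from; with the documented `git clone --recursive https://framagit.org/altermediatic/docker-atelier.git` that lands in a personal namespace (`nim65s`) rather than the `altermediatic` group, and it does not resolve at all from a mirror or a local-path clone. This submodule now carries the reverse proxy that terminates TLS and runs ACME (the in-tree `traefik/traefik.toml` and `setup.sh.dist` are deleted in this MR, and the old setup presumably still applies, i.e. the proxy mounts the Docker socket), so the pinned commit is effectively the trust anchor of the whole deployment. Consider an absolute URL under the group, or at least a README note that a bump of the `proxy` pin must be reviewed like any other dependency update.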

+ 3 - 3
README.md

@@ -24,13 +24,13 @@ Joking aside, as KITTENS will save the world-wide web, this project aims at easi
 
 ### Pré-requis
 
-Pour pouvoir installer un CHATONS, vous devez disposer :
+Pour pouvoir installer un CHATONS en production, vous devez disposer :
 - d'une machine/VM avec une nouvelle installation de debian
-- du domaine et des sous-domaines (cf. services présent dans `docker-compose.yml`) pointant sur l'ip publique de cette machine
+- du domaine et des sous-domaines désirés pointant sur l'ip publique de cette machine
 
 ### Installation
 
-Pour installer et configurer un CHATONS, suivez install.md en tant que root.
+Pour configurer et déployer un CHATONS, suivez [install.md](install.md) en tant que root.
 
 ## English
 

+ 3 - 0
cloud/Dockerfile

@@ -0,0 +1,3 @@
+FROM nginx:alpine
+
+COPY nginx.conf /etc/nginx/nginx.conf
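Review bot: `FROM nginx:alpine` floats on whatever the `alpine` tag points to at build time, so two hosts built on different days get different nginx versions; this same MR pins `node:9-alpine` in pad/Dockerfile, so do the same here with a versioned tag (e.g. `FROM nginx:1-alpine`, or better a digest). The copied `nginx.conf` is the only customization, so the image is otherwise the stock official one with its default root master process, which is acceptable here but worth stating: a one-line comment such as `# stock nginx with the Nextcloud fpm example config; TLS is terminated by the proxyta.net traefik in front` tells the next reader why there is no TLS in this image.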

+ 17 - 0
cloud/README.md

@@ -0,0 +1,17 @@
+# Nextcloud
+
+https://nextcloud.com/
+
+## Configure
+```
+echo MYSQL_ROOT_PASSWORD=$(openssl rand -base64 32) >> .env
+echo MYSQL_PASSWORD=$(openssl rand -base64 32) >> .env
+echo MYSQL_DATABASE=nextcloud >> .env
+echo MYSQL_USER=nextcloud >> .env
+echo MYSQL_HOST=db >> .env
+```
+
+## Deploy
+```
+docker-compose up -d
+```

+ 36 - 0
cloud/docker-compose.yml

@@ -0,0 +1,36 @@
+version: '3'
+
+networks:
+  proxytanet:
+    external: true
+
+services:
+  db:
+    image: mariadb
+    restart: always
+    env_file:
+      - .env
+    volumes:
+      - ${CHATONS_ROOT_DIR:-/srv/chatons}/nextcloud/db:/var/lib/mysql
+
+  app:
+    image: nextcloud:fpm-alpine
+    restart: always
+    env_file:
+      - .env
+    volumes:
+      - ${CHATONS_ROOT_DIR:-/srv/chatons}/nextcloud/app:/var/www/html
+
+  web:
+    build: .
+    restart: always
+    volumes:
+      - ${CHATONS_ROOT_DIR:-/srv/chatons}/nextcloud/app:/var/www/html:ro
+    labels:
+      traefik.enable: "true"
+      traefik.backend: "nextcloud"
+      traefik.frontend.rule: "Host: cloud.${CHATONS_DOMAIN:-local}, www.cloud.${CHATONS_DOMAIN:-local}"
+      traefik.docker.network: "proxytanet"
+    networks:
+      - proxytanet
+      - default
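Review bot: `app` and `db` both load the same `.env`, so the Nextcloud container receives `MYSQL_ROOT_PASSWORD` even though, per cloud/README.md, it only needs `MYSQL_USER`/`MYSQL_PASSWORD`/`MYSQL_DATABASE`/`MYSQL_HOST`; anyone who gets code execution in the PHP container (the part that faces the internet through `web`) then holds the database root credential. Keep the root password on `db` only, e.g. write it to a separate `db.env` and point `db` at `env_file: [db.env, .env]` while `app` keeps `.env`. The `.env` itself is produced by `echo ... >> .env` with the default umask, so on most hosts it ends up world-readable; run `umask 077` before those commands or `chmod 600 .env` afterwards. Finally `image: mariadb` has no tag at all and `nextcloud:fpm-alpine` floats on the major, whereas pad/Dockerfile pins `node:9-alpine` in this MR — pin both so an `up -d` after a pull cannot silently upgrade the database.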

+ 153 - 0
cloud/nginx.conf

@@ -0,0 +1,153 @@
+# downloaded from https://raw.githubusercontent.com/nextcloud/docker/master/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    upstream php-handler {
+        server app:9000;
+    }
+
+    server {
+        listen 80;
+
+        # Add headers to serve security related headers
+        # Before enabling Strict-Transport-Security headers please read into this
+        # topic first.
+        # add_header Strict-Transport-Security "max-age=15768000;
+        # includeSubDomains; preload;";
+        #
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Robots-Tag none;
+        add_header X-Download-Options noopen;
+        add_header X-Permitted-Cross-Domain-Policies none;
+
+        root /var/www/html;
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        # The following 2 rules are only needed for the user_webfinger app.
+        # Uncomment it if you're planning to use this app.
+        #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+        #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
+        # last;
+
+        location = /.well-known/carddav {
+            return 301 $scheme://$host/remote.php/dav;
+        }
+        location = /.well-known/caldav {
+            return 301 $scheme://$host/remote.php/dav;
+        }
+
+        # set max upload size
+        client_max_body_size 10G;
+        fastcgi_buffers 64 4K;
+
+        # Enable gzip but do not remove ETag headers
+        gzip on;
+        gzip_vary on;
+        gzip_comp_level 4;
+        gzip_min_length 256;
+        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+        gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+        # Uncomment if your server is build with the ngx_pagespeed module
+        # This module is currently not supported.
+        #pagespeed off;
+
+        location / {
+            rewrite ^ /index.php$uri;
+        }
+
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+            deny all;
+        }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+            deny all;
+        }
+
+        location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+            fastcgi_split_path_info ^(.+\.php)(/.*)$;
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+            # fastcgi_param HTTPS on;
+            #Avoid sending the security headers twice
+            fastcgi_param modHeadersAvailable true;
+            fastcgi_param front_controller_active true;
+            fastcgi_pass php-handler;
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+        }
+
+        location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+            try_files $uri/ =404;
+            index index.php;
+        }
+
+        # Adding the cache control header for js and css files
+        # Make sure it is BELOW the PHP block
+        location ~ \.(?:css|js|woff|svg|gif)$ {
+            try_files $uri /index.php$uri$is_args$args;
+            add_header Cache-Control "public, max-age=15778463";
+            # Add headers to serve security related headers (It is intended to
+            # have those duplicated to the ones above)
+            # Before enabling Strict-Transport-Security headers please read into
+            # this topic first.
+            # add_header Strict-Transport-Security "max-age=15768000;
+            #  includeSubDomains; preload;";
+            #
+            # WARNING: Only add the preload option once you read about
+            # the consequences in https://hstspreload.org/. This option
+            # will add the domain to a hardcoded list that is shipped
+            # in all major browsers and getting removed from this list
+            # could take several months.
+            add_header X-Content-Type-Options nosniff;
+            add_header X-XSS-Protection "1; mode=block";
+            add_header X-Robots-Tag none;
+            add_header X-Download-Options noopen;
+            add_header X-Permitted-Cross-Domain-Policies none;
+            # Optional: Don't log access to assets
+            access_log off;
+        }
+
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+            try_files $uri /index.php$uri$is_args$args;
+            # Optional: Don't log access to other assets
+            access_log off;
+        }
+    }
+
+}
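Review bot: This is the upstream `insecure` example, i.e. it assumes TLS is terminated elsewhere, but nothing here tells Nextcloud that the original request was HTTPS: `fastcgi_param HTTPS on;` is left commented out, and the `.well-known/carddav` / `caldav` redirects use `$scheme://$host`, which is `http` on the traefik-to-nginx leg. In the prod-le / prod-ssl setups referenced in install.md every client request arrives over TLS, so uncomment `fastcgi_param HTTPS on;` (or configure `overwriteprotocol`/`trusted_proxies` on the Nextcloud side) and change the two redirects to `return 301 https://$host/remote.php/dav;`; otherwise Nextcloud appears to see plain HTTP and will build http:// URLs, and CalDAV/CardDAV clients get bounced through an extra redirect if the proxy upgrades them at all. `$remote_addr` in the access log will always be the proxy's address and the real client only appears in `$http_x_forwarded_for`, which deserves a comment on the `log_format` line so nobody rate-limits or bans on the wrong field.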

+ 0 - 111
docker-compose.yml

@@ -1,111 +0,0 @@
-version: '3'
-
-services:
-
-  ### SERVICE: cloud
-
-  cloud_db:
-    image: mariadb
-    restart: always
-    environment:
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-    env_file:
-      - cloud/.env
-    networks:
-      - cloud
-    volumes:
-      - ${CHATONS_ROOT_DIR}/nextcloud/db:/var/lib/mysql
-
-  cloud_app:
-    image: nextcloud
-    restart: always
-    depends_on:
-      - cloud_db
-    labels:
-      - "traefik.backend=nextcloud"
-      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_traefik"
-      - "traefik.frontend.rule=Host:cloud.${CHATONS_DOMAIN}"
-      - "traefik.enable=true"
-      - "traefik.port=80"
-    networks:
-      - cloud
-      - traefik
-    volumes:
-      - ${CHATONS_ROOT_DIR}/nextcloud/app:/var/www/html
-
-  ### SERVICE: homepage
-
-  homepage_app:
-    build: homepage
-    restart: always
-    labels:
-      - "traefik.backend=homepage"
-      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_traefik"
-      # note: www must also be present because we need its certificate
-      # and it is required for traefik redirection to work too (in traefik.yml)
-      - "traefik.frontend.rule=Host:${CHATONS_DOMAIN},www.${CHATONS_DOMAIN}"
-      - "traefik.enable=true"
-      - "traefik.port=80"
-    networks:
-      - homepage
-      - traefik
-
-  ### SERVICE: pad
-
-  pad_db:
-    image: mariadb
-    restart: always
-    env_file:
-      - pad/.env
-    networks:
-      - pad
-    volumes:
-      - ${CHATONS_ROOT_DIR}/etherpad/db:/var/lib/mysql
-
-  pad_app:
-    build: pad
-    restart: always
-    depends_on:
-      - pad_db
-    env_file:
-      - pad/.env
-    environment:
-      - ETHERPAD_DB_HOST=pad_db
-      - ETHERPAD_TITLE=Bloc Note
-    labels:
-      - "traefik.backend=etherpad"
-      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_traefik"
-      - "traefik.frontend.rule=Host:pad.${CHATONS_DOMAIN}"
-      - "traefik.enable=true"
-      - "traefik.port=9001"
-    networks:
-      - pad
-      - traefik
-    volumes:
-      - ${CHATONS_ROOT_DIR}/etherpad/app:/opt/etherpad-lite/var
-
-### TRAEFIK
-
-  traefik:
-    image: traefik
-    command: --docker.domain=${CHATONS_DOMAIN} --acme.email=${CHATONS_MAIL}
-    restart: always
-    ports:
-      - 80:80
-      - 443:443
-      - 127.0.0.1:8080:8080
-    networks:
-      - traefik
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - ${CHATONS_ROOT_DIR}/traefik/acme.json:/acme.json
-      - ${CHATONS_ROOT_DIR}/traefik/traefik.toml:/traefik.toml
-
-### NETWORKS
-
-networks:
-  traefik:
-  cloud:
-  homepage:
-  pad:

+ 8 - 0
homepage/README.md

@@ -0,0 +1,8 @@
+# Oxyta.net's Homepage
+
+https://oxyta.net/
+
+## Deploy
+```
+docker-compose up -d
+```

+ 16 - 0
homepage/docker-compose.yml

@@ -0,0 +1,16 @@
+version: '3'
+
+networks:
+  proxytanet:
+    external: true
+
+services:
+  app:
+    build: .
+    restart: always
+    labels:
+      traefik.enable: "true"
+      traefik.backend: "homepage"
+      traefik.frontend.rule: "Host: ${CHATONS_DOMAIN:-local}, www.${CHATONS_DOMAIN:-local}"
+    networks:
+      - proxytanet
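Review bot: Unlike `web` in cloud/docker-compose.yml and `app` in pad/docker-compose.yml, this service does not set `traefik.docker.network: "proxytanet"`. It works today because the container is attached to exactly one network, but as soon as a second network is added (a `default` for a backend, say) traefik may pick the wrong address and the site goes dark with no obvious error; add `traefik.docker.network: "proxytanet"` now for consistency. There is also no `traefik.port`, so routing relies on the homepage image exposing a single port — fine if that holds, but worth a comment since the Dockerfile is not in this MR.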

+ 3 - 0
im/README.md

@@ -0,0 +1,3 @@
+# Matrix
+
+:warning: This is a work in progress, and not production ready :warning:

+ 35 - 22
install.md

@@ -1,9 +1,9 @@
-## Install
+# Deploy your kittens
 
+## Install docker & docker-compose
 ```
-# Install docker
 # See https://docs.docker.com/engine/installation/linux/docker-ce/debian/#install-using-the-repository
-apt install \
+apt install -y \
      apt-transport-https \
      ca-certificates \
      curl \
@@ -12,13 +12,10 @@ apt install \
 
 curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | apt-key add -
 
-echo \
-   "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
-   $(lsb_release -cs) \
-   stable" \
-   > /etc/apt/sources.list.d/docker.list
+echo "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
+      $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
 
-apt update && apt install docker-ce msmtp python3-pip
+apt update && apt install -y docker-ce python3-pip
 
 # install docker-compose
 pip3 install docker-compose
@@ -26,32 +23,48 @@ pip3 install docker-compose
 # Start docker
 systemctl start docker
 systemctl enable docker
+```
 
-# Add keys
+## Add the ssh keys of the team
+```
 cd
 git clone https://framagit.org/altermediatic/keys.git
 cd .ssh
 rm -f authorized_keys
 ln -s ../keys/ssh authorized_keys
+```
 
-# Add this repo
+## Add this repo
+```
 cd
-git clone https://framagit.org/altermediatic/docker-atelier.git
+git clone --recursive https://framagit.org/altermediatic/docker-atelier.git
 cd docker-atelier
+```
+
+## Deploy the proxy
+```
+docker network create proxytanet
+```
+
+And then you can go in the `proxy/` folder and in the environment you want:
+- [dev](https://framagit.org/nim65s/proxyta.net/tree/master/dev)
+- [prod with letsencrypt](https://framagit.org/nim65s/proxyta.net/tree/master/prod-le/) (look at the README first)
+- [prod with your certificates](https://framagit.org/nim65s/proxyta.net/tree/master/prod-ssl/) (look at the README first)
 
-# Configure environment variables in setup.sh then run it
-cp setup.sh.dist setup.sh
-vim setup.sh
-./setup.sh
+## Configure your domain name and email addresses
 
-# Deploy Services (project name should only be set via the setup.sh file!)
-docker-compose up -d
+```
+echo "export CHATONS_DOMAIN=oxyta.net" >> .bashrc
+echo "export ACME_EMAIL=acme@${CHATONS_DOMAIN}" >> .bashrc
+. .bashrc
 ```
 
-## Configure mail
+## Deploy the services you want
 
-[doc](mail)
+- [nextcloud](cloud/) (in the `cloud/` folder)
+- [etherpad](pad/) (in the `pad/` folder)
+- [oxyta.net's homepage](homepage/) (in the `homepage/` folder)
 
-## Update homepage
+## Configure mail
 
-docker-compose build --no-cache
+[doc](mail)
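Review bot: In the new "Configure your domain name and email addresses" step the second `echo` uses double quotes, so `${CHATONS_DOMAIN}` is expanded by the current shell, which has not sourced anything yet; unless the variable already exists the line written out is `export ACME_EMAIL=acme@` and the ACME account is registered with a truncated address. Use `echo 'export ACME_EMAIL=acme@${CHATONS_DOMAIN}' >> ~/.bashrc` (single quotes defer expansion to source time), or export `CHATONS_DOMAIN` in the current shell before the second echo. The `.bashrc` path is also relative: the preceding steps `cd` into `docker-atelier` (and then into `proxy/`) and never return home, so the file is likely created inside the checkout rather than being root's real `~/.bashrc`; spell out `~/.bashrc`. Note too that `~/.bashrc` is only read by interactive shells, so anything running `docker-compose up` non-interactively would fall back to the `${CHATONS_DOMAIN:-local}` defaults in the compose files — a gitignored `.env` at the repo root or `/etc/environment` would be more robust. `pip3 install docker-compose` as root with no version pin is a moving target as well; pin it.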

+ 5 - 0
mail/README.md

@@ -1,3 +1,8 @@
+# Install msmtp
+
+```
+apt install -y msmtp
+```
 # Configure
 
 `/etc/msmtprc`:

+ 1 - 1
pad/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:alpine as build
+FROM node:9-alpine as build
 
 RUN apk add --no-cache curl
 RUN mkdir /front-pad

+ 17 - 0
pad/README.md

@@ -0,0 +1,17 @@
+# Etherpad
+
+http://etherpad.org/
+
+## Configure
+```
+export MYSQL_ROOT_PASSWORD=$(openssl rand -base64 32)
+echo MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD >> .env
+echo ETHERPAD_DB_PASSWORD=$MYSQL_ROOT_PASSWORD >> .env
+echo ETHERPAD_DB_HOST=db >> .env
+echo ETHERPAD_TITLE=Bloc Note >> .env
+```
+
+## Deploy
+```
+docker-compose up -d
+```

+ 30 - 0
pad/docker-compose.yml

@@ -0,0 +1,30 @@
+version: '3'
+
+networks:
+  proxytanet:
+    external: true
+
+services:
+  db:
+    image: mariadb
+    restart: always
+    env_file:
+      - .env
+    volumes:
+      - ${CHATONS_ROOT_DIR:-/srv/chatons}/etherpad/db:/var/lib/mysql
+
+  app:
+    build: .
+    restart: always
+    env_file:
+      - .env
+    labels:
+      traefik.enable: "true"
+      traefik.backend: "etherpad"
+      traefik.frontend.rule: "Host: pad.${CHATONS_DOMAIN:-local}, www.pad.${CHATONS_DOMAIN:-local}"
+      traefik.docker.network: "proxytanet"
+    networks:
+      - default
+      - proxytanet
+    volumes:
+      - ${CHATONS_ROOT_DIR:-/srv/chatons}/etherpad/app:/opt/etherpad-lite/var
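Review bot: `db` and `app` share one `.env`, and pad/README.md fills it with `ETHERPAD_DB_PASSWORD=$MYSQL_ROOT_PASSWORD`, so Etherpad connects to MariaDB as root (no `MYSQL_USER`/`MYSQL_PASSWORD` is set, unlike cloud/README.md) and the web-facing container holds the root credential. Create a dedicated user the way the cloud stack does — `MYSQL_DATABASE=etherpad`, `MYSQL_USER=etherpad`, `MYSQL_PASSWORD=$(openssl rand -base64 32)` — and point Etherpad at it (the image takes `ETHERPAD_DB_*` variables per the old compose file; confirm the exact user/database variable names against pad/Dockerfile, which is not fully visible here). The README's `export MYSQL_ROOT_PASSWORD=...` also leaves the secret in the interactive shell's environment for the rest of the session, and the `>> .env` writes use the default umask, so prefer `umask 077` or `chmod 600 .env`. As in the cloud stack, `image: mariadb` is untagged — pin it.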

+ 1 - 0
proxy

@@ -0,0 +1 @@
+Subproject commit 55ebbc9b98eb84c3343fbb543faae36d634bf5e9

+ 0 - 45
setup.sh.dist

@@ -1,45 +0,0 @@
-#!/bin/sh
-
-[ -f .env ] && echo "JUST DONT" && exit 1
-
-## You can (should) customize those variables
-# the docker-compose project name
-export CHATONS_COMPOSE_PROJECT=oxyta
-# the host directory for the containers' volumes
-export CHATONS_ROOT_DIR=./srv
-# the domain name for all services
-export CHATONS_DOMAIN=oxyta.net
-# the email to which services will send important email
-export CHATONS_MAIL=services@$CHATONS_DOMAIN
-
-## Those do not need customization
-export CHATONS_MYSQL_PASSWORD=$(openssl rand -base64 32)
-export CHATONS_MYSQL_ROOT_PASSWORD=$(openssl rand -base64 32)
-
-if [ ! -d "$CHATONS_ROOT_DIR" ]; then
-    echo "error: $CHATONS_ROOT_DIR must exist and be a regular folder" >&2
-    exit 1
-fi
-
-# Export common environment variables
-
-echo "COMPOSE_PROJECT_NAME=$CHATONS_COMPOSE_PROJECT" > .env
-echo "CHATONS_ROOT_DIR=$CHATONS_ROOT_DIR" >> .env
-echo "CHATONS_DOMAIN=$CHATONS_DOMAIN" >> .env
-echo "CHATONS_MAIL=$CHATONS_MAIL" >> .env
-
-# Export specific environment configuration
-
-mkdir -p cloud pad
-
-echo "MYSQL_PASSWORD=$CHATONS_MYSQL_PASSWORD" > cloud/.env
-echo "MYSQL_ROOT_PASSWORD=$CHATONS_MYSQL_ROOT_PASSWORD" >> cloud/.env
-echo "MYSQL_ROOT_PASSWORD=$CHATONS_MYSQL_ROOT_PASSWORD" > pad/.env
-echo "ETHERPAD_DB_PASSWORD=$CHATONS_MYSQL_ROOT_PASSWORD" >> pad/.env
-
-# Configure traefik
-
-mkdir -p "$CHATONS_ROOT_DIR/traefik"
-touch "$CHATONS_ROOT_DIR/traefik/acme.json"
-chmod 600 "$CHATONS_ROOT_DIR/traefik/acme.json"
-cp traefik/traefik.toml "$CHATONS_ROOT_DIR/traefik/traefik.toml"

+ 0 - 38
traefik/traefik.toml

@@ -1,38 +0,0 @@
-debug = false
-checkNewVersion = true
-logLevel = "ERROR"
-defaultEntryPoints = ["https","http"]
-
-[web]
-# web ui on 8080
-
-[entryPoints]
-  [entryPoints.http]
-  address = ":80"
-    [entryPoints.http.redirect]
-    entryPoint = "https"
-  [entryPoints.https]
-  address = ":443"
-    [entryPoints.https.redirect]
-    # For this to work, there must be a corresponding frontend rule
-    # See https://github.com/containous/traefik/issues/919#issuecomment-311033114
-    regex = "^https://www.(.*)"
-    replacement = "https://$1"
-  [entryPoints.https.tls]
-
-[docker]
-# the domain is set on the command line
-endpoint = "unix:///var/run/docker.sock"
-watch = true
-exposedbydefault = false
-
-[acme]
-# the email is set on the command line
-storage = "acme.json"
-entryPoint = "https"
-OnHostRule = true
-#acmeLogging = true
-#caServer = "https://acme-staging.api.letsencrypt.org/directory"
-[acme.httpChallenge]
-  entryPoint = "http"
-