
Merge branch '9-autodeploy' into 'master'

Resolve "déploiement auto"

Closes #9, #7, #46, #44, and #42

See merge request altermediatic/docker-atelier!1
Victor Noël 7 years ago
parent
commit
5a5672dcac
16 changed files with 279 additions and 331 deletions
  1. 2 1
      .gitignore
  2. 25 51
      README.md
  3. 0 23
      cloud/docker-compose.yml
  4. 0 41
      cloud/nginx.conf
  5. 111 0
      docker-compose.yml
  6. 0 19
      git/docker-compose.yml
  7. 0 41
      git/nginx.conf
  8. 0 13
      homepage/README.md
  9. 0 8
      homepage/docker-compose.yml
  10. 0 40
      homepage/nginx.conf
  11. 57 0
      install.md
  12. 0 28
      nginx.conf
  13. 0 25
      pad/docker-compose.yml
  14. 0 41
      pad/nginx.conf
  15. 45 0
      setup.sh.dist
  16. 39 0
      traefik/traefik.toml

+ 2 - 1
.gitignore

@@ -1 +1,2 @@
-*/.env
+**/.env
+setup.sh

File diff suppressed because it is too large
+ 25 - 51
README.md


+ 0 - 23
cloud/docker-compose.yml

@@ -1,23 +0,0 @@
-version: '2'
-
-services:
-  db:
-    image: mariadb
-    restart: always
-    volumes:
-      - /srv/nextcloud/db:/var/lib/mysql
-    environment:
-      - MYSQL_DATABASE=nextcloud
-      - MYSQL_USER=nextcloud
-    env_file:
-      - .env
-
-  app:
-    image: nextcloud
-    links:
-      - db
-    volumes:
-      - /srv/nextcloud/app:/var/www/html
-    restart: always
-    ports:
-      - "127.0.0.1:9000:80"

+ 0 - 41
cloud/nginx.conf

@@ -1,41 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name cloud.oxyta.net www.cloud.oxyta.net;
-    return 301 https://cloud.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name www.cloud.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    return 301 https://cloud.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name cloud.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    access_log  /var/log/nginx/cloud.log;
-    error_log  /var/log/nginx/cloud.err;
-
-    location /.well-known {
-        alias /srv/letsencrypt/.well-known;
-    }
-
-    location / {
-        proxy_pass http://127.0.0.1:9000;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-

+ 111 - 0
docker-compose.yml

@@ -0,0 +1,111 @@
+version: '3'
+
+services:
+
+  ### SERVICE: cloud
+
+  cloud_db:
+    image: mariadb
+    restart: always
+    environment:
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+    env_file:
+      - cloud/.env
+    networks:
+      - cloud
+    volumes:
+      - ${CHATONS_ROOT_DIR}/nextcloud/db:/var/lib/mysql
+
+  cloud_app:
+    image: nextcloud
+    restart: always
+    depends_on:
+      - cloud_db
+    labels:
+      - "traefik.backend=nextcloud"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_traefik"
+      - "traefik.frontend.rule=Host:cloud.${CHATONS_DOMAIN}"
+      - "traefik.enable=true"
+      - "traefik.port=80"
+    networks:
+      - cloud
+      - traefik
+    volumes:
+      - ${CHATONS_ROOT_DIR}/nextcloud/app:/var/www/html
+
+  ### SERVICE: homepage
+
+  homepage_app:
+    build: homepage
+    restart: always
+    labels:
+      - "traefik.backend=homepage"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_traefik"
+      # note: www must also be present because we need its certificate
+      # and it is required for traefik redirection to work too (in traefik.yml)
+      - "traefik.frontend.rule=Host:${CHATONS_DOMAIN},www.${CHATONS_DOMAIN}"
+      - "traefik.enable=true"
+      - "traefik.port=80"
+    networks:
+      - homepage
+      - traefik
+
+  ### SERVICE: pad
+
+  pad_db:
+    image: mariadb
+    restart: always
+    env_file:
+      - pad/.env
+    networks:
+      - pad
+    volumes:
+      - ${CHATONS_ROOT_DIR}/etherpad/db:/var/lib/mysql
+
+  pad_app:
+    build: pad
+    restart: always
+    depends_on:
+      - pad_db
+    env_file:
+      - pad/.env
+    environment:
+      - ETHERPAD_DB_HOST=pad_db
+      - ETHERPAD_TITLE=Bloc Note
+    labels:
+      - "traefik.backend=etherpad"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_traefik"
+      - "traefik.frontend.rule=Host:pad.${CHATONS_DOMAIN}"
+      - "traefik.enable=true"
+      - "traefik.port=9001"
+    networks:
+      - pad
+      - traefik
+    volumes:
+      - ${CHATONS_ROOT_DIR}/etherpad/app:/opt/etherpad-lite/var
+
+### TRAEFIK
+
+  traefik:
+    image: traefik
+    command: --docker.domain=${CHATONS_DOMAIN} --acme.email=${CHATONS_MAIL}
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+      - 127.0.0.1:8080:8080
+    networks:
+      - traefik
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${CHATONS_ROOT_DIR}/traefik/acme.json:/acme.json
+      - ${CHATONS_ROOT_DIR}/traefik/traefik.toml:/traefik.toml
+
+### NETWORKS
+
+networks:
+  traefik:
+  cloud:
+  homepage:
+  pad:
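Review bot: The `traefik` service bind-mounts `/var/run/docker.sock` read-write, which makes the one container that terminates all inbound traffic root-equivalent on the host, since anything that can write to the Docker API can start a privileged container. Mount it `:ro` at minimum (`- /var/run/docker.sock:/var/run/docker.sock:ro`), with the caveat that a read-only mount only protects the socket node itself and not API calls over it, so a socket proxy exposing just the read endpoints Traefik needs is the real fix. The `mariadb`, `nextcloud` and `traefik` images are also unpinned while `traefik.toml` and the `--docker.domain`/`--acme.email` flags are written for the 1.x configuration format, so a future `latest` with an incompatible format would take every service down on the next pull; pin at least a major tag. Minor: quote the port mappings as strings (`- "80:80"`, `- "443:443"`), the usual Compose convention to keep them out of YAML's implicit-typing rules.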

+ 0 - 19
git/docker-compose.yml

@@ -1,19 +0,0 @@
-version: '2'
-
-services:
-  app:
-    image: gitlab/gitlab-ce
-    restart: always
-    hostname: 'git.oxyta.net'
-    environment:
-      - GITLAB_OMNIBUS_CONFIG |
-        external_url 'https://git.oxyta.net'
-        gitlab_rails['gitlab_ssh_host'] = 'oxyta.net'
-    volumes:
-      - /srv/gitlab/app/config:/etc/gitlab
-      - /srv/gitlab/app/logs:/var/log/gitlab
-      - /srv/gitlab/app/data:/var/opt/gitlab
-    restart: always
-    ports:
-      - "127.0.0.1:9002:80"
-      - "22:22"

+ 0 - 41
git/nginx.conf

@@ -1,41 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name git.oxyta.net www.git.oxyta.net;
-    return 301 https://git.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name www.git.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    return 301 https://git.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name git.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    access_log  /var/log/nginx/git.log;
-    error_log  /var/log/nginx/git.err;
-
-    location /.well-known {
-        alias /srv/letsencrypt/.well-known;
-    }
-
-    location / {
-        proxy_pass http://127.0.0.1:9002;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-

+ 0 - 13
homepage/README.md

@@ -1,13 +0,0 @@
-# Homepage in frontal_app
-
-## Install
-
-    cd homepage
-    ln -s $PWD/nginx.conf /etc/nginx/sites-enabled/frontal
-    docker-compose up -d
-
-## Update
-
-    cd homepage
-    docker-compose build --no-cache
-    docker-compose up -d

+ 0 - 8
homepage/docker-compose.yml

@@ -1,8 +0,0 @@
-version: '2'
-
-services:
-  app:
-    build: .
-    restart: always
-    ports:
-      - "127.0.0.1:8999:80"

+ 0 - 40
homepage/nginx.conf

@@ -1,40 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name oxyta.net www.oxyta.net;
-    return 301 https://oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name www.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    return 301 https://oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    access_log  /var/log/nginx/log;
-    error_log  /var/log/nginx/err;
-
-    location /.well-known {
-        alias /srv/letsencrypt/.well-known;
-    }
-
-    location / {
-        proxy_pass http://127.0.0.1:8999;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}

+ 57 - 0
install.md

@@ -0,0 +1,57 @@
+## Install
+
+```
+# Install docker
+# See https://docs.docker.com/engine/installation/linux/docker-ce/debian/#install-using-the-repository
+apt install \
+     apt-transport-https \
+     ca-certificates \
+     curl \
+     gnupg2 \
+     software-properties-common
+
+curl -fsSL https://download.docker.com/linux/$(. /etc/os-release; echo "$ID")/gpg | apt-key add -
+
+echo \
+   "deb [arch=amd64] https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
+   $(lsb_release -cs) \
+   stable" \
+   > /etc/apt/sources.list.d/docker.list
+
+apt update && apt install docker-ce msmtp python3-pip
+
+# install docker-compose
+pip3 install docker-compose
+
+# Start docker
+systemctl start docker
+systemctl enable docker
+
+# Add keys
+cd
+git clone https://framagit.org/altermediatic/keys.git
+cd .ssh
+rm -f authorized_keys
+ln -s ../keys/ssh authorized_keys
+
+# Add this repo
+cd
+git clone https://framagit.org/altermediatic/docker-atelier.git
+cd docker-atelier
+
+# Configure environment variables in setup.sh then run it
+cp setup.sh.dist setup.sh
+vim setup.sh
+./setup.sh
+
+# Deploy Services (project name should only be set via the setup.sh file!)
+docker-compose up -d
+```
+
+## Configure mail
+
+[doc](mail)
+
+## Update homepage
+
+docker-compose build --no-cache

+ 0 - 28
nginx.conf

@@ -1,28 +0,0 @@
-worker_processes  1;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include           mime.types;
-    default_type      application/octet-stream;
-    keepalive_timeout 65;
-    sendfile          on;
-    gzip              on;
-    gzip_http_version 1.1;
-    gzip_comp_level   2;
-    gzip_types        text/plain text/css
-                      application/x-javascript text/xml
-                      application/xml application/xml+rss
-                      text/javascript;
-    include           /etc/nginx/sites-enabled/*;
-    server {
-        listen 80 default_server;
-        listen [::]:80;
-        server_name _;
-        location /.well-known {
-            alias /srv/letsencrypt/.well-known;
-        }
-    }
-}

+ 0 - 25
pad/docker-compose.yml

@@ -1,25 +0,0 @@
-version: '2'
-
-services:
-  db:
-    image: mysql
-    restart: always
-    volumes:
-      - /srv/etherpad/db:/var/lib/mysql
-    env_file:
-      - .env
-
-  app:
-    build: .
-    restart: always
-    links:
-      - db
-    volumes:
-      - /srv/etherpad/app:/opt/etherpad-lite/var
-    env_file:
-      - .env
-    environment:
-      - ETHERPAD_DB_HOST=db
-      - ETHERPAD_TITLE=Bloc Note
-    ports:
-      - "127.0.0.1:9001:9001"

+ 0 - 41
pad/nginx.conf

@@ -1,41 +0,0 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name pad.oxyta.net www.pad.oxyta.net;
-    return 301 https://pad.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name www.pad.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    return 301 https://pad.oxyta.net$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name pad.oxyta.net;
-
-    ssl_certificate     /etc/letsencrypt/live/oxyta.net/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/oxyta.net/privkey.pem;
-
-    access_log  /var/log/nginx/pad.log;
-    error_log  /var/log/nginx/pad.err;
-
-    location /.well-known {
-        alias /srv/letsencrypt/.well-known;
-    }
-
-    location / {
-        proxy_pass http://127.0.0.1:9001;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-}
-

+ 45 - 0
setup.sh.dist

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+[ -f .env ] && echo "JUST DONT" && exit 1
+
+## You can (should) customize those variables
+# the docker-compose project name
+export CHATONS_COMPOSE_PROJECT=oxyta
+# the host directory for the containers' volumes
+export CHATONS_ROOT_DIR=./srv
+# the domain name for all services
+export CHATONS_DOMAIN=oxyta.net
+# the email to which services will send important email
+export CHATONS_MAIL=services@$CHATONS_DOMAIN
+
+## Those do not need customization
+export CHATONS_MYSQL_PASSWORD=$(openssl rand -base64 32)
+export CHATONS_MYSQL_ROOT_PASSWORD=$(openssl rand -base64 32)
+
+if [ ! -d "$CHATONS_ROOT_DIR" ]; then
+    echo "error: $CHATONS_ROOT_DIR must exist and be a regular folder" >&2
+    exit 1
+fi
+
+# Export common environment variables
+
+echo "COMPOSE_PROJECT_NAME=$CHATONS_COMPOSE_PROJECT" > .env
+echo "CHATONS_ROOT_DIR=$CHATONS_ROOT_DIR" >> .env
+echo "CHATONS_DOMAIN=$CHATONS_DOMAIN" >> .env
+echo "CHATONS_MAIL=$CHATONS_MAIL" >> .env
+
+# Export specific environment configuration
+
+mkdir -p cloud pad
+
+echo "MYSQL_PASSWORD=$CHATONS_MYSQL_PASSWORD" > cloud/.env
+echo "MYSQL_ROOT_PASSWORD=$CHATONS_MYSQL_ROOT_PASSWORD" >> cloud/.env
+echo "MYSQL_ROOT_PASSWORD=$CHATONS_MYSQL_ROOT_PASSWORD" > pad/.env
+echo "ETHERPAD_DB_PASSWORD=$CHATONS_MYSQL_ROOT_PASSWORD" >> pad/.env
+
+# Configure traefik
+
+mkdir -p "$CHATONS_ROOT_DIR/traefik"
+touch "$CHATONS_ROOT_DIR/traefik/acme.json"
+chmod 600 "$CHATONS_ROOT_DIR/traefik/acme.json"
+sed "s/###DOMAIN###/$CHATONS_DOMAIN/g" traefik/traefik.toml > "$CHATONS_ROOT_DIR/traefik/traefik.toml"
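Review bot: The `.env` files written by the `echo ... > .env` lines inherit the caller's umask, so the freshly generated MySQL passwords are normally world-readable on the host, even though `acme.json` a few lines below is correctly locked to `chmod 600`; add `umask 077` before the first write (or chmod 600 each file afterwards). The single `CHATONS_MYSQL_ROOT_PASSWORD` is also reused as root password for both `cloud_db` and `pad_db` and handed to the etherpad application as `ETHERPAD_DB_PASSWORD`, so the pad app runs against its database as root and a leak from one container exposes the other; generate a separate secret for pad, and — since `cloud_db` already shows the mariadb `MYSQL_USER`/`MYSQL_PASSWORD` pattern — consider a dedicated pad user, although the etherpad image's variable for the DB user is not visible in this change. Finally the script runs under `#!/bin/sh` without `set -eu`, so a failing `openssl rand` would silently produce empty passwords.
```shell
#!/bin/sh
set -eu
# secrets are written to .env files below; keep them owner-only
umask 077
# … unchanged: guard against existing .env, customizable variables …
export CHATONS_MYSQL_PASSWORD=$(openssl rand -base64 32)
export CHATONS_MYSQL_ROOT_PASSWORD=$(openssl rand -base64 32)
export CHATONS_PAD_MYSQL_ROOT_PASSWORD=$(openssl rand -base64 32)
# … unchanged: root dir check, common .env, cloud/.env …
echo "MYSQL_ROOT_PASSWORD=$CHATONS_PAD_MYSQL_ROOT_PASSWORD" > pad/.env
echo "ETHERPAD_DB_PASSWORD=$CHATONS_PAD_MYSQL_ROOT_PASSWORD" >> pad/.env
# … unchanged: traefik setup …
```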

+ 39 - 0
traefik/traefik.toml

@@ -0,0 +1,39 @@
+debug = false
+checkNewVersion = true
+logLevel = "ERROR"
+defaultEntryPoints = ["https","http"]
+
+[web]
+# web ui on 8080
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.redirect]
+    # For this to work, there must be a corresponding frontend rule
+    # See https://github.com/containous/traefik/issues/919#issuecomment-311033114
+    # TODO For now the setup script replace those placeholders
+    regex = "^https://www.###DOMAIN###/(.*)"
+    replacement = "https://###DOMAIN###/$1"
+  [entryPoints.https.tls]
+
+[docker]
+# the domain is set on the command line
+endpoint = "unix:///var/run/docker.sock"
+watch = true
+exposedbydefault = false
+
+[acme]
+# the email is set on the command line
+storage = "acme.json"
+entryPoint = "https"
+OnHostRule = true
+#acmeLogging = true
+#caServer = "https://acme-staging.api.letsencrypt.org/directory"
+[acme.httpChallenge]
+  entryPoint = "http"
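Review bot: The `[web]` section enables the Traefik 1.x API/dashboard with no authentication; it is only safe because the compose file happens to bind 8080 to `127.0.0.1`, and nothing in this file records that dependency, so any local user or a later change to the port binding exposes the full routing configuration. Either add `[web.auth.basic]` with a `users` entry or replace the `# web ui on 8080` comment with `# unauthenticated: must stay bound to loopback in docker-compose.yml`. `[entryPoints.https.tls]` is also left empty, so the TLS floor is whatever the Traefik build defaults to; Traefik 1.x accepts `minVersion = "VersionTLS12"` under that table, which is worth setting explicitly. Note too that `###DOMAIN###` is substituted by `sed` into a regex without escaping, so the dots in the domain act as wildcards; harmless given the Host frontend rule, but `^https://www\\.###DOMAIN###/(.*)` would be exact.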
+