Add compose file and .env template for single domain deployment
parent
d8d11cb008
commit
f403bb83cb
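--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ docker-compose.override.yaml
 maps/yarn.lock
 maps/dist/computer.js
 maps/dist/computer.js.map
+contrib/docker/acme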
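--- a/contrib/docker/.env.prod.singledomain.template
+++ b/contrib/docker/.env.prod.singledomain.template
@@ -0,0 +1,38 @@
+## The single (sub)domain to use
+BASE_DOMAIN=wa.example.com
+
+DEBUG_MODE=false
+
+## JITSI settings
+JITSI_URL=meet.jit.si
+# If your Jitsi environment has authentication set up, you MUST set JITSI_PRIVATE_MODE to "true" and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
+JITSI_PRIVATE_MODE=false
+JITSI_ISS=
+SECRET_JITSI_KEY=
+
+## ADMIN backend settings
+ADMIN_API_TOKEN=2342
+ADMIN_API_URL=
+
+## TURN server settings
+# URL of the TURN server (needed to "punch a hole" through some networks for P2P connections)
+STUN_SERVER=
+TURN_SERVER=
+TURN_USER=
+TURN_PASSWORD=
+
+## Reverse proxy settings (note: these must also be manually activated in the docker-compose file for now)
+TRAEFIK_BASICAUTH=testuser:$2y$05$L2t/Wx937mHhKH61mjPL7OvepvjcyUnzVUkpiMo.nKeWSdRd5oyUC
+TRAEFIK_BASICAUTHFILE=/.htpasswd
+
+# Maximum allowed number of people per "ring" group
+MAX_PER_GROUP=5
+
+# The URL used by default, in the form: "/_/global/map/url.json" or with active admin backend as "/@/org/world/room"
+START_ROOM_URL=/_/global/maps.workadventu.re/Floor0/floor0.json
+
+# The email address used by Let's encrypt to send renewal warnings (compulsory)
+ACME_EMAIL=
+
+# Set to true to allow using this instance as a target for the apiUrl property
+FEDERATE_PUSHER=false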
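Review bot: `ADMIN_API_TOKEN=2342` and the `TRAEFIK_BASICAUTH=testuser:…` entry put working-looking credentials into a template meant for production, so an operator who copies the file unchanged deploys with values that are public in this repository. The compose file added in the same commit routes `/admin/rooms`, `/metrics` and `/dump` through the public entry points, which makes the token default matter if those endpoints rely on it (not visible here). I would leave both values empty, as is already done for `SECRET_JITSI_KEY=` and `TURN_PASSWORD=`, and add `# Set to a long random value, e.g. from: openssl rand -hex 32` above `ADMIN_API_TOKEN=` and `# Generate with: htpasswd -nB <user>` above `TRAEFIK_BASICAUTH=`. The sample hash also uses bcrypt cost 05, which is low for a value that people may copy as a pattern.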
0
contrib/docker/.htpasswd
Normal file
0
contrib/docker/.htpasswd
Normal file
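--- a/contrib/docker/docker-compose.prod.singledomain.yaml
+++ b/contrib/docker/docker-compose.prod.singledomain.yaml
@@ -0,0 +1,123 @@
+version: "3"
+services:
+reverse-proxy:
+image: traefik:v2.3.7
+restart: unless-stopped
+command:
+- --providers.docker
+- --entryPoints.web.address=:80
+- --entrypoints.web.http.redirections.entryPoint.to=websecure
+- --entrypoints.web.http.redirections.entryPoint.scheme=https
+- --entrypoints.web.http.redirections.entrypoint.permanent=true
+- --entryPoints.websecure.address=:443
+- --providers.file.directory=/configs/
+- --certificatesresolvers.myhttpchallenge.acme.tlschallenge=true
+- --certificatesresolvers.myhttpchallenge.acme.email=$ACME_EMAIL
+- --certificatesresolvers.myhttpchallenge.acme.storage=/acme/acme.json
+ports:
+- "80:80"
+- "443:443"
+depends_on:
+- back
+- front
+- up
+- pusher
+volumes:
+- /var/run/docker.sock:/var/run/docker.sock
+- ./acme:/acme
+- ./traefik_tls.yaml:/configs/traefik_tls.yml
+- ./.htpasswd:/.htpasswd
+
+front:
+restart: unless-stopped
+build:
+context: ../..
+dockerfile: front/Dockerfile
+args:
+BASE_DOMAIN: ${BASE_DOMAIN:-workadventure.localhost}
+
+# These should fall back to window.location.host
+API_URL: ""
+UPLOADER_URL: ""
+
+START_ROOM_URL: "$START_ROOM_URL"
+JITSI_PRIVATE_MODE: "$JITSI_PRIVATE_MODE"
+JITSI_URL: "$JITSI_URL"
+START_ROOM_URL: "$START_ROOM_URL"
+STUN_SERVER: "$STUN_SERVER"
+TURN_PASSWORD: "$TURN_PASSWORD"
+TURN_SERVER: "$TURN_SERVER"
+TURN_USER: "$TURN_USER"
+MAX_PER_GROUP: "$MAX_PER_GROUP"
+labels:
+- "traefik.http.routers.front.rule=PathPrefix(`/`)"
+- "traefik.http.routers.front.rule=Host(`${BASE_DOMAIN}`)"
+- "traefik.http.routers.front.entryPoints=web"
+- "traefik.http.services.front.loadbalancer.server.port=8000"
+- "traefik.http.routers.front-ssl.rule=PathPrefix(`/`)"
+- "traefik.http.routers.front-ssl.rule=Host(`${BASE_DOMAIN}`)"
+- "traefik.http.routers.front-ssl.entryPoints=websecure"
+- "traefik.http.routers.front-ssl.tls=true"
+- "traefik.http.routers.front-ssl.service=front"
+- "traefik.http.routers.front-ssl.tls.certresolver=myhttpchallenge"
+# uncomment to enable user/pass basic auth
+# - "traefik.http.routers.front.middlewares=auth"
+# - "traefik.http.routers.front-ssl.middlewares=auth"
+# - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_BASICAUTH}"
+# - "traefik.http.middlewares.auth.basicauth.usersFile=${TRAEFIK_BASICAUTHFILE}"
+# - "traefik.http.middlewares.auth.basicauth.headerField=X-WebAuth-User"
+
+
+
+pusher:
+restart: unless-stopped
+build:
+context: ../..
+dockerfile: pusher/Dockerfile
+environment:
+SECRET_KEY: yourSecretKey
+SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
+ADMIN_API_TOKEN: "$ADMIN_API_TOKEN"
+ADMIN_API_URL: "$ADMIN_API_URL"
+API_URL: back:50051
+JITSI_URL: $JITSI_URL
+JITSI_ISS: $JITSI_ISS
+labels:
+- "traefik.http.routers.pusher.rule=Path(`/admin/rooms`, `/room`, `/verify`, `/register`, `/anonymLogin`, `/metrics`, `/dump`, `/map`)"
+- "traefik.http.routers.pusher.entryPoints=web"
+- "traefik.http.services.pusher.loadbalancer.server.port=8080"
+- "traefik.http.routers.pusher-ssl.rule=Path(`/admin/rooms`, `/room`, `/verify`, `/register`, `/anonymLogin`, `/metrics`, `/dump`, `/map`)"
+- "traefik.http.routers.pusher-ssl.entryPoints=websecure"
+- "traefik.http.routers.pusher-ssl.tls=true"
+- "traefik.http.routers.pusher-ssl.service=pusher"
+- "traefik.http.routers.pusher-ssl.tls.certresolver=myhttpchallenge"
+
+back:
+restart: unless-stopped
+build:
+context: ../..
+dockerfile: back/Dockerfile
+environment:
+SECRET_KEY: yourSecretKey
+SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
+ADMIN_API_TOKEN: "$ADMIN_API_TOKEN"
+ADMIN_API_URL: "$ADMIN_API_URL"
+JITSI_URL: $JITSI_URL
+JITSI_ISS: $JITSI_ISS
+MAX_PER_GROUP: $MAX_PER_GROUP
+
+up:
+restart: unless-stopped
+build:
+context: ../..
+dockerfile: uploader/Dockerfile
+labels:
+- "traefik.http.routers.up.rule=Path(`/upload-audio-message`, `/download-audio-message`)"
+- "traefik.http.routers.up.entryPoints=web"
+- "traefik.http.services.up.loadbalancer.server.port=8080"
+- "traefik.http.routers.up-ssl.rule=Path(`/upload-audio-message`, `/download-audio-message`)"
+- "traefik.http.routers.up-ssl.entryPoints=websecure"
+- "traefik.http.routers.up-ssl.tls=true"
+- "traefik.http.routers.up-ssl.service=up"
+- "traefik.http.routers.up-ssl.tls.certresolver=myhttpchallenge"
+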
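Review bot: `SECRET_KEY: yourSecretKey` is hard-coded for both `pusher` and `back`, while every other secret in this file is read from the .env template, so a deployment made from this production compose file runs with a key that is public in the repository. If the key signs or verifies session tokens (its use is not visible here), anyone who reads the repository could produce valid ones; I would write `SECRET_KEY: "$SECRET_KEY"` in both services and add an empty `SECRET_KEY=` with a generation hint to `.env.prod.singledomain.template`. In `front`, the labels `traefik.http.routers.front.rule` and `traefik.http.routers.front-ssl.rule` are each given twice and `START_ROOM_URL` appears twice under `args`; with duplicate keys one value is silently dropped, so if both matchers are intended they should be joined with `&&` in a single rule. The internet-facing `reverse-proxy` also mounts `/var/run/docker.sock`, which gives that container the Docker API of the host, and this deserves at least a comment noting the exposure.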
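--- a/contrib/docker/traefik_tls.yaml
+++ b/contrib/docker/traefik_tls.yaml
@@ -0,0 +1,13 @@
+tls:
+options:
+default:
+sniStrict: true
+minVersion: VersionTLS12
+cipherSuites:
+- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+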
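Review bot: The TLS options have no comments, and two of their effects are easy to miss when debugging a deployment. I would add `# Reject handshakes without SNI or with a name that has no matching certificate` above `sniStrict: true`, and `# Applies to TLS 1.2 only; TLS 1.3 suites are not configurable` above `cipherSuites:`. With `sniStrict` enabled, clients are refused rather than served the default certificate until the ACME resolver has issued one for `BASE_DOMAIN`.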