Add compose file and .env template for single domain deployment

This commit is contained in:
¯\_(ツ)_/¯ 2021-03-23 09:35:36 +01:00 committed by Thomas Basler
parent d8d11cb008
commit f403bb83cb
5 changed files with 176 additions and 1 deletions

1
.gitignore vendored

@ -7,3 +7,4 @@ docker-compose.override.yaml
maps/yarn.lock
maps/dist/computer.js
maps/dist/computer.js.map
contrib/docker/acme


@ -0,0 +1,38 @@
## The single (sub)domain to use
BASE_DOMAIN=wa.example.com
DEBUG_MODE=false
## JITSI settings
JITSI_URL=meet.jit.si
# If your Jitsi environment has authentication set up, you MUST set JITSI_PRIVATE_MODE to "true" and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
JITSI_PRIVATE_MODE=false
JITSI_ISS=
SECRET_JITSI_KEY=
## ADMIN backend settings
ADMIN_API_TOKEN=2342
ADMIN_API_URL=
## TURN server settings
# URL of the TURN server (needed to "punch a hole" through some networks for P2P connections)
STUN_SERVER=
TURN_SERVER=
TURN_USER=
TURN_PASSWORD=
## Reverse proxy settings (note: these must also be manually activated in the docker-compose file for now)
TRAEFIK_BASICAUTH=testuser:$2y$05$L2t/Wx937mHhKH61mjPL7OvepvjcyUnzVUkpiMo.nKeWSdRd5oyUC
TRAEFIK_BASICAUTHFILE=/.htpasswd
# Maximum allowed number of people per "ring" group
MAX_PER_GROUP=5
# The URL used by default, in the form: "/_/global/map/url.json" or with active admin backend as "/@/org/world/room"
START_ROOM_URL=/_/global/maps.workadventu.re/Floor0/floor0.json
# The email address used by Let's encrypt to send renewal warnings (compulsory)
ACME_EMAIL=
# Set to true to allow using this instance as a target for the apiUrl property
FEDERATE_PUSHER=false
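Review bot: `ADMIN_API_TOKEN=2342` ships a concrete token in the template, so a deployment that copies the file without editing it authenticates to the admin endpoints with a value anyone can read in this repository; leave it empty like the other secrets (`ADMIN_API_TOKEN=`) and document it with `# Shared token for the admin backend; set to a long random value`. The same applies to `TRAEFIK_BASICAUTH=testuser:$2y$05$...`, whose bcrypt hash is published here — the comment should say the pair must be regenerated (for example with `htpasswd -nB`) before the auth middleware in the compose file is uncommented. Depending on the Compose version, `$` sequences in .env values may be interpolated, so the `$2y$05$` hash may need `$$` escaping; check the rendered label rather than assuming. The comment above `STUN_SERVER` describes only the TURN URL; a separate `# STUN server used for ICE candidate discovery` line above `STUN_SERVER=` would cover both keys.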

0
contrib/docker/.htpasswd Normal file


@ -0,0 +1,123 @@
version: "3"
services:
reverse-proxy:
image: traefik:v2.3.7
restart: unless-stopped
command:
- --providers.docker
- --entryPoints.web.address=:80
- --entrypoints.web.http.redirections.entryPoint.to=websecure
- --entrypoints.web.http.redirections.entryPoint.scheme=https
- --entrypoints.web.http.redirections.entrypoint.permanent=true
- --entryPoints.websecure.address=:443
- --providers.file.directory=/configs/
- --certificatesresolvers.myhttpchallenge.acme.tlschallenge=true
- --certificatesresolvers.myhttpchallenge.acme.email=$ACME_EMAIL
- --certificatesresolvers.myhttpchallenge.acme.storage=/acme/acme.json
ports:
- "80:80"
- "443:443"
depends_on:
- back
- front
- up
- pusher
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./acme:/acme
- ./traefik_tls.yaml:/configs/traefik_tls.yml
- ./.htpasswd:/.htpasswd
front:
restart: unless-stopped
build:
context: ../..
dockerfile: front/Dockerfile
args:
BASE_DOMAIN: ${BASE_DOMAIN:-workadventure.localhost}
# These should fall back to window.location.host
API_URL: ""
UPLOADER_URL: ""
START_ROOM_URL: "$START_ROOM_URL"
JITSI_PRIVATE_MODE: "$JITSI_PRIVATE_MODE"
JITSI_URL: "$JITSI_URL"
START_ROOM_URL: "$START_ROOM_URL"
STUN_SERVER: "$STUN_SERVER"
TURN_PASSWORD: "$TURN_PASSWORD"
TURN_SERVER: "$TURN_SERVER"
TURN_USER: "$TURN_USER"
MAX_PER_GROUP: "$MAX_PER_GROUP"
labels:
- "traefik.http.routers.front.rule=PathPrefix(`/`)"
- "traefik.http.routers.front.rule=Host(`${BASE_DOMAIN}`)"
- "traefik.http.routers.front.entryPoints=web"
- "traefik.http.services.front.loadbalancer.server.port=8000"
- "traefik.http.routers.front-ssl.rule=PathPrefix(`/`)"
- "traefik.http.routers.front-ssl.rule=Host(`${BASE_DOMAIN}`)"
- "traefik.http.routers.front-ssl.entryPoints=websecure"
- "traefik.http.routers.front-ssl.tls=true"
- "traefik.http.routers.front-ssl.service=front"
- "traefik.http.routers.front-ssl.tls.certresolver=myhttpchallenge"
# uncomment to enable user/pass basic auth
# - "traefik.http.routers.front.middlewares=auth"
# - "traefik.http.routers.front-ssl.middlewares=auth"
# - "traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_BASICAUTH}"
# - "traefik.http.middlewares.auth.basicauth.usersFile=${TRAEFIK_BASICAUTHFILE}"
# - "traefik.http.middlewares.auth.basicauth.headerField=X-WebAuth-User"
pusher:
restart: unless-stopped
build:
context: ../..
dockerfile: pusher/Dockerfile
environment:
SECRET_KEY: yourSecretKey
SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
ADMIN_API_TOKEN: "$ADMIN_API_TOKEN"
ADMIN_API_URL: "$ADMIN_API_URL"
API_URL: back:50051
JITSI_URL: $JITSI_URL
JITSI_ISS: $JITSI_ISS
labels:
- "traefik.http.routers.pusher.rule=Path(`/admin/rooms`, `/room`, `/verify`, `/register`, `/anonymLogin`, `/metrics`, `/dump`, `/map`)"
- "traefik.http.routers.pusher.entryPoints=web"
- "traefik.http.services.pusher.loadbalancer.server.port=8080"
- "traefik.http.routers.pusher-ssl.rule=Path(`/admin/rooms`, `/room`, `/verify`, `/register`, `/anonymLogin`, `/metrics`, `/dump`, `/map`)"
- "traefik.http.routers.pusher-ssl.entryPoints=websecure"
- "traefik.http.routers.pusher-ssl.tls=true"
- "traefik.http.routers.pusher-ssl.service=pusher"
- "traefik.http.routers.pusher-ssl.tls.certresolver=myhttpchallenge"
back:
restart: unless-stopped
build:
context: ../..
dockerfile: back/Dockerfile
environment:
SECRET_KEY: yourSecretKey
SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
ADMIN_API_TOKEN: "$ADMIN_API_TOKEN"
ADMIN_API_URL: "$ADMIN_API_URL"
JITSI_URL: $JITSI_URL
JITSI_ISS: $JITSI_ISS
MAX_PER_GROUP: $MAX_PER_GROUP
up:
restart: unless-stopped
build:
context: ../..
dockerfile: uploader/Dockerfile
labels:
- "traefik.http.routers.up.rule=Path(`/upload-audio-message`, `/download-audio-message`)"
- "traefik.http.routers.up.entryPoints=web"
- "traefik.http.services.up.loadbalancer.server.port=8080"
- "traefik.http.routers.up-ssl.rule=Path(`/upload-audio-message`, `/download-audio-message`)"
- "traefik.http.routers.up-ssl.entryPoints=websecure"
- "traefik.http.routers.up-ssl.tls=true"
- "traefik.http.routers.up-ssl.service=up"
- "traefik.http.routers.up-ssl.tls.certresolver=myhttpchallenge"
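Review bot: `SECRET_KEY: yourSecretKey` is hard-coded for both the `pusher` and `back` services while every other secret in this file is read from the .env template, so a deployment that only edits .env still runs with a value published in the repository; change both lines to `SECRET_KEY: "$SECRET_KEY"` and add an empty `SECRET_KEY=` entry to the template. The `front` build args list `START_ROOM_URL` twice (a duplicate mapping key that most YAML parsers resolve last-wins), and the label list assigns `traefik.http.routers.front.rule` and `traefik.http.routers.front-ssl.rule` twice each — container labels form a map, so one of the `PathPrefix`/`Host` rules is silently dropped; combine them into a single rule, Host(`${BASE_DOMAIN}`) && PathPrefix(`/`), or keep only the Host rule. Because `--providers.docker` routes every container on the daemon by default, add `--providers.docker.exposedByDefault=false` and label the four routed services with `traefik.enable=true`, and mount the socket read-only, `/var/run/docker.sock:/var/run/docker.sock:ro`, since the proxy needs only to watch events. The rendered page has lost the file's indentation, so the nesting referred to above is inferred from the original structure.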


@ -0,0 +1,13 @@
tls:
options:
default:
sniStrict: true
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
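Review bot: The options file lacks comments on two choices a maintainer will trip over: `sniStrict: true` makes Traefik refuse TLS connections that carry no SNI (direct-IP access, some health checks), and `cipherSuites` only governs TLS 1.2 handshakes because TLS 1.3 suites are not configurable in the Go TLS stack Traefik uses. Suggest `# Reject TLS clients that send no SNI; direct-IP requests will fail` above `sniStrict` and `# Applies to TLS 1.2 only; TLS 1.3 suites are fixed by the runtime` above `cipherSuites`.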