From ff217b4086223e3683f35155fa05c3c82c85f7d2 Mon Sep 17 00:00:00 2001 From: notplants Date: Mon, 12 Jan 2026 15:45:15 -0500 Subject: [PATCH 1/4] working on nginx integration --- .gitignore | 1 + abra.sh | 2 ++ compose.yml | 51 +++++++++++++++++++++++++++++++++++++++---------- config.js.tmpl | 6 ++++-- nginx.conf.tmpl | 48 ++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 96 insertions(+), 12 deletions(-) create mode 100644 nginx.conf.tmpl diff --git a/.gitignore b/.gitignore index 7a6353d..f1d97b0 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .envrc +.idea diff --git a/abra.sh b/abra.sh index a9a8715..17960dc 100644 --- a/abra.sh +++ b/abra.sh @@ -1 +1,3 @@ export CONFIG_VERSION=v2 +export CONFIG_JS_VERSION=v1 +export NGINX_CONF_VERSION=v1 diff --git a/compose.yml b/compose.yml index 4617c01..0665e3a 100644 --- a/compose.yml +++ b/compose.yml @@ -3,9 +3,9 @@ version: "3.8" services: app: - image: cryptpad/cryptpad:version-2024.3.0 + image: cryptpad/cryptpad:version-2025.9.0 networks: - - proxy + - backend environment: - "CPAD_MAIN_DOMAIN=${DOMAIN}" - "CPAD_SANDBOX_DOMAIN=${SANDBOX_DOMAIN}" @@ -14,7 +14,8 @@ services: - "CPAD_HTTP2_DISABLE=true" - "CPAD_REALIP_RECURSIVE=on" - "CPAD_REALIP_HEADER=X-Real-Ip" - - CPAD_CONF=/cryptpad/config/config.js + - "CPAD_TRUST_PROXY=1" + - "CPAD_CONF=/cryptpad/config/config.js" volumes: - cryptpad_blob:/cryptpad/blob 
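Review bot: `CPAD_TRUST_PROXY=1` is introduced in the second compose hunk while the same series puts two proxies in front of the node process (Traefik, then the new nginx `web` service), and a value of 1 reads like a single trusted hop; if the image maps this to an Express-style `trust proxy` depth, the client address derived from `X-Forwarded-For` would be nginx's rather than the browser's. Confirm the semantics against the image and record the topology next to the variable, e.g. `# hops in front of node: traefik -> web (nginx) -> app; keep in sync with CPAD_TRUST_PROXY`. Moving `app` from `proxy` to the internal `backend` network in the first hunk is the property that keeps the node listener private; a one-line comment such as `# reachable only through the web service; never attach app to proxy` would stop a later edit from re-adding it. The `environment:` list continues outside the hunk.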
@@ -31,13 +32,16 @@ services:
 restart_policy:
 condition: on-failure
 labels:
- - "traefik.enable=true"
- - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
- - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}`${EXTRA_DOMAINS})"
- - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
- - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
- - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}"
- - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=${SANDBOX_DOMAIN}"
+ - "traefik.enable=false"
+ - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+ - "coop-cloud.${STACK_NAME}.version=0.4.0+version-2025.9.0"
+# - "traefik.enable=true"
+# - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+# - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}`${EXTRA_DOMAINS})"
+# - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+# - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+# - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}"
+# - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=${SANDBOX_DOMAIN}"
 ## Redirect from EXTRA_DOMAINS to DOMAIN
 #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
 #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
@@ -50,9 +54,32 @@ services: # retries: 10 # start_period: 1m + web: + image: nginx:1.25 + configs: + - source: nginx_conf + target: /etc/nginx/conf.d/default.conf + networks: + proxy: + backend: + depends_on: + - app + environment: + - STACK_NAME + deploy: + labels: + - "traefik.enable=true" + - "traefik.docker.network=proxy" + - "traefik.http.routers.${STACK_NAME}.tls=true" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8083" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}` `${SANDBOX_DOMAIN}` ${EXTRA_DOMAINS})" + - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" + networks: proxy: external: true + backend: volumes: cryptpad_blob: @@ -67,3 +94,7 @@ configs: name: ${STACK_NAME}_config_${CONFIG_VERSION} file: config.js.tmpl template_driver: golang + nginx_conf: + name: ${STACK_NAME}_nginx_conf_${NGINX_CONF_VERSION} + file: nginx.conf.tmpl + template_driver: golang diff --git a/config.js.tmpl b/config.js.tmpl index 3dda44d..706470e 100644 --- a/config.js.tmpl +++ b/config.js.tmpl @@ -46,7 +46,8 @@ module.exports = { * cryptpad/docs/example.nginx.conf (see the $main_domain variable) * */ - httpUnsafeOrigin: 'https://{{ env "CPAD_MAIN_DOMAIN" }}', + //httpUnsafeOrigin: 'https://{{ env "CPAD_MAIN_DOMAIN" }}', + httpUnsafeOrigin: 'http://localhost:3000', /* httpSafeOrigin is the URL that is used for the 'sandbox' described above. * If you're testing or developing with CryptPad on your local machine then @@ -67,7 +68,8 @@ module.exports = { * * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. */ - httpSafeOrigin: 'https://{{ env "CPAD_SANDBOX_DOMAIN" }}', + //httpSafeOrigin: 'https://{{ env "CPAD_SANDBOX_DOMAIN" }}', + //httpSafeOrigin: 'http://localhost:3001', /* httpAddress specifies the address on which the nodejs server * should be accessible. By default it will listen on 127.0.0.1 
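Review bot: The new `web` service pins `nginx:1.25`, a mainline tag that to my knowledge stopped receiving releases in 2024, so the proxy that now fronts the whole instance would not pick up fixes; prefer the current stable line or a digest pin, and bump it alongside the `app` image as this series does for cryptpad. Unlike `app`, which carries `restart_policy: condition: on-failure` under `deploy:`, `web` declares no restart policy, so a crashed nginx task stays down until someone notices; add `restart_policy: { condition: on-failure }` under its `deploy:`. `depends_on` is ignored by `docker stack deploy`, so it documents intent only and is worth a comment saying so. The `services:` mapping continues outside the hunk.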
diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl
new file mode 100644
index 0000000..b4017c0
--- /dev/null
+++ b/nginx.conf.tmpl
@@ -0,0 +1,48 @@
+upstream cryptpad_app {
+ server {{ env "STACK_NAME" }}_app:3000;
+}
+
+upstream cryptpad_ws {
+ #server {{ env "STACK_NAME" }}_app:3003;
+ server {{ env "STACK_NAME" }}_app:3000;
+}
+
+server {
+ listen 8083;
+ server_name localhost;
+
+ access_log /var/log/cpad.log;
+ error_log /var/log/cpad-error.log;
+ #access_log /dev/null;
+ #error_log /dev/null emerg;
+
+ # Main CryptPad app
+ location / {
+ proxy_pass http://cryptpad_app;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ client_max_body_size 150m;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ }
+
+ # WebSocket endpoint
+ location ^~ /cryptpad_websocket {
+ proxy_pass http://cryptpad_ws;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection upgrade;
+ }
+}
\ No newline at end of file
-- 
2.49.0
From 97ab3f4012c7573770db5e7c75f56bfc8ccbd176 Mon Sep 17 00:00:00 2001
From: notplants
Date: Mon, 12 Jan 2026 16:17:42 -0500
Subject: [PATCH 2/4] working recipe using nginx
---
 README.md | 2 +-
 compose.yml | 6 +++---
 config.js.tmpl | 8 +++-----
 nginx.conf.tmpl | 13 ++-----------
 4 files changed, 9 insertions(+), 20 deletions(-)
diff --git a/README.md b/README.md
index fd108fe..196110c 100644
--- a/README.md
+++ b/README.md
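Review bot: `proxy_set_header X-Forwarded-Proto $scheme;` in both locations overwrites the header Traefik set with `http`, because this server only listens on plain `8083` and terminates no TLS, so anything the app derives from that header (secure-cookie or redirect decisions, presumably) sees a plaintext origin; pass the upstream value through with `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` or drop the line so Traefik's header is forwarded untouched. `X-Real-IP $remote_addr` has the same shape of problem: `$remote_addr` here is Traefik's address, so the node process can only learn the client address from the `X-Forwarded-For` chain, which the second patch's removal of `CPAD_REALIP_*` from compose.yml seems to rely on. Setting `Connection upgrade` unconditionally on `location /` works but the usual idiom is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` at the top of this file, and idle websocket sessions under `/cryptpad_websocket` are subject to nginx's default `proxy_read_timeout` (60s) unless it is set explicitly. The per-IP detail logged to `/var/log/cpad.log` inside the container is unbounded and unrotated; consider the commented `/dev/null` lines or stdout/stderr as the image does.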
@@ -27,4 +27,4 @@ 6. Open the configured domain in your browser to finish set-up [`abra`]: https://git.coopcloud.tech/coop-cloud/abra -[`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik +[`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik \ No newline at end of file diff --git a/compose.yml b/compose.yml index 0665e3a..dd04d84 100644 --- a/compose.yml +++ b/compose.yml @@ -12,8 +12,8 @@ services: # Traefik can't use HTTP2 to communicate with cryptpat_websocket # A workaroung is disabling HTTP2 in Nginx - "CPAD_HTTP2_DISABLE=true" - - "CPAD_REALIP_RECURSIVE=on" - - "CPAD_REALIP_HEADER=X-Real-Ip" +# - "CPAD_REALIP_RECURSIVE=on" +# - "CPAD_REALIP_HEADER=X-Real-Ip" - "CPAD_TRUST_PROXY=1" - "CPAD_CONF=/cryptpad/config/config.js" @@ -72,7 +72,7 @@ services: - "traefik.docker.network=proxy" - "traefik.http.routers.${STACK_NAME}.tls=true" - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8083" - - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}` `${SANDBOX_DOMAIN}` ${EXTRA_DOMAINS})" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}` ${EXTRA_DOMAINS})" - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" diff --git a/config.js.tmpl b/config.js.tmpl index 706470e..ac5b563 100644 --- a/config.js.tmpl +++ b/config.js.tmpl @@ -46,8 +46,7 @@ module.exports = { * cryptpad/docs/example.nginx.conf (see the $main_domain variable) * */ - //httpUnsafeOrigin: 'https://{{ env "CPAD_MAIN_DOMAIN" }}', - httpUnsafeOrigin: 'http://localhost:3000', + httpUnsafeOrigin: 'https://{{ env "CPAD_MAIN_DOMAIN" }}', /* httpSafeOrigin is the URL that is used for the 'sandbox' described above. * If you're testing or developing with CryptPad on your local machine then 
@@ -68,8 +67,7 @@ module.exports = { * * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. */ - //httpSafeOrigin: 'https://{{ env "CPAD_SANDBOX_DOMAIN" }}', - //httpSafeOrigin: 'http://localhost:3001', + httpSafeOrigin: 'https://{{ env "CPAD_SANDBOX_DOMAIN" }}', /* httpAddress specifies the address on which the nodejs server * should be accessible. By default it will listen on 127.0.0.1 @@ -77,7 +75,7 @@ module.exports = { * all addresses, including IPv6, set this to '::'. * */ - //httpAddress: '::', + httpAddress: '::', /* httpPort specifies on which port the nodejs server should listen. * By default it will serve content over port 3000, which is suitable diff --git a/nginx.conf.tmpl b/nginx.conf.tmpl index b4017c0..3fee226 100644 --- a/nginx.conf.tmpl +++ b/nginx.conf.tmpl @@ -1,12 +1,3 @@ -upstream cryptpad_app { - server {{ env "STACK_NAME" }}_app:3000; -} - -upstream cryptpad_ws { - #server {{ env "STACK_NAME" }}_app:3003; - server {{ env "STACK_NAME" }}_app:3000; -} - server { listen 8083; server_name localhost; @@ -18,7 +9,7 @@ server { # Main CryptPad app location / { - proxy_pass http://cryptpad_app; + proxy_pass http://{{ env "STACK_NAME" }}_app:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -34,7 +25,7 @@ server { # WebSocket endpoint location ^~ /cryptpad_websocket { - proxy_pass http://cryptpad_ws; + proxy_pass http://{{ env "STACK_NAME" }}_app:3003; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; -- 2.49.0 From 2128cc5b6dd6cb7de77571dcdb4473968b6c71bb Mon Sep 17 00:00:00 2001 From: notplants Date: Mon, 12 Jan 2026 16:19:24 -0500 Subject: [PATCH 3/4] cleanup of comments --- compose.yml | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/compose.yml b/compose.yml index dd04d84..c75b799 100644 --- a/compose.yml +++ b/compose.yml 
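Review bot: `httpAddress: '::'` in the second config.js.tmpl hunk makes the node process listen on every interface of its container, which nginx now needs to reach it over the `backend` network, but it is only safe while `app` is attached to no external network, and nothing at this line says so. Add a comment directly above it: `// Bind all interfaces: the process is only reachable from the internal backend network via the nginx "web" service (see compose.yml); never attach app to the proxy network.` In the nginx hunks, replacing the `upstream` blocks with `proxy_pass http://{{ env "STACK_NAME" }}_app:3003;` means nginx resolves the service name once at config load; if the app service is recreated rather than updated in place, the proxy keeps the stale address until it is restarted, which is worth a comment next to the `proxy_pass` lines. The `module.exports` object and the `server {}` block both begin and end outside these hunks.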
@@ -9,11 +9,9 @@ services: environment: - "CPAD_MAIN_DOMAIN=${DOMAIN}" - "CPAD_SANDBOX_DOMAIN=${SANDBOX_DOMAIN}" - # Traefik can't use HTTP2 to communicate with cryptpat_websocket + # Traefik can't use HTTP2 to communicate with cryptpad_websocket # A workaroung is disabling HTTP2 in Nginx - "CPAD_HTTP2_DISABLE=true" -# - "CPAD_REALIP_RECURSIVE=on" -# - "CPAD_REALIP_HEADER=X-Real-Ip" - "CPAD_TRUST_PROXY=1" - "CPAD_CONF=/cryptpad/config/config.js" @@ -34,19 +32,7 @@ services: labels: - "traefik.enable=false" - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}" - - "coop-cloud.${STACK_NAME}.version=0.4.0+version-2025.9.0" -# - "traefik.enable=true" -# - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80" -# - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`, `${SANDBOX_DOMAIN}`${EXTRA_DOMAINS})" -# - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" -# - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" -# - "traefik.http.routers.${STACK_NAME}.tls.domains[0].main=${DOMAIN}" -# - "traefik.http.routers.${STACK_NAME}.tls.domains[0].sans=${SANDBOX_DOMAIN}" - ## Redirect from EXTRA_DOMAINS to DOMAIN - #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - - "coop-cloud.${STACK_NAME}.version=0.4.0+version-2024.3.0" + - "coop-cloud.${STACK_NAME}.version=0.4.1+version-2025.9.0" # healthcheck: # test: ["CMD", "curl", "-f", "http://localhost"] # interval: 30s -- 2.49.0 From cfa170509c643eeb35a31a90d4f2c32cb19fb197 Mon Sep 17 00:00:00 2001 From: notplants Date: Tue, 13 Jan 2026 12:56:12 -0500 Subject: [PATCH 4/4] add env and readme for configuring admin --- .env.sample | 7 +++++++ README.md | 14 ++++++++++++++ abra.sh | 2 +- compose.yml | 1 + config.js.tmpl | 4 +--- 5 files changed, 24 insertions(+), 4 deletions(-) 
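Review bot: The comment corrected in the first hunk (`Traefik can't use HTTP2 to communicate with cryptpad_websocket` / `A workaroung is disabling HTTP2 in Nginx`) appears to describe the nginx bundled inside the cryptpad image, which the recipe's own `web` service now bypasses by proxying straight to ports 3000 and 3003; if that reading is right, `CPAD_HTTP2_DISABLE=true` no longer affects the request path and the comment is misleading. Either drop the variable with a note, or rewrite the comment to say what it still governs, e.g. `# only affects the nginx inside the cryptpad image; requests now go traefik -> web (nginx) -> node`. `workaroung` on the following context line is a typo worth fixing in the same pass. The `environment:` list continues outside the hunk.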
diff --git a/.env.sample b/.env.sample index 3ed4f3b..fd1bb24 100644 --- a/.env.sample +++ b/.env.sample @@ -6,6 +6,13 @@ DOMAIN=cryptpad.example.com # This is a separate domain for the secure side of Cryptpad. It can be any other domain (subdomain or separate domain) SANDBOX_DOMAIN=sandbox.cryptpad.example.com +# CRYPTPAD_ADMIN_KEYS +## here is an example of the format for one single key +# CRYPTPAD_ADMIN_KEYS= '"[user1@cryptpad.cctest.autonomic.zone/zew-WaKZimxhNSL3iiVL8SCzVzPB8KhIxZNrRKn+uRo=]",' +## here is an example of the format for multiple keys (including here because it was confusing to me) +# CRYPTPAD_ADMIN_KEYS='"[user1@cryptpad.cctest.autonomic.zone/zew-WaKZimxhNSL3iiVL8SCzVzPB8KhIxZNrRKn+uRo=]","[user2@cryptpad.cctest.autonomic.zone/Z7agNvwPXHm9xuEYOYV2YY53fSofgzum86xvhUxJ4nU=]",' + + ## Domain aliases #EXTRA_DOMAINS=', `www.cryptpad.example.com`' LETS_ENCRYPT_ENV=production diff --git a/README.md b/README.md index 196110c..48ec732 100644 --- a/README.md +++ b/README.md 
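Review bot: The two `CRYPTPAD_ADMIN_KEYS` examples embed key entries for `cryptpad.cctest.autonomic.zone`, a real host, whereas the rest of this file uses `cryptpad.example.com`; since each entry is `[user@instance-domain/pubkey]`, copying them verbatim grants an identity from another instance, so use the placeholder domain and an obviously fake key, e.g. `# CRYPTPAD_ADMIN_KEYS='"[admin@cryptpad.example.com/REPLACE_WITH_PUBLIC_KEY=]",'` (constructed placeholder). The first example also has a space after `=` (`CRYPTPAD_ADMIN_KEYS= '...'`) that the second does not; whether abra's env parser tolerates that is not shown here, so make both examples identical in shape. A one-line comment that the value must be valid JavaScript array contents (each key a double-quoted string followed by a comma, because it is pasted verbatim into config.js) would explain the unusual quoting better than `including here because it was confusing to me`.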
@@ -26,5 +26,19 @@ 5. `abra app deploy YOURAPPDOMAIN` 6. Open the configured domain in your browser to finish set-up +At this point, anyone with this domain can register new users with this cryptpad instance. + +After you have registered a first user, here is how you can make this user into an admin. +After logging in as your user, go to: https://cryptpad.cctest.autonomic.zone/profile/ + +Click "Copy Public Key". This will copy your public key into your clipboard. +Then run `abra app config YOURAPPDOMAIN` and set the value of CRYPTPAD_ADMIN_KEYS +to include your public key. The example in .env.sample shows the required format. + +Then redeploy with `abra app deploy YOURAPPDOMAIN --force`. + +Now when you login as your user, and visit https://cryptpad.cctest.autonomic.zone/admin/, +you should be able to access the admin interface for this cryptpad instance. + [`abra`]: https://git.coopcloud.tech/coop-cloud/abra [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik \ No newline at end of file diff --git a/abra.sh b/abra.sh index 17960dc..c38f188 100644 --- a/abra.sh +++ b/abra.sh @@ -1,3 +1,3 @@ export CONFIG_VERSION=v2 -export CONFIG_JS_VERSION=v1 +export CONFIG_JS_VERSION=v2 export NGINX_CONF_VERSION=v1 diff --git a/compose.yml b/compose.yml index c75b799..1ff2e56 100644 --- a/compose.yml +++ b/compose.yml @@ -7,6 +7,7 @@ services: networks: - backend environment: + - CRYPTPAD_ADMIN_KEYS - "CPAD_MAIN_DOMAIN=${DOMAIN}" - "CPAD_SANDBOX_DOMAIN=${SANDBOX_DOMAIN}" # Traefik can't use HTTP2 to communicate with cryptpad_websocket diff --git a/config.js.tmpl b/config.js.tmpl index ac5b563..0559779 100644 --- a/config.js.tmpl +++ b/config.js.tmpl 
@@ -111,11 +111,9 @@ module.exports = { * key, which can be found on the settings page for registered users. * Entries should be strings separated by a comma. */ -/* adminKeys: [ - //"[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", + {{ env "CRYPTPAD_ADMIN_KEYS" }} ], -*/ /* ===================== * STORAGE -- 2.49.0
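Review bot: `{{ env "CRYPTPAD_ADMIN_KEYS" }}` splices the operator's value verbatim into executable config, so a missing quote or comma in `.env` surfaces only as a config.js syntax error at the next deploy, and the retained comment above (`Entries should be strings separated by a comma`) no longer says that each entry must itself be a double-quoted JS string with a trailing comma. Either document that contract next to the line, `// rendered verbatim from CRYPTPAD_ADMIN_KEYS: each entry a double-quoted string followed by a comma (see .env.sample)`, or let the template do the quoting with `{{ range $k := split (env "CRYPTPAD_ADMIN_KEYS") "," }}{{ if $k }}"{{ $k }}",{{ end }}{{ end }}` so the env var becomes a plain comma-separated list of `[user@domain/key]` entries. The second option assumes the golang config template driver exposes `split` and needs `.env.sample` and the README changed in the same commit. The enclosing `module.exports` object begins and ends outside the hunk.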