Further progress
This commit is contained in:
parent
94d6be821e
commit
385b30d6b4
|
@ -0,0 +1,3 @@
|
||||||
|
export NGINX_CONF_VERSION=v5
|
||||||
|
export ENTRYPOINT_APP_VERSION=v2
|
||||||
|
export CONFIG_HJSON_VERSION=v4
|
106
compose.yml
106
compose.yml
|
@ -6,39 +6,44 @@ services:
|
||||||
image: dessalines/lemmy:0.16.1
|
image: dessalines/lemmy:0.16.1
|
||||||
environment:
|
environment:
|
||||||
- RUST_LOG="warn,lemmy_server=info,lemmy_api=info,lemmy_api_common=info,lemmy_api_crud=info,lemmy_apub=info,lemmy_db_schema=info,lemmy_db_views=info,lemmy_db_views_actor=info,lemmy_db_views_moderator=info,lemmy_routes=info,lemmy_utils=info,lemmy_websocket=info"
|
- RUST_LOG="warn,lemmy_server=info,lemmy_api=info,lemmy_api_common=info,lemmy_api_crud=info,lemmy_apub=info,lemmy_db_schema=info,lemmy_db_views=info,lemmy_db_views_actor=info,lemmy_db_views_moderator=info,lemmy_routes=info,lemmy_utils=info,lemmy_websocket=info"
|
||||||
|
- DOMAIN
|
||||||
|
- STACK_NAME
|
||||||
|
- ADMIN_USERNAME
|
||||||
|
- SITE_NAME
|
||||||
|
- SLUR_FILTER
|
||||||
volumes:
|
volumes:
|
||||||
- ./lemmy.hjson:/config/config.hjson
|
- lemmy_config:/config/
|
||||||
|
secrets:
|
||||||
|
- admin_password
|
||||||
|
entrypoint: ['/docker-entrypoint.sh']
|
||||||
|
# entrypoint: ['tail', '-f', '/dev/null']
|
||||||
|
configs:
|
||||||
|
- source: config_hjson_conf
|
||||||
|
target: /config/config.hjson.tmpl
|
||||||
|
- source: entrypoint_app_conf
|
||||||
|
target: /docker-entrypoint.sh
|
||||||
|
mode: 0555
|
||||||
depends_on:
|
depends_on:
|
||||||
- postgres
|
- postgres
|
||||||
- pictrs
|
- pictrs
|
||||||
|
networks:
|
||||||
|
- backend
|
||||||
deploy:
|
deploy:
|
||||||
restart_policy:
|
restart_policy:
|
||||||
condition: on-failure
|
condition: on-failure
|
||||||
labels:
|
labels:
|
||||||
- "coop-cloud.${STACK_NAME}.version="
|
- "coop-cloud.${STACK_NAME}.version="
|
||||||
|
|
||||||
lemmy-ui:
|
ui:
|
||||||
image: dessalines/lemmy-ui:0.16.1
|
image: dessalines/lemmy-ui:0.16.1
|
||||||
environment:
|
environment:
|
||||||
- LEMMY_INTERNAL_HOST=lemmy:8536
|
- "LEMMY_INTERNAL_HOST=${STACK_NAME}_app:8536"
|
||||||
- LEMMY_EXTERNAL_HOST="${DOMAIN}"
|
- "LEMMY_EXTERNAL_HOST=${DOMAIN}"
|
||||||
- LEMMY_HTTPS=true
|
# - LEMMY_HTTPS=true
|
||||||
|
networks:
|
||||||
|
- backend
|
||||||
depends_on:
|
depends_on:
|
||||||
- app
|
- app
|
||||||
deploy:
|
|
||||||
restart_policy:
|
|
||||||
condition: on-failure
|
|
||||||
labels:
|
|
||||||
- "traefik.enable=true"
|
|
||||||
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=1235"
|
|
||||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
|
|
||||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
|
||||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
|
||||||
# Redirect from EXTRA_DOMAINS to DOMAIN
|
|
||||||
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
|
||||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
|
||||||
- "coop-cloud.${STACK_NAME}.version="
|
|
||||||
|
|
||||||
db:
|
db:
|
||||||
image: postgres:12-alpine
|
image: postgres:12-alpine
|
||||||
|
@ -46,30 +51,71 @@ services:
|
||||||
- POSTGRES_USER=lemmy
|
- POSTGRES_USER=lemmy
|
||||||
- POSTGRES_PASSWORD=password
|
- POSTGRES_PASSWORD=password
|
||||||
- POSTGRES_DB=lemmy
|
- POSTGRES_DB=lemmy
|
||||||
|
networks:
|
||||||
|
- backend
|
||||||
volumes:
|
volumes:
|
||||||
- ./volumes/postgres:/var/lib/postgresql/data
|
- postgres_data:/var/lib/postgresql/data
|
||||||
|
|
||||||
|
|
||||||
pictrs:
|
pictrs:
|
||||||
image: asonix/pictrs:0.3.0-beta.12-r1
|
image: asonix/pictrs:0.3.0-beta.12-r1
|
||||||
ports:
|
|
||||||
- "127.0.0.1:8537:8080"
|
|
||||||
- "127.0.0.1:6670:6669"
|
|
||||||
user: 991:991
|
user: 991:991
|
||||||
|
networks:
|
||||||
|
- backend
|
||||||
volumes:
|
volumes:
|
||||||
- ./volumes/pictrs:/mnt
|
- pictrs:/mnt
|
||||||
|
|
||||||
web:
|
web:
|
||||||
image: nginx:1.20.0
|
image: nginx:1.20.0
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- proxy
|
||||||
healthcheck:
|
- backend
|
||||||
test: ["CMD", "curl", "-f", "http://localhost"]
|
environment:
|
||||||
interval: 30s
|
- DOMAIN
|
||||||
timeout: 10s
|
- STACK_NAME
|
||||||
retries: 10
|
configs:
|
||||||
start_period: 1m
|
- source: nginx_conf
|
||||||
|
target: /etc/nginx/conf.d/default.conf
|
||||||
|
depends_on:
|
||||||
|
- app
|
||||||
|
deploy:
|
||||||
|
restart_policy:
|
||||||
|
condition: on-failure
|
||||||
|
labels:
|
||||||
|
- "traefik.enable=true"
|
||||||
|
- "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||||
|
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||||
|
# Redirect from EXTRA_DOMAINS to DOMAIN
|
||||||
|
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||||
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
||||||
|
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
lemmy_config:
|
||||||
|
postgres_data:
|
||||||
|
pictrs:
|
||||||
|
|
||||||
|
configs:
|
||||||
|
entrypoint_app_conf:
|
||||||
|
name: ${STACK_NAME}_entrypoint_app_${ENTRYPOINT_APP_VERSION}
|
||||||
|
file: entrypoint.sh
|
||||||
|
nginx_conf:
|
||||||
|
name: ${STACK_NAME}_nginx_${NGINX_CONF_VERSION}
|
||||||
|
file: nginx.conf.tmpl
|
||||||
|
template_driver: golang
|
||||||
|
config_hjson_conf:
|
||||||
|
name: ${STACK_NAME}_config_hjson_${CONFIG_HJSON_VERSION}
|
||||||
|
file: config.hjson.tmpl
|
||||||
|
template_driver: golang
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
admin_password:
|
||||||
|
external: true
|
||||||
|
name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
|
backend:
|
||||||
proxy:
|
proxy:
|
||||||
external: true
|
external: true
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
port: 8536
|
port: 8536
|
||||||
# settings related to the postgresql database
|
# settings related to the postgresql database
|
||||||
# address where pictrs is available
|
# address where pictrs is available
|
||||||
pictrs_url: "http://pictrs:8080"
|
pictrs_url: "http://{{ env "STACK_NAME" }}_pictrs:8080"
|
||||||
database: {
|
database: {
|
||||||
# name of the postgres database for lemmy
|
# name of the postgres database for lemmy
|
||||||
database: "lemmy"
|
database: "lemmy"
|
||||||
|
@ -30,7 +30,7 @@
|
||||||
# password to connect to postgres
|
# password to connect to postgres
|
||||||
password: "password"
|
password: "password"
|
||||||
# host where postgres is running
|
# host where postgres is running
|
||||||
host: "postgres"
|
host: "db"
|
||||||
# port where postgres can be accessed
|
# port where postgres can be accessed
|
||||||
port: 5432
|
port: 5432
|
||||||
# maximum number of active sql connections
|
# maximum number of active sql connections
|
|
@ -0,0 +1,8 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
if [ ! -f /config/config.hjson ]; then
|
||||||
|
cp /config/config.hjson.tmpl /config/config.hjson
|
||||||
|
fi
|
||||||
|
|
||||||
|
# https://github.com/LemmyNet/lemmy/blob/main/docker/prod/Dockerfile
|
||||||
|
/app/lemmy
|
|
@ -0,0 +1,81 @@
|
||||||
|
limit_req_zone $binary_remote_addr zone=lemmy_ratelimit:10m rate=1r/s;
|
||||||
|
|
||||||
|
upstream backend {
|
||||||
|
server "{{ env "STACK_NAME" }}_app:8536";
|
||||||
|
}
|
||||||
|
|
||||||
|
upstream frontend {
|
||||||
|
server "{{ env "STACK_NAME" }}_ui:1234";
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name {{ env "DOMAIN" }};
|
||||||
|
|
||||||
|
# Hide nginx version
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
# Enable compression for JS/CSS/HTML bundle, for improved client load times.
|
||||||
|
# It might be nice to compress JSON, but leaving that out to protect against potential
|
||||||
|
# compression+encryption information leak attacks like BREACH.
|
||||||
|
gzip on;
|
||||||
|
gzip_types text/css application/javascript image/svg+xml;
|
||||||
|
gzip_vary on;
|
||||||
|
|
||||||
|
# Upload limit for pictrs
|
||||||
|
client_max_body_size 20M;
|
||||||
|
|
||||||
|
# frontend
|
||||||
|
location / {
|
||||||
|
set $proxpass "http://frontend";
|
||||||
|
if ($http_accept ~ "^application/.*$") {
|
||||||
|
set $proxpass "http://backend";
|
||||||
|
}
|
||||||
|
if ($request_method = POST) {
|
||||||
|
set $proxpass "http://backend";
|
||||||
|
}
|
||||||
|
proxy_pass $proxpass;
|
||||||
|
|
||||||
|
rewrite ^(.+)/+$ $1 permanent;
|
||||||
|
|
||||||
|
# Send actual client IP upstream
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
}
|
||||||
|
|
||||||
|
# backend
|
||||||
|
location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
|
||||||
|
proxy_pass "http://{{ env "STACK_NAME" }}_app:8536";
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
|
||||||
|
# Rate limit
|
||||||
|
limit_req zone=lemmy_ratelimit burst=30 nodelay;
|
||||||
|
|
||||||
|
# Add IP forwarding headers
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Redirect pictshare images to pictrs
|
||||||
|
location ~ /pictshare/(.*)$ {
|
||||||
|
return 301 /pictrs/image/$1;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
# Anonymize IP addresses
|
||||||
|
# https://www.supertechcrew.com/anonymizing-logs-nginx-apache/
|
||||||
|
map $remote_addr $remote_addr_anon {
|
||||||
|
~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
|
||||||
|
~(?P<ip>[^:]+:[^:]+): $ip::;
|
||||||
|
127.0.0.1 $remote_addr;
|
||||||
|
::1 $remote_addr;
|
||||||
|
default 0.0.0.0;
|
||||||
|
}
|
||||||
|
access_log /var/log/nginx/access.log combined;
|
Loading…
Reference in New Issue