Update to latest workadventure version

.env.sample

@@ -5,17 +5,299 @@ DOMAIN=workadventure.example.com
 #EXTRA_DOMAINS=', `www.workadventure.example.com`'
 LETS_ENCRYPT_ENV=production
 
-DEBUG_MODE=true
+# Security
+
+# Secret used to encode session data in localstorage.
+# Required
+SECRET_SECRET_KEY_VERSION=v1
+# Secret used to access the admin component. Only required if you are using an "admin" server.
+SECRET_ADMIN_API_TOKEN_VERSION=v1
+
+
+# SAAS admin panel
+ADMIN_API_URL=https://$DOMAIN/admin
+ADMIN_URL=https://$DOMAIN
+
+# Basic configuration
+
+# The directory to store data in
+# DATA_DIR=./wa
+# FIXME: unused?
+
+# The URL used by default, in the form: "/_/global/map/url.tmj"
+START_ROOM_URL=/_/global/workadventure.github.io/map-starter-kit/office.tmj
+
+# If you want to have a contact page in your menu,
+# you MUST set CONTACT_URL to the URL of the page that you want
+CONTACT_URL=
+
+MAX_PER_GROUP=4
+MAX_USERNAME_LENGTH=10
+DISABLE_ANONYMOUS=false
+
+# Configure low and recommended bandwidth used by video and screen share in the peer-to-peer connection (in kbit/s)
+PEER_VIDEO_LOW_BANDWIDTH=150
+PEER_VIDEO_RECOMMENDED_BANDWIDTH=600
+PEER_SCREEN_SHARE_LOW_BANDWIDTH=250
+PEER_SCREEN_SHARE_RECOMMENDED_BANDWIDTH=1000
+
+# The version of the docker image to use
+# MUST uncomment "image" keys in the docker-compose file for it to be effective
+VERSION=master
+
+TZ=Etc/UTC
+
+#
+# Jitsi
+#
+
 JITSI_URL=meet.jit.si
-# If your Jitsi environment has authentication set up, you MUST set JITSI_PRIVATE_MODE to "true" and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
+# If your Jitsi environment has authentication set up,
+# you MUST set JITSI_PRIVATE_MODE to "true"
+# and you MUST pass a SECRET_JITSI_KEY to generate the JWT secret
 JITSI_PRIVATE_MODE=false
 JITSI_ISS=
 SECRET_JITSI_KEY=
 
+# Jitsi settings for the low-level Jitsi API (used by the live-streaming area)
+# JITSI_DOMAIN is the domain name of your Jitsi web instance (only the domain name, not the full URL)
+JITSI_DOMAIN=
+# JITSI_XMPP_DOMAIN is the domain name used by Prosody.
+# You can find this value in the Jitsi config.js file ("hosts.domain" key)
+# If you are using Jitsi Docker install, this is the value of the XMPP_DOMAIN environment variable.
+JITSI_XMPP_DOMAIN=
+# JITSI_XMPP_MUC_DOMAIN is the domain name used by Prosody for MUC.
+# You can find this value in the Jitsi config.js file ("hosts.muc" key)
+# If you are using Jitsi Docker install, this is the value of the XMPP_MUC_DOMAIN environment variable.
+JITSI_MUC_DOMAIN=
+
+#
+# BigBlueButton settings.
+# From your BBB instance, you can get the correct values using the command: "bbb-conf --secret"
+# This defaults to a test instance kindly provided by blindsidenetworks.com. Please change this in production settings.
+#
+BBB_URL=https://test-install.blindsidenetworks.com/bigbluebutton/
+BBB_SECRET=8cd8ef52e8e101574e400365b55e11a6
+
+#
+# Turn/Stun
+#
+
 # URL of the TURN server (needed to "punch a hole" through some networks for P2P connections)
+# Can be a comma separated list of servers
+# example: TURN_SERVER=turn:turn.example.com:5349,turns:turn.example.com:5349
 TURN_SERVER=
+# TURN server username and password (if your TURN server uses hard coded credentials)
+# Keep empty if you are using a shared auth secret.
 TURN_USER=
 TURN_PASSWORD=
+# If your Turn server is configured to use the Turn REST API, you MUST put the shared auth secret here.
+# If you are using Coturn, this is the value of the "static-auth-secret" parameter in your coturn config file.
+# Keep empty if you are sharing hard coded / clear text credentials.
+SECRET_TURN_STATIC_AUTH_SECRET_VERSION=v1
+# URL of the STUN server
+# example: STUN_SERVER=stun:stun.l.google.com:19302
+STUN_SERVER=
 
-# The URL used by default, in the form: "/_/global/map/url.json"
-START_ROOM_URL=/_/global/maps.workadventu.re/Floor0/floor0.json
+#
+# Certificate config
+#
+
+# The email address used by Let's encrypt to send renewal warnings (compulsory)
+ACME_EMAIL=
+
+#
+# Additional app configs
+# Configuration for third-party apps
+#
+
+# openID
+OPID_CLIENT_ID=
+OPID_CLIENT_SECRET=
+OPID_CLIENT_ISSUER=
+OPID_PROFILE_SCREEN_PROVIDER=
+OPID_LOGOUT_REDIRECT_URL=
+OPID_USERNAME_CLAIM=
+OPID_LOCALE_CLAIM=
+OPID_SCOPE=
+FALLBACK_LOCALE=
+
+# Whether the user can choose its name or if the name is dictated by OpenID.
+# Can be one of "user_input", "allow_override_opid", "force_opid"
+# This setting is only useful if DISABLE_ANONYMOUS=true
+#   user_input: the user will be prompted for his/her Woka name
+#   force_opid: the user cannot decide his/her Woka name
+#   allow_override_opid: by default, the user name from OpenID is used, but the user can change it
+OPID_WOKA_NAME_POLICY=user_input
+
+# Matrix configuration
+
+# The internal URL of the Matrix server. This is the URL that the WorkAdventure server will use to communicate with the Matrix server.
+# If your Matrix server is running on the same Docker host as WorkAdventure, you can use the container name as the hostname.
+# If your Matrix server is running out of Docker, use the full URL.
+MATRIX_API_URI=matrix_aolc_cc_app
+# The public URL of the Matrix server. This is the URL that the WorkAdventure clients will use to communicate with the Matrix server.
+MATRIX_PUBLIC_URI=https://matrix.aolc.cc
+# A valid Matrix user that will be used to create rooms and invite users.
+MATRIX_ADMIN_USER=
+MATRIX_ADMIN_PASSWORD=
+SECRET_MATRIX_ADMIN_PASSWORD_VERSION=v1
+
+
+#
+# Advanced configuration
+# Generally does not need to be changed
+#
+
+# Networking
+# HTTP_PORT=80
+# HTTPS_PORT=443
+# GRPC_PORT=50051
+# FIXME: unused
+
+# Workadventure settings
+DISABLE_NOTIFICATIONS=false
+SKIP_RENDER_OPTIMIZATIONS=false
+STORE_VARIABLES_FOR_LOCAL_MAPS=true
+
+# Prometheus settings
+## Uncomment this to enable the /metrics Prometheus endpoint.
+## To hit this endpoint, you will need to configure Prometheus with:
+## authorization:
+##   type: Bearer
+##   credentials: "[The value of PROMETHEUS_AUTHORIZATION_TOKEN env variable]"
+#PROMETHEUS_AUTHORIZATION_TOKEN=my_password
+
+# Debugging options
+DEBUG_MODE=false
+LOG_LEVEL=WARN
+
+RESTART_POLICY=unless-stopped
+
+# AWS environement variable for uploader
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_DEFAULT_REGION=
+AWS_BUCKET=
+AWS_ENDPOINT=
+AWS_URL=
+# Time for which signed urls are valid (in seconds)
+# UPLOADER_AWS_SIGNED_URL_EXPIRATION=60
+
+#
+# CHAT
+#
+
+# Enable / disable chat
+ENABLE_CHAT=true
+# Enable / disable upload of file in chat
+ENABLE_CHAT_UPLOAD=true
+# Chat max uploadable file size (Byte)
+UPLOAD_MAX_FILESIZE=10485760
+# Enable / disable the online list of users
+ENABLE_CHAT_ONLINE_LIST=true
+# Enable / disable the disconnected list of users
+ENABLE_CHAT_DISCONNECTED_LIST=true
+# Max day of chat history that can be fetched by users
+## No restriction is : 0 or not defined value
+# MAX_HISTORY_CHAT=0
+
+# Embedely key api for rich media embeds
+## used in the chat service
+# EMBEDLY_KEY=
+
+# Prometheus settings
+## Uncomment this to enable the /metrics Prometheus endpoint.
+## To hit this endpoint, you will need to configure Prometheus with:
+## authorization:
+##   type: Bearer
+##   credentials: "[The value of PROMETHEUS_AUTHORIZATION_TOKEN env variable]"
+# PROMETHEUS_AUTHORIZATION_TOKEN=
+
+# The maximum time to live of player variables for logged players, expressed in seconds (no limit by default).
+# Use "-1" for infinity.
+# Note that anonymous players don't have any TTL limit because their data is stored in local storage, not in Redis database.
+PLAYER_VARIABLES_MAX_TTL=-1
+
+# Report issues menu
+ENABLE_REPORT_ISSUES_MENU=false
+REPORT_ISSUES_URL=
+
+# By default, WorkAdventure will send telemetry usage once a day.
+# This data contains the version of WorkAdventure used and very rough usage (max number of users...)
+# The statistics collected through telemetry can provide developers valuable insights into WorkAdventure versions that
+# are actually used. No personal user data is sent. Please keep this setting to true unless your WorkAdventure installation is 'secret'
+ENABLE_TELEMETRY=false
+# This email address will be notified if your WorkAdventure version contains a known security flaw.
+# ENABLE_TELEMETRY must be set to "true" for this to work.
+SECURITY_EMAIL=
+
+# MAP EDITOR SETTINGS
+ENABLE_MAP_EDITOR=true
+# Enable broadcast areas in map editor (beta)
+FEATURE_FLAG_BROADCAST_AREAS=
+# If you want to allow only some users to access the map editor, you can set the list of authorized users here, email separated by commas. (Only possible if OpenID Connect is configured)
+# Leave blank if you want to allow all users to access the map editor.
+# This variable is ignored if an AdminAPI is configured
+MAP_EDITOR_ALLOWED_USERS=
+
+# You MUST decide an authentication strategy for the map-storage container.
+# At least one of ENABLE_BEARER_AUTHENTICATION, ENABLE_BASIC_AUTHENTICATION or ENABLE_DIGEST_AUTHENTICATION must be set to true.
+MAP_STORAGE_ENABLE_BEARER_AUTHENTICATION=false
+MAP_STORAGE_ENABLE_BASIC_AUTHENTICATION=true
+MAP_STORAGE_ENABLE_DIGEST_AUTHENTICATION=false
+# If you choose "Bearer", you MUST set a secret token in MAP_STORAGE_AUTHENTICATION_TOKEN or delegate the token verification to a remote service using MAP_STORAGE_AUTHENTICATION_VALIDATOR_URL.
+MAP_STORAGE_AUTHENTICATION_TOKEN=
+MAP_STORAGE_AUTHENTICATION_VALIDATOR_URL=
+# If you choose "Basic" or "Digest", you MUST set a username and password.
+MAP_STORAGE_AUTHENTICATION_USER=
+MAP_STORAGE_AUTHENTICATION_PASSWORD=
+
+# The Map storage API token is used to authenticate the map storage when it is making requests to external resources.
+# If not set, will default to SECRET_KEY
+MAP_STORAGE_API_TOKEN=
+WHITELISTED_RESOURCE_URLS=
+
+
+# Need to be authenticated to the Room API. If not set, the Room API will be disabled.
+ROOM_API_SECRET_KEY=
+
+SENTRY_DSN_FRONT=
+SENTRY_DSN_PUSHER=
+SENTRY_DSN_MAPSTORAGE=
+SENTRY_DSN_BACK=
+SENTRY_DSN_CHAT=
+## You be able to set the release name in the Sentry UI
+SENTRY_RELEASE=
+## Sentry auth token
+SENTRY_AUTH_TOKEN=
+
+## The environment name
+SENTRY_ENVIRONMENT=
+
+SENTRY_ORG=
+
+SENTRY_PROJECT=
+
+## The sampling rate for Sentry traces. Only used if SENTRY_DSN is configured. Defaults to 0.1
+SENTRY_TRACES_SAMPLE_RATE=
+
+# Integration tools
+KLAXOON_ENABLED=false
+KLAXOON_CLIENT_ID=
+YOUTUBE_ENABLED=true
+GOOGLE_DRIVE_ENABLED=true
+GOOGLE_DOCS_ENABLED=true
+GOOGLE_SHEETS_ENABLED=true
+GOOGLE_SLIDES_ENABLED=true
+ERASER_ENABLED=true
+EXCALIDRAW_ENABLED=true
+EXCALIDRAW_DOMAINS=excalidraw.com
+CARDS_ENABLED=true
+# If you want to force allow some domains to be embedded in WorkAdventure, you can set the list of authorized domains here, separated by ','.
+# Example: EMBEDDED_DOMAINS_WHITELIST=klaxoon.com,google.com
+EMBEDDED_DOMAINS_WHITELIST=
+
+# Google drive picker
+GOOGLE_DRIVE_PICKER_CLIENT_ID=
+GOOGLE_DRIVE_PICKER_APP_ID=

compose.yml

@@ -1,80 +1,299 @@
-version: "3.8"
+version: "3.6"
 services:
   app:
-    image: thecodingmachine/workadventure-front:v1.4.8
-    networks:
-      - proxy
+    image: thecodingmachine/workadventure-play:v1.23.4
     environment:
-      DEBUG_MODE: "$DEBUG_MODE"
-      JITSI_URL: $JITSI_URL
-      JITSI_PRIVATE_MODE: "$JITSI_PRIVATE_MODE"
-      API_URL: "api.${DOMAIN}"
-      PUSHER_URL: "pusher.${DOMAIN}"
-      TURN_SERVER: "${TURN_SERVER}"
-      TURN_USER: "${TURN_USER}"
-      TURN_PASSWORD: "${TURN_PASSWORD}"
-      START_ROOM_URL: "${START_ROOM_URL}"
+      - DEBUG_MODE
+      - JITSI_URL
+      - JITSI_PRIVATE_MODE
+      - ENABLE_MAP_EDITOR
+      - MAP_EDITOR_ALLOWED_USERS
+      - PUSHER_URL=https://${DOMAIN}/
+      - ICON_URL=/icon
+      - TURN_SERVER
+      - TURN_USER
+      - TURN_PASSWORD
+      - TURN_STATIC_AUTH_SECRET
+      - STUN_SERVER
+      - SKIP_RENDER_OPTIMIZATIONS
+      - MAX_PER_GROUP
+      - MAX_USERNAME_LENGTH
+      - DISABLE_ANONYMOUS
+      - DISABLE_NOTIFICATIONS
+      - SECRET_KEY
+      - API_URL=back:50051
+      - FRONT_URL=/
+      - INTERNAL_MAP_STORAGE_URL=http://map-storage:3000
+      - PUBLIC_MAP_STORAGE_URL=https://${DOMAIN}/map-storage
+      - START_ROOM_URL
+      - OPID_PROMPT=login
+      - OPID_WOKA_NAME_POLICY
+      - OPID_CLIENT_ID
+      - OPID_CLIENT_SECRET
+      - OPID_CLIENT_ISSUER
+      - OPID_PROFILE_SCREEN_PROVIDER
+      - OPID_SCOPE
+      - OPID_USERNAME_CLAIM
+      - OPID_LOCALE_CLAIM
+      - OPID_LOGOUT_REDIRECT_URL
+      - FALLBACK_LOCALE
+      - ENABLE_CHAT
+      - ENABLE_CHAT_UPLOAD
+      - ENABLE_CHAT_ONLINE_LIST
+      - ENABLE_CHAT_DISCONNECTED_LIST
+      - UPLOADER_URL=/uploader
+      # Report issues menu
+      - ENABLE_REPORT_ISSUES_MENU=${ENABLE_REPORT_ISSUES_MENU}
+      - REPORT_ISSUES_URL=${REPORT_ISSUES_URL}
+      - ENABLE_OPENAPI_ENDPOINT=true
+      - ADMIN_API_TOKEN
+      # - ADMIN_API_URL
+      # - ADMIN_URL
+      - ROOM_API_PORT=50051
+      - ROOM_API_SECRET_KEY=${ROOM_API_SECRET_KEY}
+      - GRPC_VERBOSITY=ERROR
+      - GRPC_TRACE=all
+      - SENTRY_ORG=${SENTRY_ORG}
+      - SENTRY_PROJECT=${SENTRY_PROJECT}
+      - SENTRY_DSN_FRONT=${SENTRY_DSN_FRONT}
+      - SENTRY_DSN_PUSHER=${SENTRY_DSN_PUSHER}
+      - SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT}
+      - SENTRY_RELEASE=${SENTRY_RELEASE}
+      - SENTRY_TRACES_SAMPLE_RATE=${SENTRY_TRACES_SAMPLE_RATE}
+      - JITSI_DOMAIN
+      - JITSI_XMPP_DOMAIN
+      - JITSI_MUC_DOMAIN
+      - WOKA_SPEED
+      - FEATURE_FLAG_BROADCAST_AREAS=${FEATURE_FLAG_BROADCAST_AREAS}
+      # Tools integration
+      - KLAXOON_ENABLED=${KLAXOON_ENABLED}
+      - KLAXOON_CLIENT_ID=${KLAXOON_CLIENT_ID}
+      - YOUTUBE_ENABLED=${YOUTUBE_ENABLED}
+      - GOOGLE_DRIVE_ENABLED=${GOOGLE_DRIVE_ENABLED}
+      - GOOGLE_DOCS_ENABLED=${GOOGLE_DOCS_ENABLED}
+      - GOOGLE_SHEETS_ENABLED=${GOOGLE_SHEETS_ENABLED}
+      - GOOGLE_SLIDES_ENABLED=${GOOGLE_SLIDES_ENABLED}
+      - ERASER_ENABLED=${ERASER_ENABLED}
+      - EXCALIDRAW_ENABLED=${EXCALIDRAW_ENABLED}
+      - EXCALIDRAW_DOMAINS=${EXCALIDRAW_DOMAINS}
+      - EMBEDDED_DOMAINS_WHITELIST=${EMBEDDED_DOMAINS_WHITELIST}
+      - CARDS_ENABLED=${CARDS_ENABLED}
+      - PEER_VIDEO_LOW_BANDWIDTH=${PEER_VIDEO_LOW_BANDWIDTH}
+      - PEER_VIDEO_RECOMMENDED_BANDWIDTH=${PEER_VIDEO_RECOMMENDED_BANDWIDTH}
+      - PEER_SCREEN_SHARE_LOW_BANDWIDTH=${PEER_SCREEN_SHARE_LOW_BANDWIDTH}
+      - PEER_SCREEN_SHARE_RECOMMENDED_BANDWIDTH=${PEER_SCREEN_SHARE_RECOMMENDED_BANDWIDTH}
+      # Google drive picker
+      - GOOGLE_DRIVE_PICKER_CLIENT_ID=${GOOGLE_DRIVE_PICKER_CLIENT_ID}
+      - GOOGLE_DRIVE_PICKER_APP_ID=${GOOGLE_DRIVE_PICKER_APP_ID}
+      - MAP_STORAGE_API_TOKEN=${MAP_STORAGE_API_TOKEN:-${SECRET_KEY}}
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}-app.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}-app.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
-        - "traefik.http.routers.${STACK_NAME}-app.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}-app.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "caddy=https://${DOMAIN}"
-        - "caddy.reverse_proxy={{upstreams 8080}}"
-        - "caddy.tls.on_demand="
-        - coop-cloud.${STACK_NAME}.app.version=v1.4.8-d82bdd95
-  pusher:
-    image: thecodingmachine/workadventure-pusher:master
-    command: yarn run runprod
+        traefik.enable: "true"
+        traefik.http.routers.play.rule: "Host(`${DOMAIN}`) && PathPrefix(`/`)"
+        traefik.http.routers.play.entryPoints: "web"
+        traefik.http.services.play.loadbalancer.server.port: "3000"
+        traefik.http.routers.play-ssl.rule: "Host(`${DOMAIN}`) && PathPrefix(`/`)"
+        traefik.http.routers.play-ssl.entryPoints: "web-secure"
+        traefik.http.routers.play-ssl.tls: "true"
+        traefik.http.routers.play-ssl.tls.certresolver: "myresolver"
+        traefik.http.routers.play-ssl.service: "play"
+        traefik.http.routers.room-api.rule: "Host(`${DOMAIN}`)"
+        traefik.http.routers.room-api.entryPoints: "grpc"
+        traefik.http.routers.room-api.service: "room-api"
+        traefik.http.services.room-api.loadbalancer.server.port: "50051"
+        traefik.http.services.room-api.loadbalancer.server.scheme: "h2c"
+        traefik.http.routers.room-api.tls: "true"
+        traefik.http.routers.room-api.tls.certresolver: "myresolver"
+        caddy: ${DOMAIN}
+        caddy.@default.path: /*
+        caddy.reverse_proxy: "@default {{upstreams 3000}}"
+        caddy.tls.on_demand: 
     networks:
-      - proxy
-    environment:
-      SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
-      SECRET_KEY: yourSecretKey
-      API_URL: back:50051
-      JITSI_URL: $JITSI_URL
-      JITSI_ISS: $JITSI_ISS
-    deploy:
-      restart_policy:
-        condition: on-failure
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}-pusher.loadbalancer.server.port=8080"
-        - "traefik.http.routers.${STACK_NAME}-pusher.rule=Host(`pusher.${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}-pusher.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}-pusher.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - coop-cloud.${STACK_NAME}.pusher.version=master-702e53f9
-        - "caddy=https://pusher.${DOMAIN}"
-        - "caddy.reverse_proxy={{upstreams 8080}}"
-        - "caddy.tls.on_demand="
+    - proxy
+    - internal
+
   back:
-    image: thecodingmachine/workadventure-back:v1.4.8
-    command: yarn run runprod
-    networks:
-      - proxy
+    image: thecodingmachine/workadventure-back:v1.23.4
     environment:
-      SECRET_JITSI_KEY: "$SECRET_JITSI_KEY"
-      ADMIN_API_TOKEN: "$ADMIN_API_TOKEN"
-      ADMIN_API_URL: "$ADMIN_API_URL"
-      JITSI_URL: $JITSI_URL
-      JITSI_ISS: $JITSI_ISS
+      - PLAY_URL=https://${DOMAIN}
+      - SECRET_JITSI_KEY
+      - ENABLE_MAP_EDITOR
+      - SECRET_KEY
+      - ADMIN_API_TOKEN
+      # - ADMIN_API_URL
+      - TURN_SERVER
+      - TURN_USER
+      - TURN_PASSWORD
+      - TURN_STATIC_AUTH_SECRET
+      - STUN_SERVER
+      - JITSI_URL
+      - JITSI_ISS
+      - BBB_URL
+      - BBB_SECRET
+      - MAX_PER_GROUP
+      - STORE_VARIABLES_FOR_LOCAL_MAPS
+      - REDIS_HOST=redis
+      - PROMETHEUS_AUTHORIZATION_TOKEN
+      - MAP_STORAGE_URL=map-storage:50053
+      - INTERNAL_MAP_STORAGE_URL=http://map-storage:3000
+      - PUBLIC_MAP_STORAGE_URL=https://${DOMAIN}/map-storage
+      - PLAYER_VARIABLES_MAX_TTL
+      - ENABLE_CHAT
+      - ENABLE_CHAT_UPLOAD
+      - SENTRY_DSN=${SENTRY_DSN_BACK}
+      - SENTRY_RELEASE=${SENTRY_RELEASE}
+      - SENTRY_TRACES_SAMPLE_RATE=${SENTRY_TRACES_SAMPLE_RATE}
     deploy:
-      restart_policy:
-        condition: on-failure
       labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}-back.loadbalancer.server.port=8080"
-        - "traefik.http.routers.${STACK_NAME}-back.rule=Host(`api.${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}-back.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}-back.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - coop-cloud.${STACK_NAME}.back.version=v1.4.8-702eacb6
-        - "caddy=https://api.${DOMAIN}"
-        - "caddy.reverse_proxy={{upstreams 8080}}"
-        - "caddy.tls.on_demand="
+        traefik.enable: "true"
+        traefik.docker.network: proxy
+        traefik.http.middlewares.strip-api-prefix.stripprefix.prefixes: "/api"
+        traefik.http.routers.back.rule: "Host(`${DOMAIN}`) && PathPrefix(`/api`)"
+        traefik.http.routers.back.middlewares: "strip-api-prefix@docker"
+        traefik.http.routers.back.entryPoints: "web"
+        traefik.http.services.back.loadbalancer.server.port: "8080"
+        traefik.http.routers.back-ssl.middlewares: "strip-api-prefix@docker"
+        traefik.http.routers.back-ssl.rule: "Host(`${DOMAIN}`) && PathPrefix(`/api`)"
+        traefik.http.routers.back-ssl.entryPoints: "web-secure"
+        traefik.http.routers.back-ssl.service: "back"
+        traefik.http.routers.back-ssl.tls: "true"
+        traefik.http.routers.back-ssl.tls.certresolver: "${LETS_ENCRYPT_ENV}"
+        caddy: ${DOMAIN}
+        caddy.@api.path: /api*
+        caddy.reverse_proxy: "@api {{upstreams 8080}}"
+    networks:
+    - proxy
+    - internal
+
+  uploader:
+    image: thecodingmachine/workadventure-uploader:v1.23.4
+    environment:
+      - UPLOADER_URL=https://${DOMAIN}/uploader
+      #AWS
+      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+      - AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION}
+      - AWS_BUCKET=${AWS_BUCKET}
+      - AWS_URL=${AWS_URL}
+      - AWS_ENDPOINT=${AWS_ENDPOINT}
+      #REDIS
+      - REDIS_HOST=redis
+      # - REDIS_PORT=
+      #CHAT
+      # - ADMIN_API_URL=${ADMIN_API_URL}
+      - ENABLE_CHAT_UPLOAD=${ENABLE_CHAT_UPLOAD}
+      - UPLOAD_MAX_FILESIZE=${UPLOAD_MAX_FILESIZE}
+    labels:
+      traefik.enable: "true"
+      traefik.http.middlewares.strip-uploader-prefix.stripprefix.prefixes: "/uploader"
+      traefik.http.routers.uploader.rule: "Host(`${DOMAIN}`) && PathPrefix(`/uploader`)"
+      traefik.http.routers.uploader.middlewares: "strip-uploader-prefix@docker"
+      traefik.http.routers.uploader.entryPoints: "web"
+      traefik.http.services.uploader.loadbalancer.server.port: "8080"
+      traefik.http.routers.uploader-ssl.middlewares: "strip-uploader-prefix@docker"
+      traefik.http.routers.uploader-ssl.rule: "Host(`${DOMAIN}`) && PathPrefix(`/uploader`)"
+      traefik.http.routers.uploader-ssl.entryPoints: "web-secure"
+      traefik.http.routers.uploader-ssl.service: "uploader"
+      traefik.http.routers.uploader-ssl.tls: "true"
+      traefik.http.routers.uploader-ssl.tls.certresolver: "myresolver"
+      caddy: ${DOMAIN}
+      caddy.@uploader.path: /uploader*
+      caddy.reverse_proxy: "@uploader {{upstreams 8080}}"
+    networks:
+     - internal
+     - proxy
+
+  icon:
+    image: matthiasluedtke/iconserver:v3.16.0
+    labels:
+      traefik.enable: "true"
+      traefik.http.middlewares.strip-icon-prefix.stripprefix.prefixes: "/icon"
+      traefik.http.routers.icon.middlewares: "strip-icon-prefix@docker"
+      traefik.http.routers.icon.rule: "Host(`${DOMAIN}`) && PathPrefix(`/icon`)"
+      traefik.http.routers.icon.entryPoints: "web"
+      traefik.http.services.icon.loadbalancer.server.port: "8080"
+      traefik.http.routers.icon-ssl.middlewares: "strip-icon-prefix@docker"
+      traefik.http.routers.icon-ssl.rule: "Host(`${DOMAIN}`) && PathPrefix(`/icon`)"
+      traefik.http.routers.icon-ssl.entryPoints: "web-secure"
+      traefik.http.routers.icon-ssl.service: "icon"
+      traefik.http.routers.icon-ssl.tls: "true"
+      traefik.http.routers.icon-ssl.tls.certresolver: "myresolver"
+      caddy: ${DOMAIN}
+      caddy.@icon.path: /icon*
+      caddy.reverse_proxy: "@icon {{upstreams 8080}}"
+    networks:
+     - proxy
+     - internal
+
+  redis:
+    image: redis:6
+    volumes:
+      - redisdata:/data
+    networks:
+     - proxy
+
+  map-storage:
+    image: thecodingmachine/workadventure-map-storage:v1.23.4
+    environment:
+      API_URL: back:50051
+      PROMETHEUS_AUTHORIZATION_TOKEN: "$PROMETHEUS_AUTHORIZATION_TOKEN"
+      AUTHENTICATION_STRATEGY: "$MAP_STORAGE_AUTHENTICATION_STRATEGY"
+      ENABLE_BEARER_AUTHENTICATION: "$MAP_STORAGE_ENABLE_BEARER_AUTHENTICATION"
+      ENABLE_BASIC_AUTHENTICATION: "$MAP_STORAGE_ENABLE_BASIC_AUTHENTICATION"
+      ENABLE_DIGEST_AUTHENTICATION: "$MAP_STORAGE_ENABLE_DIGEST_AUTHENTICATION"
+      AUTHENTICATION_USER: "$MAP_STORAGE_AUTHENTICATION_USER"
+      AUTHENTICATION_PASSWORD: "$MAP_STORAGE_AUTHENTICATION_PASSWORD"
+      AUTHENTICATION_TOKEN: "$MAP_STORAGE_AUTHENTICATION_TOKEN"
+      AUTHENTICATION_VALIDATOR_URL: "$MAP_STORAGE_AUTHENTICATION_VALIDATOR_URL"
+      SENTRY_DSN: $SENTRY_DSN_MAPSTORAGE
+      SENTRY_RELEASE: $SENTRY_RELEASE
+      SENTRY_ENVIRONMENT: $SENTRY_ENVIRONMENT
+      SENTRY_TRACES_SAMPLE_RATE: $SENTRY_TRACES_SAMPLE_RATE
+      PATH_PREFIX: "/map-storage"
+      ENTITY_COLLECTION_URLS: "https://${DOMAIN}/collections/FurnitureCollection.json,https://${DOMAIN}/collections/OfficeCollection.json"
+      MAP_STORAGE_API_TOKEN: "${MAP_STORAGE_API_TOKEN:-${SECRET_KEY}}"
+      PUSHER_URL: "https://${DOMAIN}/"
+    volumes:
+      - map-storage-data:/maps
+    labels:
+      traefik.enable: "true"
+      traefik.http.middlewares.strip-map-storage-prefix.stripprefix.prefixes: "/map-storage"
+      traefik.http.routers.map-storage.middlewares: "strip-map-storage-prefix@docker"
+      traefik.http.routers.map-storage.rule: "Host(`${DOMAIN}`) && PathPrefix(`/map-storage`)"
+      traefik.http.routers.map-storage.entryPoints: "web"
+      traefik.http.services.map-storage.loadbalancer.server.port: "3000"
+      traefik.http.routers.map-storage-ssl.middlewares: "strip-map-storage-prefix@docker"
+      traefik.http.routers.map-storage-ssl.rule: "Host(`${DOMAIN}`) && PathPrefix(`/map-storage`)"
+      traefik.http.routers.map-storage-ssl.entryPoints: "web-secure"
+      traefik.http.routers.map-storage-ssl.service: "map-storage"
+      traefik.http.routers.map-storage-ssl.tls: "true"
+      traefik.http.routers.map-storage-ssl.tls.certresolver: "myresolver"
+      caddy: ${DOMAIN}
+      caddy.@map-storage.path: /map-storage*
+      caddy.reverse_proxy: "@map-storage {{upstreams 3000}}"
+    networks:
+     - proxy
+     - internal
+
+volumes:
+  redisdata:
+  map-storage-data:
+
 networks:
   proxy:
     external: true
+  internal:
+
+secrets:
+  turn_static_auth_secret:
+    external: true
+    name: ${STACK_NAME}_turn_static_auth_secret_${SECRET_TURN_STATIC_AUTH_SECRET_VERSION}
+  admin_api_token:
+    external: true
+    name: ${STACK_NAME}_admin_api_token_${SECRET_ADMIN_API_TOKEN_VERSION}
+  secret_key:
+    external: true
+    name: ${STACK_NAME}_secret_key_${SECRET_SECRET_KEY_VERSION}
+  matrix_admin_password:
+    external: true
+    name: ${STACK_NAME}_matrix_admin_password_${SECRET_MATRIX_ADMIN_PASSWORD_VERSION}